Hi,

Following up on our last SPDX tech call, I would like to ask for your feedback on an 
SPDX-relationships-inspired exclude OSS filter that we are planning to build 
into OSS Review Toolkit.
You can find the current proposal at 
https://github.com/heremaps/oss-review-toolkit/issues/731

Bit of background - we are working on adding SPDX to OSS Review Toolkit. The 
plan is to generate SPDX result files based on merging the dependency graph 
from supported package managers with license and copyright findings from 
supported scanners.

A common use case is that not everything that is automatically detected is 
actually used, distributed or correct; therefore we would like to provide our 
users with an easy way to specify which findings to exclude from the 
SPDX output. The solution we came up with is to add support for an .ort.yaml 
configuration file in which a user can define which detected projects, 
packages, scopes, errors or licenses should be excluded.

After some thought we came up with the idea to re-use some of the SPDX 
relationships [1] for the exclusion filter. This should allow us to not only 
generate SPDX for distributed artefacts but also one for the source code, 
including SPDX relationships indicating whether an SPDX Package or File is 
documentation, example code, source code, etc.

I welcome your feedback.

Regards,

Thomas Steenbergen
Open Source Office, HERE Technologies

[1] https://spdx.github.io/spdx-spec/7-relationships-between-SPDX-elements/
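As an added illustration of the relationship-based exclusion the message proposes (this is not code from OSS Review Toolkit or from the author), the filter below drops every SPDX element that is the subject of a configured relationship type, plus everything it CONTAINS, to produce the "distributed artefacts" view while the unfiltered list remains the source-code view. The relationship type names come from the SPDX spec linked at [1]; the `.ort.yaml` key `relationships`, the sample element ids and the triples are assumptions constructed for the example.

```python
from collections import defaultdict

# SPDX relationship types (spec section 7, see [1]) under which the *subject*
# is supporting material rather than shipped code. Which of them to drop is
# assumed to come from an "excludes" block of the .ort.yaml mentioned above;
# the key name "relationships" is an assumption, not ORT's actual format.
EXAMPLE_ORT_EXCLUDES = {
    "relationships": ["DOCUMENTATION_OF", "EXAMPLE_OF", "TEST_CASE_OF"],
}
# Constructed sample (subject, type, object) triples with shortened SPDX ids.
SAMPLE_RELATIONSHIPS = [
    ("SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-pkg-app"),
    ("SPDXRef-pkg-app", "CONTAINS", "SPDXRef-src-main.c"),
    ("SPDXRef-pkg-app", "CONTAINS", "SPDXRef-docs"),
    ("SPDXRef-docs", "DOCUMENTATION_OF", "SPDXRef-pkg-app"),
    ("SPDXRef-docs", "CONTAINS", "SPDXRef-docs-guide.md"),
    ("SPDXRef-examples-demo.c", "EXAMPLE_OF", "SPDXRef-pkg-app"),
    ("SPDXRef-tests-unit.c", "TEST_CASE_OF", "SPDXRef-pkg-app"),
    ("SPDXRef-pkg-app", "DYNAMIC_LINK", "SPDXRef-pkg-libfoo"),
]


def excluded_elements(relationships, excluded_types):
    """Element ids to leave out of the distribution document: the subject of
    any relationship of an excluded type, plus everything it CONTAINS."""
    contains = defaultdict(set)
    seeds = set()
    for subj, rel, obj in relationships:
        if rel == "CONTAINS":
            contains[subj].add(obj)
        elif rel == "CONTAINED_BY":
            contains[obj].add(subj)
        if rel in excluded_types:
            seeds.add(subj)
    # Walk the CONTAINS edges so a whole excluded docs tree goes, not just its root.
    excluded, stack = set(), list(seeds)
    while stack:
        elem = stack.pop()
        if elem not in excluded:
            excluded.add(elem)
            stack.extend(contains[elem])
    return excluded


def distribution_view(relationships, ort_excludes):
    """Relationships for the 'distributed artefacts' SPDX output plus the
    excluded ids; the source-code output is simply the unfiltered list."""
    excluded = excluded_elements(relationships, set(ort_excludes["relationships"]))
    kept = [r for r in relationships if r[0] not in excluded and r[2] not in excluded]
    return kept, excluded
```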
