Hi Thomas,

I like the use of the relationships.  The choice of relationships in the issue documentation looks good to me.

One use case we don't currently support in SPDX is to note some kind of exclusion due to errors or false positives from tools.

I can see this being generally useful.

In my work, it is not uncommon to run across a false positive in a scan.  These false positives are currently documented outside of the SPDX document and the false positives are just not included.  I think it would be valuable to retain this information inside the SPDX document itself.

Perhaps something we could consider for 2.2 or 3.0.

Gary


From: Spdx-tech@lists.spdx.org <Spdx-tech@lists.spdx.org> On Behalf Of Thomas Steenbergen
Sent: Tuesday, August 14, 2018 7:22 AM
To: Spdx-tech@lists.spdx.org
Subject: [spdx-tech] SPDX inspired exclude OSS filter in ORT

Hi,

Following up on our last SPDX tech call, I would like to ask for your feedback on an SPDX-relationships-inspired exclude OSS filter that we are planning to build into OSS Review Toolkit.

You can find the current proposal at https://github.com/heremaps/oss-review-toolkit/issues/731

Bit of background - we are working on adding SPDX to OSS Review Toolkit. The plan is to generate SPDX result files based on merging the dependency graph from supported package managers with license and copyright findings from supported scanners.

A common use case is that not everything that is automatically detected is actually used, distributed or correct; therefore we would like to provide our users with an easy way to specify which findings to exclude from the SPDX output.  The solution we came up with is to add support for an .ort.yaml configuration file in which a user can define which detected projects, packages, scopes, errors or licenses should be excluded.

After some thought we came up with the idea to re-use some of the SPDX relationships [1] for the exclusion filter. This should allow us to not only generate SPDX for distributed artefacts but also one for the source code, including SPDX relationships on whether an SPDX Package or File is documentation, example code, source code, etc.

I welcome your feedback.

Regards,

Thomas Steenbergen

Open Source Office, HERE Technologies

[1] https://spdx.github.io/spdx-spec/7-relationships-between-SPDX-elements/
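The following is an added example of the idea discussed in this thread, written for illustration; it is not ORT's code nor anything from the SPDX project. It tags each detected file or package with its SPDX relationship to the root package, lets a small configuration (a hypothetical stand-in for the proposed .ort.yaml, not ORT's real schema) decide which relationship types, scopes and reviewer-rejected false positives are left out of the distributed-artefact output, and, following Gary's point, keeps each exclusion and its reason inside the document as an SPDX annotation instead of dropping it silently. The relationship type names come from section 7 of the SPDX 2.1 spec linked above; the identifiers, scan findings, config values, annotator name and date are all constructed.

```python
"""Relationship-based exclusion filter for scan findings (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Relationship types from SPDX 2.1, section 7 (the document the mail cites).
DOCUMENTATION_OF = "DOCUMENTATION_OF"
EXAMPLE_OF = "EXAMPLE_OF"
CONTAINS = "CONTAINS"
DEV_DEPENDENCY_OF = "DEV_DEPENDENCY_OF"

ROOT_ID = "SPDXRef-Package-root"  # constructed id of the package being described


@dataclass(frozen=True)
class Finding:
    spdx_id: str        # SPDX identifier of the detected file or package
    relationship: str   # its relationship to ROOT_ID
    license: str        # license expression the scanner reported
    scope: str          # package-manager scope it was found in


@dataclass(frozen=True)
class Exclusion:
    spdx_id: str
    reason: str


def apply_exclusions(findings: List[Finding], config: Dict) -> Tuple[List[Finding], List[Exclusion]]:
    """Split findings into those kept for the SPDX output and those excluded.

    config keys (hypothetical .ort.yaml layout, not ORT's real schema):
      exclude_relationships: relationship types that are not distributed
      exclude_scopes: package-manager scopes that are not distributed
      false_positives: {spdx_id: reviewer's reason} for rejected findings
    A reviewer's false-positive verdict wins over the structural rules.
    """
    by_relationship = set(config.get("exclude_relationships", []))
    by_scope = set(config.get("exclude_scopes", []))
    false_positives = config.get("false_positives", {})
    kept, excluded = [], []
    for f in findings:
        if f.spdx_id in false_positives:
            excluded.append(Exclusion(f.spdx_id, "false positive: " + false_positives[f.spdx_id]))
        elif f.relationship in by_relationship:
            excluded.append(Exclusion(f.spdx_id, f"relationship {f.relationship} {ROOT_ID} is not distributed"))
        elif f.scope in by_scope:
            excluded.append(Exclusion(f.spdx_id, f"scope '{f.scope}' is not distributed"))
        else:
            kept.append(f)
    return kept, excluded


def render_tag_value(kept: List[Finding], excluded: List[Exclusion]) -> List[str]:
    """Emit SPDX tag/value lines: one Relationship per kept element and one
    REVIEW annotation recording why each excluded element is absent."""
    lines = [f"Relationship: {f.spdx_id} {f.relationship} {ROOT_ID}" for f in kept]
    for e in excluded:
        lines += [
            "Annotator: Tool: exclusion-filter-example",   # constructed annotator
            "AnnotationDate: 2018-08-14T00:00:00Z",        # constructed timestamp
            "AnnotationType: REVIEW",
            f"SPDXREF: {e.spdx_id}",
            f"AnnotationComment: <text>excluded from output: {e.reason}</text>",
        ]
    return lines


# Constructed sample scan result for a fictitious project.
SAMPLE_FINDINGS = [
    Finding("SPDXRef-File-README", DOCUMENTATION_OF, "CC-BY-4.0", "compile"),
    Finding("SPDXRef-File-examples-demo", EXAMPLE_OF, "MIT", "compile"),
    Finding("SPDXRef-Package-libfoo", CONTAINS, "Apache-2.0", "compile"),
    Finding("SPDXRef-Package-test-runner", DEV_DEPENDENCY_OF, "EPL-1.0", "test"),
    Finding("SPDXRef-File-vendor-widget", CONTAINS, "GPL-2.0-only", "compile"),
]

# Constructed exclusion configuration (hypothetical .ort.yaml content).
SAMPLE_CONFIG = {
    "exclude_relationships": [DOCUMENTATION_OF, EXAMPLE_OF],
    "exclude_scopes": ["test"],
    "false_positives": {
        "SPDXRef-File-vendor-widget": "GPL match is a license name quoted in a string literal; file header is MIT",
    },
}

if __name__ == "__main__":
    kept, excluded = apply_exclusions(SAMPLE_FINDINGS, SAMPLE_CONFIG)
    print("\n".join(render_tag_value(kept, excluded)))
```

Running the module prints a single `Relationship:` line for the one package that is actually distributed, followed by an annotation block for each of the four excluded elements, so a downstream consumer can see both what the scan found and why the reviewer chose to leave it out.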