Using ORT with the SPDX "package manager" only #4505

@tardyp

Description

Here at Renault, most of our integration is made with git repositories aggregated with google repo or git submodules.

We do put tags on our releases, but we would like to test our mainlines before. We started to use a bit of conan, but we can't wait for this process to finish to implement full open-source reviews.

At the moment we have been using scancode-toolkit to scan our code, and have some custom report aggregation on Google Data Studio. We are happy with that but are starting to hit the problems that ort.yml is resolving (exclude, curation, resolutions, license-choices).

We are struggling to use the OSS review toolkit because it all starts with a package manager, and we don't have one.

We tried to generate an SPDX BOM from our repo list, or to generate the intermediate analyser output, but then the downloader seems to insist on downloading a tag and will just not accept using a mainline branch as scan input.

So if my analysis is good, we would need two features in ORT:

  • A new analyser which takes a list of (package_name, repository_url, repository_branch) tuples and just outputs that list in the analyser output format. We do intend to generate this format externally with internal tools we already have. That analyser input would be simpler than the analyser output and also more stable.
  • A fix in the downloader to be able to download from a branch and not only a tag.

We are willing to help on the development of those features as needed, but will probably need some architecture help to make sure we are making the right change.

Thanks for your inputs!
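As an added example (not part of the issue or of ORT), here is one way to turn the (package_name, repository_url, repository_branch) tuples described above into an SPDX 2.2 JSON document, using the SPDX `git+<url>@<ref>` download-location form, whose `<ref>` may be a branch, tag or commit. The repository list, document namespace and creator are constructed placeholders; whether a given ORT version accepts a branch ref in such a document is exactly the open question of the issue and is not assumed here.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample input in the shape the issue describes: (package_name, repository_url, repository_branch).
REPOS = [
    ("board-support", "https://git.example.com/bsp/board-support.git", "main"),
    ("media-stack", "https://git.example.com/media/media-stack.git", "release/2024.1"),
]

_ID_UNSAFE = re.compile(r"[^A-Za-z0-9.-]")


def spdx_id(name):
    # SPDX identifiers allow only letters, digits, '.' and '-'; anything else is replaced.
    return "SPDXRef-Package-" + _ID_UNSAFE.sub("-", name)


def is_acceptable_repo_url(url):
    # Refuse schemes other than https/ssh and URLs with embedded credentials, so a manifest
    # generated from internal tooling cannot leak a token into the BOM or fetch over plaintext.
    parsed = urlparse(url)
    return parsed.scheme in ("https", "ssh") and not parsed.username and not parsed.password


def vcs_download_location(url, ref):
    # SPDX 2.2 PackageDownloadLocation VCS form: git+<url>@<ref>. A branch is a mutable ref,
    # so a reviewed BOM should ideally carry the resolved commit here instead of the branch name.
    if not is_acceptable_repo_url(url):
        raise ValueError(f"rejected repository URL: {url}")
    if not ref or any(ch.isspace() for ch in ref):
        raise ValueError(f"invalid git ref: {ref!r}")
    return f"git+{url}@{ref}"


def build_spdx_document(repos, doc_name="mainline-bom"):
    packages, relationships = [], []
    for name, url, branch in repos:
        pkg_id = spdx_id(name)
        packages.append({"SPDXID": pkg_id, "name": name,
                         "downloadLocation": vcs_download_location(url, branch),
                         "filesAnalyzed": False})
        relationships.append({"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                              "relatedSpdxElement": pkg_id})
    return {
        "spdxVersion": "SPDX-2.2", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
        "name": doc_name,
        "documentNamespace": f"https://example.com/spdx/{doc_name}",  # placeholder namespace
        "creationInfo": {"creators": ["Tool: repo-manifest-to-spdx (example)"],
                         "created": "2021-01-01T00:00:00Z"},  # placeholder timestamp
        "packages": packages, "relationships": relationships,
    }


if __name__ == "__main__":
    print(json.dumps(build_spdx_document(REPOS), indent=2))
```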
