SPDX Document File
A package manager that uses SPDX documents as definition files.
Description
A "fake" package manager implementation that uses SPDX documents as definition files to declare projects and describe packages. See https://github.com/spdx/spdx-spec/issues/439 for details.
Configuration
Example
Use the following syntax to configure this plugin globally as part of config.yml:
ort:
  analyzer:
    packageManagers:
      SpdxDocumentFile:
        options:
          deduceOrtIdFromPurl: false
          warnAboutUnclearLinkage: false
Use the following syntax to configure this plugin in a repository's .ort.yml:
analyzer:
  package_managers:
    SpdxDocumentFile:
      options:
        deduceOrtIdFromPurl: false
        warnAboutUnclearLinkage: false
If the plugin is configured in both locations, the configurations are merged, with options from .ort.yml taking precedence over those from config.yml.
Options
deduceOrtIdFromPurl
If this option is enabled and an SPDX package carries a package URL (purl) as an external reference, the Identifier of the resulting ORT Package is deduced from that purl instead of from the SpdxPackage's spdxId. Note that the purl is supplied by whoever wrote the SPDX document, so with this option enabled the document author rather than the package metadata determines which package ORT evaluates.
warnAboutUnclearLinkage
If this option is enabled, an issue is created for each relationship whose linkage type is unspecified or ambiguous (for example a plain dependency relationship that does not say whether the package is linked statically or dynamically).
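The following is an added example illustrating the effect of both options on a constructed SPDX 2.3 JSON document; it is not code from the ORT project and does not reproduce the plugin's internals. It assumes a simplified identifier shape of `type:namespace:name:version`, a partial purl-type-to-ORT-type mapping, that `DYNAMIC_LINK` and `STATIC_LINK` count as clear linkage while `DEPENDS_ON` is ambiguous, and that the fallback identifier uses the package's name and versionInfo under the `SpdxDocumentFile` type. It additionally flags a purl whose name or version disagrees with the SPDX package it is attached to, which is the check worth running before trusting `deduceOrtIdFromPurl` on third-party documents.

```python
import json
from urllib.parse import unquote

# Constructed SPDX 2.3 document used as the definition file (sample data, not ORT's).
# Package-B deliberately carries a purl whose version does not match its versionInfo.
SPDX_JSON = r'''
{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-project",
  "documentDescribes": ["SPDXRef-Project"],
  "packages": [
    {"SPDXID": "SPDXRef-Project", "name": "example-project", "versionInfo": "1.0.0"},
    {"SPDXID": "SPDXRef-Package-A", "name": "commons-lang3", "versionInfo": "3.12.0",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:maven/org.apache.commons/commons-lang3@3.12.0"}]},
    {"SPDXID": "SPDXRef-Package-B", "name": "pkg", "versionInfo": "1.0.1",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:npm/%40scope/pkg@1.0.0"}]},
    {"SPDXID": "SPDXRef-Package-C", "name": "libfoo", "versionInfo": "2.0"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-Project", "relationshipType": "DYNAMIC_LINK", "relatedSpdxElement": "SPDXRef-Package-A"},
    {"spdxElementId": "SPDXRef-Project", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-Package-B"},
    {"spdxElementId": "SPDXRef-Project", "relationshipType": "STATIC_LINK", "relatedSpdxElement": "SPDXRef-Package-C"}
  ]
}
'''

# Assumption: partial mapping from purl type to ORT package type; unknown types pass through.
PURL_TYPE_TO_ORT_TYPE = {"maven": "Maven", "npm": "NPM", "pypi": "PyPI", "golang": "Go"}
# Assumption: which SPDX relationship types express a clear or an ambiguous linkage.
CLEAR_LINKAGE = {"DYNAMIC_LINK", "STATIC_LINK"}
AMBIGUOUS_LINKAGE = {"DEPENDS_ON"}


def parse_purl(purl):
    """Split pkg:type/namespace/name@version?qualifiers#subpath into (type, namespace, name, version)."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]
    path, sep, version = body.rpartition("@")
    if not sep:
        path, version = body, ""
    parts = [unquote(p) for p in path.strip("/").split("/")]
    if len(parts) < 2:
        raise ValueError(f"purl lacks a name: {purl}")
    return parts[0].lower(), "/".join(parts[1:-1]), parts[-1], version


def purl_of(pkg):
    """Return the purl external reference of an SPDX package, or None."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref.get("referenceLocator")
    return None


def ort_identifier(pkg, deduce_from_purl, issues):
    """Build the (simplified) ORT identifier for one SPDX package, recording any purl mismatch."""
    version = pkg.get("versionInfo", "")
    purl = purl_of(pkg) if deduce_from_purl else None
    if purl is None:
        # Assumption: fallback identifier uses the plugin type with an empty namespace.
        return f"SpdxDocumentFile::{pkg['name']}:{version}"
    ptype, namespace, name, purl_version = parse_purl(purl)
    if name != pkg["name"] or purl_version != version:
        issues.append(f"{pkg['SPDXID']}: purl {purl} disagrees with name/versionInfo "
                      f"{pkg['name']}@{version}")
    return f"{PURL_TYPE_TO_ORT_TYPE.get(ptype, ptype)}:{namespace}:{name}:{purl_version}"


def analyze(doc_json, deduce_ort_id_from_purl=False, warn_about_unclear_linkage=False):
    """Map every package to an identifier and collect issues, mirroring the two plugin options."""
    doc = json.loads(doc_json)
    issues = []
    ids = {p["SPDXID"]: ort_identifier(p, deduce_ort_id_from_purl, issues) for p in doc["packages"]}
    if warn_about_unclear_linkage:
        for rel in doc.get("relationships", []):
            rtype = rel["relationshipType"]
            if rtype in AMBIGUOUS_LINKAGE:
                issues.append(f"{rel['spdxElementId']} {rtype} {rel['relatedSpdxElement']}: "
                              "linkage type is unspecified or ambiguous")
    return ids, issues


if __name__ == "__main__":
    identifiers, found = analyze(SPDX_JSON, deduce_ort_id_from_purl=True, warn_about_unclear_linkage=True)
    for spdx_id, ort_id in identifiers.items():
        print(f"{spdx_id} -> {ort_id}")
    for issue in found:
        print("ISSUE:", issue)
```

Running it with both options enabled yields purl-derived identifiers for Package-A and Package-B, the fallback identifier for Package-C, one issue for the `DEPENDS_ON` relationship, and one issue for Package-B's version mismatch; with both options disabled every package gets the fallback identifier and no issues are reported.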