Introduce ORT result scanner infrastructure #5325
Conversation
As explained in the issue oss-review-toolkit#5324, we need a scanner with the capability to access and autonomously process the full ORT result into a scan result structure. This pull request gives an insight on how we solved this requirement using the current ORT infrastructure. This has to be seen as an example and a base for further discussion in the ORT developer community.

Signed-off-by: Rainer Bieniek <extern.rainer.bieniek@porsche.de>
@porsche-rbieniek What data exactly do you need to send to Blackduck? Does ORT (1) need to download the source code of the projects and packages and upload it to Blackduck, or (2) send the identifiers and source code location (VCS, source artifact URL) of the projects and packages to Blackduck and Blackduck downloads the source code on its own?
@mnonnenmacher Note: Blackduck is not downloading any software library but checking against its own storage to return the information on the SPDX License Name, License Text and Copyright (C) information. Authors are not part of Blackduck.
Do you only send the dependencies or also the projects? And do you have to send them in bulk in a single request, or can it be one request per dependency?
Does the data fit into the ORT scan result model? E.g. do you get license and copyright data per file, or only for the whole library?
In general, any new scanner implementation should be done by implementing the new
Given that this was submitted only as a demo, and there have been no updates / follow-up PR implementing @mnonnenmacher's comments, this is getting closed as part of backlog grooming. Feel free to comment if you would like to contribute to this.
This pull request is meant to provide a functional overview of what changes in the ORT infrastructure are required to allow the integration of ORT with the (commercial) BlackDuck tool as a backend scanner.
From a high-level perspective, we need an infrastructural way to integrate a scanner which is not working on a per-package level, like scancode does, but works on the level of an analyzer result.
We have built the Blackduck integration in a way that we organize all projects in an ORT analyzer result as projects grouped in a project group. A project group is a Blackduck-specific concept of a container grouping individual projects.
In order to make this logic work, we need to work on the level of an analyzer result, where we descend through the projects and their dependencies.
We then build the Blackduck scan input per project, create the project groups and the projects in Blackduck, ship the dependencies and start the processing on Blackduck.
Once the scanning is complete (on Blackduck), we retrieve the results for all projects and create the ORT scan result in one step.
We are well aware of the on-going changes in ORT in the area of experimental scanner support (as discussed in the ORT developer meeting). Therefore we submit this pull request as a technology demo to show what support we need from the ORT infrastructure.
Once the additional infrastructure is in place, we're happy to supply another pull request to provide the Blackduck integration.
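The flow described in the comment above (walk the whole analyzer result, build one backend request per project inside a project group, ask the backend once, then map library-level answers back into per-package scan results in one step), as an added, language-neutral model. This is not code from the PR, from ORT or from Black Duck: the `Project`/`AnalyzerResult` records are a simplified stand-in for ORT's model, `fake_backend` and `KNOWLEDGE_BASE` are a constructed stand-in for a Black Duck-style service that answers from its own storage without downloading sources, and all package identifiers are sample data. It also shows the two things a practitioner would want such a scanner to get right: findings from a library-level backend carry no file path, and packages the backend does not know are reported as unresolved instead of being silently treated as clean.

```python
"""Data-flow model of a scanner that works on a whole ORT analyzer result
rather than one package at a time (added example, not ORT's or the PR's code).

The record types are a simplified stand-in for ORT's Project/Package/ScanResult
model; fake_backend() and KNOWLEDGE_BASE stand in for a Black Duck-style service
that answers from its own knowledge base instead of downloading sources.
All identifiers and findings below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Project:
    id: str       # e.g. "Maven:org.example:app:1.0" (assumed identifier format)
    scopes: dict  # scope name -> list of direct dependency ids


@dataclass(frozen=True)
class AnalyzerResult:
    projects: tuple    # all projects found by the analyzer
    dependencies: dict  # package id -> ids it depends on (flattened graph)


def collect_dependencies(result, project):
    """Descend a project's scopes and return its transitive dependency set.
    The seen-set makes this safe on cyclic dependency graphs."""
    seen = set()
    stack = [dep for deps in project.scopes.values() for dep in deps]
    while stack:
        dep = stack.pop()
        if dep in seen:
            continue
        seen.add(dep)
        stack.extend(result.dependencies.get(dep, []))
    return seen


def build_project_group(result, group_name):
    """Shape the whole analyzer result into one backend request: a project
    group holding one project per ORT project, each listing its dependencies
    by identifier only (no source code is shipped to the backend)."""
    return {
        "group": group_name,
        "projects": {
            p.id: sorted(collect_dependencies(result, p)) for p in result.projects
        },
    }


# Constructed knowledge base: answers are per library, never per file,
# and some packages are simply unknown to the backend.
KNOWLEDGE_BASE = {
    "Maven:org.example:lib-a:1.0": {"license": "Apache-2.0", "copyright": "Copyright (C) 2020 Example A"},
    "Maven:org.example:lib-b:2.1": {"license": "MIT", "copyright": "Copyright (C) 2019 Example B"},
}


def fake_backend(group):
    """Return library-level answers for every identifier the group asks about."""
    asked = {dep for deps in group["projects"].values() for dep in deps}
    return {pkg: KNOWLEDGE_BASE[pkg] for pkg in asked if pkg in KNOWLEDGE_BASE}


def to_scan_results(group, answers, scanner="fake-backend"):
    """Map backend answers into one scan result per package.

    Findings carry path=None because the backend only knows whole libraries.
    Packages without an answer are returned separately so the caller sees the
    gap rather than mistaking "no data" for "no licenses found"."""
    asked = {dep for deps in group["projects"].values() for dep in deps}
    results, unresolved = {}, set()
    for pkg in sorted(asked):
        if pkg not in answers:
            unresolved.add(pkg)
            continue
        answer = answers[pkg]
        results[pkg] = {
            "scanner": scanner,
            "license_findings": [{"license": answer["license"], "path": None}],
            "copyright_findings": [{"statement": answer["copyright"], "path": None}],
        }
    return results, unresolved


def run_scan(result, group_name="ort-demo"):
    """Whole pipeline: build the group, ask once, map everything back in one step."""
    group = build_project_group(result, group_name)
    return to_scan_results(group, fake_backend(group))


# Constructed analyzer result: two projects sharing dependencies transitively.
SAMPLE = AnalyzerResult(
    projects=(
        Project("Maven:org.example:app:1.0", {"compile": ["Maven:org.example:lib-a:1.0"]}),
        Project("Maven:org.example:tool:1.0", {"compile": ["Maven:org.example:lib-b:2.1",
                                                           "Maven:org.example:lib-c:0.3"]}),
    ),
    dependencies={
        "Maven:org.example:lib-a:1.0": ["Maven:org.example:lib-b:2.1"],
        "Maven:org.example:lib-b:2.1": [],
        "Maven:org.example:lib-c:0.3": ["Maven:org.example:lib-a:1.0"],
    },
)

if __name__ == "__main__":
    scan_results, unknown = run_scan(SAMPLE)
    for pkg, res in scan_results.items():
        print(pkg, res["license_findings"][0]["license"])
    print("unresolved:", sorted(unknown))
```

Because every project's dependencies are collected before the single backend call, a package used by several projects is asked about once and its answer is reused; that deduplication is the practical reason the comment asks for a result-level rather than a per-package scanner hook.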