Skip to content

Add a workflows to test the ORT to ScanCode.io integration #1886

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Add a workflows to test the ORT to ScanCode.io integration #1886

wants to merge 9 commits into from

Conversation

@tsteenbe
Copy link

@tsteenbe tsteenbe commented Sep 22, 2025
edited
Loading

See individual commits for details.

@tsteenbe
Copy link
Author

tsteenbe commented Sep 22, 2025

This PR is currently blocked due to #1885.

@tsteenbe tsteenbe force-pushed the sca-integration-ort-to-scancode-io branch 2 times, most recently from d90305a to 218fc4f Compare September 22, 2025 13:54
This was referenced Sep 22, 2025
Open
Closed
@tsteenbe tsteenbe force-pushed the sca-integration-ort-to-scancode-io branch from 218fc4f to 345155d Compare October 1, 2025 07:56
@tsteenbe
Add CycloneDX 1.6 funtest resources from ORT 67.1.0 reporter
085c71f 
Signed-off-by: Thomas Steenbergen <thomas@aboutcode.org>
@tsteenbe
Add SPDX 2.3 funtest resources from ORT 67.1.0 reporter
556908c 
Signed-off-by: Thomas Steenbergen <thomas@aboutcode.org>
@tsteenbe
Add SPDX 2.2 funtest resources from ORT 67.1.0 reporter
d87c16c 
Signed-off-by: Thomas Steenbergen <thomas@aboutcode.org>
@tsteenbe
Add scan result example from ORTHW d3c9173
4e3b912 
Signed-off-by: Thomas Steenbergen <thomas@aboutcode.org>
@tsteenbe tsteenbe force-pushed the sca-integration-ort-to-scancode-io branch 4 times, most recently from ba94ab2 to 1cd5ce0 Compare November 19, 2025 10:38
@tsteenbe
Add workflows to test the ORT to ScanCode.io integration
2452675 
Resolves #1727 #1884.

Signed-off-by: Thomas Steenbergen <thomas@aboutcode.org>
@tsteenbe tsteenbe force-pushed the sca-integration-ort-to-scancode-io branch from 1cd5ce0 to 2452675 Compare November 19, 2025 10:40
@tsteenbe tsteenbe marked this pull request as ready for review November 19, 2025 10:41
@tsteenbe
Copy link
Author

tsteenbe commented Nov 19, 2025

@tdruez Could you help me debug this PR, have been running into issues with ScanCode.io detecting the right number of packages, vulnerabilities and dependencies?

@tsteenbe tsteenbe requested a review from tdruez November 19, 2025 10:42
@tdruez
Replace old check system with verify-project command
b67a9b1 
plus a few adjustments.

Signed-off-by: tdruez <tdruez@aboutcode.org>
@tdruez
Set 0 expected packages for the "result-without-findings" SBOM
afcd93c 
Signed-off-by: tdruez <tdruez@aboutcode.org>
@tdruez
Set 0 expected vulnerability for the "SPDX YAML SBOM"
946648f 
Not vulnerability data in SPDX output

Signed-off-by: tdruez <tdruez@aboutcode.org>
@tdruez
Enable the XML SBOM job
edc8ca6 
Signed-off-by: tdruez <tdruez@aboutcode.org>
@tdruez
Copy link
Contributor

tdruez commented Nov 20, 2025

Hey @tsteenbe, sure I can help!

Changes:

  • Set 0 expected packages for the "result-without-findings" SBOM afcd93c
  • Set 0 expected vulnerability for the "SPDX YAML SBOM", no vulnerability data in SPDX output 946648f
  • Enable the XML SBOM job, now properly supported edc8ca6

Now there are a couple FIXME left to discuss:

  1. https://github.com/aboutcode-org/scancode.io/pull/1886/files#diff-a1d9a02b6d47c297535484fe73ff6436f3ba38f7b3de938b41aa3b43bde7158bR210

This is a data issue. ScanCode.io loads what is provided in the SBOM, see https://github.com/oss-review-toolkit/ort/blob/e40ada3cda7ff156607e88499540e82741b3aaee/plugins/reporters/cyclonedx/src/funTest/resources/cyclonedx-reporter-expected-result.json#L365-L386

Nothing to fix here imo.

  1. https://github.com/aboutcode-org/scancode.io/pull/1886/files#diff-a1d9a02b6d47c297535484fe73ff6436f3ba38f7b3de938b41aa3b43bde7158bR341-R346
    Both values look correct in the ScanCode.io imported results. The SBOM has 380 components and the full dependencies tree looks correct too.

Let me know about the expected values.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tdruez tdruez Awaiting requested review from tdruez

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tsteenbe @tdruez