diff --git a/.github/workflows/ort/action.yml b/.github/workflows/ort/action.yml index c6cdfa5b28c..93c13715279 100644 --- a/.github/workflows/ort/action.yml +++ b/.github/workflows/ort/action.yml @@ -4,12 +4,6 @@ name: "Run OSS Review Toolkit" description: "Runs OSS Review Toolkit & generates SBoMs" inputs: - build-artifacts: - description: | - Build Artifact paths to include into SBoM. - May contain a glob pattern or list of paths separated by a newline. - required: false - default: "" report-formats: description: "ORT Report Formats" required: true diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6a5b9689032..0ef12ff3dc1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -196,7 +196,6 @@ jobs: id: ort uses: ./.github/workflows/ort with: - build-artifacts: "/tmp/build-artifacts/*" report-formats: "CycloneDx,SpdxDocument" version: "${{ github.ref_type == 'tag' && github.ref_name || github.sha }}" diff --git a/.ort.yml b/.ort.yml index 2aa3687fd46..ee3bf93d0e0 100644 --- a/.ort.yml +++ b/.ort.yml @@ -1,23 +1,111 @@ # SPDX-License-Identifier: Apache-2.0 # SPDX-FileCopyrightText: 2021 The Elixir Team +excludes: + paths: + - pattern: "lib/elixir/pages/**/*" + reason: "DOCUMENTATION_OF" + comment: "Documentation" + - pattern: "lib/elixir/scripts/**/*" + reason: "BUILD_TOOL_OF" + comment: "Build Tool" + - pattern: "lib/ex_unit/examples/**/*" + reason: "EXAMPLE_OF" + comment: "Example" + - pattern: "lib/*/test/**/*" + reason: "TEST_OF" + comment: "Tests" + - pattern: "man/*" + reason: "DOCUMENTATION_OF" + comment: "Documentation" + - pattern: ".github/*" + reason: "BUILD_TOOL_OF" + comment: "Documentation" + - pattern: ".ort/*" + reason: "BUILD_TOOL_OF" + comment: "Documentation" + curations: license_findings: + # Logos - path: "lib/elixir/pages/images/logo.png" - reason: "INCORRECT" + reason: "NOT_DETECTED" + comment: "Apply Trademark Policy to Elixir Logo" + detected_license: "NONE" + concluded_license: "LicenseRef-elixir-trademark-policy" + - path: "lib/elixir/scripts/windows_installer/assets/Elixir.ico" + reason: "NOT_DETECTED" comment: "Apply Trademark Policy to Elixir Logo" detected_license: "NONE" concluded_license: "LicenseRef-elixir-trademark-policy" + # Version File + - path: "VERSION" + reason: "NOT_DETECTED" + comment: "Apply Trademark Policy to VERSION file" + detected_license: "NONE" + concluded_license: "Apache-2.0" + + # Documentation Images + - path: "lib/elixir/pages/images/**/*.png" + reason: "NOT_DETECTED" + comment: "Apply default license to all images" + detected_license: "NONE" + concluded_license: "Apache-2.0" + + # Test Fixtures + - path: "lib/eex/test/fixtures/**/*" + reason: "NOT_DETECTED" + comment: "Apply default license to test fixtures" + detected_license: "NONE" + concluded_license: "Apache-2.0" + - path: "lib/elixir/test/elixir/fixtures/**/*" + reason: "NOT_DETECTED" + comment: "Apply default license to test fixtures" + detected_license: "NONE" + concluded_license: "Apache-2.0" + - path: "lib/ex_unit/test/fixtures/**/*" + reason: "NOT_DETECTED" + comment: "Apply default license to test fixtures" + detected_license: "NONE" + concluded_license: "Apache-2.0" + - path: "lib/mix/test/fixtures/**/*" + reason: "NOT_DETECTED" + comment: "Apply default license to test fixtures" + detected_license: "NONE" + concluded_license: "Apache-2.0" + + # Unicode + - path: "lib/elixir/unicode/*.txt" + reason: "NOT_DETECTED" + comment: "Apply default license to unicode files" + detected_license: "NONE" + concluded_license: "LicenseRef-scancode-unicode" + + # Wrongly Identified + - path: "LICENSES/LicenseRef-elixir-trademark-policy.txt" + reason: "INCORRECT" + comment: "Correct LicenseRef" + detected_license: "LicenseRef-scancode-proprietary-license" + concluded_license: "LicenseRef-elixir-trademark-policy" - path: "lib/elixir/pages/references/library-guidelines.md" reason: "INCORRECT" comment: | The guide mentions multiple licenses for users to choose from. It however is not licensed itself by the mentioned licenses. concluded_license: "Apache-2.0" - - - path: "**/*" + - path: ".gitignore" + reason: "INCORRECT" + comment: "Ignored by ScanCode" + detected_license: "NONE" + concluded_license: "Apache-2.0" + - path: ".gitattributes" + reason: "INCORRECT" + comment: "Ignored by ScanCode" + detected_license: "NONE" + concluded_license: "Apache-2.0" + - path: "lib/elixir/scripts/windows_installer/.gitignore" reason: "INCORRECT" - comment: "Apply default license to all unknown files" + comment: "Ignored by ScanCode" detected_license: "NONE" concluded_license: "Apache-2.0" diff --git a/.ort/config/config.yml b/.ort/config/config.yml index 9b45396fdf8..159637f3a6d 100644 --- a/.ort/config/config.yml +++ b/.ort/config/config.yml @@ -8,5 +8,5 @@ ort: analyzer: allowDynamicVersions: true - enabledPackageManagers: [Unmanaged] + enabledPackageManagers: [SpdxDocumentFile] skipExcluded: true diff --git a/project.spdx.yml b/project.spdx.yml new file mode 100644 index 00000000000..c06eacc1ecc --- /dev/null +++ b/project.spdx.yml @@ -0,0 +1,28 @@ +SPDXID: "SPDXRef-DOCUMENT" +spdxVersion: "SPDX-2.2" +creationInfo: + created: "2025-02-05T12:29:35Z" + creators: + - "Organization: The Elixir Team" + licenseListVersion: "3.9" +name: "elixir" +dataLicense: "CC0-1.0" +documentNamespace: "https://github.com/elixir-lang/elixir" +documentDescribes: +- "SPDXRef-Package-elixir" +packages: +- SPDXID: "SPDXRef-Package-elixir" + summary: "About Elixir is a dynamic, functional language for building scalable and maintainable applications" + copyrightText: "Copyright (c) 2012 Plataformatec. Copyright (c) 2021 The Elixir Team. All Rights Reserved." + downloadLocation: "git+https://github.com/elixir-lang/elixir.git" + filesAnalyzed: false + homepage: "https://elixir-lang.org/" + licenseConcluded: "Apache-2.0 AND LicenseRef-scancode-unicode" + licenseDeclared: "Apache-2.0 AND LicenseRef-scancode-unicode" + name: "elixir" + packageFileName: "./" + externalRefs: + - referenceCategory: PACKAGE-MANAGER + referenceType: "purl" + referenceLocator: "pkg:github/elixir-lang/elixir" + comment: "GitHub PURL"