Expose Packages in SBoM (#14264)

.github/workflows/ort/action.yml

@@ -54,14 +54,22 @@ runs:
         mkdir -p "/$HOME/.ort/"
 
         # Move Fetched Default Config into Place
-        mv .ort-config "/$HOME/.ort/config"
+        mv .ort-config "$HOME/.ort/config"
         
         # Append Global ORT Config
         cat .ort/config/config.yml >> "$HOME/.ort/config/config.yml"
         
         # Override Default Evaluator Rules
         cp .ort/config/evaluator.rules.kts "$HOME/.ort/config/evaluator.rules.kts"
 
+        # Set Version in SPDX & Config
+        sed -i "s/# elixir-version-insert/versionInfo: '${ELIXIR_VERSION}'/" project.spdx.yml
+        sed -i -E "s/(\"SpdxDocumentFile:The Elixir Team:.+:)\"/\1${ELIXIR_VERSION}\"/" .ort.yml
+        sed -i "s|https://github.com/elixir-lang/elixir.git|${ELIXIR_REPO}@${ELIXIR_VERSION}|" project.spdx.yml
+      env:
+        ELIXIR_VERSION: "${{ inputs.version }}"
+        ELIXIR_REPO: "${{ github.server_url }}/${{ github.repository }}.git"
+
     - name: "Cache ScanCode"
       uses: actions/cache@v4
       with:
@@ -74,10 +82,10 @@ runs:
       # * https://github.com/oss-review-toolkit/ort-ci-github-action/issues/37
       # * https://github.com/oss-review-toolkit/ort-ci-github-action/pull/41
       # * https://github.com/oss-review-toolkit/ort-ci-github-action/pull/43
-      uses: maennchen/ort-ci-github-action@action-output
+      uses: oss-review-toolkit/ort-ci-github-action@2cda885c8eefaf92bab9f3e979b5d5a42970dfa4 # main
       with:
-        image: ghcr.io/oss-review-toolkit/ort-minimal:latest
-        run: >
+        image: ghcr.io/oss-review-toolkit/ort-minimal:51.1.0
+        run: >-
           labels,
           cache-dependencies,
           cache-scan-results,
@@ -89,5 +97,7 @@ runs:
           ${{ inputs.upload-reports == 'true' && 'upload-results' || '' }}
         fail-on: "${{ inputs.fail-on-violation == 'true' && 'violations,issues' || '' }}"
         report-formats: "${{ inputs.report-formats }}"
-        ort-cli-report-args: '-O CycloneDX=output.file.formats=json,xml -O SpdxDocument=outputFileFormats=JSON,YAML'
+        ort-cli-report-args: >-
+          -O CycloneDX=output.file.formats=json,xml
+          -O SpdxDocument=outputFileFormats=JSON,YAML
         sw-version: "${{ inputs.version }}"

.ort.yml

@@ -18,10 +18,10 @@ excludes:
     - pattern: "man/*"
       reason: "DOCUMENTATION_OF"
       comment: "Documentation"
-    - pattern: ".github/*"
+    - pattern: ".github/**/*"
       reason: "BUILD_TOOL_OF"
       comment: "Documentation"
-    - pattern: ".ort/*"
+    - pattern: ".ort/**/*"
       reason: "BUILD_TOOL_OF"
       comment: "Documentation"
 
@@ -109,3 +109,32 @@ curations:
       comment: "Ignored by ScanCode"
       detected_license: "NONE"
       concluded_license: "Apache-2.0"
+
+  packages:
+    - id: "SpdxDocumentFile:The Elixir Team:elixir-lang:"
+      curations:
+        concluded_license: "Apache-2.0 AND LicenseRef-scancode-unicode"
+    - id: "SpdxDocumentFile:The Elixir Team:eex:"
+      curations:
+        concluded_license: "Apache-2.0"
+        is_metadata_only: true
+    - id: "SpdxDocumentFile:The Elixir Team:elixir:"
+      curations:
+        concluded_license: "Apache-2.0 AND LicenseRef-scancode-unicode"
+        is_metadata_only: true
+    - id: "SpdxDocumentFile:The Elixir Team:exunit:"
+      curations:
+        concluded_license: "Apache-2.0"
+        is_metadata_only: true
+    - id: "SpdxDocumentFile:The Elixir Team:iex:"
+      curations:
+        concluded_license: "Apache-2.0"
+        is_metadata_only: true
+    - id: "SpdxDocumentFile:The Elixir Team:logger:"
+      curations:
+        concluded_license: "Apache-2.0"
+        is_metadata_only: true
+    - id: "SpdxDocumentFile:The Elixir Team:mix:"
+      curations:
+        concluded_license: "Apache-2.0"
+        is_metadata_only: true

.ort/config/config.yml

@@ -2,6 +2,8 @@
 # SPDX-FileCopyrightText: 2021 The Elixir Team
 
 ort:
+  enableRepositoryPackageCurations: true
+
   scanner:
     skipConcluded: false
     includeFilesWithoutFindings: true

project.spdx.yml

@@ -9,20 +9,184 @@ name: "elixir"
 dataLicense: "CC0-1.0"
 documentNamespace: "https://github.com/elixir-lang/elixir"
 documentDescribes:
-- "SPDXRef-Package-elixir"
+- "SPDXRef-Project-elixir-lang"
 packages:
-- SPDXID: "SPDXRef-Package-elixir"
+- SPDXID: "SPDXRef-Project-elixir-lang"
   summary: "About Elixir is a dynamic, functional language for building scalable and maintainable applications"
   copyrightText: "Copyright (c) 2012 Plataformatec. Copyright (c) 2021 The Elixir Team. All Rights Reserved."
   downloadLocation: "git+https://github.com/elixir-lang/elixir.git"
   filesAnalyzed: false
   homepage: "https://elixir-lang.org/"
+  licenseConcluded: "Apache-2.0 AND LicenseRef-scancode-unicode AND LicenseRef-elixir-trademark-policy"
+  licenseDeclared: "Apache-2.0 AND LicenseRef-scancode-unicode AND LicenseRef-elixir-trademark-policy"
+  name: "elixir-lang"
+  originator: "Organization: The Elixir Team"
+  supplier: "Organization: The Elixir Team"
+  packageFileName: "."
+  externalRefs:
+    - referenceCategory: PACKAGE-MANAGER
+      referenceType: "purl"
+      referenceLocator: "pkg:github/elixir-lang/elixir"
+      comment: "GitHub PURL"
+  # elixir-version-insert
+- SPDXID: "SPDXRef-Package-eex"
+  summary: "About Elixir is a dynamic, functional language for building scalable and maintainable applications"
+  copyrightText: "Copyright (c) 2012 Plataformatec. Copyright (c) 2021 The Elixir Team. All Rights Reserved."
+  downloadLocation: "git+https://github.com/elixir-lang/elixir.git#lib/eex"
+  filesAnalyzed: false
+  homepage: "https://elixir-lang.org/"
+  licenseConcluded: "Apache-2.0"
+  licenseDeclared: "Apache-2.0"
+  name: "eex"
+  originator: "Organization: The Elixir Team"
+  supplier: "Organization: The Elixir Team"
+  packageFileName: "./lib/eex"
+  externalRefs:
+    - referenceCategory: PACKAGE-MANAGER
+      referenceType: "purl"
+      referenceLocator: "pkg:otp/eex"
+      comment: "OTP PURL"
+  # elixir-version-insert
+- SPDXID: "SPDXRef-Package-elixir"
+  summary: "About Elixir is a dynamic, functional language for building scalable and maintainable applications"
+  copyrightText: "Copyright (c) 2012 Plataformatec. Copyright (c) 2021 The Elixir Team. All Rights Reserved."
+  downloadLocation: "git+https://github.com/elixir-lang/elixir.git#lib/elixir"
+  filesAnalyzed: false
+  homepage: "https://elixir-lang.org/"
   licenseConcluded: "Apache-2.0 AND LicenseRef-scancode-unicode"
   licenseDeclared: "Apache-2.0 AND LicenseRef-scancode-unicode"
   name: "elixir"
-  packageFileName: "./"
+  originator: "Organization: The Elixir Team"
+  supplier: "Organization: The Elixir Team"
+  packageFileName: "./lib/elixir"
   externalRefs:
     - referenceCategory: PACKAGE-MANAGER
       referenceType: "purl"
-      referenceLocator: "pkg:github/elixir-lang/elixir"
+      referenceLocator: "pkg:otp/elixir"
+      comment: "OTP PURL"
+  # elixir-version-insert
+- SPDXID: "SPDXRef-Package-exunit"
+  summary: "About Elixir is a dynamic, functional language for building scalable and maintainable applications"
+  copyrightText: "Copyright (c) 2012 Plataformatec. Copyright (c) 2021 The Elixir Team. All Rights Reserved."
+  downloadLocation: "git+https://github.com/elixir-lang/elixir.git#lib/ex_unit"
+  filesAnalyzed: false
+  homepage: "https://elixir-lang.org/"
+  licenseConcluded: "Apache-2.0"
+  licenseDeclared: "Apache-2.0"
+  name: "exunit"
+  originator: "Organization: The Elixir Team"
+  supplier: "Organization: The Elixir Team"
+  packageFileName: "./lib/ex_unit"
+  externalRefs:
+    - referenceCategory: PACKAGE-MANAGER
+      referenceType: "purl"
+      referenceLocator: "pkg:otp/ex_unit"
+      comment: "OTP PURL"
+  # elixir-version-insert
+- SPDXID: "SPDXRef-Package-iex"
+  summary: "About Elixir is a dynamic, functional language for building scalable and maintainable applications"
+  copyrightText: "Copyright (c) 2012 Plataformatec. Copyright (c) 2021 The Elixir Team. All Rights Reserved."
+  downloadLocation: "git+https://github.com/elixir-lang/elixir.git#lib/iex"
+  filesAnalyzed: false
+  homepage: "https://elixir-lang.org/"
+  licenseConcluded: "Apache-2.0"
+  licenseDeclared: "Apache-2.0"
+  name: "iex"
+  originator: "Organization: The Elixir Team"
+  supplier: "Organization: The Elixir Team"
+  packageFileName: "./lib/iex"
+  externalRefs:
+    - referenceCategory: PACKAGE-MANAGER
+      referenceType: "purl"
+      referenceLocator: "pkg:otp/iex"
+      comment: "OTP PURL"
+  # elixir-version-insert
+- SPDXID: "SPDXRef-Package-logger"
+  summary: "About Elixir is a dynamic, functional language for building scalable and maintainable applications"
+  copyrightText: "Copyright (c) 2012 Plataformatec. Copyright (c) 2021 The Elixir Team. All Rights Reserved."
+  downloadLocation: "git+https://github.com/elixir-lang/elixir.git/lib/logger"
+  filesAnalyzed: false
+  homepage: "https://elixir-lang.org/"
+  licenseConcluded: "Apache-2.0"
+  licenseDeclared: "Apache-2.0"
+  name: "logger"
+  originator: "Organization: The Elixir Team"
+  supplier: "Organization: The Elixir Team"
+  packageFileName: "./lib/logger"
+  externalRefs:
+    - referenceCategory: PACKAGE-MANAGER
+      referenceType: "purl"
+      referenceLocator: "pkg:otp/logger"
+      comment: "OTP PURL"
+  # elixir-version-insert
+- SPDXID: "SPDXRef-Package-mix"
+  summary: "About Elixir is a dynamic, functional language for building scalable and maintainable applications"
+  copyrightText: "Copyright (c) 2012 Plataformatec. Copyright (c) 2021 The Elixir Team. All Rights Reserved."
+  downloadLocation: "git+https://github.com/elixir-lang/elixir.git#lib/mix"
+  filesAnalyzed: false
+  homepage: "https://elixir-lang.org/"
+  licenseConcluded: "Apache-2.0"
+  licenseDeclared: "Apache-2.0"
+  name: "mix"
+  originator: "Organization: The Elixir Team"
+  supplier: "Organization: The Elixir Team"
+  packageFileName: "./lib/mix"
+  externalRefs:
+    - referenceCategory: PACKAGE-MANAGER
+      referenceType: "purl"
+      referenceLocator: "pkg:otp/mix"
+      comment: "OTP PURL"
+  # elixir-version-insert
+- SPDXID: "SPDXRef-Project-erlang"
+  description: "Erlang is a programming language and runtime system for building massively scalable soft real-time systems with requirements on high availability."
+  copyrightText: "Copyright Ericsson AB 2010-2024. All Rights Reserved."
+  downloadLocation: "git+https://github.com/erlang/otp.git"
+  filesAnalyzed: false
+  homepage: "https://www.erlang.org/"
+  licenseConcluded: "Apache-2.0"
+  licenseDeclared: "Apache-2.0"
+  name: "erlang"
+  originator: "Organization: Ericsson AB"
+  supplier: "Organization: Ericsson AB"
+  externalRefs:
+    - referenceCategory: PACKAGE-MANAGER
+      referenceType: "purl"
+      referenceLocator: "pkg:github/erlang/otp"
       comment: "GitHub PURL"
+relationships:
+- spdxElementId: "SPDXRef-Project-elixir-lang"
+  relatedSpdxElement: "SPDXRef-Package-eex"
+  relationshipType: "STATIC_LINK" # Should be CONTAINS, issue with ORT
+- spdxElementId: "SPDXRef-Project-elixir-lang"
+  relatedSpdxElement: "SPDXRef-Package-elixir"
+  relationshipType: "STATIC_LINK" # Should be CONTAINS, issue with ORT
+- spdxElementId: "SPDXRef-Project-elixir-lang"
+  relatedSpdxElement: "SPDXRef-Package-exunit"
+  relationshipType: "STATIC_LINK" # Should be CONTAINS, issue with ORT
+- spdxElementId: "SPDXRef-Project-elixir-lang"
+  relatedSpdxElement: "SPDXRef-Package-iex"
+  relationshipType: "STATIC_LINK" # Should be CONTAINS, issue with ORT
+- spdxElementId: "SPDXRef-Project-elixir-lang"
+  relatedSpdxElement: "SPDXRef-Package-logger"
+  relationshipType: "STATIC_LINK" # Should be CONTAINS, issue with ORT
+- spdxElementId: "SPDXRef-Project-elixir-lang"
+  relatedSpdxElement: "SPDXRef-Package-mix"
+  relationshipType: "STATIC_LINK" # Should be CONTAINS, issue with ORT
+- spdxElementId: "SPDXRef-Package-elixir"
+  relatedSpdxElement: "SPDXRef-Project-erlang"
+  relationshipType: "RUNTIME_DEPENDENCY_OF"
+- spdxElementId: "SPDXRef-Package-eex"
+  relatedSpdxElement: "SPDXRef-Package-elixir"
+  relationshipType: "STATIC_LINK"
+- spdxElementId: "SPDXRef-Package-exunit"
+  relatedSpdxElement: "SPDXRef-Package-elixir"
+  relationshipType: "STATIC_LINK"
+- spdxElementId: "SPDXRef-Package-iex"
+  relatedSpdxElement: "SPDXRef-Package-elixir"
+  relationshipType: "STATIC_LINK"
+- spdxElementId: "SPDXRef-Package-logger"
+  relatedSpdxElement: "SPDXRef-Package-elixir"
+  relationshipType: "STATIC_LINK"
+- spdxElementId: "SPDXRef-Package-mix"
+  relatedSpdxElement: "SPDXRef-Package-elixir"
+  relationshipType: "STATIC_LINK"