The various configuration files recognised by ORT and used for our setup are all located in the `conf/` directory of the repository. They are:

* `config.yml` (formerly `ort.conf`) is the main configuration file for ORT, used for the backend cache, ScanCode options, etc.
* `curations.yml` holds our curated list of approved libraries, and `curations/` contains all the curations we manually feed to ORT.
* `evaluator.rules.kts` declares which categories of licences are acceptable in our context, and includes the OSADL matrix computations.
* `license-classifications.yml` defines the licence categories we use (approved or ignored). This file is regularly updated from [Eclipse's official list](https://www.eclipse.org/legal/licenses.json).

## Licence classification

We currently build our licence classification mechanism from three files:

* `eclipse_licenses_approved.json` is downloaded from https://www.eclipse.org/legal/licenses.json
* `eclipse_licenses_approved_priv.json` is a second, not-yet-official list of approved licences, available in [the repository](https://gitlab.eclipse.org/eclipsefdn/emo-team/eclipsefdn-ort/-/blob/main/conf/eclipse_licenses_approved_priv.json).
* `eclipse_licenses_ignored.json` is a list of licences detected by ScanCode that are [generally non-relevant](https://gitlab.eclipse.org/eclipsefdn/emo-team/eclipsefdn-ort/-/issues/3) and can be safely disregarded.

The categories defined for our context are `ef-approved` and `ef-ignored`. These categories are then taken into account by the `evaluator.rules.kts` file.

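The file ORT actually consumes is `license-classifications.yml`. As an added illustration (not the file from the eclipsefdn-ort repository nor one taken from ORT's documentation), here is the structure that file takes once the three JSON lists above have been merged. The two category names are the ones defined above; the licence ids under each category are illustrative picks, not copies of the Eclipse lists, and the comment on each entry says which JSON file it would come from.

```yaml
# Added example of ORT's license-classifications.yml, using the two
# categories defined above. The licence ids are illustrative, not a copy of
# the Eclipse lists; the source file for each entry is named in a comment.
categories:
  - name: "ef-approved"
    description: "Licences on the Eclipse Foundation approved list or in our not-yet-official additions."
  - name: "ef-ignored"
    description: "ScanCode detections that do not identify a real licence and are disregarded by the rules."

categorizations:
  # From eclipse_licenses_approved.json
  - id: "Apache-2.0"
    categories:
      - "ef-approved"
  - id: "EPL-2.0"
    categories:
      - "ef-approved"
  - id: "MIT"
    categories:
      - "ef-approved"
  # From eclipse_licenses_approved_priv.json (not yet on the official list)
  - id: "BSD-3-Clause"
    categories:
      - "ef-approved"
  # From eclipse_licenses_ignored.json: ScanCode only records that some
  # licence text was referenced here, so there is nothing to evaluate.
  - id: "LicenseRef-scancode-unknown-license-reference"
    categories:
      - "ef-ignored"
```

ORT validates this file when it loads it: every category named under `categorizations` must be declared under `categories`, and a licence id may appear in only one `categorizations` entry. A licence that ends up in both the approved and the ignored JSON lists therefore has to be merged into a single entry (listing both categories) or dropped from one list before the file is generated, otherwise ORT rejects the whole file rather than silently picking one category. The category names must also match the strings that `evaluator.rules.kts` checks, since that is the only link between this file and the rules.
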
## Generic structure
## Curations

Curations are used to correct invalid or missing package metadata, configure licence mappings, or set the concluded licence for packages.

The defined process includes curations retrieved from [clearlydefined](https://clearlydefined.io) and from the [Eclipse IPLab](https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab).

* Where? `curations.yml`, `.ort.yml`
* When? passed to the `analyze` or `evaluate` command.
* Doc: https://github.com/oss-review-toolkit/ort/blob/main/docs/config-file-curations-yml.md

IPLab is the official reference for dependencies manually vetted by the Eclipse IP team. A dedicated script exports the whole set of validated issues as [a YML file](http://www.eclipse.org/projects/services/curations.yml.php), and we [regularly update](Strategy-for-global-analysis) the ORT configuration with the newest export.

For more information, see the official documentation for curations hosted in the ORT repository [1]; an example file is provided for convenience [2].

[1] https://github.com/oss-review-toolkit/ort/blob/main/docs/config-file-curations-yml.md \
[2] https://github.com/oss-review-toolkit/ort/blob/main/examples/curations.yml

We've conducted a few tests on our instance and eventually settled on this format:

```yaml
# Package ids follow ORT's "type:namespace:name:version" form; the empty
# namespace field is why unscoped npm packages carry a double colon.
- id: "NPM::argparse:1.0.10"
  curations:
    comment: "Manually checked issue, it is a false-positive. License available at https://www.npmjs.com/package/argparse/v/1.0.10"
    concluded_license: "MIT"
- id: "NPM::chokidar:3.5.2"
  curations:
    comment: "Manually checked issue, it is a false-positive. License available at https://www.npmjs.com/package/chokidar/v/3.5.2"
    concluded_license: "MIT"
```

As of now, curations are automatically exported from the IPZilla API thanks to a new endpoint, as described in issue #10:

* http://www.eclipse.org/projects/services/curations.yml.php

## Resolutions

[Resolutions](https://github.com/oss-review-toolkit/ort/blob/main/docs/config-file-resolutions-yml.md) allow you to resolve issues, policy rule violations or vulnerabilities on specific projects by providing a reason why they are acceptable and can be ignored.

* Where? `resolutions.yml`, `.ort.yml`
* When? passed to the `reporter`.
* Doc: https://github.com/oss-review-toolkit/ort/blob/main/docs/config-file-resolutions-yml.md

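As an added example (not our actual `resolutions.yml`), the file has one list per kind of finding. Each `message` is a regular expression that ORT matches against the text of the issue or rule violation, and `reason` must be one of ORT's fixed reason values. The messages below are constructed placeholders in the shape of a scanner issue and of a rule violation our `evaluator.rules.kts` could emit; they are not the real wording, and `Maven:org.example:lib:1.0.0` is a placeholder package, not a real dependency.

```yaml
# Added example of an ORT resolutions.yml. The issue and violation messages
# are constructed placeholders, not text produced by our rules or scanner.
issues:
  # Escape the dots and name the exact file: "ERROR: Timeout.*" would hide
  # every scanner timeout in every package, not just this one.
  - message: "ERROR: Timeout after 300 seconds while scanning file 'dist/bundle\\.min\\.js'\\."
    reason: "SCANNER_ISSUE"
    comment: "Minified bundle that ScanCode cannot finish; the package licence is concluded by curation instead."

rule_violations:
  # Placeholder package id and message; real violations carry whatever text
  # evaluator.rules.kts emits, so copy it from the report before resolving.
  - message: "Package Maven:org\\.example:lib:1\\.0\\.0 has licence LGPL-2\\.1-or-later which is not ef-approved\\."
    reason: "DYNAMIC_LINKAGE_EXCEPTION"
    comment: "Consumed unmodified as a dynamically linked dependency; reviewed by the IP team."
```

A resolution only hides a finding; it does not fix the data behind it. When the real problem is a wrong detected licence, prefer a curation with `concluded_license` (see the Curations section), so that every later scan, report and policy rule sees the corrected licence rather than a suppressed violation. Keep each pattern narrow enough that it cannot match a new finding on another package, and review the file whenever the rule messages in `evaluator.rules.kts` change, because a resolution whose regex no longer matches stops working silently.
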