Fossology, SPDX Packages & Sub Packages


Dear All,

I am having a hard time using Fossology to fulfil my needs efficiently.
I would like to share one of the core aspects I am struggling with, and would love to see if some of you are facing the same problems.

My goal is to scan complete products source code, and ultimately produce a report listing all embedded components (libraries, dependencies, etc.), their licenses as well as copyright notices.
Today, I generate SPDX-TV reports with Fossology, convert them to XLS format using the SPDX Tools [1], and manually reorganise the file to create a list of components.
I didn't find within Fossology a way to indicate that, for example, a given directory/file contains the library X, licensed under Y, and copyrighted to Z, and generate the corresponding SPDX report.

Besides, the SPDX specifications seem to allow Package and Sub-Package identification [2], which seems to be what I'm looking for.

So my questions are:
- Do you share the need of identifying components / sub-packages within a scanned project?
- If so, is there a way to achieve this with Fossology, and produce SPDX reports?
- Can the SPDX [Sub-]Package be used to identify components and their license?
- ... or is my compliance process totally wrong (should I identify and scan all components separately)?


Nicolas Toussaint
OAB - Orange Applications for Business - Lyon
Tel: +33 608 763 559
