Frank Viernau
I've run `Cvss.parse(..)` against a couple of vectors, e.g. `"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"`. The implementation matches it as a `3.0` string, so `Cvss.parse(..).toVector()` returns vectors of the form `"CVSS:3.1/*"`.
The data model of the curated package does not store the uncurated package explicitly. It stores a list of package diffs, computed by `Package.diff()`. The idea was that the original...
See individual commits.
Flagging non-inclusive language in ORT can make it easy for companies to enforce their respective policy. ORT may examine the code as well as the VCS history (e.g. prior to...
For Python projects it is hard (impossible) to determine to which Python version they apply. ORT has some mechanism which tries (1) Python 2.x and (2) Python 3. In particular,...
Looking at all provider implementations it seems that having the severity as property of a reference is not necessary, because all providers do create redundant entries: 1. VulnerableCode - has...
### advisor data model The data model of the severity of vulnerabilities, aka `VulnerabilityReference`, is not very strictly typed. So, it provides too much flexibility, which introduces unnecessary complexity and the...
The Vulnerability data model is currently quite minimalistic. This can make a lot of sense; this information can probably be obtained by following the links, so it avoids redundancy. However, the...
BLOCKED BY BELOW TICKETS ORT's logic for determining VCS info currently works only for GitHub. It does not re-use the (non-trivial) logic from the tooling. As soon as the following...
A common use case which needs improvement: A source file is dual-licensed and ScanCode detects both licenses separately, e.g. `GPL-2.0-only`, `MIT`. If one wants to curate only that single...