Add ORT configurations and instructions (#24)

* Add ORT configurations and instructions - Add .ort.yml to fix mistakes made by the ORT scanner - Add release note instructions * Correct wording
iml130 · Jun 19, 2024 · da292f7 · da292f7
1 parent 66e0fdc
commit da292f7
Show file tree

Hide file tree

Showing 2 changed files with 107 additions and 0 deletions.
diff --git a/.ort.yml b/.ort.yml
@@ -0,0 +1,93 @@
+# SPDX-FileCopyrightText: The PFDL VS Code Extension Contributors
+# SPDX-License-Identifier: CC0-1.0
+
+excludes:
+  scopes:
+  - pattern: "devDependencies"
+    reason: "DEV_DEPENDENCY_OF"
+    comment: "Packages for development only."
+  - pattern: "\\*\\*/node_modules/\\*\\*"
+    reason: "BUILD_TOOL_OF"
+    comment: "Packages for building the source code only."
+  - pattern: "\\*\\*/package-lock.json"
+    reason: "BUILD_TOOL_OF"
+    comment: "Autogenerated by npm, might contain missleading information."
+
+curations:
+  license_findings:
+  - path: "README.md"
+    start_lines: 256
+    line_count: 1
+    detected_license: "LGPL-2.0-or-later"
+    reason: "DOCUMENTATION_OF"
+    comment: "The scanner missmatches a License declaration in the documentation."
+    concluded_license: "MIT"
+
+  - path: "pfdl/README.md"
+    start_lines: 81
+    line_count: 1
+    detected_license: "NOASSERTION"
+    reason: "DOCUMENTATION_OF"
+    comment: "The scanner missmatches a License declaration in the documentation."
+    concluded_license: "MIT"
+
+  - path: "pfdl/README.md"
+    start_lines: 87
+    line_count: 1
+    detected_license: "NOASSERTION"
+    reason: "DOCUMENTATION_OF"
+    comment: "The scanner missmatches a License declaration in the documentation."
+    concluded_license: "MIT"
+
+  - path: "pfdl/**/*.py"
+    start_lines: 3
+    line_count: 2
+    detected_license: "LicenseRef-scancode-proprietary-license"
+    reason: "INCORRECT"
+    comment: "The scanner missmatches the license headers of various python files."
+    concluded_license: "MIT"
+
+package_configurations:
+  - id: "NPM::dotparser:1.1.1"
+    vcs:
+      type: "Git"
+      url: "https://github.com/anvaka/dotparser.git"
+      revision: "0756a293a56ada4c978a6a1aa4d315ecdac2944e"
+    path_excludes:
+    - pattern: "./package-lock.json"
+      reason: "BUILD_TOOL_OF"
+      comment: "Autogenerated by npm, contains missleading licensing information."
+  - id: "NPM::minimatch:3.1.2"
+    vcs:
+      type: "Git"
+      url: "https://github.com/isaacs/minimatch.git"
+      revision: "699c459443a6bd98f5b28197978f76e7f71467ac"
+    path_excludes:
+    - pattern: "./package-lock.json"
+      reason: "BUILD_TOOL_OF"
+      comment: "Autogenerated by npm, contains missleading licensing information."
+  - id: "NPM::cytoscape:3.27.0"
+    vcs:
+      type: "Git"
+      url: "https://github.com/cytoscape/cytoscape.js.git"
+      revision: "f8ffa3a95eff6fc2427beab110c23a22843681ff"
+    path_excludes:
+    - pattern: "./test/lib/*"
+      reason: "TEST_OF"
+      comment: "test code is missinterpreted."
+  - id: "PyPI::certifi:2024.6.2"
+    source_artifact_url: "https://files.pythonhosted.org/packages/07/b3/e02f4f397c81077ffc52a538e0aec464016f1860c472ed33bd2a1d220cc5/certifi-2024.6.2.tar.gz"
+    path_excludes:
+    - pattern: "certifi-2024.6.2/certifi/cacert.pem"
+      reason: "OTHER"
+      comment: "pem file is analysed for copyrights."
+  - id: "PyPI::requests:2.32.3"
+    vcs:
+      type: "Git"
+      url: "https://github.com/psf/requests.git"
+      revision: "0e322af87745eff34caffe4df68456ebc20d9068"
+    path_excludes:
+    - pattern: "docs/**/*"
+      reason: "DOCUMENTATION_OF"
+      comment: "Wrong licensing information were gained from documentation files."
+
diff --git a/README.md b/README.md
@@ -233,6 +233,20 @@ The program crashes and it has something to do with the Scheduler the extension
 
 ## Release Notes
 
+For each release, a `.vsix` installation file for VS Code is provided, as well as a `bundle.js` source code file, containing the code that is responsible for the code visualization.
+
+Additionally, a license file is generated using the [OSS Review Toolkit (ORT)](http://oss-review-toolkit.org/ort/) to automatically collect and summarize licenses and copyright information declared in the dependencies of this project (excluding `devDependencies` for npm). The file can be reproduced by following the [ORT installation guide](http://oss-review-toolkit.org/ort/docs/getting-started/installation) and running the following commands from inside the downloaded ORT repository:
+
+```
+cli/build/install/ort/bin/ort analyze -i path/to/pfdl-vs-code-extension -o path/to/output/directory
+
+cli/build/install/ort/bin/ort -P ort.enableRepositoryPackageCurations=true -P ort.enableRepositoryPackageConfigurations=true -P ort.scanner.skipExcluded=true scan -i path/to/output/directory/analyzer-result.yml -o path/to/output/directory
+
+cli/build/install/ort/bin/ort report -f PdfTemplate -i path/to/output/directory/scan-result.yml -o path/to/output/directory
+```
+
+Note that the copyright information of this project found by ORT are not complete and had to be completed manually.
+
 ### v0.1.0
 
 - First release