Usage of SpdxDocumentFile package manager and ort.yml

[maennchen]

I'm currently implementing Source SBoMs for the Elixir programming language. To get as much detail into it as possible and also get adequate CycloneDX output (only contains packages, not project), I would like to change my project.spdx.yml to include the software components.

Before:

SPDXID: "SPDXRef-DOCUMENT"
spdxVersion: "SPDX-2.2"
creationInfo:
  created: "2025-02-05T12:29:35Z"
  creators:
  - "Organization: The Elixir Team"
  licenseListVersion: "3.9"
name: "elixir"
dataLicense: "CC0-1.0"
documentNamespace: "https://github.com/elixir-lang/elixir"
documentDescribes:
- "SPDXRef-Package-elixir"
packages:
- SPDXID: "SPDXRef-Package-elixir"
  summary: "About Elixir is a dynamic, functional language for building scalable and maintainable applications"
  copyrightText: "Copyright (c) 2012 Plataformatec. Copyright (c) 2021 The Elixir Team. All Rights Reserved."
  downloadLocation: "git+https://github.com/elixir-lang/elixir.git"
  filesAnalyzed: false
  homepage: "https://elixir-lang.org/"
  licenseConcluded: "Apache-2.0 AND LicenseRef-scancode-unicode"
  licenseDeclared: "Apache-2.0 AND LicenseRef-scancode-unicode"
  name: "elixir"
  packageFileName: "./"
  externalRefs:
    - referenceCategory: PACKAGE-MANAGER
      referenceType: "purl"
      referenceLocator: "pkg:otp/elixir"
      comment: "OTP PURL"

After:

SPDXID: "SPDXRef-DOCUMENT"
spdxVersion: "SPDX-2.2"
creationInfo:
  created: "2025-02-05T12:29:35Z"
  creators:
  - "Organization: The Elixir Team"
  licenseListVersion: "3.9"
name: "elixir"
dataLicense: "CC0-1.0"
documentNamespace: "https://github.com/elixir-lang/elixir"
documentDescribes:
- "SPDXRef-Package-elixir-lang"
packages:
- SPDXID: "SPDXRef-Package-elixir-lang"
  summary: "About Elixir is a dynamic, functional language for building scalable and maintainable applications"
  copyrightText: "Copyright (c) 2012 Plataformatec. Copyright (c) 2021 The Elixir Team. All Rights Reserved."
  downloadLocation: "git+https://github.com/elixir-lang/elixir.git"
  filesAnalyzed: false
  homepage: "https://elixir-lang.org/"
  licenseConcluded: "Apache-2.0 AND LicenseRef-scancode-unicode"
  licenseDeclared: "Apache-2.0 AND LicenseRef-scancode-unicode"
  name: "elixir-lang"
  externalRefs:
    - referenceCategory: PACKAGE-MANAGER
      referenceType: "purl"
      referenceLocator: "pkg:github/elixir-lang/elixir"
      comment: "GitHub PURL"
- SPDXID: "SPDXRef-Package-eex"
  summary: "About Elixir is a dynamic, functional language for building scalable and maintainable applications"
  copyrightText: "Copyright (c) 2012 Plataformatec. Copyright (c) 2021 The Elixir Team. All Rights Reserved."
  downloadLocation: "git+https://github.com/elixir-lang/elixir.git"
  filesAnalyzed: false
  homepage: "https://elixir-lang.org/"
  licenseConcluded: "Apache-2.0"
  licenseDeclared: "Apache-2.0"
  name: "eex"
  packageFileName: "./lib/eex"
  externalRefs:
    - referenceCategory: PACKAGE-MANAGER
      referenceType: "purl"
      referenceLocator: "pkg:otp/eex"
      comment: "OTP PURL"
- SPDXID: "SPDXRef-Package-elixir"
  summary: "About Elixir is a dynamic, functional language for building scalable and maintainable applications"
  copyrightText: "Copyright (c) 2012 Plataformatec. Copyright (c) 2021 The Elixir Team. All Rights Reserved."
  downloadLocation: "git+https://github.com/elixir-lang/elixir.git"
  filesAnalyzed: false
  homepage: "https://elixir-lang.org/"
  licenseConcluded: "Apache-2.0 AND LicenseRef-scancode-unicode"
  licenseDeclared: "Apache-2.0 AND LicenseRef-scancode-unicode"
  name: "elixir"
  packageFileName: "./lib/elixir"
  externalRefs:
    - referenceCategory: PACKAGE-MANAGER
      referenceType: "purl"
      referenceLocator: "pkg:otp/elixir"
      comment: "OTP PURL"
- SPDXID: "SPDXRef-Package-exunit"
  summary: "About Elixir is a dynamic, functional language for building scalable and maintainable applications"
  copyrightText: "Copyright (c) 2012 Plataformatec. Copyright (c) 2021 The Elixir Team. All Rights Reserved."
  downloadLocation: "git+https://github.com/elixir-lang/elixir.git"
  filesAnalyzed: false
  homepage: "https://elixir-lang.org/"
  licenseConcluded: "Apache-2.0"
  licenseDeclared: "Apache-2.0"
  name: "exunit"
  packageFileName: "./lib/ex_unit"
  externalRefs:
    - referenceCategory: PACKAGE-MANAGER
      referenceType: "purl"
      referenceLocator: "pkg:otp/ex_unit"
      comment: "OTP PURL"
- SPDXID: "SPDXRef-Package-iex"
  summary: "About Elixir is a dynamic, functional language for building scalable and maintainable applications"
  copyrightText: "Copyright (c) 2012 Plataformatec. Copyright (c) 2021 The Elixir Team. All Rights Reserved."
  downloadLocation: "git+https://github.com/elixir-lang/elixir.git"
  filesAnalyzed: false
  homepage: "https://elixir-lang.org/"
  licenseConcluded: "Apache-2.0"
  licenseDeclared: "Apache-2.0"
  name: "iex"
  packageFileName: "./lib/iex"
  externalRefs:
    - referenceCategory: PACKAGE-MANAGER
      referenceType: "purl"
      referenceLocator: "pkg:otp/iex"
      comment: "OTP PURL"
- SPDXID: "SPDXRef-Package-logger"
  summary: "About Elixir is a dynamic, functional language for building scalable and maintainable applications"
  copyrightText: "Copyright (c) 2012 Plataformatec. Copyright (c) 2021 The Elixir Team. All Rights Reserved."
  downloadLocation: "git+https://github.com/elixir-lang/elixir.git"
  filesAnalyzed: false
  homepage: "https://elixir-lang.org/"
  licenseConcluded: "Apache-2.0"
  licenseDeclared: "Apache-2.0"
  name: "logger"
  packageFileName: "./lib/logger"
  externalRefs:
    - referenceCategory: PACKAGE-MANAGER
      referenceType: "purl"
      referenceLocator: "pkg:otp/logger"
      comment: "OTP PURL"
- SPDXID: "SPDXRef-Package-mix"
  summary: "About Elixir is a dynamic, functional language for building scalable and maintainable applications"
  copyrightText: "Copyright (c) 2012 Plataformatec. Copyright (c) 2021 The Elixir Team. All Rights Reserved."
  downloadLocation: "git+https://github.com/elixir-lang/elixir.git"
  filesAnalyzed: false
  homepage: "https://elixir-lang.org/"
  licenseConcluded: "Apache-2.0"
  licenseDeclared: "Apache-2.0"
  name: "mix"
  packageFileName: "./lib/mix"
  externalRefs:
    - referenceCategory: PACKAGE-MANAGER
      referenceType: "purl"
      referenceLocator: "pkg:otp/mix"
      comment: "OTP PURL"
- SPDXID: "SPDXRef-Package-erlang"
  description: "Erlang is a programming language and runtime system for building massively scalable soft real-time systems with requirements on high availability."
  copyrightText: "Copyright Ericsson AB 2010-2024. All Rights Reserved."
  downloadLocation: "git+https://github.com/erlang/otp.git"
  filesAnalyzed: false
  homepage: "https://www.erlang.org/"
  licenseConcluded: "NOASSERTION"
  licenseDeclared: "Apache-2.0"
  name: "erlang"
  externalRefs:
    - referenceCategory: PACKAGE-MANAGER
      referenceType: "purl"
      referenceLocator: "pkg:github/erlang/otp"
      comment: "GitHub PURL"
relationships:
- spdxElementId: "SPDXRef-Package-elixir-lang"
  relatedSpdxElement: "SPDXRef-Package-eex"
  relationshipType: "STATIC_LINK" # Should be CONTAINS, issue with ORT
- spdxElementId: "SPDXRef-Package-elixir-lang"
  relatedSpdxElement: "SPDXRef-Package-elixir"
  relationshipType: "STATIC_LINK" # Should be CONTAINS, issue with ORT
- spdxElementId: "SPDXRef-Package-elixir-lang"
  relatedSpdxElement: "SPDXRef-Package-exunit"
  relationshipType: "STATIC_LINK" # Should be CONTAINS, issue with ORT
- spdxElementId: "SPDXRef-Package-elixir-lang"
  relatedSpdxElement: "SPDXRef-Package-iex"
  relationshipType: "STATIC_LINK" # Should be CONTAINS, issue with ORT
- spdxElementId: "SPDXRef-Package-elixir-lang"
  relatedSpdxElement: "SPDXRef-Package-logger"
  relationshipType: "STATIC_LINK" # Should be CONTAINS, issue with ORT
- spdxElementId: "SPDXRef-Package-elixir-lang"
  relatedSpdxElement: "SPDXRef-Package-mix"
  relationshipType: "STATIC_LINK" # Should be CONTAINS, issue with ORT
- spdxElementId: "SPDXRef-Package-elixir"
  relatedSpdxElement: "SPDXRef-Package-erlang"
  relationshipType: "RUNTIME_DEPENDENCY_OF"
- spdxElementId: "SPDXRef-Package-eex"
  relatedSpdxElement: "SPDXRef-Package-elixir"
  relationshipType: "STATIC_LINK"
- spdxElementId: "SPDXRef-Package-exunit"
  relatedSpdxElement: "SPDXRef-Package-elixir"
  relationshipType: "STATIC_LINK"
- spdxElementId: "SPDXRef-Package-iex"
  relatedSpdxElement: "SPDXRef-Package-elixir"
  relationshipType: "STATIC_LINK"
- spdxElementId: "SPDXRef-Package-logger"
  relatedSpdxElement: "SPDXRef-Package-elixir"
  relationshipType: "STATIC_LINK"
- spdxElementId: "SPDXRef-Package-mix"
  relatedSpdxElement: "SPDXRef-Package-elixir"
  relationshipType: "STATIC_LINK"

Unfortunately by doing that, the exclusions and curations (license findings) are no longer applied.

I tried to work around the issue with the following approaches:

• Copy relevant parts of .ort.yml into the respective components (absolute / relative paths)
• Create package configurations in ort config directory
• Create package configurations in .ort.yml and enable enableRepositoryPackageConfigurations.

Did I implement things correctly and is what I'm trying to do even possible with ORT as it is right now?

Context:

• Change Commit: maennchen/elixir@671d757
• CI Execution Before: https://github.com/maennchen/elixir/actions/runs/13210025633
  
• CI Execution After: https://github.com/maennchen/elixir/actions/runs/13210254304
  

[tsteenbe]

@maennchen project.spdx.yml and related package.spdx.yml were implemented in ORT as fallbacks for when ORT does not support a package manager or if there is no package manager e.g. C/C++ projects. These are specially crafted/reduced SPDX files that are valid by the SPDX spec v2.2 but I do not recommend you to use them as a base for an ORT integration. We have issue open to support SBOMs as first class input to ORT see #9878 but the issue is that if you take 6 SBOM tools you get 6 different SBOMs as neither in CycloneDX nor SPDX there is a test suite/guidelines that describes how to map a given reality in code into a SBOM.

The right way forwards for now in my opinion is for you to implement SBOM output in Elixir and then a ORT Elixir analyzer plugin needs to be implemented that executes Elixir's SBOM command and then ingest the resulting SBOM.

[maennchen]

@tsteenbe I might be wrong with my assumptions, but my plan is to add Elixir (mix) and Erlang (rebar3) package manager support to ORT. This will work for all "normal" Elixir/Erlang projects / libraries.

I however don't think that this will work well for the language itself itself. The build tool is not fully available at this stage and dependencies are not properly declared.

I therefore think that I will not get around doing something manually for the language itself.

Also: The SBoM tooling which is currently being developed, will be able to support SPDX v3 and CycloneDX. I don't think that there will be any SPDX 2.X support.

[maennchen]

@tsteenbe I've found the reason why it didn't work:

• I'm implementing all this in a personal fork of the project
• Since the VCS URL is therefore not equal, it skipped the package configuration

Fixing that makes it work.

[marcpope]

Thanks for reporting this. There were two issues here:

1. Job list was showing queue time instead of completion time

The Status tab's recent jobs list was displaying started_at (with a fallback to queued_at) for all jobs — including finished ones. This has been fixed to show completed_at for finished jobs, which is the more useful timestamp.

2. Time may appear wrong if your timezone isn't set

BBS stores all timestamps in UTC and converts them to your local timezone for display. If the time looks off, check your timezone setting:

Profile (top-right menu) → Timezone dropdown → select your timezone and save.

We also just added a 24-hour time format option in the same profile page if you prefer that over the AM/PM format.

[sschuberth]

Did this somehow go to the wrong project, @marcpope?