Handle identified JAR Packages from pkg:osgi/ and pkg:jar/ to pkg:maven/ #1456
Comments
See comment at aboutcode-org/scancode-toolkit#3962 (comment) too. This is a duplicate. It is not possible to convert
This is an inherent issue of the osgi ecosystem, and maven jars which don't have pom.xml files inside. Only way to get to the packages in maven is looking for packages with the same name (might be possible to have this as a script?) / some targeted matching, but it's hard to automate this and make it work for all packages like this even then, or have this as a general functionality in the main package scanner. From a discussion on the same thread with @pombredanne:
> For the springframework example we actually do have org/springframework/aop in the classpath, but classpath would be problematic for an uber-JAR or SpringBoot JAR.
Certain jar packages are identified as pkg:osgi/ or pkg:jar/ instead of pkg:maven/. For example:
purl: pkg:osgi/[email protected]
name: org.eclipse.sisu.plexus-0.3.5.jar
download_url: https://repo1.maven.org/maven2/org/eclipse/sisu/org.eclipse.sisu.plexus/0.3.5/org.eclipse.sisu.plexus-0.3.5.jar
purl: pkg:jar/[email protected]
name: spring-aop-6.0.18.jar
download_url: https://repo1.maven.org/maven2/org/springframework/spring-aop/6.0.18/spring-aop-6.0.18.jar
This discrepancy may arise because these jars lack a pom.xml file.
However, from the VCIO perspective, the purl should be converted to pkg:maven/ i.e.
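Both records in the issue carry a `download_url` in the Maven 2 repository layout, where the path encodes groupId, artifactId and version. As an added example (not part of the original issue and not the project's code), the function below derives a `pkg:maven/` purl from such a URL and refuses anything that does not match the layout. The function name, the host allow-list and the restriction to URLs of this shape are assumptions; it does not help for a JAR whose origin URL is unknown.

```python
from urllib.parse import quote, unquote, urlsplit

# Assumptions for this example: only this host and layout root are trusted.
MAVEN_HOSTS = {"repo1.maven.org"}
MAVEN_ROOT = "/maven2/"


def maven_purl_from_download_url(download_url):
    """Return a pkg:maven purl for a Maven-layout download URL, else None."""
    parts = urlsplit(download_url)
    path = unquote(parts.path)
    if parts.scheme != "https" or parts.hostname not in MAVEN_HOSTS:
        return None
    if not path.startswith(MAVEN_ROOT):
        return None
    # Maven 2 layout: <group dirs...>/<artifactId>/<version>/<file>
    segments = path[len(MAVEN_ROOT):].split("/")
    if len(segments) < 4 or any(s in ("", ".", "..") for s in segments):
        return None
    *group_dirs, artifact, version, filename = segments
    stem, dot, ext = filename.rpartition(".")
    prefix = f"{artifact}-{version}"
    # The file name must repeat artifactId and version from the directories;
    # a mismatch means the path is not a normal release artifact.
    if not dot or not stem.startswith(prefix):
        return None
    rest = stem[len(prefix):]  # "" or "-<classifier>"
    if rest and not (rest.startswith("-") and len(rest) > 1):
        return None
    qualifiers = {}
    if rest:
        qualifiers["classifier"] = rest[1:]
    if ext != "jar":  # jar is the default type for pkg:maven
        qualifiers["type"] = ext
    purl = "pkg:maven/{}/{}@{}".format(
        quote(".".join(group_dirs), safe=""),
        quote(artifact, safe=""),
        quote(version, safe=""),
    )
    if qualifiers:
        purl += "?" + "&".join(
            f"{k}={quote(v, safe='')}" for k, v in sorted(qualifiers.items())
        )
    return purl


if __name__ == "__main__":
    # URL taken from the issue text.
    print(maven_purl_from_download_url(
        "https://repo1.maven.org/maven2/org/springframework/spring-aop/6.0.18/spring-aop-6.0.18.jar"
    ))
```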