Improve SBoM Details (#14258)

Author: maennchen

.github/workflows/ort/action.yml

@@ -4,12 +4,6 @@
 name: "Run OSS Review Toolkit"
 description: "Runs OSS Review Toolkit & generates SBoMs"
 inputs:
-  build-artifacts:
-    description: |
-      Build Artifact paths to include into SBoM.
-      May contain a glob pattern or list of paths separated by a newline.
-    required: false
-    default: ""
   report-formats:
     description: "ORT Report Formats"
     required: true

.github/workflows/release.yml

@@ -196,7 +196,6 @@ jobs:
         id: ort
         uses: ./.github/workflows/ort
         with:
-          build-artifacts: "/tmp/build-artifacts/*"
           report-formats: "CycloneDx,SpdxDocument"
           version: "${{ github.ref_type	== 'tag' && github.ref_name || github.sha }}"
 

.ort.yml

@@ -1,23 +1,111 @@
 # SPDX-License-Identifier: Apache-2.0
 # SPDX-FileCopyrightText: 2021 The Elixir Team
 
+excludes:
+  paths:
+    - pattern: "lib/elixir/pages/**/*"
+      reason: "DOCUMENTATION_OF"
+      comment: "Documentation"
+    - pattern: "lib/elixir/scripts/**/*"
+      reason: "BUILD_TOOL_OF"
+      comment: "Build Tool"
+    - pattern: "lib/ex_unit/examples/**/*"
+      reason: "EXAMPLE_OF"
+      comment: "Example"
+    - pattern: "lib/*/test/**/*"
+      reason: "TEST_OF"
+      comment: "Tests"
+    - pattern: "man/*"
+      reason: "DOCUMENTATION_OF"
+      comment: "Documentation"
+    - pattern: ".github/*"
+      reason: "BUILD_TOOL_OF"
+      comment: "Documentation"
+    - pattern: ".ort/*"
+      reason: "BUILD_TOOL_OF"
+      comment: "Documentation"
+
 curations:
   license_findings:
+    # Logos
     - path: "lib/elixir/pages/images/logo.png"
-      reason: "INCORRECT"
+      reason: "NOT_DETECTED"
+      comment: "Apply Trademark Policy to Elixir Logo"
+      detected_license: "NONE"
+      concluded_license: "LicenseRef-elixir-trademark-policy"
+    - path: "lib/elixir/scripts/windows_installer/assets/Elixir.ico"
+      reason: "NOT_DETECTED"
       comment: "Apply Trademark Policy to Elixir Logo"
       detected_license: "NONE"
       concluded_license: "LicenseRef-elixir-trademark-policy"
 
+    # Version File
+    - path: "VERSION"
+      reason: "NOT_DETECTED"
+      comment: "Apply Trademark Policy to VERSION file"
+      detected_license: "NONE"
+      concluded_license: "Apache-2.0"
+
+    # Documentation Images
+    - path: "lib/elixir/pages/images/**/*.png"
+      reason: "NOT_DETECTED"
+      comment: "Apply default license to all images"
+      detected_license: "NONE"
+      concluded_license: "Apache-2.0"
+
+    # Test Fixtures
+    - path: "lib/eex/test/fixtures/**/*"
+      reason: "NOT_DETECTED"
+      comment: "Apply default license to test fixtures"
+      detected_license: "NONE"
+      concluded_license: "Apache-2.0"
+    - path: "lib/elixir/test/elixir/fixtures/**/*"
+      reason: "NOT_DETECTED"
+      comment: "Apply default license to test fixtures"
+      detected_license: "NONE"
+      concluded_license: "Apache-2.0"
+    - path: "lib/ex_unit/test/fixtures/**/*"
+      reason: "NOT_DETECTED"
+      comment: "Apply default license to test fixtures"
+      detected_license: "NONE"
+      concluded_license: "Apache-2.0"
+    - path: "lib/mix/test/fixtures/**/*"
+      reason: "NOT_DETECTED"
+      comment: "Apply default license to test fixtures"
+      detected_license: "NONE"
+      concluded_license: "Apache-2.0"
+
+    # Unicode
+    - path: "lib/elixir/unicode/*.txt"
+      reason: "NOT_DETECTED"
+      comment: "Apply default license to unicode files"
+      detected_license: "NONE"
+      concluded_license: "LicenseRef-scancode-unicode"
+
+    # Wrongly Identified
+    - path: "LICENSES/LicenseRef-elixir-trademark-policy.txt"
+      reason: "INCORRECT"
+      comment: "Correct LicenseRef"
+      detected_license: "LicenseRef-scancode-proprietary-license"
+      concluded_license: "LicenseRef-elixir-trademark-policy"
     - path: "lib/elixir/pages/references/library-guidelines.md"
       reason: "INCORRECT"
       comment: |
         The guide mentions multiple licenses for users to choose from.
         It however is not licensed itself by the mentioned licenses.
       concluded_license: "Apache-2.0"
-
-    - path: "**/*"
+    - path: ".gitignore"
+      reason: "INCORRECT"
+      comment: "Ignored by ScanCode"
+      detected_license: "NONE"
+      concluded_license: "Apache-2.0"
+    - path: ".gitattributes"
+      reason: "INCORRECT"
+      comment: "Ignored by ScanCode"
+      detected_license: "NONE"
+      concluded_license: "Apache-2.0"
+    - path: "lib/elixir/scripts/windows_installer/.gitignore"
       reason: "INCORRECT"
-      comment: "Apply default license to all unknown files"
+      comment: "Ignored by ScanCode"
       detected_license: "NONE"
       concluded_license: "Apache-2.0"

.ort/config/config.yml

@@ -8,5 +8,5 @@ ort:
 
   analyzer:
     allowDynamicVersions: true
-    enabledPackageManagers: [Unmanaged]
+    enabledPackageManagers: [SpdxDocumentFile]
     skipExcluded: true

project.spdx.yml

@@ -0,0 +1,28 @@
+SPDXID: "SPDXRef-DOCUMENT"
+spdxVersion: "SPDX-2.2"
+creationInfo:
+  created: "2025-02-05T12:29:35Z"
+  creators:
+  - "Organization: The Elixir Team"
+  licenseListVersion: "3.9"
+name: "elixir"
+dataLicense: "CC0-1.0"
+documentNamespace: "https://github.com/elixir-lang/elixir"
+documentDescribes:
+- "SPDXRef-Package-elixir"
+packages:
+- SPDXID: "SPDXRef-Package-elixir"
+  summary: "About Elixir is a dynamic, functional language for building scalable and maintainable applications"
+  copyrightText: "Copyright (c) 2012 Plataformatec. Copyright (c) 2021 The Elixir Team. All Rights Reserved."
+  downloadLocation: "git+https://github.com/elixir-lang/elixir.git"
+  filesAnalyzed: false
+  homepage: "https://elixir-lang.org/"
+  licenseConcluded: "Apache-2.0 AND LicenseRef-scancode-unicode"
+  licenseDeclared: "Apache-2.0 AND LicenseRef-scancode-unicode"
+  name: "elixir"
+  packageFileName: "./"
+  externalRefs:
+    - referenceCategory: PACKAGE-MANAGER
+      referenceType: "purl"
+      referenceLocator: "pkg:github/elixir-lang/elixir"
+      comment: "GitHub PURL"