We are trying to generate an aggregated SBOM/report with ORT with mixed results. Wondering if anyone else does this and how.

ORT works great for us on a simple project with one project descriptor (one Maven pom.xml, for example), but our software consists of several modules which are independently built and can use different package managers.

We tried:

1. Create an individual SPDX (JSON) report of every module, then just put all the SPDX files in a directory and run ORT on this directory.
   Drawbacks:
   - No control over how the individual modules are linked together
   - Loss of information, since ORT does not even understand all the details of its own SPDX format, and also does not write all information to SPDX. For example, source artifact and VCS information get lost
   - Can't define a "root" project

2. Create an individual SPDX (JSON) report of every module, then use hand-crafted SPDX files with externalDocumentRefs to combine the individual modules and analyze again with ORT.
   Drawbacks:
   - Loss of information, since ORT does not even understand all the details of its own SPDX format, and also does not write all information to SPDX. For example, source artifact and VCS information get lost
   - Struggling with "duplicate package" issues preventing the analyzer-result.yml

3. Just put all projects in one directory and scan the whole directory.
   Plus:
   - All ORT details from the analyzer available
   Drawbacks:
   - No control over how the individual modules are linked together
   - Individual .ort.yml files seem to be ignored, so no per-module settings

Ideally there would be a way to merge and structure the results of the EvaluatedModelReporter, and maybe feed this back into ORT as an input format to generate reports in other formats.

Wondering how others do this, or do you just deliver multiple reports/SBOMs?
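One way to produce the hand-crafted root document from the second approach, as an added example (not ORT's own code and not from the original post): it links each module's SPDX JSON through externalDocumentRefs, adds the SHA1 checksum the spec requires for such references, and gives the result a root project that DEPENDS_ON whatever each module document describes. The module names, namespaces and sample documents are constructed; the "creators" tool name is a placeholder.

```python
import hashlib
import json
import re

def described_packages(doc: dict) -> list[str]:
    """SPDXIDs that SPDXRef-DOCUMENT DESCRIBES; falls back to the legacy documentDescribes field."""
    ids = [r["relatedSpdxElement"] for r in doc.get("relationships", [])
           if r["spdxElementId"] == "SPDXRef-DOCUMENT" and r["relationshipType"] == "DESCRIBES"]
    return ids or list(doc.get("documentDescribes", []))

def build_aggregate(root_name: str, namespace: str, module_docs: list[bytes]) -> dict:
    """Return one SPDX 2.3 document: a root package that DEPENDS_ON every package each
    module document describes, referenced through externalDocumentRefs."""
    root_id = "SPDXRef-Package-root"
    ext_refs: list[dict] = []
    rels = [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
             "relatedSpdxElement": root_id}]
    for raw in module_docs:
        doc = json.loads(raw)
        # DocumentRef ids are limited to letters, digits, '.' and '-', and must be unique
        ref_id = "DocumentRef-" + re.sub(r"[^A-Za-z0-9.-]", "-", doc["name"])
        if any(e["externalDocumentId"] == ref_id for e in ext_refs):
            raise ValueError(f"duplicate module document name: {doc['name']}")
        ext_refs.append({"externalDocumentId": ref_id, "spdxDocument": doc["documentNamespace"],
                         # the spec requires a SHA1 over the exact bytes of the referenced document
                         "checksum": {"algorithm": "SHA1", "checksumValue": hashlib.sha1(raw).hexdigest()}})
        for pkg_id in described_packages(doc):
            rels.append({"spdxElementId": root_id, "relationshipType": "DEPENDS_ON",
                         "relatedSpdxElement": f"{ref_id}:{pkg_id}"})  # cross-document reference
    return {"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
            "name": root_name, "documentNamespace": namespace,
            "creationInfo": {"created": "1970-01-01T00:00:00Z", "creators": ["Tool: aggregate-example"]},
            "packages": [{"SPDXID": root_id, "name": root_name, "downloadLocation": "NOASSERTION"}],
            "externalDocumentRefs": ext_refs, "relationships": rels}

# Constructed sample module documents (minimal SPDX JSON, not real ORT output)
SAMPLE_MODULES = [
    json.dumps({"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "maven-module",
                "documentNamespace": "https://example.invalid/spdx/maven-module",
                "packages": [{"SPDXID": "SPDXRef-Package-maven-module", "name": "maven-module"}],
                "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                                   "relatedSpdxElement": "SPDXRef-Package-maven-module"}]}).encode(),
    json.dumps({"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "npm-module",
                "documentNamespace": "https://example.invalid/spdx/npm-module",
                "packages": [{"SPDXID": "SPDXRef-Package-npm-module", "name": "npm-module"}],
                "documentDescribes": ["SPDXRef-Package-npm-module"]}).encode(),
]

if __name__ == "__main__":
    print(json.dumps(build_aggregate("product", "https://example.invalid/spdx/product", SAMPLE_MODULES), indent=2))
```

The checksum is over the serialized bytes, so the module files must be referenced exactly as written to disk and recomputed whenever a module report is regenerated.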