Allow importing data from the OSS Review Toolkit
I'd love to get data gathered by the analyzer tool of the OSS Review Toolkit (ORT) into DMD. ORT's reporter tool can already write out SPDX and CycloneDX SBOMs, so if `dmd import sbom` would support these (also see this comment of mine), that would probably already work. However, I'd like to reduce the levels of indirection to avoid potential data loss, as it's not well-defined what data exactly should go into SBOMs.
So, any suggestions about the best approach? We could try to solve this on the ORT side by adding a reporter format that writes out to some DMD-native format, ensuring that we populate any data fields that we can. Or we could try to solve this on the DMD side by creating an importer for ORT's native format, similar to what dependabot-graph or renovate-graph do. My hunch is that the answer depends on whose native format changes more often. And if it was ORT's, it might be cumbersome for a DMD subproject to catch up with these.
Disclaimer: I'm the founder and a core maintainer of the ORT project.