python-ort 0.4.2__tar.gz → 0.5.0__tar.gz

{python_ort-0.4.2 → python_ort-0.5.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: python-ort
-Version: 0.4.2
+Version: 0.5.0
 Summary: A Python Ort model serialization library
 License-Expression: MIT
 License-File: LICENSE
@@ -13,7 +13,7 @@ Classifier: Programming Language :: Python :: 3.12
 Classifier: Programming Language :: Python :: 3.13
 Classifier: Programming Language :: Python :: 3.14
 Classifier: Topic :: Software Development :: Libraries :: Python Modules
-Requires-Dist: pydantic>=2.12.4
+Requires-Dist: pydantic>=2.12.5
 Requires-Python: >=3.10
 Description-Content-Type: text/markdown
 

{python_ort-0.4.2 → python_ort-0.5.0}/pyproject.toml

@@ -4,14 +4,14 @@ build-backend = "uv_build"
 
 [project]
 name = "python-ort"
-version = "0.4.2"
+version = "0.5.0"
 description = "A Python Ort model serialization library"
 readme = "README.md"
 license = "MIT"
 license-files = ["LICENSE"]
 requires-python = ">=3.10"
 dependencies = [
-    "pydantic>=2.12.4",
+    "pydantic>=2.12.5",
 ]
 classifiers = [
     "Development Status :: 3 - Alpha",
@@ -31,13 +31,13 @@ module-root = "src"
 
 [dependency-groups]
 dev = [
-    "datamodel-code-generator[http]>=0.35.0",
-    "pre-commit>=4.3.0",
+    "datamodel-code-generator[http]>=0.53.0",
+    "pre-commit>=4.5.1",
     "pycodestyle>=2.14.0",
-    "pyrefly>=0.40.0",
-    "pytest>=8.4.2",
+    "pyrefly>=0.49.0",
+    "pytest>=9.0.2",
     "rich>=14.2.0",
-    "ruff>=0.14.4",
+    "ruff>=0.14.14",
     "types-pyyaml>=6.0.12.20250915",
 ]
 

{python_ort-0.4.2 → python_ort-0.5.0}/src/ort/__init__.py

@@ -2,8 +2,12 @@
 #
 # SPDX-License-Identifier: MIT
 
+from ort.models.analyzer_result import AnalyzerResult
+from ort.models.ort_result import OrtResult
 from ort.models.repository_configuration import OrtRepositoryConfiguration
 
 __all__ = [
+    "AnalyzerResult",
     "OrtRepositoryConfiguration",
+    "OrtResult",
 ]

python_ort-0.5.0/src/ort/models/__init__.py

@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: 2025 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+from .identifier import Identifier
+from .vcstype import VcsType
+
+__all__ = [
+    "Identifier",
+    "VcsType",
+]

python_ort-0.5.0/src/ort/models/analyzer_result.py

@@ -0,0 +1,43 @@
+# SPDX-FileCopyrightText: 2025 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+
+from pydantic import BaseModel, ConfigDict, Field
+
+from ort.models.dependency_graph import DependencyGraph
+from ort.models.identifier import Identifier
+from ort.models.issue import Issue
+from ort.models.package import Package
+from ort.models.project import Project
+
+
+class AnalyzerResult(BaseModel):
+    """
+    A class that merges all information from individual [ProjectAnalyzerResult]s created for each found definition file.
+    """
+
+    model_config = ConfigDict(
+        extra="forbid",
+    )
+
+    projects: set[Project] = Field(
+        description="Sorted set of the projects, as they appear in the individual analyzer results.",
+    )
+
+    packages: set[Package] = Field(
+        description="The set of identified packages for all projects.",
+    )
+
+    issues: dict[Identifier, list[Issue]] = Field(
+        default_factory=dict,
+        description="The lists of Issue objects that occurred within the analyzed projects themselves. Issues related"
+        "to project dependencies are contained in the dependencies of the project's scopes. This property is not"
+        "serialized if the map is empty to reduce the size of the result file.",
+    )
+
+    dependency_graphs: dict[str, DependencyGraph] = Field(
+        default_factory=dict,
+        description="A map with DependencyGraph objects keyed by the name of the package manager that created this"
+        "graph. Package managers supporting this feature can construct a shared DependencyGraph over all projects and"
+        "store it in this map.",
+    )

python_ort-0.5.0/src/ort/models/analyzer_run.py

@@ -0,0 +1,37 @@
+# SPDX-FileCopyrightText: 2025 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+from datetime import datetime
+
+from pydantic import BaseModel, ConfigDict, Field
+
+from ort.models.analyzer_result import AnalyzerResult
+from ort.models.config.analyzer_configuration import AnalyzerConfiguration
+from ort.utils.environment import Environment
+
+
+class AnalyzerRun(BaseModel):
+    """
+    The summary of a single run of the analyzer.
+
+    """
+
+    model_config = ConfigDict(
+        extra="forbid",
+    )
+    start_time: datetime = Field(
+        description="The time the analyzer was started.",
+    )
+    end_time: datetime = Field(
+        description="The time the analyzer has finished.",
+    )
+    environment: Environment = Field(
+        description="The [Environment] in which the analyzer was executed.",
+    )
+    config: AnalyzerConfiguration = Field(
+        description="The [AnalyzerConfiguration] used for this run.",
+    )
+    result: AnalyzerResult | None = Field(
+        default=None,
+        description="The result of this run.",
+    )

{python_ort-0.4.2 → python_ort-0.5.0}/src/ort/models/config/analyzer_configuration.py

@@ -38,11 +38,9 @@ _package_managers: list[str] = [
 
 class AnalyzerConfiguration(BaseModel):
     """
-    Enable the analysis of projects that use version ranges to declare their dependencies. If set to true,
-    dependencies of exactly the same project might change with another scan done at a later time if any of the
-    (transitive) dependencies are declared using version ranges and a new version of such a dependency was
-    published in the meantime. If set to false, analysis of projects that use version ranges will fail. Defaults to
-    false.
+    The configuration model of the analyzer. This class is (de-)serialized in the following places:
+    - Deserialized from "config.yml" as part of [OrtConfiguration] (via Hoplite).
+    - (De-)Serialized as part of [org.ossreviewtoolkit.model.OrtResult] (via Jackson).
     """
 
     model_config = ConfigDict(

{python_ort-0.4.2 → python_ort-0.5.0}/src/ort/models/config/package_manager_configuration.py

@@ -29,7 +29,8 @@ class PackageManagerConfiguration(BaseModel):
 
     @field_validator("options", mode="before")
     @classmethod
-    def convert_bools_to_str(cls, value: Any) -> Any:
+    def convert_to_str(cls, value: Any) -> Any:
         if not isinstance(value, dict):
             return value
-        return {k: str(v).lower() if isinstance(v, bool) else v for k, v in value.items()}
+        for key, item in value.items():
+            return {k: str(v).lower() if not isinstance(v, str) else v for k, v in value.items()}

python_ort-0.5.0/src/ort/models/dependency_graph.py

@@ -0,0 +1,98 @@
+# SPDX-FileCopyrightText: 2025 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+
+from pydantic import BaseModel, ConfigDict, Field, field_validator
+
+from ort.models.dependency_graph_edge import DependencyGraphEdge
+from ort.models.dependency_graph_node import DependencyGraphNode
+from ort.models.dependency_reference import DependencyReference
+from ort.models.identifier import Identifier
+from ort.models.root_dependency_index import RootDependencyIndex
+
+
+class DependencyGraph(BaseModel):
+    """
+    Represents the graph of dependencies of a project.
+
+    This class holds information about a project's scopes and their dependencies in a format that minimizes the
+    consumption of memory. In projects with many scopes there is often a high degree of duplication in the dependencies
+    of the scopes. To avoid this, this class aims to share as many parts of the dependency graph as possible between
+    the different scopes. Ideally, there is only a single dependency graph containing the dependencies used by all
+    scopes. This is not always possible due to inconsistencies in dependency relations, like a package using different
+    dependencies in different scopes. Then the dependency graph is split into multiple fragments, and each fragment has
+    a consistent view on the dependencies it contains.
+
+    When constructing a dependency graph the dependencies are organized as a connected structure of DependencyReference
+    objects in memory. Originally, the serialization format of a graph was based on this structure, but that turned out
+    to be not ideal: During serialization, sub graphs referenced from multiple nodes (e.g. libraries with transitive
+    dependencies referenced from multiple projects) get duplicated, which can cause a significant amount of redundancy.
+    Therefore, the data representation has been changed again to a form, which can be serialized without introducing
+    redundancy. It consists of the following elements:
+
+    - packages: A list with the coordinates of all the packages (free of duplication) that are referenced by the graph.
+      This allows extracting the packages directly, but also has the advantage that the package coordinates do not have
+      to be repeated over and over: All the references to packages are expressed by indices into this list.
+    - nodes: An ordered list with the nodes of the dependency graph. A single node represents a package, and therefore
+      has a reference into the list with package coordinates. It can, however, happen that packages occur multiple
+      times in the graph if they are in different subtrees with different sets of transitive dependencies. Then there
+      are multiple nodes for the packages affected, and a fragment_index is used to identify them uniquely. Nodes also
+      store information about issues of a package and their linkage.
+    - edges: Here the structure of the graph comes in. Each edge connects two nodes and represents a directed
+      depends-on relationship. The nodes are referenced by numeric indices into the list of nodes.
+    - scopes: This is a map that associates the scopes used by projects with their direct dependencies. A single
+      dependency graph contains the dependencies of all the projects processed by a specific package manager.
+      Therefore, the keys of this map are scope names qualified by the coordinates of a project; which makes them
+      unique. The values are references to the nodes in the graph that correspond to the packages the scopes depend on
+      directly.
+
+    To navigate this structure, start with a scope and gather the references to its direct dependency nodes. Then, by
+    following the edges starting from these nodes, the set of transitive dependencies can be determined. The numeric
+    indices can be resolved via the packages list.
+    """
+
+    model_config = ConfigDict(
+        extra="forbid",
+    )
+
+    packages: list[Identifier] = Field(
+        default_factory=list,
+        description="A list with the identifiers of the packages that appear in the dependency graph. This list is "
+        "used to resolve the numeric indices contained in the dependency_graph_node objects.",
+    )
+
+    scope_roots: set[DependencyReference] = Field(
+        default_factory=set,
+        description="Stores the dependency graph as a list of root nodes for the direct dependencies referenced by "
+        "scopes. Starting with these nodes, the whole graph can be traversed. The nodes are constructed "
+        "from the direct dependencies declared by scopes that cannot be reached via other paths in the "
+        "dependency graph. Note that this property exists for backwards compatibility only; it is replaced "
+        "by the lists of nodes and edges.",
+    )
+
+    scopes: dict[str, list[RootDependencyIndex]] = Field(
+        default_factory=dict,
+        description="A mapping from scope names to the direct dependencies of the scopes. Based on this information, "
+        "the set of scopes of a project can be constructed from the serialized form.",
+    )
+
+    nodes: list[DependencyGraphNode] = Field(
+        default_factory=list,
+        description="A list with the nodes of this dependency graph. Nodes correspond to packages, but in contrast to "
+        "the packages list, there can be multiple nodes for a single package. The order of nodes in this "
+        "list is relevant; the edges of the graph reference their nodes by numeric indices.",
+    )
+
+    edges: set[DependencyGraphEdge] = Field(
+        default_factory=set,
+        description="A set with the edges of this dependency graph. By traversing the edges, the dependencies of "
+        "packages can be determined.",
+    )
+
+    @field_validator("edges", mode="before")
+    @classmethod
+    def sort_and_set_edges(cls, v):
+        if v is None:
+            return set()
+
+        return {DependencyGraphEdge.model_validate(e) for e in v}

python_ort-0.5.0/src/ort/models/dependency_graph_edge.py

@@ -0,0 +1,30 @@
+# SPDX-FileCopyrightText: 2025 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+
+from pydantic import BaseModel, ConfigDict, Field
+
+
+class DependencyGraphEdge(BaseModel):
+    """
+    A data class representing an edge in the dependency graph.
+
+    An edge corresponds to a directed depends-on relationship between two packages. The packages are identified by the
+    numeric indices into the list of nodes.
+    """
+
+    model_config = ConfigDict(
+        extra="forbid",
+        frozen=True,
+    )
+
+    from_: int = Field(
+        ...,
+        alias="from",
+        description="The index of the source node of this edge.",
+    )
+    to_: int = Field(
+        ...,
+        alias="to",
+        description="The index of the destination node of this edge.",
+    )

python_ort-0.5.0/src/ort/models/dependency_graph_node.py

@@ -0,0 +1,44 @@
+# SPDX-FileCopyrightText: 2025 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+
+from pydantic import BaseModel, ConfigDict, Field
+
+from ort.models.issue import Issue
+from ort.models.package_linkage import PackageLinkage
+
+
+class DependencyGraphNode(BaseModel):
+    """
+    A data class representing a node in the dependency graph.
+
+    A node corresponds to a package, which is referenced by a numeric index. A package may, however, occur multiple
+    times in the dependency graph with different transitive dependencies. In this case, different fragment indices are
+    used to distinguish between these occurrences.
+    """
+
+    model_config = ConfigDict(
+        extra="forbid",
+    )
+
+    pkg: int | None = Field(
+        default=None,
+        description="Stores the numeric index of the package dependency referenced by this object. The package behind "
+        "this index can be resolved by evaluating the list of identifiers stored in DependencyGraph at "
+        "this index.",
+    )
+    fragment: int = Field(
+        0,
+        description="Stores the index of the fragment in the dependency graph where the referenced dependency is "
+        "contained. This is needed to uniquely identify the target if the dependency occurs multiple times "
+        "in the graph.",
+    )
+    linkage: PackageLinkage = Field(
+        default=PackageLinkage.DYNAMIC,
+        description="The type of linkage used for the referred package from its dependent package. As most of ORT's "
+        "supported package managers / languages only support dynamic linking or at least default to it, "
+        "also use that as the default value here to not blow up ORT result files.",
+    )
+    issues: list[Issue] = Field(
+        default_factory=list, description="A list of Issue objects that occurred handling this dependency."
+    )

python_ort-0.5.0/src/ort/models/dependency_reference.py

@@ -0,0 +1,51 @@
+# SPDX-FileCopyrightText: 2025 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+
+from pydantic import BaseModel, ConfigDict, Field
+
+from ort.models.issue import Issue
+from ort.models.package_linkage import PackageLinkage
+
+
+class DependencyReference(BaseModel):
+    """
+    A class to model a tree-like structure to represent the dependencies of a project.
+
+    Instances of this class are used to store the relations between dependencies in fragments of dependency trees in an
+    Analyzer result. The main purpose of this class is to define an efficient serialization format, which avoids
+    redundancy as far as possible. Therefore, dependencies are represented by numeric indices into an external table.
+    As a dependency can occur multiple times in the dependency graph with different transitive dependencies, the class
+    defines another index to distinguish these cases.
+
+    Note: This is by intention no data class. Equality is tested via references and not via the values contained.
+    """
+
+    model_config = ConfigDict(
+        extra="forbid",
+    )
+
+    pkg: int = Field(
+        ...,
+        description="Stores the numeric index of the package dependency referenced by this object. The package behind "
+        "this index can be resolved by evaluating the list of identifiers stored in DependencyGraph at "
+        "this index.",
+    )
+    fragment: int = Field(
+        default=0,
+        description="Stores the index of the fragment in the dependency graph where the referenced dependency is "
+        "contained. This is needed to uniquely identify the target if the dependency occurs multiple times "
+        "in the graph.",
+    )
+    dependencies: set["DependencyReference"] = Field(
+        default_factory=set,
+        description="A set with the references to the dependencies of this dependency. That way a tree-like structure "
+        "is established.",
+    )
+    linkage: PackageLinkage = Field(
+        default=PackageLinkage.DYNAMIC,
+        description="The type of linkage used for the referred package from its dependent package. As most of ORT's "
+        "supported package managers / languages only support dynamic linking or at least default to it, "
+        "also use that as the default value here to not blow up ORT result files.",
+    )
+    issues: list[Issue] = Field(..., description="A list of Issue objects that occurred handling this dependency.")

{python_ort-0.4.2 → python_ort-0.5.0}/src/ort/models/identifier.py

@@ -23,6 +23,7 @@ class Identifier(BaseModel):
 
     model_config = ConfigDict(
         extra="forbid",
+        frozen=True,
     )
 
     orttype: str = Field(
@@ -61,3 +62,6 @@ class Identifier(BaseModel):
                 "version": parts[3],
             }
         raise TypeError("Identifier must be a dict or a string in the correct format")
+
+    def __str__(self) -> str:
+        return ":".join([self.orttype, self.namespace, self.name, self.version])

python_ort-0.5.0/src/ort/models/issue.py

@@ -0,0 +1,36 @@
+# SPDX-FileCopyrightText: 2025 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+
+from datetime import datetime
+
+from pydantic import BaseModel, ConfigDict, Field
+
+from ort.severity import Severity
+
+
+class Issue(BaseModel):
+    """
+    An issue that occurred while executing ORT.
+    """
+
+    model_config = ConfigDict(
+        extra="forbid",
+    )
+
+    timestamp: datetime = Field(
+        description="The timestamp of the issue.",
+    )
+    source: str = Field(
+        description="A description of the issue source, e.g. the tool that caused the issue.",
+    )
+    message: str = Field(
+        description="The issue's message.",
+    )
+    severity: Severity = Field(
+        description="The issue's severity.",
+    )
+    affected_path: str | None = Field(
+        default=None,
+        description="The affected file or directory the issue is limited to, if any.",
+    )

python_ort-0.5.0/src/ort/models/ort_result.py

@@ -0,0 +1,32 @@
+# SPDX-FileCopyrightText: 2025 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+
+from pydantic import BaseModel, ConfigDict, Field
+
+from ort.models.analyzer_run import AnalyzerRun
+from ort.models.repository import Repository
+
+
+class OrtResult(BaseModel):
+    """
+    The common output format for the analyzer and scanner. It contains information about the scanned repository,
+    and the analyzer and scanner will add their result to it.
+
+    Attributes:
+        repository(Repository): Information about the repository that was used as input.
+        analyzer(AnalyzerRun): An [AnalyzerRun] containing details about the analyzer that was run using [repository]
+            as input. Can be null if the [repository] was not yet analyzed.
+
+    """
+
+    model_config = ConfigDict(
+        extra="ignore",
+    )
+    repository: Repository = Field(
+        description="Information about the repository that was used as input.",
+    )
+    analyzer: AnalyzerRun = Field(
+        description="An [AnalyzerRun] containing details about the analyzer that was run using [repository]"
+        "as input. Can be null if the [repository] was not yet analyzed."
+    )

python_ort-0.5.0/src/ort/models/package.py

@@ -0,0 +1,130 @@
+# SPDX-FileCopyrightText: 2025 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+
+from pydantic import BaseModel, ConfigDict, Field
+
+from ort.models.identifier import Identifier
+from ort.models.remote_artifact import RemoteArtifact
+from ort.models.source_code_origin import SourceCodeOrigin
+from ort.models.vcsinfo import VcsInfo
+from ort.utils.processed_declared_license import ProcessedDeclaredLicense
+
+
+class Package(BaseModel):
+    """
+    A generic descriptor for a software package. It contains all relevant metadata about a package like the name,
+    version, and how to retrieve the package and its source code. It does not contain information about the package's
+    dependencies, however. This is because at this stage ORT would only be able to get the declared dependencies,
+    whereas the resolved dependencies are of interest. Resolved dependencies might differ from declared dependencies
+    due to specified version ranges, or change depending on how the package is used in a project due to the build
+    system's dependency resolution process. For example, if multiple versions of the same package are used in a
+    project, the build system might decide to align on a single version of that package.
+    """
+
+    model_config = ConfigDict(
+        extra="forbid",
+    )
+
+    id: Identifier = Field(
+        description="The unique identifier of this package. The id's type is the name of the package type or protocol "
+        "(e.g. 'Maven' for a file from a Maven repository).",
+    )
+
+    purl: str = Field(
+        ...,
+        description="An additional identifier in package URL syntax (https://github.com/package-url/purl-spec).",
+    )
+
+    cpe: str | None = Field(
+        default=None,
+        description="An optional additional identifier in CPE syntax (https://cpe.mitre.org/specification/).",
+    )
+
+    authors: set[str] = Field(
+        default_factory=set,
+        description="The set of authors declared for this package.",
+    )
+
+    declared_licenses: set[str] = Field(
+        ...,
+        description="The set of licenses declared for this package. This does not necessarily correspond to"
+        "the licenses as detected by a scanner. Both need to be taken into account for any conclusions.",
+    )
+
+    declared_licenses_processed: ProcessedDeclaredLicense = Field(
+        ...,
+        description="The declared licenses as SpdxExpression. If declared_licenses contains multiple licenses they are "
+        "concatenated with SpdxOperator.AND.",
+    )
+
+    concluded_license: str | None = Field(
+        default=None,
+        description="The concluded license as an SpdxExpression. It can be used to override the declared/detected "
+        "licenses of a package. ORT itself does not set this field, it needs to be set by the user using a "
+        "PackageCuration.",
+    )
+
+    description: str = Field(
+        ...,
+        description="The description of the package, as provided by the package manager.",
+    )
+
+    homepage_url: str = Field(
+        ...,
+        description="The homepage of the package.",
+    )
+
+    binary_artifact: RemoteArtifact = Field(
+        ...,
+        description="The remote artifact where the binary package can be downloaded.",
+    )
+
+    source_artifact: RemoteArtifact = Field(
+        ...,
+        description="The remote artifact where the source package can be downloaded.",
+    )
+
+    vcs: VcsInfo = Field(
+        ...,
+        description="Original VCS-related information as defined in the package's metadata.",
+    )
+
+    vcs_processed: VcsInfo = Field(
+        ...,
+        description="Processed VCS-related information about the package in normalized form. The information is either "
+        "derived from vcs, guessed from additional data as a fallback, or empty. On top of that PackageCurations may "
+        "have been applied.",
+    )
+
+    is_metadata_only: bool = Field(
+        default=False,
+        description="Indicates whether the package is just metadata, like e.g. Maven BOM artifacts which only define "
+        "constraints for dependency versions.",
+    )
+
+    is_modified: bool = Field(
+        default=False,
+        description="Indicates whether the source code of the package has been modified compared to the original source"
+        "code, e.g., in case of a fork of an upstream Open Source project.",
+    )
+
+    source_code_origins: list[SourceCodeOrigin] | None = Field(
+        default=None,
+        description="The considered source code origins and their priority order to use for this package. If null, the "
+        "configured default is used. If not null, this must not be empty and not contain any duplicates.",
+    )
+
+    labels: dict[str, str] = Field(
+        default_factory=dict,
+        description="User defined labels associated with this package. The labels are not interpreted by the core of"
+        "ORT itself, but can be used in parts of ORT such as plugins, in evaluator rules, or in reporter templates.",
+    )
+
+    def __hash__(self) -> int:
+        return hash(self.id)
+
+    def __eq__(self, other) -> bool:
+        if not isinstance(other, Package):
+            return NotImplemented
+        return self.id == other.id

python_ort-0.5.0/src/ort/models/package_linkage.py

@@ -0,0 +1,33 @@
+# SPDX-FileCopyrightText: 2025 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+
+from enum import Enum, auto
+
+
+class PackageLinkage(Enum):
+    """
+    A class to denote the linkage type between two packages.
+
+    Members:
+        DYNAMIC:
+            A dynamically linked package whose source code is not directly defined in the project itself,
+            but which is retrieved as an external artifact.
+
+        STATIC:
+            A statically linked package whose source code is not directly defined in the project itself,
+            but which is retrieved as an external artifact.
+
+        PROJECT_DYNAMIC:
+            A dynamically linked package whose source code is part of the project itself,
+            e.g. a subproject of a multi-project.
+
+        PROJECT_STATIC:
+            A statically linked package whose source code is part of the project itself,
+            e.g. a subproject of a multi-project.
+    """
+
+    DYNAMIC = auto()
+    STATIC = auto()
+    PROJECT_DYNAMIC = auto()
+    PROJECT_STATIC = auto()