SPDX (3) files can hold more information than usually discovered by ORT's analyzer; in that sense, SPDX (3) is more than a substitute for a lack of a package manager.
For example, SPDX 3 files can also hold information about vulnerabilities. These usually are discovered by ORT's advisor. So, to match ORT's modularity concept of each tool doing one thing (well), we should have an advisor that takes an SPDX 3 file as the input and enriches an ORT analyzer result (as created from an SPDX 3 file) with vulnerability information (from the same SPDX 3 input file as used for the analyzer run).
SPDX (3) files can hold more information than usually discovered by ORT's analyzer; in that sense, SPDX (3) is more than a substitute for a lack of a package manager.
For example, SPDX 3 files can also hold information about vulnerabilities. These usually are discovered by ORT's advisor. So, to match ORT's modularity concept of each tool doing one thing (well), we should have an advisor that takes an SPDX 3 file as the input and enriches an ORT analyzer result (as created from an SPDX 3 file) with vulnerability information (from the same SPDX 3 input file as used for the analyzer run).