BoF : How to define / extract dependencies of libs/apps for license analysis?

Background Material

• example kconfig SPDX package description: https://invent.kde.org/helio/kconfig/-/blob/spdx/package.spdx.yml
• example license scan report: http://heliocastro.info/reports/kconfig/report/
• example license scan overview: http://heliocastro.info/reports/kconfig/report/scan-report-web-app.html
• https://github.com/oss-review-toolkit/ort
  • example config: https://github.com/oss-review-toolkit/ort/blob/master/analyzer/src/funTest/assets/projects/synthetic/spdx/package/libs/curl/package.spdx.yml
  • curl example: https://github.com/oss-review-toolkit/ort/blob/master/analyzer/src/funTest/assets/projects/synthetic/spdx/package/libs/curl/package.spdx.yml
• Helio's tool landscape: https://github.com/Open-Source-Compliance/Sharing-creates-value/blob/master/Templates/Toolchain-big-picture-abstract-and-instance-example-7.pptx?raw=true