dependency package in attribution report is shown as a URL

Open carocad opened this issue 4 years ago • 3 comments

Describe the bug: Several Package entries in the attribution report of our Android project are shown as a URL even though Java uses the groupId:artifactId nomenclature.

To Reproduce: Execute the steps below

  1. fossa analyze
  2. fossa test
  3. fossa report attribution --json
  4. Some dependencies are reported as groupId:artifactId whereas others are reported as URLs. For example
    {
      "Package": "https://nexus.pentaho.org/content/groups/omni:androidx.appcompat:appcompat",
      "Source": "mvn",
      "Version": "1.3.1",
      "Licenses": [
        {
          "Name": "Apache-2.0"
        }
      ],
      "ProjectURL": "https://developer.android.com/jetpack/androidx/releases/appcompat#1.3.1"
    },
    {
      "Package": "https://nexus.pentaho.org/content/groups/omni:androidx.constraintlayout:constraintlayout",
      "Source": "mvn",
      "Version": "2.0.1",
      "Licenses": [
        {
          "Name": "Apache-2.0"
        }
      ],
      "ProjectURL": "http://tools.android.com"
    },
    {
      "Package": "https://nexus.pentaho.org/content/groups/omni:androidx.constraintlayout:constraintlayout",
      "Source": "mvn",
      "Version": "2.0.4",
      "Licenses": [
        {
          "Name": "Apache-2.0"
        }
      ],
      "ProjectURL": "http://tools.android.com"
    },

Expected behavior: All package entries should follow the Java package convention of groupId:artifactId.

Debugging information Please provide the following:

  1. The output of running the buggy command with the --debug flag: If possible I would like to provide this via email or similar; as mentioned below, this is a private repo.

  2. We use the bash script provided on this repo. The output is:

fossas/fossa-cli info checking GitHub for latest tag
11:16:17  fossas/fossa-cli info found version: 1.1.10 for v1.1.10/linux/amd64
11:16:17  fossas/fossa-cli info installed .//fossa

  3. The project's configuration file (usually .fossa.yml): Unfortunately I cannot provide it since it is a private project with private dependencies. However, the project locator is: custom+5128/github.boschdevcloud.com/eBike/app-one-bike-android. I hope that is enough to debug it.

  4. If possible, a minimal test case reproducing the bug (ideally, a GitHub repository): Unfortunately I cannot provide it since it is a private repo.

Environment (please complete the following information):

  • OS: Linux
  • Are you running in CI?: Yes, Jenkins
  • Are you running in a Docker image?: Yes, custom image based on openjdk:11 dockerhub image.

Additional context: This started happening around 27 May 2021. All our releases before had correct package names.

carocad avatar Oct 07 '21 11:10 carocad

Thank you for filing this issue. I have created a duplicate issue on our internal tracker (ANE-334) and will update you when any progress has been made.

zlav avatar May 20 '22 23:05 zlav

Hello @zlav, is there any progress on this? We just migrated to v3 and we are still experiencing this issue :/

carocad avatar Mar 05 '24 10:03 carocad

For anyone who has the same issue, you can use this jq trick to remove the undesired https://… prefixes from the packages this way (this requires a Fossa 3 attribution report which you can get via ./fossa report attribution --json):

jq '.directDependencies[].package |= sub("https.*\\/[^:]*:(?<package>.*)"; "\(.package)") | .deepDependencies[].package |= sub("https.*\\/[^:]*:(?<package>.*)"; "\(.package)")' in.json > out.json

It's not nice, but it works™. Note that you need to transform the directDependencies as well as the deepDependencies.

mreichelt avatar Mar 05 '24 16:03 mreichelt
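The same clean-up as the jq workaround above, written as a small Python script so it can be dropped into a CI step and checked; this is an added example, not code from the thread or from the fossa-cli project. It assumes the v3 report layout the comment describes (top-level directDependencies and deepDependencies lists whose entries carry a "package" field) and additionally accepts the capitalized "Package" key seen in the older report pasted in the issue. It goes slightly beyond the jq regex by also matching plain http:// prefixes, leaves entries that are already groupId:artifactId coordinates untouched, tolerates a missing or null section, and ends with a check that reports any package values still shaped like URLs, which is what you want to fail on before the report is fed into license review or compared against an SBOM. The sample report and hostname are constructed for the example.

```python
"""Normalize package identifiers in a FOSSA attribution report (example, not FOSSA's own code)."""
from __future__ import annotations

import json
import re

# Same idea as the jq workaround: drop everything from the scheme up to the last "/"
# plus the repository group segment up to the first ":", and keep the rest.
# Unlike the jq version this also accepts plain http:// prefixes.
URL_PREFIX_RE = re.compile(r"^https?://.*/[^:]*:(?P<package>.*)$")

# Constructed sample in the assumed v3 shape. The last entry uses the capitalized
# keys of the older report format from the issue. Hostnames are placeholders.
SAMPLE_REPORT = json.dumps({
    "directDependencies": [
        {"package": "https://repo.example.invalid/content/groups/omni:androidx.appcompat:appcompat",
         "source": "mvn", "version": "1.3.1", "licenses": [{"name": "Apache-2.0"}]},
        {"package": "com.squareup.okhttp3:okhttp",  # already a coordinate; must be left alone
         "source": "mvn", "version": "4.9.0", "licenses": [{"name": "Apache-2.0"}]},
    ],
    "deepDependencies": [
        {"package": "https://repo.example.invalid/content/groups/omni:androidx.constraintlayout:constraintlayout",
         "source": "mvn", "version": "2.0.4", "licenses": [{"name": "Apache-2.0"}]},
        {"Package": "https://repo.example.invalid/content/groups/omni:androidx.core:core",
         "Source": "mvn", "Version": "1.6.0"},
    ],
})

SECTIONS = ("directDependencies", "deepDependencies")
PACKAGE_KEYS = ("package", "Package")


def strip_repo_prefix(package: str) -> str:
    """Return the groupId:artifactId coordinate, removing a repository URL prefix if present."""
    match = URL_PREFIX_RE.match(package)
    return match.group("package") if match else package


def normalize_report(report: dict) -> dict:
    """Rewrite package identifiers in both dependency sections in place and return the report."""
    for section in SECTIONS:
        for dep in report.get(section) or []:  # tolerate a missing or null section
            for key in PACKAGE_KEYS:
                value = dep.get(key)
                if isinstance(value, str):
                    dep[key] = strip_repo_prefix(value)
    return report


def normalize_json(text: str) -> dict:
    """Parse a report from JSON text and normalize it."""
    return normalize_report(json.loads(text))


def find_url_packages(report: dict) -> list[str]:
    """List package values that still look like URLs; empty after a successful normalization."""
    leftovers: list[str] = []
    for section in SECTIONS:
        for dep in report.get(section) or []:
            for key in PACKAGE_KEYS:
                value = dep.get(key)
                if isinstance(value, str) and value.startswith(("http://", "https://")):
                    leftovers.append(value)
    return leftovers


if __name__ == "__main__":
    cleaned = normalize_json(SAMPLE_REPORT)
    print(json.dumps(cleaned, indent=2))
    print("unresolved:", find_url_packages(cleaned))
```

Run it against a real report by replacing SAMPLE_REPORT with the contents of out.json from ./fossa report attribution --json; if find_url_packages returns anything, the regex did not cover that repository's URL layout and the entry needs a look before the report is published.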