Setting path curation for SVN-based package will result in scanning of sources.jar
Apache Hadoop depends on Maven:org.apache.directory.api:api-asn1-api:1.0.0-M20. This api-asn1-api package is actually located in a subdirectory of the parent repository, so I created the curation below:

```yaml
- id: "Maven:org.apache.directory.api:api-asn1-api"
  curations:
    comment: "This library resides in its own dir in the VCS referred to by parent artifact."
    vcs:
      path: "asn1/api"
```
Whilst testing the above curation I noticed that ORT switches from analyzing the SVN repository to sources.jar, so I presume this curation does not work and ORT switches because of that. Is this a bug or am I doing something wrong?
Package details via ORT analyzer (#475ba0c8)
Id: Maven:org.apache.directory.api:api-asn1-api:1.0.0-M20
Package URL: pkg:maven/org.apache.directory.api/[email protected]
Description: ASN.1 API
Repository Declared: http://svn.apache.org/repos/asf/directory/shared/tags/1.0.0-M20
Repository Processed: http://svn.apache.org/repos/asf/directory/shared
Source Artifact: https://repo.maven.apache.org/maven2/org/apache/directory/api/api-asn1-api/1.0.0-M20/api-asn1-api-1.0.0-M20-sources.jar
Binary Artifact: https://repo.maven.apache.org/maven2/org/apache/directory/api/api-asn1-api/1.0.0-M20/api-asn1-api-1.0.0-M20.jar
Is this still a thing, @tsteenbe?
Will retest this week as I am working on curations PRs atm.
I recently observed a similar behavior when scanning the Maven:org.apache.pdfbox:pdfbox:2.0.20 package with the following curation in place:

```yaml
- id: "Maven:org.apache.pdfbox:pdfbox:(,2.0.29]"
  curations:
    comment: "Wrong SVN repository path in parent POM: https://repo1.maven.org/maven2/org/apache/pdfbox/pdfbox-parent/2.0.29/pdfbox-parent-2.0.29.pom"
    vcs:
      type: "Subversion"
      url: "https://svn.apache.org/repos/asf/pdfbox"
      path: "pdfbox"
```

This results in the whole Subversion repository being scanned, including all branches and tags.
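Both curations in this thread rely on the same mechanism: the `id` (with or without a version or version range) decides which packages the entry applies to, and the `vcs` block under `curations` overrides only the fields it sets in the package's declared VCS info. The script below is an added illustration written for this thread, not ORT's own code; it models that matching and merging in a simplified way so you can check offline that a curation actually applies to a package and what `vcs.path` narrows the checkout to before suspecting the downloader. Assumptions: the Ivy-style range syntax and the field-override semantics are this script's approximation of ORT's behaviour, URL normalization (the declared `.../tags/1.0.0-M20` URL becoming the processed root URL) is not modelled, and the declared pdfbox URL is a placeholder because the thread does not show it.

```python
import re
from dataclasses import dataclass, replace
from typing import Dict, List


# Simplified model of ORT's VcsInfo: only the fields a curation can override.
@dataclass(frozen=True)
class VcsInfo:
    type: str = ""
    url: str = ""
    revision: str = ""
    path: str = ""


def _version_key(version: str):
    """Turn "1.0.0-M20" into a sortable tuple; numeric parts sort before text parts."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version))


def version_in_range(version: str, spec: str) -> bool:
    """Match an exact version or an Ivy/Maven-style range such as "(,2.0.29]" or "[1.0,2.0)".

    Assumption: an id without a version (spec == "") applies to every version of the package.
    """
    if not spec:
        return True
    m = re.fullmatch(r"([\[(])([^,]*),([^,]*)([\])])", spec)
    if not m:
        return _version_key(version) == _version_key(spec)
    lo_bracket, lo, hi, hi_bracket = m.groups()
    key = _version_key(version)
    if lo and (key < _version_key(lo) or (lo_bracket == "(" and key == _version_key(lo))):
        return False
    if hi and (key > _version_key(hi) or (hi_bracket == ")" and key == _version_key(hi))):
        return False
    return True


def curation_applies(curation_id: str, package_id: str) -> bool:
    """True when type, namespace and name match and the package version satisfies the id's version part."""
    c_type, c_ns, c_name, *c_ver = curation_id.split(":", 3)
    p_type, p_ns, p_name, *p_ver = package_id.split(":", 3)
    if (c_type, c_ns, c_name) != (p_type, p_ns, p_name):
        return False
    return version_in_range(p_ver[0] if p_ver else "", c_ver[0] if c_ver else "")


def curate_vcs(package_id: str, declared: VcsInfo, curations: List[Dict]) -> VcsInfo:
    """Apply every matching curation; only the vcs fields a curation sets override the declared ones."""
    result = declared
    for curation in curations:
        if not curation_applies(curation["id"], package_id):
            continue
        overrides = curation.get("curations", {}).get("vcs", {})
        result = replace(result, **{k: v for k, v in overrides.items() if k in VcsInfo.__dataclass_fields__})
    return result


def scanned_subtree(vcs: VcsInfo) -> str:
    """Describe what is in scope after checkout: just vcs.path inside the repository, or all of it."""
    return f"{vcs.url}/{vcs.path}" if vcs.path else f"{vcs.url} (entire repository, all branches and tags)"


# The two curations posted in this thread, as the dicts a YAML loader would produce.
CURATIONS = [
    {"id": "Maven:org.apache.directory.api:api-asn1-api",
     "curations": {"comment": "This library resides in its own dir in the VCS referred to by parent artifact.",
                   "vcs": {"path": "asn1/api"}}},
    {"id": "Maven:org.apache.pdfbox:pdfbox:(,2.0.29]",
     "curations": {"comment": "Wrong SVN repository path in parent POM.",
                   "vcs": {"type": "Subversion", "url": "https://svn.apache.org/repos/asf/pdfbox", "path": "pdfbox"}}},
]

# Declared VCS info as shown in the analyzer output earlier in the thread for api-asn1-api.
ASN1_DECLARED = VcsInfo(type="Subversion", url="http://svn.apache.org/repos/asf/directory/shared/tags/1.0.0-M20")
# The thread does not show pdfbox's declared URL, so this value is a placeholder, not real data.
PDFBOX_DECLARED = VcsInfo(type="Subversion", url="PLACEHOLDER-url-from-parent-pom")

if __name__ == "__main__":
    for pkg, declared in [("Maven:org.apache.directory.api:api-asn1-api:1.0.0-M20", ASN1_DECLARED),
                          ("Maven:org.apache.pdfbox:pdfbox:2.0.20", PDFBOX_DECLARED),
                          ("Maven:org.apache.pdfbox:pdfbox:2.0.30", PDFBOX_DECLARED)]:
        print(pkg, "->", scanned_subtree(curate_vcs(pkg, declared, CURATIONS)))
```

Running it shows the pdfbox curation matching 2.0.20 and 2.0.29 but not 2.0.30, and the api-asn1-api entry applying to every version since its id carries none; if a curation you expect to take effect does not show up here, the id is the first thing to fix.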