
Analyzer does not provide correct VCS revision of Pub dependencies

Open bennati opened this issue 2 years ago • 0 comments

This issue happens when analyzing a Pub dependency which is part of the Dart-lang SDK.

The pubspec.lock file contains the following:

packages:
  _fe_analyzer_shared:
    dependency: transitive
    description:
      name: _fe_analyzer_shared
      url: "https://pub.dartlang.org"
    source: hosted
    version: "22.0.0"

dart pub get is invoked, and it correctly downloads the dependency in the .pub-cache directory. From package_config.json:

"packages": [
    {
      "name": "_fe_analyzer_shared",
      "rootUri": "file:///root/.pub-cache/hosted/pub.dartlang.org/_fe_analyzer_shared-22.0.0",
      "packageUri": "lib/",
      "languageVersion": "2.12"
    },

That folder contains the pubspec.yaml that has been downloaded by pub.dev/packages, which contains:

name: _fe_analyzer_shared
version: 22.0.0
description: Logic that is shared between the front_end and analyzer packages.
homepage: https://github.com/dart-lang/sdk/tree/master/pkg/_fe_analyzer_shared

environment:
  sdk: '>=2.12.0 <3.0.0'
dependencies:
  meta: ^1.0.2
dev_dependencies:
  test: ^1.3.4

The analyzer takes the value of homepage to build the VCS info for the dependency, leading to the following entry in analyzer-result.json:

          "vcs_processed" : {
            "type" : "Git",
            "url" : "https://github.com/dart-lang/sdk.git",
            "revision" : "master",
            "path" : "pkg/_fe_analyzer_shared"
          }

The revision is set to master, but that does not correspond to the required 22.0.0 version.

Scancode then fails to find the required version 22.0.0 among the tags of the repository, because these tags refer to the SDK version, with the error No matching tag for version '22.0.0' found in [2.18.0-89.0.dev, 2.8.0-dev.12.0, ....

I looked into pub.dev but I could not find any reference to the revision corresponding to the correct dependency version, nor could I find how to obtain that information from dart pub get. I noticed that pub.dev contains a source artifact for that version, but my attempt to add a source artifact to the analyzer-result.json did not solve the issue.

bennati, Jul 11 '22 07:07
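
The mismatch reported above, as an added example that is not part of the original issue and not ORT's own code: a Python sketch that derives the four VCS fields from a GitHub homepage URL and reports whether the result actually pins the package version. The function names, the status labels and the tag-matching heuristic are assumptions; the two tags are the ones quoted in the error message.

```python
import re
from urllib.parse import urlparse

# GitHub browse URLs: /<owner>/<repo>[/tree/<ref>[/<path>]]
# Assumption: <ref> contains no '/', which is ambiguous for branches like "a/b".
_TREE = re.compile(r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+?)(?:\.git)?"
                   r"(?:/tree/(?P<ref>[^/]+)(?:/(?P<path>.+))?)?/?$")

def vcs_from_homepage(homepage):
    """Split a GitHub homepage URL into type, url, revision and path."""
    u = urlparse(homepage)
    m = _TREE.match(u.path) if u.hostname == "github.com" else None
    if m is None:
        return None
    return {
        "type": "Git",
        "url": f"https://github.com/{m['owner']}/{m['repo']}.git",
        "revision": m["ref"] or "",
        "path": (m["path"] or "").rstrip("/"),
    }

def matching_tags(version, tags):
    """Tags naming exactly this version (heuristic: bare, or v/-/_// prefixed)."""
    suffixes = tuple(sep + version for sep in ("v", "-", "_", "/"))
    return [t for t in tags if t == version or t.endswith(suffixes)]

def assess(homepage, version, tags):
    """Return (vcs, status): 'pinned', 'resolvable', 'unresolved' or 'no-vcs'."""
    vcs = vcs_from_homepage(homepage)
    if vcs is None:
        return None, "no-vcs"
    candidates = matching_tags(version, tags)
    rev = vcs["revision"]
    # A full commit SHA or a version tag is immutable enough to audit against.
    if re.fullmatch(r"[0-9a-f]{40}", rev) or rev in candidates:
        return vcs, "pinned"
    # A branch name such as "master" moves; a matching tag could replace it.
    return vcs, "resolvable" if candidates else "unresolved"

# Values from the issue: pubspec.yaml homepage, package version, SDK-style tags.
HOMEPAGE = "https://github.com/dart-lang/sdk/tree/master/pkg/_fe_analyzer_shared"
SDK_TAGS = ["2.18.0-89.0.dev", "2.8.0-dev.12.0"]

if __name__ == "__main__":
    print(assess(HOMEPAGE, "22.0.0", SDK_TAGS))
```

An `unresolved` result means the scanned source cannot be tied to the released artifact from VCS metadata alone, so the provenance of that package version has to come from the hosted source artifact instead.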