
analyzer: The revision in VCS processed may be wrong for NPM packages

Open fviernau opened this issue 3 years ago • 2 comments

Reproduce

  1. Create an empty directory and add the below package.json
{
    "name": "@some/test",
    "version": "1.0.0",
    "description": "a",
    "repository": "https://github.com/a/b",
    "license": "MIT",
    "dependencies": {
      "@babel/plugin-proposal-nullish-coalescing-operator": "7.8.3"
    }
  }
  2. Generate the corresponding lockfile: npm i --package-lock-only
  3. Analyze the directory with latest ORT
  4. Find master as revision in the analyzer result under vcsProcessed
    - metadata:
        id: "NPM:@babel:plugin-proposal-nullish-coalescing-operator:7.8.3"
        purl: "pkg:npm/%40babel/plugin-proposal-nullish-coalescing-operator@7.8.3"
        declared_licenses:
        - "MIT"
        declared_licenses_processed:
          spdx_expression: "MIT"
        description: "Remove nullish coalescing operator"
        homepage_url: "https://babel.dev/docs/en/next/babel-plugin-proposal-nullish-coalescing-operator"
        binary_artifact:
          url: ""
          hash:
            value: ""
            algorithm: ""
        source_artifact:
          url: "https://registry.npmjs.org/@babel/plugin-proposal-nullish-coalescing-operator/-/plugin-proposal-nullish-coalescing-operator-7.8.3.tgz"
          hash:
            value: "e4572253fdeed65cddeecfdab3f928afeb2fd5d2"
            algorithm: "SHA-1"
        vcs:
          type: "Git"
          url: "https://github.com/babel/babel/tree/master/packages/babel-plugin-proposal-nullish-coalescing-operator"
          revision: "a7620bd266ae1345975767bbc7abf09034437017"
          path: ""
        vcs_processed:
          type: "Git"
          url: "https://github.com/babel/babel.git"
          revision: "a7620bd266ae1345975767bbc7abf09034437017"
          path: "packages/babel-plugin-proposal-nullish-coalescing-operator"
      curations: []
    - metadata:
        id: "NPM:@babel:plugin-syntax-nullish-coalescing-operator:7.8.3"
        purl: "pkg:npm/%40babel/plugin-syntax-nullish-coalescing-operator@7.8.3"
        declared_licenses:
        - "MIT"
        declared_licenses_processed:
          spdx_expression: "MIT"
        description: "Allow parsing of the nullish-coalescing operator"
        homepage_url: ""
        binary_artifact:
          url: ""
          hash:
            value: ""
            algorithm: ""
        source_artifact:
          url: "https://registry.npmjs.org/@babel/plugin-syntax-nullish-coalescing-operator/-/plugin-syntax-nullish-coalescing-operator-7.8.3.tgz"
          hash:
            value: "167ed70368886081f74b5c36c65a88c03b66d1a9"
            algorithm: "SHA-1"
        vcs:
          type: "Git"
          url: "https://github.com/babel/babel/tree/master/packages/babel-plugin-syntax-nullish-coalescing-operator"
          revision: ""
          path: ""
        vcs_processed:
          type: "Git"
          url: "https://github.com/babel/babel.git"
          revision: "master"
          path: "packages/babel-plugin-syntax-nullish-coalescing-operator"
  5. Compare the package.json files
{
  "name": "@babel/plugin-proposal-nullish-coalescing-operator",
  "version": "7.8.3",
  "description": "Remove nullish coalescing operator",
  "repository": "https://github.com/babel/babel/tree/master/packages/babel-plugin-proposal-nullish-coalescing-operator",
  "license": "MIT",
  "publishConfig": {
    "access": "public"
  },
  "main": "lib/index.js",
  "keywords": [
    "babel-plugin"
  ],
  "dependencies": {
    "@babel/helper-plugin-utils": "^7.8.3",
    "@babel/plugin-syntax-nullish-coalescing-operator": "^7.8.0"
  },
  "peerDependencies": {
    "@babel/core": "^7.0.0-0"
  },
  "devDependencies": {
    "@babel/core": "^7.8.3",
    "@babel/helper-plugin-test-runner": "^7.8.3"
  },
  "gitHead": "a7620bd266ae1345975767bbc7abf09034437017"
}
{
  "name": "@babel/plugin-syntax-nullish-coalescing-operator",
  "version": "7.8.3",
  "description": "Allow parsing of the nullish-coalescing operator",
  "repository": "https://github.com/babel/babel/tree/master/packages/babel-plugin-syntax-nullish-coalescing-operator",
  "license": "MIT",
  "publishConfig": {
    "access": "public"
  },
  "main": "lib/index.js",
  "keywords": [
    "babel-plugin"
  ],
  "dependencies": {
    "@babel/helper-plugin-utils": "^7.8.0"
  },
  "peerDependencies": {
    "@babel/core": "^7.0.0-0"
  },
  "devDependencies": {
    "@babel/core": "^7.8.0"
  }
}

Expected

The package plugin-syntax-nullish-coalescing-operator lacks the revision in its metadata. The URL is master because it is derived from the repository URL.

Should we say repository URL is wrong but the behavior is correct?

@bennati can you double check please if this issue really just popped up or if it existed already for a while?

fviernau avatar Nov 02 '22 11:11 fviernau
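The derivation the issue describes, as an added example (not ORT's code, and not posted by anyone in this thread): build the `vcs` and `vcs_processed` entries from a package.json, with `gitHead` taking precedence and the branch named in a GitHub `tree/<ref>/<path>` URL used as the fallback revision. The regex, the helper names and the restriction to GitHub tree URLs are assumptions for illustration; the two input objects are constructed to mirror the package.json files quoted above.

```javascript
// Added example, not ORT's implementation: reproduce how a package.json with
// and without "gitHead" yields a commit SHA vs. "master" as the processed
// revision. Assumption: only GitHub "tree/<ref>/<path>" URLs are decomposed;
// any other URL is passed through unchanged.
const GITHUB_TREE_RE =
  /^https?:\/\/github\.com\/([^/]+)\/([^/]+?)(?:\.git)?(?:\/tree\/([^/]+)(?:\/(.*))?)?\/?$/;

function normalizeRepository(repository) {
  // package.json allows "repository" as a string or as { type, url }.
  if (typeof repository === "string") return repository;
  if (repository && typeof repository.url === "string") return repository.url;
  return "";
}

function vcsFromPackageJson(pkg) {
  // Raw VCS info: the URL as declared, the revision from "gitHead" (written by
  // npm when publishing from a git checkout) when present, otherwise empty.
  const url = normalizeRepository(pkg.repository);
  return { type: "Git", url, revision: pkg.gitHead || "", path: "" };
}

function processVcs(vcs) {
  const m = GITHUB_TREE_RE.exec(vcs.url);
  if (!m) return { ...vcs };
  const [, owner, repo, ref, subPath] = m;
  return {
    type: "Git",
    url: `https://github.com/${owner}/${repo}.git`,
    // An explicit revision wins; otherwise fall back to the branch or tag
    // named in the URL, which is what produces "master" in the issue.
    revision: vcs.revision || ref || "",
    path: subPath || "",
  };
}

const SHA1_RE = /^[0-9a-f]{40}$/;

function isImmutableRevision(revision) {
  // Only a full commit SHA identifies exact source; a branch name moves, so a
  // processed revision of "master" is a locator, not provenance.
  return SHA1_RE.test(revision);
}

function analyze(pkg) {
  const vcs = vcsFromPackageJson(pkg);
  const vcsProcessed = processVcs(vcs);
  return { vcs, vcsProcessed, pinned: isImmutableRevision(vcsProcessed.revision) };
}

// Constructed inputs mirroring the two package.json files quoted in the issue.
const withGitHead = {
  name: "@babel/plugin-proposal-nullish-coalescing-operator",
  version: "7.8.3",
  repository:
    "https://github.com/babel/babel/tree/master/packages/babel-plugin-proposal-nullish-coalescing-operator",
  gitHead: "a7620bd266ae1345975767bbc7abf09034437017",
};
const withoutGitHead = {
  name: "@babel/plugin-syntax-nullish-coalescing-operator",
  version: "7.8.3",
  repository:
    "https://github.com/babel/babel/tree/master/packages/babel-plugin-syntax-nullish-coalescing-operator",
};

for (const pkg of [withGitHead, withoutGitHead]) {
  console.log(pkg.name, JSON.stringify(analyze(pkg), null, 2));
}
```

Run with `node`. The first package resolves to the commit SHA and `pinned: true`; the second resolves to `master` and `pinned: false`. The `pinned` flag is the check a practitioner would want when the processed revision feeds source download or provenance attestation: a branch name in `vcs_processed` means the fetched source is not guaranteed to match the published tarball.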

Hi Frank, I backtraced the ORT version in which the revision is correctly detected in the package.json. The revision is 88d1633e2e

sankalpa-menon15 avatar Nov 23 '22 07:11 sankalpa-menon15

@fviernau could you maybe invest some time to check whether this issue is still present?

sschuberth avatar Jun 24 '24 09:06 sschuberth