ort icon indicating copy to clipboard operation
ort copied to clipboard

Published 20 hours ago verified publisher icon oss-review-toolkit

Do not fail hard if the scanner fails to resolve a revision

Open robertguetzkow opened this issue 1 year ago • 7 comments

I am testing ORT on a simple package.json that contains one dependency. Everything works correctly, except for the scanning based on ScanCode. JGit cannot checkout the correct revision of transitive dependencies, seemingly because the analyzer has either not found a particular revision or it is given a commit hash but does not find it.

I'm currently testing this in combination with the ort-ci-gitlab pipeline. I have modified the ort-scan.yml to use the minimal container image, activate the scanner and use local file storage instead of a PostgreSQL database.

Could you please help me identify whether my configuration is incorrect or if this is a bug?

package.json ort-test.zip

 ______________________________                                                
/        \_______   \__    ___/ The OSS Review Toolkit, version 15.0.0.        
|    |   | |       _/ |    |                                                   
|    |   | |    |   \ |    |    Running 'scan' as 'ort' under Java 17.0.10 on L
\________/ |____|___/ |____|    with 4 CPUs and a maximum of 3988 MiB of memory
                                                                               
Environment variables:                                                        
ORT_CONFIG_DIR = /home/ort/.ort/config                                        
ORT_DATA_DIR = /home/ort/.ort                                                 
HOME = /home/ort                                                              
TERM = xterm                                                                  
JAVA_HOME = /opt/java/openjdk                                                 
                                                                              
Looking for ORT configuration in the following file:
        /home/ort/.ort/config/config.yml
Scanning projects with:
        ScanCode (version 32.0.8)
Scanning packages with:
        ScanCode (version 32.0.8)
java.io.IOException: Could not resolve revision for package 'NPM::example-proj:1.0.0' with VcsInfo(type=Git, url=http://dev@localhost/dev/min-package-json.git, revision=6051c9bf635f2307a28c0c6b125060c269d4c010, path=):
	Could not find any revision candidates for package 'NPM::example-proj:1.0.0' with VcsInfo(type=Git, url=http://dev@localhost/dev/min-package-json.git, revision=6051c9bf635f2307a28c0c6b125060c269d4c010, path=).
	at org.ossreviewtoolkit.scanner.provenance.DefaultPackageProvenanceResolver$resolveVcs$6.invoke(PackageProvenanceResolver.kt:270)
	at org.ossreviewtoolkit.scanner.provenance.DefaultPackageProvenanceResolver$resolveVcs$6.invoke(PackageProvenanceResolver.kt:207)
	at org.ossreviewtoolkit.scanner.utils.DefaultWorkingTreeCache.use(WorkingTreeCache.kt:65)
	at org.ossreviewtoolkit.scanner.provenance.DefaultPackageProvenanceResolver.resolveVcs(PackageProvenanceResolver.kt:207)
	at org.ossreviewtoolkit.scanner.provenance.DefaultPackageProvenanceResolver.access$resolveVcs(PackageProvenanceResolver.kt:60)
	at org.ossreviewtoolkit.scanner.provenance.DefaultPackageProvenanceResolver$resolveProvenance$1$1$2.invokeSuspend(PackageProvenanceResolver.kt:84)
	at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
	at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:108)
	at kotlinx.coroutines.EventLoopImplBase.processNextEvent(EventLoop.common.kt:280)
	at kotlinx.coroutines.BlockingCoroutine.joinBlocking(Builders.kt:85)
	at kotlinx.coroutines.BuildersKt__BuildersKt.runBlocking(Builders.kt:59)
	at kotlinx.coroutines.BuildersKt.runBlocking(Unknown Source)
	at kotlinx.coroutines.BuildersKt__BuildersKt.runBlocking$default(Builders.kt:38)
	at kotlinx.coroutines.BuildersKt.runBlocking$default(Unknown Source)
	at org.ossreviewtoolkit.scanner.provenance.DefaultPackageProvenanceResolver.resolveProvenance(PackageProvenanceResolver.kt:84)
	at org.ossreviewtoolkit.scanner.Scanner$resolvePackageProvenances$duration$1$1$1$1.invokeSuspend(Scanner.kt:246)
	at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
	at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:108)
	at kotlinx.coroutines.internal.LimitedDispatcher$Worker.run(LimitedDispatcher.kt:115)
	at kotlinx.coroutines.scheduling.TaskImpl.run(Tasks.kt:103)
	at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:584)
	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:793)
	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:697)
	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:684)
java.io.IOException: Could not resolve revision for package 'NPM::concat-map:0.0.1' with VcsInfo(type=Git, url=https://github.com/substack/node-concat-map.git, revision=, path=):
	Could not find any revision candidates for package 'NPM::concat-map:0.0.1' with VcsInfo(type=Git, url=https://github.com/substack/node-concat-map.git, revision=, path=).
	at org.ossreviewtoolkit.scanner.provenance.DefaultPackageProvenanceResolver$resolveVcs$6.invoke(PackageProvenanceResolver.kt:270)
	at org.ossreviewtoolkit.scanner.provenance.DefaultPackageProvenanceResolver$resolveVcs$6.invoke(PackageProvenanceResolver.kt:207)
	at org.ossreviewtoolkit.scanner.utils.DefaultWorkingTreeCache.use(WorkingTreeCache.kt:65)
	at org.ossreviewtoolkit.scanner.provenance.DefaultPackageProvenanceResolver.resolveVcs(PackageProvenanceResolver.kt:207)
	at org.ossreviewtoolkit.scanner.provenance.DefaultPackageProvenanceResolver.access$resolveVcs(PackageProvenanceResolver.kt:60)
	at org.ossreviewtoolkit.scanner.provenance.DefaultPackageProvenanceResolver$resolveProvenance$1$1$2.invokeSuspend(PackageProvenanceResolver.kt:84)
	at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
	at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:108)
	at kotlinx.coroutines.EventLoopImplBase.processNextEvent(EventLoop.common.kt:280)
	at kotlinx.coroutines.BlockingCoroutine.joinBlocking(Builders.kt:85)
	at kotlinx.coroutines.BuildersKt__BuildersKt.runBlocking(Builders.kt:59)
	at kotlinx.coroutines.BuildersKt.runBlocking(Unknown Source)
	at kotlinx.coroutines.BuildersKt__BuildersKt.runBlocking$default(Builders.kt:38)
	at kotlinx.coroutines.BuildersKt.runBlocking$default(Unknown Source)
	at org.ossreviewtoolkit.scanner.provenance.DefaultPackageProvenanceResolver.resolveProvenance(PackageProvenanceResolver.kt:84)
	at org.ossreviewtoolkit.scanner.Scanner$resolvePackageProvenances$duration$1$1$1$1.invokeSuspend(Scanner.kt:246)
	at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
	at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:108)
	at kotlinx.coroutines.internal.LimitedDispatcher$Worker.run(LimitedDispatcher.kt:115)
	at kotlinx.coroutines.scheduling.TaskImpl.run(Tasks.kt:103)
	at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:584)
	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:793)
	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:697)
	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:684)
java.io.IOException: Could not resolve revision for package 'NPM::big-integer:1.6.52' with VcsInfo(type=Git, url=ssh://[email protected]/peterolson/BigInteger.js.git, revision=3892895546890db1c71b1e629fae58f0eb52d815, path=):
	Could not find any revision candidates for package 'NPM::big-integer:1.6.52' with VcsInfo(type=Git, url=ssh://[email protected]/peterolson/BigInteger.js.git, revision=3892895546890db1c71b1e629fae58f0eb52d815, path=).
	at org.ossreviewtoolkit.scanner.provenance.DefaultPackageProvenanceResolver$resolveVcs$6.invoke(PackageProvenanceResolver.kt:270)
	at org.ossreviewtoolkit.scanner.provenance.DefaultPackageProvenanceResolver$resolveVcs$6.invoke(PackageProvenanceResolver.kt:207)
	at org.ossreviewtoolkit.scanner.utils.DefaultWorkingTreeCache.use(WorkingTreeCache.kt:65)
	at org.ossreviewtoolkit.scanner.provenance.DefaultPackageProvenanceResolver.resolveVcs(PackageProvenanceResolver.kt:207)
	at org.ossreviewtoolkit.scanner.provenance.DefaultPackageProvenanceResolver.access$resolveVcs(PackageProvenanceResolver.kt:60)
	at org.ossreviewtoolkit.scanner.provenance.DefaultPackageProvenanceResolver$resolveProvenance$1$1$2.invokeSuspend(PackageProvenanceResolver.kt:84)
	at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
	at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:108)
	at kotlinx.coroutines.EventLoopImplBase.processNextEvent(EventLoop.common.kt:280)
	at kotlinx.coroutines.BlockingCoroutine.joinBlocking(Builders.kt:85)
	at kotlinx.coroutines.BuildersKt__BuildersKt.runBlocking(Builders.kt:59)
	at kotlinx.coroutines.BuildersKt.runBlocking(Unknown Source)
	at kotlinx.coroutines.BuildersKt__BuildersKt.runBlocking$default(Builders.kt:38)
	at kotlinx.coroutines.BuildersKt.runBlocking$default(Unknown Source)
	at org.ossreviewtoolkit.scanner.provenance.DefaultPackageProvenanceResolver.resolveProvenance(PackageProvenanceResolver.kt:84)
	at org.ossreviewtoolkit.scanner.Scanner$resolvePackageProvenances$duration$1$1$1$1.invokeSuspend(Scanner.kt:246)
	at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
	at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:108)
	at kotlinx.coroutines.internal.LimitedDispatcher$Worker.run(LimitedDispatcher.kt:115)
	at kotlinx.coroutines.scheduling.TaskImpl.run(Tasks.kt:103)
	at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:584)
	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:793)
	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:697)
	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:684)
org.eclipse.jgit.api.errors.TransportException: Remote does not have refs/heads/db31c2772cda956c1a53fcc95cd40d7825077ec4 available for fetch.
	at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:249)
	at org.ossreviewtoolkit.plugins.versioncontrolsystems.git.Git.updateWorkingTreeWithoutSubmodules-0E7RQCE(Git.kt:208)
	at org.ossreviewtoolkit.plugins.versioncontrolsystems.git.Git.access$updateWorkingTreeWithoutSubmodules-0E7RQCE(Git.kt:70)
	at org.ossreviewtoolkit.plugins.versioncontrolsystems.git.Git$updateWorkingTree$1.invoke-IoAF18A(Git.kt:179)
	at org.ossreviewtoolkit.plugins.versioncontrolsystems.git.Git$updateWorkingTree$1.invoke(Git.kt:175)
	at org.ossreviewtoolkit.plugins.versioncontrolsystems.git.GitWorkingTree.useRepo(GitWorkingTree.kt:58)
	at org.ossreviewtoolkit.plugins.versioncontrolsystems.git.Git.updateWorkingTree-BWLJW6A(Git.kt:175)
	at org.ossreviewtoolkit.downloader.VersionControlSystem.updateWorkingTree-BWLJW6A$default(VersionControlSystem.kt:382)
	at org.ossreviewtoolkit.scanner.provenance.DefaultPackageProvenanceResolver$resolveVcs$6.invoke(PackageProvenanceResolver.kt:227)
	at org.ossreviewtoolkit.scanner.provenance.DefaultPackageProvenanceResolver$resolveVcs$6.invoke(PackageProvenanceResolver.kt:207)
	at org.ossreviewtoolkit.scanner.utils.DefaultWorkingTreeCache.use(WorkingTreeCache.kt:65)
	at org.ossreviewtoolkit.scanner.provenance.DefaultPackageProvenanceResolver.resolveVcs(PackageProvenanceResolver.kt:207)
	at org.ossreviewtoolkit.scanner.provenance.DefaultPackageProvenanceResolver.access$resolveVcs(PackageProvenanceResolver.kt:60)
	at org.ossreviewtoolkit.scanner.provenance.DefaultPackageProvenanceResolver$resolveProvenance$1$1$2.invokeSuspend(PackageProvenanceResolver.kt:84)
	at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
	at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:108)
	at kotlinx.coroutines.EventLoopImplBase.processNextEvent(EventLoop.common.kt:280)
	at kotlinx.coroutines.BlockingCoroutine.joinBlocking(Builders.kt:85)
	at kotlinx.coroutines.BuildersKt__BuildersKt.runBlocking(Builders.kt:59)
	at kotlinx.coroutines.BuildersKt.runBlocking(Unknown Source)
	at kotlinx.coroutines.BuildersKt__BuildersKt.runBlocking$default(Builders.kt:38)
	at kotlinx.coroutines.BuildersKt.runBlocking$default(Unknown Source)
	at org.ossreviewtoolkit.scanner.provenance.DefaultPackageProvenanceResolver.resolveProvenance(PackageProvenanceResolver.kt:84)
	at org.ossreviewtoolkit.scanner.Scanner$resolvePackageProvenances$duration$1$1$1$1.invokeSuspend(Scanner.kt:246)
	at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
	at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:108)
	at kotlinx.coroutines.internal.LimitedDispatcher$Worker.run(LimitedDispatcher.kt:115)
	at kotlinx.coroutines.scheduling.TaskImpl.run(Tasks.kt:103)
	at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:584)
	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:793)
	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:697)
	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:684)
Caused by: org.eclipse.jgit.errors.TransportException: Remote does not have refs/heads/db31c2772cda956c1a53fcc95cd40d7825077ec4 available for fetch.
	at org.eclipse.jgit.transport.FetchProcess.expandSingle(FetchProcess.java:437)
	at org.eclipse.jgit.transport.FetchProcess.executeImp(FetchProcess.java:171)
	at org.eclipse.jgit.transport.FetchProcess.execute(FetchProcess.java:105)
	at org.eclipse.jgit.transport.Transport.fetch(Transport.java:1482)
	at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:238)
	... 31 more
java.io.IOException: Could not resolve revision for package 'NPM::unload:2.2.0' with VcsInfo(type=Git, url=https://github.com/pubkey/unload.git, revision=db31c2772cda956c1a53fcc95cd40d7825077ec4, path=):
	Could not resolve revision candidate 'db31c2772cda956c1a53fcc95cd40d7825077ec4': IOException: Running 'git checkout db31c2772cda956c1a53fcc95cd40d7825077ec4' in '/tmp/ort-DefaultWorkingTreeCache12928582668955791483' failed with exit code 128:
fatal: reference is not a tree: db31c2772cda956c1a53fcc95cd40d7825077ec4
	at org.ossreviewtoolkit.scanner.provenance.DefaultPackageProvenanceResolver$resolveVcs$6.invoke(PackageProvenanceResolver.kt:270)
	at org.ossreviewtoolkit.scanner.provenance.DefaultPackageProvenanceResolver$resolveVcs$6.invoke(PackageProvenanceResolver.kt:207)
	at org.ossreviewtoolkit.scanner.utils.DefaultWorkingTreeCache.use(WorkingTreeCache.kt:65)
	at org.ossreviewtoolkit.scanner.provenance.DefaultPackageProvenanceResolver.resolveVcs(PackageProvenanceResolver.kt:207)
	at org.ossreviewtoolkit.scanner.provenance.DefaultPackageProvenanceResolver.access$resolveVcs(PackageProvenanceResolver.kt:60)
	at org.ossreviewtoolkit.scanner.provenance.DefaultPackageProvenanceResolver$resolveProvenance$1$1$2.invokeSuspend(PackageProvenanceResolver.kt:84)
	at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
	at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:108)
	at kotlinx.coroutines.EventLoopImplBase.processNextEvent(EventLoop.common.kt:280)
	at kotlinx.coroutines.BlockingCoroutine.joinBlocking(Builders.kt:85)
	at kotlinx.coroutines.BuildersKt__BuildersKt.runBlocking(Builders.kt:59)
	at kotlinx.coroutines.BuildersKt.runBlocking(Unknown Source)
	at kotlinx.coroutines.BuildersKt__BuildersKt.runBlocking$default(Builders.kt:38)
	at kotlinx.coroutines.BuildersKt.runBlocking$default(Unknown Source)
	at org.ossreviewtoolkit.scanner.provenance.DefaultPackageProvenanceResolver.resolveProvenance(PackageProvenanceResolver.kt:84)
	at org.ossreviewtoolkit.scanner.Scanner$resolvePackageProvenances$duration$1$1$1$1.invokeSuspend(Scanner.kt:246)
	at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
	at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:108)
	at kotlinx.coroutines.internal.LimitedDispatcher$Worker.run(LimitedDispatcher.kt:115)
	at kotlinx.coroutines.scheduling.TaskImpl.run(Tasks.kt:103)
	at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:584)
	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:793)
	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:697)
	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:684)

robertguetzkow avatar Feb 01 '24 19:02 robertguetzkow

Apparently, the NPM registry's metadata for NPM::unload:2.2.0 says that version 2.2.0 was built from Git revision db31c2772cda956c1a53fcc95cd40d7825077ec4, but there is no such revision in https://github.com/pubkey/unload.git.

Unfortunately, this is a rather common problem with NPM packages, where developers publish packages from a local state of the Git repository without ever pushing that state to the remote repository. And at least in the past, the NPM registry did not implement the properly sanity checks to prohibit the publication of such packages.

That said, this kind of broken metadata for a published package can be fixed up via curations, which basically allows you to map a package version to a Git revision. Unfortunately, https://github.com/pubkey/unload/tags does not list any tags, so it's probably going to be hard to determine the correct revision. Maybe it's ca56fae861ba7d1178bbbf98a037c1dca893ebf0. Thank the NPM ecosystem for this mess 😭

sschuberth avatar Feb 01 '24 20:02 sschuberth

@sschuberth Thank you for the really quick reply. I have suspected as much, since I've noticed those missing commits for some npm packages too. However, it seems like big-interger fails, although 3892895546890db1c71b1e629fae58f0eb52d815 does exist, see https://github.com/peterolson/BigInteger.js/commit/3892895546890db1c71b1e629fae58f0eb52d815

I would have hoped that the scanner can skip packages that have inaccurate information or do not provide a revision at all.

In essence I would have to create curation entries for many of the transitive dependency? That's not feasible on any larger project where there can be hundreds or even thousands of them. Is there any other way to work around this, e.g. tell the JGit and the scanner to skip them automatically?

robertguetzkow avatar Feb 01 '24 20:02 robertguetzkow

However, it seems like big-interger fails, although 3892895546890db1c71b1e629fae58f0eb52d815 does exist, see peterolson/BigInteger.js@3892895

For NPM::big-integer:1.6.52 the root cause is a differnet kind of metadata error: See how the Git repository URL uses SSH as the transport: ssh://[email protected]/peterolson/BigInteger.js.git. As you can't clone anonymously via SSH, either SSH credentials have to be provided to ORT (ideally via SSH agent), or yet better, another curations has to be made that points at https://github.com/peterolson/BigInteger.js.git instead.

I would have hoped that the scanner can skip packages that have inaccurate information or do not provide a revision at all.

That would be super-dangerous as it would result in incomplete scan results and possibly missing license information. ORT deliberately fails hard here to ensure these issues are being dealt with via ORT configuration means.

In essence I would have to create curation entries for many of the transitive dependency? That's not feasible on any larger project where there can be hundreds or even thousands of them.

That why we have https://github.com/oss-review-toolkit/ort-config/tree/main/curations which already contains hundreds of curations. As a joint community effort, this is feasible to do. If people would simply start to contribute instead of saying it's not feasible :wink:

Is there any other way to work around this, e.g. tell the JGit and the scanner to skip them automatically?

Not right now. The most transparent way to fix this is by contributing curations. However, if https://github.com/oss-review-toolkit/ort/issues/3537 was implemented, that'd be an option as well.

sschuberth avatar Feb 02 '24 07:02 sschuberth

As a joint community effort, this is feasible to do.

To lead with good example, I've started to address this in the Open Source way by contributing both a fix for future big-integer releases and a curation for past big-integer releases.

sschuberth avatar Feb 02 '24 07:02 sschuberth

ORT deliberately fails hard here to ensure these issues are being dealt with via ORT configuration means.

Though we could discuss to make these issues (of ERROR severity) instead of exceptions. @mnonnenmacher is it maybe an oversight to throw here from the DefaultPackageProvenanceResolver?

sschuberth avatar Feb 02 '24 07:02 sschuberth

For NPM::big-integer:1.6.52 the root cause is a differnet kind of metadata error: See how the Git repository URL uses SSH as the transport: ssh://[email protected]/peterolson/BigInteger.js.git. As you can't clone anonymously via SSH, either SSH credentials have to be provided to ORT (ideally via SSH agent), or yet better, another curations has to be made that points at https://github.com/peterolson/BigInteger.js.git instead.

I was under the impression that using git config --global url."https://github.com/".insteadOf "ssh://[email protected]/" would already address this. Is this setting not applied for the scanner?

That would be super-dangerous as it would result in incomplete scan results and possibly missing license information. ORT deliberately fails hard here to ensure these issues are being dealt with via ORT configuration means.

Obviously it should not fail silently and report errors. In my opinion the missing or inaccurate revisions on some packages should not result in the scan to fails as a whole. Perhaps the exception handling could be adjusted as you've suggested yourself. From my point of view the information gathered by the scanner are an addition to the information already found by the analyzer. If it is not possible for some then that is ok, as long as the user is aware of it not being able to retrieve additional data for a package.

That why we have https://github.com/oss-review-toolkit/ort-config/tree/main/curations which already contains hundreds of curations. As a joint community effort, this is feasible to do. If people would simply start to contribute instead of saying it's not feasible 😉

I appreciate the FOSS spirit, I've been working on Blender and other OSS software before, but if I suggest that approach to my coworker on a project with 2400 transitive dependencies, then I'm afraid he won't like me very much. Over all it is a good idea to collect that information, but it would be great to have a user friendly way to skip or exclude them when needed without having to manually list every single package. As you've said yourself, in some cases the commit may be missing entirely from the public repo and as such no truly correct remediation exists (short of manually evaluating the repository, but even then the exact commit might not be clear).

Not right now. The most transparent way to fix this is by contributing curations. However, if https://github.com/oss-review-toolkit/ort/issues/3537 was implemented, that'd be an option as well.

Could be, some form a transitive depth filtering might make sense here as well.

To lead with good example, I've started to address this in the Open Source way by contributing both https://github.com/peterolson/BigInteger.js/pull/243 and https://github.com/oss-review-toolkit/ort-config/pull/166.

Thank you!

Though we could discuss to make these issues (of ERROR severity) instead of exceptions. @mnonnenmacher is it maybe an oversight to throw here from the DefaultPackageProvenanceResolver?

That would really help, because then it could at least run successfully and include data on dependencies it did find, such as the one directly listed in the package.json.

robertguetzkow avatar Feb 02 '24 16:02 robertguetzkow

Is this setting not applied for the scanner?

Let's phrase it like this: I'm not whether also JGit picks it up correctly, and whether you have configured at the right place (esp. if you run ORT via Docker).

Perhaps the exception handling could be adjusted as you've suggested yourself.

Ping @mnonnenmacher as a reminder.

sschuberth avatar Feb 02 '24 16:02 sschuberth