Open sschuberth opened 6 months ago
@sschuberth thanks for the bug report!
apply a fix for both fields to contain comparable paths,
I think this would be the cleanest approach here, since we have already considered implementing the other two options you mentioned:
- only add from_file at all if it's pointing to a different file than path,
- add a dedicated is_reference field to yet more easily filter out findings that are just references to other scanned files.
And after a discussion with @pombredanne we decided to implement the from_file attribute the way it is today: every match is populated with the file path it originated from, regardless of whether it belongs to the current file or a different file.
@sschuberth In hindsight, I have always had reservations wrt. the --strip-root option, and I wonder if this should not be removed entirely.
Please keep in mind that when sharing scan results it is actually convenient to have only relative paths in the JSON (to make results somewhat "relocatable"). While you probably could make them relative WRT headers.options.input, users might also feel uncomfortable with disclosing the directory structure where they store source code, as it could reveal things about the origin in the names.
So, personally I'm not against --strip-root, but then the behavior should change so that it is as if --strip-root was always specified, and only relative paths should always be used, IMO.
Description
I'd expect the value of the new from_file field inside the JSON's matches object to be a path relative to the input directory (if --strip-root is given). Instead, it is a relative path, but it contains the name of the input directory.
How To Reproduce
Using ScanCode 32.1.0, run a scan on the files mentioned at #3648. This gets you
So compare
to
which makes it unnecessarily hard to check whether a given finding is actually just a reference or not by comparing whether both fields point to the same path.
I propose to either:
- apply a fix for both fields to contain comparable paths,
- only add from_file at all if it's pointing to a different file than path,
- add a dedicated is_reference field to yet more easily filter out findings that are just references to other scanned files.
System configuration