oss-review-toolkit / ort

A suite of tools to automate software compliance checks.
https://oss-review-toolkit.org
Apache License 2.0

no version for the cache key can be determined & Maven SCM connection URL lacks the required 'scm' prefix #2193

Closed dineshr93 closed 4 years ago

dineshr93 commented 4 years ago

Hi, I am trying to analyze a Maven dep build system project.

When I ran the analyze command I get the below warnings:

  1. no version for the cache key can be determined &
  2. Maven SCM connection URL "url_of_gitrepo" lacks the required 'scm' prefix

    dinesh@dinesh-VirtualBox:~/ort/oss-review-toolkit/cli/build/install/ort/bin$ ./ort analyze -i /home/dinesh/project/sdk -o /home/dinesh/project/sdk-output --allow-dynamic-versions

    the OSS Review Toolkit, version 0.1.0-SNAPSHOT.
    Running 'analyze' under Java 1.8.0_242 on Linux with
    ORT_USER_HOME = /home/dinesh/.ort
    SHELL = /bin/bash
    More environment variables:
    TERM = xterm-256color

    The following package managers are activated: Bower, Bundler, Cargo, Conan, DotNet, GoDep, GoMod, Gradle, Maven, NPM, NuGet, PhpComposer, PIP, Pipenv, Pub, SBT, Stack, Yarn
    Analyzing project path: /home/dinesh/project/sdk
    11:36:22.616 [analyzer-3] WARN com.here.ort.analyzer.managers.Unmanaged - Analysis of local directory '/home/dinesh/project/sdk' which is not under version control will produce non-cacheable results as no version for the cache key can be determined.
    11:36:32.716 [analyzer-1] WARN com.here.ort.analyzer.managers.utils.MavenSupport - Maven SCM connection URL 'https://github.com/typetools/checker-framework.git' lacks the required 'scm' prefix.
    11:36:32.737 [analyzer-1] WARN com.here.ort.analyzer.managers.utils.MavenSupport - Maven SCM connection URL 'https://github.com/typetools/checker-framework.git' lacks the required 'scm' prefix.
    11:36:40.452 [analyzer-1] WARN com.here.ort.analyzer.managers.utils.MavenSupport - Maven SCM connection URL 'git://android.git.kernel.org/platform/manifest.git' lacks the required 'scm' prefix.
    11:37:34.350 [analyzer-1] WARN com.here.ort.analyzer.managers.utils.MavenSupport - Maven SCM connection URL 'git@github.com:qos-ch/slf4j.git' lacks the required 'scm' prefix.
    11:39:52.071 [analyzer-1] WARN com.here.ort.analyzer.managers.utils.MavenSupport - Maven SCM connection URL 'https://github.com/typetools/checker-framework.git' lacks the required 'scm' prefix.
    11:39:52.074 [analyzer-1] WARN com.here.ort.analyzer.managers.utils.MavenSupport - Maven SCM connection URL 'https://github.com/typetools/checker-framework.git' lacks the required 'scm' prefix.
    11:39:52.471 [analyzer-1] WARN com.here.ort.analyzer.managers.utils.MavenSupport - Maven SCM connection URL 'git://android.git.kernel.org/platform/manifest.git' lacks the required 'scm' prefix.
    11:39:52.835 [analyzer-1] WARN com.here.ort.analyzer.managers.utils.MavenSupport - Maven SCM connection URL 'git@github.com:qos-ch/slf4j.git' lacks the required 'scm' prefix.
    11:40:14.014 [analyzer-1] WARN com.here.ort.analyzer.managers.utils.MavenSupport - Maven SCM connection URL 'https://github.com/typetools/checker-framework.git' lacks the required 'scm' prefix.
    11:40:17.100 [analyzer-1] WARN com.here.ort.analyzer.managers.utils.MavenSupport - Maven SCM connection URL 'git://android.git.kernel.org/platform/manifest.git' lacks the required 'scm' prefix.
    11:40:17.368 [main] ERROR java.lang.Object - Multiple projects with the same id 'Maven:com.mahindra.server:MahindraServer:1.0-SNAPSHOT' found. Not adding the project defined in '/' to the analyzer results as it duplicates the project defined in '/'.
    Found 4 project(s) in total.
    Writing analyzer result to '/home/dinesh/project/sdk-output/analyzer-result.yml'.

What is the effect on the analyzer-result.yml output? How to rectify the warn & cache err?

tsteenbe commented 4 years ago

    WARN com.here.ort.analyzer.managers.Unmanaged - Analysis of local directory '/home/dinesh/project/sdk' which is not under version control will produce non-cacheable results as no version for the cache key can be determined.

ORT will create a project called Unmanaged if ort scan is run on a directory where no package manager is found. Using just Unmanaged as project id is missing a version; that's why ORT checks if a version control system like Git, Hg, SVN, etc. is present, and if it is, it will use the revision as a version number. As your project seems to not use either Git, Hg or SVN, a warning is thrown.

    WARN com.here.ort.analyzer.managers.utils.MavenSupport - Maven SCM connection URL 'https://github.com/typetools/checker-framework.git' lacks the required 'scm' prefix.

For all org.checkerframework:checker packages the pom.xml files have the following SCM connection URLs:

    <scm>
        <url>https://github.com/typetools/checker-framework.git</url>
        <connection>https://github.com/typetools/checker-framework.git</connection>
    </scm>

Per https://maven.apache.org/pom.html#SCM the expected format is scm:[provider]:[provider_specific] so it should be

    <scm>
      <connection>scm:git:https://github.com/typetools/checker-framework.git</connection>
      <developerConnection>scm:git:git@github.com:typetools/checker-framework.git</developerConnection>
      <url>https://github.com/typetools/checker-framework</url>
    </scm>

As the connection URL is in the wrong format, a warning is thrown by ORT's analyzer, but it should not break the scan as ORT has built-in logic to automatically correct these kinds of mistakes.

Recommend you file an issue or PR with checker-framework to fix the incorrect SCM connection value.
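
A pre-flight check for the `scm:[provider]:[provider_specific]` format discussed above, as an added example (not ORT's code and not part of the original thread): it reads the top-level `<scm>` block of a POM and reports which connection values lack the prefix. The function names, the sample POM and the Git-only provider heuristic are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Maven SCM URL: scm:<provider><delimiter><provider_specific>; delimiter is ':' or '|'.
SCM_URL = re.compile(r"^scm:(?P<provider>[A-Za-z0-9_]+)[:|](?P<rest>.+)$")

# Constructed sample POM that reuses SCM values quoted in the thread.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <scm>
    <url>https://github.com/typetools/checker-framework.git</url>
    <connection>https://github.com/typetools/checker-framework.git</connection>
    <developerConnection>scm:git:git@github.com:qos-ch/slf4j.git</developerConnection>
  </scm>
</project>"""


def local(tag):
    """Strip the '{namespace}' part ElementTree puts in front of tag names."""
    return tag.rsplit("}", 1)[-1]


def guess_provider(url):
    """Heuristic (assumption): only recognise URLs that are obviously Git."""
    if url.startswith(("git://", "git@")) or url.endswith(".git"):
        return "git"
    return None  # unknown provider: report it, but do not invent a prefix


def check_scm(pom_text):
    """Return one finding per <connection>/<developerConnection> in <scm>."""
    # ElementTree is fine for POMs you trust; use a hardened parser such as
    # defusedxml when the POM comes from an untrusted source.
    root = ET.fromstring(pom_text)
    findings = []
    for scm in (c for c in root if local(c.tag) == "scm"):
        for elem in scm:
            name = local(elem.tag)
            if name not in ("connection", "developerConnection"):
                continue
            value = (elem.text or "").strip()
            valid = SCM_URL.match(value) is not None
            provider = None if valid else guess_provider(value)
            findings.append({"element": name, "value": value, "valid": valid,
                             "suggestion": f"scm:{provider}:{value}" if provider else None})
    return findings


if __name__ == "__main__":
    for finding in check_scm(SAMPLE_POM):
        print(finding)
```
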