oss-review-toolkit / ort

A suite of tools to automate software compliance checks.
https://oss-review-toolkit.org
Apache License 2.0

Setting path curation for SVN-based package will result in scanning of sources.jar #2392

Open tsteenbe opened 4 years ago

tsteenbe commented 4 years ago

Apache Hadoop depends on Maven:org.apache.directory.api:api-asn1-api:1.0.0-M20. This api-asn1-api package is actually located in a sub directory of the parent repository, so I created the curation below:

- id: "Maven:org.apache.directory.api:api-asn1-api"
  curations:
    comment: "This library resides in its own dir in the VCS referred to by parent artifact."
    vcs:
      path: "asn1/api"

Whilst testing the above curation I noticed that ORT switches from analyzing the SVN repository to the sources.jar, so I presume this curation does not work and that is why ORT switches. Is this a bug or am I doing something wrong?

Package details via ORT analyzer (#475ba0c8)

Id: Maven:org.apache.directory.api:api-asn1-api:1.0.0-M20
Package URL: pkg:maven/org.apache.directory.api/api-asn1-api@1.0.0-M20
Description: ASN.1 API
Repository Declared: http://svn.apache.org/repos/asf/directory/shared/tags/1.0.0-M20
Repository Processed: http://svn.apache.org/repos/asf/directory/shared
Source Artifact: https://repo.maven.apache.org/maven2/org/apache/directory/api/api-asn1-api/1.0.0-M20/api-asn1-api-1.0.0-M20-sources.jar
Binary Artifact: https://repo.maven.apache.org/maven2/org/apache/directory/api/api-asn1-api/1.0.0-M20/api-asn1-api-1.0.0-M20.jar

sschuberth commented 1 year ago

Is this still a thing, @tsteenbe?

tsteenbe commented 3 months ago

Will retest this week as I am working on curations PRs atm.

sschuberth commented 2 months ago

I have recently observed a similar behavior when scanning the Maven:org.apache.pdfbox:pdfbox:2.0.20 package with the following curation in place:

- id: "Maven:org.apache.pdfbox:pdfbox:(,2.0.29]"
  curations:
    comment: "Wrong SVN repository path in parent POM: https://repo1.maven.org/maven2/org/apache/pdfbox/pdfbox-parent/2.0.29/pdfbox-parent-2.0.29.pom"
    vcs:
      type: "Subversion"
      url: "https://svn.apache.org/repos/asf/pdfbox"
      path: "pdfbox"

This results in the whole Subversion repository being scanned, including all branches and tags.
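The two curations in this thread (a path-only curation matched by id without a version, and a type/url/path curation matched by the range `(,2.0.29]`) can be checked outside ORT with the following added example. It is not ORT's own code: it models curation matching and field override the way the YAML above reads, and the scan-result provenance shape (`vcs_info` / `source_artifact`) is an assumption, so that a mismatch like the sources.jar fallback reported here can be flagged from a scan result.

```python
import re

def _key(version):
    # Compare dotted/dashed segments numerically where possible ("2.0.20" < "2.0.29").
    return tuple((0, int(s)) if s.isdigit() else (1, s) for s in re.split(r"[.-]", version))

def version_matches(version, spec):
    # Curation ids may carry an Ivy-style range such as "(,2.0.29]"; an empty spec matches all.
    if not spec:
        return True
    m = re.fullmatch(r"([\[(])([^,]*),([^,]*)([\])])", spec)
    if not m:
        return version == spec
    lo_inc, lo, hi, hi_inc = m.group(1) == "[", m.group(2), m.group(3), m.group(4) == "]"
    k = _key(version)
    if lo and (k < _key(lo) or (k == _key(lo) and not lo_inc)):
        return False
    if hi and (k > _key(hi) or (k == _key(hi) and not hi_inc)):
        return False
    return True

def curation_applies(curation_id, package_id):
    # "Type:namespace:name[:version]" - a curation without a version part matches every version.
    c, p = curation_id.split(":"), package_id.split(":")
    return c[:3] == p[:3] and version_matches(p[3], c[3] if len(c) > 3 else "")

def apply_vcs_curation(package, curation):
    # Only the vcs fields present in the curation override the package's processed VCS info.
    vcs = dict(package["vcs_processed"])
    if curation_applies(curation["id"], package["id"]):
        vcs.update(curation["curations"].get("vcs", {}))
    return vcs

def provenance_mismatch(expected_vcs, provenance):
    # Assumed scan-result shape: {"vcs_info": {...}} or {"source_artifact": {"url": ...}}.
    # Returns a reason when the scanner did not use the curated VCS location, else None.
    if "source_artifact" in provenance:
        return "scanned source artifact " + provenance["source_artifact"]["url"]
    used = provenance.get("vcs_info", {})
    for key in ("url", "path"):
        if used.get(key, "") != expected_vcs.get(key, ""):
            return f"vcs {key} differs: {used.get(key)!r} != {expected_vcs.get(key)!r}"
    return None

# Constructed from the package details quoted in the issue.
HADOOP_DEP = {"id": "Maven:org.apache.directory.api:api-asn1-api:1.0.0-M20", "vcs_processed": {
    "type": "Subversion", "url": "http://svn.apache.org/repos/asf/directory/shared", "path": ""}}
PATH_CURATION = {"id": "Maven:org.apache.directory.api:api-asn1-api",
                 "curations": {"vcs": {"path": "asn1/api"}}}
```

Running `provenance_mismatch(apply_vcs_curation(HADOOP_DEP, PATH_CURATION), provenance)` over each package's scan provenance reports the packages where a scan fell back to the source artifact or ignored the curated path.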