oss-review-toolkit / ort

A suite of tools to automate software compliance checks.
https://oss-review-toolkit.org
Apache License 2.0

[SPDX] Analyzer results contains projects instead of packages for some dependencies #6245

Open nnobelis opened 1 year ago

nnobelis commented 1 year ago

I had an SPDX-managed repository. This is the project.spdx.yml:

SPDXID: "SPDXRef-DOCUMENT"
spdxVersion: "SPDX-2.2"
name: "myapplication"
documentNamespace: "bosch:/myapplication"
documentDescribes:
  - "SPDXRef-Package-myapplication"
packages:
# base package
- SPDXID: "SPDXRef-Package-myapplication"
  copyrightText: "NONE"
  downloadLocation: "https://repository/myapplication.git"
  filesAnalyzed: false
  name: "myapplication"
# packages referenced by base package
- SPDXID: "SPDXRef-Package-mydependency"
  copyrightText: "NONE"
  downloadLocation: "https://repository/mydependency.git"
  filesAnalyzed: false
  packageFileName: "./external/mydependency"
  name: "mydependency"

relationships:
- spdxElementId:      "SPDXRef-Package-mydependency"
  relationshipType:   "DEPENDENCY_OF"
  relatedSpdxElement: "SPDXRef-Package-myapplication"

For myapplication, ./external/mydependency is a Git submodule of mydependency.git. .gitmodules:

[submodule "external/mydependency"]
    path = external/mydependency
    url = https://repository/mydependency.git

Also in mydependency.git, there is another project.spdx.yml:

SPDXID: "SPDXRef-DOCUMENT"
spdxVersion: "SPDX-2.2"
name: "mydependency"
documentNamespace: "bosch:/mydependency"
documentDescribes:
  - "SPDXRef-Package-mydependency"
packages:
# base package
- SPDXID: "SPDXRef-Package-mydependency"
  copyrightText: "NONE"
  downloadLocation: "https://repository/mydependency.git"
  filesAnalyzed: false
  name: "mydependency"

The problem is that when ORT Analyzer runs over https://repository/myapplication.git, it generates the following result:

projects:
  - id: "SpdxDocumentFile:Bosch:mydependency:"
    definition_file_path: "project.spdx.yml"
    [...]
    vcs_processed:
      url: "https://repository/mydependency.git"
    [...]
  - id: "SpdxDocumentFile:Bosch:myapplication:"
    definition_file_path: "project.spdx.yml"
    [...]
    vcs_processed:
      url: "https://repository/myapplication.git"
    [...]
packages:
  [...]

Since I am analyzing myapplication, I was expecting to find only one project for myapplication and one package for mydependency. However, here I have two projects!

I think the problem is that the SpdxDocumentFile package manager finds the project.spdx.yml of the mydependency package and then decides it is a project, without any regard to the downloadLocation of the package. See https://github.com/oss-review-toolkit/ort/blob/0143ab7802d3259b39560aba5215455820256353/analyzer/src/main/kotlin/managers/SpdxDocumentFile.kt#L493

sschuberth commented 1 year ago

I think the problem is that the SpdxDocumentFile package manager finds the project.spdx.yml of the mydependency package and then decides it is a project, without any regard to the downloadLocation of the package.

This sounds related to https://github.com/oss-review-toolkit/ort/issues/5483.

nnobelis commented 1 year ago

I read #5483 and I am not sure this applies here, as mydependency has its own project.spdx.yml, not a package.spdx.yml. @tsteenbe what do you think?

mnonnenmacher commented 1 year ago

@nnobelis I think the example for mydependency is not complete, to be recognized as a project the project.spdx.yml needs to contain either >1 packages or an external document reference: https://github.com/oss-review-toolkit/ort/blob/7c1cb2ec76b06ce66793962fdc91d5599ce3733a/analyzer/src/main/kotlin/managers/SpdxDocumentFile.kt#L99-L105

nnobelis commented 1 year ago

@nnobelis I think the example for mydependency is not complete, to be recognized as a project the project.spdx.yml needs to contain either >1 packages or an external document reference:

Yes of course: there is one additional package in the mydependency project.spdx.yml file that I didn't put, as the description was already pretty long.
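The two points of the thread, the project-vs-package rule that mnonnenmacher quotes (a document is a project if it has more than one package or an external document reference) and the downloadLocation check the reporter asks for, as an added illustration in Python. This is not ORT's code and does not reproduce the SpdxDocumentFile package manager; it models both classifications side by side on the SPDX documents posted above. The documents are embedded as already-parsed dicts (constructed from the YAML in the issue), the second package "someotherlib" in mydependency's project.spdx.yml is an assumption standing in for the extra package the reporter says exists, and the URL normalisation and the output shape are assumptions of this example.

```python
"""Project vs package classification for SPDX documents found in a checkout.

Added example for the discussion above; not ORT's own implementation.
"""

# Constructed from the YAML posted in the issue (only the fields used here).
MYAPPLICATION_DOC = {
    "name": "myapplication",
    "documentDescribes": ["SPDXRef-Package-myapplication"],
    "packages": [
        {"SPDXID": "SPDXRef-Package-myapplication", "name": "myapplication",
         "downloadLocation": "https://repository/myapplication.git"},
        {"SPDXID": "SPDXRef-Package-mydependency", "name": "mydependency",
         "downloadLocation": "https://repository/mydependency.git",
         "packageFileName": "./external/mydependency"},
    ],
}

# The mydependency document exactly as posted: a single package.
MYDEPENDENCY_DOC_AS_POSTED = {
    "name": "mydependency",
    "documentDescribes": ["SPDXRef-Package-mydependency"],
    "packages": [
        {"SPDXID": "SPDXRef-Package-mydependency", "name": "mydependency",
         "downloadLocation": "https://repository/mydependency.git"},
    ],
}

# The same document with the extra package the reporter mentions.
# "someotherlib" is an assumed name; the issue does not give it.
MYDEPENDENCY_DOC_FULL = {
    "name": "mydependency",
    "documentDescribes": ["SPDXRef-Package-mydependency"],
    "packages": MYDEPENDENCY_DOC_AS_POSTED["packages"] + [
        {"SPDXID": "SPDXRef-Package-someotherlib", "name": "someotherlib",
         "downloadLocation": "https://repository/someotherlib.git"},
    ],
}

# What a walk over the myapplication checkout (submodule included) finds.
FOUND_DOCS = [
    ("project.spdx.yml", MYAPPLICATION_DOC),
    ("external/mydependency/project.spdx.yml", MYDEPENDENCY_DOC_FULL),
]


def is_project_document(doc):
    """The rule quoted in the thread: >1 packages or an external document ref."""
    return len(doc.get("packages", [])) > 1 or bool(doc.get("externalDocumentRefs"))


def described_package(doc):
    """Return the package that documentDescribes points at (the document's root)."""
    wanted = set(doc.get("documentDescribes", []))
    for pkg in doc.get("packages", []):
        if pkg["SPDXID"] in wanted:
            return pkg
    raise ValueError(f"{doc.get('name')}: documentDescribes names no package")


def normalize_vcs_url(url):
    """Assumed comparison rule: case, trailing '/' and '.git' do not matter."""
    url = url.strip().lower().rstrip("/")
    return url[:-4] if url.endswith(".git") else url


def classify(found_docs, analyzed_vcs_url, check_download_location):
    """Split found documents into (project names, package names).

    With check_download_location=False this follows only the quoted rule and
    yields the two projects the reporter observed.  With it set to True, a
    document whose described package is fetched from a repository other than
    the one being analyzed (here: the submodule) is treated as a dependency's
    own document, so its root becomes a package instead of a second project.
    """
    projects, packages = [], set()
    analyzed = normalize_vcs_url(analyzed_vcs_url)
    for _path, doc in found_docs:
        root = described_package(doc)
        as_project = is_project_document(doc)
        if as_project and check_download_location:
            as_project = normalize_vcs_url(root["downloadLocation"]) == analyzed
        if as_project:
            projects.append(root["name"])
            # everything else in a project document is a dependency
            packages.update(p["name"] for p in doc["packages"] if p is not root)
        else:
            # a non-project document contributes its root and its own deps
            packages.update(p["name"] for p in doc["packages"])
    return sorted(projects), sorted(packages)


if __name__ == "__main__":
    url = "https://repository/myapplication.git"
    print("rule only:        ", classify(FOUND_DOCS, url, False))
    print("with downloadLoc: ", classify(FOUND_DOCS, url, True))
```

Run as-is, the first line shows both myapplication and mydependency as projects, the second shows the single project plus the mydependency package the reporter expected. Note that the document for mydependency as literally posted (one package, no external refs) is not a project under the quoted rule at all, which is the gap mnonnenmacher pointed out.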