Closed malmor closed 1 year ago
Our filterVersionNames
function should already support finding the "config/v1.18.3" tag as a revision candidate for a project called "config". Maybe we simply forgot to pass along the project name to our guessing logic?
Which revision of ORT are you using @malmor?
Which revision of ORT are you using @malmor?
Sorry, forgot to put that information into the issue description. 🤦♂️
We are running revision 37d7e05e98363793e024081bcd31ce4777364d4f
- which is three weeks old.
which is three weeks old.
There have been quote bunch of esp. GoMod-related changes since then. Please first try again with the latest version from today.
Thanks for the hint!
I just ran ORT again using revision d949be19c1c99f8abd07d30bbe5d2ce480744bed
(release yesterday evening) - but this results in an analysis error:
Analyzing project path:
/builds/my/project-example
Found 1 GoMod definition file(s) at:
go.mod
Found 1 definition file(s) from 1 package manager(s) in total.
14:22:13.302 [DefaultDispatcher-worker-2] ERROR org.ossreviewtoolkit.analyzer.PackageManager - Resolving GoMod dependencies for path 'go.mod' failed with: MissingKotlinParameterException: Instantiation of [simple type, class org.ossreviewtoolkit.analyzer.managers.ModuleInfo] value failed for JSON property GoMod due to missing (therefore NULL) value for creator parameter goMod which is a non-nullable type
at [Source: (String)"{
\u0009"Path": "my.company/my/project-example",
\u0009"Main": true,
\u0009"Dir": "/builds/my/project-example",
\u0009"GoMod": "/builds/my/project-example/go.mod",
\u0009"GoVersion": "1.19"
}
{
\u0009"Path": "github.com/BurntSushi/toml",
\u0009"Version": "v0.3.1",
\u0009"Time": "2018-08-15T10:47:33Z",
\u0009"Indirect": true,
\u0009"GoMod": "/tmp/ort-GoMod4423785630482469950/pkg/mod/cache/download/github.com/!burnt!sushi/toml/@v/v0.3.1.mod"
}
{
\u0009"Path": "github.com/aws/aws-lambda-go","[truncated 15634 chars]; line: 269, column: 1] (through reference chain: org.ossreviewtoolkit.analyzer.managers.ModuleInfo["GoMod"])
Writing analyzer result to '/builds/my/project-example/output/analyzer-result.yml'.
The analysis took 1m 52.467218401s.
Found 1 project(s) and 0 package(s) in total (not counting excluded ones).
Applied 0 curation(s) from 3 provider(s).
Resolved issues: 0 errors, 0 warnings, 0 hints.
Unresolved issues: 1 error, 0 warnings, 0 hints.
This is the diff between the two revisions. Do you want me to open a separate issue for this problem?
Do you want me to open a separate issue for this problem?
No, this now sounds to me like a duplicate of https://github.com/oss-review-toolkit/ort/issues/6615 which @fviernau is already looking into.
Looking at the produced analyzer result in the issues description, I see that it contains:
revision: "v1.18.3"
I haven't verified but am certain that this revision won't be output by latest HEAD of master ORT version anymore, as that's exactly (one part of) what my recent GoMod
improvements were about. It should now always output a SHA1
, never a tag name so the problem should be gone. As part of these changes I introduced #6615, but in my view that's something different.
The problem illustrated here should be fixed, so closing this as fixed. @malmor it'd be great if you could verify this with latest ORT.
@malmor I agree that https://github.com/oss-review-toolkit/ort/issues/6626#issuecomment-1458286182 is actually #6615, would you be able to share the files go.mod
+ main.go
for reproducing this under #6615?
Hey @fviernau, fantastic to hear - looking forward to testing this with the latest ORT version after #6615 is fixed!
I will join the discussion in #6615 and try to provide our example - just need to refactor it first because it contains some internal dependencies hosted in our own infrastructure.
Thanks!
I will join the discussion in #6615 and try to provide our example - just need to refactor it first because it contains some internal dependencies hosted in our own infrastructure.
Great, thanks! Note that for the file you'd provide for reproducing the go.mod
file ideally should be consistent with go mod tidy
e.g. unused dependencies stripped. (which is why I also asked for main.go
.
Hey, we have and issue with the GoMod Package Manager during the
scan
phase.Our setup
Our project has a dependency on the module
config
(and some more) fromaws-sdk-go-v2
:go.mod
``` module my.company go 1.19 require ( github.com/aws/aws-lambda-go v1.35.0 github.com/aws/aws-sdk-go v1.44.150 github.com/aws/aws-sdk-go-v2 v1.17.1 github.com/aws/aws-sdk-go-v2/config v1.18.3 github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.10.6 github.com/aws/aws-sdk-go-v2/service/dynamodb v1.17.7 github.com/aws/aws-sdk-go-v2/service/s3 v1.29.4 github.com/google/go-cmp v0.5.8 golang.org/x/exp v0.0.0-20230105202349-8879d0199aa3 ) require github.com/patrickmn/go-cache v2.1.0+incompatible // indirect require ( github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.9 // indirect github.com/aws/aws-sdk-go-v2/credentials v1.13.3 // indirect github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.19 // indirect github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25 // indirect github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.3.26 // indirect github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.16 // indirect github.com/aws/aws-sdk-go-v2/service/dynamodbstreams v1.13.26 // indirect github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.10 // indirect github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.20 // indirect github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.7.19 // indirect github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.19 // indirect github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.19 // indirect github.com/aws/aws-sdk-go-v2/service/sso v1.11.25 // indirect github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.8 // indirect github.com/aws/aws-sdk-go-v2/service/sts v1.17.5 // indirect github.com/aws/smithy-go v1.13.4 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect github.com/satori/go.uuid v1.2.1-0.20181028125025-b2ce2384e17b // indirect ) ```ORT successfully detects the package, but when running the
scan
phase it does not use the correct Git tag to download the source code from. Theanalyze
phase produces the followinganalyzer-result
(removed unrelated information):One can see that
type
,url
andpath
are correct - but the revision is not. Because this module is part of a multi-module repository, therevision
should be the combination ofpath
andversion
(see below).The
scan
phase finds multiple Git tags that contain theversion
part - and throws anIOException
here:The correct Git tag
config/v1.18.3
is there - but ORT does not use it.Go modules with name and version
For Go modules that are part of a multi-module repository it is common to use Git tags that contain the module name and the semantic version: https://github.com/golang/go/wiki/Modules#publishing-a-release
In this example the Git tag that should be used for this version is
config/v1.18.3
: https://github.com/aws/aws-sdk-go-v2/releases/tag/config%2Fv1.18.3Possible workaround
One way to fix this issue is by creating curations for the
vcs:revision
part:The downside of this approach is that one needs to create such a curation for every single version. This results in a huge amount of manual work because we update dependencies very often.
And using a single curation for all versions (like
id: "Go::github.com/aws/aws-sdk-go-v2/config
) does not seem to be possible because the version needs to be part of therevision
value. (?)Question
Would it be possible to implement native support for these kind of packages in ORT? As far as I can tell the necessary information should be available after the
analyze
phase. This would allow us to include these packages in ourNOTICE
files.Kind Regards, Malte