oss-review-toolkit / ort

A suite of tools to automate software compliance checks.
https://oss-review-toolkit.org
Apache License 2.0

Exclude Composer platform dependencies (libraries) from the analysis #6806

Closed rcky closed 1 year ago

rcky commented 1 year ago

Composer does allow packages to specify platform dependencies. While the analyzer for PHP handles extensions as well as Composer dependencies, it fails when analyzing libraries, i.e. those starting with the lib-* prefix (as described in the aforementioned link).

Dependencies relying on such libraries will cause an error and will not be included in the analyzer result (and will therefore also be missing from the following steps):

12:14:43.999 [DefaultDispatcher-worker-1] ERROR org.ossreviewtoolkit.analyzer.managers.Composer - Could not resolve dependencies of 'yiisoft/yii2': IOException: Could not find package info for lib-pcre

Is there a way to exclude these dependencies from the Analysis phase?

Details

I had to dig in the source code to find out what happens:

Extensions are handled here: https://github.com/oss-review-toolkit/ort/blob/834f86bbe30d6688da57886f6d2a1c9781886e3f/plugins/package-managers/composer/src/main/kotlin/Composer.kt#L185

sschuberth commented 1 year ago

I guess the key question is: are platform dependencies ever distributed with the application? Or do they work similarly to Maven's "provided" scope, i.e. is it assumed that the target system that runs the application has them installed?

rcky commented 1 year ago

As far as I can see from the Docs, these libraries are not shipped with the application:

When you require one of the platform packages no code is installed. The version numbers of platform packages are derived from the environment Composer is executed in and they cannot be updated or removed.

In the case of lib-pcre it is usually bundled with the PHP source of the target system. But - to be honest - I'm not able to judge if and how the licenses of these dependencies affect the license of the application itself. Nevertheless, excluding the dependencies referencing these libraries from the analysis will surely affect the evaluation 😉

sschuberth commented 1 year ago

Yeah, I was also stumbling over

When you require one of the platform packages no code is installed.

That sounded promising (in the sense that platform dependencies are not distributed). But in the end, just because something is not installed (as it's already present) does not mean it's not going to be bundled into the distribution.

Anyway, as we already exclude PHP Extensions (which also are a type of platform dependency) I guess it'd be consistent to also exclude other types of platform dependencies, like PHP Libraries.

Do you feel like contributing a PR @rcky?
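The failure from the opening report and the resolution proposed here (treat lib-* like ext-*, i.e. skip every Composer platform package) as an added example in Python, not code from ORT or from either commenter; the lock data is constructed, and `skip_libs=False` stands in for the pre-fix behaviour:

```python
import re

# Composer platform packages install no code; their versions come from the
# runtime Composer executes in, so a lock-file lookup can never find them.
# Name families follow the Composer documentation on platform packages.
PLATFORM_NAME = re.compile(
    r"^(php(-(64bit|ipv6|zts|debug))?|hhvm|composer(-(plugin|runtime)-api)?"
    r"|ext-[a-z0-9_]+|lib-[a-z0-9_-]+)$"
)

def is_platform_dependency(name, skip_libs=True):
    """True if `name` is a platform package that must not be resolved.
    skip_libs=False models the issue: ext-* is recognised, lib-* is not."""
    if not PLATFORM_NAME.match(name):
        return False
    return skip_libs or not name.startswith("lib-")

def resolve(lock_packages, root_requires, skip_libs=True):
    """Walk a composer.lock-style package list from the root requirements.
    Returns (resolved names, error messages for root packages dropped because
    a dependency had no package info, as the analyzer reports it)."""
    by_name = {p["name"]: p for p in lock_packages}
    resolved, errors = set(), []

    def visit(name, path):
        if name in resolved or name in path:  # already done, or a require cycle
            return
        pkg = by_name.get(name)
        if pkg is None:
            raise LookupError(f"Could not find package info for {name}")
        for dep in pkg.get("require", {}):
            if not is_platform_dependency(dep, skip_libs):
                visit(dep, path | {name})
        resolved.add(name)

    for name in root_requires:
        if is_platform_dependency(name, skip_libs):
            continue
        try:
            visit(name, frozenset())
        except LookupError as exc:
            errors.append(f"Could not resolve dependencies of '{name}': {exc}")
    return resolved, errors

# Constructed sample (not a real composer.lock) modelled on the issue's case.
SAMPLE_LOCK = [
    {"name": "yiisoft/yii2", "require": {"php": ">=7.3", "ext-mbstring": "*",
                                         "lib-pcre": "*", "cebe/markdown": "~1.2"}},
    {"name": "cebe/markdown", "require": {"php": ">=5.4", "ext-pcre": "*"}},
]
```

With `skip_libs=False` the whole of yiisoft/yii2 drops out of the result with the same message the log shows; with the default, lib-pcre is skipped and the tree resolves completely.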

rcky commented 1 year ago

That sounded promising (in the sense that platform dependencies are not distributed). But in the end, just because something is not installed (as it's already present) does not mean it's not going to be bundled into the distribution.

I had the same impression (this might even be true for the PHP runtime itself). Therefore, my first intent was to add some sort of curations for these dependencies ... until I found out that curations are not available at this stage of the process.

Do you feel like contributing a PR @rcky?

I'd love to, but I got no clue about the Kotlin ecosystem 🤷

P.S.: @sschuberth Thank you for the fast replies, really appreciate that.

sschuberth commented 1 year ago

@rcky, can you please verify whether https://github.com/oss-review-toolkit/ort/pull/6808 fixes your issue?

rcky commented 1 year ago

@sschuberth As far as I can see, the fix works like a charm and the report seems to be complete using the new version.

Just FYI: