Open hanna-modica opened 1 year ago
However, it will not create an issue
Are you certain about that? This is what I tried for testing:
plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/inline-packages/project-xyz.spdx.yml to end the SPDXID in line 15 with an !
.SpdxDocumentFileFunTest
.issues:
- timestamp: "2023-07-04T09:07:53.008578087Z"
source: "SpdxDocumentFile"
message: "SpdxDocumentFile failed to resolve dependencies for path 'src/funTest/assets/projects/synthetic/inline-packages/project-xyz.spdx.yml':\
\ ValueInstantiationException: Cannot construct instance of `org.ossreviewtoolkit.utils.spdx.model.SpdxPackage`,\
\ problem: The SPDX ID 'SPDXRef-Package-xyz!' is only allowed to contain letters,\
\ numbers, '.', and '-'.
at [Source: (File); line: 26, column: 1] (through reference\
\ chain: org.ossreviewtoolkit.utils.spdx.model.SpdxDocument[\"packages\"]->java.util.ArrayList[0])
\
Caused by: IllegalArgumentException: The SPDX ID 'SPDXRef-Package-xyz!' is only\
\ allowed to contain letters, numbers, '.', and '-'."
severity: "ERROR"
Hi @sschuberth, unfortunately, yes. The analyzer-result.yml does not contain an issue for that error message in our run. I am not sure what I can provide to you without disclosing company information.
Ok, thanks for the feedback, but as I'm not able to reproduce the issue, I'll mark this as help wanted and someone who can reproduce this needs to look into it.
I am not sure what I can provide to you without disclosing company information.
@mnonnenmacher can you help here maybe?
The following commit [1] will produce an error in the analyzer logs if there is an SPDX ID that contains a forbidden character. However, it will not create an issue; therefore, the analyzer we run inside Docker finishes with exit code 0, and in the scan report web app there is also no issue for this error. The dependency tree will be incomplete, however, and for a regular user it is hard to find out why. If possible, please make this error appear correctly in the scan report web app.
[1] https://github.com/oss-review-toolkit/ort/pull/7066/commits/015382f5645dedd55cd3c94d10ff175d4fa5198f
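The behaviour this issue asks for, as an added example that is not ORT's own code: instead of letting the SPDX ID check throw during deserialization (which only reaches the log), every invalid package ID is collected as an ERROR issue in the shape of an analyzer-result.yml entry, and the run's exit code reflects it. The character rule is the one quoted in the error message above; the "SPDXRef-" prefix requirement comes from the SPDX specification; the sample document and the `SpdxDocumentFile` source label are constructed for this example.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Allowed characters after "SPDXRef-", as quoted in the error message in this thread.
SPDX_ID_RE = re.compile(r"^SPDXRef-[A-Za-z0-9.-]+$")


@dataclass(frozen=True)
class Issue:
    """Mirrors the fields of an entry in the analyzer-result.yml 'issues' list."""
    source: str
    severity: str
    message: str


def spdx_id_problem(spdx_id: str) -> Optional[str]:
    """Return why spdx_id is invalid, or None if it is acceptable."""
    if not spdx_id.startswith("SPDXRef-"):  # prefix required by the SPDX spec
        return f"The SPDX ID '{spdx_id}' must start with 'SPDXRef-'."
    if not SPDX_ID_RE.fullmatch(spdx_id):
        return (f"The SPDX ID '{spdx_id}' is only allowed to contain letters, "
                "numbers, '.', and '-'.")
    return None


def collect_issues(document: dict, path: str) -> List[Issue]:
    """Check every package ID and report each failure as an issue rather than
    aborting on the first exception, so all of them can be surfaced in a report."""
    issues = []
    for pkg in document.get("packages", []):
        problem = spdx_id_problem(str(pkg.get("SPDXID", "")))
        if problem:
            issues.append(Issue("SpdxDocumentFile", "ERROR",
                                f"SpdxDocumentFile failed to resolve dependencies "
                                f"for path '{path}': {problem}"))
    return issues


def exit_code(issues: List[Issue]) -> int:
    """Non-zero when any ERROR issue exists, so a Docker run cannot silently succeed."""
    return 1 if any(i.severity == "ERROR" for i in issues) else 0


# Constructed sample SPDX document (JSON form): one valid package and one whose
# ID ends with '!', mirroring the reproduction attempt earlier in this thread.
SAMPLE_DOCUMENT = json.loads('{"SPDXID": "SPDXRef-DOCUMENT", "packages": ['
                             '{"SPDXID": "SPDXRef-Package-abc", "name": "abc"}, '
                             '{"SPDXID": "SPDXRef-Package-xyz!", "name": "xyz"}]}')

if __name__ == "__main__":
    found = collect_issues(SAMPLE_DOCUMENT, "project-xyz.spdx.json")
    for issue in found:
        print(f"{issue.severity}: {issue.message}")
    raise SystemExit(exit_code(found))
```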