oss-review-toolkit / ort

A suite of tools to automate software compliance checks.
https://oss-review-toolkit.org
Apache License 2.0

Issue doesn't appear when a direct dependency is no longer available, while such an issue appears for transitive dependencies #8109

Open dobringochev opened 9 months ago

dobringochev commented 9 months ago

Hello there, let's say I have a product where in its project.spdx.yml I've got a couple of dependencies. Direct dependencies have a STATIC_LINK relationship while transitive dependencies have a DEPENDS_ON relationship. So for example I've got ./external/transtive-dependency-1, which represents a git submodule, and if it's not available anymore I will get an issue about that in my scan-web-app-report, which is fine. But if ./external/direct-dependency-1 (which again is another git submodule) refers to another repo that is not available, I'm not getting an issue in my scan-web-app report for some reason. I believe this should be like that and my expectations are that if for some reason a direct dependency is also not available anymore, I should receive an issue in my scan-web-app-report just like I have for the transitive dependency. Here is one example of my project.spdx.yml file.

SPDXID: "SPDXRef-DOCUMENT"
spdxVersion: "SPDX-2.2"
creationInfo:
  created: "2023-02-22T00:00:00Z"
  creators:
  - "Organization: ORGX"
name: "ProductX"
documentNamespace: "orgx://company/productx"
documentDescribes:
  - "SPDXRef-Package-ProductX"
packages:
# base package
- SPDXID: "SPDXRef-Package-ProductX"
  copyrightText: "NONE"
  downloadLocation: "https://productx.company.git"
  filesAnalyzed: false
  homepage: "NONE"
  licenseConcluded: "NONE"
  licenseDeclared: "LicenseRef-Proprietary-CompanyX"
  name: "ProductX"
  originator: "Organization: Company"
# end package
# packages referenced by base package
- SPDXID: "SPDXRef-Package-Direct-Dependency-1"
  copyrightText: "NONE"
  downloadLocation: "https://direct-dependency-1.company.git"
  filesAnalyzed: false
  homepage: "https://www.dep1.com"
  licenseConcluded: "NONE"
  licenseDeclared: "Apache-2.0"
  packageFileName: "./external/direct-dependency-1"
  name: "direct-dependency-1"
  originator: "Organization: Supplier1"
# end package
- SPDXID: "SPDXRef-Package-Transitive-Dependency-1"
  copyrightText: "NONE"
  downloadLocation: "https://transitive-dependency-1.company.git"
  filesAnalyzed: false
  homepage: "https://www.trans-dep1.com"
  licenseConcluded: "NONE"
  licenseDeclared: "MIT"
  packageFileName: "./external/transtive-dependency-1"
  name: "transitive-dependency-1"
  originator: "Organization: Supplier2"
# end package
#
# define relationships
# pattern:
# - spdxElementId:      "SPDXRef-Package-<somePackage>"
#   relationshipType:   "<relationship>"
#   relatedSpdxElement: "SPDXRef-Package-<basePackage>"
#
relationships:
- spdxElementId:      "SPDXRef-Package-ProductX"
  relationshipType:   "STATIC_LINK"
  relatedSpdxElement: "SPDXRef-Package-Direct-Dependency-1"
- spdxElementId:      "SPDXRef-Package-Direct-Dependency-1"
  relationshipType:   "DEPENDS_ON"
  relatedSpdxElement: "SPDXRef-Package-Transitive-Dependency-1"

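
The behaviour the reporter expects, an issue for every reachable package whose local checkout is missing regardless of whether it is a direct or a transitive dependency, can be checked independently of ORT by walking the SPDX relationship graph from the described package. The following is an added example, not ORT's own code: the document is a constructed Python dict mirroring the shape of the project.spdx.yml above (already parsed, so no YAML library is needed), the set of relationship types treated as "depends on" is an assumption for this example rather than ORT's mapping, and `is_available` is an injected predicate so the same walk can run against a real checkout or a constructed set of present paths.

```python
"""Walk an SPDX 2.2 document's relationship graph from the described root
package(s) and report every reachable package whose packageFileName is not
available, at any depth. Added example; not code from the ORT project."""
from collections import deque
from pathlib import Path

# Constructed document mirroring the issue's project.spdx.yml (fields not needed
# for the walk are omitted). The root package has no packageFileName, as above.
SPDX_DOC = {
    "documentDescribes": ["SPDXRef-Package-ProductX"],
    "packages": [
        {"SPDXID": "SPDXRef-Package-ProductX", "name": "ProductX"},
        {"SPDXID": "SPDXRef-Package-Direct-Dependency-1",
         "name": "direct-dependency-1",
         "packageFileName": "./external/direct-dependency-1"},
        {"SPDXID": "SPDXRef-Package-Transitive-Dependency-1",
         "name": "transitive-dependency-1",
         "packageFileName": "./external/transtive-dependency-1"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-Package-ProductX",
         "relationshipType": "STATIC_LINK",
         "relatedSpdxElement": "SPDXRef-Package-Direct-Dependency-1"},
        {"spdxElementId": "SPDXRef-Package-Direct-Dependency-1",
         "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-Transitive-Dependency-1"},
    ],
}

# Relationship types read as "spdxElementId depends on relatedSpdxElement".
# Assumption for this example; ORT's own mapping is not reproduced here.
DEPENDENCY_RELATIONS = {"STATIC_LINK", "DYNAMIC_LINK", "DEPENDS_ON"}


def dependency_graph(doc):
    """Map each package SPDXID to the SPDXIDs it depends on."""
    graph = {pkg["SPDXID"]: [] for pkg in doc["packages"]}
    for rel in doc["relationships"]:
        if rel["relationshipType"] in DEPENDENCY_RELATIONS:
            graph.setdefault(rel["spdxElementId"], []).append(rel["relatedSpdxElement"])
    return graph


def find_missing_dependencies(doc, is_available):
    """Breadth-first walk from the described root packages.

    Returns a list of (package_id, depth, packageFileName) for every reachable
    package that is unavailable; depth 1 is a direct dependency of a root.
    A relationship pointing at an SPDXID with no package entry is reported
    too, with packageFileName None. Cycles are cut by the `seen` set.
    """
    packages = {pkg["SPDXID"]: pkg for pkg in doc["packages"]}
    graph = dependency_graph(doc)
    roots = list(doc["documentDescribes"])
    seen = set(roots)
    queue = deque((dep, 1) for root in roots for dep in graph.get(root, []))
    missing = []
    while queue:
        pkg_id, depth = queue.popleft()
        if pkg_id in seen:
            continue
        seen.add(pkg_id)
        pkg = packages.get(pkg_id)
        if pkg is None:
            missing.append((pkg_id, depth, None))  # dangling reference
            continue
        path = pkg.get("packageFileName")
        if path is None or not is_available(path):
            missing.append((pkg_id, depth, path))
        # Keep walking below a missing package: its own relationships are
        # still declared in the document even if its checkout is gone.
        queue.extend((dep, depth + 1) for dep in graph.get(pkg_id, []))
    return missing


def check_checkout(doc, base_dir):
    """Run the walk against a real tree: a package is available when its
    packageFileName resolves to an existing directory under base_dir."""
    base = Path(base_dir)
    return find_missing_dependencies(doc, lambda p: (base / p).is_dir())


if __name__ == "__main__":
    # Simulate the situation from the issue: only the direct submodule is gone.
    present = {"./external/transtive-dependency-1"}
    for pkg_id, depth, path in find_missing_dependencies(SPDX_DOC, present.__contains__):
        print(f"missing at depth {depth}: {pkg_id} ({path})")
```

Run from the project root, `check_checkout(doc, ".")` reports a missing direct submodule at depth 1 and a missing transitive one at depth 2 in the same list, which is the symmetry the issue asks the report to show.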
sschuberth commented 7 months ago

@dobringochev can you still reproduce your issue with now https://github.com/oss-review-toolkit/ort/pull/8376 being merged?

sschuberth commented 4 months ago

@dobringochev can you still reproduce your issue with now #8376 being merged?

Ping @dobringochev.