oss-review-toolkit / ort

A suite of tools to automate software compliance checks.
https://oss-review-toolkit.org
Apache License 2.0

Package download fails if Nuget artifact provided #9083

Closed vw-anton closed 1 month ago

vw-anton commented 1 month ago

Describe the bug

We provide https://www.nuget.org/api/v2/package/OpenCvSharp4.Extensions/4.9.0.20240103 to ORT to download but it fails with:

IOException: Could not resolve provenance for package 'NuGet::OpenCvSharp4.Extensions:4.9.0.20240103' for source code origins [VCS, ARTIFACT]. Resolution of ARTIFACT failed with: IOException: Could not verify existence of source artifact at https://www.nuget.org/api/v2/package/OpenCvSharp4.Extensions/4.9.0.20240103. HTTP request got response 404.

This is most probably due to the HEAD check we do here: https://github.com/oss-review-toolkit/ort/blob/bd4e76e996c7d99820dd884cea104276d4ee9861/scanner/src/main/kotlin/provenance/PackageProvenanceResolver.kt#L144 which does not follow redirects. This seems to be an odd behavior Nuget has breaking the correct lookup.

We should discuss whether it makes sense to do the HEAD or broaden the cases for the GET fallback.

To Reproduce

Run ORT with input:

    packages:
    - id: "NuGet::OpenCvSharp4.Extensions:4.9.0.20240103"
      purl: ""
      declared_licenses: []
      declared_licenses_processed: {}
      description: ""
      homepage_url: ""
      binary_artifact:
        url: ""
        hash:
          value: ""
          algorithm: ""
      source_artifact:
        url: "https://www.nuget.org/api/v2/package/OpenCvSharp4.Extensions/4.9.0.20240103"
        hash:
          value: ""
          algorithm: ""
      vcs:
        type: ""
        url: ""
        revision: ""
        path: ""
      vcs_processed:
        type: ""
        url: ""
        revision: ""
        path: ""

Expected behavior

It follows the redirect and does not throw an exception.

Console / log output

n/a

Environment


 environment:
    ort_version: "25.1.0"
    build_jdk: "11.0.23+9"
    java_version: "17.0.11"
    os: "Linux"```

### Additional context

Add any other context about the problem here.
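To make the mechanics the report discusses concrete (a HEAD probe to check that an artifact exists, redirect following, and a GET fallback when a host answers HEAD with 404), here is an added, self-contained Python example. It is not ORT code and does not use OkHttp; it starts a constructed in-process HTTP host (`FakePackageHost`, a hypothetical stand-in for a package feed, not nuget.org) that reproduces the odd behaviour described above, and probes it with `request_status` and `verify_artifact`, both names made up for this example.

```python
"""Constructed demo of artifact-existence probing: HEAD with and without redirect
following, plus a GET fallback for hosts that answer HEAD oddly (no real network)."""
import http.client
import http.server
import threading
from urllib.parse import urlsplit

NUPKG_BYTES = b"PK\x03\x04 constructed nupkg payload"  # constructed, not a real package


class FakePackageHost(http.server.BaseHTTPRequestHandler):
    """Hypothetical package host (not nuget.org) reproducing the reported behaviour:
    /redirect -> 302 -> /artifact.nupkg, which answers 404 to HEAD but 200 to GET.
    /plain.nupkg behaves normally; anything else is 404."""

    def log_message(self, *args):  # keep the demo output quiet
        pass

    def do_HEAD(self):
        self._route()

    def do_GET(self):
        self._route()

    def _route(self):
        if self.path == "/redirect":
            self._reply(302, location="/artifact.nupkg")
        elif self.path == "/artifact.nupkg":
            # The odd case: existence is only visible to GET, never to HEAD.
            if self.command == "HEAD":
                self._reply(404)
            else:
                self._reply(200, NUPKG_BYTES)
        elif self.path == "/plain.nupkg":
            self._reply(200, NUPKG_BYTES)
        else:
            self._reply(404)

    def _reply(self, status, body=b"", location=None):
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":  # HEAD responses carry headers only
            self.wfile.write(body)


def request_status(method, host, port, path, follow_redirects=True, max_hops=5):
    """Issue `method` against host:port/path and return the final HTTP status.
    http.client never follows redirects by itself, so following is done explicitly
    here and can be switched off to mimic a client that stops at the 3xx."""
    for _ in range(max_hops):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request(method, path)
            resp = conn.getresponse()
            status, location = resp.status, resp.getheader("Location")
            if method != "HEAD":
                resp.read(1)  # touch the body without downloading all of it
        finally:
            conn.close()
        if 300 <= status < 400 and location and follow_redirects:
            target = urlsplit(location)
            if target.netloc:  # absolute Location may point at another host
                host, port = target.hostname, target.port or 80
            path = target.path or "/"
            continue
        return status
    raise RuntimeError(f"more than {max_hops} redirects for {path}")


def verify_artifact(host, port, path):
    """Two-stage existence check: HEAD (following redirects) first; on 404 or 405
    retry with GET, because some hosts only answer GET correctly. Returns what
    happened so a caller can log which method established existence."""
    status = request_status("HEAD", host, port, path)
    if status == 200:
        return {"exists": True, "method": "HEAD", "status": status}
    if status in (404, 405):
        status = request_status("GET", host, port, path)
        return {"exists": status == 200, "method": "GET", "status": status}
    return {"exists": False, "method": "HEAD", "status": status}


def start_host():
    """Start the constructed host on an ephemeral loopback port."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), FakePackageHost)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = start_host()
    port = srv.server_address[1]
    print("HEAD, no redirects :", request_status("HEAD", "127.0.0.1", port, "/redirect", False))
    print("HEAD, redirects    :", request_status("HEAD", "127.0.0.1", port, "/redirect"))
    print("HEAD then GET      :", verify_artifact("127.0.0.1", port, "/redirect"))
    srv.shutdown()
```

Run stand-alone, it prints 302 for a HEAD that stops at the redirect, 404 for one that follows it (the host's odd behaviour), and a successful GET fallback for the same URL. An existence check of this kind says nothing about integrity: the curation in the report leaves `source_artifact.hash` empty, so whatever such a probe finds is never compared against a known digest.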

georg-eckert-zeiss commented 1 month ago

That link points to the binary artifact, not the source artifact. Source artifact would be something like https://github.com/shimat/opencvsharp/archive/refs/tags/4.8.0.20230711.zip - but you could just provide the VCS url in the curation.

sschuberth commented 1 month ago

> This is most probably due to the HEAD check we do here: [...] which does not follow redirects.

Actually, the requestSourceArtifact() helper function uses our pre-configured okHttpClient which does follow redirects (both SSL and non-SSL) by default.

Additionally taking into account what @georg-eckert-zeiss wrote, I'm closing this as won't fix.