-
Notifications
You must be signed in to change notification settings - Fork 315
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chores(analyzer): Print warning if duplicate packages #9260
base: main
Are you sure you want to change the base?
chores(analyzer): Print warning if duplicate packages #9260
Conversation
@@ -17,6 +17,8 @@ | |||
* License-Filename: LICENSE |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Commit message: interrupting
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
reworded commit message
"Unable to create the AnalyzerResult as it contains packages and projects with the same ids: " + | ||
duplicates.values | ||
if (duplicates.isNotEmpty()) { | ||
logger.warn {"Unable to create the AnalyzerResult as it contains packages and projects with the same ids: ${duplicates.values}"} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of just logging, I believe an OrtIssue should be created - because the problem can potentially be severe, so there should be no risk of going unnoticed.
However, with the current logic, it may be difficult to implement that, because the problem is detected way after the duplicate IDs got inserted, so undoing the insertion is probably no more possible.
"Unable to create the AnalyzerResult as it contains packages and projects with the same ids: " + | ||
duplicates.values | ||
if (duplicates.isNotEmpty()) { | ||
logger.warn {"Unable to create the AnalyzerResult as it contains packages and projects with the same ids: ${duplicates.values}"} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The log message now does not reflect what you're doing: You say an analyzer result cannot be created, but still create one.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changed log message
46924a6
to
49cb302
Compare
Besides the current build errors, I'm actually not sure if we want the change. I currently don't oversee all side effects of allowing duplicate identifiers. |
I appreciate the need of understanding in detail all side effects of allowing duplicate identifiers. In my opinion, the scan should crash only if there is a non-recoverable error. Having ORT produce a notice file with potential errors is still safer than having no notice file. |
I agree, that side-effect are hard to oversee and probably huge. Also I am strongly for keeping identifiers unique. |
49cb302
to
344d6cb
Compare
Is this what you had in mind? |
logger.warn { | ||
"AnalyzerResult contains packages and projects with the same ids: ${duplicates.values}" | ||
} |
Check warning
Code scanning / detekt
Reports code blocks that are not followed by an empty line Warning
for ((key, items) in duplicates) { | ||
val issue = createAndLogIssue( | ||
source = "analyzer", | ||
message = "AnalyzerResult contains packages and projects with the same ids: ${items}" | ||
) | ||
|
||
val existingIssues = issues.getOrDefault(key, emptyList()) | ||
issues[key] = existingIssues + issue | ||
} |
Check warning
Code scanning / detekt
Reports code blocks that are not followed by an empty line Warning
for ((key, items) in duplicates) { | ||
val issue = createAndLogIssue( | ||
source = "analyzer", | ||
message = "AnalyzerResult contains packages and projects with the same ids: ${items}" |
Check warning
Code scanning / detekt
Detects simplifications in template strings Warning
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #9260 +/- ##
=========================================
Coverage 67.67% 67.67%
Complexity 1187 1187
=========================================
Files 239 239
Lines 7796 7796
Branches 900 900
=========================================
Hits 5276 5276
Misses 2153 2153
Partials 367 367
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
No it isn't. It disregards that:
...but, I also do not see a do-able way how to implement what I had in mind. |
Ok, let me know if any better solution than this comes to mind which is also feasible and I can try to implement it. |
I won't have the time to look into this anytime soon.
IMO it should not be merged, due to not understood side effects and possible broken referential integrity. Would you be willing to invest the time / effort to find another solution @bennati ? |
I can develop a different solution, but first I need someone to explain how the solution should work and the ORT maintainers to commit to merge it once developed. |
Any update on this? |
I believe this PR needs to make more clear which of the three different root causes for duplicate identifiers it targets to address. In any case, I believe it's wrong to unconditionally remove all duplicates from Instead, to get started with addressing the general topic, I plan to revive #6533 which targets the case where duplicates occur between projects and packages. |
We have identified another instance related to the RapidJSON library that may need to be addressed. Specifically, the OSS Review Toolkit (ORT) reported a failure because it detected a duplicate dependency across two distinct packages: [[Package(id=Identifier(type=SpdxDocumentFile, namespace=, name=rapidjson, version=v1.1.0),
purl=pkg:generic/[email protected]?download_url=https://github.com/Tencent/rapidjson/archive/refs/tags/v1.1.0.tar.gz,
cpe=null, authors=[], declaredLicenses=[MIT],
declaredLicensesProcessed=ProcessedDeclaredLicense(spdxExpression=MIT, mapped={}, unmapped=[]),
concludedLicense=MIT, description=A fast JSON parser/generator for C++ with both SAX/DOM style API,
homepageUrl=https://rapidjson.org/, binaryArtifact=RemoteArtifact(url=, hash=Hash(value=, algorithm=)),
sourceArtifact=RemoteArtifact(url=https://github.com/Tencent/rapidjson/archive/refs/tags/v1.1.0.tar.gz, hash=Hash(value=,
algorithm=)), vcs=VcsInfo(type=Git, url=ssh://[email protected]:3389/professional-services/hdo/hdo-client.git,
revision=2e21d71c1840c8d795ef73247b73b052acd73b8e, path=external/rapidjson), vcsProcessed=VcsInfo(type=Git,
url=ssh://[email protected]:3389/professional-services/hdo/hdo-client.git,
revision=2e21d71c1840c8d795ef73247b73b052acd73b8e, path=external/rapidjson), isMetadataOnly=false,
isModified=false, sourceCodeOrigins=null), Package(id=Identifier(type=SpdxDocumentFile, namespace=,
name=rapidjson, version=v1.1.0), purl=pkg:generic/[email protected]?
download_url=https://github.com/Tencent/rapidjson/archive/refs/tags/v1.1.0.tar.gz, cpe=null, authors=[],
declaredLicenses=[MIT], declaredLicensesProcessed=ProcessedDeclaredLicense(spdxExpression=MIT, mapped={},
unmapped=[]), concludedLicense=MIT, description=A fast JSON parser/generator for C++ with both SAX/DOM style API,
homepageUrl=https://rapidjson.org/, binaryArtifact=RemoteArtifact(url=, hash=Hash(value=, algorithm=)),
sourceArtifact=RemoteArtifact(url=https://github.com/Tencent/rapidjson/archive/refs/tags/v1.1.0.tar.gz, hash=Hash(value=,
algorithm=)), vcs=VcsInfo(type=Git, url=ssh://[email protected]:3389/professional-
services/dra/clients/vehicle.git, revision=0b876fe71ff6056818fe4eebe0db31e21751679c, path=external/rapidjson),
vcsProcessed=VcsInfo(type=Git, url=ssh://[email protected]:3389/professional-services/dra/clients/vehicle.git,
revision=0b876fe71ff6056818fe4eebe0db31e21751679c, path=external/rapidjson), isMetadataOnly=false,
isModified=false, sourceCodeOrigins=null)]]
|
When duplicate packages or projects are found in the dependency tree, print a warning instead of throwing an exception and inteerrupting the scan. Duplicate packages may arise when the same package is imported twice, in these cases the dependency tree will be completed as the package is imported at least once. Signed-off-by: Stefano Bennati <[email protected]>
344d6cb
to
044ad84
Compare
When duplicate packages or projects are found in the dependency tree, print a warning instead of throwing an exception and inteerrupting the scan. Duplicate packages may arise when the same package is imported twice, in these cases the dependency tree will be completed as the package is imported at least once.
Please ensure that your pull request adheres to our contribution guidelines. Thank you!