-
Notifications
You must be signed in to change notification settings - Fork 314
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SPDX reporter: Stop creating dangling relationships to excluded packages #7488
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -70,7 +70,11 @@ internal object SpdxDocumentModelMapper : Logging { | |
ortResult | ||
) | ||
|
||
ortResult.getDependencies(project.id, 1).mapTo(relationships) { dependency -> | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Just wondering, can't the same bug also appear around line 94, if a non-excluded package depends on an excluded package? In general, I wonder whether a more general solution to the problem would be to also teach There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
I believe so as well, good catch. If I'm not mistaken, in that case it is way more of an edge case compared to above, because IIUC it happens only if a package X appears at least twice in dependency tree (one time included, one time excluded), whereas the two subtrees rooted at X differ.
I've decided against that, because it seemed to me that the function as-is is already too use case specific (and in particular encouraging mis-use) for the location it resides. I'm saying that, because to me it's not obvious that it merges the subtrees for identical identifiers. Anyhow, maybe the
No, because that would not solve point #2 mentioned in the commit message. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
I anyway have another question regard that point. You write (typo in "depdendencies" BTW):
I'm unsure about what "may not be linked ... at all" exactly means. So if I had (all non-excluded) a project structure like
are you saying there should be no relationship between "sub-project" and "package" being recorded in the SPDX document? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
If we have above, and consider the original (current) algorithm implemented by you, I guess the intention was to not mention subproject-1 and subproject-2 in the SPDX report, but link the dependencies directly to root-project-1 and root-project-2. To my understanding the implementation did not match this mentioned intention, which I wanted to fix with this new implementation.
Given the above, I'd say no, because "package" should be a direct child of the "root" project, and nested submodules should not be modeled in the output.
If I'm not mistaken in my above tree, the current algorithm would produce a SPDX document where there is no path from any root to "package 2" and / or to "package 1". (Due to the limitation of There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Actually no, that was not my intention. The intention was to create all of the following relationships in this case:
(And the same for the number 2 projects / packages.) There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Well, that differs from what @tsteenbe and others have expressed here then. The intent of my b471544 was to partly address that linked issue. And we have the same ask to capture the full dependency tree for CycloneDX, BTW.
Not really, to be honest, as that takes us a step back again from solving #4099. However, I completely agree that I've introduced a bug in b471544 by disregarding excludes. That should certainly be fixed. And if I have introduced another bug related to sub-projects, that should be fixed, too. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
I understand Thomas' comment differently, however. It's not mentioning sub-modules explicitly, so this is IMO speculation. I believe we should discuss sub-module case explicitly / separately.
Ok.
Why is it a step back? My PR does not reduce information reported at all. But fixes this bug:
So, can we use this PR as-is as a bug fix, and then moving forward discuss how exactly we want sub-module structure be represented in ORT community and then in a next iteration implement that? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
I'm not sure if this bug was clear to you already, but this sentence illustrates it pretty well. The idea does not work in case there are sub-projects, because then one does not iterate over the sub-projects dependencies at all in some cases. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
To me it would be misleading to report "package-1" as a direct dependency of "root-project-1" here, especially if both "root-project-1" and "sub-project-1" are published. I do not yet understand the issue with the current approach to build the tree, especially:
Under which circumstances would that be the case? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I've adjusted the implementation to what I understood We agreed upon in todays call. |
||
ortResult.getDependencies( | ||
id = project.id, | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Commit message nit: It's not "a type parameter" but "typed parameters" as also |
||
maxLevel = 1, | ||
omitExcluded = true | ||
).mapTo(relationships) { dependency -> | ||
SpdxRelationship( | ||
spdxElementId = spdxProjectPackage.spdxId, | ||
relationshipType = SpdxRelationship.Type.DEPENDS_ON, | ||
|
@@ -91,7 +95,11 @@ internal object SpdxDocumentModelMapper : Logging { | |
ortResult | ||
) | ||
|
||
ortResult.getDependencies(pkg.id, 1).mapTo(relationships) { dependency -> | ||
ortResult.getDependencies( | ||
id = pkg.id, | ||
maxLevel = 1, | ||
omitExcluded = true | ||
).mapTo(relationships) { dependency -> | ||
SpdxRelationship( | ||
spdxElementId = binaryPackage.spdxId, | ||
relationshipType = SpdxRelationship.Type.DEPENDS_ON, | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about introducing a
DependencyNavigator.MATCH_NON_EXCLUDED
for{ !isExcluded(it.id) }
?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's not possible, because the
DependencyNavigator
does not know about the excluded state.