
VCS resolved revision is not always included in EvaluatedModel / WebApp report #10000

Open
tsteenbe opened this issue Mar 4, 2025 · 1 comment
Labels
reporter About the reporter tool


tsteenbe commented Mar 4, 2025

Describe the bug

EvaluatedModel or WebApp report does not include the resolved VCS revision for some packages where the VCS was scanned.

Found this bug during the development of #4162 - without the revision we can't construct a valid link for a scanner file finding.

To Reproduce

Steps to reproduce the behavior:

  1. Download abacus-scan-result.yml.zip
  2. Import it with orthw-shell - orthw init file:///${pwd}/abacus-scan-result.yml
  3. Generate EvaluatedModel with orthw report-model and WebApp report with orthw report-webapp
  4. Open evaluated-model.json with an editor of your choice and navigate to line 155376, the entry for package Crate::http:1.2.0. See for your convenience the attached abacus-evaluated-model.json.zip
{
    "_id" : 141,
    "id" : "Crate::http:1.2.0",
    ....
    "source_artifact" : {
      "url" : "https://crates.io/api/v1/crates/http/1.2.0/download",
      "hash" : {
        "value" : "f16ca2af56261c99fba8bac40a10251ce8188205a4c448fbb745a2e4daa76fea",
        "algorithm" : "SHA-256"
      }
    },
    "vcs" : {
      "type" : "Git",
      "url" : "https://github.com/hyperium/http.git",
      "revision" : "",
      "path" : ""
    },
    "vcs_processed" : {
      "type" : "Git",
      "url" : "https://github.com/hyperium/http.git",
      "revision" : "",  <= Empty revision
      "path" : ""
    },

whilst abacus-scan-result.yml lines 48396 to 48403 show there is a resolved revision

  - id: "Crate::http:1.2.0"
    package_provenance:
      vcs_info:
        type: "Git"
        url: "https://github.com/hyperium/http.git"
        revision: ""
        path: ""
      resolved_revision: "a9124455213238a888a25607eb7ca368ecf0e712"

Expected behavior

VCS resolved revision is reported in the EvaluatedModel for every package of which the source code repository was scanned so the WebApp report will include it.

Environment

  • ORT version: 53.0.0-022.sha.6e94cb3
  • ORT configuration: ort-config repository d2978de
  • Java version: Java 21.0.6.
  • OS: MacOS Sequoia 15.3.1
@tsteenbe tsteenbe added to triage Issues that need triaging reporter About the reporter tool labels Mar 4, 2025
@sschuberth sschuberth removed the to triage Issues that need triaging label Mar 4, 2025
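A check for the discrepancy described in this issue, written as an added example for this page (it is not ORT code): it pairs each package in evaluated-model.json with the scanner provenance entry of the same id in the scan result and reports packages whose vcs_processed.revision is empty although the scanner resolved a revision. The document paths used (`scanner.provenances[*].package_provenance.resolved_revision` in the scan result, `packages[*].vcs_processed.revision` in the evaluated model) are assumptions about the two formats, and the embedded sample data is constructed from the snippets above.

```python
"""Cross-check an ORT evaluated model against the scan result it was built from.
Added example for this issue, not ORT code. The paths into both documents are
assumptions: scanner.provenances[*] (scan result) and packages[*] (evaluated model)."""
import json
import sys


def resolved_revisions(scan_result: dict) -> dict:
    """Map package id -> resolved_revision for every scanner provenance that has one.
    Artifact provenances carry no resolved_revision and are skipped."""
    out = {}
    for entry in scan_result.get("scanner", {}).get("provenances", []):
        rev = (entry.get("package_provenance") or {}).get("resolved_revision")
        if rev:
            out[entry["id"]] = rev
    return out


def missing_revisions(evaluated_model: dict, scan_result: dict) -> list:
    """Return (id, resolved_revision) for packages whose vcs_processed.revision is
    empty in the evaluated model even though the scanner resolved a revision."""
    resolved = resolved_revisions(scan_result)
    missing = []
    for pkg in evaluated_model.get("packages", []):
        reported = (pkg.get("vcs_processed") or {}).get("revision", "")
        if not reported and pkg.get("id") in resolved:
            missing.append((pkg["id"], resolved[pkg["id"]]))
    return missing


# Constructed sample data mirroring the snippets quoted in the issue.
VCS = {"type": "Git", "url": "https://github.com/hyperium/http.git", "revision": "", "path": ""}
SAMPLE_SCAN_RESULT = {"scanner": {"provenances": [
    {"id": "Crate::http:1.2.0", "package_provenance": {
        "vcs_info": VCS, "resolved_revision": "a9124455213238a888a25607eb7ca368ecf0e712"}},
    # Artifact provenance (constructed): no VCS revision exists, so it must not be flagged.
    {"id": "Crate::other:0.1.0", "package_provenance": {"url": "https://example.invalid/o.tgz"}},
]}}
SAMPLE_EVALUATED_MODEL = {"packages": [
    {"_id": 141, "id": "Crate::http:1.2.0", "vcs_processed": VCS},
    {"_id": 142, "id": "Crate::other:0.1.0", "vcs_processed": {"revision": ""}},
]}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: check.py evaluated-model.json scan-result.yml
        import yaml  # PyYAML, only needed to read a real scan result file
        with open(sys.argv[1]) as f: model = json.load(f)
        with open(sys.argv[2]) as f: scan = yaml.safe_load(f)
    else:
        model, scan = SAMPLE_EVALUATED_MODEL, SAMPLE_SCAN_RESULT
    for pkg_id, rev in missing_revisions(model, scan):
        print(f"{pkg_id}: vcs_processed.revision is empty, scanner resolved {rev}")
```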

fviernau commented Mar 10, 2025

@tsteenbe - do I understand correctly that this issue basically says: The resolved revision should be contained in the analyzer result part of the OrtResult? (This would be invalid imo, because version resolution is only part of the (later) scanner stage).

edit: Just noticed this is about EvaluatedModel. But I believe vcs_processed is the analog property to the analyzer result one, and thus must not contain any resolved revision, but only package metadata. So, probably the way that resolved revision is accessed / retrieved by the WebApp should be changed. Is it (easily) possible to obtain scan results for a package, and get the resolved revision from there?
