Selected license is empty in ORT AOSD2.1 report #10047

Open
tsteenbe opened this issue Mar 17, 2025 · 2 comments
Labels
reporter About the reporter tool

Comments

@tsteenbe
Member

Filing on behalf of @smkatash

Describe the bug

In the ORT AOSD2.1 report, "selectedLicense" is BLANK for the packages "NPM::source-map-support:0.5.21", "NPM:@jsverse:transloco:7.5.1" and "NPM::uuid:11.1.0", despite the curation and license_choices defined in .ort.yml.

To Reproduce

Steps to reproduce the behavior:

  1. First, in a new Node project, define package.json with the following dependencies:
"dependencies": {
    "uuid": "^11.0.5",
    "source-map-support": "^0.5.21",
    "@jsverse/transloco": "^7.4.2"
}
  2. Then, add .ort.yml with package curations to the project.
  3. Finally, successively run:
    ort --info analyze -f JSON -i $PROJECT_ROOT -o /home/ort/analyzer-result.json
    -P ort.scanner.skipExcluded=true scan -i /project/ort/analyzer-results/analyzer-result.json -o /project/ort/scancode-results
    report -f AOSD2.1 -i /project/ort/scancode-results/scan-result.yml -o /project/ort/report
  4. See the problem with "selectedLicense": "" (BLANK) in the report:
    REPORT RESULT:
 {
            "id": 103,
            "componentName": "uuid",
            "componentVersion": "11.1.0",
            "scmUrl": "https://github.com/uuidjs/uuid.git",
            "modified": false,
            "linking": "dynamic_linking",
            "transitiveDependencies": [ REDACTED],
            "subcomponents": [
                {
                    "subcomponentName": "main",
                    "spdxId": "(Apache-2.0 OR MIT) AND MIT",
                    "copyrights": [
                        "Copyright (c) 2010-2020 Robert Kieffer and other contributors",
                        "Copyright 2011 Sebastian Tschan https://blueimp.net"
                    ],
                    "authors": [],
                    "licenseText": "REDACTED",
                    "licenseTextUrl": "",
                    "selectedLicense": "",
                    "additionalLicenseInfos": ""
                }
            ]
    },
    {
            "id": 133,
            "componentName": "source-map-support",
            "componentVersion": "0.5.21",
            "scmUrl": "https://github.com/evanw/node-source-map-support.git",
            "modified": false,
            "linking": "dynamic_linking",
            "transitiveDependencies": [
                REDACTED
            ],
            "subcomponents": [
                {
                    "subcomponentName": "main",
                    "spdxId": "(BSD-3-Clause OR MIT) AND MIT",
                    "copyrights": [
                        "Copyright (c) 2010-2012 The Dojo Foundation",
                        "Copyright (c) 2014 Evan Wallace"
                    ],
                    "authors": [],
                    "licenseText": "REDACTED",
                    "licenseTextUrl": "",
                    "selectedLicense": "",
                    "additionalLicenseInfos": ""
                }
            ]
        },
         {
            "id": 154,
            "componentName": "transloco",
            "componentVersion": "7.5.1",
            "scmUrl": "https://github.com/jsverse/transloco.git",
            "modified": false,
            "linking": "dynamic_linking",
            "transitiveDependencies": [
                REDACTED
            ],
            "subcomponents": [
                {
                    "subcomponentName": "main",
                    "spdxId": "(Apache-2.0 OR MIT) AND MIT",
                    "copyrights": [
                        "Copyright (c) 2019 $",
                        "Copyright (c) 2019-2024 Netanel Basal, Shahar Kazaz, and Itay Oded",
                        "Copyright Google Inc."
                    ],
                    "authors": [],
                    "licenseText": "REDACTED",
                    "licenseTextUrl": "",
                    "selectedLicense": "",
                    "additionalLicenseInfos": ""
                }
    ]
},

Expected behavior

REPORT RESULT:

 {
            "id": 103,
            "componentName": "uuid",
            "componentVersion": "11.1.0",
            "scmUrl": "https://github.com/uuidjs/uuid.git",
            "modified": false,
            "linking": "dynamic_linking",
            "transitiveDependencies": [ REDACTED],
            "subcomponents": [
                {
                    "subcomponentName": "main",
                    "spdxId": "MIT",
                    "copyrights": [
                        "Copyright (c) 2010-2020 Robert Kieffer and other contributors",
                        "Copyright 2011 Sebastian Tschan https://blueimp.net"
                    ],
                    "authors": [],
                    "licenseText": "REDACTED",
                    "licenseTextUrl": "",
                    "selectedLicense": "MIT",
                    "additionalLicenseInfos": ""
                }
            ]
    },
    {
            "id": 133,
            "componentName": "source-map-support",
            "componentVersion": "0.5.21",
            "scmUrl": "https://github.com/evanw/node-source-map-support.git",
            "modified": false,
            "linking": "dynamic_linking",
            "transitiveDependencies": [
                REDACTED
            ],
            "subcomponents": [
                {
                    "subcomponentName": "main",
                    "spdxId": "MIT",
                    "copyrights": [
                        "Copyright (c) 2010-2012 The Dojo Foundation",
                        "Copyright (c) 2014 Evan Wallace"
                    ],
                    "authors": [],
                    "licenseText": "REDACTED",
                    "licenseTextUrl": "",
                    "selectedLicense": "MIT",
                    "additionalLicenseInfos": ""
                }
            ]
        },
         {
            "id": 154,
            "componentName": "transloco",
            "componentVersion": "7.5.1",
            "scmUrl": "https://github.com/jsverse/transloco.git",
            "modified": false,
            "linking": "dynamic_linking",
            "transitiveDependencies": [
                REDACTED
            ],
            "subcomponents": [
                {
                    "subcomponentName": "main",
                    "spdxId": "MIT",
                    "copyrights": [
                        "Copyright (c) 2019 $",
                        "Copyright (c) 2019-2024 Netanel Basal, Shahar Kazaz, and Itay Oded",
                        "Copyright Google Inc."
                    ],
                    "authors": [],
                    "licenseText": "REDACTED",
                    "licenseTextUrl": "",
                    "selectedLicense": "MIT",
                    "additionalLicenseInfos": ""
                }
    ]
},

Environment

Output of the ort requirements command:

Attaching to ort-analyze-project-1, ort-scan-project-1
ort-analyze-project-1  | 14:02:58.722 [main] INFO  org.ossreviewtoolkit.model.config.OrtConfiguration - Using ORT configuration file '/home/ort/.ort/config/config.yml'.
ort-analyze-project-1  | Hoplite is configured to infer which sealed type to choose by inspecting the config values at runtime. This behaviour is now deprecated in favour of explicitly specifying the type through a discriminator field. In 3.0 this new behavior will become the default. To enable this behavior now (and disable this warning), invoke withExplicitSealedTypes() on the ConfigLoaderBuilder.
ort-analyze-project-1  | 14:02:59.147 [main] INFO  org.ossreviewtoolkit.utils.common.EnvironmentVariableFilter - EnvironmentVariableFilter initialized with denySubstrings = [key, pass, pwd, token, user] and allowNames = [CARGO_HTTP_USER_AGENT, COMPOSER_ALLOW_SUPERUSER, CONAN_LOGIN_ENCRYPTION_KEY, CONAN_LOGIN_USERNAME, CONAN_PASSWORD, CONAN_USERNAME, CONAN_USER_HOME, CONAN_USER_HOME_SHORT, DOTNET_CLI_CONTEXT_ANSI_PASS_THRU, GIT_ASKPASS, GIT_HTTP_USER_AGENT, GRADLE_USER_HOME, HACKAGE_USERNAME, HACKAGE_PASSWORD, HACKAGE_KEY, PWD, USER, USERPROFILE].
ort-analyze-project-1  |  ______________________________                                                
ort-analyze-project-1  | /        \_______   \__    ___/ The OSS Review Toolkit, version 52.1.0,        
ort-analyze-project-1  | |    |   | |       _/ |    |    built with JDK 21.0.6+7-LTS, running under Java
ort-analyze-project-1  | |    |   | |    |   \ |    |    Executing 'analyze' as 'ort' on Linux          
ort-analyze-project-1  | \________/ |____|___/ |____|    with 4 CPUs and a maximum of 3996 MiB of memory
ort-analyze-project-1  |                                                                                
ort-analyze-project-1  | Environment variables:                                                        
ort-analyze-project-1  | ORT_CONFIG_DIR = /home/ort/.ort/config                                        
ort-analyze-project-1  | ORT_DATA_DIR = /home/ort/.ort                                                 
ort-analyze-project-1  | HOME = /home/ort                                                              
ort-analyze-project-1  | JAVA_HOME = /opt/java/openjdk                                                 
ort-analyze-project-1  | ANDROID_HOME = /opt/android-sdk                                               
ort-analyze-project-1  |                                                                               
ort-analyze-project-1  | Looking for ORT configuration in the following file:
ort-analyze-project-1  |         /home/ort/.ort/config/config.yml
ort-analyze-project-1  | 
ort-analyze-project-1  | Looking for analyzer-specific configuration in the following files and directories:
ort-analyze-project-1  |         /project/.ort.yml
ort-analyze-project-1  |         /home/ort/.ort/config/resolutions.yml (does not exist)
ort-analyze-project-1  | The following 26 package manager(s) are enabled:
ort-analyze-project-1  |         Bazel, Bower, Bundler, Cargo, Carthage, CocoaPods, Composer, Conan, GoMod, GradleInspector, Maven, NPM, NuGet, PIP, Pipenv, PNPM, Poetry, Pub, SBT, SpdxDocumentFile, Stack, SwiftPM, Tycho, Unmanaged, Yarn, Yarn2
ort-analyze-project-1  | The following 3 package curation provider(s) are enabled:
ort-analyze-project-1  |         RepositoryConfiguration, DefaultDir, DefaultFile
ort-analyze-project-1  | Analyzing project path:
ort-analyze-project-1  |         /project
ort-analyze-project-1  | 14:02:59.785 [main] INFO  org.ossreviewtoolkit.plugins.packagemanagers.node.NodePackageManagerDetection - Detected '/project/package.json' to be the root of a(n) NPM project.
ort-analyze-project-1  | Found 1 NPM definition file(s) at:
ort-analyze-project-1  |         package.json
ort-analyze-project-1  | Found in total 1 definition file(s) from the following 1 package manager(s):
ort-analyze-project-1  |         NPM
.........
.........
ort-analyze-project-1  | 14:03:46.969 [DefaultDispatcher-worker-1] INFO  org.ossreviewtoolkit.analyzer.PackageManager - NPM resolved dependencies for path 'package.json' in 47.017348522s.
ort-analyze-project-1  | 14:03:46.977 [DefaultDispatcher-worker-1] INFO  kotlinx.coroutines.CoroutineScope - Finished NPM analysis.
ort-analyze-project-1  | 14:03:46.980 [main] INFO  org.ossreviewtoolkit.analyzer.Analyzer - Calling after resolution hooks for 1 manager(s).
ort-analyze-project-1  | 14:03:47.185 [main] INFO  org.ossreviewtoolkit.utils.config.ConfigurationResolver - Getting 3 package curation(s) from provider 'RepositoryConfiguration' took 1.089753ms.
ort-analyze-project-1  | 14:03:47.185 [main] INFO  org.ossreviewtoolkit.utils.config.ConfigurationResolver - Getting 0 package curation(s) from provider 'DefaultDir' took 2.864us.
ort-analyze-project-1  | 14:03:47.185 [main] INFO  org.ossreviewtoolkit.utils.config.ConfigurationResolver - Getting 0 package curation(s) from provider 'DefaultFile' took 1.798us.
ort-analyze-project-1  | Wrote analyzer result to '/home/ort/analyzer-result.json' (0.15 MiB) in 518.388621ms.
ort-analyze-project-1  | The analysis took 47.369788189s.
ort-analyze-project-1  | Found 1 project(s) and 106 package(s) in total (not counting excluded ones).
ort-analyze-project-1  | Applied 3 curation(s) from 1 of 3 provider(s).
ort-analyze-project-1  | Resolved issues: 0 errors, 0 warnings, 0 hints.
ort-analyze-project-1  | Unresolved issues: 0 errors, 0 warnings, 2 hints.

ort-analyze-project-1 exited with code 0
ort-scan-project-1     | Hoplite is configured to infer which sealed type to choose by inspecting the config values at runtime. This behaviour is now deprecated in favour of explicitly specifying the type through a discriminator field. In 3.0 this new behavior will become the default. To enable this behavior now (and disable this warning), invoke withExplicitSealedTypes() on the ConfigLoaderBuilder.
ort-scan-project-1     |  ______________________________                                                
ort-scan-project-1     | /        \_______   \__    ___/ The OSS Review Toolkit, version 52.1.0,        
ort-scan-project-1     | |    |   | |       _/ |    |    built with JDK 21.0.6+7-LTS, running under Java
ort-scan-project-1     | |    |   | |    |   \ |    |    Executing 'scan' as 'ort' on Linux             
ort-scan-project-1     | \________/ |____|___/ |____|    with 4 CPUs and a maximum of 3996 MiB of memory
ort-scan-project-1     |                                                                                
ort-scan-project-1     | Environment variables:                                                        
ort-scan-project-1     | ORT_CONFIG_DIR = /home/ort/.ort/config                                        
ort-scan-project-1     | ORT_DATA_DIR = /home/ort/.ort                                                 
ort-scan-project-1     | HOME = /home/ort                                                              
ort-scan-project-1     | JAVA_HOME = /opt/java/openjdk                                                 
ort-scan-project-1     | ANDROID_HOME = /opt/android-sdk                                               
ort-scan-project-1     |                                                                               
ort-scan-project-1     | Looking for ORT configuration in the following file:
ort-scan-project-1     |         /home/ort/.ort/config/config.yml
ort-scan-project-1     | 
ort-scan-project-1     | Scanning projects with:
ort-scan-project-1     |         ScanCode (version 32.3.2)
ort-scan-project-1     | Scanning packages with:
ort-scan-project-1     |         ScanCode (version 32.3.2)
ort-scan-project-1     | Wrote scan result to '/project/ort/scancode-results/scan-result.yml' (3.59 MiB) in 694.347060ms.
ort-scan-project-1     | The scan took 5.002570231s.
ort-scan-project-1     | Resolved issues: 0 errors, 0 warnings, 0 hints.
ort-scan-project-1     | Unresolved issues: 1 error, 0 warnings, 0 hints.
ort-scan-project-1     | There is 1 unresolved issue with a severity equal to or greater than the WARNING threshold.

And the ORT configuration (.ort.yml, config.yml):

curations:
    packages:
      - id: "NPM::source-map-support:0.5.21"
        curations:
          comment: "Clarifying license and homepage_url for source-map-support 0.5.21."
          homepage_url: "https://github.com/evanw/node-source-map-support"
          concluded_license: "MIT"
      - id: "NPM:@jsverse:transloco:7.5.1"
        curations:
          comment: "Clarifying license and homepage_url for transloco 7.5.1."
          homepage_url: "https://jsverse.github.io/transloco/"
          concluded_license: "MIT"
      - id: "NPM::uuid:11.1.0"
        curations:
          comment: "Clarifying license and homepage_url for uuid 11.1.0."
          homepage_url: "https://github.com/uuidjs/uuid"
          concluded_license: "MIT"
license_choices:
    package_license_choices:
        - package_id: "NPM:@jsverse:transloco:7.5.1"
          license_choices:
              - choice: "MIT"
        - package_id: "NPM::source-map-support:0.5.21"
          license_choices:
              - choice: "MIT"
        - package_id: "NPM::uuid:11.1.0"
          license_choices:
              - choice: "MIT"
ort:
  enableRepositoryPackageCurations: true
  forceOverwrite: true
  downloader:
    skip_excluded: true
  analyzer:
    excludes:
      scopes:
        - comment: "Packages for development only."
          pattern: "devDependencies"
          reason: "DEV_DEPENDENCY_OF"
    skip_excluded: true
    skip_concluded: true
  scanner:
    excludes:
      scopes:
        - comment: "Packages for development only."
          pattern: "devDependencies"
          reason: "DEV_DEPENDENCY_OF"
    skip_excluded: true
    skip_concluded: true
    storages:
      fileBasedStorage:
        backend:
          localFileStorage:
            directory: "/scan-results" 
            compression: false
    storageReaders: ["fileBasedStorage"]
    storageWriters: ["fileBasedStorage"]
@tsteenbe tsteenbe added the to triage Issues that need triaging label Mar 17, 2025
@sschuberth sschuberth added reporter About the reporter tool and removed to triage Issues that need triaging labels Mar 17, 2025
@tsteenbe
Member Author

@smkatash In the test project you gave me ([issue-10047-test-project.zip](https://github.com/user-attachments/files/19281257/issue-10047-test-project.zip)) I noticed the license choice is set incorrectly: the `given` is null, whereas it should be the license choice as an SPDX expression; see https://oss-review-toolkit.org/ort/docs/configuration/ort-yml#license-choices.

---
curations:
  packages:
  - id: "NPM::source-map-support:0.5.21"
    curations:
      comment: "Clarifying license and homepage_url for source-map-support 0.5.21."
      concluded_license: "MIT"
      homepage_url: "https://github.com/evanw/node-source-map-support"
  - id: "NPM:@jsverse:transloco:7.5.1"
    curations:
      comment: "Clarifying license and homepage_url for transloco 7.5.1."
      concluded_license: "MIT"
      homepage_url: "https://jsverse.github.io/transloco/"
  - id: "NPM::uuid:11.1.0"
    curations:
      comment: "Clarifying license and homepage_url for uuid 11.1.0."
      concluded_license: "MIT"
      homepage_url: "https://github.com/uuidjs/uuid"
license_choices:
  package_license_choices:
  - package_id: "NPM:@jsverse:transloco:7.5.1"
    license_choices:
    - given: null
      choice: "MIT"
  - package_id: "NPM::uuid:11.1.0"
    license_choices:
    - given: null
      choice: "MIT"
  - package_id: "NPM::source-map-support:0.5.21"
    license_choices:
    - given: null 
      choice: "MIT"

smkatash commented Mar 17, 2025

In the documentation it is stated: # Without a 'given', the 'choice' is applied to the effective license expression if it is a valid choice.

@tsteenbe Does it not mean that the choice [without given] should be prioritized?
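To make the documented rule concrete, here is an added example (not ORT's code) that computes which choices are valid for the `spdxId` expressions shown in the report and what the effective license becomes, with and without a `given`. It is a constructed illustration of the quoted semantics only; the expression grammar is limited to license ids, AND, OR and parentheses.

```python
import re

# Constructed illustration of the .ort.yml license-choice rule quoted above; not ORT's own code.
# Tree shape: a license id is a str; a compound node is ("AND" | "OR", [children]). No WITH/+.
TOKEN_RE = re.compile(r"\(|\)|\bAND\b|\bOR\b|[A-Za-z0-9.+-]+")

def parse(expression):
    """Recursive-descent parser; AND binds tighter than OR, as in SPDX."""
    tokens = TOKEN_RE.findall(expression)

    def primary():
        tok = tokens.pop(0)
        if tok != "(":
            return tok
        node = parse_or()
        if not tokens or tokens.pop(0) != ")":
            raise ValueError("unbalanced parentheses")
        return node

    def binary(op, operand):  # one or more operands joined by `op`
        items = [operand()]
        while tokens and tokens[0] == op:
            tokens.pop(0)
            items.append(operand())
        return items[0] if len(items) == 1 else (op, items)

    def parse_or():
        return binary("OR", lambda: binary("AND", primary))

    tree = parse_or()
    if tokens:
        raise ValueError("trailing tokens in expression")
    return tree

def valid_choices(node):
    """All ways to satisfy the node: pick one branch per OR; frozensets make MIT AND MIT == MIT."""
    if isinstance(node, str):
        return {frozenset([node])}
    op, items = node
    if op == "OR":
        return set().union(*(valid_choices(i) for i in items))
    combos = {frozenset()}
    for item in items:  # AND: cross product of the operands' choices
        combos = {a | b for a in combos for b in valid_choices(item)}
    return combos

def substitute(node, target, replacement):
    """Replace every sub-expression structurally equal to `target` (used for 'given')."""
    if node == target:
        return replacement
    if isinstance(node, str):
        return node
    return (node[0], [substitute(i, target, replacement) for i in node[1]])

def apply_choice(expression, choice, given=None):
    """Effective license after applying `choice`, or None when it is not a valid choice."""
    tree = parse(expression)
    if given is not None:  # with 'given', only that sub-expression is replaced by the choice
        narrowed = substitute(tree, parse(given), parse(choice))
        if narrowed == tree:
            return None  # 'given' does not occur in the expression
        tree = narrowed
    (chosen,) = valid_choices(parse(choice))  # a choice must itself be unambiguous (no OR)
    return " AND ".join(sorted(chosen)) if chosen in valid_choices(tree) else None
```

For `(Apache-2.0 OR MIT) AND MIT` the valid choices are `Apache-2.0 AND MIT` and `MIT`, so choosing `MIT` is valid both with and without `given: "Apache-2.0 OR MIT"`, while a choice that is not in that set (or a `given` that does not occur in the expression) yields no effective license at all.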
