feat(Provenance): Add DirectoryProvenance as a LocalProvenance
#9872
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
pepper-jk
force-pushed
the
provenance-local
branch
from
a984e1f to
2471efa
Compare
pepper-jk
force-pushed
the
provenance-local
branch
from
2471efa to
1e3c8cf
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #9872 +/- ##
============================================
- Coverage 69.66% 69.60% -0.07%
Complexity 1464 1464
============================================
Files 270 270
Lines 9682 9689 +7
Branches 1028 1033 +5
============================================
- Hits 6745 6744 -1
- Misses 2487 2492 +5
- Partials 450 453 +3
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
pepper-jk
force-pushed
the
provenance-local
branch
from
1e3c8cf to
c2f8552
Compare
pepper-jk
changed the title
DirectoryProvenance as a LocalProvenanceLocalProvenance sub-interface
pepper-jk
force-pushed
the
provenance-local
branch
from
c2f8552 to
c6cbdbc
Compare
|
@sschuberth failing tests seem unrelated. |
pepper-jk
force-pushed
the
provenance-local
branch
from
c6cbdbc to
c0a51c2
Compare
The "Unable to create proxy for sealed class" failures in |
|
Thanks @sschuberth, I missed that. I'm already working on the However, it is quite a large branch, since a lot of I started with reasonable implementation for the Any thoughts or other ideas how to keep the PR small? |
Can't you "cheat" a bit by first limiting some / all |
Great to see we are on the same page here. I will do just that. |
pepper-jk
force-pushed
the
provenance-local
branch
3 times, most recently
from
9322fb4 to
9ffd2c5
Compare
pepper-jk
changed the title
LocalProvenance sub-interfaceDirectoryProvenance as a LocalProvenance
|
@sschuberth I added the |
|
Commit message:
We should probably say "absolute" / "canonical" / "real" path, and do the implementation accordingly.
"the new class can not be used right now."
"However, the presence of a new
"Wherever"
"exception"
"provenance hierarchy" |
pepper-jk
force-pushed
the
provenance-local
branch
from
9ffd2c5 to
9fc284d
Compare
pepper-jk
force-pushed
the
provenance-local
branch
from
9fc284d to
4d39003
Compare
pepper-jk
force-pushed
the
provenance-local
branch
from
cfdad33 to
4b97905
Compare
pepper-jk
force-pushed
the
provenance-local
branch
from
4b97905 to
cdeeddb
Compare
| @@ -37,7 +37,7 @@ data class ProvenanceResolutionResult( | |||
| * The resolved provenance of the package. Can only be null if a [packageProvenanceResolutionIssue] occurred. | |||
| */ | |||
| @JsonInclude(JsonInclude.Include.NON_NULL) | |||
| val packageProvenance: KnownProvenance? = null, | |||
| val packageProvenance: RemoteProvenance? = null, | |||
There was a problem hiding this comment.
More generally than already explained in the commit message, I believe we could say that whenever a provenance can only refer to a package, but not to a project, RemoteProvenance instead of KnownProvenance should be used.
Would you agree? Because actually all of this refactoring has the goal to be able to refer to a DirectoryProvenance from an OrtResult instead of using a Repository, right?
There was a problem hiding this comment.
Sounds about right. I can add it to the commit message.
Would have to check if it is these are the only places, where we switch to RemoteProvenance tho before removing the previous explanation.
There was a problem hiding this comment.
Added the remark to the first commit message.
| @@ -84,6 +85,7 @@ data class PackageConfiguration( | |||
| is UnknownProvenance -> false | |||
| is ArtifactProvenance -> sourceArtifactUrl != null && sourceArtifactUrl == provenance.sourceArtifact.url | |||
| is RepositoryProvenance -> vcs != null && vcs.matches(provenance) | |||
| is DirectoryProvenance -> false | |||
There was a problem hiding this comment.
Could combine this with line 85 to
is DirectoryProvenance, UnknownProvenance -> false
There was a problem hiding this comment.
But actually, at least when a PackageConfiguration is used in the context of a RepositoryConfiguration, the Identifier (and Provenance) actually is allowed to refer to a Project. So we should probably implement a proper check for DirectoryProvenance in that case after all.
There was a problem hiding this comment.
Yes, I assumed we would need a proper check sooner or later, which is why I added the case as a separate line.
Since this would touch the attributes of the PackageConfiguration, I assumed the best cause of action was to postpone any changes for the sake of a shorter PR and handle DirectoryProvenace like UnknownProvenance for now. I'd recommend to handle this, when we actually start using the DirectoryProvenance.
| @@ -79,7 +80,7 @@ internal class ScanController( | |||
| * A map of package [Identifier]s to their resolved [KnownProvenance]s. These provenances are used to filter the | |||
| * scan results for a package based on the VCS path. | |||
| */ | |||
| private val packageProvenances = mutableMapOf<Identifier, KnownProvenance>() | |||
| private val packageProvenances = mutableMapOf<Identifier, RemoteProvenance>() | |||
There was a problem hiding this comment.
If this is changed, the docs need to be adjusted as well.
There was a problem hiding this comment.
This change requires some careful thinking: We actually do want to be able to scan projects with DirectoryProvenance in the end, at least in the case when analyzer and scanner are run on the same machine. So is it really correct to limit us to RemoteProvenance here?
There was a problem hiding this comment.
There are probably multiple places, where the limit to RemoteProvenance is not correct in order to handle the DirectoryProvenance, once it is fully implemented.
But right now, while the class is dormant, it is either this or cast the arguments. Otherwise we would have to handle it everywhere from the get go as well.
side note: as this attribute is named packageProvenances, we probably need to address the shift from packages to projects as (primary) input for the scanner at some point, since you repeatedly stated before that a DirectoryProvenace can not be a Package due to lack of a remote.
| @@ -86,6 +87,10 @@ class ProvenanceBasedPostgresStorage( | |||
| return database.transaction { | |||
| val query = table.selectAll() | |||
|
|
|||
| if (provenance !is RemoteProvenance) { | |||
| throw ScanStorageException("Scan result must have a known provenance, but it is $provenance.") | |||
There was a problem hiding this comment.
The message refers to "known provenance", but the check is against RemoteProvenance, so this does not match.
This also somewhat relates to my comment above, that we actually do want to be able to scan a DirectoryProvenance.
There was a problem hiding this comment.
Yes, the code and the exception's text are technically not reflecting the same thing.
However, while the DirectoryProvenance is unused, the RemoteProvenance is practically the same as KnownProvenance. Similar to my comment above, this is a temporary change, which aims to avoid issues due unfinished class handling.
| @@ -137,7 +142,7 @@ class ProvenanceBasedPostgresStorage( | |||
|
|
|||
| requireEmptyVcsPath(provenance) | |||
|
|
|||
| if (provenance !is KnownProvenance) { | |||
| if (provenance !is RemoteProvenance) { | |||
pepper-jk
force-pushed
the
provenance-local
branch
from
cdeeddb to
84cf646
Compare
pepper-jk
force-pushed
the
provenance-local
branch
from
84cf646 to
150b157
Compare
In contrast to the previously added `RemoteProvenance` stands the `LocalProvenance`, which has no remote source, but instead references a local input of some kind. The `DirectoryProvenance` references a local project directory, which is lacking supported (remote) version control. It is defined by its canonical path only. Since ORT needs further refactoring until `DirectoryProvenance` can be fully utilized, the new class can not be used right now. However the presence of a new `KnownProvenance` class results in `when` conditional cases not being exhaustive anymore. To circumvent this issue, the following changes were made: 1. Wherever possible `RemoteProvenance` is used as parameter type instead of `KnownProvenance`. 2. When necessary `KnownProvenance`s are cast to `RemoteProvenance`. 3. If `Provenance` is expected, `DirectoryProvenance` is handled like `UnknownProvenance`. For instances of `Package` the new default data structure should be `RemoteProvenance`, as a `Package` by definition requires a remote. The exception being `hash` and `storageKey`, which both required a default value, which was set to the `canonicalPath`. However, since the rest of the code does not handle `DirectoryProvenance`, this should remain unused for now. See [1] for more context on the new provenance hierarchy. [1]: oss-review-toolkit#8803 (comment) Signed-off-by: Jens Keim <[email protected]>
Casts were removed from `FileListResolver`, `ProvenanceBasedFileStorage`, `ProvenanceDownloader`, and `Scanner`. In order to avoid casting `KnownProvenance` to `RemoteProvenance`, a lot of parameters need to be changed to `RemoteProvenance`. With the exception of `ProvenanceBasedFileStorage`, which now uses `UnknownProvenance` exceptions just like `ProvenanceBasedPostgresStorage`. Signed-off-by: Jens Keim <[email protected]>
pepper-jk
force-pushed
the
provenance-local
branch
from
150b157 to
19e6d80
Compare
In contrast to the previously added
RemoteProvenancestands theLocalProvenance, which has no remote source, but instead references a local input of some kind.The
DirectoryProvenancereferences a local project directory, which is lacking supported (remote) version control. It is defined by its local directory path only.Since ORT needs further refactoring until
DirectoryProvenancecan be fully utilized, it the new class can not be used right now. However the presence of a newKnownProvenanceclass, results inwhenconditional cases not being exhaustive anymore.To circumvent this issue, the following changes were made:
RemoteProvenanceis used as parameter type instead ofKnownProvenance.KnownProvenances are cast toRemoteProvenance.Provenanceis expected,DirectoryProvenanceis handled likeUnknownProvenance.The excaption being
hashandstorageKey, which both default to an empty string. However, since the rest of the code does not handleDirectoryProvenance, this should not become an issue.For more context on the new Provenance Hierarchy, see: #8803 (comment)
Signed-off-by: Jens Keim [email protected]