oss-review-toolkit / ort

A suite of tools to automate software compliance checks.

Home Page: https://oss-review-toolkit.org


Generated package configuration path excludes does not respect vcs path curations

tsteenbe opened this issue

Package configurations created with orth package-configuration create do not filter out paths outside of the path specified by a VCS curation for the same package.

To Reproduce

Steps to reproduce the behavior:

  1. Set up orthw on your machine
  2. Download this evaluation-result.json
  3. Run mkdir pc-create-bug && cd pc-create-bug
  4. Initialize orthw with the directory using orthw init file://${PWD}/evaluation-result.json
  5. Generate a package configuration for the logback package via orthw pc-create Maven:ch.qos.logback:logback-classic:1.4.14
    Wrote a package configuration to '/Volumes/Workspace/tsteenbe/ort-config/package-configurations/Maven/ch.qos.logback/logback-classic/1.4.14/vcs.yml'.
---
id: "Maven:ch.qos.logback:logback-classic:1.4.14"
vcs:
  type: "Git"
  url: "https://github.com/qos-ch/logback.git"
  revision: "407f935603f3f4d7825e4f57f85ed494da3b7197"
path_excludes:
- pattern: "CONTRIBUTING.md"
  reason: "DOCUMENTATION_OF"
- pattern: "logback-access/src/test/**"
  reason: "TEST_OF"
- pattern: "logback-classic-blackbox/src/test/**"
  reason: "TEST_OF"
- pattern: "logback-classic/performance/**"
  reason: "BUILD_TOOL_OF"
- pattern: "logback-classic/src/test/**"
  reason: "TEST_OF"
- pattern: "logback-core-blackbox/src/test/**"
  reason: "TEST_OF"
- pattern: "logback-core/src/main/java/ch/qos/logback/core/testUtil/**"
  reason: "TEST_OF"
- pattern: "logback-core/src/test/**"
  reason: "TEST_OF"
- pattern: "logback-examples/**"
  reason: "DOCUMENTATION_OF"

Expected behavior

A package configuration with only logback-core path excludes should be generated:

id: "Maven:ch.qos.logback:logback-classic:1.4.14"
vcs:
  type: "Git"
  url: "https://github.com/qos-ch/logback.git"
  revision: "407f935603f3f4d7825e4f57f85ed494da3b7197"
path_excludes:
- pattern: "logback-classic/performance/**"
  reason: "BUILD_TOOL_OF"
- pattern: "logback-classic/src/test/**"
  reason: "TEST_OF"

My local ort-config copy contains the curations below for Maven:ch.qos.logback:logback-classic (see evaluation-result.json):

- id: "Maven:ch.qos.logback:logback-classic"
  curations:
    comment: |
      Package resides in its own directory within project's code repository.
    vcs:
      path: "logback-classic"

- id: "Maven:ch.qos.logback:logback-classic:[1.0.2,)"
  curations:
    comment: |
      Mapping based on https://github.com/qos-ch/logback/blob/v_1.0.2/LICENSE.txt and
      https://repo1.maven.org/maven2/ch/qos/logback/logback-parent/1.0.2/logback-parent-1.0.2.pom
      which refers to http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html but
    declared_license_mapping:
      "Eclipse Public License - v 1.0": "EPL-1.0 OR LGPL-2.1-only"
      "GNU Lesser General Public License": "EPL-1.0 OR LGPL-2.1-only"

Environment

  • ORT version: 22.6.0-036.sha.56bc621
  • Java version: JDK 11.0.22+7, running under Java 11.0.22.
  • OS: Mac OS X

I should note that this behaviour only happens if you add the curations after scanning. When re-scanning, it works as expected.
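The containment check the report expects, as an added illustration that is not ORT's own code: the generated path_excludes are copied from the vcs.yml above, the curated VCS path is "logback-classic" from the curation, and the function names are assumptions of this example.

```python
from pathlib import PurePosixPath

# Constructed from the issue's generated vcs.yml (path_excludes section).
GENERATED_PATH_EXCLUDES = [
    {"pattern": "CONTRIBUTING.md", "reason": "DOCUMENTATION_OF"},
    {"pattern": "logback-access/src/test/**", "reason": "TEST_OF"},
    {"pattern": "logback-classic-blackbox/src/test/**", "reason": "TEST_OF"},
    {"pattern": "logback-classic/performance/**", "reason": "BUILD_TOOL_OF"},
    {"pattern": "logback-classic/src/test/**", "reason": "TEST_OF"},
    {"pattern": "logback-core-blackbox/src/test/**", "reason": "TEST_OF"},
    {"pattern": "logback-core/src/main/java/ch/qos/logback/core/testUtil/**",
     "reason": "TEST_OF"},
    {"pattern": "logback-core/src/test/**", "reason": "TEST_OF"},
    {"pattern": "logback-examples/**", "reason": "DOCUMENTATION_OF"},
]

# The curation's vcs.path from the ort-config excerpt in the issue.
CURATED_VCS_PATH = "logback-classic"


def is_within_vcs_path(pattern: str, vcs_path: str) -> bool:
    """Return True if an exclude pattern lies inside the curated VCS path.

    Compares path components, not string prefixes: with a curated path of
    'logback-classic', the sibling module 'logback-classic-blackbox/...'
    must NOT match, which a naive str.startswith() check would get wrong.
    An empty vcs_path means the package owns the whole repository.
    """
    if not vcs_path:
        return True
    base = PurePosixPath(vcs_path).parts
    parts = PurePosixPath(pattern).parts
    return parts[: len(base)] == base


def filter_path_excludes(path_excludes: list[dict], vcs_path: str) -> list[dict]:
    """Keep only the excludes that apply to the curated sub-directory."""
    return [e for e in path_excludes if is_within_vcs_path(e["pattern"], vcs_path)]


if __name__ == "__main__":
    for exclude in filter_path_excludes(GENERATED_PATH_EXCLUDES, CURATED_VCS_PATH):
        print(f'- pattern: "{exclude["pattern"]}"\n  reason: "{exclude["reason"]}"')
```

Running it prints exactly the two excludes of the expected vcs.yml above.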