-
Notifications
You must be signed in to change notification settings - Fork 308
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AnalyzerResultBuilder: improve error message for duplicated packages #6465
Comments
Happy to work on the implementation, if someone explains where to find the required information. |
I looked into this but I don't understand how to make sense of the dependency graph, are there any examples of how to work with it? |
@oheger-bosch can probably help here. |
Hi @bennati, I assume to better debug such problems something like the paths to dependencies as shown by the WebApp report would make sense. You might have a look how these paths are generated using the dependency navigator API in EvaluatedModelMapper. AIUI, the error happens for two different causes: If there is a project and a package with the same identifier, or if there are multiple packages with the same identifier. I am not sure whether these cases need to be distinguished when generating a more meaningful error message. Recently, I encountered the latter case. Here a package was referenced by both the GoMod and the GoDep package managers. Unfortunately, the package managers produced slightly different metadata (which may also be caused by the complex repository layout using Git submodules), so two different HTH |
Maybe @oheger-bosch and @sschuberth you could clarify on another question which pops up wrt this duplicate packages topic. We are getting e.g. this duplicate: The only difference between them is that one is referring company's internal artifactory, other one is in public Apache.
PUBLIC:
The question here is how this is duplicate issue is supposed to be "fixed"? |
I guess using the same list of artifact repositories (in the same order) for all projects in the build should help. |
@sschuberth I am not sure it's exactly the reason. I observe e.g. this in the list of duplicates:
Please note that sourceArtifact is the same, while binaryArtifact is empty in one case and apache.org in another one. |
Me too. The binary artifact should never be empty. Are you seeing "Could not find artifact"-style warnings similar to here being logged? |
Yes, I see 8 entries related to this artifact, based on timestamps - probably from different dependencies. Though none of them are trying to reach maven.apache.org, 6 are from internal Artifactory and 2 are from Google's. |
@sschuberth I created a new issue #6780 to track my problem as it's a different one from original @bennati's request |
Now after #6780 being fixed, I am back to the issue of duplicated dependencies where one is coming from internal mirror and other from maven central. @sschuberth you've mentioned
is there really a way to achieve that? e.g. through curations? |
No, what I was meaning is to fix the build files of the actual project that you're analyzing. |
This is potentially not always possible, it might be coming from transitive dependencies, right? |
Not if it's a Gradle project, as Gradle does not take repository definitions from dependencies into account. |
I think having same order of repositories is something that is tricky to achieve or not even possible in some cases for multirepo projects. E.g. in our case we have our internal app which "prefers" internal mirror over maven central, while external libraries might hold e.g. example app which of course is using public one. Maybe better approach would be to accept different URLs when hashes are the same.
vs
Based on my code understanding this should be relatively easy to do by comparison logic when checking for duplicates. Currently it's using plain operator syntax, but maybe smarter lambda can be used. If you agree it makes sense - I can try to draft it. |
@sschuberth what do you think about my idea above? I could work on the patch then.. |
@devcooch relaxing the check to disregard duplicates if they refer to artifacts with the same hash would indeed be rather straight forward. However, the same concerns as raised here apply: The duplicates would stay in ORT's data model, and there are assumptions spread all over the place that |
The build fails if packages and projects have the same name, returning a list of the duplicated package IDs
ort/analyzer/src/main/kotlin/AnalyzerResultBuilder.kt
Line 50 in 13f5dd2
This error makes troubleshooting hard, as these IDs could be transitive dependencies and so they don't provide enough information.
Update the error message to also contain the section of the dependency tree that includes each of these packages, i.e. a sequence of packages and the files where these are defined. This would allow to understand which direct dependencies cause the issue and enable users to fix their build system.
The text was updated successfully, but these errors were encountered: