chores(analyzer): Print warning if duplicate packages #9260
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| @@ -17,6 +17,8 @@ | |||
| * License-Filename: LICENSE | |||
There was a problem hiding this comment.
reworded commit message
| "Unable to create the AnalyzerResult as it contains packages and projects with the same ids: " + | ||
| duplicates.values | ||
| if (duplicates.isNotEmpty()) { | ||
| logger.warn {"Unable to create the AnalyzerResult as it contains packages and projects with the same ids: ${duplicates.values}"} |
There was a problem hiding this comment.
Instead of just logging, I believe an OrtIssue should be created - because the problem can potentially be severe, so there should be no risk of going unnoticed.
However, with the current logic, it may be difficult to implement that, because the problem is detected way after the duplicate IDs got inserted, so undoing the insertion is probably no more possible.
| "Unable to create the AnalyzerResult as it contains packages and projects with the same ids: " + | ||
| duplicates.values | ||
| if (duplicates.isNotEmpty()) { | ||
| logger.warn {"Unable to create the AnalyzerResult as it contains packages and projects with the same ids: ${duplicates.values}"} |
There was a problem hiding this comment.
The log message now does not reflect what you're doing: You say an analyzer result cannot be created, but still create one.
bennati
force-pushed
the
warning-duplicate-packages
branch
from
46924a6
to
49cb302
Compare
|
Besides the current build errors, I'm actually not sure if we want the change. I currently don't oversee all side effects of allowing duplicate identifiers. |
|
I appreciate the need of understanding in detail all side effects of allowing duplicate identifiers. In my opinion, the scan should crash only if there is a non-recoverable error. Having ORT produce a notice file with potential errors is still safer than having no notice file. |
I agree, that side-effect are hard to oversee and probably huge. Also I am strongly for keeping identifiers unique. |
When duplicate packages or projects are found in the dependency tree, print a warning instead of throwing an exception and inteerrupting the scan. Duplicate packages may arise when the same package is imported twice, in these cases the dependency tree will be completed as the package is imported at least once. Signed-off-by: Stefano Bennati <[email protected]>
bennati
force-pushed
the
warning-duplicate-packages
branch
from
49cb302
to
344d6cb
Compare
|
Is this what you had in mind? |
| logger.warn { | ||
| "AnalyzerResult contains packages and projects with the same ids: ${duplicates.values}" | ||
| } |
Check warning
Code scanning / detekt
Reports code blocks that are not followed by an empty line Warning
| for ((key, items) in duplicates) { | ||
| val issue = createAndLogIssue( | ||
| source = "analyzer", | ||
| message = "AnalyzerResult contains packages and projects with the same ids: ${items}" | ||
| ) | ||
|
|
||
| val existingIssues = issues.getOrDefault(key, emptyList()) | ||
| issues[key] = existingIssues + issue | ||
| } |
Check warning
Code scanning / detekt
Reports code blocks that are not followed by an empty line Warning
| for ((key, items) in duplicates) { | ||
| val issue = createAndLogIssue( | ||
| source = "analyzer", | ||
| message = "AnalyzerResult contains packages and projects with the same ids: ${items}" |
Check warning
Code scanning / detekt
Detects simplifications in template strings Warning
| for ((key, items) in duplicates) { | ||
| val issue = createAndLogIssue( | ||
| source = "analyzer", | ||
| message = "AnalyzerResult contains packages and projects with the same ids: ${items}" |
Check notice
Code scanning / QDJVMC
Redundant curly braces in string template Note
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #9260 +/- ##
=========================================
Coverage 67.67% 67.67%
Complexity 1187 1187
=========================================
Files 239 239
Lines 7796 7796
Branches 900 900
=========================================
Hits 5276 5276
Misses 2153 2153
Partials 367 367
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
No it isn't. It disregards that:
...but, I also do not see a do-able way how to implement what I had in mind. |
|
Ok, let me know if any better solution than this comes to mind which is also feasible and I can try to implement it. |
I won't have the time to look into this anytime soon.
IMO it should not be merged, due to not understood side effects and possible broken referential integrity. Would you be willing to invest the time / effort to find another solution @bennati ? |
|
I can develop a different solution, but first I need someone to explain how the solution should work and the ORT maintainers to commit to merge it once developed. |
|
Any update on this? |
I believe this PR needs to make more clear which of the three different root causes for duplicate identifiers it targets to address. In any case, I believe it's wrong to unconditionally remove all duplicates from Instead, to get started with addressing the general topic, I plan to revive #6533 which targets the case where duplicates occur between projects and packages. |
When duplicate packages or projects are found in the dependency tree, print a warning instead of throwing an exception and inteerrupting the scan. Duplicate packages may arise when the same package is imported twice, in these cases the dependency tree will be completed as the package is imported at least once.
Please ensure that your pull request adheres to our contribution guidelines. Thank you!