GoMod: Improve detecting the VCS info of packages #5555
Assignees
Labels
analyzer
About the analyzer tool
Comments
fviernau
added a commit
that referenced
this issue
Feb 21, 2023
Previously, ORT's GoMod integration had a rudimentary (re-)implementation of the Go toolings' logic for resolving the VCS infos for the dependencies, covering only the more common use cases. For example, the implementation is VCS host specific and cannot handle mono repository setup at all, without an ugly workaround in the downloader, see [1]. Furthermore, I expect many not yet known issues in the more uncommon use cases. Avoid all these issue by just relying on the VCS info resolution of the Go tooling. Note that as of Go 1.19, the `.info` files under '$GOPATH/pkg/mod' are guaranteed to contain the VCS info of the modules in case no Go proxy is used [2]. For now that information is only accessible by parsing the files directly, but there are plans to make this information available via the command line tools like `go list -json`. Fixes: #5555. [1]: https://github.com/oss-review-toolkit/ort/blob/1dc5c54de3630f0f1249a7ec56ce0a3ba87ac5f1/downloader/src/main/kotlin/VersionControlSystem.kt#L361-L366 [2]: golang/go#44742 (comment) [3]: golang/go#18387 Signed-off-by: Frank Viernau <frank_viernau@epam.com>
fviernau
added a commit
that referenced
this issue
Feb 21, 2023
Previously, ORT's GoMod integration had a rudimentary (re-)implementation of the Go toolings' logic for resolving the VCS infos for the dependencies, covering only the more common use cases. For example, the implementation is VCS host specific and cannot handle mono repository setup at all, without an ugly workaround in the downloader, see [1]. Furthermore, I expect many not yet known issues in the more uncommon use cases. Avoid all these issue by just relying on the VCS info resolution of the Go tooling. Note that as of Go 1.19, the `.info` files under '$GOPATH/pkg/mod' are guaranteed to contain the VCS info of the modules in case no Go proxy is used [2]. For now that information is only accessible by parsing the files directly, but there are plans to make this information available via the command line tools like `go list -json`. Fixes: #5555. [1]: https://github.com/oss-review-toolkit/ort/blob/1dc5c54de3630f0f1249a7ec56ce0a3ba87ac5f1/downloader/src/main/kotlin/VersionControlSystem.kt#L361-L366 [2]: golang/go#44742 (comment) [3]: golang/go#18387 Signed-off-by: Frank Viernau <frank_viernau@epam.com>
fviernau
added a commit
that referenced
this issue
Feb 21, 2023
Previously, ORT's GoMod integration had a rudimentary (re-)implementation of the Go toolings' logic for resolving the VCS infos for the dependencies, covering only the more common use cases. For example, the implementation is VCS host specific and cannot handle mono repository setups at all, without an ugly workaround in the downloader, see [1]. Furthermore, I expect many not yet known issues in the more uncommon use cases. Avoid all these issues by just relying on the VCS info resolution of the Go tooling. Note that as of Go 1.19, the `.info` files under '$GOPATH/pkg/mod' are guaranteed to contain the VCS info of the modules in case no Go proxy is used [2]. For now that information is only accessible by parsing the files directly, but there are plans to make this information available via the command line tools like `go list -json` [3]. Fixes: #5555. [1]: https://github.com/oss-review-toolkit/ort/blob/1dc5c54de3630f0f1249a7ec56ce0a3ba87ac5f1/downloader/src/main/kotlin/VersionControlSystem.kt#L361-L366 [2]: golang/go#44742 (comment) [3]: golang/go#18387 Signed-off-by: Frank Viernau <frank_viernau@epam.com>
fviernau
added a commit
that referenced
this issue
Feb 22, 2023
Previously, ORT's GoMod integration had a rudimentary (re-)implementation of the Go toolings' logic for resolving the VCS infos for the dependencies, covering only the more common use cases. For example, the implementation is VCS host specific and cannot handle mono repository setups at all, without an ugly workaround in the downloader, see [1]. Furthermore, I expect many not yet known issues in the more uncommon use cases. Avoid all these issues by just relying on the VCS info resolution of the Go tooling. Note that as of Go 1.19, the `.info` files under '$GOPATH/pkg/mod' are guaranteed to contain the VCS info of the modules in case no Go proxy is used [2]. For now that information is only accessible by parsing the files directly, but there are plans to make this information available via the command line tools like `go list -json` [3]. Fixes: #5555. [1]: https://github.com/oss-review-toolkit/ort/blob/1dc5c54de3630f0f1249a7ec56ce0a3ba87ac5f1/downloader/src/main/kotlin/VersionControlSystem.kt#L361-L366 [2]: golang/go#44742 (comment) [3]: golang/go#18387 Signed-off-by: Frank Viernau <frank_viernau@epam.com>
This does seem to be true anymore as your #6529 proposes a fix while golang/go#18387 is still unresolved, right? |
fviernau
added a commit
that referenced
this issue
Feb 22, 2023
Previously, ORT's GoMod integration had a rudimentary (re-)implementation of the Go toolings' logic for resolving the VCS infos for the dependencies, covering only the more common use cases. For example, the implementation is VCS host specific and cannot handle mono repository setups at all, without an ugly workaround in the downloader, see [1]. Furthermore, I expect many not yet known issues in the more uncommon use cases. Avoid all these issues by just relying on the VCS info resolution of the Go tooling. Note that as of Go 1.19, the `.info` files under '$GOPATH/pkg/mod' are guaranteed to contain the VCS info of the modules in case no Go proxy is used [2]. For now that information is only accessible by parsing the files directly, but there are plans to make this information available via the command line tools like `go list -json` [3]. Fixes: #5555. [1]: https://github.com/oss-review-toolkit/ort/blob/1dc5c54de3630f0f1249a7ec56ce0a3ba87ac5f1/downloader/src/main/kotlin/VersionControlSystem.kt#L361-L366 [2]: golang/go#44742 (comment) [3]: golang/go#18387 Signed-off-by: Frank Viernau <frank_viernau@epam.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
BLOCKED BY BELOW TICKETS
ORT's logic for determining VCS info currently works only for GitHub. It does not re-use the (non-trivial) logic from the tooling.
As soon as the following tickets are completed / released, we can use the Go tooling to get the VCS info.
That would make VCS detection finally work and setting the source artifact URL can be dropped.
The text was updated successfully, but these errors were encountered: