Duplicate package name with different 'signature' #6001

@olfkadolf

Description

Environment

  • Elixir version (elixir -v):
    Erlang/OTP 27 [erts-15.1.1] [source] [64-bit] [smp:6:6] [ds:6:6:10] [async-threads:1] [jit:ns]
    Elixir 1.17.3 (compiled with Erlang/OTP 27)

  • Phoenix version (mix deps):
    phoenix, "~> 1.7"

  • Operating system:
    Debian GNU/Linux 11 (bullseye) container running on a Linux Gitlab runner

Actual behavior

While leveraging ORT for scanning a project containing Phoenix, the scanner fails on analyzing the Phoenix packages due to duplicate package naming with different 'signatures'. Is there any chance to make the package names unique?

https://github.com/phoenixframework/phoenix/blob/main/package.json
https://github.com/phoenixframework/phoenix/blob/main/assets/package.json

Additional information from ORT log output:

Exception in thread "main" java.lang.IllegalArgumentException: Unable to create the AnalyzerResult as it contains packages and projects with the same ids: [[Package(id=Identifier(type=NPM, namespace=, name=phoenix, version=1.7.14), purl=pkg:npm/phoenix@1.7.14, cpe=null, authors=[Chris McCord], declaredLicenses=[MIT], declaredLicensesProcessed=ProcessedDeclaredLicense(spdxExpression=MIT, mapped={}, unmapped=[]), concludedLicense=null, description=, homepageUrl=, binaryArtifact=RemoteArtifact(url=, hash=Hash(value=, algorithm=)), sourceArtifact=RemoteArtifact(url=, hash=Hash(value=, algorithm=)), vcs=VcsInfo(type=Git, url=git://github.com/phoenixframework/phoenix.git, revision=, path=), vcsProcessed=VcsInfo(type=Git, url=https://gitlab-ci-token@foo/bar.git, revision=b60b4b13d1c8531792f99a5f84522558c3e3f1a7, path=deps/phoenix), isMetadataOnly=false, isModified=false, sourceCodeOrigins=null), Package(id=Identifier(type=NPM, namespace=, name=phoenix, version=1.7.14), purl=pkg:npm/phoenix@1.7.14, cpe=null, authors=[Chris McCord], declaredLicenses=[MIT], declaredLicensesProcessed=ProcessedDeclaredLicense(spdxExpression=MIT, mapped={}, unmapped=[]), concludedLicense=null, description=The official JavaScript client for the Phoenix web framework., homepageUrl=https://github.com/phoenixframework/phoenix#readme, binaryArtifact=RemoteArtifact(url=, hash=Hash(value=, algorithm=)), sourceArtifact=RemoteArtifact(url=https://registry.npmjs.org/phoenix/-/phoenix-1.7.14.tgz, hash=Hash(value=2661c59dc39f0c0c00f4a4f5e5a9dfad22783810, algorithm=SHA-1)), vcs=VcsInfo(type=Git, url=git://github.com/phoenixframework/phoenix.git, revision=e99f657f1cc9062fca0f2b8b79bc90659d8bd514, path=), vcsProcessed=VcsInfo(type=Git, url=https://github.com/phoenixframework/phoenix.git, revision=e99f657f1cc9062fca0f2b8b79bc90659d8bd514, path=), isMetadataOnly=false, isModified=false, sourceCodeOrigins=null)]]
at org.ossreviewtoolkit.analyzer.AnalyzerResultBuilder.build(AnalyzerResultBuilder.kt:45)

Expected behavior

By having unique package names, the Phoenix project will comply better with OSS compliance.
