
Duplicate package name with different 'signature' #6001

Open
olfkadolf opened this issue Dec 6, 2024 · 2 comments

Comments

@olfkadolf

Environment

  • Elixir version (elixir -v):
    Erlang/OTP 27 [erts-15.1.1] [source] [64-bit] [smp:6:6] [ds:6:6:10] [async-threads:1] [jit:ns]
    Elixir 1.17.3 (compiled with Erlang/OTP 27)

  • Phoenix version (mix deps):
    phoenix, "~> 1.7"

  • Operating system:
    Debian GNU/Linux 11 (bullseye) container running on a Linux GitLab runner

Actual behavior

While leveraging ORT for scanning a project containing Phoenix, the scanner fails when analyzing the Phoenix packages due to duplicate package naming with different 'signatures'. Is there any chance to make the package names unique?

https://github.com/phoenixframework/phoenix/blob/main/package.json
https://github.com/phoenixframework/phoenix/blob/main/assets/package.json

Additional information from ORT log output:

Exception in thread "main" java.lang.IllegalArgumentException: Unable to create the AnalyzerResult as it contains packages and projects with the same ids: [[Package(id=Identifier(type=NPM, namespace=, name=phoenix, version=1.7.14), purl=pkg:npm/[email protected], cpe=null, authors=[Chris McCord], declaredLicenses=[MIT], declaredLicensesProcessed=ProcessedDeclaredLicense(spdxExpression=MIT, mapped={}, unmapped=[]), concludedLicense=null, description=, homepageUrl=, binaryArtifact=RemoteArtifact(url=, hash=Hash(value=, algorithm=)), sourceArtifact=RemoteArtifact(url=, hash=Hash(value=, algorithm=)), vcs=VcsInfo(type=Git, url=git://github.com/phoenixframework/phoenix.git, revision=, path=), vcsProcessed=VcsInfo(type=Git, url=https://gitlab-ci-token@foo/bar.git, revision=b60b4b13d1c8531792f99a5f84522558c3e3f1a7, path=deps/phoenix), isMetadataOnly=false, isModified=false, sourceCodeOrigins=null), Package(id=Identifier(type=NPM, namespace=, name=phoenix, version=1.7.14), purl=pkg:npm/[email protected], cpe=null, authors=[Chris McCord], declaredLicenses=[MIT], declaredLicensesProcessed=ProcessedDeclaredLicense(spdxExpression=MIT, mapped={}, unmapped=[]), concludedLicense=null, description=The official JavaScript client for the Phoenix web framework., homepageUrl=https://github.com/phoenixframework/phoenix#readme, binaryArtifact=RemoteArtifact(url=, hash=Hash(value=, algorithm=)), sourceArtifact=RemoteArtifact(url=https://registry.npmjs.org/phoenix/-/phoenix-1.7.14.tgz, hash=Hash(value=2661c59dc39f0c0c00f4a4f5e5a9dfad22783810, algorithm=SHA-1)), vcs=VcsInfo(type=Git, url=git://github.com/phoenixframework/phoenix.git, revision=e99f657f1cc9062fca0f2b8b79bc90659d8bd514, path=), vcsProcessed=VcsInfo(type=Git, url=https://github.com/phoenixframework/phoenix.git, revision=e99f657f1cc9062fca0f2b8b79bc90659d8bd514, path=), isMetadataOnly=false, isModified=false, sourceCodeOrigins=null)]]
at org.ossreviewtoolkit.analyzer.AnalyzerResultBuilder.build(AnalyzerResultBuilder.kt:45)

Expected behavior

By having unique package names, the Phoenix project will better support OSS compliance.
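A pre-flight check for the collision described above, added here as an illustration and not code from ORT or Phoenix: it walks a tree for package.json files, derives the npm identifier ORT keys on (name plus version, rendered as a purl) and reports any identifier declared by more than one manifest, so the clash surfaces before the analyzer run fails. The sample manifests are constructed to mirror the two identifiers in the log; the list of skipped directories is an assumption.

```python
"""Report package.json files in one tree that share a package identifier."""
from __future__ import annotations

import json
import os
import sys
from collections import defaultdict

# Directories assumed to hold third-party or generated code, not the project's own manifests.
SKIP_DIRS = {"node_modules", "deps", "_build", ".git"}


def purl_from_manifest(manifest: dict) -> str | None:
    """Build the npm purl (type/namespace/name@version) that identifies a manifest."""
    name, version = manifest.get("name"), manifest.get("version")
    if not name or not version:
        return None  # unnamed or unversioned manifests get no stable identifier
    if name.startswith("@") and "/" in name:
        # Scoped package: the scope is the purl namespace, with '@' percent-encoded.
        scope, bare = name[1:].split("/", 1)
        return f"pkg:npm/%40{scope}/{bare}@{version}"
    return f"pkg:npm/{name}@{version}"


def find_duplicate_ids(manifests: dict[str, dict]) -> dict[str, list[str]]:
    """Map each identifier declared by more than one manifest to the paths declaring it."""
    by_id: dict[str, list[str]] = defaultdict(list)
    for path in sorted(manifests):
        purl = purl_from_manifest(manifests[path])
        if purl is not None:
            by_id[purl].append(path)
    return {purl: paths for purl, paths in by_id.items() if len(paths) > 1}


def load_manifests(root: str) -> dict[str, dict]:
    """Parse every package.json under root, keyed by path relative to root."""
    found: dict[str, dict] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        if "package.json" in filenames:
            full = os.path.join(dirpath, "package.json")
            with open(full, encoding="utf-8") as fh:
                found[os.path.relpath(full, root)] = json.load(fh)
    return found


# Constructed sample shaped like the two colliding manifests in the issue, plus one that does not collide.
SAMPLE_MANIFESTS = {
    "package.json": {"name": "phoenix", "version": "1.7.14", "license": "MIT"},
    "assets/package.json": {"name": "phoenix", "version": "1.7.14", "license": "MIT"},
    "priv/demo/package.json": {"name": "phoenix_demo", "version": "0.1.0"},
}

if __name__ == "__main__":
    manifests = load_manifests(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_MANIFESTS
    for purl, paths in find_duplicate_ids(manifests).items():
        print(f"{purl} declared by: {', '.join(paths)}")
```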

@josevalim (Member)

We may be able to call the package inside assets something else? I think it is only used internally.

@olfkadolf (Author)

I think that would be a useful and quite low-impact change so I'd be happy if that could be done.
