Move resolvedRevision from VcsInfo to Provenance #4132
Conversation
mnonnenmacher
force-pushed
the
vcs-info-remove-resolved-revision
branch
5 times, most recently
from
3f93abf to
cd95a2b
Compare
|
@sschuberth @fviernau This can already be reviewed, even though I expect that some tests might fail due to the last two commits I added. The tests already worked for the main commit which moves the property. This change is basically the outcome of the discussion we had a while ago, I hope it matches everyone's requirements. The only thing I didn't do is to add a property for symbolic names like branches or tags, but I think this can be done later if required. |
I have to admit I was slightly confused by the PR's title, as I though the outcome of our discussion was rather to change the docs than the implementation of |
|
Yes, I mainly captured the "spirit" of our discussion, I have tried some approaches and found that this produced the cleanest code. |
mnonnenmacher
force-pushed
the
vcs-info-remove-resolved-revision
branch
from
cd95a2b to
77ef9e0
Compare
| "https://github.com/drupal/drupal.git", | ||
| "4a765491d80d1bcb11e542ffafccf10aef05b853", | ||
| "" | ||
| type = VcsType.GIT, |
There was a problem hiding this comment.
The
resolvedRevisionproperty was supposed to be only set by the downloader.
As mentioned in the past, I was believing this statement to be wrong; I was under the assumption that just the docs of that property were wrong, and that any part of ORT was free to put a resolved version of revision into resolvedRevision.
So I looked up when the property was introduced, which was in c87b658 (actually by you, Martin), and in the commit message you stated "The field is used to store the revision resolved from the working tree of a locally cloned repository in". So you're right and I was wrong 😁 Would you mind adding that commit's SHA1 as a reference so I remember?
There was a problem hiding this comment.
The requirement for
resolvedRevisionpreviouly lead to problems
Which "requirement"? The property was optional after all. Do you mean "The presence of"?"
s/previouly/previously/
There was a problem hiding this comment.
Address this by adding the new property
isResolvedRevisiontoVcsInfo.
Hmm. Just thinking out aloud:
- This means we cannot currently store the (symbolic) revision and its corresponding resolved revision at the same time , e.g. if provided by a package manager.
- It also means we need to know if a revision is resolved or not. Previously, this was no requirement for the
revisionproperly; it could have been resolved or not. Only forresolvedRevisionthere was a guarantee for it to be resolved.
There was a problem hiding this comment.
Would you mind adding that commit's SHA1 as a reference so I remember?
Done.
Which "requirement"?
This meant the requirement described in the paragraph above, I have rephrased the sentence to make it clearer.
s/previouly/previously/
Done.
This means we cannot currently store the (symbolic) revision and its corresponding resolved revision at the same time , e.g. if provided by a package manager.
Yes, just like before. But now there is a way for package managers to show that a revision is resolved which wasn't possible before. I have only done it for NuGet in this PR because it was doing this before and I wasn't sure which other package managers support that, probably GoMod and NPM/Gradle with VCS dependencies.
As mentioned above I think if we want this to be possible it can be done separately. I didn't want to do this now because I mainly wanted to improve the current situation, not add new functionality. Also I don't see that much value in capturing a branch/tag name if we already have a specific revision. I could be used as a fallback if the revision doesn't work or be shown in the reports (with explaining that it could probably have nothing to do with the actually scanned revision, depending on where the data is coming from), but it doesn't seem that any of the package managers I work most with supports two properties for the revision anyway.
It also means we need to know if a revision is resolved or not.
No, we don't. If we set the flag to false even though the revision was resolved by the package manager nothing bad happens, except that the downloader might try to guess a revision which is the same behavior as before. On the contrary we now have a way to flag resolved revisions outside the downloader. I already started using this in a separate PR for projects, because if the analyzer runs on a VCS working tree we always know that the revisions of detected projects are resolved.
The tests already worked for the main commit which moves the property.
Turns out I still have to fix some tests. I wrongly thought that we always execute all test tasks, but it seems that either Gradle stops executing tests tasks if one of them had failing tests, or that we have issues with test reporting on Azure, so everytime I fixed tests a new set of failing tests from another module popped up.
| type = VcsType.GIT, | ||
| url = "https://github.com/drupal/drupal.git", | ||
| revision = "4a765491d80d1bcb11e542ffafccf10aef05b853", | ||
| isResolvedRevision = true |
There was a problem hiding this comment.
As discussed in the developer meeting, isVerifiedRevision or isConfirmedRevision would probably fit the semantics better.
There was a problem hiding this comment.
I have renamed it to isVerifiedRevision and also removed the last commit because you mentioned in the meeting today that NuGet takes the commit SHA1 from metadata so it would be wrong to set the flag there.
There was a problem hiding this comment.
As discussed today I have now completely removed the isVerifiedRevision property so that we can address this topic later in a more sophisticated way.
mnonnenmacher
force-pushed
the
vcs-info-remove-resolved-revision
branch
6 times, most recently
from
6668f86 to
cda30e3
Compare
mnonnenmacher
force-pushed
the
vcs-info-remove-resolved-revision
branch
from
cda30e3 to
3737398
Compare
…esults ORT does not support source artifacts for projects, therefore we can safely assume that the provenance of a scan result for a project is always a `RepositoryProvenance`. Note that this assumption was already made further down in the same function. Signed-off-by: Martin Nonnenmacher <martin.nonnenmacher@here.com>
The function erroneously compared the `revision` and the `resolvedRevision` of the provided `vcsInfo`. This was wrong, because it was instead supposed to check if the `revision` of a nested repository matches the `resolvedRevision` of the provided `vcsInfo`. While on it, also change the signature of the function to take a `RepositoryProvenance` instead of a `VcsInfo` to make clear that it is expected to contain a `resolvedRevision`. This is also a preparation for an upcoming commit which will move the `resolvedRevision` property from `VcsInfo` to `RepositoryProvenance`. Signed-off-by: Martin Nonnenmacher <martin.nonnenmacher@here.com>
This is a preparation for a subsequent commit which will remove `resolvedRevision` from `VcsInfo` and move it to `RepositoryProvenance` instead. Signed-off-by: Martin Nonnenmacher <martin.nonnenmacher@here.com>
mnonnenmacher
force-pushed
the
vcs-info-remove-resolved-revision
branch
from
3737398 to
7a09d26
Compare
The `resolvedRevision` property was supposed to be only set by the downloader because it should contain the revision resolved from a local VCS working tree (c87b658). This was not ideal, because this requirement could easily be overlooked when creating `VcsInfo`s in the analyzer. It also made it complex to match the provenance of a scan result against the `VcsInfo` of `Project`s and `Package`s. Moving the property to `RepositoryProvenance` makes it clear which revision is provided by the analyzer and which revision is provided by the downloader which simplifies the matching. The intention to set `resolvedRevision` only by the downloader previously lead to problems, especially because there was also the demand that package managers can signal that a revision was already resolved (see 48d2cbb, 32681e1, 835b197). This commit removes the confusion about the property by moving it to the correct place in `RepositoryProvenance`. Signed-off-by: Martin Nonnenmacher <martin.nonnenmacher@here.com>
mnonnenmacher
force-pushed
the
vcs-info-remove-resolved-revision
branch
from
7a09d26 to
bd86932
Compare
|
I have marked this as a breaking change because it partly invalidates stored scan results. In one test with ~500 stored scan results ~400 could still be matched, the other ~100 had to be scanned again. After re-scan of those packages the results can be retrieved from the storage again. |
I had a similar discussion with @MarcelBochtler in one of my PRs, and as this is not a change that requires our users to react, nor does it change the results. It would only be perceived as a (temporary) performance "regression". So from my point of view, we could drop the "breaking change" label. |
Makes sense, I have added the release notes label instead. |
I have re-added the breaking change label, because if ORT is used programmatically the API change does require adaption. |
This PR mainly moves the
resolvedRevisionproperty fromVcsInfotoRepositoryProvenanceto better model that this property is only supposed to be set by the downloader. Please see the commit messages for details.