feat(scanner): Merge duplicate scan results that share a provenance #10502
+59
−23
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
maennchen
force-pushed
the
jm/scan_deduplication
branch
from
038c082 to
40190e3
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
maennchen
changed the title
1 task
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #10502 +/- ##
============================================
+ Coverage 57.28% 57.30% +0.01%
- Complexity 1644 1648 +4
============================================
Files 341 341
Lines 12722 12722
Branches 1206 1206
============================================
+ Hits 7288 7290 +2
+ Misses 4971 4969 -2
Partials 463 463
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
maennchen
force-pushed
the
jm/scan_deduplication
branch
from
40190e3 to
ed1df5f
Compare
There was a problem hiding this comment.
Hi @maennchen,
thanks for your contribution!
Do you mind adding a test that demonstrates the issue with the duplicated scan results and that your changes fix these issues?
Edit: As there is currently no existing test for the scan function that use an ORT result, I won't insist on this change.
Edit 2: I Found these existing tests which already test the scan() function:
ort/scanner/src/funTest/kotlin/scanners/ScannerIntegrationFunTest.kt
Lines 63 to 102 in c086b3b
Can you have a look at them and extend them to test your use-case?
|
@MarcelBochtler I added a test to test the deduplication. Running the same test on
$ ./gradlew scanner:funTest --tests "org.ossreviewtoolkit.scanner.scanners.ScannerIntegrationFunTest" |
maennchen
force-pushed
the
jm/scan_deduplication
branch
from
4432de1 to
263be95
Compare
maennchen
force-pushed
the
jm/scan_deduplication
branch
from
263be95 to
276bc2f
Compare
MarcelBochtler
previously approved these changes
Jun 25, 2025
sschuberth
requested changes
Jun 26, 2025
scanner/src/funTest/kotlin/scanners/ScannerIntegrationFunTest.kt
Outdated
Show resolved
Hide resolved
scanner/src/funTest/resources/scanner-integration-all-pkgs-expected-ort-result.yml
Outdated
Show resolved
Hide resolved
fviernau
requested changes
Jun 26, 2025
fviernau
requested changes
Jun 26, 2025
scanner/src/funTest/kotlin/scanners/ScannerIntegrationFunTest.kt
Outdated
Show resolved
Hide resolved
maennchen
force-pushed
the
jm/scan_deduplication
branch
from
276bc2f to
dfb5f87
Compare
|
The code can be seen in action here: https://github.com/elixir-lang/elixir/actions/runs/16086802339/job/45398947306 |
fviernau
previously requested changes
Jul 7, 2025
scanner/src/funTest/kotlin/scanners/ScannerIntegrationFunTest.kt
Outdated
Show resolved
Hide resolved
scanner/src/funTest/kotlin/scanners/ScannerIntegrationFunTest.kt
Outdated
Show resolved
Hide resolved
maennchen
added a commit
to maennchen/ort
that referenced
this pull request
Jul 10, 2025
Prep work for PR oss-review-toolkit#10502. * Add ScanResult.padNoneLicenseFindings() Inserts one synthetic LicenseFinding(SpdxConstants.NONE, UNKNOWN_LINE) for every path that lacks a license finding. * Add ScannerRun.padNoneLicenseFindings() Calls the above helper for each contained ScanResult, using the run’s FileList data to obtain the full set of paths. * Replace the in-place code in Scanner with a single call to ScannerRun.padNoneLicenseFindings() when includeFilesWithoutFindings is true. * Introduce ScannerRunTest.padNoneLicenseFindings() Verifies that a path without findings receives exactly one NONE entry. This refactor keeps behaviour unchanged while isolating the padding logic in the domain model, improving reuse and testability and keeping later PRs focused. Signed-off-by: Jonatan Männchen <jonatan@maennchen.ch>
maennchen
added a commit
to maennchen/ort
that referenced
this pull request
Jul 10, 2025
Prep work for upcoming PR oss-review-toolkit#10502. * Add ScanResult.padNoneLicenseFindings(paths) Creates a copy whose summary contains a single LicenseFinding(SpdxConstants.NONE, UNKNOWN_LINE) for every path in *paths* that currently lacks a licence finding. * Add ScannerRun.padNoneLicenseFindings() Uses the run’s FileList map to obtain all paths per provenance and delegates to the ScanResult helper for every contained result. * Remove the ad-hoc padding code from Scanner.kt and replace it with a single call to scannerRun.padNoneLicenseFindings() when includeFilesWithoutFindings is enabled. * Introduce ScannerRunTest.padNoneLicenseFindings() Ensures a file without licence findings receives exactly one NONE entry. This refactor keeps behaviour unchanged while centralising the padding logic in the model layer, improving reuse and testability. Signed-off-by: Jonatan Männchen <jonatan@maennchen.ch>
maennchen
added a commit
to maennchen/ort
that referenced
this pull request
Jul 10, 2025
Prep work for upcoming PR oss-review-toolkit#10502. * Add ScanResult.padNoneLicenseFindings(paths) Creates a copy whose summary contains a single LicenseFinding(SpdxConstants.NONE, UNKNOWN_LINE) for every path in *paths* that currently lacks a licence finding. * Add ScannerRun.padNoneLicenseFindings() Uses the run’s FileList map to obtain all paths per provenance and delegates to the ScanResult helper for every contained result. * Remove the ad-hoc padding code from Scanner.kt and replace it with a single call to scannerRun.padNoneLicenseFindings() when includeFilesWithoutFindings is enabled. * Introduce ScannerRunTest.padNoneLicenseFindings() Ensures a file without licence findings receives exactly one NONE entry. This refactor keeps behaviour unchanged while centralising the padding logic in the model layer, improving reuse and testability. Signed-off-by: Jonatan Männchen <jonatan@maennchen.ch>
maennchen
added a commit
to maennchen/ort
that referenced
this pull request
Jul 10, 2025
…ovenance Prep work for upcoming PR oss-review-toolkit#10502. * `ScannerRun.init` - Add a `require` check that no two `ScanResult`s share the same provenance. - Add a similar check that no two `FileList`s share the same provenance. The offending provenance is rendered via `toYaml()` to aid debugging. * `ScannerRunTest` - Introduce two unit tests that assert an `IllegalArgumentException` is thrown when duplicates are present for scan results or file lists, respectively. These runtime checks make improper scan runs surface early and provide clear error messages, which will simplify the upcoming deduplication work. Signed-off-by: Jonatan Männchen <jonatan@maennchen.ch>
maennchen
added a commit
to maennchen/ort
that referenced
this pull request
Jul 10, 2025
…ovenance Prep work for upcoming PR oss-review-toolkit#10502. * `ScannerRun.init` - Add a `require` check that no two `ScanResult`s share the same provenance and scanner. - Add a similar check that no two `FileList`s share the same provenance. The offending provenance is rendered via `toYaml()` to aid debugging. * `ScannerRunTest` - Introduce two unit tests that assert an `IllegalArgumentException` is thrown when duplicates are present for scan results or file lists, respectively. These runtime checks make improper scan runs surface early and provide clear error messages, which will simplify the upcoming deduplication work. Signed-off-by: Jonatan Männchen <jonatan@maennchen.ch>
3 tasks
maennchen
added a commit
to maennchen/ort
that referenced
this pull request
Jul 10, 2025
Prep work for upcoming PR oss-review-toolkit#10502. * Add ScanResult.padNoneLicenseFindings(paths) Creates a copy whose summary contains a single LicenseFinding(SpdxConstants.NONE, UNKNOWN_LINE) for every path in *paths* that currently lacks a licence finding. * Add ScannerRun.padNoneLicenseFindings() Uses the run’s FileList map to obtain all paths per provenance and delegates to the ScanResult helper for every contained result. * Remove the ad-hoc padding code from Scanner.kt and replace it with a single call to scannerRun.padNoneLicenseFindings() when includeFilesWithoutFindings is enabled. * Introduce ScannerRunTest.padNoneLicenseFindings() Ensures a file without licence findings receives exactly one NONE entry. This refactor keeps behaviour unchanged while centralising the padding logic in the model layer, improving reuse and testability. Signed-off-by: Jonatan Männchen <jonatan@maennchen.ch>
maennchen
added a commit
to maennchen/ort
that referenced
this pull request
Jul 10, 2025
Prep work for upcoming PR oss-review-toolkit#10502. * Add ScanResult.padNoneLicenseFindings(paths) Creates a copy whose summary contains a single LicenseFinding(SpdxConstants.NONE, UNKNOWN_LINE) for every path in *paths* that currently lacks a licence finding. * Add ScannerRun.padNoneLicenseFindings() Uses the run’s FileList map to obtain all paths per provenance and delegates to the ScanResult helper for every contained result. * Remove the ad-hoc padding code from Scanner.kt and replace it with a single call to scannerRun.padNoneLicenseFindings() when includeFilesWithoutFindings is enabled. * Introduce ScannerRunTest.padNoneLicenseFindings() Ensures a file without licence findings receives exactly one NONE entry. This refactor keeps behaviour unchanged while centralising the padding logic in the model layer, improving reuse and testability. Signed-off-by: Jonatan Männchen <jonatan@maennchen.ch>
maennchen
added a commit
to maennchen/ort
that referenced
this pull request
Jul 10, 2025
Prep work for upcoming PR oss-review-toolkit#10502. * `ScannerRun.init` - Add a `require` check that no two `ScanResult`s share the same provenance and scanner. - Add a similar check that no two `FileList`s share the same provenance. The offending provenance is rendered via `toYaml()` to aid debugging. * `ScannerRunTest` - Introduce two unit tests that assert an `IllegalArgumentException` is thrown when duplicates are present for scan results or file lists, respectively. These runtime checks make improper scan runs surface early and provide clear error messages, which will simplify the upcoming deduplication work. Signed-off-by: Jonatan Männchen <jonatan@maennchen.ch>
maennchen
added a commit
to maennchen/ort
that referenced
this pull request
Jul 10, 2025
Prep work for upcoming PR oss-review-toolkit#10502. * `FileList`, `ScanSummary`, `ScanResult` and `ScannerRun` now implement `operator fun plus(...)`, enabling declarative, type-safe merging of scan data. * Each operator validates invariants (e.g. identical provenance, identical scanner / environment / config) and throws an `IllegalArgumentException` on mismatch. * For compatible objects, collections are union-merged; time ranges are widened (`startTime = min`, `endTime = max`). * `ScannerRun.plus()` * Merges file lists and scan results by `provenance to scanner` using the new operators. * Combines issues / scanners maps by key union. * Carries forward earliest start and latest end timestamps. * **Unit tests** * Extensive coverage in `ScannerRunTest` for all merge scenarios, including negative cases (different config / environment) and positive cases for times, provenances, issues, scanners, file lists and scan results. Signed-off-by: Jonatan Männchen <jonatan@maennchen.ch>
maennchen
force-pushed
the
jm/scan_deduplication
branch
from
ed52821 to
56c12eb
Compare
maennchen
added a commit
to maennchen/ort
that referenced
this pull request
Jul 11, 2025
Prep work for upcoming PR oss-review-toolkit#10502. * Add ScanResult.padNoneLicenseFindings(paths) Creates a copy whose summary contains a single LicenseFinding(SpdxConstants.NONE, UNKNOWN_LINE) for every path in *paths* that currently lacks a licence finding. * Add ScannerRun.padNoneLicenseFindings() Uses the run’s FileList map to obtain all paths per provenance and delegates to the ScanResult helper for every contained result. * Remove the ad-hoc padding code from Scanner.kt and replace it with a single call to scannerRun.padNoneLicenseFindings() when includeFilesWithoutFindings is enabled. * Introduce ScannerRunTest.padNoneLicenseFindings() Ensures a file without licence findings receives exactly one NONE entry. This refactor keeps behaviour unchanged while centralising the padding logic in the model layer, improving reuse and testability. Signed-off-by: Jonatan Männchen <jonatan@maennchen.ch>
maennchen
added a commit
to maennchen/ort
that referenced
this pull request
Jul 11, 2025
Prep work for upcoming PR oss-review-toolkit#10502. Signed-off-by: Jonatan Männchen <jonatan@maennchen.ch>
maennchen
added a commit
to maennchen/ort
that referenced
this pull request
Jul 11, 2025
Prep work for upcoming PR oss-review-toolkit#10502. Signed-off-by: Jonatan Männchen <jonatan@maennchen.ch>
maennchen
added a commit
to maennchen/ort
that referenced
this pull request
Jul 11, 2025
Prep work for upcoming PR oss-review-toolkit#10502. * `FileList`, `ScanSummary`, `ScanResult` and `ScannerRun` now implement `operator fun plus(...)`, enabling declarative, type-safe merging of scan data. * Each operator validates invariants (e.g. identical provenance, identical scanner / environment / config) and throws an `IllegalArgumentException` on mismatch. * For compatible objects, collections are union-merged; time ranges are widened (`startTime = min`, `endTime = max`). * `ScannerRun.plus()` * Merges file lists and scan results by `provenance to scanner` using the new operators. * Combines issues / scanners maps by key union. * Carries forward earliest start and latest end timestamps. * **Unit tests** * Extensive coverage in `ScannerRunTest` for all merge scenarios, including negative cases (different config / environment) and positive cases for times, provenances, issues, scanners, file lists and scan results. Signed-off-by: Jonatan Männchen <jonatan@maennchen.ch>
maennchen
force-pushed
the
jm/scan_deduplication
branch
from
56c12eb to
671db0d
Compare
maennchen
added a commit
to maennchen/ort
that referenced
this pull request
Jul 11, 2025
Prep work for upcoming PR oss-review-toolkit#10502. * `FileList`, `ScanSummary`, `ScanResult` and `ScannerRun` now implement `operator fun plus(...)`, enabling declarative, type-safe merging of scan data. * Each operator validates invariants (e.g. identical provenance, identical scanner / environment / config) and throws an `IllegalArgumentException` on mismatch. * For compatible objects, collections are union-merged; time ranges are widened (`startTime = min`, `endTime = max`). * `ScannerRun.plus()` * Merges file lists and scan results by `provenance to scanner` using the new operators. * Combines issues / scanners maps by key union. * Carries forward earliest start and latest end timestamps. * **Unit tests** * Extensive coverage in `ScannerRunTest` for all merge scenarios, including negative cases (different config / environment) and positive cases for times, provenances, issues, scanners, file lists and scan results. Signed-off-by: Jonatan Männchen <jonatan@maennchen.ch>
fviernau
pushed a commit
that referenced
this pull request
Jul 11, 2025
Prep work for upcoming PR #10502. Signed-off-by: Jonatan Männchen <jonatan@maennchen.ch>
maennchen
added a commit
to maennchen/ort
that referenced
this pull request
Jul 11, 2025
Prep work for upcoming PR oss-review-toolkit#10502. * `FileList`, `ScanSummary`, `ScanResult` and `ScannerRun` now implement `operator fun plus(...)`, enabling declarative, type-safe merging of scan data. * Each operator validates invariants (e.g. identical provenance, identical scanner / environment / config) and throws an `IllegalArgumentException` on mismatch. * For compatible objects, collections are union-merged; time ranges are widened (`startTime = min`, `endTime = max`). * `ScannerRun.plus()` * Merges file lists and scan results by `provenance to scanner` using the new operators. * Combines issues / scanners maps by key union. * Carries forward earliest start and latest end timestamps. * **Unit tests** * Extensive coverage in `ScannerRunTest` for all merge scenarios, including negative cases (different config / environment) and positive cases for times, provenances, issues, scanners, file lists and scan results. Signed-off-by: Jonatan Männchen <jonatan@maennchen.ch>
maennchen
force-pushed
the
jm/scan_deduplication
branch
from
671db0d to
6a583fb
Compare
maennchen
added a commit
to maennchen/ort
that referenced
this pull request
Jul 29, 2025
Prep work for upcoming PR oss-review-toolkit#10502. * `FileList`, `ScanSummary`, `ScanResult` and `ScannerRun` now implement `operator fun plus(...)`, enabling declarative, type-safe merging of scan data. * Each operator validates invariants (e.g. identical provenance, identical scanner / environment / config) and throws an `IllegalArgumentException` on mismatch. * For compatible objects, collections are union-merged; time ranges are widened (`startTime = min`, `endTime = max`). * `ScannerRun.plus()` * Merges file lists and scan results by `provenance to scanner` using the new operators. * Combines issues / scanners maps by key union. * Carries forward earliest start and latest end timestamps. * **Unit tests** * Extensive coverage in `ScannerRunTest` for all merge scenarios, including negative cases (different config / environment) and positive cases for times, provenances, issues, scanners, file lists and scan results. Signed-off-by: Jonatan Männchen <jonatan@maennchen.ch>
maennchen
added a commit
to maennchen/ort
that referenced
this pull request
Jul 29, 2025
Prep work for upcoming PR oss-review-toolkit#10502. * `FileList`, `ScanSummary`, `ScanResult` and `ScannerRun` now implement `operator fun plus(...)`, enabling declarative, type-safe merging of scan data. * Each operator validates invariants (e.g. identical provenance, identical scanner / environment / config) and throws an `IllegalArgumentException` on mismatch. * For compatible objects, collections are union-merged; time ranges are widened (`startTime = min`, `endTime = max`). * `ScannerRun.plus()` * Merges file lists and scan results by `provenance to scanner` using the new operators. * Combines issues / scanners maps by key union. * Carries forward earliest start and latest end timestamps. * **Unit tests** * Extensive coverage in `ScannerRunTest` for all merge scenarios, including negative cases (different config / environment) and positive cases for times, provenances, issues, scanners, file lists and scan results. Signed-off-by: Jonatan Männchen <jonatan@maennchen.ch>
maennchen
added a commit
to maennchen/ort
that referenced
this pull request
Jul 29, 2025
Prep work for upcoming PR oss-review-toolkit#10502. * `FileList`, `ScanSummary`, `ScanResult` and `ScannerRun` now implement `operator fun plus(...)`, enabling declarative, type-safe merging of scan data. * Each operator validates invariants (e.g. identical provenance, identical scanner / environment / config) and throws an `IllegalArgumentException` on mismatch. * For compatible objects, collections are union-merged; time ranges are widened (`startTime = min`, `endTime = max`). * `ScannerRun.plus()` * Merges file lists and scan results by `provenance to scanner` using the new operators. * Combines issues / scanners maps by key union. * Carries forward earliest start and latest end timestamps. * **Unit tests** * Extensive coverage in `ScannerRunTest` for all merge scenarios, including negative cases (different config / environment) and positive cases for times, provenances, issues, scanners, file lists and scan results. Signed-off-by: Jonatan Männchen <jonatan@maennchen.ch>
maennchen
force-pushed
the
jm/scan_deduplication
branch
from
6a583fb to
f6a6d27
Compare
sschuberth
pushed a commit
that referenced
this pull request
Jul 29, 2025
Prep work for upcoming PR #10502. * `FileList`, `ScanSummary`, `ScanResult` and `ScannerRun` now implement `operator fun plus(...)`, enabling declarative, type-safe merging of scan data. * Each operator validates invariants (e.g. identical provenance, identical scanner / environment / config) and throws an `IllegalArgumentException` on mismatch. * For compatible objects, collections are union-merged; time ranges are widened (`startTime = min`, `endTime = max`). * `ScannerRun.plus()` * Merges file lists and scan results by `provenance to scanner` using the new operators. * Combines issues / scanners maps by key union. * Carries forward earliest start and latest end timestamps. * **Unit tests** * Extensive coverage in `ScannerRunTest` for all merge scenarios, including negative cases (different config / environment) and positive cases for times, provenances, issues, scanners, file lists and scan results. Signed-off-by: Jonatan Männchen <jonatan@maennchen.ch>
maennchen
force-pushed
the
jm/scan_deduplication
branch
from
f6a6d27 to
d780617
Compare
sschuberth
requested changes
Jul 29, 2025
scanner/src/funTest/kotlin/scanners/ScannerIntegrationFunTest.kt
Outdated
Show resolved
Hide resolved
When the SpdxDocumentFile package manager is used, the *project* and all contained *packages* often resolve to the **same VCS provenance** (e.g. the root of the Git repository). Before this change ORT stored two separate `ScanResult`s for such a provenance – one keyed to the project, one keyed to the package. That caused two follow-on problems: * Both results appeared in the `OrtResult`, so evaluators saw **duplicate findings** for the *same* source tree. * Because projects and packages are handled by different rules the package result was additionally **padded with a `SpdxConstants.NONE` finding** whenever `includeFilesWithoutFindings` was enabled. The evaluator therefore compared *real* license findings from the project result with `NONE` from the package result and failed with a violation. This patch * merges `ScannerRun`, and * performs the "pad with NONE" step only **after** deduplication, so every path is represented exactly once. As a consequence the evaluator now receives one consistent set of license findings per provenance / scanner, eliminating the false mismatch. Signed-off-by: Jonatan Männchen <jonatan@maennchen.ch>
maennchen
force-pushed
the
jm/scan_deduplication
branch
from
d780617 to
d536a3e
Compare
sschuberth
approved these changes
Jul 29, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
TODO
+merge operators for scan-domain objects #10585 firstWhen the SpdxDocumentFile package manager is used, the project and all contained packages often resolve to the same VCS provenance (e.g. the root of the Git repository).
Before this change ORT stored two separate
ScanResults for such a provenance – one keyed to the project, one keyed to the package.That caused two follow-on problems:
OrtResult, so evaluators saw duplicate findings for the same source tree.SpdxConstants.NONEfinding wheneverincludeFilesWithoutFindingswas enabled. The evaluator therefore compared real license findings from the project result withNONEfrom the package result and failed with a violation.This patch
ScannerRun, andAs a consequence the evaluator now receives one consistent set of license findings per provenance / scanner, eliminating the false mismatch.
This is the first time for me writing Kotlin. Sorry if the code is not up to the usual standards.