Resolved external artifacts reconciliation throwing IllegalStateException #115
Comments
|
Yeah I think we never found a good example of when that happens. Can you include a minimal sample project where this error occurs, that'll help us address it better? There might be some underlying variant information that we can use. Component Id might be insufficient. |
|
I don't have good sample example for this . jars for different arch are coming from my organizations custom repo ( can't share details) , any other detail like resolved artifact object structure through debug can help to fix this ? |
|
I think we need to rewrite a lot of the code to be "variant-aware" but that is hard because I haven't found a good example where multiple variants of the same componentId are included in a build, variants are picked and the rest are ignored. Without that I can't exactly design for it. |
|
Understood , will check if I can build such case with sample public repo . |
|
Is your build using multiple configurations in the sbom configuration? This is the only way I can think of to bring in multiple variants into a project and create this clash? |
|
my repo has a dependency on an organization level auth library which has library dependency on netty with different arch and as I also have included the netty it downloads the other arch lib too , Since the component identifier is same , plugin fails. |
|
Oh yeah the error message could be better. I don't think we can act on it though. The fix is likely excluding the unused netty dependency somehow. But variant selection should already do that which is why this is very confusing to me |
|
I am thinking of more like a warning instead of error. This would inform the user about issue but still generate sbom with best effort approach. |
|
Fundamentally this points to an issue with the user's build. Unless I'm mistaken, two variants of the same component cannot be part of a single configuration. We can provide a better error message, but other than that, I don't see any changes. |
|
Same here. In our case it's Netty DNS resolver:
|
|
@kamildoleglo can you point me to a sample project. I'd love to solve this, but I need an example to work with |
|
I'll try to make one. While I agree with you that probably
I use several configurations and I want all of them documented in one file: so that may trigger this behaviour EDIT: Actually no, I only left one configuration there and it still fails with the same message |
|
yeah multiple configurations will definitely trigger it. But I'm more curious about the single configuration case. |
|
Reproduced here: https://github.com/kamildoleglo/spdx-repro |
|
@vlsi fyi what we were talking about last week |
|
Ah so this is actually not variants, this is just multiple classifiers of the same object, which could(?) end up being easier to handle. |
|
Dependencies with classifiers should better be avoided, especially with Gradle (e.g. gradle/gradle#16665 (comment)). The reasoning is that "classifiers" have no metadata. Classifiers have little to no meaning, and they are hard to process dependency-wise. |
|
I agree with that, however this is a valid Gradle configuration and script. IMHO SPDX generation for valid Gradle scripts shouldn't fail in any case. Emitting a warning or providing a way / requiring to manually fix the resulting output is fine as well |
|
@goneall what's the maven plugin do here to represent multiple artifacts with a classifier? Is there an spdx field for this? For instance the case of a project depending on both:
the spdx entry is something like my best guess is just append to version so it's like |
I'm not completely sure - it's quite possible there is an issue in the Maven plugin related to generating multiple artifacts as well. If we had a Maven POM file example, I could try it out and see how it behaves.
I don't believe there is. We could add a filed such as "target architecture" for a package, but I don't think that would cover all the uses of the classifier.
This seems like a good approach since the qualifier could be considered a refinement of the version (even though it doesn't strictly follow the SemVer syntax/semantics). |
Yeah I don't think target architecture would work. We can't really know what the classifier's meaning is, and adding logic feels like we'll probably get it wrong. Lemme see if I can recreate this problem in maven. |
Hi,
External artifiacts reconcile throws illegalStateException https://github.com/spdx/spdx-gradle-plugin/blob/main/src/main/java/org/spdx/sbom/gradle/utils/SpdxDocumentBuilder.java#L174
This could happen if same componentIdentfier resolves to two different files ( possible due to transitive dependencies of different jars). In this case task simple fails as it couldn't make a decision which one is right.
Shouldn't this be handled gracefully or given an option to user to pick one ( first | second) in case such condition occurs.
Observed this issue for with netty jars which are platform dependent ,where component identifier is same.
The text was updated successfully, but these errors were encountered: