Trying to Use .ort.yml Repository Configuration for Package Concluded License Finding #7753

Closed
scottschreckengaust opened this issue Oct 27, 2023 · 15 comments · Fixed by oss-review-toolkit/ort-config#141
Labels
configuration About configuration topics question An issue that is actually a question

Comments

@scottschreckengaust

The documentation for Repository Configuration (.ort.yml) states:

curations - Overwrite package metadata, set a concluded license or correct license findings.

Yet I received the PACKAGE_CURATION_IN_ORT_YML error while trying to do so:

The use of package curations is not allowed in the *.ort.yml file.


Using ORT version 4.0.0, here is the recommendation for the NO_LICENSE_IN_DEPENDENCY error:

{
  "rule" : "NO_LICENSE_IN_DEPENDENCY",
  "pkg" : "PyPI::numpy:1.26.1",
  "license" : null,
  "license_source" : null,
  "severity" : "ERROR",
  "message" : "No license information is available for dependency 'PyPI::numpy:1.26.1'.",
  "how_to_fix" : "If the dependency indeed is unlicensed, it must not be used. Otherwise, please conclude the appropriate license with a package curation."
}

Here is the repository configuration .ort.yml that attempted to fix this and received the PACKAGE_CURATION_IN_ORT_YML:

---
curations:  
  - id: "PyPI::numpy:1.26.1"
    curations:
      comment: "The https://github.com/numpy/numpy/blob/v1.26.1/LICENSE.txt, as a permissive license similar to the BSD 2-Clause License, but with a 3rd clause that prohibits others from using the name of the copyright holder or its contributors to promote derived products without written consent."
      concluded_license: "BSD-3-Clause"
@sschuberth sschuberth added question An issue that is actually a question configuration About configuration topics labels Oct 27, 2023
@sschuberth
Member

The use of package curations is not allowed in the *.ort.yml file.

This is meant to tell you that the feature is "disabled by policy", i.e. you need to enable it in the global ORT configuration before ORT users can make use of it in their project repositories, see

enableRepositoryPackageCurations: true

@sschuberth
Member

I've clarified this in the docs: #7754

@sschuberth
Member

Improved docs are now live at https://oss-review-toolkit.org/ort/docs/configuration/ort-yml#curations. Feel free to reopen if this does not answer your question @scottschreckengaust.

@scottschreckengaust
Author

Same results, I must be missing something:

The use of package curations is not allowed in the *.ort.yml file.

I set up a temporary sample repository https://github.com/scottschreckengaust/orter as an attempt to set the enableRepositoryPackageCurations using the GitHub Action https://github.com/oss-review-toolkit/ort-ci-github-action with a repository .ort.yml file.

I have reviewed https://github.com/oss-review-toolkit/ort-ci-github-action/blob/main/action.yml and documentation https://oss-review-toolkit.org/ort/docs/configuration/ort-yml#curations and need help still.

Here is a successful run with the artifact report showing the NO_LICENSE_IN_DEPENDENCY:

This run shows the PACKAGE_CURATION_IN_ORT_YML when attempting to fix with an included .ort.yml:

Here is the configuration of the repository's three files:

  1. A requirements.txt to trigger the NO_LICENSE_IN_DEPENDENCY finding:
numpy==1.26.1
  2. A GitHub Workflow .github/workflows/ort.yml:
---
name: ort-toolkit
on:
  push:
    branches:
      - main
  workflow_dispatch: {}
jobs:
  ort:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Checkout project
        uses: actions/checkout@v3
      - name: Run GitHub Action for ORT
        uses: oss-review-toolkit/ort-ci-github-action@v1
        with:
          ort-cli-args: '-P ort.forceOverwrite=true -P ort.enableRepositoryPackageCurations=true --stacktrace'
  3. The repository configuration .ort.yml:
---
curations:
  packages:
  - id: "PyPI::numpy:1.26.1"
    curations:
      comment: "The https://github.com/numpy/numpy/blob/v1.26.1/LICENSE.txt, as a permissive license similar to the BSD 2-Clause License, but with a 3rd clause that prohibits others from using the name of the copyright holder or its contributors to promote derived products without written consent."
      concluded_license: "BSD-3-Clause"

@sschuberth
Member

This line actually indicates that the curation has been applied, but there seem to be some bugs in the way the GitHub action calls ORT. It will take me some time to look into this as I'm currently traveling.

@scottschreckengaust
Author

scottschreckengaust commented Nov 7, 2023

I re-ran the job with debug logging. The 'evaluate':
https://github.com/scottschreckengaust/orter/actions/runs/6778545082/job/18447223666#step:3:2638

2023-11-07T15:17:39.5688480Z 
2023-11-07T15:17:40.4451538Z  ______________________________                                                
2023-11-07T15:17:40.4453146Z /        \_______   \__    ___/ The OSS Review Toolkit, version 4.0.0.         
2023-11-07T15:17:40.4454363Z |    |   | |       _/ |    |                                                   
2023-11-07T15:17:40.4456193Z |    |   | |    |   \ |    |    Running 'evaluate' as 'ort' under Java 17.0.8.1
2023-11-07T15:17:40.4457728Z \________/ |____|___/ |____|    with 4 CPUs and a maximum of 5120 MiB of memory
2023-11-07T15:17:40.4458821Z                                                                                
2023-11-07T15:17:40.4459959Z Environment variables:                                                        
2023-11-07T15:17:40.4461376Z ORT_CONFIG_DIR = /home/ort/.ort/config                                        
2023-11-07T15:17:40.4465650Z ORT_DATA_DIR = /home/ort/.ort                                                 
2023-11-07T15:17:40.4466978Z JAVA_HOME = /opt/java/openjdk                                                 
2023-11-07T15:17:40.4468351Z ANDROID_HOME = /opt/android-sdk                                               
2023-11-07T15:17:40.4469483Z                                                                               
2023-11-07T15:17:40.4486639Z Looking for ORT configuration in the following file:
2023-11-07T15:17:40.4498910Z         /home/ort/.ort/config/config.yml (does not exist)
2023-11-07T15:17:40.4499456Z 
2023-11-07T15:17:40.4500172Z Looking for evaluator-specific configuration in the following files and directories:
2023-11-07T15:17:40.4501308Z         /home/ort/.ort/config/copyright-garbage.yml
2023-11-07T15:17:40.4502171Z         /home/ort/.ort/config/license-classifications.yml
2023-11-07T15:17:49.6573381Z The evaluation of 1 script(s) took 7.994360913s.
2023-11-07T15:17:49.6599924Z WARNING: UNMAPPED_DECLARED_LICENSE - PyPI::numpy:1.26.1 - The declared license 'BSD License' could not be mapped to a valid license or parsed as an SPDX expression. The license was found in package PyPI::numpy:1.26.1.
2023-11-07T15:17:49.6602566Z ERROR: PACKAGE_CURATION_IN_ORT_YML - The use of package curations is not allowed in the *.ort.yml file.
2023-11-07T15:17:49.6638747Z Writing evaluation result to '/home/ort/.ort/ort-results/evaluation-result.json'.
2023-11-07T15:17:49.9609280Z Resolved rule violations: 0 errors, 0 warnings, 0 hints.
2023-11-07T15:17:49.9620300Z Unresolved rule violations: 1 error, 1 warning, 0 hints.
2023-11-07T15:17:49.9658249Z There are 2 unresolved rule violationss with a severity equal to or greater than the WARNING threshold.

The recommendation:

Please use a global package curation in the ort-config repository.

@scottschreckengaust
Author

This line actually indicates that the curation has been applied, but there seem to be some bugs in the way the GitHub action calls ORT. It will take me some time to look into this as I'm currently traveling.

Yes:
Applied 1 curation(s) from 1 of 3 provider(s).

@scottschreckengaust
Author

@sschuberth The analyzer seems to pick up the .ort.yml; it is the evaluator that signals an error when local curations or configurations are used: https://github.com/oss-review-toolkit/ort-config/blob/ae41944655466de6f63875a6b55ea0d4ccc19780/evaluator.rules.kts#L1370-L1386

I have a PR for changing the error -> warning oss-review-toolkit/ort-config#141

@sschuberth
Member

it is the evaluator which signals an error when local curations or configurations are used

Good finding, I was confused by this myself.

sschuberth pushed a commit to oss-review-toolkit/ort-config that referenced this issue Nov 15, 2023
Because a repository configuration or curation may be purposeful,
declare a `WARNING` instead of `ERROR` for the evaluator.

Resolves oss-review-toolkit/ort#7753

Signed-off-by: Scott Schreckengaust <[email protected]>
@scottschreckengaust
Author

@sschuberth There is still the issue in reporting when the package curations switch and the now added configurations switch are set to true. Is a conditional switch warranted in the evaluator?

if (ortConfig.enableRepositoryPackageCurations) {
?

Updated the GitHub action because "@v1" was failing (oss-review-toolkit/ort-ci-github-action#28), so I pinned it to a commit hash and added the second switch to enable repository configurations; also, for completeness, mapped the license:

.ort.yml

---
curations:
  packages:
  - id: "PyPI::numpy:1.26.1"
    curations:
      comment: "The https://github.com/numpy/numpy/blob/v1.26.1/LICENSE.txt, as a permissive license similar to the BSD 2-Clause License, but with a 3rd clause that prohibits others from using the name of the copyright holder or its contributors to promote derived products without written consent."
      declared_license_mapping:
        "BSD License": "BSD-3-Clause"
      concluded_license: "BSD-3-Clause"

.github/workflows/orter.yml

---
name: ort-toolkit
on:
  push:
    branches:
      - main
  workflow_dispatch: {}
jobs:
  ort:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Checkout project
        uses: actions/checkout@v3
      - name: Run GitHub Action for ORT
        uses: oss-review-toolkit/ort-ci-github-action@7f23c1f8d169dad430e41df223d3b8409c7a156e
        with:
          ort-cli-args: '-P ort.forceOverwrite=true -P ort.enableRepositoryPackageConfigurations=true -P ort.enableRepositoryPackageCurations=true --stacktrace'

@sschuberth
Member

There is still the issue in reporting

Sorry, I'm not sure I follow... what do you mean by "in reporting"? In some report created by ORT's reporter?

@scottschreckengaust
Author

There is still the issue in reporting

Sorry, I'm not sure I follow... what do you mean by "in reporting"? In some report created by ORT's reporter?

@sschuberth: Yes, I would assume with the enabled flags, no violation would be reported. For example, here is a screenshot from the action's artifact https://github.com/scottschreckengaust/orter/suites/18217645706/artifacts/1052044021.

(screenshot: summary showing rule violation)

@sschuberth
Member

Yes, I would assume with the enabled flags, no violation would be reported.

Well, in the discussion with @fviernau for your PR I unfortunately wasn't able to convince him to not emit this violation at all (or at least relax its wording, or only complain if there are repository configurations / curations present although the feature is disabled).

Personally, I agree that the wording is misleading as it's unclear whether something actually did not work, and it also discourages the use of an IMO perfectly valid feature in ORT.

The simple solution is to not use evaluator.rules.kts from the ort-config repo, but your own.
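As an added illustration (Python, neither ORT's code nor anything posted in this thread), here is the conditional rule discussed above: complain only when repository package curations are present and ort.enableRepositoryPackageCurations is not true. The two .ort.yml layouts and the ort-cli-args string posted earlier are embedded as pre-parsed constants so it runs without PyYAML; the MALFORMED_REPOSITORY_CURATIONS rule id is hypothetical.

```python
"""Illustration (not ORT code): decide whether repository package curations in an
.ort.yml take effect, given the -P properties passed via ort-cli-args."""
import shlex

# Constructed inputs: the two .ort.yml layouts from this thread, pre-parsed to dicts
# (the first has no `packages:` level), plus the final workflow's ort-cli-args.
ORT_YML_FIRST = {"curations": [
    {"id": "PyPI::numpy:1.26.1", "curations": {"concluded_license": "BSD-3-Clause"}}]}
ORT_YML_FIXED = {"curations": {"packages": [
    {"id": "PyPI::numpy:1.26.1", "curations": {
        "declared_license_mapping": {"BSD License": "BSD-3-Clause"},
        "concluded_license": "BSD-3-Clause"}}]}}
CLI_ARGS_FIXED = ("-P ort.forceOverwrite=true -P ort.enableRepositoryPackageConfigurations=true "
                  "-P ort.enableRepositoryPackageCurations=true --stacktrace")


def parse_ort_properties(cli_args):
    """Collect `-P key=value` pairs from an ort-cli-args string into a dict."""
    tokens = shlex.split(cli_args)
    props = {}
    for flag, kv in zip(tokens, tokens[1:]):
        if flag == "-P" and "=" in kv:
            key, _, value = kv.partition("=")
            props[key] = value
    return props


def check_repository_curations(ort_yml, props):
    """Return violations shaped like ORT's evaluation-result entries (rule,
    severity, message). Unlike the ort-config rule discussed in this thread,
    it complains only when curations are present and the enabling flag is off."""
    curations = ort_yml.get("curations")
    if curations is None:
        return []  # no repository curations at all, nothing to check
    packages = curations.get("packages") if isinstance(curations, dict) else None
    if packages is None:
        # Hypothetical rule id: the file does not have the curations/packages layout.
        return [{"rule": "MALFORMED_REPOSITORY_CURATIONS", "severity": "ERROR",
                 "message": "curations: must hold a packages: list of {id, curations} entries"}]
    enabled = props.get("ort.enableRepositoryPackageCurations", "false").lower() == "true"
    if packages and not enabled:
        return [{"rule": "PACKAGE_CURATION_IN_ORT_YML", "severity": "ERROR",
                 "message": f"{len(packages)} repository package curation(s) present but "
                            "ort.enableRepositoryPackageCurations is not true; they are ignored"}]
    return []
```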

@scottschreckengaust
Author

The simple solution is to not use evaluator.rules.kts from the ort-config repo, but your own.

Is it also a solution to add to the curations, https://github.com/oss-review-toolkit/ort-config/tree/main/curations?

@sschuberth
Member

Is also a solution to add to the curations

I'm not sure what you mean, but in general you can just copy any configuration files / directories that you like / want to use from the ort-config repo, put them in your own repo, and amend the config with your own files. So yes, you could e.g. only take the curations from ort-config, but use your own evaluator.rules.kts.
