Outdated or Inaccessible VCS #9502
-
There is. We call them "package curations" as they are able to curate metadata errors, like the declared VCS location, for packages. See the docs and real-life use-cases.
It's implied by existing VCS curations: Simply put, any VCS URL for which there is a curation would fail otherwise.
-
Yeah, I knew about ort-config and curations, but the ones I keep encountering don't have curations there, like the one I provided above. Should I be using the other curation sources for better coverage?
-
Hi ORT team,
What's the best way to deal with the types of scanner failures below due to old or inaccessible VCS systems? I'd prefer to simply skip the scan when the Analyzer resolves these packages to outdated VCS systems like SourceForge, since it takes the scanner/downloader 30-60s to time out on them. Assuming there's no workaround to locate the source, is there a way to configure the scanner to skip them, or skip known outdated/bad VCS URLs? I can work around this by checking the Analyzer provenance prior to scanning, but would like to know the approved solution.
Please let me know if I'm missing something more fundamental like configuring additional VCS providers and/or curations prior to scanning.
Finally, is there a known list of VCS URLs that will fail (no longer exist), for all package managers, not just Java/Maven?
Thanks!
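The pre-scan provenance check the question mentions as a workaround, sketched as an added example that is not part of the original post and not ORT's own code: it lists packages whose processed VCS URL points at a host on an operator-maintained list, so they can be curated or left out before the scanner times out on them. The JSON layout (`analyzer.result.packages[].vcs_processed.url`), the host list and the package ids are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Hypothetical, operator-maintained list of VCS hosts known to time out.
DEAD_VCS_HOSTS = {"sourceforge.net"}

# Constructed sample shaped like an analyzer result written as JSON (assumed layout).
SAMPLE_ANALYZER_RESULT = json.dumps({"analyzer": {"result": {"packages": [
    {"id": "Maven:com.example:legacy-lib:1.0", "vcs_processed": {
        "type": "Subversion",
        "url": "https://legacy-lib.svn.sourceforge.net/svnroot/legacy-lib"}},
    {"id": "Maven:com.example:modern-lib:2.3", "vcs_processed": {
        "type": "Git", "url": "https://github.com/example/modern-lib.git"}},
    {"id": "NPM::lookalike:1.0.0", "vcs_processed": {
        "type": "Git", "url": "https://notsourceforge.net/repo.git"}},
    {"id": "PyPI::scp-style:0.1", "vcs_processed": {
        "type": "Git", "url": "git@git.code.sourceforge.net:p/scp-style/code"}},
    {"id": "PyPI::no-vcs:0.2", "vcs_processed": {"type": "", "url": ""}},
]}}})


def vcs_host(url):
    """Return the lower-cased host of a VCS URL, including scp-like git URLs."""
    if "://" not in url:
        # scp-like syntax: [user@]host:path
        head = url.split(":", 1)[0]
        return head.rsplit("@", 1)[-1].lower()
    return (urlsplit(url).hostname or "").lower()


def on_dead_host(url, dead_hosts=DEAD_VCS_HOSTS):
    """Match the host or any subdomain of it, never a look-alike domain."""
    host = vcs_host(url)
    return any(host == d or host.endswith("." + d) for d in dead_hosts)


def unreachable_packages(analyzer_json, dead_hosts=DEAD_VCS_HOSTS):
    """Map package id -> VCS URL for packages hosted on a listed dead host."""
    result = json.loads(analyzer_json)["analyzer"]["result"]
    flagged = {}
    for pkg in result.get("packages", []):
        url = (pkg.get("vcs_processed") or {}).get("url", "")
        if url and on_dead_host(url, dead_hosts):
            flagged[pkg["id"]] = url
    return flagged


if __name__ == "__main__":
    for pkg_id, url in unreachable_packages(SAMPLE_ANALYZER_RESULT).items():
        print(f"{pkg_id}\t{url}")
```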