feat(model): Guard duplicate scan results / file lists per provenance

maennchen · sschuberth · commit ac417693bc24 · 2025-07-29T21:05:00.000+02:00
* `ScannerRun.init`
  - Add a `require` check that no two `ScanResult`s share the same
    provenance and scanner.
  - Add a similar check that no two `FileList`s share the same provenance.
  The offending provenance is rendered via `toYaml()` to aid debugging.

* `ScannerRunTest`
  - Introduce two unit tests that assert an `IllegalArgumentException` is
    thrown when duplicates are present for scan results or file lists,
    respectively.

* `FreeMarkerTemplateProcessorTest`
  - Provide distinct vcsInfo to tests.

These runtime checks make improper scan runs surface early and provide
clear error messages.

Signed-off-by: Jonatan Männchen &lt;jonatan@maennchen.ch&gt;
diff --git a/model/src/main/kotlin/ScannerRun.kt b/model/src/main/kotlin/ScannerRun.kt
@@ -135,6 +135,20 @@ data class ScannerRun(
             }
         }
 
+        scanResults.getDuplicates { it.provenance to it.scanner }.keys.also { duplicates ->
+            require(duplicates.isEmpty()) {
+                val (dupProvenance, dupScanner) = duplicates.first()
+
+                buildString {
+                    appendLine("Found multiple scan results for the same provenance and scanner.")
+                    appendLine("Scanner:")
+                    appendLine(dupScanner.toYaml())
+                    appendLine("Provenance:")
+                    append(dupProvenance.toYaml())
+                }
+            }
+        }
+
         provenances.getDuplicates { it.id }.keys.also { idsForDuplicateProvenanceResolutionResults ->
             require(idsForDuplicateProvenanceResolutionResults.isEmpty()) {
                 "Found multiple provenance resolution results for the following ids: " +
@@ -173,6 +187,13 @@ data class ScannerRun(
                 }
             }
         }
+
+        files.getDuplicates { it.provenance }.keys.also { duplicateProvenances ->
+            require(duplicateProvenances.isEmpty()) {
+                "Found multiple file lists for the same provenance:\n" +
+                    duplicateProvenances.first().toYaml()
+            }
+        }
     }
 
     private val provenancesById: Map<Identifier, ProvenanceResolutionResult> by lazy {
diff --git a/model/src/test/kotlin/ScannerRunTest.kt b/model/src/test/kotlin/ScannerRunTest.kt
@@ -36,6 +36,154 @@ import org.ossreviewtoolkit.model.utils.clearVcsPath
 import org.ossreviewtoolkit.utils.ort.Environment
 
 class ScannerRunTest : WordSpec({
+    "init" should {
+        "error on duplicate provenance and scanner scan results" {
+            val provenance = RepositoryProvenance(
+                VcsInfo(type = VcsType.GIT, url = "https://github.com/example.git", revision = "revision"),
+                "revision"
+            )
+            val otherProvenance = RepositoryProvenance(
+                VcsInfo(type = VcsType.GIT, url = "https://github.com/example.git", revision = "other_revision"),
+                "other_revision"
+            )
+            val provenances = setOf(
+                ProvenanceResolutionResult(
+                    id = Identifier("maven::example:1.0"),
+                    packageProvenance = provenance
+                ),
+                ProvenanceResolutionResult(
+                    id = Identifier("maven::other_example:1.0"),
+                    packageProvenance = otherProvenance
+                )
+            )
+
+            val scanner = ScannerDetails("scanner", "1.0.0", "configuration")
+            val otherScanner = ScannerDetails("other-scanner", "1.0.0", "configuration")
+
+            // Shared provenance and scanner.
+            shouldThrow<IllegalArgumentException> {
+                ScannerRun.EMPTY.copy(
+                    provenances = provenances,
+                    scanResults = setOf(
+                        ScanResult(
+                            provenance = provenance,
+                            scanner = scanner,
+                            summary = ScanSummary.EMPTY.copy(
+                                licenseFindings = setOf(
+                                    LicenseFinding("MIT", TextLocation("file1.txt", 1, 1))
+                                )
+                            )
+                        ),
+                        ScanResult(
+                            provenance = provenance,
+                            scanner = scanner,
+                            summary = ScanSummary.EMPTY.copy(
+                                licenseFindings = setOf(
+                                    LicenseFinding("MIT", TextLocation("file2.txt", 1, 1))
+                                )
+                            )
+                        )
+                    )
+                )
+            }.message shouldBe buildString {
+                appendLine("Found multiple scan results for the same provenance and scanner.")
+                appendLine("Scanner:")
+                appendLine(scanner.toYaml())
+                appendLine("Provenance:")
+                append(provenance.toYaml())
+            }
+
+            // Shared provenance and different scanners.
+            ScannerRun.EMPTY.copy(
+                provenances = provenances,
+                scanResults = setOf(
+                    ScanResult(
+                        provenance = provenance,
+                        scanner = scanner,
+                        summary = ScanSummary.EMPTY.copy(
+                            licenseFindings = setOf(
+                                LicenseFinding("MIT", TextLocation("file1.txt", 1, 1))
+                            )
+                        )
+                    ),
+                    ScanResult(
+                        provenance = provenance,
+                        scanner = otherScanner,
+                        summary = ScanSummary.EMPTY.copy(
+                            licenseFindings = setOf(
+                                LicenseFinding("MIT", TextLocation("file2.txt", 1, 1))
+                            )
+                        )
+                    )
+                )
+            )
+
+            // Different provenance and shared scanner.
+            ScannerRun.EMPTY.copy(
+                provenances = provenances,
+                scanResults = setOf(
+                    ScanResult(
+                        provenance = provenance,
+                        scanner = scanner,
+                        summary = ScanSummary.EMPTY.copy(
+                            licenseFindings = setOf(
+                                LicenseFinding("MIT", TextLocation("file1.txt", 1, 1))
+                            )
+                        )
+                    ),
+                    ScanResult(
+                        provenance = otherProvenance,
+                        scanner = scanner,
+                        summary = ScanSummary.EMPTY.copy(
+                            licenseFindings = setOf(
+                                LicenseFinding("MIT", TextLocation("file2.txt", 1, 1))
+                            )
+                        )
+                    )
+                )
+            )
+        }
+
+        "error on duplicate provenance file lists" {
+            val provenance = RepositoryProvenance(
+                VcsInfo(type = VcsType.GIT, url = "https://github.com/example.git", revision = "revision"),
+                "revision"
+            )
+
+            shouldThrow<IllegalArgumentException> {
+                ScannerRun.EMPTY.copy(
+                    provenances = setOf(
+                        ProvenanceResolutionResult(
+                            id = Identifier("maven::other_example:1.0"),
+                            packageProvenance = provenance
+                        )
+                    ),
+                    files = setOf(
+                        FileList(
+                            provenance = provenance,
+                            files = setOf(
+                                Entry(
+                                    path = "vcs/path/file1.txt",
+                                    sha1 = "1111111111111111111111111111111111111111"
+                                )
+                            )
+                        ),
+                        FileList(
+                            provenance = provenance,
+                            files = setOf(
+                                Entry(
+                                    path = "some/dir/file2.txt",
+                                    sha1 = "2222222222222222222222222222222222222222"
+                                )
+                            )
+                        )
+                    )
+                )
+            }.message shouldBe "Found multiple file lists for the same provenance:\n" +
+                provenance.toYaml()
+        }
+    }
+
     "getFileList()" should {
         "filter by VCS path and merge sub-repository lists as expected" {
             val id = Identifier("a:b:c:1.0.0")
diff --git a/plugins/reporters/freemarker/src/test/kotlin/FreeMarkerTemplateProcessorTest.kt b/plugins/reporters/freemarker/src/test/kotlin/FreeMarkerTemplateProcessorTest.kt
@@ -89,11 +89,14 @@ private fun scanResults(vcsInfo: VcsInfo, findingsPaths: Collection<String>): Li
     )
 }
 
-private val PROJECT_VCS_INFO = VcsInfo(
+private val PROJECT_ROOT_VCS_INFO = VcsInfo(
     type = VcsType.GIT_REPO,
     url = "ssh://git@host/manifests/repo?manifest=path/to/manifest.xml",
     revision = "deadbeaf44444444333333332222222211111111"
 )
+private val PROJECT_SUB_VCS_INFO = PROJECT_ROOT_VCS_INFO.copy(
+    path = "sub-dir"
+)
 private val NESTED_VCS_INFO = VcsInfo(
     type = VcsType.GIT,
     url = "ssh://git@host/project/repo",
@@ -107,7 +110,7 @@ private val idNestedProject = Identifier("SpdxDocumentFile:@ort:project-in-neste
 
 private val ORT_RESULT = OrtResult(
     repository = Repository(
-        vcs = PROJECT_VCS_INFO,
+        vcs = PROJECT_ROOT_VCS_INFO,
         config = RepositoryConfiguration(),
         nestedRepositories = mapOf("nested-vcs-dir" to NESTED_VCS_INFO)
     ),
@@ -117,12 +120,12 @@ private val ORT_RESULT = OrtResult(
                 Project.EMPTY.copy(
                     id = idRootProject,
                     definitionFilePath = "package.json",
-                    vcsProcessed = PROJECT_VCS_INFO
+                    vcsProcessed = PROJECT_ROOT_VCS_INFO
                 ),
                 Project.EMPTY.copy(
                     id = idSubProject,
                     definitionFilePath = "sub-dir/project.spdx.yml",
-                    vcsProcessed = PROJECT_VCS_INFO
+                    vcsProcessed = PROJECT_ROOT_VCS_INFO
                 ),
                 Project.EMPTY.copy(
                     id = idNestedProject,
@@ -134,15 +137,15 @@ private val ORT_RESULT = OrtResult(
     ),
     scanner = scannerRunOf(
         idRootProject to scanResults(
-            vcsInfo = PROJECT_VCS_INFO,
+            vcsInfo = PROJECT_ROOT_VCS_INFO,
             findingsPaths = listOf(
                 "src/main.js",
                 "sub-dir/src/main.cpp",
                 "nested-vcs-dir/src/main.cpp"
             )
         ),
         idSubProject to scanResults(
-            vcsInfo = PROJECT_VCS_INFO,
+            vcsInfo = PROJECT_SUB_VCS_INFO,
             findingsPaths = listOf(
                 "sub-dir/src/main.cpp"
             )
diff --git a/utils/test/src/main/kotlin/Utils.kt b/utils/test/src/main/kotlin/Utils.kt
@@ -151,12 +151,18 @@ fun scannerRunOf(vararg pkgScanResults: Pair<Identifier, List<ScanResult>>): Sca
         }
     }
 
-    val scanResults = pkgScanResultsWithKnownProvenance.values.flatten().mapTo(mutableSetOf()) { scanResult ->
-        scanResult.copy(
-            provenance = (scanResult.provenance as? RepositoryProvenance)?.clearVcsPath()?.alignRevisions()
-                ?: scanResult.provenance
-        )
-    }
+    val scanResults = pkgScanResultsWithKnownProvenance.values.flatten()
+        .map { scanResult ->
+            scanResult.copy(
+                provenance = (scanResult.provenance as? RepositoryProvenance)?.clearVcsPath()?.alignRevisions()
+                    ?: scanResult.provenance
+            )
+        }
+        .groupBy { it.provenance to it.scanner }
+        .values
+        .mapTo(mutableSetOf()) { scanResults ->
+            scanResults.reduce { acc, next -> acc + next }
+        }
 
     val filePathsByProvenance = scanResults.mapNotNull { scanResult ->
         val provenance = scanResult.provenance as? KnownProvenance ?: return@mapNotNull null

Original file line number	Diff line number	Diff line change
`@@ -135,6 +135,20 @@ data class ScannerRun(`
`135`	`135`	`}`
`136`	`136`	`}`
`137`	`137`
	`138`	`+ scanResults.getDuplicates { it.provenance to it.scanner }.keys.also { duplicates ->`
	`139`	`+ require(duplicates.isEmpty()) {`
	`140`	`+ val (dupProvenance, dupScanner) = duplicates.first()`
	`141`	`+`
	`142`	`+ buildString {`
	`143`	`+ appendLine("Found multiple scan results for the same provenance and scanner.")`
	`144`	`+ appendLine("Scanner:")`
	`145`	`+ appendLine(dupScanner.toYaml())`
	`146`	`+ appendLine("Provenance:")`
	`147`	`+ append(dupProvenance.toYaml())`
	`148`	`+ }`
	`149`	`+ }`
	`150`	`+ }`
	`151`	`+`
`138`	`152`	`provenances.getDuplicates { it.id }.keys.also { idsForDuplicateProvenanceResolutionResults ->`
`139`	`153`	`require(idsForDuplicateProvenanceResolutionResults.isEmpty()) {`
`140`	`154`	`"Found multiple provenance resolution results for the following ids: " +`
`@@ -173,6 +187,13 @@ data class ScannerRun(`
`173`	`187`	`}`
`174`	`188`	`}`
`175`	`189`	`}`
	`190`	`+`
	`191`	`+ files.getDuplicates { it.provenance }.keys.also { duplicateProvenances ->`
	`192`	`+ require(duplicateProvenances.isEmpty()) {`
	`193`	`+ "Found multiple file lists for the same provenance:\n" +`
	`194`	`+ duplicateProvenances.first().toYaml()`
	`195`	`+ }`
	`196`	`+ }`
`176`	`197`	`}`
`177`	`198`
`178`	`199`	`private val provenancesById: Map<Identifier, ProvenanceResolutionResult> by lazy {`