PNPM: ort analyse exists with ERROR when PNPM-reference does not refer to a package.

[thomasscheer]

Describe the bug

ort analyse completly fails running docker: ort analyse with PNPM resolution fails, if a PNPM-reference does not refer to a package.

Steps to reproduce the behavior:

1. pnpm install with internal PNPM-references
2. pnpm list
3. pnpm info
4. See error

Expected behavior

PNPM resolution finished with no failure for references, that do not actually refer to packages:
Possible exit-values from PNPM should be catched from ORT.
Otherwise ort analyse does not even reports an analyse-file.

Console / log output

[DefaultDispatcher-worker-2] INFO org.ossreviewtoolkit.analyzer.PackageManager - PNPM resolved dependencies for path 'js/package.json' in 10m 4.272495485s.

Exception in thread "main" java.lang.IllegalArgumentException: The following references do not actually refer to packages: 'NPM:@backbone:platform-ontology:', 'NPM:@root:bb-ontology:', 'NPM:@root:alg-ontology:', 'NPM:@backbone:geni-ontology:', 'NPM:@backbone:ia-ontology:', 'NPM:@backbone:mm-ontology:', 'NPM:@backbone:spijk-ontology:', 'NPM:@root:time-ontology:', 'NPM:@backbone:proactivity-ontology:', 'NPM:@backbone:driveui-ontology:'.

at org.ossreviewtoolkit.model.utils.DependencyGraphBuilder.checkReferences(DependencyGraphBuilder.kt:207)
at org.ossreviewtoolkit.model.utils.DependencyGraphBuilder.build(DependencyGraphBuilder.kt:177)
at org.ossreviewtoolkit.model.utils.DependencyGraphBuilder.build$default(DependencyGraphBuilder.kt:176)
at org.ossreviewtoolkit.plugins.packagemanagers.node.NodePackageManager.createPackageManagerResult(NodePackageManager.kt:121)
at org.ossreviewtoolkit.analyzer.PackageManager.resolveDependencies(PackageManager.kt:363)
at org.ossreviewtoolkit.analyzer.PackageManagerRunner$run$3.invokeSuspend(Analyzer.kt:354)
at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:34)
at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:100)
at kotlinx.coroutines.internal.LimitedDispatcher$Worker.run(LimitedDispatcher.kt:124)
at kotlinx.coroutines.scheduling.TaskImpl.run(Tasks.kt:89)
at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:586)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:820)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:717)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:704)

After the error message, ort analyse FAILS without an analyse-file.

Environment

• ORT version: 77.0.0
• Java version: 17
• OS: Docker + Linux

[fviernau]

@thomasscheer could you provide a reproducer?

[thomasscheer]

@fviernau
I tried to create a public reproducer, but how should I do that with packages, that are not public?

Next to that, it looks like the problem has nothing to do with (p)npm but with the validation step in ort which detects edges referencing to non-existent nodes or e.g. for version = (empty) packages. (NPM:@backbone:mm-ontology:'
I just found the same error here: #9699

So it seems that a failure in ORT’s graph consistency check breaks the complete graph creation.

[sschuberth]

Maybe try first if the reproducer from #11378 also makes PNPM analysis fail.

[thomasscheer]

"Unfortunatelty" PNPM analysis in ort 78.0.0 does not fail with the package.json from #11378

Found 1 project(s) and 124 package(s) in total (not counting excluded ones).

But also NPM runs through but "Found 0 project(s) and 0 package(s) in total (not counting excluded ones)."

[fviernau]

@thomasscheer I have no idea how to work on this issue. Any idea how this could be made reproducible? Maybe publishing a dummy package to a (private) NPM github package registry?

Note: Also sharing the output of pnpm list --json --recursive --depth Infinity could be provided for your original setup in the ticket (run after a pnpm install).