refactor(Repository): Add RepositoryProvenance attribute

[pepper-jk]

This draft includes the first changes for my personal POC for the LocalProvenance Input discussed in #8803.
As it's scope is so small, it might be good first contribution towards that goal.
If not, feel free to let me know. All feedback is welcome.

The Repository data structure seems the easiest place to allow Provenances as Analyzer and Scanner input.
This avoids refactoring the attributes of higher level data structures, such as OrtResult.
At the moment the implementation limits it to RepositoryProvence though, in order to keep its previous behavior. To that end, it also continues to expose the raw VcsInfo of the provenance as its vcs attribute.

Signed-off-by: Jens Keim [email protected]

[pepper-jk]

Just a rebase onto 66.1.0.

[pepper-jk]

Okay, according to the tests, I clearly missed something.
Unfortunately, I need to finish up for the week, so I will be back at this on Monday.
If you have any feedback or input on the failing tests in the meantime, it would be greatly appreciated.

[codecov]

Codecov Report

❌ Patch coverage is 0% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 57.54%. Comparing base (783c6d5) to head (c45f7ba).

Files with missing lines	Patch %	Lines
...ands/CreateAnalyzerResultFromPackageListCommand.kt	0.00%	5 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               main   #10575      +/-   ##
============================================
- Coverage     57.57%   57.54%   -0.03%     
  Complexity     1702     1702              
============================================
  Files           346      346              
  Lines         12829    12833       +4     
  Branches       1212     1212              
============================================
- Hits           7386     7385       -1     
- Misses         4978     4983       +5     
  Partials        465      465              

Flag	Coverage Δ
funTest-docker	71.03% <ø> (+0.04%)	⬆️
test-ubuntu-24.04	42.28% <0.00%> (-0.02%)	⬇️
test-windows-2025	42.26% <0.00%> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sschuberth]

If you have any feedback or input on the failing tests in the meantime, it would be greatly appreciated.

I think the general problem is that older ORT results that do not contain a RepositoryProvenance still need to be deserializable. You probably need to write a custom deserializer for that...

[pepper-jk]

I think the general problem is that older ORT results that do not contain a RepositoryProvenance still need to be deserializable. You probably need to write a custom deserializer for that...

Thanks for the hint, adding the custom Deserializer fixed a lot of tests. Quite some progress today.

Working on fixing the other tests. Will get back to it tomorrow.

[pepper-jk]

@sschuberth @mnonnenmacher
Not quite done yet, but feedback on the fixes for the tests so far would be awesome for tomorrow. 😃

[sschuberth]

Not quite done yet, but feedback on the fixes for the tests so far would be awesome for tomorrow. 😃

Sorry, I'll not be available tomorrow.

[pepper-jk]

Not quite done yet, but feedback on the fixes for the tests so far would be awesome for tomorrow. 😃

Sorry, I'll not be available tomorrow.

Oh, my bad. I forgot. See you next week.

[sschuberth]

@pepper-jk, please rebase to get rid of a test failure.

[pepper-jk]

@pepper-jk, please rebase to get rid of a test failure.

I think the failing test is unrelated. The Expat package got a security update on September 16, and Conan is delivering the new package now.

[sschuberth]

@pepper-jk, please rebase to get rid of a test failure.

I think the failing test is unrelated. The Expat package got a security update on September 16, and Conan is delivering the new package now.

That's exactly the reason why you should do the rebase 😉 We fixed that already in main.

[pepper-jk]

@pepper-jk, please rebase to get rid of a test failure.

I think the failing test is unrelated. The Expat package got a security update on September 16, and Conan is delivering the new package now.

That's exactly the reason why you should do the rebase 😉 We fixed that already in main.

I am already working on the rebase as we speak. I was just checking the tests first to be sure yesterdays changes did not mess anything up.

[pepper-jk]

Rebased on 68.2.0 to check in on tests. WIll rebase on main after.

[pepper-jk]

Rebased on current main now.

[pepper-jk]

As discussed in the community meeting today, the Repository should contain normalized vcsInfo and resolved revisions.

This should solve the remaining two threads. So that is what I will be working on now.

[pepper-jk]

The EvaluatedModelReporterFunTests are currently failing, since the Deserializer can not extract a resolvedRevison from the legacy Repository data structure, as the vcs_processed only references master. See reporter-test-input.yml, which is used as input in the tests.

I assume I would need to iterate over the other nodes in the file and get the resolved_revision from a provenance, e.g. inside the scanner at L542 or the list of provenances at L438.

Since there is a findParent method, I assume it would at least be possible to iterate over other nodes from inside a Deserializer, but I have not confirmed this yet.

@sschuberth @mnonnenmacher Before I continue on this hunch, could you way in on the issue?

[pepper-jk]

Rebased onto main aka 69.0.0.