feat(scanner): Store VCS plugin config in NestedProvenanceStorage

wkl3nk · wkl3nk · commit 2a74519bf4ea · 2025-05-20T12:22:24.000+02:00
If particular VCS plugin configurations are active during a
scan (like `submoduleFetchStrategy=TOP_LEVEL_ONLY`),
ensure that VCS plugin configurations are stored alongside nested
provenance data. This prevents reuse of cache entries across scans
with differing VCS plugin settings, ensuring correctness and
reliability of scan results.

However, there remains a small risk that other dependencies are
not fully resolved in such a scenario where the WorkingTreeCache
is limited to the first level of submodules. But this is rather
small, because other open source dependencies typically don't
use nested submodules at all.

Signed-off-by: Wolfgang Klenk &lt;wolfgang.klenk2@bosch.com&gt;
diff --git a/dao/src/main/kotlin/tables/NestedProvenancesTable.kt b/dao/src/main/kotlin/tables/NestedProvenancesTable.kt
@@ -35,6 +35,11 @@ object NestedProvenancesTable : LongIdTable("nested_provenances") {
 
     val rootResolvedRevision = text("root_resolved_revision")
     val hasOnlyFixedRevisions = bool("has_only_fixed_revisions")
+
+    // If specific VCS plugin configurations are used, store a canonical string representation of these configuration
+    // options in this column. This ensures that results are only reused for scans with identical VCS plugin
+    // configurations.
+    val vcsPluginConfigs = text("vcs_plugin_configs").nullable()
 }
 
 class NestedProvenanceDao(id: EntityID<Long>) : LongEntity(id) {
@@ -44,6 +49,7 @@ class NestedProvenanceDao(id: EntityID<Long>) : LongEntity(id) {
 
     var rootResolvedRevision by NestedProvenancesTable.rootResolvedRevision
     var hasOnlyFixedRevisions by NestedProvenancesTable.hasOnlyFixedRevisions
+    var vcsPluginConfigs by NestedProvenancesTable.vcsPluginConfigs
 
     val packageProvenances by PackageProvenanceDao optionalReferrersOn PackageProvenancesTable.nestedProvenanceId
     val subRepositories by NestedProvenanceSubRepositoryDao referrersOn
diff --git a/dao/src/main/resources/db/migration/V105__addNestedProvenancesConfiguration.sql b/dao/src/main/resources/db/migration/V105__addNestedProvenancesConfiguration.sql
@@ -0,0 +1,2 @@
+ALTER TABLE nested_provenances
+    ADD COLUMN vcs_plugin_configs text DEFAULT NULL;
diff --git a/workers/scanner/src/main/kotlin/scanner/OrtServerNestedProvenanceStorage.kt b/workers/scanner/src/main/kotlin/scanner/OrtServerNestedProvenanceStorage.kt
@@ -42,7 +42,8 @@ import org.ossreviewtoolkit.utils.ort.runBlocking
 
 class OrtServerNestedProvenanceStorage(
     private val db: Database,
-    private val packageProvenanceCache: PackageProvenanceCache
+    private val packageProvenanceCache: PackageProvenanceCache,
+    private val vcsPluginConfigs: String?
 ) : NestedProvenanceStorage {
     override fun writeNestedProvenance(
         root: RepositoryProvenance,
@@ -64,6 +65,7 @@ class OrtServerNestedProvenanceStorage(
             rootVcs = vcsDao
             rootResolvedRevision = root.resolvedRevision
             hasOnlyFixedRevisions = result.hasOnlyFixedRevisions
+            vcsPluginConfigs = this@OrtServerNestedProvenanceStorage.vcsPluginConfigs
         }
 
         result.nestedProvenance.subRepositories.forEach { (path, repositoryProvenance) ->
@@ -89,7 +91,11 @@ class OrtServerNestedProvenanceStorage(
                 .where {
                     VcsInfoTable.type eq resolvedVcs.type.name and
                             (VcsInfoTable.url eq resolvedVcs.url) and
-                            (VcsInfoTable.revision eq resolvedVcs.revision)
+                            (VcsInfoTable.revision eq resolvedVcs.revision) and
+                            (
+                                    NestedProvenancesTable.vcsPluginConfigs eq
+                                            this@OrtServerNestedProvenanceStorage.vcsPluginConfigs
+                                    )
                 }.orderBy(NestedProvenancesTable.id to SortOrder.DESC)
                 .limit(1)
                 .singleOrNull()
diff --git a/workers/scanner/src/main/kotlin/scanner/ScannerRunner.kt b/workers/scanner/src/main/kotlin/scanner/ScannerRunner.kt
@@ -52,6 +52,18 @@ class ScannerRunner(
     private val fileArchiver: FileArchiver,
     private val fileListStorage: OrtServerFileListStorage
 ) {
+    companion object {
+        /**
+         * Convert the VCS plugin configurations to a canonical string representation. If there are no VCS plugin
+         * configurations, return null.
+         */
+        fun createCanonicalVcsPluginConfigs(vcsPluginConfigs: Map<String, PluginConfig>) =
+            vcsPluginConfigs.keys.sorted().joinToString(separator = "&") { vcs ->
+                vcsPluginConfigs[vcs]?.options.orEmpty()
+                    .toSortedMap().entries.joinToString(separator = "&") { (key, value) -> "$vcs/$key/$value" }
+            }.ifEmpty { null }
+    }
+
     suspend fun run(
         context: WorkerContext,
         ortResult: OrtResult,
@@ -78,9 +90,14 @@ class ScannerRunner(
             )
         }
 
+        val canonicalVcsPluginConfigs = createCanonicalVcsPluginConfigs(vcsPluginConfigs)
         val packageProvenanceCache = PackageProvenanceCache()
         val packageProvenanceStorage = OrtServerPackageProvenanceStorage(db, scannerRunId, packageProvenanceCache)
-        val nestedProvenanceStorage = OrtServerNestedProvenanceStorage(db, packageProvenanceCache)
+        val nestedProvenanceStorage = OrtServerNestedProvenanceStorage(
+            db,
+            packageProvenanceCache,
+            canonicalVcsPluginConfigs
+        )
         val scanResultStorage = OrtServerScanResultStorage(db, scannerRunId)
 
         val scanStorages = ScanStorages(
diff --git a/workers/scanner/src/test/kotlin/OrtServerNestedProvenanceStorageTest.kt b/workers/scanner/src/test/kotlin/OrtServerNestedProvenanceStorageTest.kt
@@ -64,7 +64,11 @@ class OrtServerNestedProvenanceStorageTest : WordSpec() {
             packageProvenanceCache = PackageProvenanceCache()
             packageProvenanceStorage =
                 OrtServerPackageProvenanceStorage(dbExtension.db, scannerRun.id, packageProvenanceCache)
-            nestedProvenanceStorage = OrtServerNestedProvenanceStorage(dbExtension.db, packageProvenanceCache)
+            nestedProvenanceStorage = OrtServerNestedProvenanceStorage(
+                dbExtension.db,
+                packageProvenanceCache,
+                ""
+            )
 
             packageProvenanceStorage.writeProvenance(id, vcsInfo, packageProvenance)
         }
@@ -209,7 +213,11 @@ class OrtServerNestedProvenanceStorageTest : WordSpec() {
                 packageProvenanceCache = PackageProvenanceCache()
                 packageProvenanceStorage =
                     OrtServerPackageProvenanceStorage(dbExtension.db, scannerRun.id, packageProvenanceCache)
-                nestedProvenanceStorage = OrtServerNestedProvenanceStorage(dbExtension.db, packageProvenanceCache)
+                nestedProvenanceStorage = OrtServerNestedProvenanceStorage(
+                    dbExtension.db,
+                    packageProvenanceCache,
+                    ""
+                )
 
                 val subInfo1 = vcsInfo.copy(path = "sub1")
                 val subProvenance1 = RepositoryProvenance(subInfo1, subInfo1.revision)
diff --git a/workers/scanner/src/test/kotlin/ScannerRunnerTest.kt b/workers/scanner/src/test/kotlin/ScannerRunnerTest.kt
@@ -44,6 +44,7 @@ import org.ossreviewtoolkit.model.OrtResult
 import org.ossreviewtoolkit.model.Provenance
 import org.ossreviewtoolkit.model.RepositoryProvenance
 import org.ossreviewtoolkit.model.config.ScannerConfiguration
+import org.ossreviewtoolkit.plugins.api.PluginConfig as OrtPluginConfig
 import org.ossreviewtoolkit.scanner.LocalPathScannerWrapper
 import org.ossreviewtoolkit.scanner.Scanner
 import org.ossreviewtoolkit.scanner.ScannerWrapperFactory
@@ -184,6 +185,43 @@ class ScannerRunnerTest : WordSpec({
             result.issues shouldBe issuesMap
         }
     }
+
+    "createCanonicalVcsPluginConfigs" should {
+        "return null if no VCS config plugins are used at all." {
+            val vcsPluginConfigs = emptyMap<String, OrtPluginConfig>()
+
+            val result = ScannerRunner.createCanonicalVcsPluginConfigs(vcsPluginConfigs)
+
+            result shouldBe null
+        }
+
+        "return a canonical string of VCS plugin configs." {
+            val vcsPluginConfigs = mapOf(
+                "VCS-Z" to OrtPluginConfig(
+                    options = mapOf(
+                        "option-z" to "1",
+                        "option-a" to "2"
+                    ),
+                    secrets = mapOf(
+                        "some-secret" to "my-secret"
+                    )
+                ),
+                "VCS-A" to OrtPluginConfig(
+                    options = mapOf(
+                        "option-x" to "3",
+                        "option-b" to "4"
+                    ),
+                    secrets = mapOf(
+                        "some-secret" to "my-secret"
+                    )
+                )
+            )
+
+            val result = ScannerRunner.createCanonicalVcsPluginConfigs(vcsPluginConfigs)
+
+            result shouldBe "VCS-A/option-b/4&VCS-A/option-x/3&VCS-Z/option-a/2&VCS-Z/option-z/1"
+        }
+    }
 })
 
 private fun mockScannerWrapperFactory(scannerName: String) =

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+ALTER TABLE nested_provenances`
	`2`	`+ ADD COLUMN vcs_plugin_configs text DEFAULT NULL;`