`LicenseInfoResolver.effectiveLicense()` crashes given some large SPDX expression and non-empty license choices

[fviernau]

Reproduce:

1. Make a scan for an analyzer result contain Qt as dependency:

   vcsUrl: https://code.qt.io/qt/qt5.git
   vcsRevision: b9fd0a20a60b82cd91fdc86cb54d0eb7adf29eae
   

2. Set-up a license choice which applies to that dependency
3. Run the evaluator using the rules from ort-config repo. (I've used -Xmx16G)
4. Observe that CPU load goes to max., it seems to hang, after minutes CLI will just exit without a success.

Note: The issue seems to be in the SpdxExpression class hierarchy. In particular, related to validChoices() and DNF computation.

[sschuberth]

Could you maybe attach the analyzer result, license choice config etc. also to the issue for a quicker reproducer?

[fviernau]

Could you maybe attach the analyzer result, license choice config etc. also to the issue for a quicker reproducer?

Any license choice matching the package should reproduce it. The analyzer result:

{
  "repository" : {
    "vcs" : {
      "type" : "",
      "url" : "",
      "revision" : "",
      "path" : ""
    },
    "vcs_processed" : {
      "type" : "",
      "url" : "",
      "revision" : "",
      "path" : ""
    },
    "config" : {
      "excludes" : {
        "scopes" : [ {
          "pattern" : "excluded",
          "reason" : "DEV_DEPENDENCY_OF"
        } ]
      }
    }
  },
  "analyzer" : {
    "start_time" : "1970-01-01T00:00:00Z",
    "end_time" : "1970-01-01T00:00:00Z",
    "environment" : {
      "ort_version" : "707023526d-dirty",
      "java_version" : "17.0.7",
      "os" : "Linux",
      "processors" : 8,
      "max_memory" : 8342470656,
      "variables" : {
        "SHELL" : "/bin/bash",
        "TERM" : "xterm-256color",
        "GOPATH" : "/home/frank/go"
      },
      "tool_versions" : { }
    },
    "config" : {
      "allow_dynamic_versions" : false,
      "skip_excluded" : false
    },
    "result" : {
      "projects" : [ {
        "id" : "Unmanaged::unknown:",
        "definition_file_path" : "",
        "declared_licenses" : [ ],
        "declared_licenses_processed" : { },
        "vcs" : {
          "type" : "",
          "url" : "",
          "revision" : "",
          "path" : ""
        },
        "vcs_processed" : {
          "type" : "",
          "url" : "",
          "revision" : "",
          "path" : ""
        },
        "homepage_url" : "",
        "scopes" : [ {
          "name" : "excluded",
          "dependencies" : [ ]
        }, {
          "name" : "main",
          "dependencies" : [ {
            "id" : "Native::Qt5:5.15.9-lts-lgpl",
            "linkage" : "STATIC"
          } ]
        } ]
      } ],
      "packages" : [ {
        "id" : "Native::Qt5:5.15.9-lts-lgpl",
        "purl" : "",
        "declared_licenses" : [ ],
        "declared_licenses_processed" : { },
        "description" : "",
        "homepage_url" : "",
        "binary_artifact" : {
          "url" : "",
          "hash" : {
            "value" : "",
            "algorithm" : ""
          }
        },
        "source_artifact" : {
          "url" : "",
          "hash" : {
            "value" : "",
            "algorithm" : ""
          }
        },
        "vcs" : {
          "type" : "Git",
          "url" : "https://code.qt.io/qt/qt5.git",
          "revision" : "",
          "path" : ""
        },
        "vcs_processed" : {
          "type" : "Git",
          "url" : "https://code.qt.io/qt/qt5.git",
          "revision" : "",
          "path" : ""
        }
      }]
    }
  },
  "scanner" : null,
  "advisor" : null,
  "evaluator" : null,
  "resolved_configuration" : { }
}

[sschuberth]

Thanks. PS: You can also really attach files for download by dragging & dropping them into the comment field.

[sschuberth]

@fviernau could you spend the time to try reproducing this?

[fviernau]

@fviernau could you spend the time to try reproducing this?

No time for this currently.