fix(swiftpm): Use identity as name for Swift PM registry dependencies

[liedQM]

Currently only the location field is used to derive the name of a Swift PM dependency. For dependencies fetched over a Package Registry Service (Swift PM registry) the location field is empty which leads to incomplete and invalid results. For those dependencies the identity needs to be used instead.

Technical notes:

• Screenshots of a broken and fixed scan with SPM registries involved:

broken:

fixed:

Note: Like seen, the scan also stops resolving the broken SPM registries further which results in much shorter scan results.

• Test outcome of the newly added test without the fix:
  expected:

project:
  id: "SwiftPM::src/funTest/assets/projects/synthetic/only-lockfile-v3-with-SPM-registry-dependency/Package.resolved:e1d45fb08d20491de87deb7decd464633707ebaf"
  definition_file_path: "plugins/package-managers/swiftpm/src/funTest/assets/projects/synthetic/only-lockfile-v3-with-SPM-registry-dependency/Package.resolved"
  declared_licenses: []
  declared_licenses_processed: {}
  vcs:
    type: ""
    url: ""
    revision: ""
    path: ""
  vcs_processed:
    type: "Git"
    url: "https://github.com/oss-review-toolkit/ort.git"
    revision: "e1d45fb08d20491de87deb7decd464633707ebaf"
    path: "plugins/package-managers/swiftpm/src/funTest/assets/projects/synthetic/only-lockfile-v3-with-SPM-registry-dependency"
  homepage_url: ""
  scopes:
  - name: "dependencies"
    dependencies:
    - id: "Swift::alamofire.alamofire:5.4.4"
packages:
- id: "Swift::alamofire.alamofire:5.4.4"
  purl: "pkg:swift/[email protected]"
  declared_licenses: []
  declared_licenses_processed: {}
  description: ""
  homepage_url: ""
  binary_artifact:
    url: ""
    hash:
      value: ""
      algorithm: ""
  source_artifact:
    url: ""
    hash:
      value: ""
      algorithm: ""
  vcs:
    type: ""
    url: ""
    revision: ""
    path: ""
  vcs_processed:
    type: ""
    url: ""
    revision: ""
    path: ""

but was:

project:
  id: "SwiftPM::src/funTest/assets/projects/synthetic/only-lockfile-v3-with-SPM-registry-dependency/Package.resolved:e1d45fb08d20491de87deb7decd464633707ebaf"
  definition_file_path: "plugins/package-managers/swiftpm/src/funTest/assets/projects/synthetic/only-lockfile-v3-with-SPM-registry-dependency/Package.resolved"
  declared_licenses: []
  declared_licenses_processed: {}
  vcs:
    type: ""
    url: ""
    revision: ""
    path: ""
  vcs_processed:
    type: "Git"
    url: "https://github.com/oss-review-toolkit/ort.git"
    revision: "e1d45fb08d20491de87deb7decd464633707ebaf"
    path: "plugins/package-managers/swiftpm/src/funTest/assets/projects/synthetic/only-lockfile-v3-with-SPM-registry-dependency"
  homepage_url: ""
  scopes:
  - name: "dependencies"
    dependencies:
    - id: "Swift::null:5.4.4"
packages:
- id: "Swift::null:5.4.4"
  purl: "pkg:swift/[email protected]"
  declared_licenses: []
  declared_licenses_processed: {}
  description: ""
  homepage_url: ""
  binary_artifact:
    url: ""
    hash:
      value: ""
      algorithm: ""
  source_artifact:
    url: ""
    hash:
      value: ""
      algorithm: ""
  vcs:
    type: ""
    url: ""
    revision: ""
    path: ""
  vcs_processed:
    type: ""
    url: ""
    revision: ""
    path: ""

[sschuberth]

Thanks a lot for the contribution @liedQM! Please have a look at the failing commit linter: You should hard-wrap commit message body lines at column 75.

[sschuberth]

Nit: Please make this a sentence as "written in a book" (e.g. with a dot at the end):

// For SPM registry dependencies the `location` field is blank, so use the `identity` field instead.

[fviernau]

Shall we move this comment to the location property?

[liedQM]

Thanks for the sentence suggestion, I've applied it.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 69.60%. Comparing base (86de3cc) to head (f3980be).
Report is 85 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff            @@
##               main   #10124   +/-   ##
=========================================
  Coverage     69.60%   69.60%           
  Complexity     1454     1454           
=========================================
  Files           270      270           
  Lines          9668     9668           
  Branches       1028     1028           
=========================================
  Hits           6729     6729           
  Misses         2487     2487           
  Partials        452      452           

Flag	Coverage Δ
funTest-docker	68.80% <ø> (+0.02%)	⬆️
funTest-non-docker	33.32% <ø> (ø)
test-ubuntu-24.04	39.14% <ø> (ø)
test-windows-2022	39.12% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[fviernau]

Shall we move this comment to the location property?

[liedQM]

Thanks a lot for the contribution @liedQM! Please have a look at the failing commit linter: You should hard-wrap commit message body lines at column 75.

Thanks for the fast feedback. Just a short note: You refer to https://robertcooper.me/post/git-commit-messages in your Contribution Guideline which limits the commit messages to 80 characters (which I've followed). It would be nice to add a note in your guidelines regarding the smaller character count :)

[sschuberth]

Just a short note: You refer to https://robertcooper.me/post/git-commit-messages in your Contribution Guideline which limits the commit messages to 80 characters (which I've followed). It would be nice to add a note in your guidelines regarding the smaller character count :)

Thanks for letting us now, here's the proposed addition to the docs.

[fviernau]

commit-msg: Should say identity instead of identifier ?

[liedQM]

commit-msg: Should say identity instead of identifier ?

Thanks it seems I've mixed the terms up. Will fix it.

[fviernau]

question: What do you guys think about the purl? Is the current logic appropriate which sets it, as we're dealing with private registries, could this be ambigous?

[sschuberth]

could this be ambigous?

Theoretically it would be. If we can be sure the registry to be a non-default one, it's probably a good idea to add the repository_url qualifier to the purl.

[liedQM]

could this be ambigous?

Theoretically it would be. If we can be sure the registry to be a non-default one, it's probably a good idea to add the repository_url qualifier to the purl.

We don't get any information regarding the used registry from the Package.resolved or Package.swift since they are defined outside the project using the swift package-registry set command for a specific scope, e.g. alarmofire (the one before the .) in the test example.

Note: The Package.swift entry for the test example would be:

.package(
   id: "alamofire.alamofire",
   from: 5.4.4
)

[liedQM]

Do you need anything from me for the PR to be merged? The missing registry support blocks us to switch to ORT since a lot of dependencies are missed in the scan.
I'll create another PR which adds target (different dependency types) support of SPM similar to maven which allows excluding test-only dependencies but that will take some time and a bigger PR to make it work.

[sschuberth]

Do you need anything from me for the PR to be merged?

@fviernau could you please do another review?

[sschuberth]

Do you need anything from me for the PR to be merged?

@fviernau could you please do another review?

@fviernau are you okay to merge this (or to dismiss your review)?

[fviernau]

@fviernau are you okay to merge this (or to dismiss your review)?

yes, I'm ok to merge this as a "partial" solution, even though identity may be only an SwiftPM-internal project-local unique id, for which it is questionable whether the string value is always suitable for use withing the ORT package identifier. However, it can be improved later on. (Same for the purl).

---

@liedQM just out of curiosity: Would you know whether SwiftPM has a command to retrieve metadata for such package from the remote registry. E.g. the name, description and so forth?

I'm ok with this.

[liedQM]

@fviernau currently I'm not aware of any way despite reading it out of the a global settings file. I've been looking into the available swift pm commands and haven't found any to read the current scope configuration yet.
Nevertheless the SPM registry works like the maven repositories where a dependency can be loaded from any registry which provides the library, so it can be multiple ones.
Are you saving this information for maven dependencies as well? If yes I can dig deeper after my scope fix PR but if not I would leave it out for SPM as well.

[liedQM]

Thanks for merging my PR :)

[sschuberth]

Are you saving this information for maven dependencies as well?

Yes, we do.