component-detection icon indicating copy to clipboard operation
component-detection copied to clipboard
verified publisher icon microsoft

Poetry detector fails on specific use case due to multiple sources for a package being specified in poetry.lock file

Open FernandoRojo opened this issue 1 year ago • 0 comments

If a lock file is generated that has multiple source entries under a single package, the poetry detector will hard fail:

Tomlyn.TomlException: (157,1) : error : The key `package.[3].source` is already defined at (152,1) with `[package.source]␤type = \"legacy\"␤url = \"https://artifactory.metaswitch.com/api/pypi/pypi-virtual/simple\"␤reference = \"metaswitch\"` and cannot be redefined
(160,1) : error : The key `package.[3].source.reference` is already defined at (155,1) with `reference = \"metaswitch\"` and cannot be redefined
(162,1) : error : The key `package.[3].source` is already defined at (152,1) with `[package.source]␤type = \"legacy\"␤url = \"https://artifactory.metaswitch.com/api/pypi/pypi-virtual/simple\"␤reference = \"metaswitch\"` and cannot be redefined
(165,1) : error : The key `package.[3].source.reference` is already defined at (155,1) with `reference = \"metaswitch\"` and cannot be redefined
(215,1) : error : The key `package.[5].source` is already defined at (210,1) with `[package.source]␤type = \"legacy\"␤url = \"https://artifactory.metaswitch.com/api/pypi/pypi-virtual/simple\"␤reference = \"metaswitch\"` and cannot be redefined
(218,1) : error : The key `package.[5].source.reference` is already defined at (213,1) with `reference = \"metaswitch\"` and cannot be redefined
(220,1) : error : The key `package.[5].source` is already defined at (210,1) with `[package.source]␤type = \"legacy\"␤url = \"https://artifactory.metaswitch.com/api/pypi/pypi-virtual/simple\"␤reference = \"metaswitch\"` and cannot be redefined
(223,1) : error : The key `package.[5].source.reference` is already defined at (213,1) with `reference = \"metaswitch\"` and cannot be redefined
at Tomlyn.Toml.ToModel[T](String text, String sourcePath, TomlModelOptions options)
at Microsoft.ComponentDetection.Detectors.Poetry.PoetryComponentDetector.OnFileFoundAsync(ProcessRequest processRequest, IDictionary`2 detectorArgs, CancellationToken cancellationToken)
at Microsoft.ComponentDetection.Contracts.FileComponentDetector.OnFileFoundAsync(ProcessRequest processRequest, IDictionary`2 detectorArgs, Boolean cleanupCreatedFiles, CancellationToken cancellationToken)
at Microsoft.ComponentDetection.Contracts.FileComponentDetector.<>c__DisplayClass57_0.<<ProcessAsync>b__0>d.MoveNext()

spec for lock file needs to be reviewed and contract updated to prevent this.

FernandoRojo avatar Dec 10 '24 20:12 FernandoRojo