Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Analyzer/Reporter possibly do not hook correctly into Pub in my Flutter project #9960

Open
mnm-Sharpen360 opened this issue Feb 24, 2025 · 2 comments
Open

Analyzer/Reporter possibly do not hook correctly into Pub in my Flutter project #9960

mnm-Sharpen360 opened this issue Feb 24, 2025 · 2 comments
Labels
analyzer About the analyzer tool needs info An issue where further information is required question An issue that is actually a question

Comments

@mnm-Sharpen360
Copy link

mnm-Sharpen360 commented Feb 24, 2025
edited
Loading

Hi,

I am using ort on an older (2+ years) Flutter project with the intention of generating a SBOM as a basis for analyzing dependency risks and vulnerabilities. Additionally, I am interested in using the tool for analyzing which licenses are used in the project.

However, I am uneasy as to whether the results I get are faulty or incomplete, due to the following factors:

  1. The Analyzer is giving me some errors, although it does ultimately generate an analyzer-result.yml file
  2. After running the Reporter, some packages in pubspec.lock are not in the final bom.cyclonedx.json file
  3. None of the reported dependencies have a license, despite most (if not all) having their license listed on pubdev

I'll go through these in order, but first some basic info about my setup:

Setup

ort is installed in the simplest way by downloading the latest binaries, and adding them to my environment variable.

Java is likewise added to the environment variable, and I'm using the distribution that comes with Android Studio Ladybug Feature Drop | 2024.2.2 Patch 1. This version of Java is 21.0.5

ort requirements outputs the following:

Hoplite is configured to infer which sealed type to choose by inspecting the config values at runtime. This behaviour is now deprecated in favour of explicitly specifying the type through a discriminator field. In 3.0 this new behavior will become the default. To enable this behavior now (and disable this warning), invoke withExplicitSealedTypes() on the ConfigLoaderBuilder.
 ______________________________
/        \_______   \__    ___/ The OSS Review Toolkit, version 51.1.0,
|    |   | |       _/ |    |    built with JDK 21.0.6+7-LTS, running under Java 21.0.5.
|    |   | |    |   \ |    |    Executing 'requirements' as 'MikkelEmilNielsen-Ma' on Windows 11
\________/ |____|___/ |____|    with 16 CPUs and a maximum of 8112 MiB of memory.

Environment variables:
ORT_CONFIG_DIR = C:\Users\MikkelEmilNielsen-Ma\.ort\config
ORT_DATA_DIR = C:\Users\MikkelEmilNielsen-Ma\.ort
USERPROFILE = C:\Users\MikkelEmilNielsen-Ma
OS = Windows_NT
COMSPEC = C:\WINDOWS\system32\cmd.exe

Looking for ORT configuration in the following file:
        C:\Users\MikkelEmilNielsen-Ma\.ort\config\config.yml

PackageManagerFactory plugins:
        * Bazel
        * Bower
        * Bundler
        * Cargo
        * Carthage
        * CocoaPods
        * Composer
        * Conan
        * GoMod
        * Gradle
        * GradleInspector
        * Maven
        * NPM
        * NuGet
        * PIP
        * Pipenv
        * PNPM
        * Poetry
        * Pub
        * SBT
        * SpdxDocumentFile
        * Stack
        * SwiftPM
        * Unmanaged
        * Yarn
        * Yarn2

ScannerWrapperFactory plugins:
        * Askalono
        * BoyterLc
        * DOS
        * FossId
        * Licensee
        * ScanCode
        * SCANOSS

Scanners:
        * Askalono: Requires 'askalono.exe' in no specific version. Found version 0.5.0.
        - BoyterLc: Requires 'lc.exe' in no specific version. Tool not found.
        - Licensee: Requires 'licensee.bat' in no specific version. Tool not found.
        * ScanCode: Requires 'scancode.bat' in version >=30.0.0. Found version 32.3.2.

PackageManagers:
        - Bazel: Requires 'bazel' in version >=7.0.0. Tool not found.
        - Bower: Requires 'bower.cmd' in version >=1.8.8. Tool not found.
        - Buildozer: Requires 'buildozer' in no specific version. Tool not found.
        - Cargo: Requires 'cargo' in no specific version. Tool not found.
        - CocoaPods: Requires 'pod.bat' in version >=1.11.0. Tool not found.
        - Composer: Requires 'composer.bat' in version >=1.5.0. Tool not found.
        - Conan: Requires 'conan' in version >=1.44.0 and <2.0.0. Tool not found.
        - Go: Requires 'go' in version >=1.21.1. Tool not found.
        * Npm: Requires 'npm.cmd' in version >=6.0.0 and <11.0.0. Found version 10.8.1.
        - NuGetInspector: Requires 'nuget-inspector' in no specific version. Tool not found.
        - Pipenv: Requires 'pipenv' in version >=2018.10.9. Tool not found.
        - Pnpm: Requires 'pnpm.cmd' in version >=5.0.0 and <10.0.0. Tool not found.
        - Poetry: Requires 'poetry' in no specific version. Tool not found.
        * Pub: Requires 'C:\src\flutter\bin\dart.bat' in version >=2.10.0. Found version 3.5.3.
        - PythonInspector: Requires 'python-inspector' in version >=0.9.2. Tool not found.
        - Sbt: Requires 'sbt.bat' in no specific version. Tool not found.
        - Stack: Requires 'stack' in version >=2.1.1. Tool not found.
        - Swift: Requires 'swift.exe' in no specific version. Tool not found.
        - Yarn: Requires 'yarn.cmd' in version >=1.3.0 and <1.23.0. Tool not found.

VersionControlSystems:
        * Git: Requires 'git' in version >=2.29.0. Found version 2.39.0.windows.2.
        - GitRepo: Requires 'repo' in no specific version. Tool not found.
        - Mercurial: Requires 'hg' in no specific version. Tool not found.

Prefix legend:
        - The tool was not found in the PATH environment.
        + The tool was found in the PATH environment, but not in the required version.
        * The tool was found in the PATH environment in the required version.

ScanCode license texts found in 'C:\src\scancode\scancode-toolkit-v32.3.2\venv\Lib\site-packages\licensedcode\data\licenses'.

Not all tools requirements were satisfied:
        ! Some tools were not found at all.

Configuration

The Flutter project in question is only released on web, so in an effort to not analyze the build.gradle and other android-specific files, I have made the following configurations:

<project_folder>/.ort.yml:

excludes:
  paths:
  - pattern: "android/**"
    reason: "OTHER"
    comment: "This project does not get built for Android"
  - pattern: "<nested project>/**"
    reason: "OTHER"
    comment: "Including this repository causes a duplicate error in ort, so we exclude it from analysis for now"

~/.ort/config/config.yml:

ort:
  analyzer:
    skipExcluded: true

  scanner:
    skipConcluded: true
    skipExcluded: true

    archive:
      enabled: true

      fileStorage:
        localFileStorage:
          directory: ~/.ort/scanner/archive
          compression: false

    fileListStorage:
      fileStorage:
        localFileStorage:
          directory: ~/.ort/scanner/file-lists
          compression: false
      
    storages:
      local:
        backend:
          localFileStorage:
            directory: ~/.ort/scanner/results
            compression: false

    storageReaders: [local]

Analyser errors

I analyze the project using the command ort analyze -i ./ -o ./ort/analyzer

This gives the following output (13 other near identical errors removes due to character limit):

Hoplite is configured to infer which sealed type to choose by inspecting the config values at runtime. This behaviour is now deprecated in favour of explicitly specifying the type through a discriminator field. In 3.0 this new behavior will become the default. To enable this behavior now (and disable this warning), invoke withExplicitSealedTypes() on the ConfigLoaderBuilder.
 ______________________________
/        \_______   \__    ___/ The OSS Review Toolkit, version 51.1.0,
|    |   | |       _/ |    |    built with JDK 21.0.6+7-LTS, running under Java 21.0.5.
|    |   | |    |   \ |    |    Executing 'analyze' as 'MikkelEmilNielsen-Ma' on Windows 11
\________/ |____|___/ |____|    with 16 CPUs and a maximum of 8112 MiB of memory.

Environment variables:
ORT_CONFIG_DIR = C:\Users\MikkelEmilNielsen-Ma\.ort\config
ORT_DATA_DIR = C:\Users\MikkelEmilNielsen-Ma\.ort
USERPROFILE = C:\Users\MikkelEmilNielsen-Ma
OS = Windows_NT
COMSPEC = C:\WINDOWS\system32\cmd.exe

Looking for ORT configuration in the following file:
        C:\Users\MikkelEmilNielsen-Ma\.ort\config\config.yml

Looking for analyzer-specific configuration in the following files and directories:
        C:\Users\MikkelEmilNielsen-Ma\Documents\GitHub\trace-metrics\.ort.yml
        C:\Users\MikkelEmilNielsen-Ma\.ort\config\resolutions.yml (does not exist)
The following 25 package manager(s) are enabled:
        Bazel, Bower, Bundler, Cargo, Carthage, CocoaPods, Composer, Conan, GoMod, GradleInspector, Maven, NPM, NuGet, PIP, Pipenv, PNPM, Poetry, Pub, SBT, SpdxDocumentFile, Stack, SwiftPM, Unmanaged, Yarn, Yarn2
The following 2 package curation provider(s) are enabled:
        DefaultDir, DefaultFile
Analyzing project path:
        C:\Users\MikkelEmilNielsen-Ma\Documents\GitHub\trace-metrics
Found 1 Pub definition file(s) at:
        pubspec.yaml
Found in total 1 definition file(s) from the following 1 package manager(s):
        Pub
14:23:41.881 [DefaultDispatcher-worker-1] ERROR org.ossreviewtoolkit.analyzer.PackageManager - GradleInspector failed to resolve dependencies for path 'build.gradle': BuildException: Could not fetch model of type 'OrtDependencyTreeModel' using connection to Gradle distribution 'https://services.gradle.org/distributions/gradle-7.3-bin.zip'.
Caused by: LocationAwareException: Initialization script 'C:\Users\MikkelEmilNielsen-Ma\.ort\tools\GradleInspector\init.gradle'
Could not compile initialization script 'C:\Users\MikkelEmilNielsen-Ma\.ort\tools\GradleInspector\init.gradle'.
    Caused by: ContextualPlaceholderException: Could not compile initialization script 'C:\Users\MikkelEmilNielsen-Ma\.ort\tools\GradleInspector\init.gradle'.
        Caused by: PlaceholderException: startup failed:
        General error during conversion: Unsupported class file major version 65

        java.lang.IllegalArgumentException: Unsupported class file major version 65
                at groovyjarjarasm.asm.ClassReader.<init>(ClassReader.java:199)
                at groovyjarjarasm.asm.ClassReader.<init>(ClassReader.java:180)
                at groovyjarjarasm.asm.ClassReader.<init>(ClassReader.java:166)
                at groovyjarjarasm.asm.ClassReader.<init>(ClassReader.java:287)
                at org.codehaus.groovy.ast.decompiled.AsmDecompiler.parseClass(AsmDecompiler.java:81)
                at org.codehaus.groovy.control.ClassNodeResolver.findDecompiled(ClassNodeResolver.java:251)
                at org.codehaus.groovy.control.ClassNodeResolver.tryAsLoaderClassOrScript(ClassNodeResolver.java:189)
                at org.codehaus.groovy.control.ClassNodeResolver.findClassNode(ClassNodeResolver.java:169)
                at org.codehaus.groovy.control.ClassNodeResolver.resolveName(ClassNodeResolver.java:125)
                at org.codehaus.groovy.ast.decompiled.AsmReferenceResolver.resolveClassNullable(AsmReferenceResolver.java:57)
                at org.codehaus.groovy.ast.decompiled.AsmReferenceResolver.resolveClass(AsmReferenceResolver.java:44)
                at org.codehaus.groovy.ast.decompiled.AsmReferenceResolver.resolveNonArrayType(AsmReferenceResolver.java:79)
                at org.codehaus.groovy.ast.decompiled.AsmReferenceResolver.resolveType(AsmReferenceResolver.java:70)
                at org.codehaus.groovy.ast.decompiled.MemberSignatureParser.createMethodNode(MemberSignatureParser.java:58)
                at org.codehaus.groovy.ast.decompiled.DecompiledClassNode.lambda$createMethodNode$1(DecompiledClassNode.java:230)
                at org.codehaus.groovy.ast.decompiled.DecompiledClassNode.createMethodNode(DecompiledClassNode.java:236)
                at org.codehaus.groovy.ast.decompiled.DecompiledClassNode.lazyInitMembers(DecompiledClassNode.java:203)
                at org.codehaus.groovy.ast.decompiled.DecompiledClassNode.getDeclaredMethods(DecompiledClassNode.java:122)
                at org.codehaus.groovy.ast.ClassNode.tryFindPossibleMethod(ClassNode.java:1283)
                at org.codehaus.groovy.control.StaticImportVisitor.transformMethodCallExpression(StaticImportVisitor.java:251)
                at org.codehaus.groovy.control.StaticImportVisitor.transform(StaticImportVisitor.java:133)
                at org.codehaus.groovy.ast.ClassCodeExpressionTransformer.visitExpressionStatement(ClassCodeExpressionTransformer.java:108)
                at org.codehaus.groovy.ast.stmt.ExpressionStatement.visit(ExpressionStatement.java:40)
                at org.codehaus.groovy.ast.ClassCodeVisitorSupport.visitClassCodeContainer(ClassCodeVisitorSupport.java:138)
                at org.codehaus.groovy.ast.ClassCodeVisitorSupport.visitConstructorOrMethod(ClassCodeVisitorSupport.java:111)
                at org.codehaus.groovy.ast.ClassCodeExpressionTransformer.visitConstructorOrMethod(ClassCodeExpressionTransformer.java:66)
                at org.codehaus.groovy.control.StaticImportVisitor.visitConstructorOrMethod(StaticImportVisitor.java:108)
                at org.codehaus.groovy.ast.ClassCodeVisitorSupport.visitConstructor(ClassCodeVisitorSupport.java:101)
                at org.codehaus.groovy.ast.ClassNode.visitContents(ClassNode.java:1089)
                at org.codehaus.groovy.ast.ClassCodeVisitorSupport.visitClass(ClassCodeVisitorSupport.java:52)
                at org.codehaus.groovy.control.CompilationUnit.lambda$addPhaseOperations$3(CompilationUnit.java:209)
                at org.codehaus.groovy.control.CompilationUnit$IPrimaryClassNodeOperation.doPhaseOperation(CompilationUnit.java:942)
                at org.codehaus.groovy.control.CompilationUnit.processPhaseOperations(CompilationUnit.java:671)
                at org.codehaus.groovy.control.CompilationUnit.compile(CompilationUnit.java:635)
                at groovy.lang.GroovyClassLoader.doParseClass(GroovyClassLoader.java:389)
                at groovy.lang.GroovyClassLoader.lambda$parseClass$3(GroovyClassLoader.java:332)
                at org.codehaus.groovy.runtime.memoize.StampedCommonCache.compute(StampedCommonCache.java:163)
                at org.codehaus.groovy.runtime.memoize.StampedCommonCache.getAndPut(StampedCommonCache.java:154)
                at groovy.lang.GroovyClassLoader.parseClass(GroovyClassLoader.java:330)
                at org.gradle.groovy.scripts.internal.DefaultScriptCompilationHandler.compileScript(DefaultScriptCompilationHandler.java:139)
                at org.gradle.groovy.scripts.internal.DefaultScriptCompilationHandler.compileToDir(DefaultScriptCompilationHandler.java:95)
                at org.gradle.groovy.scripts.internal.BuildOperationBackedScriptCompilationHandler$2.run(BuildOperationBackedScriptCompilationHandler.java:54)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$1.execute(DefaultBuildOperationRunner.java:29)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$1.execute(DefaultBuildOperationRunner.java:26)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:66)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:59)
                at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:157)
                at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:59)
                at org.gradle.internal.operations.DefaultBuildOperationRunner.run(DefaultBuildOperationRunner.java:47)
                at org.gradle.internal.operations.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:68)
                at org.gradle.groovy.scripts.internal.BuildOperationBackedScriptCompilationHandler.compileToDir(BuildOperationBackedScriptCompilationHandler.java:51)
                at org.gradle.groovy.scripts.internal.FileCacheBackedScriptClassCompiler$CompileToCrossBuildCacheAction.execute(FileCacheBackedScriptClassCompiler.java:190)
                at org.gradle.groovy.scripts.internal.FileCacheBackedScriptClassCompiler$CompileToCrossBuildCacheAction.execute(FileCacheBackedScriptClassCompiler.java:170)
                at org.gradle.groovy.scripts.internal.FileCacheBackedScriptClassCompiler$ProgressReportingInitializer.execute(FileCacheBackedScriptClassCompiler.java:211)
                at org.gradle.groovy.scripts.internal.FileCacheBackedScriptClassCompiler$ProgressReportingInitializer.execute(FileCacheBackedScriptClassCompiler.java:194)
                at org.gradle.cache.internal.DefaultPersistentDirectoryCache$Initializer.initialize(DefaultPersistentDirectoryCache.java:100)
                at org.gradle.cache.internal.FixedSharedModeCrossProcessCacheAccess$1.run(FixedSharedModeCrossProcessCacheAccess.java:86)
                at org.gradle.cache.internal.DefaultFileLockManager$DefaultFileLock.doWriteAction(DefaultFileLockManager.java:216)
                at org.gradle.cache.internal.DefaultFileLockManager$DefaultFileLock.writeFile(DefaultFileLockManager.java:206)
                at org.gradle.cache.internal.FixedSharedModeCrossProcessCacheAccess.open(FixedSharedModeCrossProcessCacheAccess.java:83)
                at org.gradle.cache.internal.DefaultCacheAccess.open(DefaultCacheAccess.java:139)
                at org.gradle.cache.internal.DefaultPersistentDirectoryStore.open(DefaultPersistentDirectoryStore.java:89)
                at org.gradle.cache.internal.DefaultPersistentDirectoryStore.open(DefaultPersistentDirectoryStore.java:43)
                at org.gradle.cache.internal.DefaultCacheFactory.doOpen(DefaultCacheFactory.java:103)
                at org.gradle.cache.internal.DefaultCacheFactory.open(DefaultCacheFactory.java:68)
                at org.gradle.cache.internal.DefaultCacheRepository$PersistentCacheBuilder.open(DefaultCacheRepository.java:117)
                at org.gradle.groovy.scripts.internal.FileCacheBackedScriptClassCompiler.compile(FileCacheBackedScriptClassCompiler.java:116)
                at org.gradle.groovy.scripts.internal.CrossBuildInMemoryCachingScriptClassCache.getOrCompile(CrossBuildInMemoryCachingScriptClassCache.java:50)
                at org.gradle.groovy.scripts.internal.BuildScopeInMemoryCachingScriptClassCompiler.compile(BuildScopeInMemoryCachingScriptClassCompiler.java:50)
                at org.gradle.groovy.scripts.DefaultScriptCompilerFactory$ScriptCompilerImpl.compile(DefaultScriptCompilerFactory.java:49)
                at org.gradle.configuration.DefaultScriptPluginFactory$ScriptPluginImpl.apply(DefaultScriptPluginFactory.java:110)
                at org.gradle.configuration.BuildOperationScriptPlugin$1.run(BuildOperationScriptPlugin.java:65)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$1.execute(DefaultBuildOperationRunner.java:29)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$1.execute(DefaultBuildOperationRunner.java:26)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:66)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:59)
                at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:157)
                at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:59)
                at org.gradle.internal.operations.DefaultBuildOperationRunner.run(DefaultBuildOperationRunner.java:47)
                at org.gradle.internal.operations.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:68)
                at org.gradle.configuration.BuildOperationScriptPlugin.lambda$apply$0(BuildOperationScriptPlugin.java:62)
                at org.gradle.configuration.internal.DefaultUserCodeApplicationContext.apply(DefaultUserCodeApplicationContext.java:44)
                at org.gradle.configuration.BuildOperationScriptPlugin.apply(BuildOperationScriptPlugin.java:62)
                at org.gradle.configuration.DefaultInitScriptProcessor.process(DefaultInitScriptProcessor.java:50)
                at org.gradle.initialization.InitScriptHandler$1.run(InitScriptHandler.java:56)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$1.execute(DefaultBuildOperationRunner.java:29)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$1.execute(DefaultBuildOperationRunner.java:26)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:66)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:59)
                at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:157)
                at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:59)
                at org.gradle.internal.operations.DefaultBuildOperationRunner.run(DefaultBuildOperationRunner.java:47)
                at org.gradle.internal.operations.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:68)
                at org.gradle.initialization.InitScriptHandler.executeScripts(InitScriptHandler.java:51)
                at org.gradle.initialization.InitScriptHandlingSettingsLoader.findAndLoadSettings(InitScriptHandlingSettingsLoader.java:33)
                at org.gradle.initialization.GradlePropertiesHandlingSettingsLoader.findAndLoadSettings(GradlePropertiesHandlingSettingsLoader.java:39)
                at org.gradle.initialization.DefaultSettingsPreparer.prepareSettings(DefaultSettingsPreparer.java:31)
                at org.gradle.initialization.BuildOperationFiringSettingsPreparer$LoadBuild.doLoadBuild(BuildOperationFiringSettingsPreparer.java:62)
                at org.gradle.initialization.BuildOperationFiringSettingsPreparer$LoadBuild.run(BuildOperationFiringSettingsPreparer.java:57)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$1.execute(DefaultBuildOperationRunner.java:29)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$1.execute(DefaultBuildOperationRunner.java:26)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:66)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:59)
                at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:157)
                at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:59)
                at org.gradle.internal.operations.DefaultBuildOperationRunner.run(DefaultBuildOperationRunner.java:47)
                at org.gradle.internal.operations.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:68)
                at org.gradle.initialization.BuildOperationFiringSettingsPreparer.prepareSettings(BuildOperationFiringSettingsPreparer.java:45)
                at org.gradle.initialization.VintageBuildModelController.lambda$prepareSettings$0(VintageBuildModelController.java:89)
                at org.gradle.internal.build.StateTransitionController.lambda$doTransition$1(StateTransitionController.java:222)
                at org.gradle.internal.build.StateTransitionController.doTransition(StateTransitionController.java:243)
                at org.gradle.internal.build.StateTransitionController.doTransition(StateTransitionController.java:221)
                at org.gradle.internal.build.StateTransitionController.transitionIfNotPreviously(StateTransitionController.java:190)
                at org.gradle.initialization.VintageBuildModelController.prepareSettings(VintageBuildModelController.java:89)
                at org.gradle.initialization.VintageBuildModelController.doBuildStages(VintageBuildModelController.java:73)
                at org.gradle.initialization.VintageBuildModelController.getConfiguredModel(VintageBuildModelController.java:58)
                at org.gradle.internal.build.StateTransitionController.notInStateIgnoreOtherThreads(StateTransitionController.java:89)
                at org.gradle.internal.build.DefaultBuildLifecycleController.getConfiguredBuild(DefaultBuildLifecycleController.java:98)
                at org.gradle.internal.build.AbstractBuildState.ensureProjectsConfigured(AbstractBuildState.java:65)
                at org.gradle.internal.buildtree.DefaultBuildTreeModelCreator$DefaultBuildToolingModelController.locateBuilderForTarget(DefaultBuildTreeModelCreator.java:90)
                at org.gradle.internal.buildtree.DefaultBuildTreeModelCreator$DefaultBuildToolingModelController.locateBuilderForDefaultTarget(DefaultBuildTreeModelCreator.java:82)
                at org.gradle.tooling.internal.provider.runner.BuildModelActionRunner$ModelCreateAction.fromBuildModel(BuildModelActionRunner.java:83)
                at org.gradle.internal.buildtree.DefaultBuildTreeModelCreator.fromBuildModel(DefaultBuildTreeModelCreator.java:62)
                at org.gradle.internal.buildtree.DefaultBuildTreeLifecycleController.lambda$fromBuildModel$1(DefaultBuildTreeLifecycleController.java:79)
                at org.gradle.internal.buildtree.DefaultBuildTreeLifecycleController.lambda$runBuild$4(DefaultBuildTreeLifecycleController.java:103)
                at org.gradle.internal.build.StateTransitionController.lambda$transition$0(StateTransitionController.java:145)
                at org.gradle.internal.build.StateTransitionController.doTransition(StateTransitionController.java:243)
                at org.gradle.internal.build.StateTransitionController.transition(StateTransitionController.java:145)
                at org.gradle.internal.buildtree.DefaultBuildTreeLifecycleController.runBuild(DefaultBuildTreeLifecycleController.java:100)
                at org.gradle.internal.buildtree.DefaultBuildTreeLifecycleController.fromBuildModel(DefaultBuildTreeLifecycleController.java:71)
                at org.gradle.tooling.internal.provider.runner.BuildModelActionRunner.run(BuildModelActionRunner.java:49)
                at org.gradle.launcher.exec.ChainingBuildActionRunner.run(ChainingBuildActionRunner.java:35)
                at org.gradle.internal.buildtree.ProblemReportingBuildActionRunner.run(ProblemReportingBuildActionRunner.java:49)
                at org.gradle.launcher.exec.BuildOutcomeReportingBuildActionRunner.run(BuildOutcomeReportingBuildActionRunner.java:69)
                at org.gradle.tooling.internal.provider.FileSystemWatchingBuildActionRunner.run(FileSystemWatchingBuildActionRunner.java:114)
                at org.gradle.launcher.exec.BuildCompletionNotifyingBuildActionRunner.run(BuildCompletionNotifyingBuildActionRunner.java:41)
                at org.gradle.launcher.exec.RootBuildLifecycleBuildActionExecutor.lambda$execute$0(RootBuildLifecycleBuildActionExecutor.java:40)
                at org.gradle.composite.internal.DefaultRootBuildState.run(DefaultRootBuildState.java:155)
                at org.gradle.launcher.exec.RootBuildLifecycleBuildActionExecutor.execute(RootBuildLifecycleBuildActionExecutor.java:40)
                at org.gradle.internal.buildtree.DefaultBuildTreeContext.execute(DefaultBuildTreeContext.java:40)
                at org.gradle.launcher.exec.BuildTreeLifecycleBuildActionExecutor.lambda$execute$0(BuildTreeLifecycleBuildActionExecutor.java:65)
                at org.gradle.internal.buildtree.BuildTreeState.run(BuildTreeState.java:53)
                at org.gradle.launcher.exec.BuildTreeLifecycleBuildActionExecutor.execute(BuildTreeLifecycleBuildActionExecutor.java:65)
                at org.gradle.launcher.exec.RunAsBuildOperationBuildActionExecutor$3.call(RunAsBuildOperationBuildActionExecutor.java:61)
                at org.gradle.launcher.exec.RunAsBuildOperationBuildActionExecutor$3.call(RunAsBuildOperationBuildActionExecutor.java:57)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$CallableBuildOperationWorker.execute(DefaultBuildOperationRunner.java:204)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$CallableBuildOperationWorker.execute(DefaultBuildOperationRunner.java:199)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:66)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:59)
                at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:157)
                at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:59)
                at org.gradle.internal.operations.DefaultBuildOperationRunner.call(DefaultBuildOperationRunner.java:53)
                at org.gradle.internal.operations.DefaultBuildOperationExecutor.call(DefaultBuildOperationExecutor.java:73)
                at org.gradle.launcher.exec.RunAsBuildOperationBuildActionExecutor.execute(RunAsBuildOperationBuildActionExecutor.java:57)
                at org.gradle.launcher.exec.RunAsWorkerThreadBuildActionExecutor.lambda$execute$0(RunAsWorkerThreadBuildActionExecutor.java:38)
                at org.gradle.internal.work.DefaultWorkerLeaseService.withLocks(DefaultWorkerLeaseService.java:211)
                at org.gradle.launcher.exec.RunAsWorkerThreadBuildActionExecutor.execute(RunAsWorkerThreadBuildActionExecutor.java:38)
                at org.gradle.tooling.internal.provider.ContinuousBuildActionExecutor.execute(ContinuousBuildActionExecutor.java:103)
                at org.gradle.tooling.internal.provider.SubscribableBuildActionExecutor.execute(SubscribableBuildActionExecutor.java:64)
                at org.gradle.internal.session.DefaultBuildSessionContext.execute(DefaultBuildSessionContext.java:46)
                at org.gradle.tooling.internal.provider.BuildSessionLifecycleBuildActionExecuter$ActionImpl.apply(BuildSessionLifecycleBuildActionExecuter.java:100)
                at org.gradle.tooling.internal.provider.BuildSessionLifecycleBuildActionExecuter$ActionImpl.apply(BuildSessionLifecycleBuildActionExecuter.java:88)
                at org.gradle.internal.session.BuildSessionState.run(BuildSessionState.java:69)
                at org.gradle.tooling.internal.provider.BuildSessionLifecycleBuildActionExecuter.execute(BuildSessionLifecycleBuildActionExecuter.java:62)
                at org.gradle.tooling.internal.provider.BuildSessionLifecycleBuildActionExecuter.execute(BuildSessionLifecycleBuildActionExecuter.java:41)
                at org.gradle.tooling.internal.provider.GradleThreadBuildActionExecuter.execute(GradleThreadBuildActionExecuter.java:36)
                at org.gradle.tooling.internal.provider.GradleThreadBuildActionExecuter.execute(GradleThreadBuildActionExecuter.java:25)
                at org.gradle.tooling.internal.provider.StartParamsValidatingActionExecuter.execute(StartParamsValidatingActionExecuter.java:63)
                at org.gradle.tooling.internal.provider.StartParamsValidatingActionExecuter.execute(StartParamsValidatingActionExecuter.java:31)
                at org.gradle.tooling.internal.provider.SessionFailureReportingActionExecuter.execute(SessionFailureReportingActionExecuter.java:58)
                at org.gradle.tooling.internal.provider.SessionFailureReportingActionExecuter.execute(SessionFailureReportingActionExecuter.java:42)
                at org.gradle.tooling.internal.provider.SetupLoggingActionExecuter.execute(SetupLoggingActionExecuter.java:47)
                at org.gradle.tooling.internal.provider.SetupLoggingActionExecuter.execute(SetupLoggingActionExecuter.java:31)
                at org.gradle.launcher.daemon.server.exec.ExecuteBuild.doBuild(ExecuteBuild.java:65)
                at org.gradle.launcher.daemon.server.exec.BuildCommandOnly.execute(BuildCommandOnly.java:37)
                at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:104)
                at org.gradle.launcher.daemon.server.exec.WatchForDisconnection.execute(WatchForDisconnection.java:39)
                at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:104)
                at org.gradle.launcher.daemon.server.exec.ResetDeprecationLogger.execute(ResetDeprecationLogger.java:29)
                at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:104)
                at org.gradle.launcher.daemon.server.exec.RequestStopIfSingleUsedDaemon.execute(RequestStopIfSingleUsedDaemon.java:35)
                at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:104)
                at org.gradle.launcher.daemon.server.exec.ForwardClientInput$2.create(ForwardClientInput.java:78)
                at org.gradle.launcher.daemon.server.exec.ForwardClientInput$2.create(ForwardClientInput.java:75)
                at org.gradle.util.internal.Swapper.swap(Swapper.java:38)
                at org.gradle.launcher.daemon.server.exec.ForwardClientInput.execute(ForwardClientInput.java:75)
                at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:104)
                at org.gradle.launcher.daemon.server.exec.LogAndCheckHealth.execute(LogAndCheckHealth.java:55)
                at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:104)
                at org.gradle.launcher.daemon.server.exec.LogToClient.doBuild(LogToClient.java:63)
                at org.gradle.launcher.daemon.server.exec.BuildCommandOnly.execute(BuildCommandOnly.java:37)
                at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:104)
                at org.gradle.launcher.daemon.server.exec.EstablishBuildEnvironment.doBuild(EstablishBuildEnvironment.java:84)
                at org.gradle.launcher.daemon.server.exec.BuildCommandOnly.execute(BuildCommandOnly.java:37)
                at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:104)
                at org.gradle.launcher.daemon.server.exec.StartBuildOrRespondWithBusy$1.run(StartBuildOrRespondWithBusy.java:52)
                at org.gradle.launcher.daemon.server.DaemonStateCoordinator$1.run(DaemonStateCoordinator.java:297)
                at org.gradle.internal.concurrent.ExecutorPolicy$CatchAndRecordFailures.onExecute(ExecutorPolicy.java:64)
                at org.gradle.internal.concurrent.ManagedExecutorImpl$1.run(ManagedExecutorImpl.java:48)
                at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
                at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
                at org.gradle.internal.concurrent.ThreadFactoryImpl$ManagedThreadRunnable.run(ThreadFactoryImpl.java:61)
                at java.base/java.lang.Thread.run(Unknown Source)

        1 error

<13 MORE SIMILAR ERRORS>

Wrote analyzer result to 'C:\Users\MikkelEmilNielsen-Ma\Documents\GitHub\trace-metrics\ort\analyzer\analyzer-result.yml' (0,20 MiB) in 1.006405700s.
The analysis took 25.973715700s.
Found 1 project(s) and 181 package(s) in total (not counting excluded ones).
Applied 0 curation(s) from 0 of 2 provider(s).
Resolved issues: 0 errors, 0 warnings, 0 hints.
Unresolved issues: 0 errors, 0 warnings, 0 hints.

Despite the errors, this does still result in a seemingly functional analyzer-result.yml file.

Report missing information

Running ort report -i ./ort/analyzer/analyzer-result.yml -o ./ort/reporter/cycloneDX -f CycloneDx produces a bom.cyclonedx.json file without any errors.

However, as mentioned at the beginning, this generated bill of materials does not appear to include every single dependency that I can find in the project's pubspec.lock file.

Nor does it have any license information attached to any of the listed dependencies, despite the licenses for most packages being listed on pubdev.

Questions

  1. If the errors I get from the analyzer are inconsequential, I can live with them. However, if anyone has a suggestion for a fix, I'd of course be more than happy to try it!
  2. It it "normal" for package license data to not be read from pubdev, and included in the analysis/report?
  3. Am I missing some "obvious" configurations or settings that I should be including, given my stated goal of getting license information on the project's dependencies?

Thank you very much for taking the time to read this far, and I hope someone can be of help!
@sschuberth
Copy link
Member

Unsupported class file major version 65

The first Google hit for that seems to be this, indicating that Gradle and / or Gradle Android plugin versions used by your project are too old to run with Java 21.

Instead of upgrading your Gradle build, you could also try to downgrade Java instead, but that would probably also require to downgrade Android Studio / the Android SDK.

@sschuberth sschuberth added question An issue that is actually a question analyzer About the analyzer tool needs info An issue where further information is required labels Feb 24, 2025
@mnm-Sharpen360
Copy link
Author

Unsupported class file major version 65

The first Google hit for that seems to be this, indicating that Gradle and / or Gradle Android plugin versions used by your project are too old to run with Java 21.

Instead of upgrading your Gradle build, you could also try to downgrade Java instead, but that would probably also require to downgrade Android Studio / the Android SDK.

Thank you for the speedy reply!

I have tried various ways of updating the Flutter project to use a newer version of Gradle that is compatible with Java 21, and the relevant project settings now looks like this:
android/gradle/wrapper.properties

distributionUrl=https\://services.gradle.org/distributions/gradle-8.5-all.zip

android/settings.gradle

plugins {
    id "dev.flutter.flutter-plugin-loader" version "1.0.0"
    id "com.android.application" version "8.3.2" apply false
    id "org.jetbrains.kotlin.android" version "1.8.22" apply false
}

I have also followed the steps detailed in https://docs.flutter.dev/release/breaking-changes/flutter-gradle-plugin-apply

But indeed, the error is gone if I create a completely fresh Flutter project and then run ort analyse in it. So there is presumably some project setting that has eluded me so far.

However, and forgive my excessive ignorance here, since I have told ort to ignore everything in the android folder, should the project's Gradle version matter at all?

Thank you very much again for getting back to me so quickly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
analyzer About the analyzer tool needs info An issue where further information is required question An issue that is actually a question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sschuberth @mnm-Sharpen360