I am wanting to scan a source tree containing C/C++ source code/headers. In this instance as just a test to see what kind of output I can get, it is not in source control and is not package managed.
A good example of a use case for this might be an archive from a supplier that we wish to check for licensing information, or one that we are shipping to a customer.
I am following the steps in the getting started guide but on my local code package instead.
Doing this I see issues similar to #2896
If instead of running the scanner on the analyser output I instead pass the source folder with the -p option, the scan runs correctly and detects licenses in the code, however this information then never makes it into the reports, and the evaluator runs without picking up any issues. But the report is empty.
```
docker run -v /home/paulb/work/fsim_scan:/project ort --info analyze -f JSON -i /project/FSIM_minimal -o /project/ort/analyzer
# As we know the system is not package managed, for the scan we could just pass the path to the code rather than the analyser output
docker run -v /home/paulb/work/fsim_scan:/project ort --info scan -p /project/FSIM_minimal -o /project/ort/scanner
docker run -v /home/paulb/work/fsim_scan:/project ort --info evaluate --license-classifications-file /project/license-classifications.yml --rules-file /project/example.rules.kts -i /project/ort/scanner/scan-result.yml -o project/ort/evaluator
docker run -v /home/paulb/work/fsim_scan:/project ort --info report -f NoticeTemplate,StaticHtml,WebApp -i /project/ort/evaluator/evaluation-result.yml -o project/ort/reporter
```
I use the license-classifications and example.rules from the examples folder.
Analyse step, doesn't find anything (as I would expect as it isn't package managed).
Scan step (given the path rather than analyser output) finds licenses and copyrights.
Evaluate finds no issues
Report is empty.
Does this look like a bug, or am I driving it wrong?
Thanks,
Paul
This bit is currently not supported. Historically, ORT requires source code to be under source control for provenance reasons. But as discussed in the last developer meeting, we seem to have an increasing amount of users who want this.
So, there is an agreement to add support for scanning sources not under source / version control, but so far no one has started to work on it.
> So, there is an agreement to add support for scanning sources not under source / version control, but so far no one has started to work on it.
I don't recall the details of this "agreement". @oss-review-toolkit/core-devs should discuss whether we really want to officially support this use-case.
Anyway, this issue is actually conflating two separate things:
1. Analyzing source code that does not use a package manager. This is supported via the Unmanaged "fake" package manager.
2. Analyzing source code that is not checked into a Version Control System, which is not fully supported / untested.
So the only real issue is 2., which is a duplicate of #2896. Let's track it over there.