FossID Documentation

Troubleshooting ORT

The integration between FossID Workbench and ORT requires proper configuration. For details about setting up ORT and the package managers, see the installation instructions and ORT FAQ sections.

When the Dependency Analysis fails, the output of the ORT Analyzer is stored in the logs. The error messages produced by the Analyzer may help you resolve the issues. Below are examples of typical error messages and how to fix them:

A scan cannot be started

Make sure ort is in the path specified in fossid.conf, and that fossid.conf specifies that ort is run with sudo. Make sure the user running the PHP service is the owner of /fossid/lib/ort and the files in it. This is typically the www-data user, but it may differ depending on the operating system. To find out which user it is, you can run, for example, the command below and look for the php-fpm pool www process:

$ ps aux |grep php
root      4439  0.0  0.5 225684 22228 ?        Ss   12:52   0:00 php-fpm: master process (/etc/php-fpm.conf)
apache    5610  0.0  0.4 243060 16840 ?        S    13:23   0:00 php-fpm: pool www
test   5703  0.0  0.0  12112  1080 pts/0    S+   13:32   0:00 grep --color=auto php

In the example above, the user is apache, rather than www-data. Make sure the user can run the /fossid/lib/ort/bin/ort file with sudo without a password.

Run:

/fossid/lib/ort/bin/ort requirements

Check whether it produces any relevant errors. It is not a problem if package managers that you do not need for scanning a particular project are not found.

Go to the Workbench and from System Utils / System Information, initiate the global system check. This runs the same command as the one above. Check that the result is the same and no errors are displayed.

Dependency Analysis is failing with errors and no or empty analyzer-result.json file is created

Check the scan logs for error messages. Often a package manager is missing or incompatible with the project being scanned, which can be fixed by installing the package manager on the FossID server, or it may have insufficient permissions to run.

Debug logging needs to be enabled in fossid.conf for the logs to be produced:

webapp_scan_debug=1

Logs are then stored in the folder configured in fossid.conf:

webapp_logs=/fossid/logs

The name of the log is scan_<scan id>.log (for example scan_1.log for the scan with ID 1).

Dependency Analysis finishes successfully but the results are incomplete

Download the analyzer-result.json and look for errors. The error messages are usually self-explanatory.

Java error appears on RHEL when running ORT

If the following error appears after running ORT:

Exception in thread "main" java.lang.UnsupportedClassVersionError:
org/ossreviewtoolkit/OrtMainKt has been compiled by a more recent version of
the Java Runtime (class file version 55.0), this version of the Java Runtime
only recognizes class file versions up to 52.0
    at java.lang.ClassLoader.defineClass1(Native Method)

Make sure java-11-openjdk is installed and set to be the default:

$ sudo alternatives --config java
There are 2 programs which provide 'java'.

  Selection    Command
-----------------------------------------------
   1           java-11-openjdk.x86_64 (/usr/lib/jvm/java-11-openjdk-11.0.9.11-3.el8_3.x86_64/bin/java)
*+ 2           java-1.8.0-openjdk.x86_64 (/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.275.b01-1.el8_3.x86_64/jre/bin/java)

Access Denied

When Access Denied, EACCES, or a similar code is in the logs, it usually indicates one of the following issues:

  • the Workbench cannot run ort using sudo
  • the Workbench does not have rights to access the directory with ort

Example error message:

gyp ERR! stack Error: EACCES: permission denied,
mkdir '\/fossid\/uploads\/files\/scans\/1\/bootstrap-master\/node_modules\/node-sass\/.node-gyp'

Solution:

Check that the ORT installation directory (default is /fossid/lib/ort) and its contents are owned by the www-data user. Make sure the www-data user is allowed to run the /fossid/lib/ort/bin/ort command with sudo. This is configured in the sudoers file. Check the setup guide for exact configuration instructions.
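The ownership part of this check, which also applies to the "A scan cannot be started" section, as an added example (not FossID or ORT code): it finds the php-fpm pool user in ps aux output and lists every path under the ORT directory that a different user owns. The function names are hypothetical, and the sample input is the ps output shown earlier on this page.

```python
import os

# Sample input: the 'ps aux | grep php' output shown earlier on this page.
PS_SAMPLE = """\
root      4439  0.0  0.5 225684 22228 ?        Ss   12:52   0:00 php-fpm: master process (/etc/php-fpm.conf)
apache    5610  0.0  0.4 243060 16840 ?        S    13:23   0:00 php-fpm: pool www
test   5703  0.0  0.0  12112  1080 pts/0    S+   13:32   0:00 grep --color=auto php
"""


def php_fpm_pool_users(ps_output):
    """Return the users that own 'php-fpm: pool' worker processes."""
    users = set()
    for line in ps_output.splitlines():
        fields = line.split(None, 10)  # the 11th field is the full command
        if len(fields) == 11 and fields[10].startswith("php-fpm: pool"):
            users.add(fields[0])
    return users


def not_owned_by(root, uid):
    """Return paths under root (root included) whose owner is not uid.

    lstat is used so that symbolic links are checked, not their targets.
    """
    bad = [root] if os.lstat(root).st_uid != uid else []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_uid != uid:
                bad.append(path)
    return sorted(bad)


if __name__ == "__main__":
    import pwd
    import subprocess

    ps = subprocess.run(["ps", "aux"], capture_output=True, text=True).stdout
    for user in sorted(php_fpm_pool_users(ps)):
        # /fossid/lib/ort is the default ORT directory named on this page.
        for path in not_owned_by("/fossid/lib/ort", pwd.getpwnam(user).pw_uid):
            print(f"{path}: not owned by {user}")
```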

Cannot run program

ORT Analyzer may sometimes need to run an external package manager to resolve and analyze package dependencies. If the external package manager is missing, an error message like the following may appear in the logs:

Cannot run program \"virtualenv\": error=2, No such file or directory

Solution:

Install the missing program and make sure it can be started by the www-data user using sudo.

In System Utils - System Information, initiate the Global System Check. It includes the basic diagnostics of the ORT Analyzer that displays the installed versions of package managers and whether they are compatible:

\_____  \\______   \__    ___/ the OSS Review Toolkit, version 2020.2.0-SNAPSHOT.
 /   |   \|       _/ |    |
/    |    \    |   \ |    |    Running 'requirements' under Java 11.0.9 on Linux with
\_______  /____|_  / |____|    2 CPUs and a maximum of 988 MiB of memory.
        \/       \/
Environment variables:
ORT_CONFIG_DIR = /root/.ort/config
ORT_DATA_DIR = /root/.ort
SHELL = /bin/bash
TERM = unknown

Scanners:
    - Askalono: Requires 'askalono' in version =0.4.3. Tool not found.
    - BoyterLc: Requires 'lc' in version =1.3.1. Tool not found.
    - Licensee: Requires 'licensee' in version =9.13.0. Tool not found.
    - ScanCode: Requires 'scancode' in version =3.2.1-rc2. Tool not found.

PackageManagers:
    - Bower: Requires 'bower' in version =1.8.8. Tool not found.
    * Bundler: Requires 'bundle' in version >=1.16.0 <2.2.0. Found version 1.17.3.
    - Cargo: Requires 'cargo' in no specific version. Tool not found.
    - Conan: Requires 'conan' in version =1.18.0. Tool not found.
    - GoDep: Requires 'dep' in no specific version. Tool not found.
    - GoMod: Requires 'go' in no specific version. Tool not found.
    * Npm: Requires 'npm' in version >=5.7.0 <6.15.0. Found version 5.8.0.
    - PhpComposer: Requires 'composer' in version >=1.5.0. Tool not found.
    - Pip: Requires 'pip' in no specific version. Tool not found.
    - Pipenv: Requires 'pipenv' in version >=2018.10.9. Tool not found.
    - Pub: Requires 'pub' in version >=2.2.0. Tool not found.
    - Sbt: Requires 'sbt' in version >=0.13.0. Tool not found.
    - Stack: Requires 'stack' in version >=2.1.1. Tool not found.
    - Yarn: Requires 'yarn' in version >=1.3.0 <1.23.0. Tool not found.

VersionControlSystems:
    - Cvs: Requires 'cvs' in no specific version. Tool not found.
    * Git: Requires 'git' in no specific version. Found version 2.20.1.
    - GitRepo: Requires 'repo' in no specific version. Tool not found.
    - Mercurial: Requires 'hg' in no specific version. Tool not found.

Other tools:
    * PythonVersion: Requires 'python3' in no specific version. Found version 3.7.3.
    * VirtualEnv: Requires 'virtualenv' in version >=15.1.0 <20.1.0. Found version 15.1.0.

Prefix legend:
    - The tool was not found in the PATH environment.
    + The tool was found in the PATH environment, but not in the required version.
    * The tool was found in the PATH environment in the required version.

Not all tools were found in their required versions.

Not all package managers are required. If you do not need to scan Python projects, you do not need to install Python and pip on the server.
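Since only some of the listed tools matter for a given project, the report can be filtered down to the ones you need. The following is an added example (not FossID or ORT code) that parses the report using the prefix legend above. The function names are hypothetical, and the sample is constructed in the report's format, with the wording of the '+' line being an assumption.

```python
import re

# Constructed sample in the format of the 'ort requirements' output shown above.
# The '+' line and its "Found version" text are assumptions made for illustration.
SAMPLE = """\
PackageManagers:
    - Bower: Requires 'bower' in version =1.8.8. Tool not found.
    * Bundler: Requires 'bundle' in version >=1.16.0 <2.2.0. Found version 1.17.3.
    + Npm: Requires 'npm' in version >=5.7.0 <6.15.0. Found version 6.15.1.
    - Pip: Requires 'pip' in no specific version. Tool not found.

Other tools:
    * VirtualEnv: Requires 'virtualenv' in version >=15.1.0 <20.1.0. Found version 15.1.0.

Prefix legend:
    - The tool was not found in the PATH environment.
"""

STATUS = {"-": "not found", "+": "wrong version", "*": "ok"}  # prefix legend
SECTION = re.compile(r"^(\w[\w ]*):$")
TOOL = re.compile(r"^\s*([-+*]) (\w+): Requires '([^']+)' in (.+?)\. (.+)$")


def parse_requirements(text):
    """Map each tool name to its section, command, requirement and status."""
    tools, section = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if m := SECTION.match(line):
            section = m.group(1)
        elif m := TOOL.match(line):
            prefix, name, command, requirement, detail = m.groups()
            tools[name] = {"section": section, "command": command,
                           "requirement": requirement,
                           "status": STATUS[prefix], "detail": detail}
    return tools


def unmet(text, needed):
    """Status of every tool in `needed` that is not marked '*' in the report."""
    tools = parse_requirements(text)
    result = {}
    for name in needed:
        status = tools.get(name, {}).get("status", "not listed")
        if status != "ok":
            result[name] = status
    return result


if __name__ == "__main__":
    import sys
    # Feed the report on stdin and name the tools you need as arguments.
    print(unmet(sys.stdin.read(), sys.argv[1:]))
```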

Analyzer has issues

If the results are displayed but you see a message that the Analyzer has found some issues, the message will contain a link to download the raw result of the analysis. The output is a JSON file, and the issues are listed near the end of the file:

     "issues" : {
        "NPM::npm-demo/package.json:" : [ {
          "timestamp" : "2020-11-18T11:58:53.293613Z",
          "source" : "NPM",
          "message" : "Resolving dependencies for 'package.json' failed with: IllegalArgumentException:\
          \ No lockfile found in 'eai-platform'. This potentially results in unstable\
          \ versions of dependencies. To allow this, enable support for dynamic versions.",
          "severity" : "ERROR"
        } ]
      },
      "has_issues" : true

The issue description may indicate to the development team what they need to provide or adjust in their source code to improve the analysis.
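To pull the issues out of a large result file instead of scrolling to the end of it, the following added example (not FossID or ORT code) collects every "issues" mapping of the shape shown above, wherever it sits in the document. The function names are hypothetical, and the sample is constructed around the fragment above, with its nesting under "analyzer" being an assumption.

```python
import json
from collections import Counter

# Constructed sample: the "issues" fragment shown above (message shortened),
# plus a made-up WARNING. The nesting under "analyzer" is an assumption.
SAMPLE = json.loads("""
{"analyzer": {"result": {
  "issues": {
    "NPM::npm-demo/package.json:": [{
      "timestamp": "2020-11-18T11:58:53.293613Z",
      "source": "NPM",
      "message": "Resolving dependencies for 'package.json' failed with:\\n  IllegalArgumentException: No lockfile found in 'eai-platform'.",
      "severity": "ERROR"}],
    "PIP::demo/requirements.txt:": [{
      "timestamp": "2020-11-18T11:59:02Z",
      "source": "PIP",
      "message": "Constructed sample warning.",
      "severity": "WARNING"}]},
  "has_issues": true}}}
""")


def iter_issues(node):
    """Yield (identifier, issue) for each "issues" mapping found in the document."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "issues" and isinstance(value, dict):
                for ident, entries in value.items():
                    for issue in entries if isinstance(entries, list) else []:
                        if isinstance(issue, dict):
                            yield ident, issue
            else:
                yield from iter_issues(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_issues(item)


def summarize(doc):
    """Return (rows, count per severity); message whitespace is collapsed."""
    rows = [{"id": ident, "source": issue.get("source"),
             "severity": issue.get("severity"),
             "message": " ".join(str(issue.get("message", "")).split())}
            for ident, issue in iter_issues(doc)]
    return rows, Counter(row["severity"] for row in rows)


if __name__ == "__main__":
    import sys
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for row in summarize(doc)[0]:
        print(f"{row['severity']:8} {row['id']} {row['message']}")
```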

NuGet may require dotnet-sdk-6.0 for nuget-inspector in some dependencies

NuGet may specifically require dotnet-sdk-6.0 for nuget-inspector in some dependencies, as dotnet-sdk-7.0 and dotnet-sdk-8.0 failed in testing.