SpdxListedLicenseException when the internet is not available #172

Open
garydgregory opened this issue Nov 15, 2024 · 3 comments

@garydgregory

Hi All,

Would it be possible for the plugin to deliver known licenses in its jar and only go to the internet if absolutely required?

Without internet access you get:

[INFO] --- spdx:0.7.4:createSPDX (build-sbom-spdx) @ commons-io ---
[INFO] spdx file type = .json
[INFO] Creating SPDX File C:\Users\ggregory\git\a\commons-io\target\site\commons-io_commons-io-2.18.0-SNAPSHOT.spdx.json
[ERROR] Unable to access the most current listed licenses from https://spdx.org/licenses - using locally cached licenses: I/O error reading license TOC
org.spdx.library.model.license.SpdxListedLicenseException: I/O error reading license TOC
    at org.spdx.storage.listedlicense.SpdxListedLicenseModelStore.loadIds (SpdxListedLicenseModelStore.java:175)
    at org.spdx.storage.listedlicense.SpdxListedLicenseModelStore.<init> (SpdxListedLicenseModelStore.java:110)
    at org.spdx.storage.listedlicense.SpdxListedLicenseWebStore.<init> (SpdxListedLicenseWebStore.java:39)
    at org.spdx.library.model.license.ListedLicenses.initializeLicenseModelStore (ListedLicenses.java:81)
    at org.spdx.library.model.license.ListedLicenses.<init> (ListedLicenses.java:65)
    at org.spdx.library.model.license.ListedLicenses.getListedLicenses (ListedLicenses.java:112)
    at org.spdx.library.model.SpdxModelFactory.createSpdxDocument (SpdxModelFactory.java:156)
    at org.spdx.maven.utils.SpdxDocumentBuilder.<init> (SpdxDocumentBuilder.java:151)
    at org.spdx.maven.CreateSpdxMojo.initSpdxDocumentBuilder (CreateSpdxMojo.java:625)
    at org.spdx.maven.CreateSpdxMojo.execute (CreateSpdxMojo.java:512)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:126)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2 (MojoExecutor.java:328)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:316)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:212)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:174)
    at org.apache.maven.lifecycle.internal.MojoExecutor.access$000 (MojoExecutor.java:75)
    at org.apache.maven.lifecycle.internal.MojoExecutor$1.run (MojoExecutor.java:162)
    at org.apache.maven.plugin.DefaultMojosExecutionStrategy.execute (DefaultMojosExecutionStrategy.java:39)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:159)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:105)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:73)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:53)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:118)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:261)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:173)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:101)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:906)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:283)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:206)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:77)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:569)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:255)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:201)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:361)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:314)
Caused by: java.net.UnknownHostException: spdx.org
    at sun.nio.ch.NioSocketImpl.connect (NioSocketImpl.java:572)
    at java.net.SocksSocketImpl.connect (SocksSocketImpl.java:327)
    at java.net.Socket.connect (Socket.java:633)
    at sun.security.ssl.SSLSocketImpl.connect (SSLSocketImpl.java:304)
    at sun.security.ssl.BaseSSLSocketImpl.connect (BaseSSLSocketImpl.java:174)
    at sun.net.NetworkClient.doConnect (NetworkClient.java:183)
    at sun.net.www.http.HttpClient.openServer (HttpClient.java:533)
    at sun.net.www.http.HttpClient.openServer (HttpClient.java:638)
    at sun.net.www.protocol.https.HttpsClient.<init> (HttpsClient.java:266)
    at sun.net.www.protocol.https.HttpsClient.New (HttpsClient.java:380)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient (AbstractDelegateHttpsURLConnection.java:193)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect0 (HttpURLConnection.java:1256)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect (HttpURLConnection.java:1142)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect (AbstractDelegateHttpsURLConnection.java:179)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0 (HttpURLConnection.java:1701)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream (HttpURLConnection.java:1625)
    at java.net.HttpURLConnection.getResponseCode (HttpURLConnection.java:529)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode (HttpsURLConnectionImpl.java:308)
    at org.spdx.utility.DownloadCache.processPossibleRedirect (DownloadCache.java:352)
    at org.spdx.utility.DownloadCache.getUrlInputStreamDirect (DownloadCache.java:203)
    at org.spdx.utility.DownloadCache.getUrlInputStream (DownloadCache.java:186)
    at org.spdx.utility.DownloadCache.getUrlInputStream (DownloadCache.java:169)
    at org.spdx.storage.listedlicense.SpdxListedLicenseWebStore.getUrlInputStream (SpdxListedLicenseWebStore.java:43)
    at org.spdx.storage.listedlicense.SpdxListedLicenseWebStore.getTocInputStream (SpdxListedLicenseWebStore.java:48)
    at org.spdx.storage.listedlicense.SpdxListedLicenseModelStore.loadIds (SpdxListedLicenseModelStore.java:152)
    at org.spdx.storage.listedlicense.SpdxListedLicenseModelStore.<init> (SpdxListedLicenseModelStore.java:110)
    at org.spdx.storage.listedlicense.SpdxListedLicenseWebStore.<init> (SpdxListedLicenseWebStore.java:39)
    at org.spdx.library.model.license.ListedLicenses.initializeLicenseModelStore (ListedLicenses.java:81)
    at org.spdx.library.model.license.ListedLicenses.<init> (ListedLicenses.java:65)
    at org.spdx.library.model.license.ListedLicenses.getListedLicenses (ListedLicenses.java:112)
    at org.spdx.library.model.SpdxModelFactory.createSpdxDocument (SpdxModelFactory.java:156)
    at org.spdx.maven.utils.SpdxDocumentBuilder.<init> (SpdxDocumentBuilder.java:151)
    at org.spdx.maven.CreateSpdxMojo.initSpdxDocumentBuilder (CreateSpdxMojo.java:625)
    at org.spdx.maven.CreateSpdxMojo.execute (CreateSpdxMojo.java:512)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:126)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2 (MojoExecutor.java:328)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:316)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:212)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:174)
    at org.apache.maven.lifecycle.internal.MojoExecutor.access$000 (MojoExecutor.java:75)
    at org.apache.maven.lifecycle.internal.MojoExecutor$1.run (MojoExecutor.java:162)
    at org.apache.maven.plugin.DefaultMojosExecutionStrategy.execute (DefaultMojosExecutionStrategy.java:39)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:159)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:105)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:73)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:53)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:118)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:261)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:173)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:101)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:906)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:283)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:206)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:77)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:569)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:255)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:201)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:361)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:314)
@goneall
Member

goneall commented Nov 15, 2024

Short answer is yes - that functionality is already built in.

From the above error message, it looks like it is falling back to using the locally cached licenses, just after displaying a rather ugly error message.

The SPDX Java Library supports system environment variables to control whether to attempt going out to the internet or not. See https://github.com/spdx/spdx-java-library?tab=readme-ov-file#configuration-options

@garydgregory Let me know if this solves the issue.

We could probably better document and/or provide a more convenient configuration mechanism in the Maven plugin. Let me know if you have any thoughts on this.

@garydgregory
Author

@goneall

Thank you for the answer. The docs look good.

Since not having internet access is rare, I might leave it as is but... the large error message due to the stack trace is alarming in the sense that I am left not knowing (without your explanation and reading the docs) what it is the plugin actually did.

I think this is really now a request for the plugin to catch this error and log a helpful message to the console such that Maven users are left with an actionable item: "this happened because of that, if you want the internet behavior x, see the docs here" kind of message.

Ty!
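
Added example, not part of the thread and not code from the plugin or the SPDX Java Library: a Python filter that condenses the Maven output quoted in this issue into one actionable line per license-list fallback. It assumes the message wording shown in the log above and matches it at any log level; the function names and the abridged sample log are constructed for the example.

```python
import re

# Constructed sample: abridged from the Maven output quoted in this issue.
SAMPLE_LOG = """\
[INFO] --- spdx:0.7.4:createSPDX (build-sbom-spdx) @ commons-io ---
[INFO] spdx file type = .json
[ERROR] Unable to access the most current listed licenses from https://spdx.org/licenses - using locally cached licenses: I/O error reading license TOC
org.spdx.library.model.license.SpdxListedLicenseException: I/O error reading license TOC
    at org.spdx.storage.listedlicense.SpdxListedLicenseModelStore.loadIds (SpdxListedLicenseModelStore.java:175)
Caused by: java.net.UnknownHostException: spdx.org
    at sun.nio.ch.NioSocketImpl.connect (NioSocketImpl.java:572)
"""

GOAL = re.compile(r"^\[INFO\] --- (\S+) \(([^)]*)\) @ (\S+) ---")
# Match on the message text, not the level: the thread moves it from error to warn.
FALLBACK = re.compile(r"^\[(\w+)\] Unable to access the most current listed licenses from (\S+)")
CAUSE = re.compile(r"^Caused by: ([\w.$]+)(?:: (.*))?$")


def summarize_license_fallback(log_text):
    """Return one dict per license-list fallback found in Maven output."""
    findings, goal, current = [], None, None
    for line in log_text.splitlines():
        if m := GOAL.match(line):
            # A new plugin execution starts; later traces belong to it, not to us.
            goal, current = {"goal": m[1], "module": m[3]}, None
        elif m := FALLBACK.match(line):
            current = {**(goal or {}), "level": m[1], "url": m[2], "root_cause": None}
            findings.append(current)
        elif current is not None and (m := CAUSE.match(line)):
            # The last "Caused by:" in a chained trace is the root cause.
            current["root_cause"] = f"{m[1]}: {m[2]}" if m[2] else m[1]
    return findings


def render(finding):
    """One actionable line in place of the full stack trace."""
    return (f"{finding.get('goal', '?')} @ {finding.get('module', '?')}: could not reach "
            f"{finding['url']} ({finding['root_cause'] or 'cause not logged'}); "
            "SBOM was built from locally cached licenses, which may be stale. "
            "See the useJARLicenseInfoOnly property to skip the network lookup.")


if __name__ == "__main__":
    for f in summarize_license_fallback(SAMPLE_LOG):
        print(render(f))
```
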

goneall added a commit to spdx/Spdx-Java-Library that referenced this issue Nov 16, 2024
Changes the logging level from error to warn if the license list can not
be accessed over the network.  The logic being that the impact is not
substantial since you may only be referencing a stale version of the
license list rather than the most recent.

The warning message was also enhanced to point to the
useJARLicenseInfoOnly property.

Reference related issue
spdx/spdx-maven-plugin#172
@goneall
Member

goneall commented Nov 16, 2024

It looks like the latest SPDX Java library already excludes the stack trace from the logging message. It still, however, will log this as an error rather than a warning. Perhaps it should be a warning rather than an error since the impact is it will use a possibly stale version of the license list.

I created a PR to change the error to warning.

goneall added a commit to spdx/Spdx-Java-Library that referenced this issue Dec 12, 2024
Changes the logging level from error to warn if the license list can not
be accessed over the network.  The logic being that the impact is not
substantial since you may only be referencing a stale version of the
license list rather than the most recent.

The warning message was also enhanced to point to the
useJARLicenseInfoOnly property.

Reference related issue
spdx/spdx-maven-plugin#172