Analyzer/Reporter possibly do not hook correctly into Pub in my Flutter project #9960

@mnm-Sharpen360

Hi,

I am using ort on an older (2+ years) Flutter project with the intention of generating an SBOM as a basis for analyzing dependency risks and vulnerabilities. Additionally, I am interested in using the tool for analyzing which licenses are used in the project.

However, I am uneasy as to whether the results I get are faulty or incomplete, due to the following factors:

  1. The Analyzer is giving me some errors, although it does ultimately generate an analyzer-result.yml file
  2. After running the Reporter, some packages in pubspec.lock are not in the final bom.cyclonedx.json file
  3. None of the reported dependencies have a license, despite most (if not all) having their license listed on pub.dev

I'll go through these in order, but first some basic info about my setup:

Setup

ort is installed in the simplest way by downloading the latest binaries, and adding them to my environment variable.

Java is likewise added to the environment variable, and I'm using the distribution that comes with Android Studio Ladybug Feature Drop | 2024.2.2 Patch 1. This version of Java is 21.0.5.

ort requirements outputs the following:

Hoplite is configured to infer which sealed type to choose by inspecting the config values at runtime. This behaviour is now deprecated in favour of explicitly specifying the type through a discriminator field. In 3.0 this new behavior will become the default. To enable this behavior now (and disable this warning), invoke withExplicitSealedTypes() on the ConfigLoaderBuilder.
 ______________________________
/        \_______   \__    ___/ The OSS Review Toolkit, version 51.1.0,
|    |   | |       _/ |    |    built with JDK 21.0.6+7-LTS, running under Java 21.0.5.
|    |   | |    |   \ |    |    Executing 'requirements' as 'MikkelEmilNielsen-Ma' on Windows 11
\________/ |____|___/ |____|    with 16 CPUs and a maximum of 8112 MiB of memory.

Environment variables:
ORT_CONFIG_DIR = C:\Users\MikkelEmilNielsen-Ma\.ort\config
ORT_DATA_DIR = C:\Users\MikkelEmilNielsen-Ma\.ort
USERPROFILE = C:\Users\MikkelEmilNielsen-Ma
OS = Windows_NT
COMSPEC = C:\WINDOWS\system32\cmd.exe

Looking for ORT configuration in the following file:
        C:\Users\MikkelEmilNielsen-Ma\.ort\config\config.yml

PackageManagerFactory plugins:
        * Bazel
        * Bower
        * Bundler
        * Cargo
        * Carthage
        * CocoaPods
        * Composer
        * Conan
        * GoMod
        * Gradle
        * GradleInspector
        * Maven
        * NPM
        * NuGet
        * PIP
        * Pipenv
        * PNPM
        * Poetry
        * Pub
        * SBT
        * SpdxDocumentFile
        * Stack
        * SwiftPM
        * Unmanaged
        * Yarn
        * Yarn2

ScannerWrapperFactory plugins:
        * Askalono
        * BoyterLc
        * DOS
        * FossId
        * Licensee
        * ScanCode
        * SCANOSS

Scanners:
        * Askalono: Requires 'askalono.exe' in no specific version. Found version 0.5.0.
        - BoyterLc: Requires 'lc.exe' in no specific version. Tool not found.
        - Licensee: Requires 'licensee.bat' in no specific version. Tool not found.
        * ScanCode: Requires 'scancode.bat' in version >=30.0.0. Found version 32.3.2.

PackageManagers:
        - Bazel: Requires 'bazel' in version >=7.0.0. Tool not found.
        - Bower: Requires 'bower.cmd' in version >=1.8.8. Tool not found.
        - Buildozer: Requires 'buildozer' in no specific version. Tool not found.
        - Cargo: Requires 'cargo' in no specific version. Tool not found.
        - CocoaPods: Requires 'pod.bat' in version >=1.11.0. Tool not found.
        - Composer: Requires 'composer.bat' in version >=1.5.0. Tool not found.
        - Conan: Requires 'conan' in version >=1.44.0 and <2.0.0. Tool not found.
        - Go: Requires 'go' in version >=1.21.1. Tool not found.
        * Npm: Requires 'npm.cmd' in version >=6.0.0 and <11.0.0. Found version 10.8.1.
        - NuGetInspector: Requires 'nuget-inspector' in no specific version. Tool not found.
        - Pipenv: Requires 'pipenv' in version >=2018.10.9. Tool not found.
        - Pnpm: Requires 'pnpm.cmd' in version >=5.0.0 and <10.0.0. Tool not found.
        - Poetry: Requires 'poetry' in no specific version. Tool not found.
        * Pub: Requires 'C:\src\flutter\bin\dart.bat' in version >=2.10.0. Found version 3.5.3.
        - PythonInspector: Requires 'python-inspector' in version >=0.9.2. Tool not found.
        - Sbt: Requires 'sbt.bat' in no specific version. Tool not found.
        - Stack: Requires 'stack' in version >=2.1.1. Tool not found.
        - Swift: Requires 'swift.exe' in no specific version. Tool not found.
        - Yarn: Requires 'yarn.cmd' in version >=1.3.0 and <1.23.0. Tool not found.

VersionControlSystems:
        * Git: Requires 'git' in version >=2.29.0. Found version 2.39.0.windows.2.
        - GitRepo: Requires 'repo' in no specific version. Tool not found.
        - Mercurial: Requires 'hg' in no specific version. Tool not found.

Prefix legend:
        - The tool was not found in the PATH environment.
        + The tool was found in the PATH environment, but not in the required version.
        * The tool was found in the PATH environment in the required version.

ScanCode license texts found in 'C:\src\scancode\scancode-toolkit-v32.3.2\venv\Lib\site-packages\licensedcode\data\licenses'.

Not all tools requirements were satisfied:
        ! Some tools were not found at all.

Configuration

The Flutter project in question is only released on web, so in an effort to not analyze the build.gradle and other Android-specific files, I have made the following configurations:

<project_folder>/.ort.yml:

excludes:
  paths:
  - pattern: "android/**"
    reason: "OTHER"
    comment: "This project does not get built for Android"
  - pattern: "<nested project>/**"
    reason: "OTHER"
    comment: "Including this repository causes a duplicate error in ort, so we exclude it from analysis for now"

~/.ort/config/config.yml:

ort:
  analyzer:
    skipExcluded: true

  scanner:
    skipConcluded: true
    skipExcluded: true

    archive:
      enabled: true

      fileStorage:
        localFileStorage:
          directory: ~/.ort/scanner/archive
          compression: false

    fileListStorage:
      fileStorage:
        localFileStorage:
          directory: ~/.ort/scanner/file-lists
          compression: false
      
    storages:
      local:
        backend:
          localFileStorage:
            directory: ~/.ort/scanner/results
            compression: false

    storageReaders: [local]

Analyzer errors

I analyze the project using the command ort analyze -i ./ -o ./ort/analyzer

This gives the following output (13 other near-identical errors removed due to character limit):

Hoplite is configured to infer which sealed type to choose by inspecting the config values at runtime. This behaviour is now deprecated in favour of explicitly specifying the type through a discriminator field. In 3.0 this new behavior will become the default. To enable this behavior now (and disable this warning), invoke withExplicitSealedTypes() on the ConfigLoaderBuilder.
 ______________________________
/        \_______   \__    ___/ The OSS Review Toolkit, version 51.1.0,
|    |   | |       _/ |    |    built with JDK 21.0.6+7-LTS, running under Java 21.0.5.
|    |   | |    |   \ |    |    Executing 'analyze' as 'MikkelEmilNielsen-Ma' on Windows 11
\________/ |____|___/ |____|    with 16 CPUs and a maximum of 8112 MiB of memory.

Environment variables:
ORT_CONFIG_DIR = C:\Users\MikkelEmilNielsen-Ma\.ort\config
ORT_DATA_DIR = C:\Users\MikkelEmilNielsen-Ma\.ort
USERPROFILE = C:\Users\MikkelEmilNielsen-Ma
OS = Windows_NT
COMSPEC = C:\WINDOWS\system32\cmd.exe

Looking for ORT configuration in the following file:
        C:\Users\MikkelEmilNielsen-Ma\.ort\config\config.yml

Looking for analyzer-specific configuration in the following files and directories:
        C:\Users\MikkelEmilNielsen-Ma\Documents\GitHub\trace-metrics\.ort.yml
        C:\Users\MikkelEmilNielsen-Ma\.ort\config\resolutions.yml (does not exist)
The following 25 package manager(s) are enabled:
        Bazel, Bower, Bundler, Cargo, Carthage, CocoaPods, Composer, Conan, GoMod, GradleInspector, Maven, NPM, NuGet, PIP, Pipenv, PNPM, Poetry, Pub, SBT, SpdxDocumentFile, Stack, SwiftPM, Unmanaged, Yarn, Yarn2
The following 2 package curation provider(s) are enabled:
        DefaultDir, DefaultFile
Analyzing project path:
        C:\Users\MikkelEmilNielsen-Ma\Documents\GitHub\trace-metrics
Found 1 Pub definition file(s) at:
        pubspec.yaml
Found in total 1 definition file(s) from the following 1 package manager(s):
        Pub
14:23:41.881 [DefaultDispatcher-worker-1] ERROR org.ossreviewtoolkit.analyzer.PackageManager - GradleInspector failed to resolve dependencies for path 'build.gradle': BuildException: Could not fetch model of type 'OrtDependencyTreeModel' using connection to Gradle distribution 'https://services.gradle.org/distributions/gradle-7.3-bin.zip'.
Caused by: LocationAwareException: Initialization script 'C:\Users\MikkelEmilNielsen-Ma\.ort\tools\GradleInspector\init.gradle'
Could not compile initialization script 'C:\Users\MikkelEmilNielsen-Ma\.ort\tools\GradleInspector\init.gradle'.
    Caused by: ContextualPlaceholderException: Could not compile initialization script 'C:\Users\MikkelEmilNielsen-Ma\.ort\tools\GradleInspector\init.gradle'.
        Caused by: PlaceholderException: startup failed:
        General error during conversion: Unsupported class file major version 65

        java.lang.IllegalArgumentException: Unsupported class file major version 65
                at groovyjarjarasm.asm.ClassReader.<init>(ClassReader.java:199)
                at groovyjarjarasm.asm.ClassReader.<init>(ClassReader.java:180)
                at groovyjarjarasm.asm.ClassReader.<init>(ClassReader.java:166)
                at groovyjarjarasm.asm.ClassReader.<init>(ClassReader.java:287)
                at org.codehaus.groovy.ast.decompiled.AsmDecompiler.parseClass(AsmDecompiler.java:81)
                at org.codehaus.groovy.control.ClassNodeResolver.findDecompiled(ClassNodeResolver.java:251)
                at org.codehaus.groovy.control.ClassNodeResolver.tryAsLoaderClassOrScript(ClassNodeResolver.java:189)
                at org.codehaus.groovy.control.ClassNodeResolver.findClassNode(ClassNodeResolver.java:169)
                at org.codehaus.groovy.control.ClassNodeResolver.resolveName(ClassNodeResolver.java:125)
                at org.codehaus.groovy.ast.decompiled.AsmReferenceResolver.resolveClassNullable(AsmReferenceResolver.java:57)
                at org.codehaus.groovy.ast.decompiled.AsmReferenceResolver.resolveClass(AsmReferenceResolver.java:44)
                at org.codehaus.groovy.ast.decompiled.AsmReferenceResolver.resolveNonArrayType(AsmReferenceResolver.java:79)
                at org.codehaus.groovy.ast.decompiled.AsmReferenceResolver.resolveType(AsmReferenceResolver.java:70)
                at org.codehaus.groovy.ast.decompiled.MemberSignatureParser.createMethodNode(MemberSignatureParser.java:58)
                at org.codehaus.groovy.ast.decompiled.DecompiledClassNode.lambda$createMethodNode$1(DecompiledClassNode.java:230)
                at org.codehaus.groovy.ast.decompiled.DecompiledClassNode.createMethodNode(DecompiledClassNode.java:236)
                at org.codehaus.groovy.ast.decompiled.DecompiledClassNode.lazyInitMembers(DecompiledClassNode.java:203)
                at org.codehaus.groovy.ast.decompiled.DecompiledClassNode.getDeclaredMethods(DecompiledClassNode.java:122)
                at org.codehaus.groovy.ast.ClassNode.tryFindPossibleMethod(ClassNode.java:1283)
                at org.codehaus.groovy.control.StaticImportVisitor.transformMethodCallExpression(StaticImportVisitor.java:251)
                at org.codehaus.groovy.control.StaticImportVisitor.transform(StaticImportVisitor.java:133)
                at org.codehaus.groovy.ast.ClassCodeExpressionTransformer.visitExpressionStatement(ClassCodeExpressionTransformer.java:108)
                at org.codehaus.groovy.ast.stmt.ExpressionStatement.visit(ExpressionStatement.java:40)
                at org.codehaus.groovy.ast.ClassCodeVisitorSupport.visitClassCodeContainer(ClassCodeVisitorSupport.java:138)
                at org.codehaus.groovy.ast.ClassCodeVisitorSupport.visitConstructorOrMethod(ClassCodeVisitorSupport.java:111)
                at org.codehaus.groovy.ast.ClassCodeExpressionTransformer.visitConstructorOrMethod(ClassCodeExpressionTransformer.java:66)
                at org.codehaus.groovy.control.StaticImportVisitor.visitConstructorOrMethod(StaticImportVisitor.java:108)
                at org.codehaus.groovy.ast.ClassCodeVisitorSupport.visitConstructor(ClassCodeVisitorSupport.java:101)
                at org.codehaus.groovy.ast.ClassNode.visitContents(ClassNode.java:1089)
                at org.codehaus.groovy.ast.ClassCodeVisitorSupport.visitClass(ClassCodeVisitorSupport.java:52)
                at org.codehaus.groovy.control.CompilationUnit.lambda$addPhaseOperations$3(CompilationUnit.java:209)
                at org.codehaus.groovy.control.CompilationUnit$IPrimaryClassNodeOperation.doPhaseOperation(CompilationUnit.java:942)
                at org.codehaus.groovy.control.CompilationUnit.processPhaseOperations(CompilationUnit.java:671)
                at org.codehaus.groovy.control.CompilationUnit.compile(CompilationUnit.java:635)
                at groovy.lang.GroovyClassLoader.doParseClass(GroovyClassLoader.java:389)
                at groovy.lang.GroovyClassLoader.lambda$parseClass$3(GroovyClassLoader.java:332)
                at org.codehaus.groovy.runtime.memoize.StampedCommonCache.compute(StampedCommonCache.java:163)
                at org.codehaus.groovy.runtime.memoize.StampedCommonCache.getAndPut(StampedCommonCache.java:154)
                at groovy.lang.GroovyClassLoader.parseClass(GroovyClassLoader.java:330)
                at org.gradle.groovy.scripts.internal.DefaultScriptCompilationHandler.compileScript(DefaultScriptCompilationHandler.java:139)
                at org.gradle.groovy.scripts.internal.DefaultScriptCompilationHandler.compileToDir(DefaultScriptCompilationHandler.java:95)
                at org.gradle.groovy.scripts.internal.BuildOperationBackedScriptCompilationHandler$2.run(BuildOperationBackedScriptCompilationHandler.java:54)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$1.execute(DefaultBuildOperationRunner.java:29)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$1.execute(DefaultBuildOperationRunner.java:26)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:66)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:59)
                at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:157)
                at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:59)
                at org.gradle.internal.operations.DefaultBuildOperationRunner.run(DefaultBuildOperationRunner.java:47)
                at org.gradle.internal.operations.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:68)
                at org.gradle.groovy.scripts.internal.BuildOperationBackedScriptCompilationHandler.compileToDir(BuildOperationBackedScriptCompilationHandler.java:51)
                at org.gradle.groovy.scripts.internal.FileCacheBackedScriptClassCompiler$CompileToCrossBuildCacheAction.execute(FileCacheBackedScriptClassCompiler.java:190)
                at org.gradle.groovy.scripts.internal.FileCacheBackedScriptClassCompiler$CompileToCrossBuildCacheAction.execute(FileCacheBackedScriptClassCompiler.java:170)
                at org.gradle.groovy.scripts.internal.FileCacheBackedScriptClassCompiler$ProgressReportingInitializer.execute(FileCacheBackedScriptClassCompiler.java:211)
                at org.gradle.groovy.scripts.internal.FileCacheBackedScriptClassCompiler$ProgressReportingInitializer.execute(FileCacheBackedScriptClassCompiler.java:194)
                at org.gradle.cache.internal.DefaultPersistentDirectoryCache$Initializer.initialize(DefaultPersistentDirectoryCache.java:100)
                at org.gradle.cache.internal.FixedSharedModeCrossProcessCacheAccess$1.run(FixedSharedModeCrossProcessCacheAccess.java:86)
                at org.gradle.cache.internal.DefaultFileLockManager$DefaultFileLock.doWriteAction(DefaultFileLockManager.java:216)
                at org.gradle.cache.internal.DefaultFileLockManager$DefaultFileLock.writeFile(DefaultFileLockManager.java:206)
                at org.gradle.cache.internal.FixedSharedModeCrossProcessCacheAccess.open(FixedSharedModeCrossProcessCacheAccess.java:83)
                at org.gradle.cache.internal.DefaultCacheAccess.open(DefaultCacheAccess.java:139)
                at org.gradle.cache.internal.DefaultPersistentDirectoryStore.open(DefaultPersistentDirectoryStore.java:89)
                at org.gradle.cache.internal.DefaultPersistentDirectoryStore.open(DefaultPersistentDirectoryStore.java:43)
                at org.gradle.cache.internal.DefaultCacheFactory.doOpen(DefaultCacheFactory.java:103)
                at org.gradle.cache.internal.DefaultCacheFactory.open(DefaultCacheFactory.java:68)
                at org.gradle.cache.internal.DefaultCacheRepository$PersistentCacheBuilder.open(DefaultCacheRepository.java:117)
                at org.gradle.groovy.scripts.internal.FileCacheBackedScriptClassCompiler.compile(FileCacheBackedScriptClassCompiler.java:116)
                at org.gradle.groovy.scripts.internal.CrossBuildInMemoryCachingScriptClassCache.getOrCompile(CrossBuildInMemoryCachingScriptClassCache.java:50)
                at org.gradle.groovy.scripts.internal.BuildScopeInMemoryCachingScriptClassCompiler.compile(BuildScopeInMemoryCachingScriptClassCompiler.java:50)
                at org.gradle.groovy.scripts.DefaultScriptCompilerFactory$ScriptCompilerImpl.compile(DefaultScriptCompilerFactory.java:49)
                at org.gradle.configuration.DefaultScriptPluginFactory$ScriptPluginImpl.apply(DefaultScriptPluginFactory.java:110)
                at org.gradle.configuration.BuildOperationScriptPlugin$1.run(BuildOperationScriptPlugin.java:65)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$1.execute(DefaultBuildOperationRunner.java:29)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$1.execute(DefaultBuildOperationRunner.java:26)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:66)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:59)
                at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:157)
                at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:59)
                at org.gradle.internal.operations.DefaultBuildOperationRunner.run(DefaultBuildOperationRunner.java:47)
                at org.gradle.internal.operations.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:68)
                at org.gradle.configuration.BuildOperationScriptPlugin.lambda$apply$0(BuildOperationScriptPlugin.java:62)
                at org.gradle.configuration.internal.DefaultUserCodeApplicationContext.apply(DefaultUserCodeApplicationContext.java:44)
                at org.gradle.configuration.BuildOperationScriptPlugin.apply(BuildOperationScriptPlugin.java:62)
                at org.gradle.configuration.DefaultInitScriptProcessor.process(DefaultInitScriptProcessor.java:50)
                at org.gradle.initialization.InitScriptHandler$1.run(InitScriptHandler.java:56)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$1.execute(DefaultBuildOperationRunner.java:29)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$1.execute(DefaultBuildOperationRunner.java:26)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:66)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:59)
                at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:157)
                at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:59)
                at org.gradle.internal.operations.DefaultBuildOperationRunner.run(DefaultBuildOperationRunner.java:47)
                at org.gradle.internal.operations.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:68)
                at org.gradle.initialization.InitScriptHandler.executeScripts(InitScriptHandler.java:51)
                at org.gradle.initialization.InitScriptHandlingSettingsLoader.findAndLoadSettings(InitScriptHandlingSettingsLoader.java:33)
                at org.gradle.initialization.GradlePropertiesHandlingSettingsLoader.findAndLoadSettings(GradlePropertiesHandlingSettingsLoader.java:39)
                at org.gradle.initialization.DefaultSettingsPreparer.prepareSettings(DefaultSettingsPreparer.java:31)
                at org.gradle.initialization.BuildOperationFiringSettingsPreparer$LoadBuild.doLoadBuild(BuildOperationFiringSettingsPreparer.java:62)
                at org.gradle.initialization.BuildOperationFiringSettingsPreparer$LoadBuild.run(BuildOperationFiringSettingsPreparer.java:57)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$1.execute(DefaultBuildOperationRunner.java:29)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$1.execute(DefaultBuildOperationRunner.java:26)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:66)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:59)
                at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:157)
                at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:59)
                at org.gradle.internal.operations.DefaultBuildOperationRunner.run(DefaultBuildOperationRunner.java:47)
                at org.gradle.internal.operations.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:68)
                at org.gradle.initialization.BuildOperationFiringSettingsPreparer.prepareSettings(BuildOperationFiringSettingsPreparer.java:45)
                at org.gradle.initialization.VintageBuildModelController.lambda$prepareSettings$0(VintageBuildModelController.java:89)
                at org.gradle.internal.build.StateTransitionController.lambda$doTransition$1(StateTransitionController.java:222)
                at org.gradle.internal.build.StateTransitionController.doTransition(StateTransitionController.java:243)
                at org.gradle.internal.build.StateTransitionController.doTransition(StateTransitionController.java:221)
                at org.gradle.internal.build.StateTransitionController.transitionIfNotPreviously(StateTransitionController.java:190)
                at org.gradle.initialization.VintageBuildModelController.prepareSettings(VintageBuildModelController.java:89)
                at org.gradle.initialization.VintageBuildModelController.doBuildStages(VintageBuildModelController.java:73)
                at org.gradle.initialization.VintageBuildModelController.getConfiguredModel(VintageBuildModelController.java:58)
                at org.gradle.internal.build.StateTransitionController.notInStateIgnoreOtherThreads(StateTransitionController.java:89)
                at org.gradle.internal.build.DefaultBuildLifecycleController.getConfiguredBuild(DefaultBuildLifecycleController.java:98)
                at org.gradle.internal.build.AbstractBuildState.ensureProjectsConfigured(AbstractBuildState.java:65)
                at org.gradle.internal.buildtree.DefaultBuildTreeModelCreator$DefaultBuildToolingModelController.locateBuilderForTarget(DefaultBuildTreeModelCreator.java:90)
                at org.gradle.internal.buildtree.DefaultBuildTreeModelCreator$DefaultBuildToolingModelController.locateBuilderForDefaultTarget(DefaultBuildTreeModelCreator.java:82)
                at org.gradle.tooling.internal.provider.runner.BuildModelActionRunner$ModelCreateAction.fromBuildModel(BuildModelActionRunner.java:83)
                at org.gradle.internal.buildtree.DefaultBuildTreeModelCreator.fromBuildModel(DefaultBuildTreeModelCreator.java:62)
                at org.gradle.internal.buildtree.DefaultBuildTreeLifecycleController.lambda$fromBuildModel$1(DefaultBuildTreeLifecycleController.java:79)
                at org.gradle.internal.buildtree.DefaultBuildTreeLifecycleController.lambda$runBuild$4(DefaultBuildTreeLifecycleController.java:103)
                at org.gradle.internal.build.StateTransitionController.lambda$transition$0(StateTransitionController.java:145)
                at org.gradle.internal.build.StateTransitionController.doTransition(StateTransitionController.java:243)
                at org.gradle.internal.build.StateTransitionController.transition(StateTransitionController.java:145)
                at org.gradle.internal.buildtree.DefaultBuildTreeLifecycleController.runBuild(DefaultBuildTreeLifecycleController.java:100)
                at org.gradle.internal.buildtree.DefaultBuildTreeLifecycleController.fromBuildModel(DefaultBuildTreeLifecycleController.java:71)
                at org.gradle.tooling.internal.provider.runner.BuildModelActionRunner.run(BuildModelActionRunner.java:49)
                at org.gradle.launcher.exec.ChainingBuildActionRunner.run(ChainingBuildActionRunner.java:35)
                at org.gradle.internal.buildtree.ProblemReportingBuildActionRunner.run(ProblemReportingBuildActionRunner.java:49)
                at org.gradle.launcher.exec.BuildOutcomeReportingBuildActionRunner.run(BuildOutcomeReportingBuildActionRunner.java:69)
                at org.gradle.tooling.internal.provider.FileSystemWatchingBuildActionRunner.run(FileSystemWatchingBuildActionRunner.java:114)
                at org.gradle.launcher.exec.BuildCompletionNotifyingBuildActionRunner.run(BuildCompletionNotifyingBuildActionRunner.java:41)
                at org.gradle.launcher.exec.RootBuildLifecycleBuildActionExecutor.lambda$execute$0(RootBuildLifecycleBuildActionExecutor.java:40)
                at org.gradle.composite.internal.DefaultRootBuildState.run(DefaultRootBuildState.java:155)
                at org.gradle.launcher.exec.RootBuildLifecycleBuildActionExecutor.execute(RootBuildLifecycleBuildActionExecutor.java:40)
                at org.gradle.internal.buildtree.DefaultBuildTreeContext.execute(DefaultBuildTreeContext.java:40)
                at org.gradle.launcher.exec.BuildTreeLifecycleBuildActionExecutor.lambda$execute$0(BuildTreeLifecycleBuildActionExecutor.java:65)
                at org.gradle.internal.buildtree.BuildTreeState.run(BuildTreeState.java:53)
                at org.gradle.launcher.exec.BuildTreeLifecycleBuildActionExecutor.execute(BuildTreeLifecycleBuildActionExecutor.java:65)
                at org.gradle.launcher.exec.RunAsBuildOperationBuildActionExecutor$3.call(RunAsBuildOperationBuildActionExecutor.java:61)
                at org.gradle.launcher.exec.RunAsBuildOperationBuildActionExecutor$3.call(RunAsBuildOperationBuildActionExecutor.java:57)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$CallableBuildOperationWorker.execute(DefaultBuildOperationRunner.java:204)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$CallableBuildOperationWorker.execute(DefaultBuildOperationRunner.java:199)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:66)
                at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:59)
                at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:157)
                at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:59)
                at org.gradle.internal.operations.DefaultBuildOperationRunner.call(DefaultBuildOperationRunner.java:53)
                at org.gradle.internal.operations.DefaultBuildOperationExecutor.call(DefaultBuildOperationExecutor.java:73)
                at org.gradle.launcher.exec.RunAsBuildOperationBuildActionExecutor.execute(RunAsBuildOperationBuildActionExecutor.java:57)
                at org.gradle.launcher.exec.RunAsWorkerThreadBuildActionExecutor.lambda$execute$0(RunAsWorkerThreadBuildActionExecutor.java:38)
                at org.gradle.internal.work.DefaultWorkerLeaseService.withLocks(DefaultWorkerLeaseService.java:211)
                at org.gradle.launcher.exec.RunAsWorkerThreadBuildActionExecutor.execute(RunAsWorkerThreadBuildActionExecutor.java:38)
                at org.gradle.tooling.internal.provider.ContinuousBuildActionExecutor.execute(ContinuousBuildActionExecutor.java:103)
                at org.gradle.tooling.internal.provider.SubscribableBuildActionExecutor.execute(SubscribableBuildActionExecutor.java:64)
                at org.gradle.internal.session.DefaultBuildSessionContext.execute(DefaultBuildSessionContext.java:46)
                at org.gradle.tooling.internal.provider.BuildSessionLifecycleBuildActionExecuter$ActionImpl.apply(BuildSessionLifecycleBuildActionExecuter.java:100)
                at org.gradle.tooling.internal.provider.BuildSessionLifecycleBuildActionExecuter$ActionImpl.apply(BuildSessionLifecycleBuildActionExecuter.java:88)
                at org.gradle.internal.session.BuildSessionState.run(BuildSessionState.java:69)
                at org.gradle.tooling.internal.provider.BuildSessionLifecycleBuildActionExecuter.execute(BuildSessionLifecycleBuildActionExecuter.java:62)
                at org.gradle.tooling.internal.provider.BuildSessionLifecycleBuildActionExecuter.execute(BuildSessionLifecycleBuildActionExecuter.java:41)
                at org.gradle.tooling.internal.provider.GradleThreadBuildActionExecuter.execute(GradleThreadBuildActionExecuter.java:36)
                at org.gradle.tooling.internal.provider.GradleThreadBuildActionExecuter.execute(GradleThreadBuildActionExecuter.java:25)
                at org.gradle.tooling.internal.provider.StartParamsValidatingActionExecuter.execute(StartParamsValidatingActionExecuter.java:63)
                at org.gradle.tooling.internal.provider.StartParamsValidatingActionExecuter.execute(StartParamsValidatingActionExecuter.java:31)
                at org.gradle.tooling.internal.provider.SessionFailureReportingActionExecuter.execute(SessionFailureReportingActionExecuter.java:58)
                at org.gradle.tooling.internal.provider.SessionFailureReportingActionExecuter.execute(SessionFailureReportingActionExecuter.java:42)
                at org.gradle.tooling.internal.provider.SetupLoggingActionExecuter.execute(SetupLoggingActionExecuter.java:47)
                at org.gradle.tooling.internal.provider.SetupLoggingActionExecuter.execute(SetupLoggingActionExecuter.java:31)
                at org.gradle.launcher.daemon.server.exec.ExecuteBuild.doBuild(ExecuteBuild.java:65)
                at org.gradle.launcher.daemon.server.exec.BuildCommandOnly.execute(BuildCommandOnly.java:37)
                at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:104)
                at org.gradle.launcher.daemon.server.exec.WatchForDisconnection.execute(WatchForDisconnection.java:39)
                at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:104)
                at org.gradle.launcher.daemon.server.exec.ResetDeprecationLogger.execute(ResetDeprecationLogger.java:29)
                at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:104)
                at org.gradle.launcher.daemon.server.exec.RequestStopIfSingleUsedDaemon.execute(RequestStopIfSingleUsedDaemon.java:35)
                at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:104)
                at org.gradle.launcher.daemon.server.exec.ForwardClientInput$2.create(ForwardClientInput.java:78)
                at org.gradle.launcher.daemon.server.exec.ForwardClientInput$2.create(ForwardClientInput.java:75)
                at org.gradle.util.internal.Swapper.swap(Swapper.java:38)
                at org.gradle.launcher.daemon.server.exec.ForwardClientInput.execute(ForwardClientInput.java:75)
                at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:104)
                at org.gradle.launcher.daemon.server.exec.LogAndCheckHealth.execute(LogAndCheckHealth.java:55)
                at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:104)
                at org.gradle.launcher.daemon.server.exec.LogToClient.doBuild(LogToClient.java:63)
                at org.gradle.launcher.daemon.server.exec.BuildCommandOnly.execute(BuildCommandOnly.java:37)
                at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:104)
                at org.gradle.launcher.daemon.server.exec.EstablishBuildEnvironment.doBuild(EstablishBuildEnvironment.java:84)
                at org.gradle.launcher.daemon.server.exec.BuildCommandOnly.execute(BuildCommandOnly.java:37)
                at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:104)
                at org.gradle.launcher.daemon.server.exec.StartBuildOrRespondWithBusy$1.run(StartBuildOrRespondWithBusy.java:52)
                at org.gradle.launcher.daemon.server.DaemonStateCoordinator$1.run(DaemonStateCoordinator.java:297)
                at org.gradle.internal.concurrent.ExecutorPolicy$CatchAndRecordFailures.onExecute(ExecutorPolicy.java:64)
                at org.gradle.internal.concurrent.ManagedExecutorImpl$1.run(ManagedExecutorImpl.java:48)
                at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
                at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
                at org.gradle.internal.concurrent.ThreadFactoryImpl$ManagedThreadRunnable.run(ThreadFactoryImpl.java:61)
                at java.base/java.lang.Thread.run(Unknown Source)

        1 error

<13 MORE SIMILAR ERRORS>

Wrote analyzer result to 'C:\Users\MikkelEmilNielsen-Ma\Documents\GitHub\trace-metrics\ort\analyzer\analyzer-result.yml' (0,20 MiB) in 1.006405700s.
The analysis took 25.973715700s.
Found 1 project(s) and 181 package(s) in total (not counting excluded ones).
Applied 0 curation(s) from 0 of 2 provider(s).
Resolved issues: 0 errors, 0 warnings, 0 hints.
Unresolved issues: 0 errors, 0 warnings, 0 hints.

Despite the errors, this does still result in a seemingly functional analyzer-result.yml file.

Report missing information

Running ort report -i ./ort/analyzer/analyzer-result.yml -o ./ort/reporter/cycloneDX -f CycloneDx produces a bom.cyclonedx.json file without any errors.

However, as mentioned at the beginning, this generated bill of materials does not appear to include every single dependency that I can find in the project's pubspec.lock file.

Nor does it have any license information attached to any of the listed dependencies, despite the licenses for most packages being listed on pubdev.

Questions

  1. If the errors I get from the analyzer are inconsequential, I can live with them. However, if anyone has a suggestion for a fix, I'd of course be more than happy to try it!
  2. Is it "normal" for package license data to not be read from pubdev, and included in the analysis/report?
  3. Am I missing some "obvious" configurations or settings that I should be including, given my stated goal of getting license information on the project's dependencies?

Thank you very much for taking the time to read this far, and I hope someone can be of help!
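The comparison described in the post (packages listed in pubspec.lock that are absent from bom.cyclonedx.json, and components that carry no license), written out as an added example that is not part of the original issue or of ORT. It assumes each BOM component's `name` and `version` match the lockfile entry; the function names and the sample data are constructed for illustration.

```python
import json
import re
# Constructed samples for illustration, not data from the issue's project.
SAMPLE_LOCK = """\
packages:
  async:
    dependency: transitive
    source: hosted
    version: "2.11.0"
  flutter:
    dependency: "direct main"
    source: sdk
    version: "0.0.0"
  http:
    dependency: "direct main"
    source: hosted
    version: "1.1.0"
sdks:
  dart: ">=3.0.0 <4.0.0"
"""
SAMPLE_BOM = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"name": "async", "version": "2.11.0", "licenses": []},
    {"name": "http", "version": "1.1.0", "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
]})

def lock_packages(text):
    """Return {name: (version, source)} from the 'packages:' map of a pubspec.lock."""
    pkgs, name, in_pkgs = {}, None, False
    for line in text.splitlines():
        if re.match(r"^\S", line):  # any top-level key starts or ends the packages map
            in_pkgs = line.startswith("packages:")
        elif in_pkgs and (m := re.match(r"^  ([\w.-]+):\s*$", line)):
            name = m.group(1)  # two-space indent: a package entry
            pkgs[name] = {}
        elif in_pkgs and name and (m := re.match(r'^    (version|source):\s*"?([^"\s]+)"?', line)):
            pkgs[name][m.group(1)] = m.group(2)  # four-space indent: its fields
    return {n: (f.get("version"), f.get("source")) for n, f in pkgs.items()}

def audit(lock_text, bom_text):
    """Assumes BOM component name/version equal the lockfile's; returns (missing, unlicensed)."""
    comps = json.loads(bom_text).get("components", [])
    in_bom = {(c.get("name"), c.get("version")) for c in comps}
    missing = sorted((n, v, s) for n, (v, s) in lock_packages(lock_text).items()
                     if (n, v) not in in_bom)
    unlicensed = sorted(c["name"] for c in comps if not c.get("licenses"))
    return missing, unlicensed

if __name__ == "__main__":
    print(audit(SAMPLE_LOCK, SAMPLE_BOM))
```

The `source` value is reported with each missing package so that the kind of entry absent from the BOM (hosted, sdk, git, path) is visible at a glance.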

Labels: analyzer (About the analyzer tool), question (An issue that is actually a question)
