Incorrect invocation.configSource.uri value for inferred provenance value.

[tromai]

How to replicate

Run this command:

macaron analyze -rp https://github.com/ben-manes/caffeine.git --skip-deps

Because this repository doesn't have a provenance that Macaron can detect, Macaron put an inferred provenance in the final JSON report.
The content of the JSON report of this analysis is as follow:

...
                             "invocation": {
                                "configSource": {
                                    "uri": "https://github.com/ben-manes/caffeine@refs/heads/None",
...

Description

The logic for generating the content of invocation.configSource.uri for the inferred provenance is located here:

predicate["invocation"]["configSource"]["uri"] = (
    f"{ctx.component.repository.remote_path}"
    f"@refs/heads/{ctx.component.repository.branch_name}"
)

In scenarios where the branch name is not available, the content of this uri will be incorrect

Suggestion

If the branch name is not available for this software component, we can use f"{ctx.component.repository.remote_path}" only without f"@refs/heads/{ctx.component.repository.branch_name}"

[nathanwn]

How about using the ctx.component.repository.commit_sha field, which is not nullable, to replace the nullable branch_name?

predicate["invocation"]["configSource"]["uri"] = (
    f"{ctx.component.repository.remote_path}"
-    f"@refs/heads/{ctx.component.repository.branch_name}"
+    f"@{ctx.component.repository.commit_sha}"
)

I think this should be better than not referencing any particular revision of the repo.

[Demolus13]

The --skip-deps issue has been fixed and below are the PRs:

• feat!: allow specifying the dependency depth resolution through CLI and make dependency resolution off by default #840
• refactor: remove the deprecated --skip-deps command-line option. #943