Failed to scan .conda artifacts: xz-gpl-tools

[cgi-ricardo]

Describe the bug

I provided the package xz-gpl-tools-5.8.1-hbcc6ac9_1 to ORT, it failed to download them I downloaded manually and ran the analyze and then the scan but it failed to get information, I tried with other .conda packages and also don't work for them. Is it possible to scan coda packages?

  message: "IOException: Could not resolve provenance for package 'Unmanaged::xz-gpl-tools-5.8.1-hbcc6ac9_1:'\
    \ for source code origins [VCS, ARTIFACT]."

To Reproduce

analyze and scan the xz-gpl-tools-5.8.1-hbcc6ac9_1.conda

Expected behavior

should be able to detect the licenses inside

Console / log output

scan-result.yml

scanner:
  start_time: "2025-11-24T20:11:53.974432905Z"
  end_time: "2025-11-24T20:11:53.990562004Z"
  environment:
    ort_version: "72.0.0"
    build_jdk: "21.0.9+10-LTS"
    java_version: "21.0.9"
    os: "Linux"
    processors: 20
    max_memory: 4152360960
    variables:
      HOME: "/home/ort"
      JAVA_HOME: "/opt/java/openjdk"
      ANDROID_HOME: "/opt/android-sdk"
  config:
    skip_concluded: false
    skip_excluded: false
    include_files_without_findings: false
    detected_license_mapping:
      LicenseRef-scancode-agpl-generic-additional-terms: "NOASSERTION"
      LicenseRef-scancode-free-unknown: "NOASSERTION"
      LicenseRef-scancode-generic-cla: "NOASSERTION"
      LicenseRef-scancode-generic-exception: "NOASSERTION"
      LicenseRef-scancode-generic-export-compliance: "NOASSERTION"
      LicenseRef-scancode-generic-tos: "NOASSERTION"
      LicenseRef-scancode-generic-trademark: "NOASSERTION"
      LicenseRef-scancode-gpl-generic-additional-terms: "NOASSERTION"
      LicenseRef-scancode-other-copyleft: "NOASSERTION"
      LicenseRef-scancode-other-permissive: "NOASSERTION"
      LicenseRef-scancode-patent-disclaimer: "NOASSERTION"
      LicenseRef-scancode-unknown: "NOASSERTION"
      LicenseRef-scancode-unknown-license-reference: "NOASSERTION"
      LicenseRef-scancode-unknown-spdx: "NOASSERTION"
      LicenseRef-scancode-warranty-disclaimer: "NOASSERTION"
    ignore_patterns:
    - "**/*.ort.yml"
    - "**/*.spdx.yml"
    - "**/*.spdx.yaml"
    - "**/*.spdx.json"
    - "**/META-INF/DEPENDENCIES"
    - "**/META-INF/DEPENDENCIES.txt"
    - "**/META-INF/NOTICE"
    - "**/META-INF/NOTICE.txt"
  provenances:
  - id: "Unmanaged::xz-gpl-tools-5.8.1-hbcc6ac9_1:"
    package_provenance_resolution_issue:
      timestamp: "2025-11-24T20:11:53.983616523Z"
      source: "Scanner"
      message: "IOException: Could not resolve provenance for package 'Unmanaged::xz-gpl-tools-5.8.1-hbcc6ac9_1:'\
        \ for source code origins [VCS, ARTIFACT]."
      severity: "ERROR"
  scan_results: []
  scanners:
    'Unmanaged::xz-gpl-tools-5.8.1-hbcc6ac9_1:':
    - "ScanCode"

Environment

OSS Review Toolkit, version 72.0.0
ScanCode (version 32.4.1)
OS: Linux

[sschuberth]

Is it possible to scan coda packages?

Not directly, ORT has no support for Conda yet.

[cgi-ricardo]

Is it possible to scan coda packages?

Not directly, ORT has no support for Conda yet.

thanks for the info. Is there any work around that I can do it?

[sschuberth]

I don't think that you actually gain much with using ORT at all here, firstly due to the current lack of Conda ecosystem support, and secondly because a / that Conda package only seems to contain binaries (and metadata), but not source code. Which means that scanning its contents with a license scanner is of limited use.

You could manually and recursively unpack pkg-xz-gpl-tools-5.8.1-hbcc6ac9_1.tar.zst from xz-gpl-tools-5.8.1-hbcc6ac9_1.conda, but that would most likely only give you hits in the info/licenses/COPYING* files, which you could also inspect manually to begin with.

The most interesting part would be transitive dependencies, but we don't get these until #1534 is implemented.

[sschuberth]

The most interesting part would be transitive dependencies, but we don't get these until #1534 is implemented.

@cgi-ricardo, do you agree to close this as a duplicate of #1534?