
The description for dependencies status in the HTML is ambiguous. #538

Open

tromai opened this issue Nov 2, 2023 · 2 comments
Labels
bug Something isn't working report Related to the HTML report

Comments

@tromai
Member

tromai commented Nov 2, 2023

How to reproduce the issue

macaron analyze -rp https://github.com/apache/maven -sbom test_sbom.json

with the content of test_sbom.json as follows: test_sbom.json

[image]

In the example above, the dependency component org.hamcrest:hamcrest-library has the same repository URL https://github.com/hamcrest/JavaHamcrest as another dependency component org.hamcrest:hamcrest-core. Because https://github.com/hamcrest/JavaHamcrest has been analyzed already for org.hamcrest:hamcrest-core, we marked org.hamcrest:hamcrest-library as a DUPLICATED_REPO_URL component.

However, in the description column of org.hamcrest:hamcrest-library: "https://github.com/hamcrest/JavaHamcrest is already analyzed." I think this is quite confusing as the user doesn't know where to look for the report of that particular repository. Note that all dependencies listed in the HTML report are listed under the format of <group_id>:<name> to follow the data model.

In addition, the report column of org.hamcrest:hamcrest-library is empty (in the past, it used to link to the HTML report of org.hamcrest:hamcrest-core). However, because we are using PURL as the unique identification, I don't think linking to the same HTML report of another component with a different PURL would be a good idea.

Expect

I think we need to discuss what would be the best way to display the "duplicated status" of dependencies. Note that after this PR is merged, the definition of "duplication" is not in the scope of repository URL, but it would be repository URL + commit or PURL with version number, etc.
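The following is an added illustration of the display change being discussed, not Macaron's own code. It groups SBOM components by the repository snapshot (URL + commit) they resolve to, and writes a duplicate description that names the <group_id>:<name> component whose report already covers that snapshot, instead of only saying the URL "is already analyzed". The component list is a constructed CycloneDX-style subset, the commit hashes are made up, and the PURL-to-snapshot resolution is a hypothetical lookup table standing in for Macaron's repository finding.

```python
"""Group SBOM components by repository snapshot (URL + commit) and describe
duplicates by pointing at the component whose report covers that snapshot.

Added illustration, not Macaron's code: the SBOM, commits and the
PURL -> snapshot resolution below are all constructed/hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Snapshot = Tuple[str, str]  # (repository URL, commit)

# Constructed CycloneDX-style component list (only the fields we need).
SBOM_COMPONENTS = [
    {"group": "org.hamcrest", "name": "hamcrest-core", "version": "1.3",
     "purl": "pkg:maven/org.hamcrest/hamcrest-core@1.3"},
    {"group": "org.hamcrest", "name": "hamcrest-library", "version": "1.3",
     "purl": "pkg:maven/org.hamcrest/hamcrest-library@1.3"},
    # Same repository URL, but a different release, so a different commit.
    {"group": "org.hamcrest", "name": "hamcrest", "version": "2.2",
     "purl": "pkg:maven/org.hamcrest/hamcrest@2.2"},
]

# Hypothetical resolution of a PURL to the snapshot that would be analyzed.
# Commit values are made up for the example.
RESOLVED_SNAPSHOT: Dict[str, Snapshot] = {
    "pkg:maven/org.hamcrest/hamcrest-core@1.3":
        ("https://github.com/hamcrest/JavaHamcrest", "aaaa0001"),
    "pkg:maven/org.hamcrest/hamcrest-library@1.3":
        ("https://github.com/hamcrest/JavaHamcrest", "aaaa0001"),  # same snapshot
    "pkg:maven/org.hamcrest/hamcrest@2.2":
        ("https://github.com/hamcrest/JavaHamcrest", "bbbb0002"),  # same URL only
}


@dataclass
class DependencyRow:
    label: str                 # <group_id>:<name>, as shown in the HTML report
    purl: str
    status: str                # ANALYZED, DUPLICATED_REPO_URL or NOT_RESOLVED
    description: str
    report_of: Optional[str]   # label of the component whose report applies


def lookup_snapshot(purl: str) -> Optional[Snapshot]:
    """Hypothetical stand-in for repository finding + commit resolution."""
    return RESOLVED_SNAPSHOT.get(purl)


def build_dependency_rows(components: List[dict],
                          resolve: Callable[[str], Optional[Snapshot]]) -> List[DependencyRow]:
    """One row per component. A component whose snapshot was already claimed by
    an earlier component is a duplicate of that component, and the description
    names it so the reader knows which report to open."""
    first_seen: Dict[Snapshot, str] = {}
    rows: List[DependencyRow] = []
    for comp in components:
        label = f"{comp['group']}:{comp['name']}"
        purl = comp["purl"]
        snapshot = resolve(purl)
        if snapshot is None:
            rows.append(DependencyRow(label, purl, "NOT_RESOLVED",
                                      "No repository found for this component.", None))
            continue
        url, commit = snapshot
        owner = first_seen.get(snapshot)
        if owner is None:
            # First component to reach this snapshot: it gets the real analysis.
            first_seen[snapshot] = label
            rows.append(DependencyRow(label, purl, "ANALYZED",
                                      f"Analyzed {url} at commit {commit}.", label))
        else:
            rows.append(DependencyRow(
                label, purl, "DUPLICATED_REPO_URL",
                f"Same repository snapshot ({url} @ {commit}) as {owner}; "
                f"see the report for {owner}.",
                owner))
    return rows


if __name__ == "__main__":
    for row in build_dependency_rows(SBOM_COMPONENTS, lookup_snapshot):
        print(f"{row.label:32} {row.status:20} {row.description}")
```

Keying on (URL, commit) rather than URL alone is what makes the third component a separate analysis here: it shares the JavaHamcrest URL with the first two but resolves to a different commit, so it is not reported as a duplicate.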

@tromai tromai added bug Something isn't working report Related to the HTML report labels Nov 2, 2023
@tromai
Member Author

tromai commented Nov 2, 2023

As discussed, we have agreed that this issue will be addressed once this PR is merged as part of the change in data model where the analysis happens on a snapshot of a repository (URL + commit) instead of only happening on the repository URL like before.

@jsoref
Contributor

jsoref commented Jan 21, 2024

That PR was merged...
