Bazel: MODULE.bazel files present in a local registry should not be considered as managed files

[nnobelis]

I have the following Bazel project:

project/
├─ registry/
│  ├─ modules/
│  │  ├─ A/
│  │  │  ├─ 1.0/
│  │  │  │  ├─ MODULE.bazel
│  │  │  │  ├─ source.json
│  │  │  ├─ metadata.json
│  │  ├─ B/
│  │  │  ├─ 1.0/
│  │  │  │  ├─ MODULE.bazel
│  │  │  │  ├─ source.json
│  │  │  ├─ metadata.json
├─ .bazelrc
├─ MODULE.bazel

The directory registry is a local registry defined in .bazelrc:
common --registry=file://%workspace%/registry/

In %workspace%/MODULE.bazel, a dependency to A is defined:
bazel_dep(name = "A", version = "1.0")

In %workspace%/registry/modules/A/1.0/MODULE:bazel, a dependency to B is defined:
bazel_dep(name = "B", version = "1.0")

With such a setup, ORT Analyzer throws the following error:

o.o.analyzer.PackageManager - Using Bazel to resolve dependencies for path 'registry/modules/A/1.0/MODULE.bazel'...
o.o.utils.common.ProcessCapture - Running 'bazel mod graph --output json --disk_cache=' in 'registry/modules/A/1.0'...ERROR: in module dependency chain <root> -> B@1.0.0: module not found in registries: B@1.0.0. Type 'bazel help mod' for syntax and help.

The problem is that the Bazel package manager collects all MODULE.bazels in the project directory and considers them all as managed files. The MODULES.bazels present in a (registry) should not be picked up by the package manager as there are not "really" sub dependency trees.
The dependency of A to B is picked by ORT by calling bazel mod graph on the top level MODULE.bazel.

Is there a mechanism in ORT to exclude managed files during a package manager run ?

I will create a test for this ASAP.

[nnobelis]

I mean the obvious solution to this problem is to create an exclude for registry/**/MODULE.bazel.
However I wonder if ORT, knowing that the folder is a local registry, could do it automatically?

[sschuberth]

Is there a mechanism in ORT to exclude managed files during a package manager run ?

Sounds like a use-case for

ort/analyzer/src/main/kotlin/PackageManager.kt

Lines 235 to 238 in 97a81dd

	/**
	* Optional mapping of found [definitionFiles] before dependency resolution.
	*/
	open fun mapDefinitionFiles(definitionFiles: List<File>): List<File> = definitionFiles

[nnobelis]

I created #9090 as a test for this issue.

However I think the issue is more severe as what is described here.

There is first:

ERROR org.ossreviewtoolkit.analyzer.PackageManager - Bazel failed to resolve dependencies for path 'registry/modules/module_a/0.0.1/MODULE.bazel': IOException: Running 'bazel mod graph --output json --disk_cache=' in /plugins/package-managers/bazel/src/funTest/assets/projects/synthetic/bazel-local-registry2/registry/modules/module_a/0.0.1' failed with exit code 2:
ERROR: in module dependency chain <root> -> module_b@0.0.1: module not found in registries: module_b@0.0.1. Type 'bazel help mod' for syntax and help

But afterwards comes this exception:

Unable to create the AnalyzerResult as it contains packages and projects with the same ids: [[Package(id=Identifier(type=Bazel, namespace=, name=module_b, version=0.0.1), purl=pkg:generic/module_b@0.0.1
[...]
	at org.ossreviewtoolkit.analyzer.AnalyzerResultBuilder.build(AnalyzerResultBuilder.kt:44)
	at org.ossreviewtoolkit.analyzer.AnalyzerState.buildResult(Analyzer.kt:257)
	at org.ossreviewtoolkit.analyzer.Analyzer.analyzeInParallel(Analyzer.kt:182)
	at org.ossreviewtoolkit.analyzer.Analyzer.analyze(Analyzer.kt:134)
	at org.ossreviewtoolkit.analyzer.Analyzer.analyze$default(Analyzer.kt:126)
	at org.ossreviewtoolkit.analyzer.TestUtilsKt.analyze(TestUtils.kt:133)
	at org.ossreviewtoolkit.analyzer.TestUtilsKt.analyze$default(TestUtils.kt:124)
	at org.ossreviewtoolkit.plugins.packagemanagers.bazel.BazelDetectionTest$1$1.invokeSuspend(BazelDetectionTest.kt:33)
	at org.ossreviewtoolkit.plugins.packagemanagers.bazel.BazelDetectionTest$1$1.invoke(BazelDetectionTest.kt)
	at org.ossreviewtoolkit.plugins.packagemanagers.bazel.BazelDetectionTest$1$1.invoke(BazelDetectionTest.kt)