Summary
When a portfile derives the REF value via string(REPLACE ...) instead
of using ${VERSION} directly, the SPDX generator emits the intermediate
variable name unresolved in downloadLocation.
Reproduction
The curl portfile (ports/curl/portfile.cmake) does:
string(REPLACE "." "_" curl_version "curl-${VERSION}")
vcpkg_from_github(
REPO curl/curl
REF ${curl_version}
...
)This is necessary because curl tags use underscores
(e.g. curl-8_19_0, not 8.19.0).
The generated vcpkg.spdx.json contains:
"downloadLocation": "git+https://github.com/curl/curl@${curl_version}"instead of:
"downloadLocation": "git+https://github.com/curl/curl@curl-8_19_0"
Notes
PRs #1162, #1607 and #1622 fixed the literal ${VERSION} case but do
not evaluate variables derived from CMake expressions like
string(REPLACE ...). Any port using a transformed REF will hit this.
Related
Summary
When a portfile derives the
REFvalue viastring(REPLACE ...)insteadof using
${VERSION}directly, the SPDX generator emits the intermediatevariable name unresolved in
downloadLocation.Reproduction
The
curlportfile (ports/curl/portfile.cmake) does:This is necessary because curl tags use underscores
(e.g.
curl-8_19_0, not8.19.0).The generated
vcpkg.spdx.jsoncontains:instead of:
Notes
PRs #1162, #1607 and #1622 fixed the literal
${VERSION}case but donot evaluate variables derived from CMake expressions like
string(REPLACE ...). Any port using a transformedREFwill hit this.Related
downloadLocationof some packages in generated spdx files is incorrect vcpkg#28235