config.yml is getting ignored while physically available

[MNesche]

Describe the bug

Running ORT (any Version, starting from 28.0) in Jenkins on Windows, the config.yml (format previously to ORT Version 41.0.0) is physically present but will not be parsed further to be used for the execution.
The default configuration settings are used instead.
When implementing a false intendation in the config.yml, the ORT commands fail, due to the wrong intendation.
This shows that the config.yml can be accessed and is also read by ORT.

Since ORT Version 41.0.0, the key "rootLicenseFilenames" in "licenseFilePatterns" of the config.yml got renamed.
That should throw an error, cause the key is not valid anymore, if the same config is used with ORT 41.0.0.
However, there is no error according the invalid key when running any ORT command, the fallback standard configuration settings are used instead.

To Reproduce

Steps to reproduce the behavior:

1. Install ORT on Jenkins with the right Environment Variables
2. Change specific values in the config.yml, i.e. limit the enabledPackageManagers
3. Execute a command like "ort config --show-active"
4. The content of the values are the standard values; in the example above, all possible PackageManagers are enabled.

Expected behavior

Settings in the config.yml will be applied successfully.

Console / log output

Add console and / or log output that shows the error and additional context.
No screenshots of plain text please, to keep text searchable.

Output after using command "ort config --show-active":

c:\FileDir>"c:\jenkins-slave\tools\com.cloudbees.jenkins.plugins.customtools.CustomTool\ORT41\bin\ort.bat" --info config --show-active  
17:07:43.709 [main] INFO  org.ossreviewtoolkit.model.config.OrtConfiguration - Using ORT configuration file 'c:\FileDir\.ort\ort-config\config.yml'.
Hoplite is configured to infer which sealed type to choose by inspecting the config values at runtime. This behaviour is now deprecated in favour of explicitly specifying the type through a discriminator field. In 3.0 this new behavior will become the default. To enable this behavior now (and disable this warning), invoke withExplicitSealedTypes() on the ConfigLoaderBuilder.
17:07:44.455 [main] INFO  org.ossreviewtoolkit.utils.common.EnvironmentVariableFilter - EnvironmentVariableFilter initialized with denySubstrings = [key, pass, pwd, token, user] and allowNames = [CARGO_HTTP_USER_AGENT, COMPOSER_ALLOW_SUPERUSER, CONAN_LOGIN_ENCRYPTION_KEY, CONAN_LOGIN_USERNAME, CONAN_PASSWORD, CONAN_USERNAME, CONAN_USER_HOME, CONAN_USER_HOME_SHORT, DOTNET_CLI_CONTEXT_ANSI_PASS_THRU, GIT_ASKPASS, GIT_HTTP_USER_AGENT, GRADLE_USER_HOME, HACKAGE_USERNAME, HACKAGE_PASSWORD, HACKAGE_KEY, PWD, USER, USERPROFILE].
 ______________________________                                                
/        \_______   \__    ___/        The OSS Review Toolkit, version 41.0.0, 
|    |   | |       _/ |    |           built with JDK 21.0.5+11-LTS, running un
|    |   | |    |   \ |    |           Executing 'config' as 'ort-user' on 
\________/ |____|___/ |____|           with 4 CPUs and a maximum of 3066 MiB of
                                                                               
Environment variables:                                                        
ORT_CONFIG_DIR = c:\FileDir\.ort\ort-config  
ORT_DATA_DIR = c:\FileDir\.ort               
USERPROFILE = C:\Users\ort-user                                           
OS = Windows_NT                                                               
COMSPEC = C:\WINDOWS\system32\cmd.exe                                         
JAVA_HOME = c:\jenkins-slave\tools\hudson.model.JDK\java21_x86_64             
                                                                              
Looking for ORT configuration in the following file:
        c:\FileDir\.ort\ort-config\config.yml

The active configuration is:

ort:
  addAuthorsToCopyrights: false
  allowedProcessEnvironmentVariableNames:
  - "CARGO_HTTP_USER_AGENT"
  - "COMPOSER_ALLOW_SUPERUSER"
  - "CONAN_LOGIN_ENCRYPTION_KEY"
  - "CONAN_LOGIN_USERNAME"
  - "CONAN_PASSWORD"
  - "CONAN_USERNAME"
  - "CONAN_USER_HOME"
  - "CONAN_USER_HOME_SHORT"
  - "DOTNET_CLI_CONTEXT_ANSI_PASS_THRU"
  - "GIT_ASKPASS"
  - "GIT_HTTP_USER_AGENT"
  - "GRADLE_USER_HOME"
  - "HACKAGE_USERNAME"
  - "HACKAGE_PASSWORD"
  - "HACKAGE_KEY"
  - "PWD"
  - "USER"
  - "USERPROFILE"
  deniedProcessEnvironmentVariablesSubstrings:
  - "key"
  - "pass"
  - "pwd"
  - "token"
  - "user"
  enableRepositoryPackageConfigurations: false
  enableRepositoryPackageCurations: false
  forceOverwrite: false
  licenseFilePatterns:
    licenseFilenames:
    - "copying*"
    - "copyright"
    - "licence*"
    - "license*"
    - "*.licence"
    - "*.license"
    - "unlicence"
    - "unlicense"
    patentFilenames:
    - "patents"
    otherLicenseFilenames:
    - "readme*"
  packageConfigurationProviders:
  - type: "DefaultDir"
    id: "DefaultDir"
    enabled: true
    options: {}
  packageCurationProviders:
  - type: "DefaultDir"
    id: "DefaultDir"
    enabled: true
    options: {}
  - type: "DefaultFile"
    id: "DefaultFile"
    enabled: true
    options: {}
  severeIssueThreshold: "WARNING"
  severeRuleViolationThreshold: "WARNING"
  analyzer:
    allowDynamicVersions: false
    skipExcluded: false
  advisor:
    skipExcluded: false
  downloader:
    allowMovingRevisions: false
    includedLicenseCategories: []
    skipExcluded: false
    sourceCodeOrigins:
    - "VCS"
    - "ARTIFACT"
  scanner:
    skipConcluded: false
    skipExcluded: false
    detectedLicenseMapping:
      LicenseRef-scancode-agpl-generic-additional-terms: "NOASSERTION"
      LicenseRef-scancode-free-unknown: "NOASSERTION"
      LicenseRef-scancode-generic-cla: "NOASSERTION"
      LicenseRef-scancode-generic-exception: "NOASSERTION"
      LicenseRef-scancode-generic-export-compliance: "NOASSERTION"
      LicenseRef-scancode-generic-tos: "NOASSERTION"
      LicenseRef-scancode-generic-trademark: "NOASSERTION"
      LicenseRef-scancode-gpl-generic-additional-terms: "NOASSERTION"
      LicenseRef-scancode-other-copyleft: "NOASSERTION"
      LicenseRef-scancode-other-permissive: "NOASSERTION"
      LicenseRef-scancode-patent-disclaimer: "NOASSERTION"
      LicenseRef-scancode-unknown: "NOASSERTION"
      LicenseRef-scancode-unknown-license-reference: "NOASSERTION"
      LicenseRef-scancode-unknown-spdx: "NOASSERTION"
      LicenseRef-scancode-warranty-disclaimer: "NOASSERTION"
    ignorePatterns:
    - "**/*.ort.yml"
    - "**/*.spdx.yml"
    - "**/*.spdx.yaml"
    - "**/*.spdx.json"
    - "**/META-INF/DEPENDENCIES"
    - "**/META-INF/DEPENDENCIES.txt"
    - "**/META-INF/NOTICE"
    - "**/META-INF/NOTICE.txt"
  reporter: {}
  notifier:
    mail: null
    jira: null

Environment

Output of the ort requirements -l commands command:

 ______________________________                                                
/        \_______   \__    ___/        The OSS Review Toolkit, version 41.0.0, 
|    |   | |       _/ |    |           built with JDK 21.0.5+11-LTS, running un
|    |   | |    |   \ |    |           Executing 'requirements' as 'exam-servic
\________/ |____|___/ |____|           with 4 CPUs and a maximum of 3066 MiB of
                                                                               
Environment variables:                                                        
ORT_CONFIG_DIR = c:\FileDir\.ort\ort-config  
ORT_DATA_DIR = c:\FileDir\.ort               
USERPROFILE = C:\Users\ort-user                                           
OS = Windows_NT                                                               
COMSPEC = C:\WINDOWS\system32\cmd.exe                                         
JAVA_HOME = c:\jenkins-slave\tools\hudson.model.JDK\java21_x86_64             

Or manually specify:

• ORT version: [e.g. 22.1.0]
• Java version: [e.g. 17]
• OS: [e.g. Linux]

And specify (relevant parts of) your ORT configuration (config.yml):

ort:
  allowedProcessEnvironmentVariableNames:
    - PASSPORT
    - USER_HOME
  deniedProcessEnvironmentVariablesSubstrings:
    - PASS
    - SECRET
    - TOKEN
    - USER

  enableRepositoryPackageConfigurations: true
  enableRepositoryPackageCurations: true

  # Force overwriting of any existing output files.
  forceOverwrite: true

  licenseFilePatterns:
    licenseFilenames: ['license*']
    patentFilenames: ['patents']
    rootLicenseFilenames: ['readme*']

Additional context

Further investigation assumes a problem in the hoplite library.
The corresponding line of the issue happening in the source code of ORT seems to be at:

ort/model/src/main/kotlin/config/OrtConfiguration.kt

Line 173 in 1d5676f

val loader = ConfigLoaderBuilder.default()

[sschuberth]

Looks like there's a subtle issue with indentation of YAML lists: The "-" for the item must be on the start column of the parent key. This works for me:

ort:
  allowedProcessEnvironmentVariableNames:
  - PASSPORT
  - USER_HOME
  deniedProcessEnvironmentVariablesSubstrings:
  - PASS
  - SECRET
  - TOKEN
  - USER

  enableRepositoryPackageConfigurations: true
  enableRepositoryPackageCurations: true

  # Force overwriting of any existing output files.
  forceOverwrite: true

  licenseFilePatterns:
    licenseFilenames: ['license*']
    patentFilenames: ['patents']
    otherLicenseFilenames: ['readme*']

[sschuberth]

Very weird, I was able to reproduce it once, but now not anymore...

[MNesche]

Hi sschuberth,
thank you for having a look into this issue.
The intendation is exactly as in

ort/model/src/main/resources/reference.yml

Lines 21 to 29 in ac270d8

	ort:
	allowedProcessEnvironmentVariableNames:
	- PASSPORT
	- USER_HOME
	deniedProcessEnvironmentVariablesSubstrings:
	- PASS
	- SECRET
	- TOKEN
	- USER

However, changing the indendation didn't fix the problem, unfortunately.
We copied the raw reference.yml from the ort repository, as available on github and used it as config, no chance, even that one gets ignored.

[MNesche]

I did another test and removed everything from the config.yml except:

ort:
  enableRepositoryPackageConfigurations: true
  enableRepositoryPackageCurations: true

Still it gets ignored, cause the output of the log is:

enableRepositoryPackageConfigurations: false
enableRepositoryPackageCurations: false

This is really odd.

[sschuberth]

The intendation is exactly as in

Ok, that was a bit confusing. I've adressed that in #9549.

[sschuberth]

1. Install ORT on Jenkins with the right Environment Variables

@MNesche, can you elaborate what you mean by "with the right Environment Variables"? Do you set environment variables that should influence ORT configuration?

[MNesche]

Yes, in Jenkins we used the Variables as described in https://oss-review-toolkit.org/ort/docs/getting-started/usage#configuration.
Since that didn't work, we used the option "-c <pathToFile.yml>" but that didn't work also.
With debugging, we noticed that the content of the file is passed to hoplite and the error happened probably in there.

[sschuberth]

Ok, but you're not using Hoplite's mechanism to override configuration properties via environment variables?

[MNesche]

With the sentence "with the right Environment Variables" was only meant for the context of running ORT in Jenkins.
It's not necessary to set environment variables in Jenkins for the directories, but since we did that, I mentioned it.

For the workaround, we use the mechanism you asked about, to parse the config as string to hoplite but not for overriding any configuration properties via environment variables.
Here's the content of the patch:

Subject: [PATCH] ORT standalone version with included config settings as hardcoded string.
---
Index: helper-cli/src/main/kotlin/commands/CreateAnalyzerResultFromPackageListCommand.kt
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/helper-cli/src/main/kotlin/commands/CreateAnalyzerResultFromPackageListCommand.kt b/helper-cli/src/main/kotlin/commands/CreateAnalyzerResultFromPackageListCommand.kt
--- a/helper-cli/src/main/kotlin/commands/CreateAnalyzerResultFromPackageListCommand.kt	(revision b5cc0ea487a5151fa0d4830f94bb063f0d9bf520)
+++ b/helper-cli/src/main/kotlin/commands/CreateAnalyzerResultFromPackageListCommand.kt	(date 1737550272238)
@@ -107,7 +107,8 @@
             )
         )
 
-        val ortConfig = OrtConfiguration.load(emptyMap(), configFile)
+        // previous: val ortConfig = OrtConfiguration.load(emptyMap(), configFile)
+        val ortConfig = OrtConfiguration.load()
         val packageCurationProviders = PackageCurationProviderFactory.create(ortConfig.packageCurationProviders)
 
         val ortResult = OrtResult(
Index: cli/src/main/kotlin/OrtMain.kt
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/cli/src/main/kotlin/OrtMain.kt b/cli/src/main/kotlin/OrtMain.kt
--- a/cli/src/main/kotlin/OrtMain.kt	(revision b5cc0ea487a5151fa0d4830f94bb063f0d9bf520)
+++ b/cli/src/main/kotlin/OrtMain.kt	(date 1737540239023)
@@ -149,6 +149,7 @@
         // Make the parameter globally available.
         printStackTrace = stacktrace
 
+        /*
         // Make options available to subcommands and apply static configuration.
         val ortConfig = OrtConfiguration.load(args = configArguments, file = configFile)
         currentContext.findOrSetObject { ortConfig }
@@ -158,6 +159,19 @@
             ortConfig.deniedProcessEnvironmentVariablesSubstrings,
             ortConfig.allowedProcessEnvironmentVariableNames
         )
+        */
+
+    // Make options available to subcommands and apply static configuration. Hardcoded Config Variant
+        val ortConfig = OrtConfiguration.load()
+        currentContext.findOrSetObject { ortConfig }
+        LicenseFilePatterns.configure(ortConfig.licenseFilePatterns)
+
+        EnvironmentVariableFilter.reset(
+            ortConfig.deniedProcessEnvironmentVariablesSubstrings,
+            ortConfig.allowedProcessEnvironmentVariableNames
+        )
+
+
 
         if (helpAll) {
             registeredSubcommands().forEach {
Index: helper-cli/src/main/kotlin/commands/DownloadResultsFromPostgresCommand.kt
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/helper-cli/src/main/kotlin/commands/DownloadResultsFromPostgresCommand.kt b/helper-cli/src/main/kotlin/commands/DownloadResultsFromPostgresCommand.kt
--- a/helper-cli/src/main/kotlin/commands/DownloadResultsFromPostgresCommand.kt	(revision b5cc0ea487a5151fa0d4830f94bb063f0d9bf520)
+++ b/helper-cli/src/main/kotlin/commands/DownloadResultsFromPostgresCommand.kt	(date 1737550249173)
@@ -145,7 +145,8 @@
     }
 
     private fun openDatabaseConnection(): Connection {
-        val storageConfig = OrtConfiguration.load(configArguments, configFile).scanner.storages?.values
+        // previous: OrtConfiguration.load(configArguments, configFile)
+        val storageConfig = OrtConfiguration.load().scanner.storages?.values
             ?.filterIsInstance<PostgresStorageConfiguration>()?.firstOrNull()
             ?: throw IllegalArgumentException("postgresStorage not configured.")
 
Index: model/src/main/kotlin/config/OrtConfiguration.kt
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/model/src/main/kotlin/config/OrtConfiguration.kt b/model/src/main/kotlin/config/OrtConfiguration.kt
--- a/model/src/main/kotlin/config/OrtConfiguration.kt	(revision b5cc0ea487a5151fa0d4830f94bb063f0d9bf520)
+++ b/model/src/main/kotlin/config/OrtConfiguration.kt	(date 1737550315568)
@@ -20,10 +20,12 @@
 package org.ossreviewtoolkit.model.config
 
 import com.sksamuel.hoplite.ConfigLoaderBuilder
+import com.sksamuel.hoplite.ConfigSource
 import com.sksamuel.hoplite.PropertySource
 import com.sksamuel.hoplite.addEnvironmentSource
 import com.sksamuel.hoplite.fp.getOrElse
 import com.sksamuel.hoplite.resolver.context.ContextResolverMode
+import com.sksamuel.hoplite.yaml.YamlPropertySource
 
 import java.io.File
 
@@ -143,6 +145,7 @@
      */
     val notifier: NotifierConfiguration = NotifierConfiguration()
 ) {
+    /* original
     companion object {
         /**
          * Load the [OrtConfiguration]. The different sources are used with this priority:
@@ -185,6 +188,216 @@
                 OrtConfigurationWrapper(OrtConfiguration())
             }
 
+            return wrappedConfig.ort
+        }
+    }
+    */
+
+    /* added to use a hardcoded config */
+    companion object {
+         /**
+         * Load the [OrtConfiguration] using a hardcoded YAML configuration string.
+         */
+        fun load(): OrtConfiguration {
+            val hardcodedConfig = """
+ort:
+  allowedProcessEnvironmentVariableNames:
+    - PASSPORT
+    - USER_HOME
+  deniedProcessEnvironmentVariablesSubstrings:
+    - PASS
+    - SECRET
+    - TOKEN
+    - USER
+
+  enableRepositoryPackageConfigurations: true
+  enableRepositoryPackageCurations: true
+
+  # Force overwriting of any existing output files.
+  forceOverwrite: true
+
+  # add some more options here ....
+
+            """
+
+            val loader = ConfigLoaderBuilder.default()
+                .addSource(YamlPropertySource(hardcodedConfig))
+                .build()
+
+            val configResult = loader.loadConfig<OrtConfigurationWrapper>()
+            val wrappedConfig = configResult.getOrElse { failure ->
+                throw IllegalArgumentException("Failed to load ORT configuration: ${failure.description()}")
+            }
+
             return wrappedConfig.ort
         }
     }
Index: plugins/commands/config/src/main/kotlin/ConfigCommand.kt
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/plugins/commands/config/src/main/kotlin/ConfigCommand.kt b/plugins/commands/config/src/main/kotlin/ConfigCommand.kt
--- a/plugins/commands/config/src/main/kotlin/ConfigCommand.kt	(revision b5cc0ea487a5151fa0d4830f94bb063f0d9bf520)
+++ b/plugins/commands/config/src/main/kotlin/ConfigCommand.kt	(date 1737550260062)
@@ -90,7 +90,8 @@
 
         checkSyntax?.run {
             runCatching {
-                OrtConfiguration.load(file = this)
+                // previous: OrtConfiguration.load(file = this)
+                OrtConfiguration.load()
             }.onSuccess {
                 echo("The syntax of the configuration file '$this' is valid.")
             }.onFailure {
Index: helper-cli/src/main/kotlin/commands/GetPackageLicensesCommand.kt
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/helper-cli/src/main/kotlin/commands/GetPackageLicensesCommand.kt b/helper-cli/src/main/kotlin/commands/GetPackageLicensesCommand.kt
--- a/helper-cli/src/main/kotlin/commands/GetPackageLicensesCommand.kt	(revision b5cc0ea487a5151fa0d4830f94bb063f0d9bf520)
+++ b/helper-cli/src/main/kotlin/commands/GetPackageLicensesCommand.kt	(date 1737550239506)
@@ -106,7 +106,8 @@
     }
 
     private fun getStoredScanResults(pkg: Package): List<ScanResult> {
-        val ortConfiguration = OrtConfiguration.load(configArguments, configFile)
+        // previous: val ortConfiguration = OrtConfiguration.load(configArguments, configFile)
+        val ortConfiguration = OrtConfiguration.load()
         val scanStorages = ScanStorages.createFromConfig(ortConfiguration.scanner)
         return runCatching { scanStorages.read(pkg) }.getOrDefault(emptyList())
     }
Index: helper-cli/src/main/kotlin/commands/provenancestorage/DeleteCommand.kt
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/helper-cli/src/main/kotlin/commands/provenancestorage/DeleteCommand.kt b/helper-cli/src/main/kotlin/commands/provenancestorage/DeleteCommand.kt
--- a/helper-cli/src/main/kotlin/commands/provenancestorage/DeleteCommand.kt	(revision b5cc0ea487a5151fa0d4830f94bb063f0d9bf520)
+++ b/helper-cli/src/main/kotlin/commands/provenancestorage/DeleteCommand.kt	(date 1737543893025)
@@ -67,7 +67,8 @@
     ).flag()
 
     override fun run() {
-        val config = OrtConfiguration.load(configArguments, configFile)
+        // val config = OrtConfiguration.load(configArguments, configFile)
+        val config = OrtConfiguration.load()
         val scanStorages = ScanStorages.createFromConfig(config.scanner)
 
         val provenances = scanStorages.packageProvenanceStorage.readProvenances(packageId)
Index: helper-cli/src/main/kotlin/commands/ListStoredScanResultsCommand.kt
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/helper-cli/src/main/kotlin/commands/ListStoredScanResultsCommand.kt b/helper-cli/src/main/kotlin/commands/ListStoredScanResultsCommand.kt
--- a/helper-cli/src/main/kotlin/commands/ListStoredScanResultsCommand.kt	(revision b5cc0ea487a5151fa0d4830f94bb063f0d9bf520)
+++ b/helper-cli/src/main/kotlin/commands/ListStoredScanResultsCommand.kt	(date 1737543849891)
@@ -63,7 +63,8 @@
     ).associate()
 
     override fun run() {
-        val config = OrtConfiguration.load(configArguments, configFile)
+        // val config = OrtConfiguration.load(configArguments, configFile)
+        val config = OrtConfiguration.load()
         val scanStorages = ScanStorages.createFromConfig(config.scanner)
 
         println(

[sschuberth]

@MNesche can you try without your work-around but #10095 merged? Do you then get a proper error on your side, instead of the silent fallback to the default config?

[MNesche]

Sure, thanks a lot for the update and effort in finding a solution, I'll let you know about the result as soon as possible.

[MNesche]

@sschuberth, the results are as following:
This works: Implemented fix according to @Harshad_Sinkar with commenting out // .addEnvironmentSource() in model/src/main/kotlin/config/OrtConfiguration.kt.

Config is used, as seen in the output log:

13:36:40  The following 2 package manager(s) are enabled:
13:36:40          Maven, NPM
13:36:41  The following 2 package curation provider(s) are enabled:
13:36:41          RepositoryConfiguration, ort-config-curations

The merge of the commits into the master branch according to #10095 doesn't work.
There's no error message or output according the problem.
Config is not used, as seen in the output log:

14:06:00  The following 26 package manager(s) are enabled:
14:06:00          Bazel, Bower, Bundler, Cargo, Carthage, CocoaPods, Composer, Conan, GoMod, Gradle Inspector, Maven, NPM, NuGet, PIP, Pipenv, PNPM, Poetry, Pub, SBT, SpdxDocumentFile, Stack, Swift Package Manager, Tycho, Unmanaged, Yarn, Yarn 2+
14:06:01  The following 2 package curation provider(s) are enabled:
14:06:01          DefaultDir, DefaultFile

The same config has been used for both tests, without any changes in between.
The test runs were on Jenkins, running on Windows, same pipeline, only the ORT files have been exchanged.
Hope that helps.

[sschuberth]

@sinkarharshad and others, could you try with #10106? Is the issue then still reproducible?

[sinkarharshad]

@sschuberth I tried with #10106 and was able to reproduce the issue. I didn’t notice anything in the log, but I might have missed something:

❯ $ORT --debug -c dir_zlib_ort_results/config.yml config --show-active                                                                                         ─╯
14:04:15.182 [main] INFO  org.ossreviewtoolkit.model.config.OrtConfiguration - Using ORT configuration file '/Users/harshadsinkar/devel/dir_ort_test/dir_zlib_ort_results/config.yml'.
Hoplite is configured to infer which sealed type to choose by inspecting the config values at runtime. This behaviour is now deprecated in favour of explicitly specifying the type through a discriminator field. In 3.0 this new behavior will become the default. To enable this behavior now (and disable this warning), invoke withExplicitSealedTypes() on the ConfigLoaderBuilder.
14:04:15.321 [main] INFO  org.ossreviewtoolkit.utils.common.EnvironmentVariableFilter - EnvironmentVariableFilter initialized with denySubstrings = [key, pass, pwd, token, user] and allowNames = [CARGO_HTTP_USER_AGENT, COMPOSER_ALLOW_SUPERUSER, CONAN_LOGIN_ENCRYPTION_KEY, CONAN_LOGIN_USERNAME, CONAN_PASSWORD, CONAN_USERNAME, CONAN_USER_HOME, CONAN_USER_HOME_SHORT, DOTNET_CLI_CONTEXT_ANSI_PASS_THRU, GIT_ASKPASS, GIT_HTTP_USER_AGENT, GRADLE_USER_HOME, HACKAGE_USERNAME, HACKAGE_PASSWORD, HACKAGE_KEY, PWD, USER, USERPROFILE].

[sschuberth]

Thanks @sinkarharshad for trying! Do you see the new "All property sources were empty, falling back to the default configuration." log statement in the output?

[sinkarharshad]

@sschuberth Nope, could not find any trace of that in the log.
Attaching here the full log for your reference.

config_log.txt

[sschuberth]

If you don't have any sensitive information in there, could you also dump all your environment variables?

[sinkarharshad]

Here you go:
env.txt