Potential issue with left-over project source code in `ProjectSourceRule`

[sschuberth]

The ProjectSourceRule can download a remote project repository in order to perform checks on the project's source code. It leverages a SourceTreeResolver for that which downloads the source code to a temporary directory:

ort/evaluator/src/main/kotlin/SourceTreeResolver.kt

Lines 35 to 45 in 660946f

	fun forRemoteRepository(vcsInfo: VcsInfo) =
	SourceTreeResolver {
	val downloadDir = createOrtTempDir()
	val downloaderConfiguration = DownloaderConfiguration(sourceCodeOrigins = listOf(SourceCodeOrigin.VCS))
	val downloader = Downloader(downloaderConfiguration)
	val pkg = Package.EMPTY.copy(vcsProcessed = vcsInfo)
	downloader.download(pkg, downloadDir)
	downloadDir
	}

However, this temporary directory seems to never get deleted. This could be problematic if different users share a CI node that runs the evaluator. Then user A could access the (proprietary) project source code of user B.

So we probably should delete the temporary directory after use, but this seems to be tricky with the current design of the ProjectSourceRule rule.

@fviernau would you have any idea how to properly delete the temporary directory after its use? Ideally automatically, without the need for the user to call a special function.

[fviernau]

Hm, it depends when we want it to happen. A simple option would be the File.deleteOnExit, to make it delete after the JVM shutdown. If this shouldn't work (e.g. custom delete function), maybe a JVM shutdown hook would do.

Making it "nicer" requires probably the introduction of some even hook, the project source resolver could be registerd for / told to delete its stuff. Maybe the RuleSet would be a good candidate, as it has that resolver. IIUC the ruleset cannot be contructed with all rules without execution. Separating construction and execution by introducing a RuleSet.evaluate() call, the last line of evaluate() could the call something like projectSourceResolver.cleanUp(). I hope this is understandable.

[sschuberth]

A simple option would be the File.deleteOnExit

I don't think that sufficient, e.g. in the server case, where the JVM is not shut down usually.

Separating construction and execution by introducing a RuleSet.evaluate() call, the last line of evaluate() could the call something like projectSourceResolver.cleanUp().

Yes, something like that would make sense to me as well. Essentially, like a lambda-block which marks the lifetime of the ProjectSourceRule, after which any cleanup would be performed.

[fviernau]

Yes, something like that would make sense to me as well. Essentially, like a lambda-block which marks the lifetime of the ProjectSourceRule, after which any cleanup would be performed.

The downloaded directory can be shared amongst multiple project source rules (to avoid redundant clones), which is why I came up with the idea of using the "lifetime" of the rule set instead.