Add support for multiple instances of a PURL in the CycloneDX outputs #…

…1316 (#1317)

Signed-off-by: tdruez <[email protected]>

CHANGELOG.rst

@@ -14,6 +14,10 @@ v34.7.1 (unreleased)
 - Display the resolved_to_package as link in the dependencies tab.
   https://github.com/nexB/scancode.io/pull/1314
 
+- Add support for multiple instances of a PackageURL in the CycloneDX outputs.
+  The `package_uid` is now included in each BOM Component as a property.
+  https://github.com/nexB/scancode.io/issues/1316
+
 v34.7.0 (2024-07-02)
 --------------------
 

scanpipe/models.py

@@ -3414,6 +3414,7 @@ def as_cyclonedx(self):
             "download_url",
             "homepage_url",
             "notice_text",
+            "package_uid",
         ]
         properties = [
             cyclonedx_model.Property(

scanpipe/tests/data/cyclonedx/asgiref-3.3.0.cdx.json

@@ -54,6 +54,10 @@
           "name": "aboutcode:homepage_url",
           "value": "https://github.com/django/asgiref/"
         },
+        {
+          "name": "aboutcode:package_uid",
+          "value": "pkg:pypi/[email protected]?uuid=8203628e-74ff-42c0-b96d-cdd2c56a0f01"
+        },
         {
           "name": "aboutcode:primary_language",
           "value": "Python"
@@ -99,6 +103,10 @@
           "name": "aboutcode:homepage_url",
           "value": "https://github.com/django/asgiref/"
         },
+        {
+          "name": "aboutcode:package_uid",
+          "value": "pkg:pypi/[email protected]?uuid=6dc8a3e1-c9d2-41a0-aa6c-99999115001a"
+        },
         {
           "name": "aboutcode:primary_language",
           "value": "Python"

scanpipe/tests/pipes/test_cyclonedx.py

@@ -229,7 +229,7 @@ def test_scanpipe_cyclonedx_resolve_cyclonedx_packages(self):
         # JSON v1.5 (this file is generated by the to_cyclonedx)
         input_location = self.data / "asgiref-3.3.0.cdx.json"
         packages = cyclonedx.resolve_cyclonedx_packages(input_location)
-        self.assertEqual(1, len(packages))
+        self.assertEqual(2, len(packages))
 
         # XML v1.4
         input_location = self.data / "laravel-7.12.0" / "bom.1.4.xml"

scanpipe/tests/pipes/test_output.py

@@ -309,6 +309,15 @@ def test_scanpipe_pipes_outputs_get_cyclonedx_bom_dependency_tree(self):
         ]
         self.assertEqual(expected, results_json["dependencies"])
 
+    def test_scanpipe_pipes_outputs_get_cyclonedx_bom_package_uid_instances(self):
+        project = Project.objects.create(name="project")
+        make_package(project, "pkg:type/a", package_uid="pkg:type/a?uuid=1")
+        make_package(project, "pkg:type/a", package_uid="pkg:type/a?uuid=2")
+
+        output_file = output.to_cyclonedx(project=project)
+        results_json = json.loads(output_file.read_text())
+        self.assertEqual(2, len(results_json["components"]))
+
     def test_scanpipe_pipes_outputs_to_spdx(self):
         fixtures = self.data / "asgiref" / "asgiref-3.3.0_fixtures.json"
         call_command("loaddata", fixtures, **{"verbosity": 0})

scanpipe/tests/test_models.py

@@ -2059,6 +2059,7 @@ def test_scanpipe_discovered_package_model_as_cyclonedx(self):
             "aboutcode:homepage_url": "https://packages.debian.org",
             "aboutcode:primary_language": "bash",
             "aboutcode:notice_text": "Notice\nText",
+            "aboutcode:package_uid": package_data1["package_uid"],
         }
         self.assertEqual(expected_properties, properties)
 

setup.cfg

@@ -91,7 +91,7 @@ install_requires =
     # Profiling
     pyinstrument==4.6.2
     # CycloneDX
-    cyclonedx-python-lib==7.4.1
+    cyclonedx-python-lib==7.5.0
     jsonschema==4.22.0
     # Font Awesome
     fontawesomefree==6.5.1