DJC: Store Dependencies as Packages and support multiple dependency types in the DejaCode model
We should store Dependencies as Packages in DejaCode. Also, in addition to simply creating Product Packages, we really need to provide the necessary qualifiers for Dependencies, especially whether they are declared as required or optional. Needs design. The processes that import Product Inventory Items from ScanCode results, or from an SBOM that provides dependency details, need to be enhanced as well as the model and the corresponding UI presentation in DejaCode.
As we do for Package, the Dependency model should be aligned with the ScanCode-toolkit and ScanCode.io ones:
- SCIO https://github.com/nexB/scancode.io/blob/main/scanpipe/models.py#L2742
- SCTK https://github.com/nexB/scancode-toolkit/blob/develop/src/packagedcode/models.py#L387
Note that this improvement would enhance both license compliance and vulnerability management processes in DejaCode.
See related analysis in SCIO:
- https://github.com/nexB/scancode.io/issues/1145
- https://github.com/nexB/scancode.io/issues/1066
Assuming that the improvements suggested in those issues for SCIO are implemented, we should create a compatible model in DejaCode.
Implemented in https://github.com/aboutcode-org/dejacode/pull/147 (https://github.com/aboutcode-org/dejacode/issues/138)