aboutcode-org
Introduce an "Imports" entity to DejaCode
Objective: Provide access to the original details of data imported to DejaCode.
DejaCode currently supports multiple options to import data into a Product, including:
- Import data from Scan
- Load packages from SBOMs
- Import packages from manifests
- Pull ScanCode.io Project data
Note that one Product can be constructed using multiple imports. These imports result in additions to a DejaCode Product Inventory and new Package definitions; a summary and status of each import is available on the Product "Imports" tab. The details of the original data, and their connections to specific DejaCode objects, are generally not maintained.
Consider the ability to navigate to a new DejaCode form that presents the (read-only) details of the imported file, so that all the metadata of that "Import" object can be viewed in a structured manner, including any "header" (top-level) metadata from that object.
Consider an enhancement to the various import processes that "links" new Product Inventory Items and Packages to original imported data.
Consider an enhancement to provide the ability to reuse imports on another Product.
More details to follow.
See related issue in ScanCode.io https://github.com/nexB/scancode.io/issues/1343
For clarity and usability, we may want to limit the original implementation of an "Imports" entity to data imported from SBOMs, which is the main use case that needs to be supported here.
From discussions with a CISO, keeping the original imported SBOM (or scan) file(s) as-is as attachments is important as there are times where our import may not be 100% lossless. This helps with auditability and in general is a good thing. It can also help to reprocess the same SBOM in some other tool, so storing it is always important.
