
Enhancement request: Support submitting NuGet PURLs for scanning with ScanCode.io

Open rogu-beta opened this issue 10 months ago • 5 comments

Is your enhancement request related to a problem? Please describe.
Currently the scanning of NuGet packages does not seem to work as no scan_single_package is getting triggered.

What are the benefits of the requested enhancement?
Users could benefit from ScanCode.io scanning the package for license information.

Describe the solution you would like
Resolve the PURL (example: pkg:nuget/[email protected]) similar to npm packages so that ScanCode.io can analyze the package. This might also require work on ScanCode.io, since there are open tickets related to NuGet support such as: https://github.com/aboutcode-org/scancode.io/issues/1089

Additional notes
n.a.

rogu-beta avatar Feb 07 '25 14:02 rogu-beta

This is tracked in https://github.com/aboutcode-org/purldb/issues/467 btw, as this is where it would be implemented

AyanSinhaMahapatra avatar Feb 20 '25 16:02 AyanSinhaMahapatra

@AyanSinhaMahapatra Perfect, thank you!

rogu-beta avatar Feb 20 '25 19:02 rogu-beta

@AyanSinhaMahapatra I just realized I may have misunderstood your response. My request was about SBOMs being uploaded to DejaCode and then scanned through ScanCode.io, so PurlDB in itself would not be the solution. Currently DejaCode seems to be unable to convert nuget PURLs to download URLs, hence ScanCode.io does not process those packages. So likely this is a change needed in the conversion logic and requires adjustment for purl2url.

rogu-beta avatar Feb 24 '25 07:02 rogu-beta

Currently DejaCode seems to be unable to convert nuget PURLs to download URLs, hence ScanCode.io does not process those packages. So likely this is a change needed in the conversion logic and requires adjustment for purl2url.

It appears that purl2url does have support for converting NuGet PURLs to download URLs:

>>> from packageurl.contrib import purl2url
>>> purl2url.get_download_url("pkg:nuget/Azure.Core@1.45.0")
'https://www.nuget.org/api/v2/package/Azure.Core/1.45.0'

purl2url is not leveraged during SBOM imports in DejaCode. We could add it in the import process, if the download_url of the package data is still empty after the PurlDB lookups.

tdruez avatar Jun 05 '25 12:06 tdruez

@tdruez I believe I've created this ticket prior to us having PurlDB up and running. Leveraging purl2url for SBOM imports makes perfect sense if no PurlDB instance is being used, because that was our original issue. We imported SBOMs, DejaCode was unable to determine a download URL and subsequently no analysis of packages was possible.

If there already is a PurlDB running, then I'm not entirely sure what the implications would be. Usually the analysis with PurlDB takes time, hence the need to manually run "Improve Packages from PurlDB" after having the SBOM processed and imported. If purl2url is being used and a download URL is assigned during the import, would it still be possible to run "Improve Packages from PurlDB" to overwrite the download URL afterwards, or would this somehow block the assignment of information from PurlDB? If updates from PurlDB would be prevented then there should be an option in the import to selectively enable or disable it as it may cause problems.

In my opinion that would be an excellent feature.

rogu-beta avatar Jun 05 '25 12:06 rogu-beta
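A sketch of the import fallback tdruez proposes (PurlDB first, purl2url only when download_url is still empty) together with the later "Improve Packages from PurlDB" overwrite rogu-beta asks about, as an added example that is not DejaCode's own code. The in-memory PurlDB stand-in, the offline substitute for purl2url, the per-import switch and the download_url_source field are assumptions; the NuGet URL shape is the one shown in the thread.

```python
from typing import Callable, Optional

try:  # the real library used in the thread
    from packageurl.contrib import purl2url
except ImportError:  # assumption: offline stand-in, NuGet only, same URL shape as above
    class purl2url:  # noqa: N801 - mimics purl2url.get_download_url
        @staticmethod
        def get_download_url(purl: str) -> Optional[str]:
            if not purl.startswith("pkg:nuget/"):
                return None
            name, _, version = purl[len("pkg:nuget/"):].partition("@")
            if not (name and version):
                return None
            return f"https://www.nuget.org/api/v2/package/{name}/{version}"

PurlDBLookup = Callable[[str], Optional[dict]]

# Constructed stand-in for a PurlDB query: only one package is "known".
def fake_purldb_lookup(purl: str) -> Optional[dict]:
    known = {"pkg:npm/lodash@4.17.21": {"download_url": "https://registry.example/lodash.tgz"}}
    return known.get(purl)

def resolve_download_url(package_data: dict, purldb_lookup: PurlDBLookup,
                         use_purl2url: bool = True) -> dict:
    """Fill download_url during SBOM import: PurlDB first, purl2url as fallback."""
    purl = package_data["purl"]
    if not package_data.get("download_url"):
        entry = purldb_lookup(purl)
        if entry and entry.get("download_url"):
            package_data["download_url"] = entry["download_url"]
            package_data["download_url_source"] = "purldb"
    if not package_data.get("download_url") and use_purl2url:
        url = purl2url.get_download_url(purl)
        if url:  # purl2url knows the ecosystem; record where the value came from
            package_data["download_url"] = url
            package_data["download_url_source"] = "purl2url"
    return package_data

def improve_from_purldb(package_data: dict, purldb_lookup: PurlDBLookup) -> dict:
    """Later 'Improve Packages from PurlDB' run: PurlDB data replaces a purl2url guess."""
    entry = purldb_lookup(package_data["purl"])
    if entry and entry.get("download_url"):
        package_data["download_url"] = entry["download_url"]
        package_data["download_url_source"] = "purldb"
    return package_data
```

Because the import only records the source of the URL and never locks the field, a later PurlDB pass can still overwrite the purl2url value; setting use_purl2url=False reproduces the current behaviour where the field stays empty.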