
BUG: Maven packages not scanned when importing SBOM

Open rogu-beta opened this issue 10 months ago • 0 comments

Describe the bug

It appears that importing an SBOM that contains a mix of npm and Maven packages only results in npm packages being scanned by ScanCode.io. It seems that DejaCode is unable to retrieve the download URL from the given PURL, perhaps due to the missing purl2url implementation (https://github.com/package-url/packageurl-python/issues/179), if no other means of translation to a download URL is available.

To Reproduce

  1. Ensure that the example package pkg:maven/commons-cli/[email protected] is not already listed in the packages
  2. Create a DejaCode product
  3. Import the SBOM with the options "Update existing packages with discovered packages data" and "Scan all packages of this product post-import" enabled (attachment: mwe-dejacode-258.json)

You should be able to see that the load_sbom pipeline runs successfully in ScanCode.io, but scan_single_package is not triggered.

Note: The SBOM is a manually shortened version, since I cannot share the original file.

Expected behavior

All packages in the SBOM should be scanned for license information.

Screenshots: n.a.

Context (OS, Browser, Device, etc.): n.a.

rogu-beta, Feb 10 '25 12:02
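An added illustration of the failure mode described in the report, written for this page and not DejaCode's or packageurl-python's code: a minimal resolver that derives a download URL for npm and Maven PURLs and returns None for anything it cannot map, which is exactly the case in which a post-import scan has nothing to fetch. It assumes the standard Maven Central and npm registry artifact layouts, and the SBOM PURL list below is constructed, not taken from the attached file.

```python
from urllib.parse import unquote


def parse_purl(purl: str) -> dict:
    """Parse pkg:type/namespace/name@version; qualifiers and subpath are dropped."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a PURL: {purl}")
    body = purl[len("pkg:"):].lstrip("/")
    body = body.split("?", 1)[0].split("#", 1)[0]  # strip ?qualifiers and #subpath
    path, _, version = body.partition("@")        # '@' in names must be %40-encoded
    parts = path.split("/")
    namespace = "/".join(unquote(p) for p in parts[1:-1]) or None
    return {"type": parts[0], "namespace": namespace,
            "name": unquote(parts[-1]), "version": version or None}


def download_url(purl: str):
    """Return a fetchable artifact URL, or None when no mapping exists for the PURL."""
    p = parse_purl(purl)
    if not p["version"]:
        return None  # nothing to fetch without a pinned version
    if p["type"] == "npm":
        # npm scope lives in the namespace, already including its leading '@'
        full = f"{p['namespace']}/{p['name']}" if p["namespace"] else p["name"]
        return f"https://registry.npmjs.org/{full}/-/{p['name']}-{p['version']}.tgz"
    if p["type"] == "maven":
        if not p["namespace"]:
            return None  # Maven coordinates need a groupId to build a repository path
        group_path = p["namespace"].replace(".", "/")
        return (f"https://repo1.maven.org/maven2/{group_path}/{p['name']}/"
                f"{p['version']}/{p['name']}-{p['version']}.jar")
    return None  # unsupported type: a scan cannot be scheduled for it


# Constructed sample: the kind of mixed PURL list an SBOM import would carry.
SBOM_PURLS = [
    "pkg:npm/lodash@4.17.21",
    "pkg:npm/%40angular/animation@12.3.1",
    "pkg:maven/org.apache.commons/commons-lang3@3.12.0",
    "pkg:maven/example-artifact@1.0.0",  # constructed: no groupId, so unresolvable
]


def scannable(purls):
    """Split PURLs into those with a resolvable URL and those that would be skipped."""
    resolved = {purl: url for purl in purls if (url := download_url(purl))}
    skipped = [purl for purl in purls if purl not in resolved]
    return resolved, skipped
```

A check like scannable() run before triggering scans makes the silently skipped packages visible instead of letting them drop out of the license results unnoticed.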