BUG: Usage policy not assigned despite successful scan
Describe the bug
If a package scan through scan_single_package in ScanCode.io initially failed, the pipeline is restarted manually in ScanCode.io, and it completes successfully, then no usage policy (e.g. Approved Package) is assigned to the package in DejaCode. This results in the status indicator (e.g. checkmark) being missing from the inventory of the product. Re-submitting the package for scan from DejaCode does not help, as no scan is started if there is already a previous run in ScanCode.io.
Similarly, it does not help to delete the existing scan in ScanCode.io and then trigger "Scan All Packages" again, at least not if there is a prior successful scan, if you've followed the steps from the previous paragraph.
To Reproduce
Steps to reproduce the behavior:
- Create a product
- Import an SBOM
- Make ScanCode.io fail the scan (e.g. cut internet connection, stop ScanCode.io, ...)
- Restart the pipeline in ScanCode.io for the affected package(s)
- Observe that the scan results are correctly shown for the package in DejaCode but no usage policy is assigned
Expected behavior
I would hope either that the usage policy is assigned on later scans as well or that there is a way to trigger another evaluation based on the data that is now present. At the very least, deleting the projects in ScanCode.io and then triggering "Scan All Packages" again should also re-evaluate the usage policy and update the scan result.
Screenshots n.a.
Context (OS, Browser, Device, etc.): n.a.
Hi @ghsa-retrieval, thanks for reporting your experiences. Please confirm the following:
The Set usage policy on component or package from license policy option in your dataspaces is checked.
You have defined an associated package policy for each of the license policies defined in your dataspace.
I am not clear on whether the problem you are describing only happens in the specific case you mention or whether a package usage policy is never automatically set when a license is assigned to a package.
@DennisClark The setting is enabled and assignment of the usage policy does work if the first scan attempt succeeds. However, if the first scan fails I am unable to get DejaCode to evaluate the usage policy at a later point. Neither deleting the original ScanCode.io project where scan_single_package was run and running "Scan All Packages" again nor manually starting another scan_single_package on the same project in ScanCode.io makes any difference. For now I have to manually edit the package in DejaCode to assign it.
@ghsa-retrieval thanks for the clarifications. We'll investigate this.
@ghsa-retrieval Until we figure out how to resolve your issue, you may want to try a workaround that will hopefully facilitate your efforts to assign usage policies to packages.
Go to the Browse Packages form in DejaCode administration.
Use sorting or filtering to find your problem packages and select them.
Select the Set usage policy from licenses option in the command dropdown in the lower left section of the form and click the Go button.
Use the next form to do a reasonably quick update of package usage policies.
I hope that helps. Let me know if you have any comments or questions about that process.
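The two pieces of behaviour this thread is about, deriving a package usage policy from the license policies of a dataspace (the "Set usage policy on component or package from license policy" option mentioned above) and re-evaluating packages whose scan only succeeded on a later attempt, as an added Python illustration. This is example code written for this page, not DejaCode's or ScanCode.io's implementation: the restrictiveness ordering of policies, the AND/OR combination rules, the Package fields, the function names and the sample packages are all assumptions constructed for the example.

```python
"""Added example (not DejaCode/ScanCode.io code): derive a package usage policy
from license policies and re-evaluate packages that a failed-then-retried scan
left without one. All policy names, rules and sample data are hypothetical."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical restrictiveness ranking for this example only; lower is less restrictive.
SEVERITY = {"Approved": 0, "Restricted": 1, "Prohibited": 2}

# License keys, parentheses and the operators AND / OR / WITH (any case).
_TOKEN_RE = re.compile(r"\(|\)|\bAND\b|\bOR\b|\bWITH\b|[A-Za-z0-9.+\-]+", re.IGNORECASE)


def _combine(left: Optional[str], right: Optional[str], pick) -> Optional[str]:
    # A license with no license policy defined leaves the result undecided (None),
    # mirroring the "define a package policy for each license policy" requirement above.
    if left is None or right is None:
        return None
    return pick((left, right), key=SEVERITY.__getitem__)


class _Parser:
    """Tiny recursive-descent evaluator: expr := term (OR term)*, term := factor (AND factor)*,
    factor := '(' expr ')' | license [WITH exception]. Assumed rule: AND keeps the most
    restrictive operand, OR the least restrictive one; WITH exceptions are ignored here."""

    def __init__(self, tokens: List[str], policies: Dict[str, str]):
        self.tokens, self.pos, self.policies = tokens, 0, policies

    def peek(self) -> Optional[str]:
        return self.tokens[self.pos].upper() if self.pos < len(self.tokens) else None

    def take(self) -> str:
        if self.pos >= len(self.tokens):
            raise ValueError("unexpected end of license expression")
        tok = self.tokens[self.pos]
        self.pos += 1
        return tok

    def expr(self) -> Optional[str]:
        result = self.term()
        while self.peek() == "OR":
            self.take()
            result = _combine(result, self.term(), min)
        return result

    def term(self) -> Optional[str]:
        result = self.factor()
        while self.peek() == "AND":
            self.take()
            result = _combine(result, self.factor(), max)
        return result

    def factor(self) -> Optional[str]:
        tok = self.take()
        if tok == "(":
            result = self.expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses in license expression")
            return result
        if tok == ")":
            raise ValueError("unexpected ')' in license expression")
        policy = self.policies.get(tok.lower())  # license key -> associated package policy
        if self.peek() == "WITH":
            self.take()  # WITH
            self.take()  # exception key, not considered by this example
        return policy


def evaluate_usage_policy(expression: str, license_policies: Dict[str, str]) -> Optional[str]:
    """Map a license expression (e.g. 'mit AND gpl-2.0') to a usage policy, or None if any
    license in it has no license policy defined."""
    tokens = _TOKEN_RE.findall(expression)
    if not tokens:
        return None
    parser = _Parser(tokens, license_policies)
    result = parser.expr()
    if parser.pos != len(tokens):
        raise ValueError("trailing tokens in license expression")
    return result


@dataclass
class Package:
    uuid: str
    scan_status: str = "not_started"      # not_started | failed | succeeded (hypothetical states)
    license_expression: str = ""          # filled in once a scan has completed
    usage_policy: Optional[str] = None


def reconcile_usage_policies(packages: List[Package], license_policies: Dict[str, str]) -> List[str]:
    """Re-evaluate every package whose scan succeeded but that carries no usage policy,
    which is the state a failed-then-retried scan leaves behind. Packages that already have
    a policy (e.g. set by hand) are left alone. Returns the UUIDs that were updated."""
    updated = []
    for pkg in packages:
        if pkg.scan_status != "succeeded" or pkg.usage_policy is not None:
            continue
        policy = evaluate_usage_policy(pkg.license_expression, license_policies)
        if policy is not None:
            pkg.usage_policy = policy
            updated.append(pkg.uuid)
    return updated


def sample_run() -> Tuple[List[str], Dict[str, Optional[str]]]:
    """Constructed scenario: one package whose first scan failed and whose pipeline was
    restarted by hand (scan now succeeded, policy still missing), one still failed, and
    one whose policy was already assigned manually."""
    license_policies = {"mit": "Approved", "gpl-2.0": "Restricted"}
    packages = [
        Package("pkg-retried", scan_status="succeeded", license_expression="mit AND gpl-2.0"),
        Package("pkg-still-failed", scan_status="failed"),
        Package("pkg-manual", scan_status="succeeded", license_expression="mit", usage_policy="Approved"),
    ]
    updated = reconcile_usage_policies(packages, license_policies)
    return updated, {p.uuid: p.usage_policy for p in packages}


if __name__ == "__main__":
    print(sample_run())
```

The reconciliation pass is idempotent, so it can be run after every completed pipeline, not only the first one; that is the property the reporter is missing when a scan is retried.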
@rogu-beta Following those changes, this issue should now be resolved:
- https://github.com/aboutcode-org/dejacode/issues/423
- https://github.com/aboutcode-org/dejacode/issues/388
- https://github.com/aboutcode-org/dejacode/issues/387
- https://github.com/aboutcode-org/scancode.io/pull/1963
Note: The changes are not all released yet; you need the main branch of both SCIO and DejaCode.