scancode.io
When we display package manifest and lock files, hyperlink to the upstream package repo web page
When we display a package manifest or lockfile in the resource details, we should have a way to add a hyperlink to the upstream repository web page for this repo: for instance when we browse a requirements.txt lockfile, if it contains: scancode-toolkit==30.0.1 we should recognize this and link to https://pypi.org/project/scancode-toolkit/30.1.0/
We can parse manifests alright and we can create URLs based on the ScanCode TK packagedcode classes.
@pombredanne can I work on this?
@soma2000-lang sure thing. If you do, I think starting with requirements.txt files would be great. Another easy one would be go.mod and go.sum
Ok
@pombredanne is this issue unresolved? I would love to work on it in case it is before mentioned.
@the-illuminatus I have not heard back from Soma and there have been no pending PRs... so go for it! Note that you can likely reuse the URL templates and functions to get the proper URL that exist in scancode-toolkit packagedcode code. See https://github.com/nexB/scancode-toolkit/blob/fff140efd68dd0098f09ad1bc675569f1f1ad6ae/src/packagedcode/pypi.py#L1163
Sure, thanks!
A good example of a similar UI would be the hyperlinking in this https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/blob/master/Gemfile ... or https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-python/-/blob/v2/requirements.txt
In the SCIO UI, when we look at a Codebase Resource content and that's a manifest file, we should get the URLs collected from SCTK or just use a few heuristics to hyperlink to the public package repo.
Sure will look into it.
@the-illuminatus Thanks! Note also that @lf32 was interested in fixing it.
@pombredanne is this issue still open?
Yes, it's open
@lf32 @pombredanne is this issue still open? I would like to look into it.
Yes @melencholicmice, this is still open.
@pombredanne @lf32 Hello sir, I had a few doubts about this issue. I will be really thankful if you can help me with them.
- Should I create a hyperlink to the webpage in the extracted_requirement section, or should I make some new column in the table?
- I'm making a class for getting URLs with different methods like get_pypi_url, get_npm_url etc., so in which section should this class go to maintain the code consistency of this project?
> should i create a hyperlink to webpage in extracted_requirement section or should i make some new column in the table ?
We have to make the hyperlink in resource view in scancode.io.
Let's assume we scan using this download URL: https://github.com/nexB/python-inspector/releases/download/v0.9.4/python-inspector-0.9.4.tar.gz and use the scan_codebase/scan_package pipeline. We will have a requirements.txt like this:

Here each requirement will be a hyperlink, i.e. attrs will link to the latest version of attrs -> https://pypi.org/project/attrs/
If this had a version constraint, like pip install attrs==22.2.0, we would then link to https://pypi.org/project/attrs/22.2.0/ instead.
> I'm making a class for getting urls with different methods like get_pypi_url , get_npm_url etc , so in which section should this class go to maintain the code consistency of this project
The code could go in https://github.com/nexB/scancode.io/blob/main/scanpipe/pipes/resolve.py, but this can be discussed more in the PR review stage. The first step would be to get something working, maybe with a few supported types of manifests; then we can think more about generalizing and supporting more lockfiles/manifests.
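A sketch of the linking rule described in the comment above (unpinned requirement to the project page, exact `==` pin to the version page), as an added example that is not ScanCode.io or scancode-toolkit code. Manifest lines come from the scanned codebase and are untrusted, so the URL is built only from a validated name and version; the function names, regexes and sample manifest are assumptions constructed for illustration.

```python
import re
from urllib.parse import quote

# Constructed sample manifest (not taken from the page or any project).
SAMPLE = """\
attrs
attrs==22.2.0
Foo_Bar.baz >= 1.0  # range: no single version to link
requests[security]==2.31.0 ; python_version >= "3.8"
-r other.txt
git+https://example.invalid/x.git#egg=x
attrs"><b>not a specifier
"""

NAME_RE = r"[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?"         # PEP 508 name
REQ_RE = re.compile(rf"({NAME_RE})\s*(?:\[[^\]]*\])?\s*(.*)$")  # name [extras] spec
PIN_RE = re.compile(r"==\s*([A-Za-z0-9][A-Za-z0-9.!+_-]*)")      # exact pin, no wildcard
SPEC_RE = re.compile(r"(?:(?:~=|===?|!=|<=?|>=?)\s*[A-Za-z0-9.*+!_-]+\s*,?\s*)+")


def pypi_url(line):
    """Return the pypi.org page for one requirements.txt line, or None."""
    # Drop comments, environment markers and a trailing line continuation.
    req = line.split("#", 1)[0].split(";", 1)[0].rstrip("\\ \t").strip()
    # Skip blanks, pip options (-r, -e, --hash) and direct URL / VCS references.
    if not req or req.startswith("-") or "://" in req:
        return None
    match = REQ_RE.match(req)
    if not match:
        return None
    name, spec = match.group(1), match.group(2).strip()
    # PEP 503 normalization: runs of "-", "_" and "." become "-", lowercased.
    normalized = re.sub(r"[-_.]+", "-", name).lower()
    base = f"https://pypi.org/project/{quote(normalized)}/"
    pin = PIN_RE.fullmatch(spec)
    if pin:
        return f"{base}{quote(pin.group(1), safe='')}/"
    # Unpinned or ranged requirements link to the project page; anything that
    # is not a well-formed specifier is left unlinked rather than guessed at.
    return base if not spec or SPEC_RE.fullmatch(spec) else None


def link_requirements(text):
    """Map each line of a requirements.txt to (line, url-or-None)."""
    return [(line, pypi_url(line)) for line in text.splitlines()]


if __name__ == "__main__":
    for line, url in link_requirements(SAMPLE):
        print(f"{line!r:60} -> {url}")
```

Lines that return `None` would be rendered as plain text in the resource view, and the returned URL still needs normal HTML attribute escaping when placed in an `href`.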
Greetings @pombredanne and @AyanSinhaMahapatra,
I have executed ScanCode.io locally and comprehended the issue along with the anticipated outcome, and I'd love to fix this. As this is my first endeavor in resolving an issue for a public project, I kindly request guidance on how to commence the process and identification of the particular file requiring code adjustments.
Thank you!