Merge branch 'main' into python-3.13

Author: tdruez

.github/workflows/gh-release.yml …thub/workflows/create-github-release.yml.github/workflows/gh-release.yml renamed to .github/workflows/create-github-release.yml .github/workflows/gh-release.yml renamed to .github/workflows/create-github-release.yml

@@ -8,7 +8,7 @@ on:
 
 jobs:
   create-github-release:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
 
     steps:
       - name: Create a GitHub release

.github/workflows/find-vulnerabilities.yml

@@ -0,0 +1,39 @@
+name: Find dependencies vulnerabilities
+
+on: [push]
+
+jobs:
+  scan-codebase:
+    runs-on: ubuntu-24.04
+    name: Inspect packages with ScanCode.io
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          path: scancode-inputs
+          sparse-checkout: setup.cfg
+          sparse-checkout-cone-mode: false
+
+      - uses: nexB/scancode-action@alpha
+        with:
+          pipelines: "inspect_packages:StaticResolver,find_vulnerabilities"
+        env:
+          VULNERABLECODE_URL: https://public.vulnerablecode.io/
+
+      - name: Fail in case of vulnerabilities
+        shell: bash
+        run: |
+          scanpipe shell --command '
+          from scanpipe.models import Project
+          project = Project.objects.get()
+          packages_qs = project.discoveredpackages.vulnerable()
+          dependencies_qs = project.discovereddependencies.vulnerable()
+          vulnerability_count = packages_qs.count() + dependencies_qs.count()
+          if vulnerability_count:
+              print(vulnerability_count, "vulnerabilities found:")
+              for entry in [*packages_qs, *dependencies_qs]:
+                  print(entry)
+              exit(1)
+          else:
+              print("No vulnerabilities found")
+              exit(0)
+          '

.github/workflows/publish-docker.yml …ithub/workflows/publish-docker-image.yml.github/workflows/publish-docker.yml renamed to .github/workflows/publish-docker-image.yml .github/workflows/publish-docker.yml renamed to .github/workflows/publish-docker-image.yml

@@ -1,4 +1,4 @@
-name: Publish Docker image on GHCR
+name: Publish Docker image on GitHub Container Registry
 # https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions
 
 on:
@@ -16,7 +16,7 @@ env:
 
 jobs:
   build-and-push-image:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
 
     # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
     permissions:

.github/workflows/ci-docker.yml …thub/workflows/run-unit-tests-docker.yml.github/workflows/ci-docker.yml renamed to .github/workflows/run-unit-tests-docker.yml .github/workflows/ci-docker.yml renamed to .github/workflows/run-unit-tests-docker.yml

@@ -1,4 +1,4 @@
-name: Test on Docker CI
+name: Run unit tests on Docker container
 
 on:
   push:
@@ -8,7 +8,7 @@ on:
 
 jobs:
   test:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
 
     steps:
       - name: Checkout code

.github/workflows/ci.yml .github/workflows/run-unit-tests.yml.github/workflows/ci.yml renamed to .github/workflows/run-unit-tests.yml

@@ -1,4 +1,4 @@
-name: Test CI
+name: Run unit tests
 
 on:
   push:
@@ -14,7 +14,7 @@ env:
 
 jobs:
   test:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
 
     services:
       postgres:
@@ -55,9 +55,6 @@ jobs:
       - name: Start Redis
         uses: supercharge/[email protected]
 
-#      - name: Check Django deployment settings
-#        run: make check-deploy
-
       - name: Build the documentation
         run: make docs
 

CHANGELOG.rst

@@ -1,7 +1,13 @@
 Release notes
 =============
 
-### Version 5.3.0-dev
+### Version 5.3.1-dev (unreleased)
+
+- Add new `is_locked` "Locked inventory" field to the ProductStatus model.
+  When a Product is locked through his status, its inventory cannot be modified.
+  https://github.com/aboutcode-org/dejacode/issues/189
+
+### Version 5.3.0
 
 - Rename ProductDependency is_resolved to is_pinned.
   https://github.com/aboutcode-org/dejacode/issues/189
@@ -80,6 +86,83 @@ Release notes
   Note that those count reflect the current risk threshold.
   https://github.com/aboutcode-org/dejacode/issues/102
 
+- Enable the delete_selected action on RequestTemplateAdmin.
+  https://github.com/aboutcode-org/dejacode/issues/243
+
+- The data rendering format was simplified for improved readability from
+  "Jan. 27, 2025, 07:55:54 a.m. UTC" to "Jan 27, 2025, 7:55 AM UTC".
+  The dates are now always rendered using this same format across the app.
+  The user timezone is automatically discovered and activated to the whole app using
+  the browser JavaScript `timeZone` API
+  The user's automatic timezone can be overridden using the new
+  ``DejacodeUser.timezone`` database field.
+  The timezone value can be defined from the User > "Profile Settings" form.
+  This value always takes precedence when defined.
+  In case the timezone is not defined by the user, or cannot be detected from the
+  browser, the date rendering always fallback to UTC.
+  Note: all the "humanized dates" such as "Modified 23 hours ago" have the whole
+  date syntax available in their `title` option, available on hovering the text with
+  the cursor for a couple seconds.
+  https://github.com/aboutcode-org/dejacode/issues/243
+
+- Set the "usage_policy" in update_fields list in SetPolicyFromLicenseMixin.
+  The associated package/license policy was properly set on the model in
+  SetPolicyFromLicenseMixin but the usage_policy entry was missing from the
+  update_fields. As a result the usage_policy value was not included in the UPDATE.
+  https://github.com/aboutcode-org/dejacode/issues/200
+
+- Improve the Owner assignment process on a Product/Component form.
+  Owner not found in the Dataspace are now automatically created.
+  https://github.com/aboutcode-org/dejacode/issues/239
+
+- Updated the label of the following Product actions.
+  The labels were updated everywhere in the UI (page title, documentation,
+  import log, etc...) for consistency:
+  - Import data from Scan -> Import ScanCode scan results
+  - Load Packages from SBOMs -> Import SBOM
+  - Import Packages from manifests -> Import Package manifests
+  - Pull ScanCode.io Project data -> Import ScanCode.io project
+  Improve the rendering and layout of the Import related forms for consistency,
+  simplicity, and readability.
+  https://github.com/aboutcode-org/dejacode/issues/241
+
+- Refine the way the PURL fragments are handled in searches.
+  https://github.com/aboutcode-org/dejacode/issues/286
+
+- Fix an issue with ``urlize_target_blank`` when the URL contains curly braces.
+
+- Add the ability to download Product "Imports" input file.
+  https://github.com/aboutcode-org/dejacode/issues/156
+
+- Fix a logic issue in the ``ImportPackageFromScanCodeIO.import_package`` that occurs when
+  multiple packages with the same PURL, but different download_url or filename,
+  are present in the Dataspace.
+  https://github.com/aboutcode-org/dejacode/issues/295
+
+- Fix a logic issue in the ``ImportPackageFromScanCodeIO.import_dependencies`` to
+  prevent the creation of duplicated "resolved" dependencies.
+  https://github.com/aboutcode-org/dejacode/issues/297
+
+- Display the filename/download_url in the Inventory tab.
+  https://github.com/aboutcode-org/dejacode/issues/303
+
+- Improve exception support in improve_packages_from_purldb task.
+  In case of an exception, the error is properly logged on the Import instance.
+  https://github.com/aboutcode-org/dejacode/issues/303
+
+- Refine the ``update_from_purldb`` function to avoid any IntegrityError.
+  Also, when multiple entries are returned from the PurlDB, only the common values are
+  merged and kept for the data update.
+  https://github.com/aboutcode-org/dejacode/issues/303
+
+- Add a new "Package Set" tab to the Package details view.
+  This tab displays related packages grouped by their normalized ("plain") Package URL.
+  https://github.com/aboutcode-org/dejacode/issues/276
+
+- Refine get_purldb_entries to compare on plain PackageURL.
+  Including the qualifiers and subpaths in the comparison was too restrictive.
+  https://github.com/aboutcode-org/dejacode/issues/307
+
 ### Version 5.2.1
 
 - Fix the models documentation navigation.
@@ -88,6 +171,9 @@ Release notes
 - Fix the validity of SPDX outputs.
   https://github.com/aboutcode-org/dejacode/issues/180
 
+- Add ability to start and delete package scans from the Product inventory tab.
+  https://github.com/aboutcode-org/dejacode/pull/281
+
 ### Version 5.2.0
 
 - Add visual indicator in hierarchy views, when an object on the far left or far right

Dockerfile

@@ -12,17 +12,23 @@ LABEL org.opencontainers.image.source="https://github.com/aboutcode-org/dejacode
 LABEL org.opencontainers.image.description="DejaCode"
 LABEL org.opencontainers.image.licenses="AGPL-3.0-only"
 
-ENV APP_NAME dejacode
-ENV APP_USER app
-ENV APP_DIR /opt/$APP_NAME
-ENV VENV_LOCATION /opt/$APP_NAME/.venv
+# Set default values for APP_UID and APP_GID at build-time
+ARG APP_UID=1000
+ARG APP_GID=1000
+
+ENV APP_NAME=dejacode
+ENV APP_USER=app
+ENV APP_UID=${APP_UID}
+ENV APP_GID=${APP_GID}
+ENV APP_DIR=/opt/$APP_NAME
+ENV VENV_LOCATION=/opt/$APP_NAME/.venv
 
 # Force Python unbuffered stdout and stderr (they are flushed to terminal immediately)
-ENV PYTHONUNBUFFERED 1
+ENV PYTHONUNBUFFERED=1
 # Do not write Python .pyc files
-ENV PYTHONDONTWRITEBYTECODE 1
+ENV PYTHONDONTWRITEBYTECODE=1
 # Add the app dir in the Python path for entry points availability
-ENV PYTHONPATH $PYTHONPATH:$APP_DIR
+ENV PYTHONPATH=$PYTHONPATH:$APP_DIR
 
 # OS requirements
 RUN apt-get update \
@@ -36,9 +42,9 @@ RUN apt-get update \
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
-# Create the APP_USER group, user, and directory with proper permissions
-RUN addgroup --system $APP_USER \
- && adduser --system --group --home=$APP_DIR $APP_USER \
+# Create the APP_USER group, user, and directory with specific UID and GID
+RUN groupadd --gid $APP_GID --system $APP_USER \
+ && useradd --uid $APP_UID --gid $APP_GID --home-dir $APP_DIR --system --create-home $APP_USER \
  && chown $APP_USER:$APP_USER $APP_DIR \
  && mkdir -p /var/$APP_NAME \
  && chown $APP_USER:$APP_USER /var/$APP_NAME
@@ -53,7 +59,7 @@ RUN mkdir -p /var/$APP_NAME/static/ /var/$APP_NAME/media/
 # Create the virtualenv
 RUN python -m venv $VENV_LOCATION
 # Enable the virtualenv, similar effect as "source activate"
-ENV PATH $VENV_LOCATION/bin:$PATH
+ENV PATH=$VENV_LOCATION/bin:$PATH
 
 # Install the dependencies before the codebase COPY for proper Docker layer caching
 COPY --chown=$APP_USER:$APP_USER setup.cfg setup.py $APP_DIR/

Makefile

@@ -136,7 +136,7 @@ postgresdb_clean:
 	@${SUDO_POSTGRES} dropuser '${DB_USERNAME}' || true
 
 run:
-	${MANAGE} runserver 8000 --insecure
+	DJANGO_RUNSERVER_HIDE_WARNING=true ${MANAGE} runserver 8000 --insecure
 
 worker:
 	${MANAGE} rqworker

RELEASE.md

@@ -0,0 +1,20 @@
+# Release instructions for `DejaCode
+
+### Automated release workflow
+
+- Create a new `release-x.x.x` branch
+- Update the version in:
+  - `setup.cfg`
+  - `dejacode/__init__.py`
+  - `CHANGELOG.rst` (set date)
+- Commit and push this branch
+- Create a PR and merge once approved
+- Tag and push that tag. This will trigger the `create-github-release.yml`
+  and `publish-docker-image.yml` GitHub workflows:
+  ```
+  VERSION=vx.x.x  # <- Set the new version here
+  git tag -a $VERSION -m ""
+  git push origin $VERSION
+  ```
+- Review the GitHub release created by the workflow at 
+  https://github.com/aboutcode-org/dejacode/releases/

component_catalog/admin.py

@@ -71,6 +71,7 @@
 from dje.templatetags.dje_tags import urlize_target_blank
 from dje.utils import CHANGELIST_LINK_TEMPLATE
 from dje.utils import get_instance_from_referer
+from dje.utils import is_purl_fragment
 from license_library.models import License
 from reporting.filters import ReportingQueryListFilter
 
@@ -774,7 +775,17 @@ class PackageAdmin(
         "get_dataspace",
     )
     list_display_links = ("identifier",)
-    search_fields = ("filename", "download_url", "project")
+    search_fields = (
+        "type",
+        "namespace",
+        "name",
+        "version",
+        "filename",
+        "download_url",
+        "sha1",
+        "md5",
+        "project",
+    )
     ordering = ("-last_modified_date",)
     list_filter = (
         ("component", HierarchyRelatedLookupListFilter),
@@ -912,6 +923,7 @@ def get_queryset(self, request):
         return (
             super()
             .get_queryset(request)
+            .annotate_sortable_identifier()
             .select_related(
                 "usage_policy",
             )
@@ -938,6 +950,16 @@ def get_urls(self):
 
         return urls + super().get_urls()
 
+    def get_search_results(self, request, queryset, search_term):
+        """Add searching on provided PackageURL identifier."""
+        use_distinct = False
+
+        if is_purl_fragment(search_term):
+            if results := queryset.for_package_url(search_term):
+                return results, use_distinct
+
+        return super().get_search_results(request, queryset, search_term)
+
     def changeform_view(self, request, object_id=None, form_url="", extra_context=None):
         """
         Add the `show_save_and_collect_data` in the context.
@@ -1053,6 +1075,10 @@ def inferred_url(self, obj):
             return urlize_target_blank(inferred_url)
         return ""
 
+    @admin.display(ordering="sortable_identifier")
+    def identifier(self, obj):
+        return obj.identifier
+
     def save_formset(self, request, form, formset, change):
         """
         Update the completion_level on the related Component at the end of the saving process.