Add support for on-demand data collection in Alpine Linux APK. (#711)

* Add initial support for on-demand data collection in Alpine Linux APK.

Signed-off-by: ziad hany <[email protected]>

* Add test for alpine

Signed-off-by: ziad hany <[email protected]>

---------

Signed-off-by: ziad hany <[email protected]>

Author: ziadhany

minecode/collectors/alpine.py

@@ -0,0 +1,84 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# purldb is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0
+# See https://github.com/aboutcode-org/purldb for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+import logging
+from packageurl import PackageURL
+from minecode import priority_router
+from minecode.miners.alpine import build_packages
+from minecode.utils import fetch_http, get_temp_file
+from minecode.utils import extract_file
+from packagedb.models import PackageContentType
+
+logger = logging.getLogger(__name__)
+handler = logging.StreamHandler()
+logger.addHandler(handler)
+logger.setLevel(logging.INFO)
+
+
+def map_apk_package(package_url, pipelines, priority=0):
+    """
+    Add a Alpine Linux ( APK ) distribution `package_url` to the PackageDB.
+    """
+    from minecode.model_utils import add_package_to_scan_queue
+    from minecode.model_utils import merge_or_create_package
+
+    name = package_url.name
+    version = package_url.version
+    arch = package_url.qualifiers.get("arch")
+    repo = package_url.qualifiers.get("repo")
+    alpine_version = package_url.qualifiers.get("alpine_version")
+
+    if not name or not version or not arch or not repo or not alpine_version:
+        return None
+
+    download_url = (
+        f"https://dl-cdn.alpinelinux.org/alpine/{alpine_version}/{repo}/{arch}/APKINDEX.tar.gz"
+    )
+    apk_download_url = (
+        f"https://dl-cdn.alpinelinux.org/alpine/{alpine_version}/{repo}/{arch}/{name}-{version}.apk"
+    )
+
+    content = fetch_http(download_url)
+    location = get_temp_file("NonPersistentHttpVisitor")
+    with open(location, "wb") as tmp:
+        tmp.write(content)
+
+    extracted_location = extract_file(location)
+
+    packages = build_packages(extracted_location, apk_download_url, package_url)
+
+    error = None
+    for package in packages:
+        package.extra_data["package_content"] = PackageContentType.SOURCE_ARCHIVE
+        db_package, _, _, error = merge_or_create_package(package, visit_level=0)
+        if error:
+            break
+
+        if db_package:
+            add_package_to_scan_queue(package=db_package, pipelines=pipelines, priority=priority)
+
+    return error
+
+
+@priority_router.route("pkg:apk/.*")
+def process_request(purl_str, **kwargs):
+    """
+    Process Alpine Linux ( APK ) Package URL (PURL).
+    """
+    from minecode.model_utils import DEFAULT_PIPELINES
+
+    addon_pipelines = kwargs.get("addon_pipelines", [])
+    pipelines = DEFAULT_PIPELINES + tuple(addon_pipelines)
+    priority = kwargs.get("priority", 0)
+
+    package_url = PackageURL.from_string(purl_str)
+    error_msg = map_apk_package(package_url, pipelines, priority)
+
+    if error_msg:
+        return error_msg

minecode/miners/alpine.py

@@ -0,0 +1,145 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# purldb is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/purldb for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+from minecode import debutils
+from pathlib import Path
+from packagedcode import models as scan_models
+import base64
+
+
+def build_packages(extracted_location, apk_download_url, purl=None):
+    """
+    Yield ScannedPackage built from Alpine Linux ( APK ) a `metadata` content
+    """
+
+    apk_index_file = Path(extracted_location) / "APKINDEX"
+
+    with open(apk_index_file, encoding="utf-8") as f:
+        parsed_pkginfo = parse_apkindex(f.read())
+
+    extracted_pkginfo = get_package_by_name(parsed_pkginfo, purl.name)
+    if not extracted_pkginfo:
+        return
+
+    description = extracted_pkginfo.get("description")
+    version = extracted_pkginfo.get("version")
+    extracted_license_statement = extracted_pkginfo.get("license")
+
+    parties = []
+    maintainers = extracted_pkginfo.get("maintainer")
+    if maintainers:
+        name, email = debutils.parse_email(maintainers)
+        if name:
+            party = scan_models.Party(name=name, role="maintainer", email=email)
+            parties.append(party)
+
+    repository_homepage_url = extracted_pkginfo.get("url")
+    size = extracted_pkginfo.get("size")
+    apk_checksum = extracted_pkginfo.get("checksum")
+    sha1 = apk_checksum_to_sha1(apk_checksum)
+
+    download_data = dict(
+        type="apk",
+        name=purl.name,
+        version=version,
+        qualifiers=purl.qualifiers,
+        description=description,
+        repository_homepage_url=repository_homepage_url,
+        extracted_license_statement=extracted_license_statement,
+        parties=parties,
+        size=size,
+        sha1=sha1,
+        download_url=apk_download_url,
+    )
+
+    package = scan_models.PackageData.from_data(download_data)
+    package.datasource_id = "alpine_metadata"
+    package.set_purl(purl)
+    yield package
+
+
+def parse_apkindex(data: str):
+    """
+    Parse an APKINDEX format string into a list of package dictionaries.
+    https://wiki.alpinelinux.org/wiki/Apk_spec
+    """
+    packages = []
+    current_pkg = {}
+
+    for line in data.splitlines():
+        line = line.strip()
+        if not line:
+            if current_pkg:
+                packages.append(current_pkg)
+                current_pkg = {}
+            continue
+
+        if ":" not in line:
+            continue
+        key, value = line.split(":", 1)
+        key, value = key.strip(), value.strip()
+
+        mapping = {
+            "C": "checksum",
+            "P": "name",
+            "V": "version",
+            "A": "arch",
+            "S": "size",
+            "I": "installed_size",
+            "T": "description",
+            "U": "url",
+            "L": "license",
+            "o": "origin",
+            "m": "maintainer",
+            "t": "build_time",
+            "c": "commit",
+            "k": "provider_priority",
+            "D": "depends",
+            "p": "provides",
+            "i": "install_if",
+        }
+
+        field = mapping.get(key, key)
+
+        if key in ("D", "p", "i"):
+            current_pkg[field] = value.split()
+        elif key in ("S", "I", "t", "k"):
+            try:
+                current_pkg[field] = int(value)
+            except ValueError:
+                current_pkg[field] = value
+        else:
+            current_pkg[field] = value
+
+    if current_pkg:
+        packages.append(current_pkg)
+
+    return packages
+
+
+def get_package_by_name(packages, name):
+    return next((pkg for pkg in packages if pkg["name"] == name), None)
+
+
+def apk_checksum_to_sha1(apk_checksum: str) -> str:
+    """
+    Convert an Alpine APKINDEX package checksum (Q1... format)
+    into its SHA-1 hex digest.
+    """
+    if not apk_checksum.startswith("Q1"):
+        raise ValueError("Invalid checksum format: must start with 'Q1'")
+
+    # Drop the "Q1" prefix
+    b64_part = apk_checksum[2:]
+
+    # Decode from base64
+    sha1_bytes = base64.b64decode(b64_part)
+
+    # Convert to hex
+    return sha1_bytes.hex()

minecode/tests/collectors/test_alpine.py

@@ -0,0 +1,41 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# purldb is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/purldb for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+import os
+from django.test import TestCase
+from packageurl import PackageURL
+import packagedb
+from minecode.collectors import alpine
+from minecode.utils_test import JsonBasedTesting
+
+
+class AlpinePriorityQueueTests(JsonBasedTesting, TestCase):
+    test_data_dir = os.path.join(os.path.dirname(os.path.dirname(__file__)), "testfiles")
+
+    def setUp(self):
+        super().setUp()
+        self.package_url = PackageURL.from_string(
+            "pkg:apk/[email protected]?arch=x86&repo=main&alpine_version=v3.0"
+        )
+        self.download_url = (
+            "https://dl-cdn.alpinelinux.org/alpine/v3.0/main/x86/ansible-1.6.7-r0.apk"
+        )
+
+    def test_map_alpine_package(self):
+        package_count = packagedb.models.Package.objects.all().count()
+        self.assertEqual(package_count, 0)
+
+        alpine.map_apk_package(self.package_url, ("test_pipelines"))
+        package_count = packagedb.models.Package.objects.all().count()
+        self.assertEqual(package_count, 1)
+        package = packagedb.models.Package.objects.all().first()
+        expected_conda_download_url = self.download_url
+
+        self.assertEqual(package.purl, str(self.package_url))
+        self.assertEqual(package.download_url, expected_conda_download_url)

minecode/tests/miners/test_alpine.py

@@ -0,0 +1,44 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# purldb is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/purldb for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+import os
+from packageurl import PackageURL
+from minecode.miners import alpine
+from minecode.tests import FIXTURES_REGEN
+from minecode.utils_test import JsonBasedTesting
+from django.test import TestCase as DjangoTestCase
+
+
+class AlpineMapperTest(JsonBasedTesting, DjangoTestCase):
+    test_data_dir = os.path.join(os.path.dirname(os.path.dirname(__file__)), "testfiles")
+
+    def test_build_packages_metafile_alpine1(self):
+        package_url = PackageURL.from_string(
+            "pkg:apk/[email protected]?arch=x86_64&repo=main&alpine_version=latest-stable"
+        )
+        apk_download_url = "https://dl-cdn.alpinelinux.org/alpine/latest-stable/main/x86_64/postgresql16-contrib-16.10-r0.apk"
+        location = self.get_test_loc("alpine/postgresql16-contrib_v3.14-community-armhf")
+
+        result = alpine.build_packages(location, apk_download_url, package_url)
+        result = [p.to_dict() for p in result]
+        expected_loc = self.get_test_loc("alpine/mapper_postgresql16_contrib_expected.json")
+        self.check_expected_results(result, expected_loc, regen=FIXTURES_REGEN)
+
+    def test_build_packages_metafile_alpine2(self):
+        package_url = PackageURL.from_string(
+            "pkg:apk/[email protected]?arch=armhf&repo=community&alpine_version=v3.14"
+        )
+
+        apk_download_url = "https://dl-cdn.alpinelinux.org/v3.14/community/armhf/perf-bash-completion-5.10.42-r0.apk"
+        location = self.get_test_loc("alpine/perf-bash-completion_latest-stable_main_x86_64")
+
+        result = alpine.build_packages(location, apk_download_url, package_url)
+        result = [p.to_dict() for p in result]
+        expected_loc = self.get_test_loc("alpine/mapper_perf_bash_completion_expected.json")
+        self.check_expected_results(result, expected_loc, regen=FIXTURES_REGEN)