Properly tag Python Package Resources #2929

Signed-off-by: Jono Yang <[email protected]>

Author: JonoYang

src/packagedcode/pypi.py

@@ -118,6 +118,29 @@ def assign_package_to_resources(cls, package, resource, codebase):
         return models.DatafileHandler.assign_package_to_parent_tree(package, resource, codebase)
 
 
+def yield_dependencies_from_package_data(package_data, datafile_path, package_uid):
+    """
+    Yield a Dependency for each dependency from ``package_data.dependencies``
+    """
+    dependent_packages = package_data.dependencies
+    if dependent_packages:
+        yield from models.Dependency.from_dependent_packages(
+            dependent_packages=dependent_packages,
+            datafile_path=datafile_path,
+            datasource_id=package_data.datasource_id,
+            package_uid=package_uid,
+        )
+
+
+def yield_dependencies_from_package_resource(resource, package_uid=None):
+    """
+    Yield a Dependency for each dependency from each package from``resource.package_data``
+    """
+    for pkg_data in resource.package_data:
+        pkg_data = models.PackageData.from_dict(pkg_data)
+        yield_dependencies_from_package_data(pkg_data, resource.location, package_uid)
+
+
 class BaseExtractedPythonLayout(BasePypiHandler):
     """
     Base class for development repos, sdist tarballs and other related extracted
@@ -135,12 +158,54 @@ def assemble(cls, package_data, resource, codebase):
             'Pipfile',
         ) + PipRequirementsFileHandler.path_patterns
 
-        parent = resource.parent(codebase)
-        yield from cls.assemble_from_many_datafiles(
-            datafile_name_patterns=datafile_name_patterns,
-            directory=parent,
-            codebase=codebase,
-        )
+        package_resource = None
+        if resource.name in datafile_name_patterns:
+            package_resource = resource
+
+        if package_resource:
+            # do we have enough to create a package?
+            if package_data.purl:
+                package = models.Package.from_package_data(
+                    package_data=package_data,
+                    datafile_path=package_resource.path,
+                )
+                package_uid = package.package_uid
+
+                if not package.license_expression:
+                    package.license_expression = compute_normalized_license(package.declared_license)
+
+                root = package_resource.parent(codebase)
+                if root:
+                    for py_res in root.walk(codebase):
+                        if py_res.is_dir:
+                            continue
+                        if package_uid not in py_res.for_packages:
+                            py_res.for_packages.append(package_uid)
+                            py_res.save(codebase)
+                        yield py_res
+                elif codebase.has_single_resource:
+                    if package_uid not in package_resource.for_packages:
+                        package_resource.for_packages.append(package_uid)
+                        package_resource.save(codebase)
+                    yield package_resource
+                yield package
+            else:
+                # we have no package, so deps are not for a specific package uid
+                package_uid = None
+
+            # in all cases yield possible dependencies
+            yield from yield_dependencies_from_package_data(package_data, package_resource.path, package_uid)
+            yield package_resource
+
+            for sibling in package_resource.siblings(codebase):
+                if sibling.name in datafile_name_patterns:
+                    yield_dependencies_from_package_resource(sibling, package_uid)
+                    if package_uid not in sibling.for_packages:
+                        sibling.for_packages.append(package_uid)
+                        sibling.save(codebase)
+                    yield sibling
+        else:
+            yield_dependencies_from_package_resource(resource)
 
     @classmethod
     def assign_package_to_resources(cls, package, resource, codebase):

tests/packagedcode/data/pypi/solo-metadata/expected.json

@@ -26,7 +26,85 @@
     }
   ],
   "dependencies": [],
-  "packages": [],
+  "packages": [
+    {
+      "type": "pypi",
+      "namespace": null,
+      "name": "scancode-toolkit",
+      "version": "31.0.0b1",
+      "qualifiers": {},
+      "subpath": null,
+      "primary_language": "Python",
+      "description": "ScanCode is a tool to scan code for license, copyright, package and their documented dependencies and other interesting facts.\n================\nScanCode toolkit\n================\n\nA typical software project often reuses hundreds of third-party packages.\nLicense and origin information is not always easy to find and not normalized:\nScanCode discovers and normalizes this data for you.\n\nRead more about ScanCode here: `scancode-toolkit.readthedocs.io \n<https://scancode-toolkit.readthedocs.io/>`_.\n\nCheck out the code at https://github.com/nexB/scancode-toolkit\n\n\nWhy use ScanCode?\n=================\n\n- As a **standalone command-line tool**, ScanCode is **easy to install**, run,\n  and embed in your CI/CD processing pipeline.\n  It runs on **Windows, macOS, and Linux**.\n\n- ScanCode is **used by several projects and organizations** such as\n  the `Eclipse Foundation <https://www.eclipse.org>`_,\n  `OpenEmbedded.org <https://www.openembedded.org>`_,\n  the `FSFE <https://www.fsfe.org>`_,\n  the `FSF <https://www.fsf.org>`_,\n  `OSS Review Toolkit <http://oss-review-toolkit.org>`_, \n  `ClearlyDefined.io <https://clearlydefined.io/>`_,\n  `RedHat Fabric8 analytics <https://github.com/fabric8-analytics>`_,\n  and many more.\n\n- ScanCode detects licenses, copyrights, package manifests, direct dependencies,\n  and more both in **source code** and **binary** files and is considered as the\n  best-in-class and reference tool in this domain, re-used as the core tools for\n  software composition data collection by several open source tools.\n\n- ScanCode provides the **most accurate license detection engine** and does a\n  full comparison (also known as diff or red line comparison) between a database\n  of license texts and your code instead of relying only on approximate regex\n  patterns or probabilistic search, edit distance or machine learning.\n\n- Written in Python, ScanCode is **easy to extend with plugins** to contribute\n  new and improved scanners, data summarization, package manifest parsers, and\n  new outputs.\n\n- You can save your scan results as **JSON, HTML, CSV or SPDX** or create your\n  own format with Jinja templates.\n\n- You can also organize and run ScanCode server-side with the\n  companion `ScanCode.io web app <https://github.com/nexB/scancode.io>`_\n  to organize and store multiple scan projects including scripted scanning pipelines.\n\n- ScanCode is **actively maintained**, has a **growing users and contributors\n  community**.\n\n- ScanCode is heavily **tested** with an automated test suite of over **20,000 tests**.\n\n- ScanCode has an extensive and growing documentation.\n\n- ScanCode can process these packages, build manifest and lockfile formats to extract metadata:\n  Alpine packages, BUCK files, ABOUT files, Android apps, Autotools, Bazel, \n  JavaScript Bower, Java Axis, MS Cab, Rust Cargo, Chef Chrome apps, \n  PHP Composer and composer.lock, Conda, CPAN, Debian, Apple dmg,\n  Java EAR, WAR, JAR, FreeBSD packages, Rubygems gemspec, Gemfile and Gemfile.lock, \n  Go modules, Haxe packages, InstallShield installers, iOS apps, ISO images, \n  Apache IVY, JBoss Sar, R CRAN, Apache Maven, Meteor, Mozilla extensions, \n  MSI installers, JavaScript npm packages, package-lock.json, yarn.lock, \n  NSIS Installers, NugGet, OPam, Cocoapods, Python PyPI setup.py, setup.cfg, and \n  several related lockfile formats, semi structured README\n  files such as README.android, README.chromium, README.facebook, README.google,\n  README.thirdparty, RPMs, Shell Archives, Squashfs images, Java WAR, Windows executables.\n\n\nSee our `roadmap <https://scancode-toolkit.readthedocs.io/en/latest/contribute/roadmap.html>`_\nfor upcoming features.\n\n\nBuild and tests status\n======================\n\nWe run tests on multiple CIs to ensure a good platform compabitility and on\nmultiple version of Windows, Linux and macOS.\n\n+--------------+--------------+--------------+\n| **Appveyor** | **Azure**    | **RTD Build**|\n+==============+==============+==============+\n| |appveyor|   |    |azure|   | |docs-rtd|   |\n+--------------+--------------+--------------+\n\n\nDocumentation\n=============\n\nThe ScanCode documentation is hosted at `scancode-toolkit.readthedocs.io <https://scancode-toolkit.readthedocs.io/en/latest/>`_.\n\nIf you are new to Scancode, start `here <https://scancode-toolkit.readthedocs.io/en/latest/getting-started/newcomer.html>`_.\n\nOther Important Documentation Pages:\n\n- A `synopsis <https://scancode-toolkit.readthedocs.io/en/latest/cli-reference/synopsis.html>`_ \n  of ScanCode command line options.\n\n- Tutorials on:\n\n  - `How to run a scan <https://scancode-toolkit.readthedocs.io/en/latest/tutorials/how_to_run_a_scan.html>`_\n  - `How to visualize scan results <https://scancode-toolkit.readthedocs.io/en/latest/tutorials/how_to_visualize_scan_results.html>`_\n\n- An exhaustive list of `all available options <https://scancode-toolkit.readthedocs.io/en/latest/cli-reference/list-options.html>`_\n\n- Documentation on `Contributing to Code Development <https://scancode-toolkit.readthedocs.io/en/latest/contribute/contrib_dev.html>`_\n\n- Documentation on `Plugin Architecture <https://scancode-toolkit.readthedocs.io/en/latest/plugins/plugin_arch.html>`_\n\n- `FAQ <https://scancode-toolkit.readthedocs.io/en/latest/misc/faq.html>`_\n\nSee also https://aboutcode.org for related companion projects and tools.\n\n\nInstallation\n============\n\nBefore installing ScanCode make sure that you have installed the prerequisites\nproperly. This means installing Python (Python 3.6 or higher is required).\n\nSee `prerequisites <https://scancode-toolkit.readthedocs.io/en/latest/getting-started/install.html#prerequisites>`_\nfor detailed information on the support platforms and Python versions.\n\nThere are a few common ways to `install ScanCode <https://scancode-toolkit.readthedocs.io/en/latest/getting-started/install.html>`_.\n\n- `*Recommended* installation as an application: Download a release archive, extract and run.\n  <https://scancode-toolkit.readthedocs.io/en/latest/getting-started/install.html#installation-as-an-application-downloading-releases>`_\n\n- `Development installation from source code using a git clone\n  <https://scancode-toolkit.readthedocs.io/en/latest/getting-started/install.html#installation-from-source-code-git-clone>`_\n\n- `Development installation as a library with \"pip install scancode-toolkit\"\n  <https://scancode-toolkit.readthedocs.io/en/latest/getting-started/install.html#pip-install>`_\n\n- `Run in a Docker container with a git clone and \"docker run\"\n  <https://scancode-toolkit.readthedocs.io/en/latest/getting-started/install.html#installation-via-docker>`_\n\n\nQuick Start\n===========\n\nNote the `commands variation <https://scancode-toolkit.readthedocs.io/en/latest/getting-started/install.html#commands-variation>`_\nacross installation methods and platforms.\n\nYou can run an example scan printed on screen as JSON::\n\n    ./scancode -clip --json-pp - samples\n\nFollow the `How to Run a Scan <https://scancode-toolkit.readthedocs.io/en/latest/tutorials/how_to_run_a_scan.html>`_\ntutorial to perform a basic scan on the ``samples`` directory distributed by\ndefault with Scancode.\n\nSee more command examples::\n\n    ./scancode --examples\n\nSee `How to select what will be detected in a scan\n<https://scancode-toolkit.readthedocs.io/en/latest/tutorials/how_to_set_what_will_be_detected_in_a_scan.html>`_\nand `How to specify the output format <https://scancode-toolkit.readthedocs.io/en/latest/tutorials/how_to_format_scan_output.html>`_\nfor more information.\n\nYou can also refer to the `command line options synopsis\n<https://scancode-toolkit.readthedocs.io/en/latest/cli-reference/synopsis.html>`_\nand an exhaustive list of `all available command line options\n<https://scancode-toolkit.readthedocs.io/en/latest/cli-reference/list-options.html>`_.\n\n\nArchive extraction\n==================\n\nBy default ScanCode does not extract files from tarballs, zip files, and\nother archives as part of the scan. The archives that exist in a codebase\nmust be extracted before running a scan: `extractcode` is a bundled utility\nbehaving as a mostly-universal archive extractor. For example, this command will\nrecursively extract the mytar.tar.bz2 tarball in the mytar.tar.bz2-extract\ndirectory::\n\n    ./extractcode mytar.tar.bz2\n\nSee `all extractcode options <https://scancode-toolkit.readthedocs.io/en/latest/cli-reference/list-options.html#all-extractcode-options>`_\nand `how to extract archives <https://scancode-toolkit.readthedocs.io/en/latest/tutorials/how_to_extract_archives.html>`_ for details.\n\n\nSupport\n=======\n\nIf you have a problem, a suggestion or found a bug, please enter a ticket at:\nhttps://github.com/nexB/scancode-toolkit/issues\n\nFor discussions and chats, we have:\n\n* an official Gitter channel for `web-based chats\n  <https://gitter.im/aboutcode-org/discuss>`_.\n  Gitter is also accessible via an `IRC bridge <https://irc.gitter.im/>`_.\n  There are other AboutCode project-specific channels available there too.\n\n* an official `#aboutcode` IRC channel on liberachat (server web.libera.chat).\n  This channel receives build and commit notifications and can be noisy.\n  You can use your favorite IRC client or use the `web chat \n  <https://web.libera.chat/?#aboutcode>`_.\n\n\nSource code and downloads\n=========================\n\n* https://github.com/nexB/scancode-toolkit/releases\n* https://github.com/nexB/scancode-toolkit.git\n* https://pypi.org/project/scancode-toolkit/\n* https://github.com/nexB/scancode-thirdparty-src.git\n\n\nLicense\n=======\n\n* Apache-2.0 as the overall license\n* CC-BY-4.0 for reference datasets (initially was in the Public Domain).\n* Multiple other secondary permissive or copyleft licenses (LGPL, MIT,\n  BSD, GPL 2/3, etc.) for third-party components.\n\n\nSee the NOTICE file and the .ABOUT files that document the origin and license of\nthe third-party code used in ScanCode for more details.\n\n\n.. |appveyor| image:: https://ci.appveyor.com/api/projects/status/4webymu0l2ip8utr?svg=true\n    :target: https://travis-ci.org/nexB/scancode-toolkit\n    :alt: Appveyor tests status (Windows)\n\n.. |azure| image:: https://dev.azure.com/nexB/scancode-toolkit/_apis/build/status/nexB.scancode-toolkit?branchName=develop\n    :target: https://dev.azure.com/nexB/scancode-toolkit/_build/latest?definitionId=1&branchName=develop\n    :alt: Azure tests status (Linux, macOS, Windows)\n\n.. |docs-rtd| image:: https://readthedocs.org/projects/scancode-toolkit/badge/?version=latest\n    :target: https://scancode-toolkit.readthedocs.io/en/latest/?badge=latest\n    :alt: Documentation Status",
+      "release_date": null,
+      "parties": [
+        {
+          "type": "person",
+          "role": "author",
+          "name": "nexB. Inc. and others",
+          "email": "[email protected]",
+          "url": null
+        }
+      ],
+      "keywords": [
+        "open source",
+        "scan",
+        "license",
+        "package",
+        "dependency",
+        "copyright",
+        "filetype",
+        "author",
+        "extract",
+        "licensing",
+        "scan",
+        "sca",
+        "SBOM",
+        "spdx",
+        "cyclonedx",
+        "Development Status :: 5 - Production/Stable",
+        "Intended Audience :: Developers",
+        "Programming Language :: Python :: 3",
+        "Programming Language :: Python :: 3 :: Only",
+        "Programming Language :: Python :: 3.6",
+        "Programming Language :: Python :: 3.7",
+        "Programming Language :: Python :: 3.8",
+        "Programming Language :: Python :: 3.9",
+        "Programming Language :: Python :: 3.10",
+        "Topic :: Software Development",
+        "Topic :: Utilities"
+      ],
+      "homepage_url": "https://github.com/nexB/scancode-toolkit",
+      "download_url": null,
+      "size": null,
+      "sha1": null,
+      "md5": null,
+      "sha256": null,
+      "sha512": null,
+      "bug_tracking_url": null,
+      "code_view_url": null,
+      "vcs_url": null,
+      "copyright": null,
+      "license_expression": "(apache-2.0 AND cc-by-4.0) AND unknown",
+      "declared_license": {
+        "license": "Apache-2.0 AND CC-BY-4.0 AND LicenseRef-scancode-other-permissive AND LicenseRef-scancode-other-copyleft"
+      },
+      "notice_text": null,
+      "source_packages": [],
+      "extra_data": {},
+      "repository_homepage_url": "https://pypi.org/project/scancode-toolkit",
+      "repository_download_url": "https://pypi.org/packages/source/s/scancode-toolkit/scancode-toolkit-31.0.0b1.tar.gz",
+      "api_data_url": "https://pypi.org/pypi/scancode-toolkit/31.0.0b1/json",
+      "package_uid": "pkg:pypi/[email protected]?uuid=fixed-uid-done-for-testing-5642512d1758",
+      "datafile_paths": [
+        "PKG-INFO"
+      ],
+      "datasource_ids": [
+        "pypi_sdist_pkginfo"
+      ],
+      "purl": "pkg:pypi/[email protected]"
+    }
+  ],
   "files": [
     {
       "path": "PKG-INFO",
@@ -106,7 +184,9 @@
           "purl": "pkg:pypi/[email protected]"
         }
       ],
-      "for_packages": [],
+      "for_packages": [
+        "pkg:pypi/[email protected]?uuid=fixed-uid-done-for-testing-5642512d1758"
+      ],
       "scan_errors": []
     }
   ]