diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 42444ed4ce..ff1f149a49 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -35,6 +35,8 @@ v35.4.0 (unreleased) ``scanpipe.pipes.federatedcode.push_changes``. Add ``scanpipe.pipes.federatedcode.write_data_as_yaml``. +- Add ORT ``package-list.yml`` as new downloadable output format. + https://github.com/aboutcode-org/scancode.io/pull/1852 v35.3.0 (2025-08-20) -------------------- diff --git a/scanpipe/api/views.py b/scanpipe/api/views.py index d5d91189cb..2cb48b1222 100644 --- a/scanpipe/api/views.py +++ b/scanpipe/api/views.py @@ -168,6 +168,8 @@ def results_download(self, request, *args, **kwargs): output_file = output.to_cyclonedx(project, **output_kwargs) elif format == "attribution": output_file = output.to_attribution(project) + elif format == "ort-package-list": + output_file = output.to_ort_package_list_yml(project) else: message = {"status": f"Format {format} not supported."} return Response(message, status=status.HTTP_400_BAD_REQUEST) diff --git a/scanpipe/management/commands/output.py b/scanpipe/management/commands/output.py index 5e6f3e74cc..23b69ab7ae 100644 --- a/scanpipe/management/commands/output.py +++ b/scanpipe/management/commands/output.py @@ -25,7 +25,15 @@ from scanpipe.management.commands import ProjectCommand from scanpipe.pipes import output -SUPPORTED_FORMATS = ["json", "csv", "xlsx", "attribution", "spdx", "cyclonedx"] +SUPPORTED_FORMATS = [ + "json", + "csv", + "xlsx", + "attribution", + "spdx", + "cyclonedx", + "ort-package-list", +] class Command(ProjectCommand): @@ -84,6 +92,7 @@ def handle_output(self, output_format): "spdx": output.to_spdx, "cyclonedx": output.to_cyclonedx, "attribution": output.to_attribution, + "ort-package-list": output.to_ort_package_list_yml, }.get(output_format) if not output_function: diff --git a/scanpipe/pipes/ort.py b/scanpipe/pipes/ort.py new file mode 100644 index 0000000000..036b1f1fac --- /dev/null +++ b/scanpipe/pipes/ort.py @@ -0,0 +1,153 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# http://nexb.com and https://github.com/aboutcode-org/scancode.io +# The ScanCode.io software is licensed under the Apache License version 2.0. +# Data generated with ScanCode.io is provided as-is without warranties. +# ScanCode is a trademark of nexB Inc. +# +# You may not use this software except in compliance with the License. +# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. +# +# Data Generated with ScanCode.io is provided on an "AS IS" BASIS, WITHOUT WARRANTIES +# OR CONDITIONS OF ANY KIND, either express or implied. No content created from +# ScanCode.io should be considered or used as legal advice. Consult an Attorney +# for any legal advice. +# +# ScanCode.io is a free software code scanning tool from nexB Inc. and others. +# Visit https://github.com/aboutcode-org/scancode.io for support and download. + + +from dataclasses import asdict +from dataclasses import dataclass +from dataclasses import field +from pathlib import Path + +import saneyaml + +""" +This module provides Python dataclass models for representing a package list +in a format compatible with the OSS Review Toolkit (ORT) +`CreateAnalyzerResultFromPackageListCommand`. + +The models are simplified adaptations of the Kotlin classes from: +https://github.com/oss-review-toolkit/ort/blob/main/cli-helper/src/main/kotlin/commands/CreateAnalyzerResultFromPackageListCommand.kt + +This module is intended for generating ORT-compatible YAML package lists from Python +objects, allowing integration with ORT's analyzer workflows or manual creation of +package metadata. +""" + + +# private data class SourceArtifact( +# val url: String, +# val hash: Hash? = null +# ) +@dataclass +class SourceArtifact: + url: str + # Cannot coerce empty String ("") to `org.ossreviewtoolkit.model.Hash` value + # hash: str = None + + +# private data class Vcs( +# val type: String? = null, +# val url: String? = null, +# val revision: String? = null, +# val path: String? = null +# ) +@dataclass +class Vcs: + type: str = None + url: str = None + revision: str = None + path: str = None + + +# private data class Dependency( +# val id: Identifier, +# val purl: String? = null, +# val vcs: Vcs? = null, +# val sourceArtifact: SourceArtifact? = null, +# val declaredLicenses: Set = emptySet(), +# val concludedLicense: SpdxExpression? = null, +# val description: String? = null, +# val homepageUrl: String? = null, +# val isExcluded: Boolean = false, +# val isDynamicallyLinked: Boolean = false, +# val labels: Map = emptyMap() +# ) +@dataclass +class Dependency: + id: str + purl: str = None + vcs: Vcs = None + sourceArtifact: SourceArtifact = None + declaredLicenses: list = field(default_factory=set) + # concludedLicense: str = None + description: str = None + homepageUrl: str = None + # isExcluded: bool = False + # isDynamicallyLinked: bool = False + # labels: dict = field(default_factory=dict) + + +# private data class PackageList( +# val projectName: String? = null, +# val projectVcs: Vcs? = null, +# val dependencies: List = emptyList() +# ) +@dataclass +class PackageList: + projectName: str + projectVcs: Vcs = field(default_factory=Vcs) + dependencies: list = field(default_factory=list) + + def to_yaml(self): + """Dump the Project object back to a YAML string.""" + return saneyaml.dump(asdict(self)) + + def to_file(self, filepath): + """Write the Project object to a YAML file.""" + Path(filepath).write_text(self.to_yaml(), encoding="utf-8") + + +def get_ort_project_type(project): + """ + Determine the ORT project type based on the project's input sources. + + Currently, this function checks whether any of the project's + input download URLs start with "docker://". + If at least one Docker URL is found, it returns "docker". + """ + inputs_url = project.inputsources.values_list("download_url", flat=True) + if any(url.startswith("docker://") for url in inputs_url): + return "docker" + + +def to_ort_package_list_yml(project): + """Convert a project object into a YAML string in the ORT package list format.""" + project_type = get_ort_project_type(project) + + dependencies = [] + for package in project.discoveredpackages.all(): + dependency = Dependency( + id=f"{project_type or package.type}::{package.name}:{package.version}", + purl=package.purl, + sourceArtifact=SourceArtifact(url=package.download_url), + declaredLicenses=[package.get_declared_license_expression_spdx()], + vcs=Vcs(url=package.vcs_url), + description=package.description, + homepageUrl=package.homepage_url, + ) + dependencies.append(dependency) + + package_list = PackageList( + projectName=project.name, + dependencies=dependencies, + ) + + return package_list.to_yaml() diff --git a/scanpipe/pipes/output.py b/scanpipe/pipes/output.py index 44b77f120f..3c2ea38f9f 100644 --- a/scanpipe/pipes/output.py +++ b/scanpipe/pipes/output.py @@ -60,6 +60,7 @@ from scanpipe.models import ProjectMessage from scanpipe.pipes import docker from scanpipe.pipes import flag +from scanpipe.pipes import ort from scanpipe.pipes import spdx scanpipe_app = apps.get_app_config("scanpipe") @@ -1058,10 +1059,23 @@ def to_attribution(project): return output_file +def to_ort_package_list_yml(project): + """ + Generate an ORT compatible "package-list.yml" output. + The output file is created in the ``project`` "output/" directory. + Return the path of the generated output file. + """ + output_file = project.get_output_file_path("results", "package-list.yml") + ort_yml = ort.to_ort_package_list_yml(project) + output_file.write_text(ort_yml) + return output_file + + FORMAT_TO_FUNCTION_MAPPING = { "json": to_json, "xlsx": to_xlsx, "spdx": to_spdx, "cyclonedx": to_cyclonedx, "attribution": to_attribution, + "ort-package-list": to_ort_package_list_yml, } diff --git a/scanpipe/templates/scanpipe/dropdowns/project_download_dropdown.html b/scanpipe/templates/scanpipe/dropdowns/project_download_dropdown.html index 4fdf083c01..571d0b8ac5 100644 --- a/scanpipe/templates/scanpipe/dropdowns/project_download_dropdown.html +++ b/scanpipe/templates/scanpipe/dropdowns/project_download_dropdown.html @@ -31,6 +31,9 @@ Attribution + + ORT (package-list) + \ No newline at end of file diff --git a/scanpipe/templates/scanpipe/includes/project_downloads.html b/scanpipe/templates/scanpipe/includes/project_downloads.html index d02c747c2d..1604485767 100644 --- a/scanpipe/templates/scanpipe/includes/project_downloads.html +++ b/scanpipe/templates/scanpipe/includes/project_downloads.html @@ -12,11 +12,14 @@
-
\ No newline at end of file diff --git a/scanpipe/tests/data/asgiref/asgiref-3.3.0.package-list.yml b/scanpipe/tests/data/asgiref/asgiref-3.3.0.package-list.yml new file mode 100644 index 0000000000..b7d5d174ed --- /dev/null +++ b/scanpipe/tests/data/asgiref/asgiref-3.3.0.package-list.yml @@ -0,0 +1,437 @@ +projectName: asgiref +projectVcs: + type: + url: + revision: + path: +dependencies: + - id: pypi::asgiref:3.3.0 + purl: pkg:pypi/asgiref@3.3.0 + vcs: + type: + url: + revision: + path: + sourceArtifact: + url: + declaredLicenses: + - BSD-3-Clause + description: | + ASGI specs, helper code, and adapters + asgiref + ======= + + .. image:: https://api.travis-ci.org/django/asgiref.svg + :target: https://travis-ci.org/django/asgiref + + .. image:: https://img.shields.io/pypi/v/asgiref.svg + :target: https://pypi.python.org/pypi/asgiref + + ASGI is a standard for Python asynchronous web apps and servers to communicate + with each other, and positioned as an asynchronous successor to WSGI. You can + read more at https://asgi.readthedocs.io/en/latest/ + + This package includes ASGI base libraries, such as: + + * Sync-to-async and async-to-sync function wrappers, ``asgiref.sync`` + * Server base classes, ``asgiref.server`` + * A WSGI-to-ASGI adapter, in ``asgiref.wsgi`` + + + Function wrappers + ----------------- + + These allow you to wrap or decorate async or sync functions to call them from + the other style (so you can call async functions from a synchronous thread, + or vice-versa). + + In particular: + + * AsyncToSync lets a synchronous subthread stop and wait while the async + function is called on the main thread's event loop, and then control is + returned to the thread when the async function is finished. + + * SyncToAsync lets async code call a synchronous function, which is run in + a threadpool and control returned to the async coroutine when the synchronous + function completes. + + The idea is to make it easier to call synchronous APIs from async code and + asynchronous APIs from synchronous code so it's easier to transition code from + one style to the other. In the case of Channels, we wrap the (synchronous) + Django view system with SyncToAsync to allow it to run inside the (asynchronous) + ASGI server. + + Note that exactly what threads things run in is very specific, and aimed to + keep maximum compatibility with old synchronous code. See + "Synchronous code & Threads" below for a full explanation. By default, + ``sync_to_async`` will run all synchronous code in the program in the same + thread for safety reasons; you can disable this for more performance with + ``@sync_to_async(thread_sensitive=False)``, but make sure that your code does + not rely on anything bound to threads (like database connections) when you do. + + + Threadlocal replacement + ----------------------- + + This is a drop-in replacement for ``threading.local`` that works with both + threads and asyncio Tasks. Even better, it will proxy values through from a + task-local context to a thread-local context when you use ``sync_to_async`` + to run things in a threadpool, and vice-versa for ``async_to_sync``. + + If you instead want true thread- and task-safety, you can set + ``thread_critical`` on the Local object to ensure this instead. + + + Server base classes + ------------------- + + Includes a ``StatelessServer`` class which provides all the hard work of + writing a stateless server (as in, does not handle direct incoming sockets + but instead consumes external streams or sockets to work out what is happening). + + An example of such a server would be a chatbot server that connects out to + a central chat server and provides a "connection scope" per user chatting to + it. There's only one actual connection, but the server has to separate things + into several scopes for easier writing of the code. + + You can see an example of this being used in `frequensgi `_. + + + WSGI-to-ASGI adapter + -------------------- + + Allows you to wrap a WSGI application so it appears as a valid ASGI application. + + Simply wrap it around your WSGI application like so:: + + asgi_application = WsgiToAsgi(wsgi_application) + + The WSGI application will be run in a synchronous threadpool, and the wrapped + ASGI application will be one that accepts ``http`` class messages. + + Please note that not all extended features of WSGI may be supported (such as + file handles for incoming POST bodies). + + + Dependencies + ------------ + + ``asgiref`` requires Python 3.5 or higher. + + + Contributing + ------------ + + Please refer to the + `main Channels contributing docs `_. + + + Testing + ''''''' + + To run tests, make sure you have installed the ``tests`` extra with the package:: + + cd asgiref/ + pip install -e .[tests] + pytest + + + Building the documentation + '''''''''''''''''''''''''' + + The documentation uses `Sphinx `_:: + + cd asgiref/docs/ + pip install sphinx + + To build the docs, you can use the default tools:: + + sphinx-build -b html . _build/html # or `make html`, if you've got make set up + cd _build/html + python -m http.server + + ...or you can use ``sphinx-autobuild`` to run a server and rebuild/reload + your documentation changes automatically:: + + pip install sphinx-autobuild + sphinx-autobuild . _build/html + + + Implementation Details + ---------------------- + + Synchronous code & threads + '''''''''''''''''''''''''' + + The ``asgiref.sync`` module provides two wrappers that let you go between + asynchronous and synchronous code at will, while taking care of the rough edges + for you. + + Unfortunately, the rough edges are numerous, and the code has to work especially + hard to keep things in the same thread as much as possible. Notably, the + restrictions we are working with are: + + * All synchronous code called through ``SyncToAsync`` and marked with + ``thread_sensitive`` should run in the same thread as each other (and if the + outer layer of the program is synchronous, the main thread) + + * If a thread already has a running async loop, ``AsyncToSync`` can't run things + on that loop if it's blocked on synchronous code that is above you in the + call stack. + + The first compromise you get to might be that ``thread_sensitive`` code should + just run in the same thread and not spawn in a sub-thread, fulfilling the first + restriction, but that immediately runs you into the second restriction. + + The only real solution is to essentially have a variant of ThreadPoolExecutor + that executes any ``thread_sensitive`` code on the outermost synchronous + thread - either the main thread, or a single spawned subthread. + + This means you now have two basic states: + + * If the outermost layer of your program is synchronous, then all async code + run through ``AsyncToSync`` will run in a per-call event loop in arbitary + sub-threads, while all ``thread_sensitive`` code will run in the main thread. + + * If the outermost layer of your program is asynchronous, then all async code + runs on the main thread's event loop, and all ``thread_sensitive`` synchronous + code will run in a single shared sub-thread. + + Cruicially, this means that in both cases there is a thread which is a shared + resource that all ``thread_sensitive`` code must run on, and there is a chance + that this thread is currently blocked on its own ``AsyncToSync`` call. Thus, + ``AsyncToSync`` needs to act as an executor for thread code while it's blocking. + + The ``CurrentThreadExecutor`` class provides this functionality; rather than + simply waiting on a Future, you can call its ``run_until_future`` method and + it will run submitted code until that Future is done. This means that code + inside the call can then run code on your thread. + + + Maintenance and Security + ------------------------ + + To report security issues, please contact security@djangoproject.com. For GPG + signatures and more security process information, see + https://docs.djangoproject.com/en/dev/internals/security/. + + To report bugs or request new features, please open a new GitHub issue. + + This repository is part of the Channels project. For the shepherd and maintenance team, please see the + `main Channels readme `_. + homepageUrl: https://github.com/django/asgiref/ + - id: pypi::asgiref:3.3.0 + purl: pkg:pypi/asgiref@3.3.0 + vcs: + type: + url: + revision: + path: + sourceArtifact: + url: + declaredLicenses: + - BSD-3-Clause + description: | + ASGI specs, helper code, and adapters + asgiref + ======= + + .. image:: https://api.travis-ci.org/django/asgiref.svg + :target: https://travis-ci.org/django/asgiref + + .. image:: https://img.shields.io/pypi/v/asgiref.svg + :target: https://pypi.python.org/pypi/asgiref + + ASGI is a standard for Python asynchronous web apps and servers to communicate + with each other, and positioned as an asynchronous successor to WSGI. You can + read more at https://asgi.readthedocs.io/en/latest/ + + This package includes ASGI base libraries, such as: + + * Sync-to-async and async-to-sync function wrappers, ``asgiref.sync`` + * Server base classes, ``asgiref.server`` + * A WSGI-to-ASGI adapter, in ``asgiref.wsgi`` + + + Function wrappers + ----------------- + + These allow you to wrap or decorate async or sync functions to call them from + the other style (so you can call async functions from a synchronous thread, + or vice-versa). + + In particular: + + * AsyncToSync lets a synchronous subthread stop and wait while the async + function is called on the main thread's event loop, and then control is + returned to the thread when the async function is finished. + + * SyncToAsync lets async code call a synchronous function, which is run in + a threadpool and control returned to the async coroutine when the synchronous + function completes. + + The idea is to make it easier to call synchronous APIs from async code and + asynchronous APIs from synchronous code so it's easier to transition code from + one style to the other. In the case of Channels, we wrap the (synchronous) + Django view system with SyncToAsync to allow it to run inside the (asynchronous) + ASGI server. + + Note that exactly what threads things run in is very specific, and aimed to + keep maximum compatibility with old synchronous code. See + "Synchronous code & Threads" below for a full explanation. By default, + ``sync_to_async`` will run all synchronous code in the program in the same + thread for safety reasons; you can disable this for more performance with + ``@sync_to_async(thread_sensitive=False)``, but make sure that your code does + not rely on anything bound to threads (like database connections) when you do. + + + Threadlocal replacement + ----------------------- + + This is a drop-in replacement for ``threading.local`` that works with both + threads and asyncio Tasks. Even better, it will proxy values through from a + task-local context to a thread-local context when you use ``sync_to_async`` + to run things in a threadpool, and vice-versa for ``async_to_sync``. + + If you instead want true thread- and task-safety, you can set + ``thread_critical`` on the Local object to ensure this instead. + + + Server base classes + ------------------- + + Includes a ``StatelessServer`` class which provides all the hard work of + writing a stateless server (as in, does not handle direct incoming sockets + but instead consumes external streams or sockets to work out what is happening). + + An example of such a server would be a chatbot server that connects out to + a central chat server and provides a "connection scope" per user chatting to + it. There's only one actual connection, but the server has to separate things + into several scopes for easier writing of the code. + + You can see an example of this being used in `frequensgi `_. + + + WSGI-to-ASGI adapter + -------------------- + + Allows you to wrap a WSGI application so it appears as a valid ASGI application. + + Simply wrap it around your WSGI application like so:: + + asgi_application = WsgiToAsgi(wsgi_application) + + The WSGI application will be run in a synchronous threadpool, and the wrapped + ASGI application will be one that accepts ``http`` class messages. + + Please note that not all extended features of WSGI may be supported (such as + file handles for incoming POST bodies). + + + Dependencies + ------------ + + ``asgiref`` requires Python 3.5 or higher. + + + Contributing + ------------ + + Please refer to the + `main Channels contributing docs `_. + + + Testing + ''''''' + + To run tests, make sure you have installed the ``tests`` extra with the package:: + + cd asgiref/ + pip install -e .[tests] + pytest + + + Building the documentation + '''''''''''''''''''''''''' + + The documentation uses `Sphinx `_:: + + cd asgiref/docs/ + pip install sphinx + + To build the docs, you can use the default tools:: + + sphinx-build -b html . _build/html # or `make html`, if you've got make set up + cd _build/html + python -m http.server + + ...or you can use ``sphinx-autobuild`` to run a server and rebuild/reload + your documentation changes automatically:: + + pip install sphinx-autobuild + sphinx-autobuild . _build/html + + + Implementation Details + ---------------------- + + Synchronous code & threads + '''''''''''''''''''''''''' + + The ``asgiref.sync`` module provides two wrappers that let you go between + asynchronous and synchronous code at will, while taking care of the rough edges + for you. + + Unfortunately, the rough edges are numerous, and the code has to work especially + hard to keep things in the same thread as much as possible. Notably, the + restrictions we are working with are: + + * All synchronous code called through ``SyncToAsync`` and marked with + ``thread_sensitive`` should run in the same thread as each other (and if the + outer layer of the program is synchronous, the main thread) + + * If a thread already has a running async loop, ``AsyncToSync`` can't run things + on that loop if it's blocked on synchronous code that is above you in the + call stack. + + The first compromise you get to might be that ``thread_sensitive`` code should + just run in the same thread and not spawn in a sub-thread, fulfilling the first + restriction, but that immediately runs you into the second restriction. + + The only real solution is to essentially have a variant of ThreadPoolExecutor + that executes any ``thread_sensitive`` code on the outermost synchronous + thread - either the main thread, or a single spawned subthread. + + This means you now have two basic states: + + * If the outermost layer of your program is synchronous, then all async code + run through ``AsyncToSync`` will run in a per-call event loop in arbitary + sub-threads, while all ``thread_sensitive`` code will run in the main thread. + + * If the outermost layer of your program is asynchronous, then all async code + runs on the main thread's event loop, and all ``thread_sensitive`` synchronous + code will run in a single shared sub-thread. + + Cruicially, this means that in both cases there is a thread which is a shared + resource that all ``thread_sensitive`` code must run on, and there is a chance + that this thread is currently blocked on its own ``AsyncToSync`` call. Thus, + ``AsyncToSync`` needs to act as an executor for thread code while it's blocking. + + The ``CurrentThreadExecutor`` class provides this functionality; rather than + simply waiting on a Future, you can call its ``run_until_future`` method and + it will run submitted code until that Future is done. This means that code + inside the call can then run code on your thread. + + + Maintenance and Security + ------------------------ + + To report security issues, please contact security@djangoproject.com. For GPG + signatures and more security process information, see + https://docs.djangoproject.com/en/dev/internals/security/. + + To report bugs or request new features, please open a new GitHub issue. + + This repository is part of the Channels project. For the shepherd and maintenance team, please see the + `main Channels readme `_. + homepageUrl: https://github.com/django/asgiref/ diff --git a/scanpipe/tests/pipes/test_ort.py b/scanpipe/tests/pipes/test_ort.py new file mode 100644 index 0000000000..101a843916 --- /dev/null +++ b/scanpipe/tests/pipes/test_ort.py @@ -0,0 +1,71 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# http://nexb.com and https://github.com/nexB/scancode.io +# The ScanCode.io software is licensed under the Apache License version 2.0. +# Data generated with ScanCode.io is provided as-is without warranties. +# ScanCode is a trademark of nexB Inc. +# +# You may not use this software except in compliance with the License. +# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. +# +# Data Generated with ScanCode.io is provided on an "AS IS" BASIS, WITHOUT WARRANTIES +# OR CONDITIONS OF ANY KIND, either express or implied. No content created from +# ScanCode.io should be considered or used as legal advice. Consult an Attorney +# for any legal advice. +# +# ScanCode.io is a free software code scanning tool from nexB Inc. and others. +# Visit https://github.com/nexB/scancode.io for support and download. + + +from django.test import TestCase + +import saneyaml + +from scanpipe import pipes +from scanpipe.pipes import ort +from scanpipe.tests import make_project +from scanpipe.tests import package_data1 + + +class ScanPipeORTPipesTest(TestCase): + def test_scanpipe_ort_pipes_get_ort_project_type(self): + project = make_project(name="Analysis") + self.assertIsNone(ort.get_ort_project_type(project)) + + project.add_input_source( + filename="image.tar", download_url="docker://docker-ref" + ) + self.assertEqual("docker", ort.get_ort_project_type(project)) + + def test_scanpipe_ort_pipes_to_ort_package_list_yml(self): + project = make_project(name="Analysis") + pipes.update_or_create_package(project, package_data1) + + package_list_yml = ort.to_ort_package_list_yml(project) + package_list = saneyaml.load(package_list_yml) + + expected = { + "projectName": "Analysis", + "projectVcs": {"type": "", "url": "", "revision": "", "path": ""}, + "dependencies": [ + { + "id": "deb::adduser:3.118", + "purl": "pkg:deb/debian/adduser@3.118?arch=all", + "vcs": { + "type": "", + "url": "https://packages.vcs.url", + "revision": "", + "path": "", + }, + "sourceArtifact": {"url": "https://download.url/package.zip"}, + "declaredLicenses": ["GPL-2.0-only AND GPL-2.0-or-later"], + "description": "add and remove users and groups", + "homepageUrl": "https://packages.debian.org", + } + ], + } + self.assertEqual(expected, package_list) diff --git a/scanpipe/tests/pipes/test_output.py b/scanpipe/tests/pipes/test_output.py index b3354ab230..a7436f51a1 100644 --- a/scanpipe/tests/pipes/test_output.py +++ b/scanpipe/tests/pipes/test_output.py @@ -520,6 +520,18 @@ def test_scanpipe_pipes_outputs_to_spdx_dependencies(self, mock_uuid4): expected_file = self.data / "spdx" / "dependencies.spdx.json" self.assertResultsEqual(expected_file, results) + def test_scanpipe_pipes_outputs_to_to_ort_package_list_yml(self): + fixtures = self.data / "asgiref" / "asgiref-3.3.0_fixtures.json" + call_command("loaddata", fixtures, **{"verbosity": 0}) + project = Project.objects.get(name="asgiref") + + with self.assertNumQueries(2): + output_file = output.to_ort_package_list_yml(project=project) + self.assertIn(output_file.name, project.output_root) + + expected_file = self.data / "asgiref" / "asgiref-3.3.0.package-list.yml" + self.assertResultsEqual(expected_file, output_file.read_text()) + def test_scanpipe_pipes_outputs_make_unknown_license_object(self): licensing = get_licensing() parsed_expression = licensing.parse("some-unknown-license") diff --git a/scanpipe/views.py b/scanpipe/views.py index 7439504f39..c8e8d6bbfd 100644 --- a/scanpipe/views.py +++ b/scanpipe/views.py @@ -1630,6 +1630,8 @@ def get(self, request, *args, **kwargs): output_file = output.to_cyclonedx(project, **output_kwargs) elif format == "attribution": output_file = output.to_attribution(project) + elif format == "ort-package-list": + output_file = output.to_ort_package_list_yml(project) else: raise Http404("Format not supported.")