Add a PurlDB tab in the Package details view #1125 (#1128)

Signed-off-by: tdruez <tdruez@nexb.com>

Author: tdruez

CHANGELOG.rst

@@ -39,6 +39,11 @@ v34.1.0 (unreleased)
   A data migration is included to facilitate the migration of existing data.
   https://github.com/nexB/scancode.io/issues/1099
 
+- Add PurlDB tab, displayed when the PURLDB_URL settings is configured.
+  When loading the package details view, a request is made on the PurlDB to fetch and
+  and display any available data.
+  https://github.com/nexB/scancode.io/issues/1125
+
 v34.0.0 (2024-03-04)
 --------------------
 

docs/application-settings.rst

@@ -294,6 +294,10 @@ API key using ``PURLDB_API_KEY``::
 
     PURLDB_API_KEY=insert_your_api_key_here
 
+.. note::
+    Once the PurlDB is configured, a new "PurlDB" tab will be available in the
+    discovered package details view.
+
 .. _scancodeio_settings_vulnerablecode:
 
 VULNERABLECODE

scanpipe/pipes/purldb.py

@@ -330,3 +330,17 @@ def populate_purldb_with_discovered_dependencies(project, logger=logger.info):
         chunk_size=10,
         logger=logger,
     )
+
+
+def get_package_by_purl(package_url):
+    """Get a Package details entry providing its `package_url`."""
+    if results := find_packages({"purl": str(package_url)}):
+        return results[0]
+
+
+def find_packages(payload):
+    """Get Packages using provided `payload` filters on the PurlDB package list."""
+    package_api_url = f"{PURLDB_API_URL}packages/"
+    response = request_get(package_api_url, payload=payload)
+    if response and response.get("count") > 0:
+        return response.get("results")

scanpipe/templates/scanpipe/tabset/tab_purldb_content.html

@@ -0,0 +1,13 @@
+{% if tab_data.fields %}
+  <div class="notification is-link is-light has-text-weight-semibold p-3 mb-4">
+    <i class="fa-solid fa-circle-info mr-1"></i>
+    You are looking at the details for this software package as defined
+    in the PurlDB which was scanned automatically from a public source.
+  </div>
+  {% include 'scanpipe/tabset/tab_default.html' %}
+{% else %}
+  <div class="notification is-warning is-light has-text-weight-semibold p-3 mb-4">
+    <i class="fa-solid fa-triangle-exclamation mr-1"></i>
+    No entries found in the PurlDB for this package.
+  </div>
+{% endif %}

scanpipe/templates/scanpipe/tabset/tab_purldb_loader.html

@@ -0,0 +1,5 @@
+<div hx-get="{% url 'package_purldb_tab' project.slug object.uuid %}" hx-trigger="load" hx-swap="outerHTML">
+  <div class="notification has-text-weight-semibold p-3">
+    <i class="fas fa-spinner fa-spin"></i> Fetching {{ object }} in {{ tab_data.verbose_name }} ...
+  </div>
+</div>

scanpipe/tests/test_views.py

@@ -979,6 +979,41 @@ def test_scanpipe_views_discovered_package_details_view_tab_vulnerabilities(self
         self.assertContains(response, '<section id="tab-vulnerabilities"')
         self.assertContains(response, "VCID-cah8-awtr-aaad")
 
+    @mock.patch("scanpipe.pipes.purldb.is_configured")
+    def test_scanpipe_views_discovered_package_purldb_tab_view(self, mock_configured):
+        package1 = DiscoveredPackage.create_from_data(self.project1, package_data1)
+        package_url = package1.get_absolute_url()
+
+        mock_configured.return_value = False
+        response = self.client.get(package_url)
+        self.assertNotContains(response, "tab-purldb")
+        self.assertNotContains(response, '<section id="tab-purldb"')
+
+        mock_configured.return_value = True
+        response = self.client.get(package_url)
+        self.assertContains(response, "tab-purldb")
+        self.assertContains(response, '<section id="tab-purldb"')
+
+        with mock.patch("scanpipe.pipes.purldb.get_package_by_purl") as get_package:
+            get_package.return_value = None
+            purldb_tab_url = f"{package_url}purldb_tab/"
+            response = self.client.get(purldb_tab_url)
+            msg = "No entries found in the PurlDB for this package"
+            self.assertContains(response, msg)
+
+            get_package.return_value = {
+                "uuid": "9261605f-e2fb-4db9-94ab-0d82d3273cdf",
+                "filename": "abab-2.0.3.tgz",
+                "type": "npm",
+                "name": "abab",
+                "version": "2.0.3",
+                "primary_language": "JavaScript",
+            }
+            response = self.client.get(purldb_tab_url)
+            self.assertContains(response, "abab-2.0.3.tgz")
+            self.assertContains(response, "2.0.3")
+            self.assertContains(response, "JavaScript")
+
     def test_scanpipe_views_discovered_dependency_views(self):
         DiscoveredPackage.create_from_data(self.project1, package_data1)
         make_resource_file(

scanpipe/urls.py

@@ -46,6 +46,11 @@
         views.CodebaseResourceListView.as_view(),
         name="project_resources",
     ),
+    path(
+        "project/<slug:slug>/packages/<uuid:uuid>/purldb_tab/",
+        views.DiscoveredPackagePurlDBTabView.as_view(),
+        name="package_purldb_tab",
+    ),
     path(
         "project/<slug:slug>/packages/<uuid:uuid>/",
         views.DiscoveredPackageDetailsView.as_view(),

scanpipe/views.py

@@ -49,6 +49,7 @@
 from django.urls import reverse
 from django.urls import reverse_lazy
 from django.utils.decorators import method_decorator
+from django.utils.text import capfirst
 from django.views import generic
 from django.views.decorators.http import require_POST
 from django.views.generic.detail import SingleObjectMixin
@@ -89,6 +90,7 @@
 from scanpipe.models import RunInProgressError
 from scanpipe.pipes import count_group_by
 from scanpipe.pipes import output
+from scanpipe.pipes import purldb
 
 scanpipe_app = apps.get_app_config("scanpipe")
 
@@ -177,6 +179,10 @@
 ]
 
 
+def purldb_is_configured(*args):
+    return purldb.is_configured()
+
+
 class PrefetchRelatedViewMixin:
     prefetch_related = []
 
@@ -1631,22 +1637,22 @@ class CodebaseResourceDetailsView(
                 "tag",
                 "rootfs_path",
             ],
-            "icon_class": "fa-solid fa-info-circle",
+            "icon_class": "fa-solid fa-circle-check",
         },
         "others": {
             "fields": [
                 {"field_name": "size", "render_func": filesizeformat},
-                "md5",
-                "sha1",
-                "sha256",
-                "sha512",
+                {"field_name": "md5", "label": "MD5"},
+                {"field_name": "sha1", "label": "SHA1"},
+                {"field_name": "sha256", "label": "SHA256"},
+                {"field_name": "sha512", "label": "SHA512"},
                 "is_binary",
                 "is_text",
                 "is_archive",
                 "is_key_file",
                 "is_media",
             ],
-            "icon_class": "fa-solid fa-plus-square",
+            "icon_class": "fa-solid fa-info-circle",
         },
         "viewer": {
             "icon_class": "fa-solid fa-file-code",
@@ -1692,7 +1698,7 @@ class CodebaseResourceDetailsView(
                 {"field_name": "extra_data", "render_func": render_as_yaml},
             ],
             "verbose_name": "Extra",
-            "icon_class": "fa-solid fa-database",
+            "icon_class": "fa-solid fa-plus-square",
         },
     }
 
@@ -1828,23 +1834,25 @@ class DiscoveredPackageDetailsView(
                 "description",
                 "tag",
             ],
-            "icon_class": "fa-solid fa-info-circle",
+            "icon_class": "fa-solid fa-circle-check",
         },
         "others": {
             "fields": [
                 {"field_name": "size", "render_func": filesizeformat},
                 "release_date",
-                "md5",
-                "sha1",
-                "sha256",
-                "sha512",
+                {"field_name": "md5", "label": "MD5"},
+                {"field_name": "sha1", "label": "SHA1"},
+                {"field_name": "sha256", "label": "SHA256"},
+                {"field_name": "sha512", "label": "SHA512"},
                 "file_references",
                 {"field_name": "parties", "render_func": render_as_yaml},
                 "missing_resources",
                 "modified_resources",
                 "package_uid",
+                "datasource_ids",
+                "datafile_paths",
             ],
-            "icon_class": "fa-solid fa-plus-square",
+            "icon_class": "fa-solid fa-info-circle",
         },
         "terms": {
             "fields": [
@@ -1870,14 +1878,6 @@ class DiscoveredPackageDetailsView(
             ],
             "icon_class": "fa-solid fa-file-contract",
         },
-        "detection": {
-            "fields": [
-                "datasource_ids",
-                "datafile_paths",
-            ],
-            "icon_class": "fa-solid fa-search",
-            "template": "scanpipe/tabset/tab_detections.html",
-        },
         "resources": {
             "fields": ["codebase_resources"],
             "icon_class": "fa-solid fa-folder-open",
@@ -1898,11 +1898,61 @@ class DiscoveredPackageDetailsView(
                 {"field_name": "extra_data", "render_func": render_as_yaml},
             ],
             "verbose_name": "Extra",
+            "icon_class": "fa-solid fa-plus-square",
+        },
+        "purldb": {
+            "fields": ["uuid"],
+            "verbose_name": "PurlDB",
             "icon_class": "fa-solid fa-database",
+            "template": "scanpipe/tabset/tab_purldb_loader.html",
+            "display_condition": purldb_is_configured,
         },
     }
 
 
+class DiscoveredPackagePurlDBTabView(ConditionalLoginRequired, generic.DetailView):
+    model = DiscoveredPackage
+    slug_field = "uuid"
+    slug_url_kwarg = "uuid"
+    template_name = "scanpipe/tabset/tab_purldb_content.html"
+
+    @staticmethod
+    def get_fields_data(purldb_entry):
+        exclude = [
+            "uuid",
+            "purl",
+            "license_detections",
+            "resources",
+        ]
+
+        fields_data = {}
+        for field_name, value in purldb_entry.items():
+            if not value or field_name in exclude:
+                continue
+
+            label = capfirst(
+                field_name.replace("url", "URL")
+                .replace("_", " ")
+                .replace("sha", "SHA")
+                .replace("vcs", "VCS")
+            )
+            fields_data[field_name] = {"label": label, "value": value}
+
+        return fields_data
+
+    def get_context_data(self, **kwargs):
+        context = super().get_context_data(**kwargs)
+
+        if not purldb.is_configured():
+            raise Http404("PurlDB access is not configured.")
+
+        if purldb_entry := purldb.get_package_by_purl(self.object.package_url):
+            fields = self.get_fields_data(purldb_entry)
+            context["tab_data"] = {"fields": fields}
+
+        return context
+
+
 class DiscoveredDependencyDetailsView(
     ConditionalLoginRequired,
     ProjectRelatedViewMixin,
@@ -1944,7 +1994,7 @@ class DiscoveredDependencyDetailsView(
                 "scope",
                 "datasource_id",
             ],
-            "icon_class": "fa-solid fa-info-circle",
+            "icon_class": "fa-solid fa-circle-check",
         },
         "others": {
             "fields": [
@@ -1954,7 +2004,7 @@ class DiscoveredDependencyDetailsView(
                 "is_optional",
                 "is_resolved",
             ],
-            "icon_class": "fa-solid fa-plus-square",
+            "icon_class": "fa-solid fa-info-circle",
         },
         "vulnerabilities": {
             "fields": ["affected_by_vulnerabilities"],