diff --git a/scancodeio/static/tree-views/expand-collapse.svg b/scancodeio/static/tree-views/expand-collapse.svg
new file mode 100644
index 000000000..f34809c99
--- /dev/null
+++ b/scancodeio/static/tree-views/expand-collapse.svg
@@ -0,0 +1,7 @@
+
+
diff --git a/scancodeio/static/tree-views/tree.css b/scancodeio/static/tree-views/tree.css
new file mode 100644
index 000000000..b14023615
--- /dev/null
+++ b/scancodeio/static/tree-views/tree.css
@@ -0,0 +1,75 @@
+.tree{
+ --spacing : 1.5rem;
+ --radius : 10px;
+}
+
+.tree li{
+ display : block;
+ position : relative;
+ padding-left : calc(2 * var(--spacing) - var(--radius) - 2px);
+}
+
+.tree ul{
+ margin-left : calc(var(--radius) - var(--spacing));
+ padding-left : 0;
+}
+
+.tree ul li{
+ border-left : 2px solid #ddd;
+}
+
+.tree ul li:last-child{
+ border-color : transparent;
+}
+
+.tree ul li::before{
+ content : '';
+ display : block;
+ position : absolute;
+ top : calc(var(--spacing) / -2);
+ left : -2px;
+ width : calc(var(--spacing) + 2px);
+ height : calc(var(--spacing) + 1px);
+ border : solid #ddd;
+ border-width : 0 0 2px 2px;
+}
+
+.tree summary{
+ display : block;
+ cursor : pointer;
+}
+
+.tree summary::marker,
+.tree summary::-webkit-details-marker{
+ display : none;
+}
+
+.tree summary:focus{
+ outline : none;
+}
+
+.tree summary:focus-visible{
+ outline : 1px dotted #000;
+}
+
+.tree li::after,
+.tree summary::before{
+ content : '';
+ display : block;
+ position : absolute;
+ top : calc(var(--spacing) / 2 - var(--radius));
+ left : calc(var(--spacing) - var(--radius) - 1px);
+ width : calc(2 * var(--radius));
+ height : calc(2 * var(--radius));
+ border-radius : 50%;
+ background : #ddd;
+}
+
+.tree summary::before{
+ z-index : 1;
+ background : #696 url('expand-collapse.svg') 0 0;
+}
+
+.tree details[open] > summary::before{
+ background-position : calc(-2 * var(--radius)) 0;
+}
diff --git a/scancodeio/static/tree-views/tree.css.ABOUT b/scancodeio/static/tree-views/tree.css.ABOUT
new file mode 100644
index 000000000..13316e526
--- /dev/null
+++ b/scancodeio/static/tree-views/tree.css.ABOUT
@@ -0,0 +1,10 @@
+about_resource: tree.css
+name: css-tree-views
+homepage_url: https://iamkate.com/code/tree-views/
+description: A tree view (collapsible list) can be created using only html and css, without
+ the need for JavaScript. Accessibility software will see the tree view as lists nested inside
+ disclosure widgets, and the standard keyboard interaction is supported automatically.
+license_expression: cc0-1.0
+licenses:
+ - key: cc0-1.0
+ name: cc0-1.0
diff --git a/scancodeio/static/tree-views/tree.css.NOTICE b/scancodeio/static/tree-views/tree.css.NOTICE
new file mode 100644
index 000000000..319755b97
--- /dev/null
+++ b/scancodeio/static/tree-views/tree.css.NOTICE
@@ -0,0 +1,29 @@
+Free content on iamkate.com
+The web was still young when I first went online in 1998. It felt like a utopian dream of free culture and free knowledge. Anyone could contribute, and within weeks I had learnt html and created my first site, hosted in the 10mb of webspace my isp included as standard.
+
+I’ve watched as the dream has become a nightmare of surveillance and monetisation. Companies such as Google and Facebook offer their services for free to the public because their real products are their advertising networks powered by the personal data of their visitors.
+
+The only concern of these companies and their shareholders is to maximise their income from advertising, regardless of the costs to society. They use dubious schemes to avoid paying tax. They encourage addiction and risk the mental health of their visitors. They threaten democratic institutions.
+
+I have little influence over the wider web, but I can control my small part of it, creating a haven that remains true to the original dream. This page describes my approach to copyright, my promise to protect the privacy of my visitors, and my commitment to transparency.
+
+Copyright
+Copyright limits creativity and holds back progress by restricting our rights to build upon the works of others. Copyleft licences attempt to use copyright against itself, but “the master’s tools will never dismantle the master’s house”, as Audre Lorde remarked in a different context.
+
+All content on my site is released under the terms of the Creative Commons CC0 1.0 Universal Legal Code. This means I have waived all copyright and related rights to the extent possible under law, with the intention of dedicating the content to the public domain. You can use and adapt it without attribution.
+
+Privacy
+Every site is hosted on a server, which is usually operated by a third party due to the expertise needed to manage servers securely. Most sites are accessed indirectly through the servers of a content delivery network, which protects the original server from attacks that could disable the site.
+
+My site is hosted on Cloudflare Pages. Cloudflare is both the host and the content delivery network, avoiding the need to trust two separate third parties. Cloudflare have a strong commitment to privacy and data protection, and frequently write about developing systems to protect visitor privacy.
+
+Almost every site today includes code that tracks visitors for statistical and advertising purposes. Often the site owner includes code with the deliberate aim of tracking their visitors, but sometimes they just want to include a feature provided by a third party, and that provider includes their own tracking code.
+
+My site doesn’t include any tracking code, and doesn’t load any code from third parties. It doesn’t have a cookie banner because it doesn’t use cookies. Instead of an invasive analytics system, Cloudflare Web Analytics gives me the most important statistics without tracking individual visitors.
+
+Transparency
+You probably don’t know me, and shouldn’t have to trust me. Instead, you should be able to check security and privacy claims for yourself. Unfortunately most sites today use a process called code minification, which makes them faster but also makes it harder for other people to understand their code.
+
+The Mozilla Observatory report for my site confirms the presence of various security and privacy features, resulting in a perfect A+ rating. One of these features, the content security policy, prevents browsers from loading code and other resources from third parties.
+
+My site doesn’t need to use code minification in order to load quickly due to its simple design, efficient implementation, and absence of resources loaded from third parties. As a result, other software developers can easily understand how the layout, styling, and interactive features are created.
diff --git a/scanpipe/pipelines/load_sbom.py b/scanpipe/pipelines/load_sbom.py
index 955e54dd9..2fbef7f9d 100644
--- a/scanpipe/pipelines/load_sbom.py
+++ b/scanpipe/pipelines/load_sbom.py
@@ -20,6 +20,7 @@
# ScanCode.io is a free software code scanning tool from nexB Inc. and others.
# Visit https://github.com/aboutcode-org/scancode.io for support and download.
+from scanpipe.models import DiscoveredDependency
from scanpipe.pipelines.scan_codebase import ScanCodebase
from scanpipe.pipes import resolve
@@ -44,7 +45,7 @@ def steps(cls):
cls.flag_empty_files,
cls.flag_ignored_resources,
cls.get_sbom_inputs,
- cls.get_packages_from_sboms,
+ cls.get_data_from_sboms,
cls.create_packages_from_sboms,
cls.create_dependencies_from_sboms,
)
@@ -53,13 +54,13 @@ def get_sbom_inputs(self):
"""Locate all the SBOMs among the codebase resources."""
self.manifest_resources = resolve.get_manifest_resources(self.project)
- def get_packages_from_sboms(self):
+ def get_data_from_sboms(self):
"""Get packages data from SBOMs."""
+ # NOTE(review): the call below is unpacked into two names, but the visible
+ # early-exit path of resolve.get_data_from_manifests still does ``return []``.
+ # Unpacking an empty list raises ValueError; confirm every early return of
+ # that function yields a ``(packages, dependencies)`` pair.
- self.packages = resolve.get_packages(
+ self.packages, self.dependencies = resolve.get_data_from_manifests(
project=self.project,
package_registry=resolve.sbom_registry,
manifest_resources=self.manifest_resources,
- model="get_packages_from_sboms",
+ model="get_data_from_sboms",
)
def create_packages_from_sboms(self):
@@ -71,4 +72,11 @@ def create_packages_from_sboms(self):
def create_dependencies_from_sboms(self):
"""Create the dependency relationship declared in the SBOMs."""
+ # TODO: Migrate the CycloneDX behavior too, see get_dependencies_from_manifest
+ # CycloneDX path: dependencies are derived from the "depends_on" entries
+ # stored in the extra_data of each package.
resolve.create_dependencies_from_packages_extra_data(project=self.project)
+
+ # SPDX path: dependencies were collected as plain data by get_data_from_sboms
+ # and are created one by one here.
+ for dependency_data in self.dependencies:
+ DiscoveredDependency.create_from_data(
+ project=self.project,
+ dependency_data=dependency_data,
+ )
diff --git a/scanpipe/pipes/cyclonedx.py b/scanpipe/pipes/cyclonedx.py
index 573566c93..c6bb5b929 100644
--- a/scanpipe/pipes/cyclonedx.py
+++ b/scanpipe/pipes/cyclonedx.py
@@ -155,12 +155,12 @@ def cyclonedx_component_to_package_data(cdx_component, dependencies=None):
dependencies = dependencies or {}
extra_data = {}
- # Store the original bom_ref and dependencies for future processing.
bom_ref = str(cdx_component.bom_ref)
- if bom_ref:
- extra_data["bom_ref"] = bom_ref
- if depends_on := dependencies.get(bom_ref):
- extra_data["depends_on"] = depends_on
+ if depends_on := dependencies.get(bom_ref):
+ extra_data["depends_on"] = depends_on
+
+ # Store the original "bom_ref" as package_uid for dependencies resolution.
+ package_uid = bom_ref
package_url_dict = {}
if cdx_component.purl:
@@ -176,6 +176,7 @@ def cyclonedx_component_to_package_data(cdx_component, dependencies=None):
extra_data["nestedComponents"] = sorted(nested_purls)
package_data = {
+ "package_uid": package_uid,
"name": cdx_component.name,
"extracted_license_statement": declared_license,
"copyright": cdx_component.copyright,
diff --git a/scanpipe/pipes/output.py b/scanpipe/pipes/output.py
index d4c5f2632..1cf25e64d 100644
--- a/scanpipe/pipes/output.py
+++ b/scanpipe/pipes/output.py
@@ -671,6 +671,28 @@ def _get_spdx_extracted_licenses(license_expressions):
return extracted_licenses
+def get_dependency_as_spdx_relationship(dependency, document_spdx_id, packages_as_spdx):
+ """
+ Return a spdx.Relationship crafted from the provided ``dependency`` instance.
+
+ The relationship type is always "DEPENDENCY_OF", going from the child element
+ (``spdx_id``) to its parent (``related_spdx_id``):
+
+ - The parent is ``dependency.for_package`` when ``dependency.is_for_package``
+ is true, otherwise the document itself, using ``document_spdx_id``.
+ - The child is ``dependency.resolved_to_package`` when
+ ``dependency.is_resolved_to_package`` is true, otherwise a package built
+ with ``dependency.as_spdx_package()``.
+
+ Side effect: when the dependency is not resolved to a package, the package
+ built from the dependency is appended to the provided ``packages_as_spdx``
+ list, which is modified in place.
+ """
+ if dependency.is_for_package: # Package dependency
+ parent_id = dependency.for_package.spdx_id
+ else: # Project dependency
+ parent_id = document_spdx_id
+
+ if dependency.is_resolved_to_package: # Resolved to a Package
+ child_id = dependency.resolved_to_package.spdx_id
+ else: # Not resolved to a Package (only package_url value is available)
+ dependency_as_package = dependency.as_spdx_package()
+ # The relationship needs a package element to point to, so the dependency
+ # itself is exported as a package.
+ packages_as_spdx.append(dependency_as_package)
+ child_id = dependency_as_package.spdx_id
+
+ spdx_relationship = spdx.Relationship(
+ spdx_id=child_id,
+ related_spdx_id=parent_id,
+ relationship="DEPENDENCY_OF",
+ )
+ return spdx_relationship
+
+
def to_spdx(project, include_files=False):
"""
Generate output for the provided ``project`` in SPDX document format.
@@ -682,6 +704,7 @@ def to_spdx(project, include_files=False):
discoveredpackage_qs = get_queryset(project, "discoveredpackage")
discovereddependency_qs = get_queryset(project, "discovereddependency")
+ document_spdx_id = f"SPDXRef-DOCUMENT-{project.uuid}"
packages_as_spdx = []
license_expressions = []
relationships = []
@@ -692,15 +715,12 @@ def to_spdx(project, include_files=False):
license_expressions.append(license_expression)
for dependency in discovereddependency_qs:
- packages_as_spdx.append(dependency.as_spdx_package())
- if dependency.for_package:
- relationships.append(
- spdx.Relationship(
- spdx_id=dependency.spdx_id,
- related_spdx_id=dependency.for_package.spdx_id,
- relationship="DEPENDENCY_OF",
- )
- )
+ spdx_relationship = get_dependency_as_spdx_relationship(
+ dependency,
+ document_spdx_id,
+ packages_as_spdx,
+ )
+ relationships.append(spdx_relationship)
files_as_spdx = []
if include_files:
@@ -710,6 +730,7 @@ def to_spdx(project, include_files=False):
]
document = spdx.Document(
+ spdx_id=document_spdx_id,
name=f"scancodeio_{project.name}",
namespace=f"https://scancode.io/spdxdocs/{project.uuid}",
creation_info=spdx.CreationInfo(tool=f"ScanCode.io-{scancodeio_version}"),
diff --git a/scanpipe/pipes/resolve.py b/scanpipe/pipes/resolve.py
index 20d6c8b14..5438ade5f 100644
--- a/scanpipe/pipes/resolve.py
+++ b/scanpipe/pipes/resolve.py
@@ -60,12 +60,27 @@ def resolve_manifest_resources(resource, package_registry):
return packages
-def get_packages(project, package_registry, manifest_resources, model=None):
+def get_dependencies_from_manifest(resource):
+ """
+ Get dependency data from resource.
+
+ Only resources whose default package type is "spdx" are handled: their
+ dependencies are resolved with ``resolve_spdx_dependencies``.
+ An empty list is returned when no default package type is found for the
+ resource location, or when that type is anything other than "spdx".
+ """
+ dependencies = []
+
+ default_package_type = get_default_package_type(resource.location)
+ if not default_package_type:
+ return []
+
+ # Other package types fall through and return the empty list set above.
+ if default_package_type == "spdx":
+ dependencies = resolve_spdx_dependencies(input_location=resource.location)
+
+ return dependencies
+
+
+def get_data_from_manifests(project, package_registry, manifest_resources, model=None):
"""
- Get package data from package manifests/lockfiles/SBOMs or
- get package data for resolved packages from package requirements.
+ Get package and dependency data from package manifests/lockfiles/SBOMs or
+ for resolved packages from package requirements.
"""
resolved_packages = []
+ resolved_dependencies = []
sboms_headers = {}
if not manifest_resources.exists():
@@ -76,7 +91,8 @@ def get_packages(project, package_registry, manifest_resources, model=None):
return []
for resource in manifest_resources:
- if packages := resolve_manifest_resources(resource, package_registry):
+ packages = resolve_manifest_resources(resource, package_registry)
+ if packages:
resolved_packages.extend(packages)
if headers := get_manifest_headers(resource):
sboms_headers[resource.name] = headers
@@ -87,10 +103,14 @@ def get_packages(project, package_registry, manifest_resources, model=None):
object_instance=resource,
)
+ dependencies = get_dependencies_from_manifest(resource)
+ if dependencies:
+ resolved_dependencies.extend(dependencies)
+
if sboms_headers:
project.update_extra_data({"sboms_headers": sboms_headers})
- return resolved_packages
+ return resolved_packages, resolved_dependencies
def create_packages_and_dependencies(project, packages, resolved=False):
@@ -139,7 +159,7 @@ def create_dependencies_from_packages_extra_data(project):
for bom_ref in for_package.extra_data.get("depends_on", []):
try:
- resolved_to_package = project_packages.get(extra_data__bom_ref=bom_ref)
+ resolved_to_package = project_packages.get(package_uid=bom_ref)
except (ObjectDoesNotExist, MultipleObjectsReturned):
project.add_error(
description=f"Could not find resolved_to package entry: {bom_ref}.",
@@ -284,8 +304,12 @@ def convert_spdx_expression(license_expression_spdx):
return get_license_detections_and_expression(license_expression_spdx)[1]
-def spdx_package_to_discovered_package_data(spdx_package):
+def spdx_package_to_package_data(spdx_package):
+ """Convert the provided spdx_package into package_data."""
package_url_dict = {}
+ # Store the original "SPDXID" as package_uid for dependencies resolution.
+ package_uid = spdx_package.spdx_id
+
for ref in spdx_package.external_refs:
if ref.type == "purl":
purl = ref.locator
@@ -302,6 +326,7 @@ def spdx_package_to_discovered_package_data(spdx_package):
declared_expression = convert_spdx_expression(declared_license_expression_spdx)
package_data = {
+ "package_uid": package_uid,
"name": spdx_package.name,
"download_url": spdx_package.download_location,
"declared_license_expression": declared_expression,
@@ -324,8 +349,28 @@ def spdx_package_to_discovered_package_data(spdx_package):
}
-def resolve_spdx_packages(input_location):
- """Resolve the packages from the `input_location` SPDX document file."""
+def spdx_relationship_to_dependency_data(spdx_relationship):
+ """
+ Convert the provided spdx_relationship into dependency_data.
+
+ The returned dict holds the ``for_package_uid`` and ``resolve_to_package_uid``
+ values, taken from the SPDX ids of the relationship. Which id goes where
+ depends on ``spdx_relationship.is_dependency_relationship``.
+ The ``is_runtime``, ``is_resolved``, and ``is_direct`` flags are always set
+ to True.
+ """
+ # NOTE(review): no relationship type is filtered out here, every relationship
+ # is turned into dependency data. Confirm this is intended for relationship
+ # types that do not describe a dependency.
+ # spdx_id is a dependency of related_spdx_id
+ if spdx_relationship.is_dependency_relationship:
+ for_package_uid = spdx_relationship.related_spdx_id
+ resolve_to_package_uid = spdx_relationship.spdx_id
+ else: # spdx_id depends on related_spdx_id
+ for_package_uid = spdx_relationship.spdx_id
+ resolve_to_package_uid = spdx_relationship.related_spdx_id
+
+ dependency_data = {
+ "for_package_uid": for_package_uid,
+ "resolve_to_package_uid": resolve_to_package_uid,
+ "is_runtime": True,
+ "is_resolved": True,
+ "is_direct": True,
+ }
+ return dependency_data
+
+
+def get_spdx_document_from_file(input_location):
+ """Return the loaded SPDX document from the `input_location` file."""
input_path = Path(input_location)
spdx_document = json.loads(input_path.read_text())
@@ -334,12 +379,32 @@ def resolve_spdx_packages(input_location):
except Exception as e:
raise Exception(f'SPDX document "{input_path.name}" is not valid: {e}')
+ return spdx_document
+
+
+def resolve_spdx_packages(input_location):
+ """Resolve the packages from the `input_location` SPDX document file."""
+ spdx_document = get_spdx_document_from_file(input_location)
return [
- spdx_package_to_discovered_package_data(spdx.Package.from_data(spdx_package))
+ spdx_package_to_package_data(spdx.Package.from_data(spdx_package))
for spdx_package in spdx_document.get("packages", [])
]
+def resolve_spdx_dependencies(input_location):
+ """
+ Resolve the dependencies from the `input_location` SPDX document file.
+
+ Each entry of the document "relationships" list is loaded as a
+ ``spdx.Relationship`` and converted with
+ ``spdx_relationship_to_dependency_data``. An empty list is returned when the
+ document has no "relationships" entry.
+ """
+ # The document is loaded from the file by this call, independently of
+ # resolve_spdx_packages which loads it as well.
+ spdx_document = get_spdx_document_from_file(input_location)
+ spdx_relationships = [
+ spdx.Relationship.from_data(spdx_relationship)
+ for spdx_relationship in spdx_document.get("relationships", [])
+ ]
+
+ return [
+ spdx_relationship_to_dependency_data(spdx_relationship)
+ for spdx_relationship in spdx_relationships
+ ]
+
+
def get_default_package_type(input_location):
"""
Return the package type associated with the provided `input_location`.
diff --git a/scanpipe/pipes/spdx.py b/scanpipe/pipes/spdx.py
index 9cd2285e5..6ab474f99 100644
--- a/scanpipe/pipes/spdx.py
+++ b/scanpipe/pipes/spdx.py
@@ -520,6 +520,18 @@ def from_data(cls, data):
comment=data.get("comment"),
)
+ @property
+ def is_dependency_relationship(self):
+ """
+ Return True if this relationship type implies that the spdx_id element
+ is a dependency of related_spdx_id.
+
+ Return False only for the "reverse" types listed below, where the
+ spdx_id element is the one depending on related_spdx_id.
+ The relationship type is compared in a case-insensitive way.
+ """
+ reverse_dependency_types = ["ANCESTOR_OF", "CONTAINS", "DEPENDS_ON"]
+ # Every other type implies that the spdx_id element is a dependency of
+ # related_spdx_id, such as:
+ # "DEPENDENCY_OF", "DESCENDANT_OF", "PACKAGE_OF", "CONTAINED_BY", ...
+ # This is a deny-list: any type not listed above returns True.
+ return self.relationship.upper() not in reverse_dependency_types
+
@dataclass
class Document:
diff --git a/scanpipe/templates/scanpipe/tree/children.html b/scanpipe/templates/scanpipe/tree/children.html
new file mode 100644
index 000000000..ba513c745
--- /dev/null
+++ b/scanpipe/templates/scanpipe/tree/children.html
@@ -0,0 +1,19 @@
+
+ {% for node in children %}
+
+ {% if node.children %}
+
+
+ {% include 'scanpipe/tree/node.html' with node=node only %}
+
+ {% include 'scanpipe/tree/children.html' with children=node.children only %}
+
+ {% else %}
+ {% include 'scanpipe/tree/node.html' with node=node only %}
+ {% endif %}
+