bug: SP-1715 Fixes Parsing of Dependency Field in Policy Checks

Author: agustingroh

CHANGELOG.md

@@ -9,6 +9,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Upcoming changes...
 
+## [1.17.2] - 2024-10-29
+### Fixed
+- Fixed parsing of dependencies in Policy Checks
+
 ## [1.17.1] - 2024-10-24
 ### Fixed
 - Fixed policy summary output
@@ -369,3 +373,4 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [1.16.0]: https://github.com/scanoss/scanoss.py/compare/v1.15.0...v1.16.0
 [1.17.0]: https://github.com/scanoss/scanoss.py/compare/v1.16.0...v1.17.0
 [1.17.1]: https://github.com/scanoss/scanoss.py/compare/v1.17.0...v1.17.1
+[1.17.2]: https://github.com/scanoss/scanoss.py/compare/v1.17.1...v1.17.2

src/scanoss/__init__.py

@@ -22,4 +22,4 @@
    THE SOFTWARE.
 """
 
-__version__ = "1.17.1"
+__version__ = "1.17.2"

src/scanoss/inspection/policy_check.py

@@ -133,7 +133,8 @@ def _markdown(self, components: list) -> Dict[str, Any]:
         """
         pass
 
-    def _append_component(self,components: Dict[str, Any], new_component: Dict[str, Any]) -> Dict[str, Any]:
+    def _append_component(self,components: Dict[str, Any], new_component: Dict[str, Any],
+                           id: str, status: str) -> Dict[str, Any]:
         """
         Append a new component to the component's dictionary.
 
@@ -143,15 +144,25 @@ def _append_component(self,components: Dict[str, Any], new_component: Dict[str,
 
         :param components: The existing dictionary of components
         :param new_component: The new component to be added or updated
+        :param id: The new component ID
+        :param status: The new component status
         :return: The updated components dictionary
         """
-        component_key = f"{new_component['purl'][0]}@{new_component['version']}"
+
+        # Determine the component key and purl based on component type
+        if id in [ComponentID.FILE.value, ComponentID.SNIPPET.value]:
+            purl = new_component['purl'][0]  # Take first purl for these component types
+        else:
+            purl = new_component['purl']
+
+        component_key = f"{purl}@{new_component['version']}"
         components[component_key] = {
-            'purl': new_component['purl'][0],
-            'version': new_component['version'],
-            'licenses': {},
-            'status': new_component['status'],
+                'purl': purl,
+                'version': new_component['version'],
+                'licenses': {},
+                'status': status,
         }
+
         if not new_component.get('licenses'):
             self.print_stderr(f'WARNING: Results missing licenses. Skipping.')
             return components
@@ -187,6 +198,10 @@ def _get_components_from_results(self,results: Dict[str, Any]) -> list or None:
                 if not component_id:
                     self.print_stderr(f'WARNING: Result missing id. Skipping.')
                     continue
+                status = c.get('status')
+                if not component_id:
+                    self.print_stderr(f'WARNING: Result missing status. Skipping.')
+                    continue
                 if component_id in [ComponentID.FILE.value, ComponentID.SNIPPET.value]:
                     if not c.get('purl'):
                         self.print_stderr(f'WARNING: Result missing purl. Skipping.')
@@ -200,9 +215,10 @@ def _get_components_from_results(self,results: Dict[str, Any]) -> list or None:
                     component_key = f"{c['purl'][0]}@{c['version']}"
                     # Initialize or update the component entry
                     if component_key not in components:
-                        components = self._append_component(components, c)
+                        components = self._append_component(components, c, component_id, status)
+
                 if c['id'] == ComponentID.DEPENDENCY.value:
-                    if c.get('dependency') is None:
+                    if c.get('dependencies') is None:
                         continue
                     for d in c['dependencies']:
                         if not d.get('purl'):
@@ -214,9 +230,9 @@ def _get_components_from_results(self,results: Dict[str, Any]) -> list or None:
                         if not d.get('version'):
                             self.print_stderr(f'WARNING: Result missing version. Skipping.')
                             continue
-                        component_key = f"{d['purl'][0]}@{d['version']}"
+                        component_key = f"{d['purl']}@{d['version']}"
                         if component_key not in components:
-                            components = self._append_component(components, d)
+                            components = self._append_component(components, d, component_id, status)
                     # End of dependencies loop
                 # End if
             # End of component loop

tests/data/result.json

@@ -415,5 +415,39 @@
       "vendor": "scanoss",
       "version": "4.0.4"
     }
-  ]
+  ],
+   "example_codebase/dependencies/package.json": [
+    {
+      "dependencies": [
+        {
+          "component": "@electron/rebuild",
+          "licenses": [
+            {
+              "is_spdx_approved": true,
+              "name": "MIT",
+              "spdx_id": "MIT"
+            }
+          ],
+          "purl": "pkg:npm/%40electron/rebuild",
+          "url": "https://www.npmjs.com/package/%40electron/rebuild",
+          "version": "3.7.0"
+        },
+        {
+          "component": "@emotion/react",
+          "licenses": [
+            {
+              "is_spdx_approved": true,
+              "name": "MIT",
+              "spdx_id": "MIT"
+            }
+          ],
+          "purl": "pkg:npm/%40emotion/react",
+          "url": "https://www.npmjs.com/package/%40emotion/react",
+          "version": "11.13.3"
+        }
+      ],
+      "id": "dependency",
+      "status": "pending"
+    }
+   ]
 }

tests/policy-inspect-test.py

@@ -110,7 +110,7 @@ def test_copyleft_policy_explicit(self):
         copyleft = Copyleft(filepath=input_file_name, format_type='json', explicit='MIT')
         status, results = copyleft.run()
         details = json.loads(results['details'])
-        self.assertEqual(len(details['components']), 1)
+        self.assertEqual(len(details['components']), 3)
         self.assertEqual(status,0)
 
     """
@@ -138,8 +138,10 @@ def test_copyleft_policy_markdown(self):
         status, results = copyleft.run()
         expected_detail_output = ('### Copyleft licenses \n  | Component | Version | License | URL | Copyleft |\n'
                                   ' | - | :-: | - | - | :-: |\n'
-                                  ' | pkg:github/scanoss/engine | 4.0.4 | MIT | https://spdx.org/licenses/MIT.html | YES | ')
-        expected_summary_output = '1 component(s) with copyleft licenses were found.\n'
+                                  '| pkg:github/scanoss/engine | 4.0.4 | MIT | https://spdx.org/licenses/MIT.html | YES | \n'
+                                  ' | pkg:npm/%40electron/rebuild | 3.7.0 | MIT | https://spdx.org/licenses/MIT.html | YES |\n'
+                                  '| pkg:npm/%40emotion/react | 11.13.3 | MIT | https://spdx.org/licenses/MIT.html | YES | \n')
+        expected_summary_output = '3 component(s) with copyleft licenses were found.\n'
         self.assertEqual(re.sub(r'\s|\\(?!`)|\\(?=`)', '', results['details']),
                          re.sub(r'\s|\\(?!`)|\\(?=`)', '', expected_detail_output))
         self.assertEqual(results['summary'], expected_summary_output)
@@ -167,7 +169,7 @@ def test_undeclared_policy(self):
         status, results = undeclared.run()
         details = json.loads(results['details'])
         summary = results['summary']
-        expected_summary_output = """3 undeclared component(s) were found.
+        expected_summary_output = """5 undeclared component(s) were found.
         Add the following snippet into your `sbom.json` file 
         ```json 
         [
@@ -176,10 +178,16 @@ def test_undeclared_policy(self):
           },
           {
             "purl": "pkg:github/scanoss/wfp"
+          },
+          {
+            "purl": "pkg:npm/%40electron/rebuild"
+          },
+          {
+            "purl": "pkg:npm/%40emotion/react"
           }
         ]```
         """
-        self.assertEqual(len(details['components']), 3)
+        self.assertEqual(len(details['components']), 5)
         self.assertEqual(re.sub(r'\s|\\(?!`)|\\(?=`)', '', summary), re.sub(r'\s|\\(?!`)|\\(?=`)',
                                                                             '', expected_summary_output))
         self.assertEqual(status, 0)
@@ -200,18 +208,26 @@ def test_undeclared_policy_markdown(self):
              | - | - | - | 
              | pkg:github/scanoss/scanner.c | 1.3.3 | BSD-2-Clause - GPL-2.0-only | 
              | pkg:github/scanoss/scanner.c | 1.1.4 | GPL-2.0-only | 
-             | pkg:github/scanoss/wfp | 6afc1f6 | Zlib - GPL-2.0-only | """
+             | pkg:github/scanoss/wfp | 6afc1f6 | Zlib - GPL-2.0-only | 
+             | pkg:npm/%40electron/rebuild | 3.7.0 | MIT | 
+             | pkg:npm/%40emotion/react | 11.13.3 | MIT | """
 
-        expected_summary_output = """3 undeclared component(s) were found.
+        expected_summary_output = """5 undeclared component(s) were found.
            Add the following snippet into your `sbom.json` file 
            ```json 
            [
              {
-               "purl": "pkg:github/scanoss/scanner.c"
-             },
-             {
-               "purl": "pkg:github/scanoss/wfp"
-             }
+                "purl": "pkg:github/scanoss/scanner.c"
+              },
+              {
+                "purl": "pkg:github/scanoss/wfp"
+              },
+              {
+                "purl": "pkg:npm/%40electron/rebuild"
+              },
+              {
+                "purl": "pkg:npm/%40emotion/react"
+              }
            ]```
            """
         self.assertEqual(status, 0)