Fix package checksum reporting

Package checksums were being wrongly ignored in package instance
data update from detected package data, this commit fixes that.

Signed-off-by: Ayan Sinha Mahapatra <ayansmahapatra@gmail.com>

Author: AyanSinhaMahapatra

src/formattedcode/output_cyclonedx.py

@@ -268,7 +268,7 @@ def from_package(cls, package):
             properties.append(
                 CycloneDxProperty(
                     name='WARNING',
-                    value=f'WARNING: component skipped in CycloneDX output: {self!r}'
+                    value=f'WARNING: component skipped in CycloneDX output: {package!r}'
                 )
             )
 

src/packagedcode/models.py

@@ -853,7 +853,7 @@ def populate_instance_from_package_data(self, package_data_by_path, uuid):
                 logger.debug('Merging package manifest data for: {}'.format(path))
                 logger.debug('package manifest data: {}'.format(repr(package_data)))
             self.package_data_paths.append(path)
-            self.merge_package_data_into_instance(package_data.copy())
+            self.update(package_data.copy())
 
         self.package_data_paths = tuple(self.package_data_paths)
 
@@ -939,12 +939,12 @@ def get_file_patterns(self, manifests):
 
         return manifest_file_patterns
 
-    def merge_package_data_into_instance(self, package_data, replace=False):
+    def update(self, package_data, replace=False):
         """
-        Merge the `package_data` ScannedPackage object into the `package_instance`
-        Package model object.
+        Update the PackageInstance object with data from the `package_data`
+        object.
         When an `package_instance` field has no value one side and and the
-        package_data field has a value, the package_instance field is always
+        `package_data` field has a value, the `package_instance` field is always
         set to this value.
         If `replace` is True and a field has a value on both sides, then
         package_instance field value will be replaced by the package_data
@@ -954,7 +954,7 @@ def merge_package_data_into_instance(self, package_data, replace=False):
         existing_mapping = self.get_package_data()
 
         # Remove PackageData specific attributes
-        for attribute in ('md5', 'sha1', 'sha256', 'sha512', 'root_path'):
+        for attribute in ['root_path']:
             package_data.pop(attribute, None)
             existing_mapping.pop(attribute, None)
 

tests/formattedcode/data/cyclonedx/expected.json

@@ -15,7 +15,12 @@
       "author": "Isaac Z. Schlueter",
       "description": "a package manager for JavaScript",
       "purl": "pkg:npm/npm@2.13.5",
-      "hashes": [],
+      "hashes": [
+        {
+          "alg": "SHA-1",
+          "content": "a124386bce4a90506f28ad4b1d1a804a17baaf32"
+        }
+      ],
       "licenses": [
         {
           "expression": "Artistic-2.0"

tests/formattedcode/data/cyclonedx/expected.xml

@@ -17,6 +17,9 @@
       <author>Isaac Z. Schlueter</author>
       <scope>required</scope>
       <purl>pkg:npm/npm@2.13.5</purl>
+      <hashes>
+        <hash alg="SHA-1">a124386bce4a90506f28ad4b1d1a804a17baaf32</hash>
+      </hashes>
       <licenses>
         <expression>Artistic-2.0</expression>
       </licenses>

tests/licensedcode/data/plugin_licenses_reference/scan.expected.json

@@ -49,7 +49,7 @@
       "homepage_url": "https://docs.npmjs.com/",
       "download_url": "https://registry.npmjs.org/npm/-/npm-2.13.5.tgz",
       "size": null,
-      "sha1": null,
+      "sha1": "a124386bce4a90506f28ad4b1d1a804a17baaf32",
       "md5": null,
       "sha256": null,
       "sha512": null,

tests/packagedcode/data/instance/python-manifests-atomicwrites-scanned-result.json

@@ -31,7 +31,7 @@
   "size": null,
   "sha1": null,
   "md5": null,
-  "sha256": null,
+  "sha256": "6e45251662433bf51f96fb3d2204b65416fece329d60e6235c0f0edc416cfe24",
   "sha512": null,
   "bug_tracking_url": null,
   "code_view_url": null,

tests/packagedcode/data/plugin/python-package-expected.json

@@ -14,7 +14,7 @@
       "message": null,
       "errors": [],
       "extra_data": {
-        "spdx_license_list_version": "3.14",
+        "spdx_license_list_version": "3.16",
         "files_count": 8
       }
     }
@@ -328,7 +328,7 @@
       "size": null,
       "sha1": null,
       "md5": null,
-      "sha256": null,
+      "sha256": "6e45251662433bf51f96fb3d2204b65416fece329d60e6235c0f0edc416cfe24",
       "sha512": null,
       "bug_tracking_url": null,
       "code_view_url": null,

tests/packagedcode/test_package_instance.py

@@ -43,7 +43,7 @@ def test_package_data_merge_generic(self, regen=False):
 
         pk_instance = PythonPackageInstance()
         for manifest in manifests:
-            pk_instance.merge_package_data_into_instance(manifest)
+            pk_instance.update(manifest)
 
         self.check_package(pk_instance, expected_file, regen)
 
@@ -56,6 +56,6 @@ def test_package_data_merge_with_dependencies(self, regen=False):
 
         pk_instance = PythonPackageInstance()
         for manifest in manifests:
-            pk_instance.merge_package_data_into_instance(manifest)
+            pk_instance.update(manifest)
 
         self.check_package(pk_instance, expected_file, regen)

tests/summarycode/data/full_summary/summary.expected.json

@@ -16,7 +16,7 @@
       "message": null,
       "errors": [],
       "extra_data": {
-        "spdx_license_list_version": "3.15",
+        "spdx_license_list_version": "3.16",
         "files_count": 26
       }
     }
@@ -3069,7 +3069,7 @@
       "homepage_url": "https://docs.npmjs.com/",
       "download_url": "https://registry.npmjs.org/npm/-/npm-2.13.5.tgz",
       "size": null,
-      "sha1": null,
+      "sha1": "a124386bce4a90506f28ad4b1d1a804a17baaf32",
       "md5": null,
       "sha256": null,
       "sha512": null,

tests/summarycode/data/full_summary/summary_by_facet.expected.json

@@ -27,7 +27,7 @@
       "message": null,
       "errors": [],
       "extra_data": {
-        "spdx_license_list_version": "3.15",
+        "spdx_license_list_version": "3.16",
         "files_count": 26
       }
     }
@@ -3080,7 +3080,7 @@
       "homepage_url": "https://docs.npmjs.com/",
       "download_url": "https://registry.npmjs.org/npm/-/npm-2.13.5.tgz",
       "size": null,
-      "sha1": null,
+      "sha1": "a124386bce4a90506f28ad4b1d1a804a17baaf32",
       "md5": null,
       "sha256": null,
       "sha512": null,