Create DiscoveredDependency model #411

    * Create functions to process dependencies from scans
    * Modify DiscoveredPackages so we can relate DiscoveredDependencies to it

Signed-off-by: Jono Yang <jyang@nexb.com>

Author: JonoYang

scanpipe/migrations/0016_remove_discoveredpackage_dependencies_and_more.py

@@ -0,0 +1,45 @@
+# Generated by Django 4.0.4 on 2022-05-06 19:23
+
+from django.db import migrations, models
+import django.db.models.deletion
+import scanpipe.models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('scanpipe', '0015_alter_codebaseresource_project_and_more'),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name='discoveredpackage',
+            name='dependencies',
+        ),
+        migrations.CreateModel(
+            name='DiscoveredDependency',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('purl', models.CharField(help_text='The Package URL of this dependency.', max_length=256)),
+                ('extracted_requirement', models.CharField(help_text='The version requirements of this dependency.', max_length=32)),
+                ('scope', models.CharField(help_text='The scope of this dependency, how it is used in a project.', max_length=32)),
+                ('is_runtime', models.BooleanField(default=False)),
+                ('is_optional', models.BooleanField(default=False)),
+                ('is_resolved', models.BooleanField(default=False)),
+                ('dependency_uid', models.CharField(help_text='The unique identifier of this dependency.', max_length=256)),
+                ('for_package_uid', models.CharField(help_text='The unique identifier of the package this dependency is for.', max_length=256)),
+                ('datafile_path', models.CharField(blank=True, help_text='The relative path to the datafile where this dependency was detected from.', max_length=1024)),
+                ('datasource_id', models.CharField(help_text='The identifier for the datafile handler used to obtain this dependency.', max_length=64)),
+                ('project', models.ForeignKey(editable=False, on_delete=django.db.models.deletion.CASCADE, related_name='%(class)ss', to='scanpipe.project')),
+            ],
+            options={
+                'abstract': False,
+            },
+            bases=(models.Model, scanpipe.models.SaveProjectErrorMixin),
+        ),
+        migrations.AddField(
+            model_name='discoveredpackage',
+            name='dependencies',
+            field=models.ManyToManyField(related_name='for_packages', to='scanpipe.discovereddependency'),
+        ),
+    ]

scanpipe/models.py

@@ -1721,10 +1721,8 @@ class DiscoveredPackage(
     )
     missing_resources = models.JSONField(default=list, blank=True)
     modified_resources = models.JSONField(default=list, blank=True)
-    dependencies = models.JSONField(
-        default=list,
-        blank=True,
-        help_text=_("A list of dependencies for this package."),
+    dependencies = models.ManyToManyField(
+        "DiscoveredDependency", related_name="for_packages"
     )
 
     # `AbstractPackage` model overrides:
@@ -1832,6 +1830,103 @@ def update_from_data(self, package_data):
         return updated_fields
 
 
+class DiscoveredDependency(
+    ProjectRelatedModel,
+    SaveProjectErrorMixin,
+):
+    """
+    A project's Discovered Dependencies are records of the dependencies used by
+    system and application packages discovered in the code under analysis.
+    """
+    purl = models.CharField(
+        max_length=256,
+        help_text=_(
+            "The Package URL of this dependency."
+        ),
+    )
+    extracted_requirement = models.CharField(
+        max_length=32,
+        help_text=_(
+            "The version requirements of this dependency."
+        ),
+    )
+    scope = models.CharField(
+        max_length=32,
+        help_text=_(
+            "The scope of this dependency, how it is used in a project."
+        ),
+    )
+
+    is_runtime = models.BooleanField(default=False)
+    is_optional = models.BooleanField(default=False)
+    is_resolved = models.BooleanField(default=False)
+
+    dependency_uid = models.CharField(
+        max_length=256,
+        help_text=_(
+            "The unique identifier of this dependency."
+        ),
+    )
+    for_package_uid = models.CharField(
+        max_length=256,
+        help_text=_(
+            "The unique identifier of the package this dependency is for."
+        ),
+    )
+    datafile_path = models.CharField(
+        max_length=1024,
+        blank=True,
+        help_text=_(
+            "The relative path to the datafile where this dependency was detected from."
+        ),
+    )
+    datasource_id = models.CharField(
+        max_length=64,
+        help_text=_(
+            "The identifier for the datafile handler used to obtain this dependency."
+        )
+    )
+
+    @classmethod
+    def create_from_data(cls, project, dependency_data):
+        """
+        Creates and returns a DiscoveredPackage for a `project` from the `dependency_data`.
+        """
+        if "resolved_package" in dependency_data:
+            dependency_data.pop("resolved_package")
+        discovered_dependency = cls(project=project, **dependency_data)
+        discovered_dependency.save()
+        return discovered_dependency
+
+    def update_from_data(self, dependency_data):
+        """
+        Update this discovered dependency instance with the provided `dependency_data`.
+        The `save()` is called only if at least one field was modified.
+        """
+        model_fields = DiscoveredPackage.model_fields()
+        updated_fields = []
+
+        for field_name, value in dependency_data.items():
+            skip_reasons = [
+                not value,
+                field_name not in model_fields,
+            ]
+            if any(skip_reasons):
+                continue
+
+            current_value = getattr(self, field_name, None)
+            if not current_value:
+                setattr(self, field_name, value)
+                updated_fields.append(field_name)
+            elif current_value != value:
+                pass  # TODO: handle this case
+
+        if updated_fields:
+            self.save()
+
+        return updated_fields
+
+
 class WebhookSubscription(UUIDPKModel, ProjectRelatedModel):
     target_url = models.URLField(_("Target URL"), max_length=1024)
     sent = models.BooleanField(default=False)

scanpipe/pipes/__init__.py

@@ -32,6 +32,7 @@
 from packageurl import normalize_qualifiers
 
 from scanpipe.models import CodebaseResource
+from scanpipe.models import DiscoveredDependency
 from scanpipe.models import DiscoveredPackage
 from scanpipe.pipes import scancode
 
@@ -69,6 +70,28 @@ def make_codebase_resource(project, location, rootfs_path=None):
     codebase_resource.save(save_error=False)
 
 
+def update_or_create_dependency(project, dependency_data):
+    """
+    Gets, updates, or creates a DiscoveredDependency then returns it.
+    Uses the `project` and `dependency_data` mapping to lookup and creates
+    the DiscoveredDependency.
+    """
+    if "resolved_package" in dependency_data:
+        dependency_data.pop("resolved_package")
+
+    try:
+        dependency = DiscoveredDependency.objects.get(project=project, **dependency_data)
+    except DiscoveredDependency.DoesNotExist:
+        dependency = None
+
+    if dependency:
+        dependency.update_from_data(dependency_data)
+    else:
+        dependency = DiscoveredDependency.create_from_data(project, dependency_data)
+
+    return dependency
+
+
 def update_or_create_package(project, package_data, codebase_resource=None):
     """
     Gets, updates or creates a DiscoveredPackage then returns it.
@@ -98,6 +121,11 @@ def update_or_create_package(project, package_data, codebase_resource=None):
         package_uids.append(package_uid)
         package.update_extra_data({"package_uids": package_uids})
 
+        # Associate all dependencies to this package
+        dependencies = DiscoveredDependency.objects.filter(project=project, for_package_uid=package_uid)
+        for dependency in dependencies:
+            package.dependencies.add(dependency)
+
     return package
 
 

scanpipe/pipes/scancode.py

@@ -404,6 +404,10 @@ def create_discovered_packages(project, scanned_codebase):
     Saves the packages of a ScanCode `scanned_codebase` scancode.resource.Codebase
     object to the database as a DiscoveredPackage of `project`.
     """
+    if hasattr(scanned_codebase.attributes, "dependencies"):
+        for dependency_data in scanned_codebase.attributes.dependencies:
+            pipes.update_or_create_dependency(project, dependency_data)
+
     if hasattr(scanned_codebase.attributes, "packages"):
         for package_data in scanned_codebase.attributes.packages:
             pipes.update_or_create_package(project, package_data)