Open prabhu opened 6 months ago
clearlydefined api doesn't seem to indicate support for purl.
Hi @prabhu
It is possible to convert a purl to the format accepted by ClearlyDefined. I just published a Python tool for filling the license information into CycloneDX BOMs.
For each type in purl, a provider has to be defined; for example, for "npm" packages I chose to use the "npmjs" source.
For example purl:
pkg:npm/lodash@4.17.21
Would be converted into:
npm/npmjs/-/lodash/4.17.21
Conversion snippet:
    import sys
    from packageurl import PackageURL  # packageurl-python

    def get_cd_uri(self, purl_str: str) -> str:
        """Convert a purl into ClearlyDefined coordinates: type/provider/namespace/name/version."""
        purl: dict = PackageURL.from_string(purl_str).to_dict()
        package_type: str = purl.get("type", "")
        # to_dict() yields None for absent fields; ClearlyDefined uses "-" for no namespace
        namespace: str = purl.get("namespace") or "-"
        name: str = purl.get("name") or ""
        version: str = purl.get("version") or ""
        # get_provider() (defined in the linked class) maps the purl type to a provider
        provider: str = self.get_provider(package_type)
        if not provider:
            print(f"Missing provider for type {package_type}", file=sys.stderr)
            return ""
        # a multi-part namespace stays one coordinate segment, so its '/' is encoded
        namespace = namespace.replace("/", "%2F")
        return f"{package_type}/{provider}/{namespace}/{name}/{version}"
Information source map:
    # purl type -> ClearlyDefined provider
    PROVIDERS: dict[str, str] = {
        "npm": "npmjs",
        "maven": "mavencentral",
        "git": "github",
        "nuget": "nuget",
        "pypi": "pypi",
        "gem": "rubygems",
        "pod": "cocoapods",
        "crate": "cratesio",
        "debsrc": "debian",
        "deb": "debian",
        "composer": "packagist",
        "go": "golang",
    }
Clearly Defined documentation: https://docs.clearlydefined.io/docs/get-involved/using-data#basics
Full python class performing conversion: https://github.com/kaptain-ops/lbom/blob/main/lbom/clearly_defined/ClearlyDefinedProviders.py
Repository link: https://github.com/kaptain-ops/lbom
I would really like it if this were implemented in cdxgen.
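A self-contained version of the same purl-to-coordinates conversion, added here as an example and not taken from lbom or cdxgen: it uses a minimal hand-written purl parser instead of packageurl-python (an assumption; qualifiers and subpath are dropped), reuses the provider map from this thread, and rejects decoded segments that would alter the API path, since the purl comes from untrusted SBOM input.

```python
import sys
from urllib.parse import unquote

# Provider map as posted in this thread (purl type -> ClearlyDefined provider).
PROVIDERS = {
    "npm": "npmjs", "maven": "mavencentral", "git": "github", "nuget": "nuget",
    "pypi": "pypi", "gem": "rubygems", "pod": "cocoapods", "crate": "cratesio",
    "debsrc": "debian", "deb": "debian", "composer": "packagist", "go": "golang",
}

def parse_purl(purl_str):
    """Minimal purl parser (assumed, not packageurl-python): keeps type, namespace,
    name and version; qualifiers and subpath are dropped."""
    s = purl_str.strip()
    if not s.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl_str!r}")
    s = s[4:].lstrip("/").split("#", 1)[0].split("?", 1)[0]
    ptype, sep, rest = s.partition("/")
    if not sep or not rest:
        raise ValueError(f"purl lacks a type or name: {purl_str!r}")
    head, at, tail = rest.rpartition("@")
    # A leading '@' (unencoded npm scope) belongs to the path, not to a version.
    path, version = (head, unquote(tail)) if at and head else (rest, None)
    segments = [unquote(seg) for seg in path.split("/") if seg]
    if not segments:
        raise ValueError(f"purl has no name: {purl_str!r}")
    return {"type": ptype.lower(), "namespace": "/".join(segments[:-1]) or None,
            "name": segments[-1], "version": version}

def purl_to_cd_coordinates(purl_str):
    """Return ClearlyDefined coordinates for a purl, or None when no provider is mapped."""
    purl = parse_purl(purl_str)
    provider = PROVIDERS.get(purl["type"])
    if provider is None:
        print(f"Missing provider for type {purl['type']}", file=sys.stderr)
        return None
    namespace = purl["namespace"] or "-"
    version = purl["version"] or ""
    # Decoded values come from untrusted SBOM input and become URL path segments of the
    # ClearlyDefined API call: refuse anything that would add, drop or traverse a segment.
    for seg in [*namespace.split("/"), purl["name"], version]:
        if seg in (".", "..") or any(c in seg for c in "/?#%"):
            raise ValueError(f"unsafe coordinate segment {seg!r} in {purl_str!r}")
    # ClearlyDefined keeps a multi-part namespace in one segment with '/' encoded as %2F.
    cd_namespace = namespace.replace("/", "%2F")
    return f"{purl['type']}/{provider}/{cd_namespace}/{purl['name']}/{version}"
```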
I am unable to access the privacy and terms page on the clearlydefined site. The whole server appears to be running an older version of scancode, so me thinks why not integrate with scancode directly instead!
https://api.clearlydefined.io/api-docs/