Open ghsa-retrieval opened 4 months ago
Hi @ghsa-retrieval! The automatic package update from scan results is already implemented in DejaCode.
Could you confirm that you enabled the "Update packages automatically from scan" option on your Dataspace?
When true (checked), enables an automatic DejaCode process to update selected Package fields (such as license expression, primary language, copyright, etc.) when a package scan is completed, depending on the quality of the scan results.
Note that only empty fields are updated during this process. For example, if a license is already defined for a package, it will not be overridden by the scan results.
Now, if you already enabled the feature at the Dataspace level and the automatic updates are not applied, that's a bug and we can look into it. First, can you access the ScanCode.io UI of the instance linked to your DejaCode application? Click on any "Success" green button on the Project list view and confirm that the post-scan webhook is properly submitted and received. This should look like:
A webhook is sent to DejaCode once the Scan completes as a call back to let DejaCode know that Scan results are available for the automatic update. Let's confirm first that this communication between the 2 apps operates properly.
@tdruez Thank you for the quick reply. "Update packages automatically from scan" is enabled, but I will double check my test cases just to be sure and report back.
It seems that there is an error with the webhooks. Checking on project scans that ran successfully in ScanCode.io shows the following error:
No connection adapters were found for '/products/import_packages_from_scancodeio/IjJjNzA2MGZiLWUxMzAtNDVlZS1hMWRjLWRiMjUyNDNlZDk0ZiI:1sOYrv:2aigIZ7zdZiEBzEF1ORQ6f_JlU3Q4fhSR9Iuyj0eFI8/'
I've also tested this on the public demo instance and there it works properly, so this seems like a configuration issue on the local instance. Could this be network related? What connections from where to where are needed for the webhooks to work?
@ghsa-retrieval Looking at the "Target URL" value, it looks like it's missing the domain.
You need to define the SITE_URL entry in your DejaCode settings. https://dejacode.readthedocs.io/en/latest/application-settings.html#site-url
To be fair, this is not properly documented and I will update the documentation regarding the need for SITE_URL in the context of the ScanCode.io integration at https://dejacode.readthedocs.io/en/latest/dataspace.html#enable-package-scanning-with-your-scancode-io-server
Now, simply set the following in your .env (using the URL you are using to access the DejaCode app).
For example:
SITE_URL=http://127.0.0.1:8000/
or:
SITE_URL=http://host.docker.internal/
You can then restart DejaCode and try again; further scans should submit the proper webhook URL for the callback that triggers the automatic data update.
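The failure reported above ("No connection adapters were found for '/products/...'") is what the HTTP client raises when the webhook target is a bare path with no scheme or host, which is what you get when SITE_URL is unset. The following is an added illustration, not DejaCode's or ScanCode.io's own code: it builds the callback URL from a SITE_URL value the way an operator would expect, and checks that the result is an absolute http(s) URL before it is handed to a webhook. The callback path and the token segment are constructed placeholders, not values from this thread.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample callback path for this example; the token segment is a placeholder,
# not a real DejaCode token.
WEBHOOK_PATH = "/products/import_packages_from_scancodeio/EXAMPLE_TOKEN_PLACEHOLDER/"


def build_webhook_target_url(site_url, path=WEBHOOK_PATH):
    """Combine a DejaCode SITE_URL with the callback path.

    When site_url is missing or empty, the result is the bare path. That is the
    shape of the target URL reported in this thread, and an HTTP client such as
    `requests` rejects it because no scheme selects a connection adapter.
    """
    base = (site_url or "").strip()
    if not base:
        return path
    if not base.endswith("/"):
        base += "/"
    # urljoin keeps the host from SITE_URL and appends the relative callback path.
    return urljoin(base, path.lstrip("/"))


def check_webhook_target_url(url):
    """Return (ok, reason) for a webhook target.

    A target must carry an http or https scheme and a host, otherwise the scan
    completes but the callback can never reach DejaCode.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"missing or unsupported scheme in {url!r}; set SITE_URL"
    if not parts.netloc:
        return False, f"missing host in {url!r}; set SITE_URL"
    return True, "ok"


if __name__ == "__main__":
    # Constructed SITE_URL values; the first mirrors the unset case from the thread.
    for site_url in (None, "http://127.0.0.1:8000/", "http://host.docker.internal"):
        target = build_webhook_target_url(site_url)
        ok, reason = check_webhook_target_url(target)
        print(f"SITE_URL={site_url!r:<32} target={target} -> {reason}")
```

Note that a syntactically valid target is necessary but not sufficient: the host in SITE_URL must also be one that the ScanCode.io server (not your browser) can resolve and reach, which matters when the two applications run on separate machines or in separate containers.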
@tdruez Thank you for your help! Setting the SITE_URL unfortunately did not fully resolve it. It looks like ScanCode's webhook runs without errors now, but DejaCode still does not assign the license. Do you have any ideas what else might be wrong? Should the status be on {"message": "Received, packages import started."} or does that indicate something is stuck on DejaCode's side?
Edit: I've checked and the IP matches the one I'm accessing DejaCode under in my browser. This is a setup where DejaCode and ScanCode.io run on separate servers.
Is your enhancement request related to a problem? Please describe. The SBOM import allows triggering a scan of all contained packages. If a valid URL can be determined for the respective packages, it will be scanned to find key license files. However, it will not automatically assign the findings as the actual license of the package. It would be great if there was an option for the SBOM import to automatically assign the scan results.
What are the benefits of the requested enhancement? Instead of having to manually assign the scan results' license for every single package of a product, the user can check the assignment and scan results for errors. This speeds up the process under the assumption that most scan results will produce accurate license identification and there are far fewer cases that need manual correction.
Describe the solution you would like. A checkbox in the SBOM import that controls whether or not the declared license identified by the scan results will be applied to the package automatically. The option should also be included in the API.
Additional notes