aboutcode-org / scancode.io

ScanCode.io is a server to script and automate software composition analysis pipelines with ScanPipe pipelines. This project is sponsored by the NLnet project https://nlnet.nl/project/vulnerabilitydatabase/, Google Summer of Code, nexB and other generous sponsors!
https://scancodeio.readthedocs.io
Apache License 2.0

Issue with loading new project. #966

Open RajGuru878 opened 1 year ago

RajGuru878 commented 1 year ago

1. When we upload a new project, it is not moving forward. It is showing only the file upload window.

2. Unable to select the complete folder of our source code.
tdruez commented 1 year ago

@RajGuru878 We would need more context in order to reproduce the issues and provide any kind of help.

RajGuru878 commented 1 year ago

@tdruez please find the error screenshot. [Screenshot from 2023-10-10 14-43-17]

tdruez commented 1 year ago

@RajGuru878 Thanks! Have you followed the instructions at https://scancodeio.readthedocs.io/en/latest/installation.html#run-the-app ?

[Screenshot 2023-10-10 at 13 27 54]

What is the URL you are trying to reach, for example in that screenshot?

RajGuru878 commented 1 year ago

@tdruez Yeah, I followed and configured the same, and I am trying with my system IP.

tdruez commented 1 year ago

Have you added your system IP to ALLOWED_HOSTS and CSRF_TRUSTED_ORIGINS?
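
The two Django checks behind that question, as an added example (illustrative code, not ScanCode.io's or Django's own): a request is accepted only if its Host header matches ALLOWED_HOSTS, and a form POST only if its Origin header equals the request's own scheme://host or is listed in CSRF_TRUSTED_ORIGINS (scheme included). The functions below reimplement the logic of django.http.request.validate_host and the origin check in CsrfViewMiddleware so they run stand-alone; the .env values, the host/Origin pairs and the DEFAULT_ALLOWED_HOSTS list are constructed for illustration and should be confirmed against scancodeio/settings.py.

```python
"""Model of the two Django checks behind ALLOWED_HOSTS and CSRF_TRUSTED_ORIGINS.

Added illustration, not ScanCode.io or Django code: the logic mirrors
django.http.request.validate_host and the origin check in CsrfViewMiddleware
so that it runs stand-alone, with no Django install.
"""
from urllib.parse import urlsplit

# Assumed default: ScanCode.io's settings fall back to a list like this when
# ALLOWED_HOSTS is not set in .env (check scancodeio/settings.py for the exact value).
DEFAULT_ALLOWED_HOSTS = ".localhost,127.0.0.1,[::1],host.docker.internal"


def parse_env_list(value: str) -> list:
    """Split a comma-separated .env value the way django-environ's env.list() does."""
    return [item.strip() for item in value.split(",") if item.strip()]


def is_same_domain(host: str, pattern: str) -> bool:
    """Django's is_same_domain: a leading dot matches the domain itself and every subdomain."""
    if not pattern:
        return False
    host, pattern = host.lower(), pattern.lower()
    if pattern[0] == ".":
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def strip_port(host_header: str) -> str:
    """Drop a trailing :port; bracketed IPv6 literals such as [::1]:8001 keep their brackets."""
    if host_header.startswith("["):
        return host_header.split("]", 1)[0] + "]"
    return host_header.rsplit(":", 1)[0] if ":" in host_header else host_header


def validate_host(host_header: str, allowed_hosts: list) -> bool:
    """True when the Host header is accepted by ALLOWED_HOSTS.

    A False here is what Django turns into DisallowedHost (HTTP 400)."""
    host = strip_port(host_header)
    return any(p == "*" or is_same_domain(host, p) for p in allowed_hosts)


def origin_verified(origin: str, scheme: str, host_header: str, trusted_origins: list) -> bool:
    """True when an Origin header passes Django's CSRF origin check.

    Accepted if Origin equals the request's own scheme://host (port included),
    is listed verbatim in CSRF_TRUSTED_ORIGINS, or matches a "scheme://*.domain"
    wildcard entry. Anything else is the 403 "CSRF verification failed" page."""
    if origin == f"{scheme}://{host_header}":
        return True
    if origin in {entry for entry in trusted_origins if "*" not in entry}:
        return True
    parsed = urlsplit(origin)
    if not parsed.scheme or not parsed.netloc:  # an Origin without a scheme never matches
        return False
    for entry in trusted_origins:
        if "*" not in entry:
            continue
        wildcard = urlsplit(entry)
        # "https://*.example.com" becomes the pattern ".example.com" under scheme https
        if wildcard.scheme == parsed.scheme and is_same_domain(parsed.netloc, wildcard.netloc.lstrip("*")):
            return True
    return False


def check_request(env: dict, host_header: str, origin: str, scheme: str = "http") -> dict:
    """Evaluate one browser request against the .env-style settings in `env`."""
    allowed = parse_env_list(env.get("ALLOWED_HOSTS", DEFAULT_ALLOWED_HOSTS))
    trusted = parse_env_list(env.get("CSRF_TRUSTED_ORIGINS", ""))
    return {
        "host_ok": validate_host(host_header, allowed),
        "csrf_origin_ok": origin_verified(origin, scheme, host_header, trusted),
    }


if __name__ == "__main__":
    # Constructed scenario: the browser opens http://192.168.1.10 and submits the
    # "new project" form, while the app behind the proxy sees Host 192.168.1.10:8001.
    request = ("192.168.1.10:8001", "http://192.168.1.10")
    print("defaults only:     ", check_request({}, *request))
    print("ALLOWED_HOSTS only:", check_request({"ALLOWED_HOSTS": ".localhost,127.0.0.1,192.168.1.10"}, *request))
    print("both settings:     ", check_request({
        "ALLOWED_HOSTS": ".localhost,127.0.0.1,192.168.1.10",
        "CSRF_TRUSTED_ORIGINS": "http://192.168.1.10",
    }, *request))
```

Two practical points follow from the model: the entry in CSRF_TRUSTED_ORIGINS must carry the scheme (`http://192.168.1.10`, not `192.168.1.10`), and the app must be restarted after the .env change for Django to read the new values. Resist the shortcut of `ALLOWED_HOSTS=*` on anything reachable beyond your own machine; the host check exists to stop Host header spoofing.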

RajGuru878 commented 1 year ago

@tdruez Added, and previously it was scanning, but now it is giving that error. [Screenshot from 2023-10-10 15-04-23]

tdruez commented 1 year ago

@RajGuru878 Have you tried to use http://127.0.0.1 or http://localhost in place of your local ip?

tdruez commented 1 year ago

previously it was scanning but now it is giving that error

Any changes since it was working? Did you update the code or something on the server?

RajGuru878 commented 1 year ago

@tdruez, with localhost it is working fine. But it has not scanned any package details and their versions. [Screenshot from 2023-10-10 15-20-42]

tdruez commented 1 year ago

while in localhost, it is working fine. But it is not scanned any package details and their version.

@RajGuru878 OK, but let's not mix up unrelated issues. I'm assuming your CSRF issue is now fixed.

Now, it seems that you are expecting some data from the scan_package. Is the normcap file input an archive?

RajGuru878 commented 1 year ago

@tdruez, when I load with localhost on the same system where I hosted it, it's working. When I try to load it from my system (host) IP number, it's giving a CSRF error. I used the link from GitHub for normcap.

tdruez commented 1 year ago

I used link from github for normcap.

@RajGuru878 Providing the actual link would help to reproduce the problem.

RajGuru878 commented 1 year ago

@tdruez this is the link I used to scan packages, i.e. https://github.com/dynobo/normcap.git

tdruez commented 1 year ago

@RajGuru878 scan_package works on archives. From the documentation:

Scan a single package archive with ScanCode-toolkit.

The URL you are providing is a git repo, not an archive.

Use one of the release links and it should work fine, for example: https://github.com/dynobo/normcap/archive/refs/tags/v0.5.0-beta1.zip

RajGuru878 commented 1 year ago

@tdruez It is scanned, but it is not showing its package details and their versions. [Screenshot from 2023-10-11 09-44-47]

tdruez commented 1 year ago

@pombredanne any input on this detection?

RajGuru878 commented 1 year ago

Hello @tdruez, can anybody please help me with this? Whenever I am trying to scan packages, I am unable to get proper details from the packages and dependencies section. It is only scanning resources. Not able to fetch dependencies and packages. Please help me to get those packages and dependencies, or please guide me on how I can scan those.

In the example below I scanned the Jitsi source code. Here it is only scanning resources, not any packages and dependencies. For the Jitsi code I used this link: https://github.com/jitsi/jitsi-meet [Screenshot from 2023-10-31 09-51-02]

pombredanne commented 1 year ago

@RajGuru878 there is no "package" metadata that I can see inside the archive at https://github.com/jitsi/docker-jitsi-meet/archive/refs/tags/stable-8960-1.zip ... and it does not contain Jitsi source code proper, just container image build scripts.

Jitsi source code proper would be something such as at https://github.com/jitsi/jitsi-meet/archive/refs/tags/stable/jitsi-meet_8960.tar.gz Or you could be scanning the docker image(s) of Jitsi with a project with a docker pipeline using an input URL such as docker://jitsi/jibri:unstable-2023-10-27

Beyond this, here are a few directions for the case of this standalone repo, because I think we can do better and still report some packages:

  1. We could treat Dockerfiles/Containerfiles as package data. See https://github.com/nexB/scancode-toolkit/issues/3561 but these would not be full top level packages IMHO.

  2. We should create a top level package when using ScanCode.io with a "scan_package" pipeline and maybe other pipelines.

For 2. we could infer a PURL from the download URL, and otherwise create a generic PURL.
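
The input distinctions made in this thread (scan_package wants a package archive, a docker:// reference belongs to the docker pipeline, a git repository URL is neither) and the suggestion above to infer a PURL from the download URL with a generic PURL as fallback, worked through as an added example. This is illustrative code, not ScanCode.io's implementation: the pipeline names are taken from the thread, and the classification rules, the GitHub archive URL pattern, the docker reference parsing and the sample URLs are assumptions made for the example.

```python
"""Classify a ScanCode.io input URL and infer a Package URL (PURL) from it.

Added illustration, not ScanCode.io code. The PURL inference is a sketch of
the "infer a PURL from the download URL, otherwise generic" idea from the
thread; the rules below are assumptions, not the project's behaviour.
"""
import posixpath
import re
from typing import Optional
from urllib.parse import quote, urlsplit

ARCHIVE_SUFFIXES = (".zip", ".tar.gz", ".tgz", ".tar.bz2", ".tar.xz", ".whl", ".jar", ".gem")

# GitHub source archive URLs: /<owner>/<repo>/archive/refs/(tags|heads)/<ref>.(zip|tar.gz)
# <ref> may itself contain slashes, e.g. refs/tags/stable/jitsi-meet_8960.tar.gz
GITHUB_ARCHIVE = re.compile(
    r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/archive/refs/(?:tags|heads)/(?P<ref>.+?)(?:\.zip|\.tar\.gz)$"
)


def classify_input(url: str) -> str:
    """Return one of: docker_image, archive, git_repo, unknown."""
    if url.startswith("docker://"):
        return "docker_image"
    parsed = urlsplit(url)
    path = parsed.path.rstrip("/")
    if path.endswith(".git"):
        return "git_repo"
    if path.lower().endswith(ARCHIVE_SUFFIXES):
        return "archive"
    # A bare https://github.com/<owner>/<repo> page is a repository, not a downloadable archive
    if parsed.netloc in {"github.com", "gitlab.com"} and len(path.strip("/").split("/")) == 2:
        return "git_repo"
    return "unknown"


def suggest_pipeline(url: str) -> tuple:
    """Map an input kind to the pipeline a practitioner would pick (assumed mapping)."""
    kind = classify_input(url)
    if kind == "archive":
        return "scan_package", "package archive: scan_package can look for package manifests inside it"
    if kind == "docker_image":
        return "analyze_docker_image", "container image reference: use the docker pipeline"
    if kind == "git_repo":
        return None, "git repository URL, not an archive: give scan_package a release archive instead"
    return None, "unrecognised input: fetch it yourself and upload the file"


def infer_purl(url: str) -> Optional[str]:
    """Derive a PURL from a download URL: pkg:github for GitHub archives, pkg:docker for
    docker:// references, pkg:generic with a download_url qualifier for other archives."""
    kind = classify_input(url)
    if kind == "docker_image":
        ref = url[len("docker://"):]
        ref, _, digest = ref.partition("@")  # image@sha256:... pins a digest
        if ":" in ref.rsplit("/", 1)[-1]:    # a colon in the last segment separates the tag
            name_path, _, tag = ref.rpartition(":")
        else:
            name_path, tag = ref, ""
        version = digest or tag
        # ":" is left unencoded in the version, matching the purl spec's docker examples
        return f"pkg:docker/{name_path}" + (f"@{quote(version, safe=':')}" if version else "")
    parsed = urlsplit(url)
    if kind == "archive" and parsed.netloc == "github.com":
        match = GITHUB_ARCHIVE.match(parsed.path)
        if match:
            # PURL versions are percent-encoded, so a "/" inside a tag becomes %2F
            return f"pkg:github/{match['owner']}/{match['repo']}@{quote(match['ref'], safe='')}"
    if kind == "archive":
        name = posixpath.basename(parsed.path)
        for suffix in ARCHIVE_SUFFIXES:
            if name.lower().endswith(suffix):
                name = name[: -len(suffix)]
                break
        return f"pkg:generic/{quote(name, safe='')}?download_url={quote(url, safe='')}"
    return None  # a git repository URL identifies no single package version


if __name__ == "__main__":
    # Constructed sample inputs, taken from the URL forms discussed in the thread
    for sample in (
        "https://github.com/dynobo/normcap.git",
        "https://github.com/dynobo/normcap/archive/refs/tags/v0.5.0-beta1.zip",
        "https://github.com/jitsi/jitsi-meet/archive/refs/tags/stable/jitsi-meet_8960.tar.gz",
        "docker://jitsi/jibri:unstable-2023-10-27",
    ):
        print(sample, "->", suggest_pipeline(sample)[0], infer_purl(sample))
```

The GitHub-archive and docker branches are the cases where the URL alone carries enough to name the package; for an arbitrary archive the generic PURL only records where the bytes came from, which is still more than scan_package reports today when it finds no manifest.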