Description
Describe the bug
A go package for which an entry of the same PURL exists in PurlDB is not properly mapped. This can be seen by the disabled PurlDB tab on the package.
Interestingly the "Improve Packages from PurlDB" does work, as it extends the properties of the package, yet afterwards it still has the disabled PurlDB tab.
One thing that may be relevant is that the PurlDB entry does not appear to contain hashes, at least none that are being displayed in DejaCode's UI. The package does not contain a download URL before using "Improve Packages from PurlDB".
To Reproduce
Steps to reproduce the behavior:
- Create a product
- Import an SBOM with the go packages (disable "Infer missing download URLs")
- In ScanCode.io run the load_sbom pipeline followed by populate_purldb on a modified version with the dependency tree (needed due to bug workaround)
  - Note: PurlDB must have GitHub token in GH_TOKEN env var, otherwise it cannot retrieve the needed information
- Check the inventory in DejaCode, package should be mostly empty, but contain the PURL and inferred URL
- Check that the PurlDB tab is deactivated
- Run "Improve Packages from PurlDB" for the product
- Notice information being copied, though matching in tab still does not work
Expected behavior
Given that the PURLs match, there is no other entry in PurlDB the package could be confused with, and no data (as far as I can tell) that would be in conflict with the data in PurlDB, I would have expected the mapping to work. Additionally, the needed data seems to be there, otherwise "Improve Packages from PurlDB" would not work either.
If I don't misremember, both use cases should rely on get_purldb_entries, which should match based on PURL if no hashes or download URL are found.
Screenshots
Context (OS, Browser, Device, etc.):
- Firefox
- DejaCode 5.6.0