Enhancement request: Auto-assign scan result #139
Comments
Hi @ghsa-retrieval! The automatic package update from scan results is already implemented in DejaCode. Could you confirm that you enabled the "Update packages automatically from scan" option on your Dataspace?
Note that only empty fields are updated during this process. For example, if a license is already defined for a package, it will not be overridden by the scan results. Now, if you already enabled the feature at the Dataspace level and the automatic updates are not applied, that's a bug and we can look into it. A webhook is sent to DejaCode once the Scan completes as a call back to let DejaCode know that Scan results are available for the automatic update. Let's confirm first that this communication between the 2 apps operates properly.
@tdruez Thank you for the quick reply. "Update packages automatically from scan" is enabled, but I will double check my test cases just to be sure and report back.
@ghsa-retrieval Looking at the "Target URL" value, it looks like it's missing the domain. You need to define the Now, simply set the following in your .env (using the URL you are using to access the DejaCode app). For example:
or:
You can then restart DejaCode and try again; further Scans should submit the proper webhook URL for the callback that triggers the automatic data update.
@tdruez Thank you for your help! Setting the Edit: I've checked and the IP matches the one I'm accessing DejaCode under in my browser. This is a setup where DejaCode and ScanCode.io run on separate servers.
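An added check for the point raised in the two comments above (my own example, not code from the DejaCode project or from either participant): the webhook "Target URL" that ScanCode.io calls back to must carry a scheme and a host, and when ScanCode.io runs on a separate server a loopback host will never reach DejaCode. The thread does not show the name of the .env setting or the webhook path, so both are placeholders here, and the .env content is constructed for the demonstration.

```python
from urllib.parse import urlparse

# Placeholder for the DejaCode .env setting that holds the site URL; the
# thread does not show its name, so substitute the real key from the docs.
SITE_URL_KEY = "SITE_URL_SETTING_PLACEHOLDER"

# Constructed .env content for the demonstration (not from the issue).
SAMPLE_ENV = """
# DejaCode settings (constructed sample)
SECRET_KEY_PLACEHOLDER=not-a-real-key
SITE_URL_SETTING_PLACEHOLDER="https://dejacode.example.com"
"""


def read_env_value(env_text, key):
    """Return the value of `key` from dotenv-style text, or None if absent."""
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        if name.strip() == key:
            return value.strip().strip('"').strip("'")
    return None


def check_webhook_target(url):
    """Return the problems that would stop ScanCode.io from reaching the callback."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        problems.append("missing or unsupported scheme (expected http or https)")
    if not parsed.netloc:
        # This is the symptom in the thread: a path-only Target URL with no domain.
        problems.append("missing host: the callback has no domain to reach")
    elif parsed.hostname in ("localhost", "127.0.0.1", "::1"):
        # Reachable from DejaCode's own box only, not from a separate ScanCode.io server.
        problems.append("loopback host: unreachable from a separate ScanCode.io server")
    return problems


def webhook_target_from_env(env_text, webhook_path="/webhook-path-placeholder/"):
    """Join the configured site URL with the webhook path (a placeholder here)
    the way a callback URL is formed, then validate it.
    Returns (target_url, problems)."""
    site_url = read_env_value(env_text, SITE_URL_KEY) or ""
    target = site_url.rstrip("/") + webhook_path
    return target, check_webhook_target(target)


if __name__ == "__main__":
    for env_text in (SAMPLE_ENV, ""):
        target, problems = webhook_target_from_env(env_text)
        print(target, "->", problems or "ok")
```

Running the block with an empty .env reproduces the path-only target from the thread (two problems reported), while the constructed .env with a full site URL passes; the loopback branch covers the separate-servers layout mentioned in the last comment.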
Is your enhancement request related to a problem? Please describe.
The SBOM import allows triggering a scan of all contained packages. If a valid URL can be determined for the respective packages, it will be scanned to find key license files. However, it will not automatically assign the findings as the actual license of the package. It would be great if there was an option for the SBOM import to automatically assign the scan results.
What are the benefits of the requested enhancement?
Instead of having to manually assign the scan results' license for every single package of a product, the user can check the assignment and scan results for errors. This speeds up the process under the assumption that most scan results will produce accurate license identification and there are far fewer cases that need manual correction.
Describe the solution you would like
A checkbox in the SBOM import that controls whether or not the declared license identified by the scan results will be applied to the package automatically. The option should also be included in the API.
Additional notes