Description
Is your enhancement request related to a problem? Please describe.
Currently, DejaCode attempts to convert the PURL to a URL in order to submit a scan to ScanCode.io. Since PURLs do not contain any indication where the package is actually stored, this will not work for when the packages are stored in an internal artifact registry service (like Nexus, JFrog Artifactory, or similar). Additionally, attempting to download packages directly from the package registries could trigger rate limits or some organization may block direct downloads for security reasons, so that the use of an artifact proxy registry may be required (essentially, instead of requesting a package from e.g., npm, one would direct the request at the proxy registry on the internal artifact server, which would then request it from npm and the package data would be cached for subsequent requests by the artifact registry service)
What are the benefits of the requested enhancement?
If the target registry could be configured, then downloads from an internal artifact registry would be possible. This would help with analyzing internal packages that are not published to the public registry of the respective package manager and also support usage in security restricted environments.
Describe the solution you would like
This suggested approach would be a tiered configuration, global, per product, and per package, where for each supported package manager one can set the target registry, which would override the default purl2url behavior. Furthermore the configuration for the global configuration would be overridden by the product configuration and the product configuration overridden by the package configuration.
Additional notes
This feature should be compatible with SBOM imports followed by automatic scans (applying the global or product settings, or if package already exists, the package specific one)