Description
Describe the bug
It appears that importing an SBOM that contains a mix of npm and Maven packages only results in npm packages being scanned by ScanCode.io. It seems that DejaCode is unable to retrieve the download URL from the given PURL, perhaps due to missing purl2url implementation (package-url/packageurl-python#179), if no other means of translation to a download URL is available.
To Reproduce
- Ensure that the example package pkg:maven/commons-cli/[email protected] is not already listed in the packages
- Create a DejaCode product
- Import the SBOM with options "Update existing packages with discovered packages data" and "Scan all packages of this product post-import" enabled
mwe-dejacode-258.json
You should be able to see that the load_sbom pipeline runs successfully in ScanCode.io, but scan_single_package is not triggered.
Note: The SBOM is a manually shortened version, since I cannot share the original file
Expected behavior
All packages in the SBOM should be scanned for license information
Screenshots
n.a.
Context (OS, Browser, Device, etc.):
n.a.
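The report attributes the missing scans to DejaCode having no way to turn a Maven PURL into a download URL. The following is an added illustration of that translation step, written for this page and not taken from DejaCode, ScanCode.io or packageurl-python; it assumes the standard Maven Central and npm registry URL layouts (repo1.maven.org/maven2 and registry.npmjs.org), treats every artifact as a plain .jar (ignoring PURL qualifiers such as classifier or type), and uses constructed sample PURLs. A package whose PURL cannot be resolved is reported as skipped, which is the behaviour the report describes for the Maven entries.

```python
"""Toy PURL -> download URL resolver for the npm and Maven cases in the report."""
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Registry layouts assumed by this example (not DejaCode's configuration).
MAVEN_CENTRAL = "https://repo1.maven.org/maven2"
NPM_REGISTRY = "https://registry.npmjs.org"


def parse_purl(purl: str) -> Dict[str, Optional[str]]:
    """Split a PURL into type, namespace, name and version.

    Qualifiers (?...) and subpath (#...) are dropped because this example
    does not use them. Percent-encoded segments (e.g. %40scope) are decoded.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")
    rest = rest.split("#", 1)[0].split("?", 1)[0]
    ptype, _, remainder = rest.partition("/")
    if not remainder:
        raise ValueError(f"purl has no name: {purl!r}")
    # Only an '@' after the last '/' separates the version; an '@' earlier
    # in the path belongs to a raw npm scope such as @angular.
    last_slash = remainder.rfind("/")
    at = remainder.find("@", last_slash + 1)
    if at == -1:
        path, version = remainder, None
    else:
        path, version = remainder[:at], remainder[at + 1:]
    segments = [unquote(s) for s in path.split("/") if s]
    if not segments:
        raise ValueError(f"purl has no name: {purl!r}")
    return {
        "type": ptype.lower(),
        "namespace": "/".join(segments[:-1]) or None,
        "name": segments[-1],
        "version": unquote(version) if version else None,
    }


def download_url(purl: str) -> Optional[str]:
    """Return a download URL for npm and Maven PURLs, or None when unresolvable."""
    p = parse_purl(purl)
    if p["version"] is None:
        return None  # cannot pick an artifact without a version
    if p["type"] == "maven":
        if not p["namespace"]:
            return None  # Maven needs a groupId
        group_path = p["namespace"].replace(".", "/")
        return (f"{MAVEN_CENTRAL}/{group_path}/{p['name']}/{p['version']}/"
                f"{p['name']}-{p['version']}.jar")
    if p["type"] == "npm":
        full_name = f"{p['namespace']}/{p['name']}" if p["namespace"] else p["name"]
        return f"{NPM_REGISTRY}/{full_name}/-/{p['name']}-{p['version']}.tgz"
    return None  # no translation known for this package type


def plan_scans(purls: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Split SBOM PURLs into (purl -> URL to scan) and a list of skipped PURLs."""
    scannable: Dict[str, str] = {}
    skipped: List[str] = []
    for purl in purls:
        url = download_url(purl)
        if url is None:
            skipped.append(purl)
        else:
            scannable[purl] = url
    return scannable, skipped


# Constructed sample input standing in for a mixed npm/Maven SBOM.
SAMPLE_PURLS = [
    "pkg:npm/lodash@4.17.21",
    "pkg:npm/%40angular/core@12.0.0",
    "pkg:maven/org.apache.commons/commons-lang3@3.12.0",
    "pkg:maven/org.apache.commons/commons-lang3",  # no version: skipped
    "pkg:pypi/requests@2.31.0",                   # type not handled here
]

if __name__ == "__main__":
    ok, missing = plan_scans(SAMPLE_PURLS)
    for purl, url in ok.items():
        print(f"scan   {purl} -> {url}")
    for purl in missing:
        print(f"skip   {purl} (no download URL)")
```

Running this over the sample list shows three resolvable packages and two skipped ones; a resolver that returned None for every pkg:maven entry would produce exactly the symptom in the report, with only the npm packages reaching scan_single_package.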