Fix the unique_together_lookups in import_package #295 (#298)

Signed-off-by: tdruez <tdruez@nexb.com>

Author: tdruez

CHANGELOG.rst

@@ -128,6 +128,11 @@ Release notes
 - Add the ability to download Product "Imports" input file.
   https://github.com/aboutcode-org/dejacode/issues/156
 
+- Fix a logic issue in the ImportPackageFromScanCodeIO.import_package that occurs when
+  multiple packages with the same PURL, but different download_url or filename,
+  are present in the Dataspace.
+  https://github.com/aboutcode-org/dejacode/issues/295
+
 ### Version 5.2.1
 
 - Fix the models documentation navigation.

product_portfolio/importers.py

@@ -10,7 +10,6 @@
 from collections import defaultdict
 
 from django import forms
-from django.core.exceptions import MultipleObjectsReturned
 from django.core.exceptions import ValidationError
 from django.core.validators import EMPTY_VALUES
 from django.db import IntegrityError
@@ -694,16 +693,14 @@ def import_package(self, package_data):
         package_data.pop("affected_by_vulnerabilities", None)
 
         unique_together_lookups = {
-            field: value
-            for field in self.unique_together_fields
-            if (value := package_data.get(field))
+            field: package_data.get(field, "") for field in self.unique_together_fields
         }
 
         # Check if the Package already exists in the local Dataspace
         try:
             package = Package.objects.scope(self.user.dataspace).get(**unique_together_lookups)
             self.existing["package"].append(str(package))
-        except (ObjectDoesNotExist, MultipleObjectsReturned):
+        except ObjectDoesNotExist:
             package = None
 
         # Check if the Package already exists in the reference Dataspace

product_portfolio/tests/test_importers.py

@@ -19,6 +19,7 @@
 
 from component_catalog.models import Component
 from component_catalog.models import Package
+from component_catalog.tests import make_package
 from dje.models import Dataspace
 from dje.tests import create_admin
 from dje.tests import create_superuser
@@ -1055,3 +1056,67 @@ def test_product_portfolio_import_packages_from_scancodeio_importer(
             )
             importer.save()
             mock_fetch.assert_called()
+
+    @mock.patch("dejacode_toolkit.scancodeio.ScanCodeIO.fetch_project_dependencies")
+    @mock.patch("dejacode_toolkit.scancodeio.ScanCodeIO.fetch_project_packages")
+    def test_product_portfolio_import_packages_from_scio_importer_multiple_package_objs(
+        self, mock_fetch_packages, mock_fetch_dependencies
+    ):
+        purl = "pkg:maven/org.apache.activemq/activemq-camel@5.11.0"
+        filename = "activemq-camel.zip"
+
+        package_data = {
+            "type": "maven",
+            "namespace": "org.apache.activemq",
+            "name": "activemq-camel",
+            "version": "5.11.0",
+            "primary_language": "Java",
+            "purl": purl,
+            "declared_license_expression": "bsd-new",
+        }
+        mock_fetch_packages.return_value = [package_data]
+        mock_fetch_dependencies.return_value = []
+
+        package1 = make_package(self.dataspace, package_url=purl)
+        package2 = make_package(self.dataspace, package_url=purl, filename=filename)
+
+        importer = ImportPackageFromScanCodeIO(
+            user=self.super_user,
+            project_uuid=uuid.uuid4(),
+            product=self.product1,
+        )
+        created, existing, errors = importer.save()
+        self.assertEqual({}, created)
+        self.assertEqual(purl, existing["package"][0])
+        self.assertEqual({}, errors)
+        # The package without the filename or download_url is used
+        self.assertEqual(package1, self.product1.packages.get())
+
+        self.product1.productpackages.all().delete()
+        package_data["filename"] = filename
+        importer = ImportPackageFromScanCodeIO(
+            user=self.super_user,
+            project_uuid=uuid.uuid4(),
+            product=self.product1,
+        )
+        created, existing, errors = importer.save()
+        self.assertEqual({}, created)
+        self.assertEqual(purl, existing["package"][0])
+        self.assertEqual({}, errors)
+        # The package with the filename is used
+        self.assertEqual(package2, self.product1.packages.get())
+
+        self.product1.productpackages.all().delete()
+        package_data["filename"] = "DO_NOT_EXISTS"
+        importer = ImportPackageFromScanCodeIO(
+            user=self.super_user,
+            project_uuid=uuid.uuid4(),
+            product=self.product1,
+        )
+        created, existing, errors = importer.save()
+        # New package is created.
+        self.assertEqual(
+            {"package": ["pkg:maven/org.apache.activemq/activemq-camel@5.11.0"]}, created
+        )
+        self.assertEqual({}, existing)
+        self.assertEqual({}, errors)