Add a new "Package Set" tab to the Package details view #276

Signed-off-by: tdruez <tdruez@nexb.com>

Author: tdruez

CHANGELOG.rst

@@ -149,6 +149,10 @@ Release notes
   merged and kept for the data update.
   https://github.com/aboutcode-org/dejacode/issues/303
 
+- Add a new "Package Set" tab to the Package details view.
+  This tab displays related packages grouped by their normalized ("plain") Package URL.
+  https://github.com/aboutcode-org/dejacode/issues/276
+
 ### Version 5.2.1
 
 - Fix the models documentation navigation.

component_catalog/models.py

@@ -2616,17 +2616,12 @@ def update_from_purldb(self, user):
             for field_name in [*hash_field_names, *identifier_fields]:
                 package_data.pop(field_name, None)
 
-        # try:
         updated_fields = self.update_from_data(
             user,
             package_data,
             override=False,
             override_unknown=True,
         )
-        # except IntegrityError as e:
-        #     logger.error(f"[update_from_purldb] Skipping {self} due to IntegrityError: {e}")
-        #     return []
-
         return updated_fields
 
     def update_from_scan(self, user):
@@ -2643,6 +2638,32 @@ def update_from_scan(self, user):
             updated_fields = scancodeio.update_from_scan(package=self, user=user)
             return updated_fields
 
+    def get_related_packages_qs(self):
+        """
+        Return a QuerySet of packages that are considered part of the same
+        "Package Set".
+
+        A "Package Set" consists of all packages that share the same "plain"
+        Package URL (PURL), meaning they have identical values for the following PURL
+        components:
+        `type`, `namespace`, `name`, and `version`.
+        The `qualifiers` and `subpath` components  are ignored for this comparison.
+        """
+        plain_package_url = self.plain_package_url
+        if not plain_package_url:
+            return None
+
+        return (
+            self.__class__.objects.scope(self.dataspace)
+            .for_package_url(plain_package_url, exact_match=True)
+            .order_by(
+                *PACKAGE_URL_FIELDS,
+                "filename",
+                "download_url",
+            )
+            .distinct()
+        )
+
 
 class PackageAssignedLicense(DataspacedModel):
     package = models.ForeignKey(

component_catalog/templates/component_catalog/tabs/tab_package_set.html

@@ -0,0 +1,41 @@
+{% load i18n %}
+{% spaceless %}
+<table class="table table-bordered table-hover table-md text-break">
+  <thead>
+    <tr>
+      <th>{% trans 'Package URL' %}</th>
+      <th>{% trans 'Filename' %}</th>
+      <th>{% trans 'Download URL' %}</th>
+      <th>{% trans 'Concluded license' %}</th>
+    </tr>
+  </thead>
+  <tbody>
+    {% for package in values %}
+      <tr data-uuid="{{ package.uuid }}">
+        <td class="fw-bold">
+          {% if package.uuid == object.uuid %}
+            {{ package.package_url }}
+            <div>
+              <span class="badge bg-secondary">Current package</span>
+            </div>
+          {% else %}
+            <a href="{{ package.get_absolute_url }}" target="_blank">
+              {{ package.package_url }}
+            </a>
+          {% endif %}
+        </td>
+        <td>{{ package.filename|default_if_none:"" }}</td>
+        <td>
+          {% if package.download_url %}
+            <i class="fa-solid fa-download me-1"></i>
+            {{ package.download_url|urlize }}
+          {% endif %}
+        </td>
+        <td>
+          {{ package.license_expression_linked|default_if_none:"" }}
+        </td>
+      </tr>
+    {% endfor %}
+  </tbody>
+</table>
+{% endspaceless %}

component_catalog/tests/test_models.py

@@ -2693,6 +2693,20 @@ def test_package_model_update_from_purldb_duplicate_exception(self, mock_get_pur
         package_no_download_url.refresh_from_db()
         self.assertEqual(purldb_entry["description"], package_no_download_url.description)
 
+    def test_package_model_get_related_packages_qs(self):
+        package_url = "pkg:pypi/django@5.0"
+        package1 = make_package(self.dataspace, package_url=package_url)
+        related_packages_qs = package1.get_related_packages_qs()
+        self.assertQuerySetEqual(related_packages_qs, [package1])
+
+        package2 = make_package(
+            self.dataspace,
+            package_url=package_url,
+            filename="Django-5.0.tar.gz",
+        )
+        related_packages_qs = package1.get_related_packages_qs()
+        self.assertQuerySetEqual(related_packages_qs, [package1, package2])
+
     def test_package_model_vulnerability_queryset_mixin(self):
         package1 = make_package(self.dataspace, is_vulnerable=True)
         package2 = make_package(self.dataspace)

component_catalog/tests/test_views.py

@@ -39,6 +39,7 @@
 from component_catalog.models import ComponentType
 from component_catalog.models import Package
 from component_catalog.models import Subcomponent
+from component_catalog.tests import make_package
 from component_catalog.views import ComponentAddView
 from component_catalog.views import ComponentListView
 from component_catalog.views import PackageTabScanView
@@ -1239,8 +1240,21 @@ def test_package_list_multi_send_about_files_view(self):
         )
 
     def test_package_details_view_num_queries(self):
+        # Create a Package Set
+        package_url = "pkg:pypi/django@5.0"
+        self.package1.set_package_url(package_url)
+        self.package1.save()
+        license_expression = "{} AND {}".format(self.license1.key, self.license2.key)
+        make_package(self.dataspace, package_url=package_url, license_expression=license_expression)
+        make_package(
+            self.dataspace,
+            package_url=package_url,
+            license_expression=license_expression,
+            filename="Django-5.0.tar.gz",
+        )
+
         self.client.login(username=self.super_user.username, password="secret")
-        with self.assertNumQueries(28):
+        with self.assertNumQueries(30):
             self.client.get(self.package1.get_absolute_url())
 
     def test_package_details_view_content(self):
@@ -1332,6 +1346,25 @@ def test_package_details_view_aboutcode_tab(self):
         self.assertContains(response, "This tab renders a preview of the AboutCode files")
         self.assertContains(response, "about_resource: package1")
 
+    def test_package_details_view_tab_package_set(self):
+        self.client.login(username=self.super_user.username, password="secret")
+
+        package_url = "pkg:pypi/django@5.0"
+        package1 = make_package(self.dataspace, package_url=package_url)
+        details_url = package1.get_absolute_url()
+
+        expected = 'id="tab_package-set-tab"'
+        response = self.client.get(details_url)
+        self.assertNotContains(response, expected)
+
+        make_package(
+            self.dataspace,
+            package_url=package_url,
+            filename="Django-5.0.tar.gz",
+        )
+        response = self.client.get(details_url)
+        self.assertContains(response, expected)
+
     def test_package_list_view_add_to_product(self):
         user = create_user("user", self.dataspace)
         self.client.login(username=user.username, password="secret")

component_catalog/views.py

@@ -65,6 +65,7 @@
 from component_catalog.license_expression_dje import get_dataspace_licensing
 from component_catalog.license_expression_dje import get_formatted_expression
 from component_catalog.license_expression_dje import get_unique_license_keys
+from component_catalog.models import PACKAGE_URL_FIELDS
 from component_catalog.models import Component
 from component_catalog.models import Package
 from component_catalog.models import PackageAlreadyExistsWarning
@@ -1144,6 +1145,7 @@ class PackageDetailsView(
             ],
         },
         "product_usage": {},
+        "package_set": {},
         "activity": {},
         "external_references": {
             "fields": [
@@ -1297,6 +1299,24 @@ def tab_others(self):
 
         return {"fields": fields}
 
+    def tab_package_set(self):
+        related_packages_qs = self.object.get_related_packages_qs()
+        if related_packages_qs is None:
+            return
+
+        related_packages = related_packages_qs.only(
+            "uuid",
+            *PACKAGE_URL_FIELDS,
+            "filename",
+            "download_url",
+            "license_expression",
+            "dataspace__name",
+        ).prefetch_related("licenses")
+
+        template = "component_catalog/tabs/tab_package_set.html"
+        if len(related_packages) > 1:
+            return {"fields": [(None, related_packages, None, template)]}
+
     def tab_product_usage(self):
         user = self.request.user
         # Product data in Package views are not available to AnonymousUser for security reason

dje/tests/test_permissions.py

@@ -110,6 +110,7 @@ def test_permissions_get_all_tabsets(self):
                 "others",
                 "components",
                 "product_usage",
+                "package_set",
                 "activity",
                 "external_references",
                 "usage_policy",