Add new endpoint to create or update a package set

[pombredanne]

I would like to have an API endpoint where I can post a list of PURLs (and package content type?) with an optional Package SET UUID.

• If the package set UUDI is provided, then the PURLs should be added to the set.
• Otherwise the set should be created

There may be some corner cases to consider like what if a package already exists in other stes.

[404-geek]

Hi @pombredanne can you assign me this issue ?

[404-geek]

Hi @pombredanne I was working on this issue.

I am having difficulty in understanding that you will post a list of purls ( with their metadata) something like the below json data or will the post data just contain purls and content type list and keeping everything else empty.

    [{
        "url": "http://127.0.0.1:8001/api/packages/0ff891de-0895-4f5c-ae1b-8a6082ce5f09/",
        "uuid": "0ff891de-0895-4f5c-ae1b-8a6082ce5f09",
        "filename": "yom-1.0-alpha-1.jar",
        "package_sets": [],
        "package_content": null,
        "purl": "pkg:maven/yom/[email protected]",
        "type": "maven",
        "namespace": "yom",
        "name": "yom",
        "version": "1.0-alpha-1",
        "qualifiers": "",
        "subpath": "",
        "primary_language": null,
        "description": null,
        "release_date": "2005-11-22T00:00:00Z",
        "parties": [],
        "keywords": [],
        "homepage_url": null,
        "download_url": "https://repo1.maven.org/maven2/yom/yom/1.0-alpha-1/yom-1.0-alpha-1.jar",
        "bug_tracking_url": null,
        "code_view_url": null,
        "vcs_url": null,
        "repository_homepage_url": null,
        "repository_download_url": null,
        "api_data_url": null,
        "size": 54649,
        "md5": null,
        "sha1": "948b3fd169634d69612ac7f7a5af231024f36234",
        "sha256": null,
        "sha512": null,
        "copyright": null,
        "holder": null,
        "declared_license_expression": null,
        "declared_license_expression_spdx": null,
        "license_detections": [],
        "other_license_expression": null,
        "other_license_expression_spdx": null,
        "other_license_detections": [],
        "extracted_license_statement": null,
        "notice_text": null,
        "source_packages": [],
        "extra_data": {},
        "package_uid": "pkg:maven/yom/[email protected]?uuid=0ff891de-0895-4f5c-ae1b-8a6082ce5f09",
        "datasource_id": null,
        "file_references": [],
        "dependencies": [],
        "resources": "http://127.0.0.1:8001/api/packages/0ff891de-0895-4f5c-ae1b-8a6082ce5f09/resources/"
    }]

[pombredanne]

@404-geek you need to get inputs from @JonoYang and @keshav-space ... but I suggest that you start first by explaining briefly your approach and a high design for the new API endpoint in a comment here.

[404-geek]

Hi @JonoYang @keshav-space

I was thinking of getting a new api endpoint inside purldb_project/urls.py something like this
api_router.register('update_packages', PackageUpdateSet, 'update_packages')

Along with that, I would be creating a PackageUpdateSet class that would be inheriting viewsets.ViewSet.

On the create function, I can create a business logic for taking an array of purls along with their UUID (optional).
Validate the request.data using a serializer class

I can just make a create query in the package table using the Package model if there is no UUID given in the post data. I would create a packageset entry initially and then keep the relation package_package_sets.

For my reference, I saw the function merge_or_create_package code in model_utils.py which I thought would be similar to the endpoint business logic.

Regarding the edge case :

I am still not clear on how to proceed.
As we cannot keep same purls in the package table, will it be fine to keep a relation of the same purl entry in 2 different sets if UUID is provided and the purl entry is already there in package table.

Also while scouring through code of model_utils.py I got a comment # Binary packages can only be part of one set.

Can you please tell me which packages would be binary packages.

This is what I thought I should implement for this endpoint logic. Let me know your thoughts on this or if I misunderstood something.

[pombredanne]

@404-geek this looks like a good high level plan... go for it!
It is always be much easier to review the code in a PR even if this is not yet working.
As for binaries being only in one set, that's likely something we do not and cannot enforce for now. This should not be in your way.

[404-geek]

Thanks @pombredanne for the go ahead.