Add support for mining cpan packageURLs

AyanSinhaMahapatra · AyanSinhaMahapatra · commit 8783ec56452c · 2025-10-01T02:11:20.000+05:30
Reference: #685 Signed-off-by: Ayan Sinha Mahapatra <ayansmahapatra@gmail.com>
diff --git a/minecode_pipelines/miners/cpan.py b/minecode_pipelines/miners/cpan.py
@@ -0,0 +1,121 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# purldb is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/purldb for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+import gzip
+import requests
+
+from bs4 import BeautifulSoup
+
+
+from packageurl import PackageURL
+
+from minecode_pipelines.utils import get_temp_file
+from minecode_pipelines.pipes import write_data_to_json_file
+
+"""
+Visitors for cpan and cpan-like perl package repositories.
+"""
+
+
+CPAN_REPO = "https://www.cpan.org/"
+CPAN_TYPE = "cpan"
+
+
+def get_cpan_packages(cpan_repo, logger=None):
+    cpan_packages_url = CPAN_REPO + "modules/02packages.details.txt.gz"
+    local_filename = "cpan_packages.gz"
+
+    response = requests.get(cpan_packages_url, stream=True)
+    if not response.ok:
+        return
+
+    with open(local_filename, "wb") as f:
+        for chunk in response.iter_content(chunk_size=8192):
+            f.write(chunk)
+
+    with gzip.open("cpan_packages.gz", "rb") as f_in:
+        with open("cpan_packages.txt", "wb") as f_out:
+            f_out.writelines(f_in)
+
+    with open("cpan_packages.txt", encoding="utf-8") as file:
+        packages_content = file.read()
+
+    package_path_by_name = {}
+
+    modules = packages_content.split("\n")[9:-1]
+    for module in modules:
+        info = [section for section in module.split(" ") if section]
+        package_path = info[-1]
+        path_segments = package_path.split("/")
+        filename = path_segments.pop()
+        path_prefix = "/".join(path_segments)
+
+        name_version = filename.replace(".tar.gz", "").split("-")
+        _version = name_version.pop()
+        name = "-".join(name_version)
+
+        package_path_by_name[name] = path_prefix
+
+    return package_path_by_name
+
+
+def write_packages_json(packages, name):
+    temp_file = get_temp_file(name)
+    write_data_to_json_file(path=temp_file, data=packages)
+    return temp_file
+
+
+def get_cpan_packageurls(name, path_prefix):
+    packageurls = []
+
+    # file extensions found in cpan index
+    ignorable_extensions = [".meta", ".readme", ".tar.gz"]
+
+    cpan_authors_path = "/authors/id/"
+    cpan_authors_url = CPAN_REPO + cpan_authors_path
+
+    cpan_author_page_url = cpan_authors_url + path_prefix
+
+    response = requests.get(cpan_author_page_url)
+    if not response.ok:
+        return packageurls
+
+    soup = BeautifulSoup(response.text, "html.parser")
+    package_list_elements = soup.find("ul").text.split("\n")
+
+    package_elements = [
+        element.replace(" ", "")
+        for element in package_list_elements
+        if element and element not in {" Parent Directory", " CHECKSUMS"}
+    ]
+
+    versions = []
+    for package_file in package_elements:
+        for extension in ignorable_extensions:
+            if extension in package_file:
+                package_file = package_file.replace(extension, "")
+
+        name_version = package_file.split("-")
+        version = name_version.pop()
+        package_name = "-".join(name_version)
+        if package_name != name:
+            continue
+
+        versions.append(version)
+
+    unique_versions = list(set(versions))
+    for version in unique_versions:
+        purl = PackageURL(
+            type=CPAN_TYPE,
+            name=name,
+            version=version,
+        )
+        packageurls.append(purl.to_string())
+
+    return packageurls
diff --git a/minecode_pipelines/pipelines/mine_cpan.py b/minecode_pipelines/pipelines/mine_cpan.py
@@ -0,0 +1,64 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# http://nexb.com and https://github.com/aboutcode-org/scancode.io
+# The ScanCode.io software is licensed under the Apache License version 2.0.
+# Data generated with ScanCode.io is provided as-is without warranties.
+# ScanCode is a trademark of nexB Inc.
+#
+# You may not use this software except in compliance with the License.
+# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+# Data Generated with ScanCode.io is provided on an "AS IS" BASIS, WITHOUT WARRANTIES
+# OR CONDITIONS OF ANY KIND, either express or implied. No content created from
+# ScanCode.io should be considered or used as legal advice. Consult an Attorney
+# for any legal advice.
+#
+# ScanCode.io is a free software code scanning tool from nexB Inc. and others.
+# Visit https://github.com/aboutcode-org/scancode.io for support and download.
+
+from scanpipe.pipelines import Pipeline
+from scanpipe.pipes import federatedcode
+
+from minecode_pipelines import pipes
+from minecode_pipelines.pipes import cpan
+
+
+class MineCpan(Pipeline):
+    """
+    Mine all packageURLs from a cpan index and publish them to
+    a FederatedCode repo.
+    """
+
+    @classmethod
+    def steps(cls):
+        return (
+            cls.check_federatedcode_eligibility,
+            cls.mine_cpan_packages,
+            cls.mine_and_publish_cpan_packageurls,
+            cls.delete_cloned_repos,
+        )
+
+    def check_federatedcode_eligibility(self):
+        """
+        Check if the project fulfills the following criteria for
+        pushing the project result to FederatedCode.
+        """
+        federatedcode.check_federatedcode_configured_and_available(logger=self.log)
+
+    def mine_cpan_packages(self):
+        """Mine cpan package names from cpan indexes or checkpoint."""
+        self.cpan_packages = cpan.mine_cpan_packages(logger=self.log)
+
+    def mine_and_publish_cpan_packageurls(self):
+        """Get cpan packageURLs for all mined cpan package names."""
+        self.repos = cpan.mine_and_publish_cpan_packageurls(
+            packages_file=self.cpan_packages,
+            logger=self.log,
+        )
+
+    def delete_cloned_repos(self):
+        pipes.delete_cloned_repos(repos=self.repos, logger=self.log)
diff --git a/minecode_pipelines/pipes/cpan.py b/minecode_pipelines/pipes/cpan.py
@@ -0,0 +1,142 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# http://nexb.com and https://github.com/aboutcode-org/scancode.io
+# The ScanCode.io software is licensed under the Apache License version 2.0.
+# Data generated with ScanCode.io is provided as-is without warranties.
+# ScanCode is a trademark of nexB Inc.
+#
+# You may not use this software except in compliance with the License.
+# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+# Data Generated with ScanCode.io is provided on an "AS IS" BASIS, WITHOUT WARRANTIES
+# OR CONDITIONS OF ANY KIND, either express or implied. No content created from
+# ScanCode.io should be considered or used as legal advice. Consult an Attorney
+# for any legal advice.
+#
+# ScanCode.io is a free software code scanning tool from nexB Inc. and others.
+# Visit https://github.com/aboutcode-org/scancode.io for support and download.
+
+from minecode_pipelines import VERSION
+from minecode_pipelines.pipes import write_packageurls_to_file
+
+from minecode_pipelines.miners.cpan import get_cpan_packages
+from minecode_pipelines.miners.cpan import get_cpan_packageurls
+from minecode_pipelines.miners.cpan import CPAN_REPO
+
+from minecode_pipelines.miners.cpan import CPAN_TYPE
+from minecode_pipelines.utils import grouper
+
+from aboutcode.hashid import get_package_base_dir
+from packageurl import PackageURL
+from scanpipe.pipes.federatedcode import clone_repository
+
+from scanpipe.pipes.federatedcode import commit_changes
+from scanpipe.pipes.federatedcode import push_changes
+
+
+# If True, show full details on fetching packageURL for
+# a package name present in the index
+LOG_PACKAGEURL_DETAILS = False
+
+PACKAGE_BATCH_SIZE = 500
+
+
+# We are testing and storing mined packageURLs in one single repo per ecosystem for now
+MINECODE_DATA_CPAN_REPO = "https://github.com/aboutcode-data/minecode-data-cpan-test"
+
+
+def mine_cpan_packages(logger=None):
+    if logger:
+        logger("Getting packages from cpan index")
+
+    package_path_by_name = get_cpan_packages(cpan_repo=CPAN_REPO, logger=logger)
+
+    if logger:
+        packages_count = len(package_path_by_name.keys())
+        logger(f"Mined {packages_count} packages from cpan index")
+
+    return package_path_by_name
+
+
+def mine_and_publish_cpan_packageurls(package_path_by_name, logger=None):
+    if not package_path_by_name:
+        return
+
+    # clone repo
+    cloned_data_repo = clone_repository(repo_url=MINECODE_DATA_CPAN_REPO)
+    if logger:
+        logger(f"{MINECODE_DATA_CPAN_REPO} repo cloned at: {cloned_data_repo.working_dir}")
+
+    for package_batch in grouper(n=PACKAGE_BATCH_SIZE, iterable=package_path_by_name.keys()):
+        packages_mined = []
+        purls = []
+        purl_files = []
+
+        if logger and LOG_PACKAGEURL_DETAILS:
+            logger("Starting package mining for a batch of packages")
+
+        for package_name in package_batch:
+            if not package_name:
+                continue
+
+            # fetch packageURLs for package
+            if logger and LOG_PACKAGEURL_DETAILS:
+                logger(f"getting packageURLs for package: {package_name}")
+
+            path_prefix = package_path_by_name.get(package_name)
+            if not path_prefix:
+                continue
+
+            packageurls = get_cpan_packageurls(name=package_name, path_prefix=path_prefix)
+            if not packageurls:
+                if logger and LOG_PACKAGEURL_DETAILS:
+                    logger(f"Package versions not present for package: {package_name}")
+
+                # We don't want to try fetching versions for these again
+                packages_mined.append(package_name)
+                continue
+
+            # get repo and path for package
+            base_purl = PackageURL(type=CPAN_TYPE, name=package_name).to_string()
+            package_base_dir = get_package_base_dir(purl=base_purl)
+
+            if logger and LOG_PACKAGEURL_DETAILS:
+                logger(f"writing packageURLs for package: {base_purl} at: {package_base_dir}")
+                purls_string = " ".join(packageurls)
+                logger(f"packageURLs: {purls_string}")
+
+            # write packageURLs to file
+            purl_file = write_packageurls_to_file(
+                repo=cloned_data_repo,
+                base_dir=package_base_dir,
+                packageurls=packageurls,
+            )
+            purl_files.append(purl_file)
+            purls.append(base_purl)
+
+            packages_mined.append(package_name)
+
+        if logger:
+            purls_string = " ".join(purls)
+            logger("Committing and pushing changes for a batch of packages: ")
+            logger(f"{purls_string}")
+
+        # commit changes
+        commit_changes(
+            repo=cloned_data_repo,
+            files_to_commit=purl_files,
+            purls=purls,
+            mine_type="packageURL",
+            tool_name="pkg:cpan/minecode-pipelines",
+            tool_version=VERSION,
+        )
+
+        # Push changes to remote repository
+        push_changes(repo=cloned_data_repo)
+
+    repos_to_clean = [cloned_data_repo]
+    return repos_to_clean
diff --git a/pyproject-minecode_pipelines.toml b/pyproject-minecode_pipelines.toml
@@ -42,7 +42,8 @@ dependencies = [
     "scancodeio >= 35.3.0",
     "ftputil >= 5.1.0",
     "jawa >= 2.2.0",
-    "arrow >= 1.3.0"
+    "arrow >= 1.3.0",
+    "beautifulsoup4 >= 4.14.2"
 ]
 
 urls = { Homepage = "https://github.com/aboutcode-org/purldb" }
@@ -54,6 +55,7 @@ mine_cargo = "minecode_pipelines.pipelines.mine_cargo:MineCargo"
 mine_debian = "minecode_pipelines.pipelines.mine_debian:MineDebian"
 mine_alpine = "minecode_pipelines.pipelines.mine_alpine:MineAlpine"
 mine_conan = "minecode_pipelines.pipelines.mine_conan:MineConan"
+mine_cpan = "minecode_pipelines.pipelines.mine_cpan:MineCpan"
 
 [tool.bumpversion]
 current_version = "0.0.1b13"
