From a693e5fe9cd5824e5b29ffe95743c2c7bc58ea69 Mon Sep 17 00:00:00 2001
From: Keshav Priyadarshi <git@keshav.space>
Date: Mon, 7 Oct 2024 23:48:24 +0530
Subject: [PATCH 01/16] Add pipeline to publish scan to federatedcode

- Addon pipeline to push package scan to federatedcode

Signed-off-by: Keshav Priyadarshi <git@keshav.space>
---
 scancodeio/settings.py                        |   7 +
 .../pipelines/publish_to_federatedcode.py     |  97 ++++++++++++++
 scanpipe/pipes/federatedcode.py               | 123 ++++++++++++++++++
 setup.cfg                                     |   3 +
 4 files changed, 230 insertions(+)
 create mode 100644 scanpipe/pipelines/publish_to_federatedcode.py
 create mode 100644 scanpipe/pipes/federatedcode.py

diff --git a/scancodeio/settings.py b/scancodeio/settings.py
index caa14fd1e..66b4c9f0e 100644
--- a/scancodeio/settings.py
+++ b/scancodeio/settings.py
@@ -418,3 +418,10 @@
 MATCHCODEIO_USER = env.str("MATCHCODEIO_USER", default="")
 MATCHCODEIO_PASSWORD = env.str("MATCHCODEIO_PASSWORD", default="")
 MATCHCODEIO_API_KEY = env.str("MATCHCODEIO_API_KEY", default="")
+
+# FederatedCode integration
+
+FEDERATEDCODE_GIT_ACCOUNT = env.str("FEDERATEDCODE_GIT_ACCOUNT", default="")
+FEDERATEDCODE_GIT_SERVICE_TOKEN = env.str("FEDERATEDCODE_GIT_SERVICE_TOKEN", default="")
+FEDERATEDCODE_GIT_SERVICE_NAME = env.str("FEDERATEDCODE_GIT_SERVICE_NAME", default="")
+FEDERATEDCODE_GIT_SERVICE_EMAIL = env.str("FEDERATEDCODE_GIT_SERVICE_EMAIL", default="")
diff --git a/scanpipe/pipelines/publish_to_federatedcode.py b/scanpipe/pipelines/publish_to_federatedcode.py
new file mode 100644
index 000000000..79d19a218
--- /dev/null
+++ b/scanpipe/pipelines/publish_to_federatedcode.py
@@ -0,0 +1,97 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# http://nexb.com and https://github.com/aboutcode-org/scancode.io
+# The ScanCode.io software is licensed under the Apache License version 2.0.
+# Data generated with ScanCode.io is provided as-is without warranties.
+# ScanCode is a trademark of nexB Inc.
+#
+# You may not use this software except in compliance with the License.
+# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+# Data Generated with ScanCode.io is provided on an "AS IS" BASIS, WITHOUT WARRANTIES
+# OR CONDITIONS OF ANY KIND, either express or implied. No content created from
+# ScanCode.io should be considered or used as legal advice. Consult an Attorney
+# for any legal advice.
+#
+# ScanCode.io is a free software code scanning tool from nexB Inc. and others.
+# Visit https://github.com/aboutcode-org/scancode.io for support and download.
+
+import shutil
+
+from scanpipe.pipelines import Pipeline
+from scanpipe.pipes import federatedcode
+
+
+class PublishToFederatedCode(Pipeline):
+    """Publish package scan to FederatedCode Git repository."""
+
+    download_inputs = False
+    is_addon = True
+
+    @classmethod
+    def steps(cls):
+        return (
+            cls.get_package,
+            cls.get_package_repository,
+            cls.clone_repository,
+            cls.add_scan_result,
+            cls.commit_and_push_changes,
+            cls.delete_local_clone,
+        )
+
+    def get_package(self):
+        has_single_package_scan = any(
+            run.pipeline_name == "scan_single_package"
+            for run in self.project.runs.all()
+            if run.task_exitcode == 0
+        )
+
+        if not has_single_package_scan:
+            raise Exception("Run ``scan_single_package`` pipeline to get package scan.")
+
+        if not self.project.discoveredpackages.count() == 1:
+            raise Exception("Scan should be for single package.")
+
+        if not self.project.discoveredpackages.first().version:
+            raise Exception("Scan package is missing version.")
+
+        configured, error = federatedcode.is_configured()
+        if not configured:
+            raise Exception(error)
+
+        self.package = self.project.discoveredpackages.first()
+
+    def get_package_repository(self):
+        self.package_scan_file, self.package_git_repo = (
+            federatedcode.get_package_repository(package=self.package, logger=self.log)
+        )
+
+    def clone_repository(self):
+        """Clone repository to local_path."""
+        self.repo = federatedcode.clone_repository(
+            package_repo_url=self.package_git_repo,
+            logger=self.log,
+        )
+
+    def add_scan_result(self):
+        self.relative_file_path = federatedcode.add_scan_result(
+            project=self.project,
+            repo=self.repo,
+            package_scan_file=self.package_scan_file,
+            logger=self.log,
+        )
+
+    def commit_and_push_changes(self):
+        federatedcode.commit_and_push_changes(
+            repo=self.repo,
+            file_to_commit=str(self.relative_file_path),
+            purl=self.package.purl,
+            logger=self.log,
+        )
+
+    def delete_local_clone(self):
+        shutil.rmtree(self.repo.working_dir)
diff --git a/scanpipe/pipes/federatedcode.py b/scanpipe/pipes/federatedcode.py
new file mode 100644
index 000000000..345bed87f
--- /dev/null
+++ b/scanpipe/pipes/federatedcode.py
@@ -0,0 +1,123 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# http://nexb.com and https://github.com/aboutcode-org/scancode.io
+# The ScanCode.io software is licensed under the Apache License version 2.0.
+# Data generated with ScanCode.io is provided as-is without warranties.
+# ScanCode is a trademark of nexB Inc.
+#
+# You may not use this software except in compliance with the License.
+# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+# Data Generated with ScanCode.io is provided on an "AS IS" BASIS, WITHOUT WARRANTIES
+# OR CONDITIONS OF ANY KIND, either express or implied. No content created from
+# ScanCode.io should be considered or used as legal advice. Consult an Attorney
+# for any legal advice.
+#
+# ScanCode.io is a free software code scanning tool from nexB Inc. and others.
+# Visit https://github.com/aboutcode-org/scancode.io for support and download.
+
+
+import tempfile
+import textwrap
+from pathlib import Path
+from urllib.parse import urljoin
+
+from git import Repo
+
+from aboutcode import hashid
+from scancodeio import VERSION
+from scancodeio import settings
+from scanpipe.pipes.output import JSONResultsGenerator
+
+
+def is_configured():
+    """Return True if the required FederatedCode settings have been set."""
+    missing_vars = []
+    if not settings.FEDERATEDCODE_GIT_ACCOUNT:
+        missing_vars.append("FEDERATEDCODE_GIT_ACCOUNT")
+    if not settings.FEDERATEDCODE_GIT_SERVICE_TOKEN:
+        missing_vars.append("FEDERATEDCODE_GIT_SERVICE_TOKEN")
+    if not settings.FEDERATEDCODE_GIT_SERVICE_NAME:
+        missing_vars.append("FEDERATEDCODE_GIT_SERVICE_NAME")
+    if not settings.FEDERATEDCODE_GIT_SERVICE_EMAIL:
+        missing_vars.append("FEDERATEDCODE_GIT_SERVICE_EMAIL")
+
+    if missing_vars:
+        return False, f'Missing environment variables: {", ".join(missing_vars)}'
+
+    return True, ""
+
+
+def clone_repository(package_repo_url, logger=None):
+    """Clone repository to local_path."""
+    local_dir = tempfile.mkdtemp()
+
+    authenticated_repo_url = package_repo_url.replace(
+        "https://",
+        f"https://{settings.FEDERATEDCODE_GIT_SERVICE_TOKEN}@",
+    )
+    repo = Repo.clone_from(url=authenticated_repo_url, to_path=local_dir, depth=1)
+
+    repo.config_writer(config_level="repository").set_value(
+        "user", "name", settings.FEDERATEDCODE_GIT_SERVICE_NAME
+    ).release()
+
+    repo.config_writer(config_level="repository").set_value(
+        "user", "email", settings.FEDERATEDCODE_GIT_SERVICE_EMAIL
+    ).release()
+
+    return repo
+
+
+def get_package_repository(package, logger=None):
+    package_base_dir = hashid.get_package_base_dir(purl=package.purl)
+    package_repo_name = package_base_dir.parts[0]
+
+    package_scan_file = package_base_dir / package.version / "scan.json"
+    package_git_repo_url = urljoin(
+        settings.FEDERATEDCODE_GIT_ACCOUNT, f"{package_repo_name}.git"
+    )
+
+    return package_scan_file, package_git_repo_url
+
+
+def add_scan_result(project, repo, package_scan_file, logger=None):
+    relative_scan_file_path = Path(*package_scan_file.parts[1:])
+
+    write_to = Path(repo.working_dir) / relative_scan_file_path
+
+    write_to.parent.mkdir(parents=True, exist_ok=True)
+    results_generator = JSONResultsGenerator(project)
+    with open(write_to, encoding="utf-8", mode="w") as file:
+        for chunk in results_generator:
+            file.write(chunk)
+
+    return relative_scan_file_path
+
+
+def commit_and_push_changes(repo, file_to_commit, purl, logger=None):
+    author_name = settings.FEDERATEDCODE_GIT_SERVICE_NAME
+    author_email = settings.FEDERATEDCODE_GIT_SERVICE_EMAIL
+    add_or_update = "Update"
+
+    if file_to_commit in repo.untracked_files:
+        add_or_update = "Add"
+
+    commit_message = f"""\
+    {add_or_update} scan result for {purl}
+
+    Tool: pkg:github/aboutcode-org/scancode.io@v{VERSION}
+    Reference: https://{settings.ALLOWED_HOSTS[0]}/
+
+    Signed-off-by: {author_name} <{author_email}>
+    """
+
+    default_branch = repo.active_branch.name
+
+    repo.index.add([file_to_commit])
+    repo.index.commit(textwrap.dedent(commit_message).strip())
+    repo.git.push("origin", default_branch, "--no-verify")
diff --git a/setup.cfg b/setup.cfg
index f4a993dfb..ce09ab621 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -105,6 +105,8 @@ install_requires =
     bleach==6.1.0
     # Antivirus
     clamd==1.0.2
+    # FederatedCode
+    aboutcode.hashid>=0.1.0
 
 [options.extras_require]
 dev =
@@ -146,6 +148,7 @@ scancodeio_pipelines =
     map_deploy_to_develop = scanpipe.pipelines.deploy_to_develop:DeployToDevelop
     match_to_matchcode = scanpipe.pipelines.match_to_matchcode:MatchToMatchCode
     populate_purldb = scanpipe.pipelines.populate_purldb:PopulatePurlDB
+    publish_to_federatedcode = scanpipe.pipelines.publish_to_federatedcode:PublishToFederatedCode
     resolve_dependencies = scanpipe.pipelines.resolve_dependencies:ResolveDependencies
     scan_codebase = scanpipe.pipelines.scan_codebase:ScanCodebase
     scan_for_virus = scanpipe.pipelines.scan_for_virus:ScanForVirus

From 2e2c4766cf77d1ae54b099c7b6ef0cbf81e4b5aa Mon Sep 17 00:00:00 2001
From: Keshav Priyadarshi <git@keshav.space>
Date: Tue, 8 Oct 2024 15:45:38 +0530
Subject: [PATCH 02/16] Add docstrings to pipeline steps

Signed-off-by: Keshav Priyadarshi <git@keshav.space>
---
 .../pipelines/publish_to_federatedcode.py     | 10 +++++--
 scanpipe/pipes/federatedcode.py               | 26 ++++++++++---------
 2 files changed, 22 insertions(+), 14 deletions(-)

diff --git a/scanpipe/pipelines/publish_to_federatedcode.py b/scanpipe/pipelines/publish_to_federatedcode.py
index 79d19a218..3719f0162 100644
--- a/scanpipe/pipelines/publish_to_federatedcode.py
+++ b/scanpipe/pipelines/publish_to_federatedcode.py
@@ -44,6 +44,7 @@ def steps(cls):
         )
 
     def get_package(self):
+        """Get the package associated with the scan."""
         has_single_package_scan = any(
             run.pipeline_name == "scan_single_package"
             for run in self.project.runs.all()
@@ -66,18 +67,20 @@ def get_package(self):
         self.package = self.project.discoveredpackages.first()
 
     def get_package_repository(self):
-        self.package_scan_file, self.package_git_repo = (
+        """Get the Git repository URL and scan path for a given package."""
+        self.package_git_repo, self.package_scan_file = (
             federatedcode.get_package_repository(package=self.package, logger=self.log)
         )
 
     def clone_repository(self):
         """Clone repository to local_path."""
         self.repo = federatedcode.clone_repository(
-            package_repo_url=self.package_git_repo,
+            repo_url=self.package_git_repo,
             logger=self.log,
         )
 
     def add_scan_result(self):
+        """Add package scan result to the local Git repository."""
         self.relative_file_path = federatedcode.add_scan_result(
             project=self.project,
             repo=self.repo,
@@ -86,12 +89,15 @@ def add_scan_result(self):
         )
 
     def commit_and_push_changes(self):
+        """Commit and push changes to remote repository."""
         federatedcode.commit_and_push_changes(
             repo=self.repo,
             file_to_commit=str(self.relative_file_path),
             purl=self.package.purl,
             logger=self.log,
         )
+        self.log(f"Scan for '{self.package.purl}' pushed to '{self.package_git_repo}'")
 
     def delete_local_clone(self):
+        """Remove local clone."""
         shutil.rmtree(self.repo.working_dir)
diff --git a/scanpipe/pipes/federatedcode.py b/scanpipe/pipes/federatedcode.py
index 345bed87f..fe6710c36 100644
--- a/scanpipe/pipes/federatedcode.py
+++ b/scanpipe/pipes/federatedcode.py
@@ -52,11 +52,11 @@ def is_configured():
     return True, ""
 
 
-def clone_repository(package_repo_url, logger=None):
+def clone_repository(repo_url, logger=None):
     """Clone repository to local_path."""
     local_dir = tempfile.mkdtemp()
 
-    authenticated_repo_url = package_repo_url.replace(
+    authenticated_repo_url = repo_url.replace(
         "https://",
         f"https://{settings.FEDERATEDCODE_GIT_SERVICE_TOKEN}@",
     )
@@ -74,18 +74,20 @@ def clone_repository(package_repo_url, logger=None):
 
 
 def get_package_repository(package, logger=None):
+    """Return the Git repository URL and scan path for a given package."""
     package_base_dir = hashid.get_package_base_dir(purl=package.purl)
     package_repo_name = package_base_dir.parts[0]
 
-    package_scan_file = package_base_dir / package.version / "scan.json"
+    package_scan_path = package_base_dir / package.version / "scan.json"
     package_git_repo_url = urljoin(
         settings.FEDERATEDCODE_GIT_ACCOUNT, f"{package_repo_name}.git"
     )
 
-    return package_scan_file, package_git_repo_url
+    return package_git_repo_url, package_scan_path
 
 
 def add_scan_result(project, repo, package_scan_file, logger=None):
+    """Add package scan result to the local Git repository."""
     relative_scan_file_path = Path(*package_scan_file.parts[1:])
 
     write_to = Path(repo.working_dir) / relative_scan_file_path
@@ -99,16 +101,16 @@ def add_scan_result(project, repo, package_scan_file, logger=None):
     return relative_scan_file_path
 
 
-def commit_and_push_changes(repo, file_to_commit, purl, logger=None):
+def commit_and_push_changes(
+    repo, file_to_commit, purl, remote_name="origin", logger=None
+):
+    """Commit and push changes to remote repository."""
     author_name = settings.FEDERATEDCODE_GIT_SERVICE_NAME
     author_email = settings.FEDERATEDCODE_GIT_SERVICE_EMAIL
-    add_or_update = "Update"
-
-    if file_to_commit in repo.untracked_files:
-        add_or_update = "Add"
 
+    change_type = "Add" if file_to_commit in repo.untracked_files else "Update"
     commit_message = f"""\
-    {add_or_update} scan result for {purl}
+    {change_type} scan result for {purl}
 
     Tool: pkg:github/aboutcode-org/scancode.io@v{VERSION}
     Reference: https://{settings.ALLOWED_HOSTS[0]}/
@@ -119,5 +121,5 @@ def commit_and_push_changes(repo, file_to_commit, purl, logger=None):
     default_branch = repo.active_branch.name
 
     repo.index.add([file_to_commit])
-    repo.index.commit(textwrap.dedent(commit_message).strip())
-    repo.git.push("origin", default_branch, "--no-verify")
+    repo.index.commit(textwrap.dedent(commit_message))
+    repo.git.push(remote_name, default_branch)

From b51cffa2a241f8c78357ddcc674de530bb370246 Mon Sep 17 00:00:00 2001
From: Keshav Priyadarshi <git@keshav.space>
Date: Fri, 11 Oct 2024 18:21:08 +0530
Subject: [PATCH 03/16] Store scan result in scancodeio.json file

Signed-off-by: Keshav Priyadarshi <git@keshav.space>
---
 scanpipe/pipes/federatedcode.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scanpipe/pipes/federatedcode.py b/scanpipe/pipes/federatedcode.py
index fe6710c36..11154975a 100644
--- a/scanpipe/pipes/federatedcode.py
+++ b/scanpipe/pipes/federatedcode.py
@@ -78,7 +78,7 @@ def get_package_repository(package, logger=None):
     package_base_dir = hashid.get_package_base_dir(purl=package.purl)
     package_repo_name = package_base_dir.parts[0]
 
-    package_scan_path = package_base_dir / package.version / "scan.json"
+    package_scan_path = package_base_dir / package.version / "scancodeio.json"
     package_git_repo_url = urljoin(
         settings.FEDERATEDCODE_GIT_ACCOUNT, f"{package_repo_name}.git"
     )

From 930a5cc6c226d2649869dc608f3c69f44646e20a Mon Sep 17 00:00:00 2001
From: Keshav Priyadarshi <git@keshav.space>
Date: Tue, 15 Oct 2024 13:43:42 +0530
Subject: [PATCH 04/16] Add test for federatedcode

Signed-off-by: Keshav Priyadarshi <git@keshav.space>
---
 .../pipelines/publish_to_federatedcode.py     |  3 +-
 scanpipe/pipes/federatedcode.py               | 33 +++++----
 scanpipe/tests/pipes/test_federatedcode.py    | 74 +++++++++++++++++++
 3 files changed, 95 insertions(+), 15 deletions(-)
 create mode 100644 scanpipe/tests/pipes/test_federatedcode.py

diff --git a/scanpipe/pipelines/publish_to_federatedcode.py b/scanpipe/pipelines/publish_to_federatedcode.py
index 3719f0162..49b703539 100644
--- a/scanpipe/pipelines/publish_to_federatedcode.py
+++ b/scanpipe/pipelines/publish_to_federatedcode.py
@@ -20,7 +20,6 @@
 # ScanCode.io is a free software code scanning tool from nexB Inc. and others.
 # Visit https://github.com/aboutcode-org/scancode.io for support and download.
 
-import shutil
 
 from scanpipe.pipelines import Pipeline
 from scanpipe.pipes import federatedcode
@@ -100,4 +99,4 @@ def commit_and_push_changes(self):
 
     def delete_local_clone(self):
         """Remove local clone."""
-        shutil.rmtree(self.repo.working_dir)
+        federatedcode.delete_local_clone(repo=self.repo)
diff --git a/scanpipe/pipes/federatedcode.py b/scanpipe/pipes/federatedcode.py
index 11154975a..b4e658b46 100644
--- a/scanpipe/pipes/federatedcode.py
+++ b/scanpipe/pipes/federatedcode.py
@@ -21,6 +21,7 @@
 # Visit https://github.com/aboutcode-org/scancode.io for support and download.
 
 
+import shutil
 import tempfile
 import textwrap
 from pathlib import Path
@@ -52,6 +53,20 @@ def is_configured():
     return True, ""
 
 
+def get_package_repository(package, logger=None):
+    """Return the Git repository URL and scan path for a given package."""
+    FEDERATEDCODE_GIT_ACCOUNT_URL = f'{settings.FEDERATEDCODE_GIT_ACCOUNT.rstrip("/")}/'
+    package_base_dir = hashid.get_package_base_dir(purl=package.purl)
+    package_repo_name = package_base_dir.parts[0]
+
+    package_scan_path = package_base_dir / package.version / "scancodeio.json"
+    package_git_repo_url = urljoin(
+        FEDERATEDCODE_GIT_ACCOUNT_URL, f"{package_repo_name}.git"
+    )
+
+    return package_git_repo_url, package_scan_path
+
+
 def clone_repository(repo_url, logger=None):
     """Clone repository to local_path."""
     local_dir = tempfile.mkdtemp()
@@ -73,19 +88,6 @@ def clone_repository(repo_url, logger=None):
     return repo
 
 
-def get_package_repository(package, logger=None):
-    """Return the Git repository URL and scan path for a given package."""
-    package_base_dir = hashid.get_package_base_dir(purl=package.purl)
-    package_repo_name = package_base_dir.parts[0]
-
-    package_scan_path = package_base_dir / package.version / "scancodeio.json"
-    package_git_repo_url = urljoin(
-        settings.FEDERATEDCODE_GIT_ACCOUNT, f"{package_repo_name}.git"
-    )
-
-    return package_git_repo_url, package_scan_path
-
-
 def add_scan_result(project, repo, package_scan_file, logger=None):
     """Add package scan result to the local Git repository."""
     relative_scan_file_path = Path(*package_scan_file.parts[1:])
@@ -123,3 +125,8 @@ def commit_and_push_changes(
     repo.index.add([file_to_commit])
     repo.index.commit(textwrap.dedent(commit_message))
     repo.git.push(remote_name, default_branch)
+
+
+def delete_local_clone(repo):
+    """Remove local clone."""
+    shutil.rmtree(repo.working_dir)
diff --git a/scanpipe/tests/pipes/test_federatedcode.py b/scanpipe/tests/pipes/test_federatedcode.py
new file mode 100644
index 000000000..6348300bf
--- /dev/null
+++ b/scanpipe/tests/pipes/test_federatedcode.py
@@ -0,0 +1,74 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# http://nexb.com and https://github.com/nexB/scancode.io
+# The ScanCode.io software is licensed under the Apache License version 2.0.
+# Data generated with ScanCode.io is provided as-is without warranties.
+# ScanCode is a trademark of nexB Inc.
+#
+# You may not use this software except in compliance with the License.
+# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+# Data Generated with ScanCode.io is provided on an "AS IS" BASIS, WITHOUT WARRANTIES
+# OR CONDITIONS OF ANY KIND, either express or implied. No content created from
+# ScanCode.io should be considered or used as legal advice. Consult an Attorney
+# for any legal advice.
+#
+# ScanCode.io is a free software code scanning tool from nexB Inc. and others.
+# Visit https://github.com/nexB/scancode.io for support and download.
+
+import shutil
+import tempfile
+from pathlib import Path
+from unittest.mock import patch
+
+from django.test import TestCase
+
+import git
+
+from scanpipe import models
+from scanpipe.pipes import federatedcode
+from scanpipe.tests import make_package
+
+
+class ScanPipeFederatedCodeTest(TestCase):
+    def setUp(self):
+        self.project1 = models.Project.objects.create(name="Analysis")
+
+    @patch(
+        "scanpipe.pipes.federatedcode.settings.FEDERATEDCODE_GIT_ACCOUNT",
+        "https://github.com/test/",
+    )
+    def test_scanpipe_pipes_federatedcode_get_package_repository(self):
+        package = make_package(
+            project=self.project1,
+            package_url="pkg:npm/foobar@v1.2.3",
+            version="v.1.2.3",
+        )
+        expected_git_repo = "https://github.com/test/aboutcode-packages-03f1.git"
+        expected_scan_path = "aboutcode-packages-03f1/npm/foobar/v1.2.3/scancodeio.json"
+        git_repo, scan_path = federatedcode.get_package_repository(package=package)
+
+        self.assertEqual(expected_git_repo, git_repo)
+        self.assertEqual(expected_scan_path, str(scan_path))
+
+    def test_scanpipe_pipes_federatedcode_add_scan_result(self):
+        local_dir = tempfile.mkdtemp()
+        repo = git.Repo.init(local_dir)
+
+        federatedcode.add_scan_result(
+            self.project1, repo, Path("repo/npm/foobar/v1.2.3/scancodeio.json")
+        )
+
+        self.assertIn("npm/foobar/v1.2.3/scancodeio.json", repo.untracked_files)
+        shutil.rmtree(repo.working_dir)
+
+    def test_scancpipe_pipes_federatedcode_delete_local_clone(self):
+        local_dir = tempfile.mkdtemp()
+        repo = git.Repo.init(local_dir)
+        federatedcode.delete_local_clone(repo)
+
+        self.assertEqual(False, Path(local_dir).exists())

From fabb3086e53f718797e01bd2316b1255afb56484 Mon Sep 17 00:00:00 2001
From: Keshav Priyadarshi <git@keshav.space>
Date: Wed, 23 Oct 2024 13:53:18 +0530
Subject: [PATCH 05/16] Add project_purl field to project

Signed-off-by: Keshav Priyadarshi <git@keshav.space>
---
 scanpipe/api/serializers.py                    |  1 +
 scanpipe/forms.py                              | 15 +++++++++++++++
 .../migrations/0068_project_project_purl.py    | 18 ++++++++++++++++++
 scanpipe/models.py                             |  6 ++++++
 .../templates/scanpipe/project_settings.html   |  8 ++++++++
 5 files changed, 48 insertions(+)
 create mode 100644 scanpipe/migrations/0068_project_project_purl.py

diff --git a/scanpipe/api/serializers.py b/scanpipe/api/serializers.py
index 5da4f1186..32c3a3001 100644
--- a/scanpipe/api/serializers.py
+++ b/scanpipe/api/serializers.py
@@ -203,6 +203,7 @@ class Meta:
             "name",
             "url",
             "uuid",
+            "project_purl",
             "upload_file",
             "upload_file_tag",
             "input_urls",
diff --git a/scanpipe/forms.py b/scanpipe/forms.py
index f854235aa..ffbb01828 100644
--- a/scanpipe/forms.py
+++ b/scanpipe/forms.py
@@ -25,6 +25,7 @@
 from django.core.exceptions import ObjectDoesNotExist
 from django.core.exceptions import ValidationError
 
+from packageurl import PackageURL
 from taggit.forms import TagField
 from taggit.forms import TagWidget
 
@@ -458,12 +459,26 @@ class Meta:
         fields = [
             "name",
             "notes",
+            "project_purl",
         ]
         widgets = {
             "name": forms.TextInput(attrs={"class": "input"}),
             "notes": forms.Textarea(attrs={"rows": 3, "class": "textarea is-dynamic"}),
+            "project_purl": forms.TextInput(attrs={"class": "input"}),
         }
 
+    def clean_project_purl(self):
+        """Validate the Project PURL."""
+        project_purl = self.cleaned_data.get("project_purl")
+
+        if project_purl:
+            try:
+                PackageURL.from_string(project_purl)
+            except ValueError:
+                raise forms.ValidationError("Project PURL must be a valid PackageURL")
+
+        return project_purl
+
     def __init__(self, *args, **kwargs):
         """Load initial values from Project ``settings`` field."""
         super().__init__(*args, **kwargs)
diff --git a/scanpipe/migrations/0068_project_project_purl.py b/scanpipe/migrations/0068_project_project_purl.py
new file mode 100644
index 000000000..5d55137af
--- /dev/null
+++ b/scanpipe/migrations/0068_project_project_purl.py
@@ -0,0 +1,18 @@
+# Generated by Django 5.0.7 on 2024-10-22 14:37
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('scanpipe', '0067_discoveredpackage_notes'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='project',
+            name='project_purl',
+            field=models.CharField(blank=True, help_text='Project Package URL.', max_length=2048),
+        ),
+    ]
diff --git a/scanpipe/models.py b/scanpipe/models.py
index f54395b05..67abdf674 100644
--- a/scanpipe/models.py
+++ b/scanpipe/models.py
@@ -561,6 +561,11 @@ class Project(UUIDPKModel, ExtraDataFieldMixin, UpdateMixin, models.Model):
     notes = models.TextField(blank=True)
     settings = models.JSONField(default=dict, blank=True)
     labels = TaggableManager(through=UUIDTaggedItem)
+    project_purl = models.CharField(
+        max_length=2048,
+        blank=True,
+        help_text=_("Project Package URL."),
+    )
 
     objects = ProjectQuerySet.as_manager()
 
@@ -704,6 +709,7 @@ def clone(
         """Clone this project using the provided ``clone_name`` as new project name."""
         new_project = Project.objects.create(
             name=clone_name,
+            project_purl=self.project_purl,
             settings=self.settings if copy_settings else {},
         )
 
diff --git a/scanpipe/templates/scanpipe/project_settings.html b/scanpipe/templates/scanpipe/project_settings.html
index d2ec52f58..b96ca8242 100644
--- a/scanpipe/templates/scanpipe/project_settings.html
+++ b/scanpipe/templates/scanpipe/project_settings.html
@@ -26,6 +26,14 @@
                     {{ form.name }}
                   </div>
                 </div>
+                <div class="field">
+                  <label class="label" for="{{ form.name.id_for_label }}">
+                    Project PURL
+                  </label>
+                  <div class="control">
+                    {{ form.project_purl }}
+                  </div>
+                </div>
                 <div class="field">
                   <label class="label" for="{{ form.notes.id_for_label }}">
                     {{ form.notes.label }}

From 3d4e414c400521716988069abf79bcdd97d429dd Mon Sep 17 00:00:00 2001
From: Keshav Priyadarshi <git@keshav.space>
Date: Wed, 23 Oct 2024 15:35:34 +0530
Subject: [PATCH 06/16] Use project_purl to push scan result

Signed-off-by: Keshav Priyadarshi <git@keshav.space>
---
 .../pipelines/publish_to_federatedcode.py     | 50 ++++++++++++-------
 scanpipe/pipes/federatedcode.py               |  8 +--
 setup.cfg                                     |  2 +-
 3 files changed, 37 insertions(+), 23 deletions(-)

diff --git a/scanpipe/pipelines/publish_to_federatedcode.py b/scanpipe/pipelines/publish_to_federatedcode.py
index 49b703539..c6b9d6b71 100644
--- a/scanpipe/pipelines/publish_to_federatedcode.py
+++ b/scanpipe/pipelines/publish_to_federatedcode.py
@@ -21,12 +21,14 @@
 # Visit https://github.com/aboutcode-org/scancode.io for support and download.
 
 
+from packageurl import PackageURL
+
 from scanpipe.pipelines import Pipeline
 from scanpipe.pipes import federatedcode
 
 
 class PublishToFederatedCode(Pipeline):
-    """Publish package scan to FederatedCode Git repository."""
+    """Publish package scan to FederatedCode."""
 
     download_inputs = False
     is_addon = True
@@ -34,7 +36,7 @@ class PublishToFederatedCode(Pipeline):
     @classmethod
     def steps(cls):
         return (
-            cls.get_package,
+            cls.get_project_purl,
             cls.get_package_repository,
             cls.clone_repository,
             cls.add_scan_result,
@@ -42,33 +44,42 @@ def steps(cls):
             cls.delete_local_clone,
         )
 
-    def get_package(self):
-        """Get the package associated with the scan."""
-        has_single_package_scan = any(
-            run.pipeline_name == "scan_single_package"
-            for run in self.project.runs.all()
-            if run.task_exitcode == 0
+    def get_project_purl(self):
+        """Get the PURL for the project."""
+        all_executed_pipeline_successful = all(
+            run.task_succeeded for run in self.project.runs.executed()
+        )
+
+        source_is_download_url = any(
+            source.download_url for source in self.project.inputsources.all()
         )
 
-        if not has_single_package_scan:
-            raise Exception("Run ``scan_single_package`` pipeline to get package scan.")
+        if not all_executed_pipeline_successful:
+            raise Exception("Make sure all the pipelines has completed successfully.")
 
-        if not self.project.discoveredpackages.count() == 1:
-            raise Exception("Scan should be for single package.")
+        if not source_is_download_url:
+            raise Exception("Project input should be download_url.")
 
-        if not self.project.discoveredpackages.first().version:
-            raise Exception("Scan package is missing version.")
+        if not self.project.project_purl:
+            raise Exception("Missing Project PURL.")
+
+        project_package_url = PackageURL.from_string(self.project.project_purl)
+
+        if not project_package_url.version:
+            raise Exception("Missing version in Project PURL.")
 
         configured, error = federatedcode.is_configured()
         if not configured:
             raise Exception(error)
 
-        self.package = self.project.discoveredpackages.first()
+        self.project_package_url = project_package_url
 
     def get_package_repository(self):
         """Get the Git repository URL and scan path for a given package."""
         self.package_git_repo, self.package_scan_file = (
-            federatedcode.get_package_repository(package=self.package, logger=self.log)
+            federatedcode.get_package_repository(
+                project_purl=self.project_package_url, logger=self.log
+            )
         )
 
     def clone_repository(self):
@@ -92,10 +103,13 @@ def commit_and_push_changes(self):
         federatedcode.commit_and_push_changes(
             repo=self.repo,
             file_to_commit=str(self.relative_file_path),
-            purl=self.package.purl,
+            purl=str(self.project_package_url),
             logger=self.log,
         )
-        self.log(f"Scan for '{self.package.purl}' pushed to '{self.package_git_repo}'")
+        self.log(
+            f"Scan result for '{str(self.project_package_url)}' "
+            f"pushed to '{self.package_git_repo}'"
+        )
 
     def delete_local_clone(self):
         """Remove local clone."""
diff --git a/scanpipe/pipes/federatedcode.py b/scanpipe/pipes/federatedcode.py
index b4e658b46..ed1c6592f 100644
--- a/scanpipe/pipes/federatedcode.py
+++ b/scanpipe/pipes/federatedcode.py
@@ -53,13 +53,13 @@ def is_configured():
     return True, ""
 
 
-def get_package_repository(package, logger=None):
+def get_package_repository(project_purl, logger=None):
     """Return the Git repository URL and scan path for a given package."""
     FEDERATEDCODE_GIT_ACCOUNT_URL = f'{settings.FEDERATEDCODE_GIT_ACCOUNT.rstrip("/")}/'
-    package_base_dir = hashid.get_package_base_dir(purl=package.purl)
+    package_base_dir = hashid.get_package_base_dir(purl=str(project_purl))
     package_repo_name = package_base_dir.parts[0]
 
-    package_scan_path = package_base_dir / package.version / "scancodeio.json"
+    package_scan_path = package_base_dir / project_purl.version / "scancodeio.json"
     package_git_repo_url = urljoin(
         FEDERATEDCODE_GIT_ACCOUNT_URL, f"{package_repo_name}.git"
     )
@@ -124,7 +124,7 @@ def commit_and_push_changes(
 
     repo.index.add([file_to_commit])
     repo.index.commit(textwrap.dedent(commit_message))
-    repo.git.push(remote_name, default_branch)
+    repo.git.push(remote_name, default_branch, "--no-verify")
 
 
 def delete_local_clone(repo):
diff --git a/setup.cfg b/setup.cfg
index 0bbb1910b..142512322 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -106,7 +106,7 @@ install_requires =
     # Antivirus
     clamd==1.0.2
     # FederatedCode
-    aboutcode.hashid>=0.1.0
+    aboutcode.hashid==0.1.0
 
 [options.extras_require]
 dev =

From 521522332af37eca08126680dd561b02e621097b Mon Sep 17 00:00:00 2001
From: Keshav Priyadarshi <git@keshav.space>
Date: Wed, 23 Oct 2024 15:51:13 +0530
Subject: [PATCH 07/16] Update tests

Signed-off-by: Keshav Priyadarshi <git@keshav.space>
---
 scanpipe/tests/pipes/test_federatedcode.py | 7 ++++---
 scanpipe/tests/test_models.py              | 1 +
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/scanpipe/tests/pipes/test_federatedcode.py b/scanpipe/tests/pipes/test_federatedcode.py
index 6348300bf..0c26c60eb 100644
--- a/scanpipe/tests/pipes/test_federatedcode.py
+++ b/scanpipe/tests/pipes/test_federatedcode.py
@@ -26,7 +26,7 @@
 from unittest.mock import patch
 
 from django.test import TestCase
-
+from packageurl import PackageURL
 import git
 
 from scanpipe import models
@@ -43,14 +43,15 @@ def setUp(self):
         "https://github.com/test/",
     )
     def test_scanpipe_pipes_federatedcode_get_package_repository(self):
-        package = make_package(
+        make_package(
             project=self.project1,
             package_url="pkg:npm/foobar@v1.2.3",
             version="v.1.2.3",
         )
+        project_purl = PackageURL.from_string("pkg:npm/foobar@v1.2.3")
         expected_git_repo = "https://github.com/test/aboutcode-packages-03f1.git"
         expected_scan_path = "aboutcode-packages-03f1/npm/foobar/v1.2.3/scancodeio.json"
-        git_repo, scan_path = federatedcode.get_package_repository(package=package)
+        git_repo, scan_path = federatedcode.get_package_repository(project_purl=project_purl)
 
         self.assertEqual(expected_git_repo, git_repo)
         self.assertEqual(expected_scan_path, str(scan_path))
diff --git a/scanpipe/tests/test_models.py b/scanpipe/tests/test_models.py
index 9e1758627..3ba6a6926 100644
--- a/scanpipe/tests/test_models.py
+++ b/scanpipe/tests/test_models.py
@@ -2007,6 +2007,7 @@ def test_scanpipe_webhook_subscription_model_get_payload(self):
             "project": {
                 "name": "Analysis",
                 "uuid": str(self.project1.uuid),
+                "project_purl": "",
                 "is_archived": False,
                 "notes": "",
                 "labels": [],

From f4dcc1d93c9e34d8016d97ce94cb8b0c1461ff0d Mon Sep 17 00:00:00 2001
From: Keshav Priyadarshi <git@keshav.space>
Date: Wed, 23 Oct 2024 15:54:19 +0530
Subject: [PATCH 08/16] Validate code format

Signed-off-by: Keshav Priyadarshi <git@keshav.space>
---
 scanpipe/tests/pipes/test_federatedcode.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/scanpipe/tests/pipes/test_federatedcode.py b/scanpipe/tests/pipes/test_federatedcode.py
index 0c26c60eb..afc1deebf 100644
--- a/scanpipe/tests/pipes/test_federatedcode.py
+++ b/scanpipe/tests/pipes/test_federatedcode.py
@@ -26,8 +26,9 @@
 from unittest.mock import patch
 
 from django.test import TestCase
-from packageurl import PackageURL
+
 import git
+from packageurl import PackageURL
 
 from scanpipe import models
 from scanpipe.pipes import federatedcode
@@ -51,7 +52,9 @@ def test_scanpipe_pipes_federatedcode_get_package_repository(self):
         project_purl = PackageURL.from_string("pkg:npm/foobar@v1.2.3")
         expected_git_repo = "https://github.com/test/aboutcode-packages-03f1.git"
         expected_scan_path = "aboutcode-packages-03f1/npm/foobar/v1.2.3/scancodeio.json"
-        git_repo, scan_path = federatedcode.get_package_repository(project_purl=project_purl)
+        git_repo, scan_path = federatedcode.get_package_repository(
+            project_purl=project_purl
+        )
 
         self.assertEqual(expected_git_repo, git_repo)
         self.assertEqual(expected_scan_path, str(scan_path))

From 868f6170c4c91e7a90ef99b16278062998c1814a Mon Sep 17 00:00:00 2001
From: Keshav Priyadarshi <git@keshav.space>
Date: Wed, 30 Oct 2024 18:12:27 +0530
Subject: [PATCH 09/16] Add docs for FederatedCode pipeline

Signed-off-by: Keshav Priyadarshi <git@keshav.space>
---
 CHANGELOG.rst                                 |  9 ++++
 docs/application-settings.rst                 | 22 ++++++++
 docs/built-in-pipelines.rst                   | 14 +++++
 scancodeio/settings.py                        |  2 +-
 .../pipelines/publish_to_federatedcode.py     | 41 ++++++++++-----
 scanpipe/pipes/federatedcode.py               | 52 +++++++++++++------
 scanpipe/tests/pipes/test_federatedcode.py    |  4 +-
 7 files changed, 111 insertions(+), 33 deletions(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index d279f4132..67496b04b 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -1,6 +1,15 @@
 Changelog
 =========
 
+v34.9.0 (unreleased)
+--------------------
+
+- Add a new ``PublishToFederatedCode`` pipeline (addon) to push scan result
+  to FederatedCode.
+  https://github.com/nexB/scancode.io/pull/1400
+
+- Add new ``project_purl`` field to project model. https://github.com/nexB/scancode.io/pull/1400
+
 v34.8.2 (2024-10-28)
 --------------------
 
diff --git a/docs/application-settings.rst b/docs/application-settings.rst
index dbc7314e0..1e647d53b 100644
--- a/docs/application-settings.rst
+++ b/docs/application-settings.rst
@@ -338,6 +338,28 @@ API key using ``MATCHCODEIO_API_KEY``::
 
     MATCHCODEIO_API_KEY=insert_your_api_key_here
 
+.. _scancodeio_settings_federatedcode:
+
+FEDERATEDCODE
+^^^^^^^^^^^^^
+
+FederatedCode is decentralized and federated metadata for software applications
+stored in Git repositories.
+
+
+To configure your local environment, set the following in your ``.env`` file::
+
+    FEDERATEDCODE_GIT_ACCOUNT_URL=https://<Address to your git account>/
+
+    FEDERATEDCODE_GIT_SERVICE_TOKEN=insert_your_git_api_key_here
+
+Also provide the name and email that will be used to sign off on commits to Git repositories::
+
+    FEDERATEDCODE_GIT_SERVICE_NAME=insert_name_here
+
+    FEDERATEDCODE_GIT_SERVICE_EMAIL=insert_email_here
+
+
 .. _scancodeio_settings_fetch_authentication:
 
 Fetch Authentication
diff --git a/docs/built-in-pipelines.rst b/docs/built-in-pipelines.rst
index e21920d44..a63675463 100644
--- a/docs/built-in-pipelines.rst
+++ b/docs/built-in-pipelines.rst
@@ -188,6 +188,20 @@ Populate PurlDB (addon)
     :members:
     :member-order: bysource
 
+.. _pipeline_publish_to_federatedcode:
+
+Publish To FederatedCode (addon)
+--------------------------------
+
+.. warning::
+    This pipeline requires access to a FederatedCode service.
+    Refer to :ref:`scancodeio_settings_federatedcode` to configure access to
+    FederatedCode in your ScanCode.io instance.
+
+.. autoclass:: scanpipe.pipelines.publish_to_federatedcode.PublishToFederatedCode()
+    :members:
+    :member-order: bysource
+
 .. _pipeline_scan_codebase:
 
 Scan Codebase
diff --git a/scancodeio/settings.py b/scancodeio/settings.py
index 66b4c9f0e..9ac7b43e7 100644
--- a/scancodeio/settings.py
+++ b/scancodeio/settings.py
@@ -421,7 +421,7 @@
 
 # FederatedCode integration
 
-FEDERATEDCODE_GIT_ACCOUNT = env.str("FEDERATEDCODE_GIT_ACCOUNT", default="")
+FEDERATEDCODE_GIT_ACCOUNT_URL = env.str("FEDERATEDCODE_GIT_ACCOUNT_URL", default="")
 FEDERATEDCODE_GIT_SERVICE_TOKEN = env.str("FEDERATEDCODE_GIT_SERVICE_TOKEN", default="")
 FEDERATEDCODE_GIT_SERVICE_NAME = env.str("FEDERATEDCODE_GIT_SERVICE_NAME", default="")
 FEDERATEDCODE_GIT_SERVICE_EMAIL = env.str("FEDERATEDCODE_GIT_SERVICE_EMAIL", default="")
diff --git a/scanpipe/pipelines/publish_to_federatedcode.py b/scanpipe/pipelines/publish_to_federatedcode.py
index c6b9d6b71..ad86c7eab 100644
--- a/scanpipe/pipelines/publish_to_federatedcode.py
+++ b/scanpipe/pipelines/publish_to_federatedcode.py
@@ -28,7 +28,13 @@
 
 
 class PublishToFederatedCode(Pipeline):
-    """Publish package scan to FederatedCode."""
+    """
+    Publish package scan to FederatedCode.
+
+    This pipeline commits the project scan result in FederatedCode Git repository.
+    It uses ``Project PURL`` to determine the Git repository and the
+    exact directory path where the scan should be stored.
+    """
 
     download_inputs = False
     is_addon = True
@@ -36,7 +42,7 @@ class PublishToFederatedCode(Pipeline):
     @classmethod
     def steps(cls):
         return (
-            cls.get_project_purl,
+            cls.check_federatedcode_eligibility,
             cls.get_package_repository,
             cls.clone_repository,
             cls.add_scan_result,
@@ -44,8 +50,23 @@ def steps(cls):
             cls.delete_local_clone,
         )
 
-    def get_project_purl(self):
-        """Get the PURL for the project."""
+    def check_federatedcode_eligibility(self):
+        """
+        Check if the project fulfills the following criteria for
+        pushing the project result to FederatedCode.
+
+        Criteria:
+            - FederatedCode is configured and available.
+            - All pipelines have completed successfully.
+            - Source is a download_url.
+            - Must have ``project_purl`` with version.
+        """
+        if not federatedcode.is_configured():
+            raise Exception("FederatedCode is not configured.")
+
+        if not federatedcode.is_available():
+            raise Exception("FederatedCode Git account is not available.")
+
         all_executed_pipeline_successful = all(
             run.task_succeeded for run in self.project.runs.executed()
         )
@@ -68,17 +89,11 @@ def get_project_purl(self):
         if not project_package_url.version:
             raise Exception("Missing version in Project PURL.")
 
-        configured, error = federatedcode.is_configured()
-        if not configured:
-            raise Exception(error)
-
-        self.project_package_url = project_package_url
-
     def get_package_repository(self):
         """Get the Git repository URL and scan path for a given package."""
         self.package_git_repo, self.package_scan_file = (
             federatedcode.get_package_repository(
-                project_purl=self.project_package_url, logger=self.log
+                project_purl=self.project.project_purl, logger=self.log
             )
         )
 
@@ -103,11 +118,11 @@ def commit_and_push_changes(self):
         federatedcode.commit_and_push_changes(
             repo=self.repo,
             file_to_commit=str(self.relative_file_path),
-            purl=str(self.project_package_url),
+            purl=self.project.project_purl,
             logger=self.log,
         )
         self.log(
-            f"Scan result for '{str(self.project_package_url)}' "
+            f"Scan result for '{self.project.project_purl}' "
             f"pushed to '{self.package_git_repo}'"
         )
 
diff --git a/scanpipe/pipes/federatedcode.py b/scanpipe/pipes/federatedcode.py
index ed1c6592f..28810a253 100644
--- a/scanpipe/pipes/federatedcode.py
+++ b/scanpipe/pipes/federatedcode.py
@@ -21,48 +21,66 @@
 # Visit https://github.com/aboutcode-org/scancode.io for support and download.
 
 
+import logging
 import shutil
 import tempfile
 import textwrap
 from pathlib import Path
 from urllib.parse import urljoin
 
+import requests
 from git import Repo
+from packageurl import PackageURL
 
 from aboutcode import hashid
 from scancodeio import VERSION
 from scancodeio import settings
 from scanpipe.pipes.output import JSONResultsGenerator
 
+logger = logging.getLogger(__name__)
+
 
 def is_configured():
     """Return True if the required FederatedCode settings have been set."""
-    missing_vars = []
-    if not settings.FEDERATEDCODE_GIT_ACCOUNT:
-        missing_vars.append("FEDERATEDCODE_GIT_ACCOUNT")
-    if not settings.FEDERATEDCODE_GIT_SERVICE_TOKEN:
-        missing_vars.append("FEDERATEDCODE_GIT_SERVICE_TOKEN")
-    if not settings.FEDERATEDCODE_GIT_SERVICE_NAME:
-        missing_vars.append("FEDERATEDCODE_GIT_SERVICE_NAME")
-    if not settings.FEDERATEDCODE_GIT_SERVICE_EMAIL:
-        missing_vars.append("FEDERATEDCODE_GIT_SERVICE_EMAIL")
+    if all(
+        [
+            settings.FEDERATEDCODE_GIT_ACCOUNT_URL,
+            settings.FEDERATEDCODE_GIT_SERVICE_TOKEN,
+            settings.FEDERATEDCODE_GIT_SERVICE_EMAIL,
+            settings.FEDERATEDCODE_GIT_SERVICE_NAME,
+        ]
+    ):
+        return True
+    return False
+
 
-    if missing_vars:
-        return False, f'Missing environment variables: {", ".join(missing_vars)}'
+def is_available():
+    """Return True if the configured Git account is available."""
+    if not is_configured():
+        return False
 
-    return True, ""
+    try:
+        response = requests.head(settings.FEDERATEDCODE_GIT_ACCOUNT_URL, timeout=5)
+        response.raise_for_status()
+    except requests.exceptions.RequestException as request_exception:
+        logger.debug(f"FederatedCode is_available() error: {request_exception}")
+        return False
+
+    return response.status_code == requests.codes.ok
 
 
 def get_package_repository(project_purl, logger=None):
     """Return the Git repository URL and scan path for a given package."""
-    FEDERATEDCODE_GIT_ACCOUNT_URL = f'{settings.FEDERATEDCODE_GIT_ACCOUNT.rstrip("/")}/'
-    package_base_dir = hashid.get_package_base_dir(purl=str(project_purl))
+    project_package_url = PackageURL.from_string(project_purl)
+
+    git_account_url = f'{settings.FEDERATEDCODE_GIT_ACCOUNT_URL.rstrip("/")}/'
+    package_base_dir = hashid.get_package_base_dir(purl=project_purl)
     package_repo_name = package_base_dir.parts[0]
 
-    package_scan_path = package_base_dir / project_purl.version / "scancodeio.json"
-    package_git_repo_url = urljoin(
-        FEDERATEDCODE_GIT_ACCOUNT_URL, f"{package_repo_name}.git"
+    package_scan_path = (
+        package_base_dir / project_package_url.version / "scancodeio.json"
     )
+    package_git_repo_url = urljoin(git_account_url, f"{package_repo_name}.git")
 
     return package_git_repo_url, package_scan_path
 
diff --git a/scanpipe/tests/pipes/test_federatedcode.py b/scanpipe/tests/pipes/test_federatedcode.py
index afc1deebf..e99bb4a02 100644
--- a/scanpipe/tests/pipes/test_federatedcode.py
+++ b/scanpipe/tests/pipes/test_federatedcode.py
@@ -40,7 +40,7 @@ def setUp(self):
         self.project1 = models.Project.objects.create(name="Analysis")
 
     @patch(
-        "scanpipe.pipes.federatedcode.settings.FEDERATEDCODE_GIT_ACCOUNT",
+        "scanpipe.pipes.federatedcode.settings.FEDERATEDCODE_GIT_ACCOUNT_URL",
         "https://github.com/test/",
     )
     def test_scanpipe_pipes_federatedcode_get_package_repository(self):
@@ -49,7 +49,7 @@ def test_scanpipe_pipes_federatedcode_get_package_repository(self):
             package_url="pkg:npm/foobar@v1.2.3",
             version="v.1.2.3",
         )
-        project_purl = PackageURL.from_string("pkg:npm/foobar@v1.2.3")
+        project_purl = "pkg:npm/foobar@v1.2.3"
         expected_git_repo = "https://github.com/test/aboutcode-packages-03f1.git"
         expected_scan_path = "aboutcode-packages-03f1/npm/foobar/v1.2.3/scancodeio.json"
         git_repo, scan_path = federatedcode.get_package_repository(

From 1fda4d919f3bf86c40128e11d051c6aa04e5229a Mon Sep 17 00:00:00 2001
From: Keshav Priyadarshi <git@keshav.space>
Date: Wed, 30 Oct 2024 18:20:07 +0530
Subject: [PATCH 10/16] Remove unused imports

Signed-off-by: Keshav Priyadarshi <git@keshav.space>
---
 scanpipe/tests/pipes/test_federatedcode.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/scanpipe/tests/pipes/test_federatedcode.py b/scanpipe/tests/pipes/test_federatedcode.py
index e99bb4a02..c80779abb 100644
--- a/scanpipe/tests/pipes/test_federatedcode.py
+++ b/scanpipe/tests/pipes/test_federatedcode.py
@@ -28,7 +28,6 @@
 from django.test import TestCase
 
 import git
-from packageurl import PackageURL
 
 from scanpipe import models
 from scanpipe.pipes import federatedcode

From 24d05fa3bef3eb3f092090a1f716b4e0f41dea53 Mon Sep 17 00:00:00 2001
From: Keshav Priyadarshi <git@keshav.space>
Date: Fri, 8 Nov 2024 18:15:31 +0530
Subject: [PATCH 11/16] Omit __init__.py from namespace package directory

- namespace package should not contain __init__.py
- see https://packaging.python.org/en/latest/guides/packaging-namespace-packages/#native-namespace-packages

Signed-off-by: Keshav Priyadarshi <git@keshav.space>
---
 aboutcode/__init__.py | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 aboutcode/__init__.py

diff --git a/aboutcode/__init__.py b/aboutcode/__init__.py
deleted file mode 100644
index e69de29bb..000000000

From ce215219e6454fa91480576858a8aab2c220e146 Mon Sep 17 00:00:00 2001
From: Keshav Priyadarshi <git@keshav.space>
Date: Fri, 8 Nov 2024 19:50:03 +0530
Subject: [PATCH 12/16] Address reviews

Signed-off-by: Keshav Priyadarshi <git@keshav.space>
---
 scanpipe/api/serializers.py                   |  2 +-
 scanpipe/forms.py                             | 16 +++----
 .../migrations/0068_project_project_purl.py   | 18 --------
 scanpipe/migrations/0069_project_purl.py      | 18 ++++++++
 scanpipe/models.py                            |  9 ++--
 .../pipelines/publish_to_federatedcode.py     | 42 ++-----------------
 scanpipe/pipes/federatedcode.py               | 40 ++++++++++++++++++
 .../templates/scanpipe/project_settings.html  |  4 +-
 scanpipe/tests/test_models.py                 |  2 +-
 9 files changed, 80 insertions(+), 71 deletions(-)
 delete mode 100644 scanpipe/migrations/0068_project_project_purl.py
 create mode 100644 scanpipe/migrations/0069_project_purl.py

diff --git a/scanpipe/api/serializers.py b/scanpipe/api/serializers.py
index bd38e1214..96ad0232e 100644
--- a/scanpipe/api/serializers.py
+++ b/scanpipe/api/serializers.py
@@ -209,7 +209,7 @@ class Meta:
             "name",
             "url",
             "uuid",
-            "project_purl",
+            "purl",
             "upload_file",
             "upload_file_tag",
             "input_urls",
diff --git a/scanpipe/forms.py b/scanpipe/forms.py
index 5050c734b..5ce265d72 100644
--- a/scanpipe/forms.py
+++ b/scanpipe/forms.py
@@ -481,25 +481,25 @@ class Meta:
         fields = [
             "name",
             "notes",
-            "project_purl",
+            "purl",
         ]
         widgets = {
             "name": forms.TextInput(attrs={"class": "input"}),
             "notes": forms.Textarea(attrs={"rows": 3, "class": "textarea is-dynamic"}),
-            "project_purl": forms.TextInput(attrs={"class": "input"}),
+            "purl": forms.TextInput(attrs={"class": "input"}),
         }
 
-    def clean_project_purl(self):
+    def clean_purl(self):
         """Validate the Project PURL."""
-        project_purl = self.cleaned_data.get("project_purl")
+        purl = self.cleaned_data.get("purl")
 
-        if project_purl:
+        if purl:
             try:
-                PackageURL.from_string(project_purl)
+                PackageURL.from_string(purl)
             except ValueError:
-                raise forms.ValidationError("Project PURL must be a valid PackageURL")
+                raise forms.ValidationError("PURL must be a valid PackageURL")
 
-        return project_purl
+        return purl
 
     def __init__(self, *args, **kwargs):
         """Load initial values from Project ``settings`` field."""
diff --git a/scanpipe/migrations/0068_project_project_purl.py b/scanpipe/migrations/0068_project_project_purl.py
deleted file mode 100644
index 5d55137af..000000000
--- a/scanpipe/migrations/0068_project_project_purl.py
+++ /dev/null
@@ -1,18 +0,0 @@
-# Generated by Django 5.0.7 on 2024-10-22 14:37
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('scanpipe', '0067_discoveredpackage_notes'),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='project',
-            name='project_purl',
-            field=models.CharField(blank=True, help_text='Project Package URL.', max_length=2048),
-        ),
-    ]
diff --git a/scanpipe/migrations/0069_project_purl.py b/scanpipe/migrations/0069_project_purl.py
new file mode 100644
index 000000000..80c503cd0
--- /dev/null
+++ b/scanpipe/migrations/0069_project_purl.py
@@ -0,0 +1,18 @@
+# Generated by Django 5.1.3 on 2024-11-08 12:47
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('scanpipe', '0068_rename_discovered_dependencies_attribute'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='project',
+            name='purl',
+            field=models.CharField(blank=True, help_text='Package URL for the project, used for pushing project scan result to FederatedCode. This should be the PURL of the input.', max_length=2048),
+        ),
+    ]
diff --git a/scanpipe/models.py b/scanpipe/models.py
index 07fd613cb..0b51de19a 100644
--- a/scanpipe/models.py
+++ b/scanpipe/models.py
@@ -562,10 +562,13 @@ class Project(UUIDPKModel, ExtraDataFieldMixin, UpdateMixin, models.Model):
     notes = models.TextField(blank=True)
     settings = models.JSONField(default=dict, blank=True)
     labels = TaggableManager(through=UUIDTaggedItem)
-    project_purl = models.CharField(
+    purl = models.CharField(
         max_length=2048,
         blank=True,
-        help_text=_("Project Package URL."),
+        help_text=_(
+            "Package URL for the project, used for pushing project scan result to "
+            "FederatedCode. This should be the PURL of the input."
+        ),
     )
 
     objects = ProjectQuerySet.as_manager()
@@ -710,7 +713,7 @@ def clone(
         """Clone this project using the provided ``clone_name`` as new project name."""
         new_project = Project.objects.create(
             name=clone_name,
-            project_purl=self.project_purl,
+            purl=self.purl,
             settings=self.settings if copy_settings else {},
         )
 
diff --git a/scanpipe/pipelines/publish_to_federatedcode.py b/scanpipe/pipelines/publish_to_federatedcode.py
index ad86c7eab..b3dc6cf7b 100644
--- a/scanpipe/pipelines/publish_to_federatedcode.py
+++ b/scanpipe/pipelines/publish_to_federatedcode.py
@@ -21,8 +21,6 @@
 # Visit https://github.com/aboutcode-org/scancode.io for support and download.
 
 
-from packageurl import PackageURL
-
 from scanpipe.pipelines import Pipeline
 from scanpipe.pipes import federatedcode
 
@@ -54,46 +52,14 @@ def check_federatedcode_eligibility(self):
         """
         Check if the project fulfills the following criteria for
         pushing the project result to FederatedCode.
-
-        Criteria:
-            - FederatedCode is configured and available.
-            - All pipelines have completed successfully.
-            - Source is a download_url.
-            - Must have ``project_purl`` with version.
         """
-        if not federatedcode.is_configured():
-            raise Exception("FederatedCode is not configured.")
-
-        if not federatedcode.is_available():
-            raise Exception("FederatedCode Git account is not available.")
-
-        all_executed_pipeline_successful = all(
-            run.task_succeeded for run in self.project.runs.executed()
-        )
-
-        source_is_download_url = any(
-            source.download_url for source in self.project.inputsources.all()
-        )
-
-        if not all_executed_pipeline_successful:
-            raise Exception("Make sure all the pipelines has completed successfully.")
-
-        if not source_is_download_url:
-            raise Exception("Project input should be download_url.")
-
-        if not self.project.project_purl:
-            raise Exception("Missing Project PURL.")
-
-        project_package_url = PackageURL.from_string(self.project.project_purl)
-
-        if not project_package_url.version:
-            raise Exception("Missing version in Project PURL.")
+        federatedcode.check_federatedcode_eligibility(project=self.project)
 
     def get_package_repository(self):
         """Get the Git repository URL and scan path for a given package."""
         self.package_git_repo, self.package_scan_file = (
             federatedcode.get_package_repository(
-                project_purl=self.project.project_purl, logger=self.log
+                project_purl=self.project.purl, logger=self.log
             )
         )
 
@@ -118,11 +84,11 @@ def commit_and_push_changes(self):
         federatedcode.commit_and_push_changes(
             repo=self.repo,
             file_to_commit=str(self.relative_file_path),
-            purl=self.project.project_purl,
+            purl=self.project.purl,
             logger=self.log,
         )
         self.log(
-            f"Scan result for '{self.project.project_purl}' "
+            f"Scan result for '{self.project.purl}' "
             f"pushed to '{self.package_git_repo}'"
         )
 
diff --git a/scanpipe/pipes/federatedcode.py b/scanpipe/pipes/federatedcode.py
index 28810a253..485a4091a 100644
--- a/scanpipe/pipes/federatedcode.py
+++ b/scanpipe/pipes/federatedcode.py
@@ -85,6 +85,46 @@ def get_package_repository(project_purl, logger=None):
     return package_git_repo_url, package_scan_path
 
 
+def check_federatedcode_eligibility(project):
+    """
+    Check if the project fulfills the following criteria for
+    pushing the project result to FederatedCode.
+
+    Criteria:
+        - FederatedCode is configured and available.
+        - All pipelines have completed successfully.
+        - Source is a download_url.
+        - Must have ``project_purl`` with version.
+    """
+    if not is_configured():
+        raise Exception("FederatedCode is not configured.")
+
+    if not is_available():
+        raise Exception("FederatedCode Git account is not available.")
+
+    all_executed_pipeline_successful = all(
+        run.task_succeeded for run in project.runs.executed()
+    )
+
+    source_is_download_url = any(
+        source.download_url for source in project.inputsources.all()
+    )
+
+    if not all_executed_pipeline_successful:
+        raise Exception("Make sure all the pipelines has completed successfully.")
+
+    if not source_is_download_url:
+        raise Exception("Project input should be download_url.")
+
+    if not project.purl:
+        raise Exception("Missing Project PURL.")
+
+    project_package_url = PackageURL.from_string(project.purl)
+
+    if not project_package_url.version:
+        raise Exception("Missing version in Project PURL.")
+
+
 def clone_repository(repo_url, logger=None):
     """Clone repository to local_path."""
     local_dir = tempfile.mkdtemp()
diff --git a/scanpipe/templates/scanpipe/project_settings.html b/scanpipe/templates/scanpipe/project_settings.html
index b99559746..8d6b556c6 100644
--- a/scanpipe/templates/scanpipe/project_settings.html
+++ b/scanpipe/templates/scanpipe/project_settings.html
@@ -28,10 +28,10 @@
                 </div>
                 <div class="field">
                   <label class="label" for="{{ form.name.id_for_label }}">
-                    Project PURL
+                    PURL
                   </label>
                   <div class="control">
-                    {{ form.project_purl }}
+                    {{ form.purl }}
                   </div>
                 </div>
                 <div class="field">
diff --git a/scanpipe/tests/test_models.py b/scanpipe/tests/test_models.py
index f4513ac13..9c365fde9 100644
--- a/scanpipe/tests/test_models.py
+++ b/scanpipe/tests/test_models.py
@@ -2047,7 +2047,7 @@ def test_scanpipe_webhook_subscription_model_get_payload(self):
             "project": {
                 "name": "Analysis",
                 "uuid": str(self.project1.uuid),
-                "project_purl": "",
+                "purl": "",
                 "is_archived": False,
                 "notes": "",
                 "labels": [],

From b040aeb7b06fa474f12d9e3592ff6d8c6dee58dd Mon Sep 17 00:00:00 2001
From: Keshav Priyadarshi <git@keshav.space>
Date: Fri, 8 Nov 2024 19:52:49 +0530
Subject: [PATCH 13/16] Address reviews

Signed-off-by: Keshav Priyadarshi <git@keshav.space>
---
 CHANGELOG.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 5074f79c9..b0e183a33 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -22,7 +22,7 @@ v34.9.0 (unreleased)
   to FederatedCode.
   https://github.com/nexB/scancode.io/pull/1400
 
-- Add new ``project_purl`` field to project model. https://github.com/nexB/scancode.io/pull/1400
+- Add new ``purl`` field to project model. https://github.com/nexB/scancode.io/pull/1400
 
 v34.8.3 (2024-10-30)
 --------------------

From cbcc5dce21d8470eb44e4784d6a726545b20c170 Mon Sep 17 00:00:00 2001
From: Keshav Priyadarshi <git@keshav.space>
Date: Mon, 11 Nov 2024 22:00:59 +0530
Subject: [PATCH 14/16] Address review

Signed-off-by: Keshav Priyadarshi <git@keshav.space>
---
 scanpipe/forms.py                                 | 2 +-
 scanpipe/templates/scanpipe/project_settings.html | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/scanpipe/forms.py b/scanpipe/forms.py
index 5ce265d72..c23300d19 100644
--- a/scanpipe/forms.py
+++ b/scanpipe/forms.py
@@ -486,7 +486,7 @@ class Meta:
         widgets = {
             "name": forms.TextInput(attrs={"class": "input"}),
             "notes": forms.Textarea(attrs={"rows": 3, "class": "textarea is-dynamic"}),
-            "purl": forms.TextInput(attrs={"class": "input"}),
+            "purl": forms.TextInput(attrs={"class": "input", "placeholder": "pkg:npm/lodash@4.0.1",}),
         }
 
     def clean_purl(self):
diff --git a/scanpipe/templates/scanpipe/project_settings.html b/scanpipe/templates/scanpipe/project_settings.html
index 8d6b556c6..731e9da0e 100644
--- a/scanpipe/templates/scanpipe/project_settings.html
+++ b/scanpipe/templates/scanpipe/project_settings.html
@@ -33,6 +33,7 @@
                   <div class="control">
                     {{ form.purl }}
                   </div>
+                  <p class="help">{{ form.purl.help_text }}</p>
                 </div>
                 <div class="field">
                   <label class="label" for="{{ form.notes.id_for_label }}">

From c27176842fa6ad899c46f259924efa302a577112 Mon Sep 17 00:00:00 2001
From: Keshav Priyadarshi <git@keshav.space>
Date: Mon, 11 Nov 2024 22:04:15 +0530
Subject: [PATCH 15/16] Fix test

Signed-off-by: Keshav Priyadarshi <git@keshav.space>
---
 scanpipe/forms.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/scanpipe/forms.py b/scanpipe/forms.py
index c23300d19..ac76f23f4 100644
--- a/scanpipe/forms.py
+++ b/scanpipe/forms.py
@@ -486,7 +486,12 @@ class Meta:
         widgets = {
             "name": forms.TextInput(attrs={"class": "input"}),
             "notes": forms.Textarea(attrs={"rows": 3, "class": "textarea is-dynamic"}),
-            "purl": forms.TextInput(attrs={"class": "input", "placeholder": "pkg:npm/lodash@4.0.1",}),
+            "purl": forms.TextInput(
+                attrs={
+                    "class": "input",
+                    "placeholder": "pkg:npm/lodash@4.0.1",
+                }
+            ),
         }
 
     def clean_purl(self):

From 9b63e21ac80ab4dd42147a3f3c04167df1ef4928 Mon Sep 17 00:00:00 2001
From: Keshav Priyadarshi <git@keshav.space>
Date: Tue, 12 Nov 2024 16:26:25 +0530
Subject: [PATCH 16/16] Add unit test for clean_purl

Signed-off-by: Keshav Priyadarshi <git@keshav.space>
---
 scanpipe/forms.py                              |  2 +-
 scanpipe/models.py                             |  6 ++++--
 .../templates/scanpipe/project_settings.html   |  2 +-
 scanpipe/tests/pipes/test_federatedcode.py     |  2 +-
 scanpipe/tests/test_forms.py                   | 18 ++++++++++++++++++
 5 files changed, 25 insertions(+), 5 deletions(-)

diff --git a/scanpipe/forms.py b/scanpipe/forms.py
index ac76f23f4..45fed5d94 100644
--- a/scanpipe/forms.py
+++ b/scanpipe/forms.py
@@ -489,7 +489,7 @@ class Meta:
             "purl": forms.TextInput(
                 attrs={
                     "class": "input",
-                    "placeholder": "pkg:npm/lodash@4.0.1",
+                    "placeholder": "pkg:npm/lodash@4.7.21",
                 }
             ),
         }
diff --git a/scanpipe/models.py b/scanpipe/models.py
index 0b51de19a..0afce189a 100644
--- a/scanpipe/models.py
+++ b/scanpipe/models.py
@@ -566,8 +566,10 @@ class Project(UUIDPKModel, ExtraDataFieldMixin, UpdateMixin, models.Model):
         max_length=2048,
         blank=True,
         help_text=_(
-            "Package URL for the project, used for pushing project scan result to "
-            "FederatedCode. This should be the PURL of the input."
+            "Package URL (PURL) for the project, required for pushing the project's "
+            "scan result to FederatedCode. For example, if the input is an input URL "
+            "like https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz, the "
+            "corresponding PURL would be pkg:npm/lodash@4.17.21."
         ),
     )
 
diff --git a/scanpipe/templates/scanpipe/project_settings.html b/scanpipe/templates/scanpipe/project_settings.html
index 731e9da0e..9bc32b230 100644
--- a/scanpipe/templates/scanpipe/project_settings.html
+++ b/scanpipe/templates/scanpipe/project_settings.html
@@ -33,7 +33,7 @@
                   <div class="control">
                     {{ form.purl }}
                   </div>
-                  <p class="help">{{ form.purl.help_text }}</p>
+                  <p class="help">{{ form.purl.help_text|urlize }}</p>
                 </div>
                 <div class="field">
                   <label class="label" for="{{ form.notes.id_for_label }}">
diff --git a/scanpipe/tests/pipes/test_federatedcode.py b/scanpipe/tests/pipes/test_federatedcode.py
index c80779abb..82175b21a 100644
--- a/scanpipe/tests/pipes/test_federatedcode.py
+++ b/scanpipe/tests/pipes/test_federatedcode.py
@@ -69,7 +69,7 @@ def test_scanpipe_pipes_federatedcode_add_scan_result(self):
         self.assertIn("npm/foobar/v1.2.3/scancodeio.json", repo.untracked_files)
         shutil.rmtree(repo.working_dir)
 
-    def test_scancpipe_pipes_federatedcode_delete_local_clone(self):
+    def test_scanpipe_pipes_federatedcode_delete_local_clone(self):
         local_dir = tempfile.mkdtemp()
         repo = git.Repo.init(local_dir)
         federatedcode.delete_local_clone(repo)
diff --git a/scanpipe/tests/test_forms.py b/scanpipe/tests/test_forms.py
index 2d4ae07cc..b46e312b8 100644
--- a/scanpipe/tests/test_forms.py
+++ b/scanpipe/tests/test_forms.py
@@ -230,6 +230,24 @@ def test_scanpipe_forms_project_settings_form_policies(self):
         self.assertEqual(policies_as_yaml.strip(), project.settings["policies"])
         self.assertEqual(license_policies_index, project.get_policy_index())
 
+    def test_scanpipe_forms_project_settings_form_purl(self):
+        data_invalid_purl = {
+            "name": "proj name",
+            "purl": "pkg/npm/lodash@4.17.21",
+        }
+        data_valid_purl = {
+            "name": "proj name",
+            "purl": "pkg:npm/lodash@4.17.21",
+        }
+
+        form1 = ProjectSettingsForm(data=data_invalid_purl)
+        self.assertFalse(form1.is_valid())
+
+        form2 = ProjectSettingsForm(data=data_valid_purl)
+        self.assertTrue(form2.is_valid())
+        obj = form2.save()
+        self.assertEqual("pkg:npm/lodash@4.17.21", obj.purl)
+
     def test_scanpipe_forms_edit_input_source_tag_form(self):
         data = {}
         form = EditInputSourceTagForm(data=data)