Add Meson WrapDB mining pipeline #803

[Adityakk9031]

Closes #803

Description

Add a new mining pipeline to collect package metadata from the
Meson WrapDB repository.

The WrapDB maintains a curated registry of ~350+ upstream C/C++ packages
used as subproject dependencies in the Meson build system. The pipeline
clones the WrapDB repo, parses its releases.json index, and yields
PURLs in the format pkg:meson/<name>@<version>.

Changes

New Files

• minecode_pipelines/pipes/meson.py — Pipe module that parses
  releases.json and yields (base_purl, [versioned_purls]) tuples
• minecode_pipelines/pipelines/mine_meson.py — Pipeline class
  MineMeson that clones WrapDB, counts packages, and publishes PURLs
  via FederatedCode
• minecode_pipelines/tests/pipes/test_meson.py — Unit tests for
  get_meson_packages (4 test cases)
• minecode_pipelines/tests/test_data/meson/releases.json — Test
  fixture with a 3-package subset of real WrapDB data

Modified Files

• pyproject-minecode_pipelines.toml — Registered mine_meson entry
  point under [project.entry-points."scancodeio_pipelines"]

Design Notes

• PURL type: Uses pkg:meson since WrapDB versions carry a -N
  suffix for build recipe revisions that don't exist upstream (e.g.,
  1.3.6-1), warranting a distinct type.
• Data source: Uses releases.json (single JSON index at repo root)
  rather than individual .wrap files, since .wrap files only describe
  the latest version while releases.json contains all historical
  versions.
• Architecture: Follows the same pattern as the existing Conan
  pipeline (clone repo → count → yield PURLs → publish).

References

• WrapDB repo: https://github.com/mesonbuild/wrapdb
• Wrap docs: https://mesonbuild.com/Wrap-dependency-system-manual.html
• releases.json format: each key is a package name, value has
  dependency_names and versions arrays

[Adityakk9031]

@pombredanne please have a look

[pombredanne]

Out of curiosity, did you use any AI tool to create this code?

[pombredanne]

Thanks. Please see comments. I look forward to your detailed replies.

[pombredanne]

Please use a real extract from the real JSON, not truncated.

[Adityakk9031]

Test data — Replaced with real, complete entries verbatim from WrapDB

releases.json
(adamyaxley-obfuscate, aklomp-base64, apache-orc, bzip2, catch2 — all untruncated).

[pombredanne]

Do not check these one by one. Reuse the data-driven with a JSON expected file

[Adityakk9031]

Switched to fully data-driven approach comparing against

expected_purls.json
. No more one-by-one assertions.

[pombredanne]

Are you really loading the whole file just to get a count?

[Adityakk9031]

HTTP fetch — Removed repo cloning entirely. Now uses requests.get() to fetch just

releases.json
directly.

[pombredanne]

Is this a registered PURL in the spec repo? If not we need one there first

[Adityakk9031]

Removed from

pipes/meson.py
, kept only in

mine_meson.py
where it's used.

[pombredanne]

You are already opening that file before.

[pombredanne]

Where is this used? Why not use that rather than a repo clone?

[pombredanne]

Why do you clone the whole repo for now, since you are using only a single release file? And why try also a release.json URL elsewhere?

[pombredanne]

What is this for?

[Adityakk9031]

@pombredanne Addressed all comments — real test data, data-driven tests, HTTP fetch instead of clone, removed duplicates and unused imports. Regarding the PURL type:

meson
isn't registered yet. Should I open a PR at purl-spec first, or use pkg:generic for now? And yes, I used AI for initial scaffolding but reviewed everything myself.