Package Resources are not associated to packages in application Packages scan step update

[JonoYang]

In updating the application Packages scanning step in the scan_codebase pipeline for #447, I noticed that the CodebaseResources of a Package are not associated with the Packages that was scanned. Looking a little deeper, I see that the Package Resources in scancode.io cannot be properly associated to the Package they are from by using the .assemble() methods from packagedcode's Package handlers. This is because of how for_packages is implemented on the CodebaseResource model in scancode.io and the Resource model in commoncode. In scancode.io, for_packages on the CodebaseResource model is a property that collects the purls for Packages that have been related to that CodebaseResource. In scancode-toolkit/commoncode, for_packages on the Resource model is a list that contains package_uid strings for the Package the Resource is from.

When you run the .assemble() methods from packagedcode Package handlers on a CodebaseResource object, it attempts to append package_uid strings to the for_packages field. This does not properly work since CodebaseResource.for_packages is a property, not an attribute that can be used the same way.

[JonoYang]

This issue has been fixed, following an update to scancode-toolkit where the code has been modified to be able to accept different functions that adds a package to a resource. aboutcode-org/scancode-toolkit#3035