license_conflicts 0.3.0

data/lib/license_conflicts/conflicts_map.rb

@@ -0,0 +1,212 @@
+# frozen_string_literal: true
+
+# All license names in this file use the canonical form returned by
+# LicenseFinder (dependency.licenses.first.name). Input is normalised via
+# LicenseNormalizer before any lookup, so SPDX IDs and common aliases are
+# handled transparently.
+
+module LicenseConflicts
+  APACHE2_CONFLICTS = [
+    "MIT",
+    "New BSD",
+    "Simplified BSD",
+    "Zlib",
+    "MPL 1.1",
+    "CDDL 1.0",
+    "AGPL 1.0"
+  ].freeze
+
+  NEW_BSD_CONFLICTS = [
+    "MIT",
+    "Simplified BSD",
+    "Zlib",
+    "MPL 1.1",
+    "CDDL 1.0",
+    "AGPL 1.0"
+  ].freeze
+
+  GPL2_CONFLICTS = [
+    "MIT",
+    "Simplified BSD",
+    "New BSD",
+    "Apache 2.0",
+    "Zlib",
+    "AFL 3.0",
+    "MPL 1.1",
+    "MPL 2.0",
+    "CDDL 1.0",
+    "LGPL 2.1",
+    "LGPL 3.0",
+    "OSL 3.0",
+    "AGPL 1.0"
+  ].freeze
+
+  GPL3_CONFLICTS = [
+    "MIT",
+    "Simplified BSD",
+    "New BSD",
+    "Apache 2.0",
+    "Zlib",
+    "AFL 3.0",
+    "MPL 1.1",
+    "MPL 2.0",
+    "CDDL 1.0",
+    "LGPL 2.1",
+    "LGPL 3.0",
+    "OSL 3.0",
+    "GPLv2",
+    "AGPL 1.0"
+  ].freeze
+
+  MPL2_CONFLICTS = [
+    "MIT",
+    "Simplified BSD",
+    "New BSD",
+    "Apache 2.0",
+    "Zlib",
+    "AFL 3.0",
+    "MPL 1.1",
+    "CDDL 1.0",
+    "LGPL 3.0",
+    "OSL 3.0",
+    "AGPL 1.0"
+  ].freeze
+
+  SIMPLIFIED_BSD_CONFLICTS = [
+    "MIT",
+    "Zlib",
+    "MPL 1.1",
+    "CDDL 1.0",
+    "AGPL 1.0"
+  ].freeze
+
+  CONFLICTS_MAP = {
+    "MIT" => [
+      "Zlib",
+      "MPL 1.1",
+      "CDDL 1.0",
+      "AGPL 1.0"
+    ],
+    "Simplified BSD" => SIMPLIFIED_BSD_CONFLICTS,
+    "New BSD"        => NEW_BSD_CONFLICTS,
+    "Apache 2.0"     => APACHE2_CONFLICTS,
+    "Zlib" => [
+      "MIT",
+      "New BSD",
+      "Simplified BSD",
+      "MPL 1.1",
+      "CDDL 1.0",
+      "AGPL 1.0"
+    ],
+    "AFL 3.0" => [
+      "MIT",
+      "Simplified BSD",
+      "New BSD",
+      "Apache 2.0",
+      "MPL 1.1",
+      "MPL 2.0",
+      "CDDL 1.0",
+      "LGPL 2.1",
+      "LGPL 3.0",
+      "GPLv2",
+      "GPLv3",
+      "AGPL 3",
+      "Zlib",
+      "AGPL 1.0"
+    ],
+    "MPL 1.1" => [
+      "MIT",
+      "Simplified BSD",
+      "New BSD",
+      "Apache 2.0",
+      "Zlib",
+      "AFL 3.0",
+      "LGPL 3.0",
+      "OSL 3.0",
+      "AGPL 1.0"
+    ],
+    "MPL 2.0"    => MPL2_CONFLICTS,
+    "CDDL 1.0" => [
+      "MIT",
+      "Simplified BSD",
+      "New BSD",
+      "Apache 2.0",
+      "Zlib",
+      "AFL 3.0",
+      "MPL 1.1",
+      "MPL 2.0",
+      "LGPL 2.1",
+      "LGPL 3.0",
+      "OSL 3.0",
+      "GPLv2",
+      "GPLv3",
+      "AGPL 3",
+      "AGPL 1.0"
+    ],
+    "LGPL 2.1" => [
+      "MIT",
+      "Simplified BSD",
+      "New BSD",
+      "Apache 2.0",
+      "Zlib",
+      "AFL 3.0",
+      "MPL 1.1",
+      "MPL 2.0",
+      "CDDL 1.0",
+      "OSL 3.0",
+      "AGPL 1.0"
+    ],
+    "OSL 3.0" => [
+      "MIT",
+      "Simplified BSD",
+      "New BSD",
+      "Apache 2.0",
+      "Zlib",
+      "AFL 3.0",
+      "MPL 1.1",
+      "MPL 2.0",
+      "CDDL 1.0",
+      "LGPL 2.1",
+      "LGPL 3.0",
+      "GPLv2",
+      "GPLv3",
+      "AGPL 3",
+      "AGPL 1.0"
+    ],
+    "GPLv2"  => GPL2_CONFLICTS,
+    "GPLv3"  => GPL3_CONFLICTS,
+    "AGPL 3" => [
+      "MIT",
+      "Simplified BSD",
+      "New BSD",
+      "Apache 2.0",
+      "Zlib",
+      "AFL 3.0",
+      "MPL 1.1",
+      "MPL 2.0",
+      "CDDL 1.0",
+      "LGPL 2.1",
+      "LGPL 3.0",
+      "OSL 3.0",
+      "GPLv2",
+      "GPLv3",
+      "AGPL 1.0"
+    ],
+    "AGPL 1.0" => [
+      "MIT",
+      "Simplified BSD",
+      "New BSD",
+      "Apache 2.0",
+      "Zlib",
+      "AFL 3.0",
+      "MPL 1.1",
+      "MPL 2.0",
+      "CDDL 1.0",
+      "LGPL 2.1",
+      "LGPL 3.0",
+      "OSL 3.0",
+      "GPLv2",
+      "GPLv3"
+    ]
+  }.freeze
+end

data/lib/license_conflicts/finder.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require 'license_finder'
+require 'license_conflicts/conflicts_map'
+require 'license_conflicts/license_normalizer'
+require 'license_conflicts/project_metadata'
+
+module LicenseConflicts
+  class Finder
+    attr_reader :main_license
+
+    def initialize
+      @config ||= LicenseFinder::Configuration.with_optional_saved_config(license_finder_config)
+    end
+
+    def find_conflicts
+      @main_license = LicenseNormalizer.normalize(project_license)
+
+      raise "Could not detect the project license. Ensure your project metadata file declares a license." if main_license.nil?
+      raise "License '#{main_license}' is not covered by the conflict matrix." unless CONFLICTS_MAP.key?(main_license)
+
+      check_conflicts
+    end
+
+    def dependencies_count
+      unapproved.count { |d| d.name != project_name }
+    end
+
+    def project_license
+      examined_package = unapproved.find { |d| d.name == project_name }
+      examined_package&.licenses&.first&.name || project_metadata.license
+    end
+
+    private
+
+    def project_name
+      project_metadata.name
+    end
+
+    def project_metadata
+      @project_metadata ||= ProjectMetadata.new
+    end
+
+    def license_finder_config
+      {
+        prepare: true,
+        logger: LicenseFinder::Logger::MODE_QUIET
+      }
+    end
+
+    def finder
+      @finder ||= LicenseFinder::LicenseAggregator.new(config, nil)
+    end
+
+    def unapproved
+      @unapproved ||= finder.unapproved
+    end
+
+    def check_conflicts
+      unapproved.filter { |dependency| has_conflict?(dependency.licenses.first&.name) }
+    end
+
+    def has_conflict?(dependency_license)
+      CONFLICTS_MAP[main_license].include?(LicenseNormalizer.normalize(dependency_license))
+    end
+  end
+end

data/lib/license_conflicts/license_normalizer.rb

@@ -0,0 +1,240 @@
+# frozen_string_literal: true
+
+module LicenseConflicts
+  module LicenseNormalizer
+    # Maps known license aliases and SPDX identifiers to the canonical names
+    # used by LicenseFinder (i.e. what `dependency.licenses.first.name` returns).
+    # Sources:
+    #   - LicenseFinder definitions: lib/license_finder/license/definitions.rb
+    #   - SPDX license list: https://spdx.org/licenses/
+    ALIASES = {
+      # -----------------------------------------------------------------------
+      # MIT
+      # -----------------------------------------------------------------------
+      "MIT"                    => "MIT",
+      "Expat"                  => "MIT",
+      "MIT license"            => "MIT",
+      "MIT License"            => "MIT",
+      "MIT License (MIT)"      => "MIT",
+
+      # -----------------------------------------------------------------------
+      # Apache 2.0
+      # -----------------------------------------------------------------------
+      "Apache 2.0"                            => "Apache 2.0",
+      "Apache-2.0"                            => "Apache 2.0",
+      "apache-2.0"                            => "Apache 2.0",
+      "Apache 2"                              => "Apache 2.0",
+      "Apache Software License"               => "Apache 2.0",
+      "Apache License 2.0"                    => "Apache 2.0",
+      "Apache License Version 2.0"            => "Apache 2.0",
+      "Apache Public License 2.0"             => "Apache 2.0",
+      "Apache Software License, Version 2.0"  => "Apache 2.0",
+      "Apache Software License - Version 2.0" => "Apache 2.0",
+      "Apache License, Version 2.0"           => "Apache 2.0",
+      "ASL 2.0"                               => "Apache 2.0",
+      "ASF 2.0"                               => "Apache 2.0",
+
+      # -----------------------------------------------------------------------
+      # Apache 1.1
+      # -----------------------------------------------------------------------
+      "Apache 1.1"                            => "Apache 1.1",
+      "Apache-1.1"                            => "Apache 1.1",
+      "APACHE 1.1"                            => "Apache 1.1",
+      "Apache License 1.1"                    => "Apache 1.1",
+      "Apache License Version 1.1"            => "Apache 1.1",
+      "Apache Public License 1.1"             => "Apache 1.1",
+      "Apache Software License, Version 1.1"  => "Apache 1.1",
+      "Apache Software License - Version 1.1" => "Apache 1.1",
+      "Apache License, Version 1.1"           => "Apache 1.1",
+      "ASL 1.1"                               => "Apache 1.1",
+      "ASF 1.1"                               => "Apache 1.1",
+
+      # -----------------------------------------------------------------------
+      # New BSD (BSD 3-Clause)
+      # -----------------------------------------------------------------------
+      "New BSD"                  => "New BSD",
+      "NewBSD"                   => "New BSD",
+      "BSD-3-Clause"             => "New BSD",
+      "BSD3"                     => "New BSD",
+      "BSD 3"                    => "New BSD",
+      "BSD-3"                    => "New BSD",
+      "Modified BSD"             => "New BSD",
+      "3-clause BSD"             => "New BSD",
+      "3-Clause BSD License"     => "New BSD",
+      "BSD 3-Clause"             => "New BSD",
+      "BSD 3-Clause License"     => "New BSD",
+      "BSD 3-clause New License" => "New BSD",
+      "New BSD License"          => "New BSD",
+      "BSD New license"          => "New BSD",
+      "BSD License 3"            => "New BSD",
+      "BSD Licence 3"            => "New BSD",
+
+      # -----------------------------------------------------------------------
+      # Simplified BSD (BSD 2-Clause)
+      # -----------------------------------------------------------------------
+      "Simplified BSD"         => "Simplified BSD",
+      "BSD-2-Clause"           => "Simplified BSD",
+      "BSD-2"                  => "Simplified BSD",
+      "FreeBSD"                => "Simplified BSD",
+      "2-clause BSD"           => "Simplified BSD",
+      "BSD 2-Clause"           => "Simplified BSD",
+      "BSD 2-Clause License"   => "Simplified BSD",
+
+      # -----------------------------------------------------------------------
+      # GPLv2
+      # -----------------------------------------------------------------------
+      "GPLv2"                                  => "GPLv2",
+      "GPL-2.0"                                => "GPLv2",
+      "GPL-2.0-only"                           => "GPLv2",
+      "GPL-2.0+"                               => "GPLv2",
+      "GPL V2"                                 => "GPLv2",
+      "gpl-v2"                                 => "GPLv2",
+      "GPL 2.0"                                => "GPLv2",
+      "GNU GENERAL PUBLIC LICENSE Version 2"   => "GPLv2",
+
+      # -----------------------------------------------------------------------
+      # GPLv3
+      # -----------------------------------------------------------------------
+      "GPLv3"                                  => "GPLv3",
+      "GPL-3.0"                                => "GPLv3",
+      "GPL-3.0-only"                           => "GPLv3",
+      "GPL-3.0+"                               => "GPLv3",
+      "GPL V3"                                 => "GPLv3",
+      "gpl-v3"                                 => "GPLv3",
+      "GPL 3.0"                                => "GPLv3",
+      "GNU GENERAL PUBLIC LICENSE Version 3"   => "GPLv3",
+
+      # -----------------------------------------------------------------------
+      # LGPL 3.0
+      # -----------------------------------------------------------------------
+      "LGPL"         => "LGPL 3.0",
+      "LGPL 3.0"     => "LGPL 3.0",
+      "LGPL-3"       => "LGPL 3.0",
+      "LGPLv3"       => "LGPL 3.0",
+      "LGPL-3.0"     => "LGPL 3.0",
+      "LGPL-3.0-only" => "LGPL 3.0",
+
+      # -----------------------------------------------------------------------
+      # LGPL 2.1
+      # -----------------------------------------------------------------------
+      "LGPL 2.1"                                    => "LGPL 2.1",
+      "LGPL-2.1"                                    => "LGPL 2.1",
+      "LGPL-2.1-only"                               => "LGPL 2.1",
+      "LGPL v2.1"                                   => "LGPL 2.1",
+      "GNU Lesser General Public License 2.1"       => "LGPL 2.1",
+      "GNU Lesser General Public License version 2.1" => "LGPL 2.1",
+
+      # -----------------------------------------------------------------------
+      # MPL 1.1
+      # -----------------------------------------------------------------------
+      "MPL 1.1"                               => "MPL 1.1",
+      "MPL-1.1"                               => "MPL 1.1",
+      "MPL-1.1+"                              => "MPL 1.1",
+      "Mozilla 1.1"                           => "MPL 1.1",
+      "Mozilla Public License 1.1"            => "MPL 1.1",
+      "Mozilla Public License, Version 1.1"   => "MPL 1.1",
+      "Mozilla Public License version 1.1"    => "MPL 1.1",
+
+      # -----------------------------------------------------------------------
+      # MPL 2.0
+      # -----------------------------------------------------------------------
+      "MPL 2.0"                               => "MPL 2.0",
+      "MPL-2.0"                               => "MPL 2.0",
+      "Mozilla 2.0"                           => "MPL 2.0",
+      "Mozilla Public License 2.0"            => "MPL 2.0",
+      "Mozilla Public License, Version 2.0"   => "MPL 2.0",
+      "Mozilla Public License version 2.0"    => "MPL 2.0",
+
+      # -----------------------------------------------------------------------
+      # AGPL 3
+      # -----------------------------------------------------------------------
+      "AGPL 3"                                        => "AGPL 3",
+      "AGPL3"                                         => "AGPL 3",
+      "AGPL-3.0"                                      => "AGPL 3",
+      "AGPL-3.0-only"                                 => "AGPL 3",
+      "AGPL 3.0"                                      => "AGPL 3",
+      "GNU Affero General Public License v3.0"        => "AGPL 3",
+      "GNU Affero General Public License, Version 3"  => "AGPL 3",
+
+      # -----------------------------------------------------------------------
+      # AGPL 1.0 (older version, not in LicenseFinder definitions but seen in the wild)
+      # -----------------------------------------------------------------------
+      "AGPL 1.0"   => "AGPL 1.0",
+      "AGPL-1.0"   => "AGPL 1.0",
+      "AGPL-1.0+"  => "AGPL 1.0",
+      "AGPL1"      => "AGPL 1.0",
+
+      # -----------------------------------------------------------------------
+      # CDDL 1.0
+      # -----------------------------------------------------------------------
+      "CDDL 1.0"                                                       => "CDDL 1.0",
+      "CDDL-1.0"                                                       => "CDDL 1.0",
+      "Common Development and Distribution License 1.0"                => "CDDL 1.0",
+      "Common Development and Distribution License (CDDL) v1.0"       => "CDDL 1.0",
+      "COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0" => "CDDL 1.0",
+
+      # -----------------------------------------------------------------------
+      # AFL 3.0
+      # -----------------------------------------------------------------------
+      "AFL 3.0"                               => "AFL 3.0",
+      "AFL-3.0"                               => "AFL 3.0",
+      "Academic Free License 3.0"             => "AFL 3.0",
+      "Academic Free License, Version 3.0"    => "AFL 3.0",
+
+      # -----------------------------------------------------------------------
+      # OSL 3.0
+      # -----------------------------------------------------------------------
+      "OSL 3.0"                               => "OSL 3.0",
+      "OSL-3.0"                               => "OSL 3.0",
+      "Open Software License 3.0"             => "OSL 3.0",
+      "Open Software License, Version 3.0"    => "OSL 3.0",
+
+      # -----------------------------------------------------------------------
+      # ISC
+      # -----------------------------------------------------------------------
+      "ISC"         => "ISC",
+      "ISC License" => "ISC",
+
+      # -----------------------------------------------------------------------
+      # Zlib
+      # -----------------------------------------------------------------------
+      "Zlib"                => "Zlib",
+      "zlib"                => "Zlib",
+      "zlib/libpng license" => "Zlib",
+      "zlib License"        => "Zlib",
+
+      # -----------------------------------------------------------------------
+      # Unlicense
+      # -----------------------------------------------------------------------
+      "Unlicense"     => "Unlicense",
+      "The Unlicense" => "Unlicense",
+
+      # -----------------------------------------------------------------------
+      # EPL 1.0
+      # -----------------------------------------------------------------------
+      "EPL 1.0"                          => "EPL 1.0",
+      "EPL-1.0"                          => "EPL 1.0",
+      "Eclipse 1.0"                      => "EPL 1.0",
+      "Eclipse Public License 1.0"       => "EPL 1.0",
+      "Eclipse Public License - v 1.0"   => "EPL 1.0",
+
+      # -----------------------------------------------------------------------
+      # EPL 2.0
+      # -----------------------------------------------------------------------
+      "EPL 2.0"                          => "EPL 2.0",
+      "EPL-2.0"                          => "EPL 2.0",
+      "Eclipse 2.0"                      => "EPL 2.0",
+      "Eclipse Public License 2.0"       => "EPL 2.0",
+      "Eclipse Public License - v 2.0"   => "EPL 2.0"
+    }.freeze
+
+    # Returns the canonical license name for the given string.
+    # If the name is not recognised, it is returned as-is so the caller can
+    # decide what to do (e.g. raise "not mapped").
+    def self.normalize(name)
+      return nil if name.nil?
+
+      ALIASES.fetch(name, name)
+    end
+  end
+end

data/lib/license_conflicts/project_metadata.rb

@@ -0,0 +1,128 @@
+# frozen_string_literal: true
+
+require "json"
+require "pathname"
+
+module LicenseConflicts
+  class ProjectMetadata
+    def name
+      @name ||= read_name
+    end
+
+    def license
+      @license ||= read_license
+    end
+
+    private
+
+    def read_name
+      package_json_data&.dig("name") ||
+        bower_json_data&.dig("name") ||
+        gemspec_data&.dig(:name) ||
+        setup_cfg_data&.dig(:name) ||
+        pyproject_toml_data&.dig(:name) ||
+        go_mod_data&.dig(:name) ||
+        godeps_data&.dig(:name) ||
+        pom_xml_data&.dig(:name) ||
+        Pathname.pwd.basename.to_s
+    end
+
+    def read_license
+      package_json_data&.dig("license") ||
+        bower_json_data&.dig("license") ||
+        gemspec_data&.dig(:license) ||
+        setup_cfg_data&.dig(:license) ||
+        pyproject_toml_data&.dig(:license) ||
+        pom_xml_data&.dig(:license)
+    end
+
+    def package_json_data
+      return unless File.exist?("./package.json")
+
+      @package_json_data ||= JSON.parse(File.read("./package.json"))
+    rescue JSON::ParserError
+      nil
+    end
+
+    def bower_json_data
+      return unless File.exist?("./bower.json")
+
+      @bower_json_data ||= JSON.parse(File.read("./bower.json"))
+    rescue JSON::ParserError
+      nil
+    end
+
+    def gemspec_data
+      gemspec_file = Dir.glob("./*.gemspec").first
+      return unless gemspec_file
+
+      @gemspec_data ||= begin
+        content = File.read(gemspec_file)
+        name    = content[/\.name\s*=\s*["']([^"']+)["']/, 1]
+        license = content[/\.license\s*=\s*["']([^"']+)["']/, 1]
+        { name: name, license: license }
+      end
+    end
+
+    def setup_cfg_data
+      return unless File.exist?("./setup.cfg")
+
+      @setup_cfg_data ||= begin
+        content = File.read("./setup.cfg")
+        name    = content[/^name\s*=\s*(.+)/, 1]&.strip
+        license = content[/^license\s*=\s*(.+)/, 1]&.strip
+        { name: name, license: license }
+      end
+    end
+
+    def pyproject_toml_data
+      return unless File.exist?("./pyproject.toml")
+
+      @pyproject_toml_data ||= begin
+        require "tomlrb"
+        data    = Tomlrb.load_file("./pyproject.toml")
+        project = data["project"] || data.dig("tool", "poetry") || {}
+        license = project["license"]
+        license = license["text"] if license.is_a?(Hash)
+        { name: project["name"], license: license }
+      rescue LoadError
+        nil
+      end
+    end
+
+    def go_mod_data
+      return unless File.exist?("./go.mod")
+
+      @go_mod_data ||= begin
+        name = File.read("./go.mod")[/^module\s+(\S+)/, 1]
+        { name: name }
+      end
+    end
+
+    def godeps_data
+      return unless File.exist?("./Godeps/Godeps.json")
+
+      @godeps_data ||= begin
+        data = JSON.parse(File.read("./Godeps/Godeps.json"))
+        { name: data["ImportPath"] }
+      rescue JSON::ParserError
+        nil
+      end
+    end
+
+    def pom_xml_data
+      return unless File.exist?("./pom.xml")
+
+      @pom_xml_data ||= begin
+        require "rexml/document"
+        doc     = REXML::Document.new(File.read("./pom.xml"))
+        name    = REXML::XPath.first(doc, "//project/name")&.text ||
+                  REXML::XPath.first(doc, "//project/artifactId")&.text
+        license = REXML::XPath.first(doc, "//project/licenses/license/name")&.text
+        { name: name, license: license }
+      rescue REXML::ParseException
+        nil
+      end
+    end
+  end
+end

data/lib/license_conflicts/report.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require 'license_finder'
+
+module LicenseConflicts
+  class Report
+    attr_reader :format, :dependencies
+
+    FORMATS = {
+      'text' => LicenseFinder::TextReport,
+      'html' => LicenseFinder::HtmlReport,
+      'markdown' => LicenseFinder::MarkdownReport,
+      'csv' => LicenseFinder::CsvReport,
+      'xml' => LicenseFinder::XmlReport,
+      'json' => LicenseFinder::JsonReport,
+      'junit' => LicenseFinder::JunitReport
+    }.freeze
+
+    def initialize(dependencies, format)
+      @dependencies = dependencies
+      @format = format
+    end
+
+    def report
+      report_class = FORMATS[format] || FORMATS['text']
+      puts report_class.of(dependencies, {})
+    end
+  end
+end

data/lib/license_conflicts/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module LicenseConflicts
+  VERSION = "0.3.0"
+end

data/lib/license_conflicts.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+require_relative 'license_conflicts/finder'
+require_relative 'license_conflicts/version'
+require_relative 'license_conflicts/report'
+require_relative 'license_conflicts/project_metadata'
+require_relative 'license_conflicts/license_normalizer'
+
+module LicenseConflicts
+end