license_finder 6.5.0 → 6.12.0

data/ci/tasks/rubocop.yml

@@ -5,6 +5,8 @@ image_resource:
   source:
     repository: ruby
     tag: 2.7.1
+    username: ((LicenseFinderDocker.username))
+    password: ((LicenseFinderDocker.password))
 
 inputs:
 - name: LicenseFinder

data/ci/tasks/update-changelog.yml

@@ -4,6 +4,8 @@ image_resource:
   source:
     repository: brenix/alpine-bash-git-ssh
     tag: latest
+    username: ((LicenseFinderDocker.username))
+    password: ((LicenseFinderDocker.password))
 platform: linux
 inputs:
 - name: lf-git

data/examples/Gemfile

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+gem 'license_finder', path: '..'

data/examples/custom_erb_template.rb

@@ -0,0 +1,24 @@
+#!/usr/bin/env ruby
+
+# frozen_string_literal: true
+
+require 'rubygems'
+require 'bundler/setup'
+
+# This is an example of how to programatically generate a report using a custom
+# ERB template. Run with
+# > bundle install
+# > ./custom_erb_template.rb
+
+require 'license_finder'
+
+# See lib/license_finder/core.rb for more configuration options.
+# A quiet logger is required when running reports...
+lf = LicenseFinder::Core.new(LicenseFinder::Configuration.with_optional_saved_config(logger: :quiet))
+
+# Find many more examples of complex ERB templates in
+# lib/license_finder/reports/templates/
+template = Pathname.new('./sample_template.erb')
+print LicenseFinder::ErbReport
+  .new(lf.acknowledged, project_name: lf.project_name)
+  .to_s(template)

data/examples/extract_license_data.rb

@@ -0,0 +1,63 @@
+#!/usr/bin/env ruby
+
+# frozen_string_literal: true
+
+require 'rubygems'
+require 'bundler/setup'
+
+# This is an example of how to programatically extract the information that
+# LicenseFinder has about packages and their licenses.
+# > bundle install
+# > ./extract_license_data.rb
+
+require 'license_finder'
+
+# See lib/license_finder/core.rb for more configuration options.
+# A quiet logger is required when running reports...
+lf = LicenseFinder::Core.new(LicenseFinder::Configuration.with_optional_saved_config(logger: :quiet))
+
+# Groups of packages
+lf.acknowledged # All (non-ignored) packages license_finder is tracking
+lf.unapproved # The packages which have not been approved or permitted
+lf.restricted # The packages which have been restricted
+
+# Package details
+lf.acknowledged.each do |package|
+  # Approvals
+  package.approved? # Whether the package has been approved manually or permitted
+  package.approved_manually?
+  package.permitted?
+  package.restricted?
+
+  # Licensing
+  # The set of licenses, each of which has a name and url, which
+  # license_finder will report for this package.
+  package.licenses
+  # Additional information about how these licenses were chosen
+  # (from decision, from spec, from files, or none-found).  See
+  # LicenseFinder::Licensing and LicenseFinder::Activation
+  package.activations
+  # The files that look like licenses, found in the package's
+  # directory.  Caveat: if a package's licenses were specified by a decision or
+  # by the package's spec, the license_files will be ignored.  That means,
+  # package.licenses may report different licenses than those found in
+  # license_files.
+  package.license_files
+  package.license_files.each do |file|
+    # The license found in this file.
+    file.license
+    # The text of the file.  Sometimes this will be an entire README file,
+    # because license_finder has found the phrase "is released under the
+    # MIT license" in it.
+    file.text
+  end
+  package.licensing.activations_from_decisions # If license_finder only knew about decisions, what licenses would it report?
+  package.licensing.activations_from_spec      # If license_finder only knew about package specs, what licenses would it report?
+  package.licensing.activations_from_files     # If license_finder only knew about package files, what licenses would it report?
+  package.licensing.activations_from_files.each do |activation|
+    # Each activation groups together all files that point to the same license.
+    # Each file contains its #license and #text.
+    activation.license
+    activation.files
+  end
+end

data/examples/sample_template.erb

@@ -0,0 +1,7 @@
+Licenses
+
+<%= dependencies.size %> total
+
+<% grouped_dependencies.each do |license_name, group| -%>
+* <%= group.size %> <%= license_name %>
+<% end %>

data/lib/license_finder/cli/base.rb

@@ -11,6 +11,10 @@ module LicenseFinder
                    desc: 'Where decisions are saved. Defaults to doc/dependency_decisions.yml.'
       class_option :log_directory,
                    desc: 'Where logs are saved. Defaults to ./lf_logs/$PROJECT/prepare_$PACKAGE_MANAGER.log'
+      class_option :enabled_package_managers,
+                   desc: 'List of package managers to be enabled. Defaults to all supported package managers.',
+                   type: :array,
+                   enum: LicenseFinder::Scanner.supported_package_manager_ids
 
       no_commands do
         def decisions
@@ -32,6 +36,7 @@ module LicenseFinder
         extract_options(
           :project_path,
           :decisions_file,
+          :enabled_package_managers,
           :go_full_version,
           :gradle_command,
           :gradle_include_groups,
@@ -53,7 +58,9 @@ module LicenseFinder
           :columns,
           :aggregate_paths,
           :recursive,
-          :sbt_include_groups
+          :sbt_include_groups,
+          :conda_bash_setup_script,
+          :composer_check_require_only
         ).merge(
           logger: logger_mode
         )

data/lib/license_finder/cli/inherited_decisions.rb

@@ -20,6 +20,15 @@ module LicenseFinder
         say "Added #{decision_files.join(', ')} to the inherited decisions"
       end
 
+      auditable
+      desc 'add_with_auth URL AUTH_TYPE TOKEN_OR_ENV', 'Add a remote decision file that needs authentication'
+      def add_with_auth(*params)
+        url, auth_type, token_or_env = params
+        auth_info = { 'url' => url, 'authorization' => "#{auth_type} #{token_or_env}" }
+        modifying { decisions.add_decision [:inherit_from, auth_info] }
+        say "Added #{url} to the inherited decisions"
+      end
+
       auditable
       desc 'remove DECISION_FILE...', 'Remove one or more decision files from the inherited decisions'
       def remove(*decision_files)
@@ -27,6 +36,15 @@ module LicenseFinder
         modifying { decision_files.each { |filepath| decisions.remove_inheritance(filepath) } }
         say "Removed #{decision_files.join(', ')} from the inherited decisions"
       end
+
+      auditable
+      desc 'remove_with_auth URL AUTH_TYPE TOKEN_OR_ENV', 'Add a remote decision file that needs authentication'
+      def remove_with_auth(*params)
+        url, auth_type, token_or_env = params
+        auth_info = { 'url' => url, 'authorization' => "#{auth_type} #{token_or_env}" }
+        modifying { decisions.remove_inheritance(auth_info) }
+        say "Removed #{url} from the inherited decisions"
+      end
     end
   end
 end

data/lib/license_finder/cli/main.rb

@@ -19,7 +19,8 @@ module LicenseFinder
         'markdown' => MarkdownReport,
         'csv' => CsvReport,
         'xml' => XmlReport,
-        'json' => JsonReport
+        'json' => JsonReport,
+        'junit' => JunitReport
       }.freeze
 
       class_option :go_full_version, desc: 'Whether dependency version should include full version. Only meaningful if used with a Go project. Defaults to false.'
@@ -37,6 +38,9 @@ module LicenseFinder
       class_option :mix_command, desc: "Command to use when fetching packages through Mix. Only meaningful if used with a Mix project (i.e., Elixir or Erlang). Defaults to 'mix'."
       class_option :mix_deps_dir, desc: "Path to Mix dependencies directory. Only meaningful if used with a Mix project (i.e., Elixir or Erlang). Defaults to 'deps'."
       class_option :sbt_include_groups, desc: 'Whether dependency name should include group id. Only meaningful if used with a Scala/sbt project. Defaults to false.'
+      class_option :conda_bash_setup_script, desc: "Path to conda.sh script. Only meaningful if used with a Conda project. Defaults to '~/miniconda3/etc/profile.d/conda.sh'."
+      class_option :composer_check_require_only,
+                   desc: "Whether to only check for licenses from dependencies on the 'require' section. Only meaningful if used with a Composer project. Defaults to false."
 
       # Method options which are shared between report and action_item
       def self.format_option

data/lib/license_finder/configuration.rb

@@ -35,7 +35,7 @@ module LicenseFinder
     end
 
     def rebar_deps_dir
-      path = get(:rebar_deps_dir) || 'deps'
+      path = get(:rebar_deps_dir) || '_build/default/lib'
       project_path.join(path).expand_path
     end
 
@@ -65,6 +65,10 @@ module LicenseFinder
       Pathname(path_prefix).expand_path
     end
 
+    def enabled_package_manager_ids
+      get(:enabled_package_managers)
+    end
+
     def logger_mode
       get(:logger)
     end
@@ -93,6 +97,10 @@ module LicenseFinder
       get(:pip_requirements_path)
     end
 
+    def conda_bash_setup_script
+      get(:conda_bash_setup_script)
+    end
+
     def python_version
       get(:python_version)
     end
@@ -137,6 +145,10 @@ module LicenseFinder
       get(:sbt_include_groups)
     end
 
+    def composer_check_require_only
+      get(:composer_check_require_only)
+    end
+
     attr_writer :strict_matching
 
     attr_reader :strict_matching

data/lib/license_finder/core.rb

@@ -24,7 +24,7 @@ module LicenseFinder
     # Default +options+:
     # {
     #   project_path: Pathname.pwd
-    #   logger: {},   # can include quiet: true or debug: true
+    #   logger: nil,   # can be :quiet or :debug
     #   decisions_file: "doc/dependency_decisions.yml",
     #   gradle_command: "gradle",
     #   rebar_command: "rebar",
@@ -93,6 +93,7 @@ module LicenseFinder
         project_path: config.project_path,
         log_directory: File.join(config.log_directory, project_name),
         ignored_groups: decisions.ignored_groups,
+        enabled_package_manager_ids: config.enabled_package_manager_ids,
         go_full_version: config.go_full_version,
         gradle_command: config.gradle_command,
         gradle_include_groups: config.gradle_include_groups,
@@ -107,7 +108,9 @@ module LicenseFinder
         mix_deps_dir: config.mix_deps_dir,
         prepare: config.prepare,
         prepare_no_fail: config.prepare_no_fail,
-        sbt_include_groups: config.sbt_include_groups
+        sbt_include_groups: config.sbt_include_groups,
+        conda_bash_setup_script: config.conda_bash_setup_script,
+        composer_check_require_only: config.composer_check_require_only
       }
     end
   end

data/lib/license_finder/decisions.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'open-uri'
+require 'license_finder/license'
 
 module LicenseFinder
   class Decisions
@@ -39,7 +40,15 @@ module LicenseFinder
     end
 
     def permitted?(lic)
-      @permitted.include?(lic)
+      if @permitted.include?(lic)
+        true
+      elsif lic.is_a?(OrLicense)
+        lic.sub_licenses.any? { |sub_lic| @permitted.include?(sub_lic) }
+      elsif lic.is_a?(AndLicense)
+        lic.sub_licenses.all? { |sub_lic| @permitted.include?(sub_lic) }
+      else
+        false
+      end
     end
 
     def restricted?(lic)
@@ -183,19 +192,37 @@ module LicenseFinder
       self
     end
 
-    def inherit_from(filepath)
+    def inherit_from(filepath_info)
       decisions =
-        if filepath =~ %r{^https?://}
-          open_uri(filepath).read
+        if filepath_info.is_a?(Hash)
+          resolve_inheritance(filepath_info)
+        elsif filepath_info =~ %r{^https?://}
+          open_uri(filepath_info).read
         else
-          Pathname(filepath).read
+          Pathname(filepath_info).read
         end
 
-      add_decision [:inherit_from, filepath]
-      @inherited_decisions << filepath
+      add_decision [:inherit_from, filepath_info]
+      @inherited_decisions << filepath_info
       restore_inheritance(decisions)
     end
 
+    def resolve_inheritance(filepath_info)
+      if (gem_name = filepath_info['gem'])
+        Pathname(gem_config_path(gem_name, filepath_info['path'])).read
+      else
+        open_uri(filepath_info['url'], filepath_info['authorization']).read
+      end
+    end
+
+    def gem_config_path(gem_name, relative_config_path)
+      spec = Gem::Specification.find_by_name(gem_name)
+      File.join(spec.gem_dir, relative_config_path)
+    rescue Gem::LoadError => e
+      raise Gem::LoadError,
+            "Unable to find gem #{gem_name}; is the gem installed? #{e}"
+    end
+
     def remove_inheritance(filepath)
       @decisions -= [[:inherit_from, filepath]]
       @inherited_decisions.delete(filepath)
@@ -213,17 +240,31 @@ module LicenseFinder
       self
     end
 
-    def open_uri(uri)
+    def open_uri(uri, auth = nil)
+      header = {}
+      auth_header = resolve_authorization(auth)
+      header['Authorization'] = auth_header if auth_header
+
       # ruby < 2.5.0 URI.open is private
       if Gem::Version.new(RUBY_VERSION) < Gem::Version.new('2.5.0')
         # rubocop:disable Security/Open
-        open(uri)
+        open(uri, header)
         # rubocop:enable Security/Open
       else
-        URI.open(uri)
+        URI.open(uri, header)
       end
     end
 
+    def resolve_authorization(auth)
+      return unless auth
+
+      token_env = auth.match(/\$(\S.*)/)
+      return auth unless token_env
+
+      token = ENV[token_env[1]]
+      auth.sub(token_env[0], token)
+    end
+
     #########
     # PERSIST
     #########
@@ -240,6 +281,13 @@ module LicenseFinder
       return result unless persisted
 
       actions = YAML.load(persisted)
+
+      list_of_actions = (actions || []).map(&:first)
+
+      if (list_of_actions & %i[whitelist blacklist]).any?
+        raise 'The decisions file seems to have whitelist/blacklist keys which are deprecated. Please replace them with permit/restrict respectively and try again! More info - https://github.com/pivotal/LicenseFinder/commit/a40b22fda11b3a0efbb3c0a021381534bc998dd9'
+      end
+
       (actions || []).each do |action, *args|
         result.send(action, *args)
       end

data/lib/license_finder/license.rb

@@ -19,7 +19,17 @@ module LicenseFinder
 
       def find_by_name(name)
         name ||= 'unknown'
-        all.detect { |l| l.matches_name? l.stripped_name(name) } || Definitions.build_unrecognized(name)
+        license = all.detect { |l| l.matches_name? l.stripped_name(name) }
+
+        if license
+          license
+        elsif name.include?(OrLicense.operator)
+          OrLicense.new(name)
+        elsif name.include?(AndLicense.operator)
+          AndLicense.new(name)
+        else
+          Definitions.build_unrecognized(name)
+        end
       end
 
       def find_by_text(text)
@@ -61,6 +71,10 @@ module LicenseFinder
       name.hash
     end
 
+    def unrecognized_matcher?
+      matcher.is_a?(NoneMatcher)
+    end
+
     private
 
     attr_reader :short_name, :pretty_name, :other_names
@@ -70,4 +84,34 @@ module LicenseFinder
       ([short_name, pretty_name] + other_names).uniq
     end
   end
+  class AndLicense < License
+    def self.operator
+      ' AND '
+    end
+
+    def initialize(name, operator = AndLicense.operator)
+      @short_name = name
+      @pretty_name = name
+      @url = nil
+      @matcher = NoneMatcher.new
+      # removes heading and trailing parentesis and splits
+      name = name[1..-2] if name.start_with?('(')
+      names = name.split(operator)
+      @sub_licenses = names.map do |sub_name|
+        License.find_by_name(sub_name)
+      end
+    end
+
+    attr_reader :sub_licenses
+  end
+
+  class OrLicense < AndLicense
+    def self.operator
+      ' OR '
+    end
+
+    def initialize(name)
+      super(name, OrLicense.operator)
+    end
+  end
 end