license_finder 6.5.0 → 6.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6cb023a2297b083354287a99cd5fb5cb5640fb6fe8e4c449f9407f9198f14dfe
-  data.tar.gz: 7af5d367b73cb9447a78d83e49db2ca810a2d7a6315b313941acb99251bc11ed
+  metadata.gz: e7e3a83f4f274f851f8c7005b05cdfa4d453b44879bab381b59c00a0cf8066cc
+  data.tar.gz: 44bdd7d357c0bc8d4bc111489eb7102690d6cd4a04e92d4c064625b6a97f5591
 SHA512:
-  metadata.gz: c6530566a1e99b1a8b5bdf36d7b9486c2cb95c112e856e7d69525ce139d0d14a1eab1d2ea538009338ce94a822cbe5faf99ae1d4ff5674f417abd25ba0845497
-  data.tar.gz: b6fdc169ec59d8b84ae96a8ab5bbb25a7ce8ee2cc7de6d96acfc63347d00bfc5009a24cf743d39add5de78e21b3c56c52856baa76d05ba6a81996c974ad8074d
+  metadata.gz: 5f361eb0ae74e3cfa6ff1390951f8a1dc18c3f9da9b460e7ab373dba19b195f57b2e891640d595bc48bc37e598f565c537252b09a03f9fd3073c59011a50406c
+  data.tar.gz: a3e85a00c781671cfe1de68bc31a35876705904278bf0a34453ef65a5ac78a4761abb2ce4a537b3ce9d8f31c87733043acea612a8b876ae4944773d979f00005

data/CHANGELOG.md

@@ -1,3 +1,33 @@
+# [6.8.0] / 2020-08-06
+
+# [6.7.0] / 2020-07-23
+
+# [6.6.2] / 2020-07-09
+
+### Added
+* support for rebar3 - [b20e7444](https://github.com/pivotal/LicenseFinder/commit/b20e7444c147d8dbfa46eb4e8e549e03be751e02) - Jeff Jun
+* Support for Go modules projects outside of the current working directory - [56b3bec6](https://github.com/pivotal/LicenseFinder/commit/56b3bec632b3884ce4cad538742b4a13c55fd7c5)
+
+### Changed
+* Change Go modules to only report imported packages (as with other Go package managers) - [34361fda](https://github.com/pivotal/LicenseFinder/commit/34361fdab2dc3f197f7aec6408175018dee3b453) and [dffae4ab](https://github.com/pivotal/LicenseFinder/commit/dffae4ab95e34115b6a54bf681fc0966a8611f01)
+* Detect Go modules based on `go.mod` (instead of `go.sum`) - [667f6be7](https://github.com/pivotal/LicenseFinder/commit/667f6be716504a53ccc2824daae08af085566546)
+
+### Fixed
+* handle empty case for mix dependencies [#173637843] - [fc34b281](https://github.com/pivotal/LicenseFinder/commit/fc34b2813925a709addde675849e199b05fc4a23) - Jeff Jun
+
+### Removed
+* support for rebar2 [#173637980] - [b20e7444](https://github.com/pivotal/LicenseFinder/commit/b20e7444c147d8dbfa46eb4e8e549e03be751e02) - Jeff Jun
+* Removed the unnecessary prepare command for Go modules - [284cc5c8](https://github.com/pivotal/LicenseFinder/commit/284cc5c821270a6e56275e32bac836a3e451f46b)
+
+# [6.6.1] / 2020-06-30
+
+### Changed
+* Handle multiple solution files for nuget [#173021333] - [040d9559](https://github.com/pivotal/LicenseFinder/commit/040d9559a4bda07490255cc34c1a7891081bc511) 
+* matches license names from pypi api call with known licenses to avoid returning misformatted licenses [#173421573] - [6b96d746](https://github.com/pivotal/LicenseFinder/commit/6b96d74600034abcacee6ed2b322aa3abfaa0992) - Jeff Jun
+* Update Nuget Package Manager prepare command - [6ac07066](https://github.com/pivotal/LicenseFinder/commit/6ac070668955bc034da1647658440ce5bb0d9bd2) - Jason Smith
+
+# [6.6.0] / 2020-06-22
+
 # [6.5.0] / 2020-06-01
 
 ### Added
@@ -874,3 +904,8 @@ Bugfixes:
 [6.3.0]: https://github.com/pivotal/LicenseFinder/compare/v6.2.0...v6.3.0
 [6.4.0]: https://github.com/pivotal/LicenseFinder/compare/v6.3.0...v6.4.0
 [6.5.0]: https://github.com/pivotal/LicenseFinder/compare/v6.4.0...v6.5.0
+[6.6.0]: https://github.com/pivotal/LicenseFinder/compare/v6.5.0...v6.6.0
+[6.6.1]: https://github.com/pivotal/LicenseFinder/compare/v6.6.0...v6.6.1
+[6.6.2]: https://github.com/pivotal/LicenseFinder/compare/v6.6.1...v6.6.2
+[6.7.0]: https://github.com/pivotal/LicenseFinder/compare/v6.6.2...v6.7.0
+[6.8.0]: https://github.com/pivotal/LicenseFinder/compare/v6.7.0...v6.8.0

data/Dockerfile

@@ -48,11 +48,13 @@ ENV JAVA_HOME=/opt/jdk-12.0.2
 ENV PATH=$PATH:$JAVA_HOME/bin
 RUN java -version
 
-# install python and rebar
-RUN apt-get install -y python rebar
+# install rebar3
+RUN curl -o rebar3 https://s3.amazonaws.com/rebar3/rebar3 && \
+    sudo chmod +x rebar3 && \
+    sudo mv rebar3 /usr/local/bin/rebar3
 
-# install and update python-pip
-RUN apt-get install -y python-pip python3-pip && \
+# install and update python and python-pip
+RUN apt-get install -y python python-pip python3-pip && \
     pip2 install --no-cache-dir --upgrade pip==$PIP_INSTALL_VERSION  && \
     pip3 install --no-cache-dir --upgrade pip==$PIP3_INSTALL_VERSION
 
@@ -157,7 +159,7 @@ RUN apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 4F4EA0AAE5
     apt-get update &&\
     apt-get install -y php7.4-cli &&\
     php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" &&\
-    php -r "if (hash_file('sha384', 'composer-setup.php') === 'e0012edf3e80b6978849f5eff0d4b4e4c79ff1609dd1e613307e16318854d24ae64f26d17af3ef0bf7cfb710ca74755a') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;" &&\
+    php -r "if (hash_file('sha384', 'composer-setup.php') === 'e5325b19b381bfd88ce90a5ddb7823406b2a38cff6bb704b0acc289a09c8128d4a8ce2bbafcd1fcbdc38666422fe2806') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;" &&\
     php composer-setup.php &&\
     php -r "unlink('composer-setup.php');" &&\
     mv composer.phar /usr/bin/composer

data/README.md

@@ -43,7 +43,7 @@ and give you an actionable exception report.
 
 ### Experimental project types
 
-* Erlang (via `rebar`)
+* Erlang (via `rebar` and `Erlang.mk`)
 * Objective-C, Swift (via Carthage or CocoaPods \[0.39 and below. See [CocoaPods Specs Repo Sharding](http://blog.cocoapods.org/Sharding/)\])
 * Objective-C (+ CocoaPods 0.39 and below. See [CocoaPods Specs Repo Sharding](http://blog.cocoapods.org/Sharding/))
 * Elixir (via `mix`)
@@ -176,6 +176,7 @@ languages, as long as that language has a package definition in the project dire
 * `Podfile` (for `pod`)
 * `Cartfile` (for `carthage`)
 * `rebar.config` (for `rebar`)
+* `Erlang.mk` or `erlang.mk` file (for `Erlang.mk`)
 * `mix.exs` (for `mix`)
 * `packages/` directory (for `nuget`)
 * `*.csproj` (for `dotnet`)
@@ -183,7 +184,7 @@ languages, as long as that language has a package definition in the project dire
 * `glide.lock` file (for `glide`)
 * `vendor/vendor.json` file (for `govendor`)
 * `Gopkg.lock` file (for `dep`)
-* `go.sum` file (for `go mod`)
+* `go.mod` file (for `go mod`)
 * `vendor.conf` file (for `trash`)
 * `yarn.lock` file (for `yarn`)
 * `conanfile.txt` file (for `conan`)
@@ -327,7 +328,7 @@ you should manually research what the actual license is.  When you
 have established the real license, you can record it with:
 
 ```sh
-$ license_finder dependencies add my_unknown_dependency MIT --homepage="www.unknown-code.org"
+$ license_finder licenses add my_unknown_dependency MIT --homepage="www.unknown-code.org"
 ```
 
 This command would assign the MIT license to the dependency
@@ -379,6 +380,26 @@ items, even if someone attempts to manually approve or permit it.  However,
 if a dependency has even one license that is not restricted, it can still be
 manually approved or permitted.
 
+## Decision inheritance
+
+Add or remove decision files you want to inherit from - see `license_finder inherited_decisions help` for more information.
+
+This allows you to have a centralized decision file for approved/restricted licenses. If you have multiple projects it's way easier to have one single place where you approved or restricted licenses defined.
+
+Add one or more decision files to the inherited decisions
+```bash
+license_finder inherited_decisions add DECISION_FILE
+```
+
+Remove one or more decision files from the inherited decisions
+```bash
+license_finder inherited_decisions remove DECISION_FILE
+```
+
+List all the inherited decision files
+```bash
+license_finder inherited_decisions list
+```
 
 ## Configuration
 
@@ -392,7 +413,7 @@ If you have a gradle project, you can invoke gradle with a custom script by
 passing (for example) `--gradle_command gradlew` to `license_finder` or
 `license_finder report`.
 
-Similarly you can invoke a custom rebar script with `--rebar_command rebar2`.
+Similarly you can invoke a custom rebar script with `--rebar_command rebar`.
 If you store rebar dependencies in a custom directory (by setting `deps_dir` in
 `rebar.config`), set `--rebar_deps_dir`.
 
@@ -467,6 +488,8 @@ licenseConfigurations := Set("compile", "provided")
 
 ## Upgrading
 
+To upgrade to `license_finder` version >= 6.0, you have to replace the terminology `whitelist` with `permit` and  `blacklist` with `restrict` in your `dependency_decisions.yml`. See [Changelog](https://github.com/pivotal/LicenseFinder/blob/master/CHANGELOG.md#600--2020-01-22) for more details.
+
 To upgrade from `license_finder` version 1.2 to 2.0, see
 [`license_finder_upgrade`](https://github.com/mainej/license_finder_upgrade).
 To upgrade to 2.0 from a version lower than 1.2, first upgrade to 1.2, and run

data/Rakefile

@@ -6,15 +6,6 @@ Bundler::GemHelper.install_tasks
 require './lib/license_finder/platform'
 require 'rspec/core/rake_task'
 
-namespace :spec do
-  desc 'Run test tagged \'focus\''
-  RSpec::Core::RakeTask.new(:focus) do |t|
-    t.fail_on_error = true
-    t.pattern = './spec/**/*_spec.rb'
-    t.rspec_opts = %w[--color --tag focus]
-  end
-end
-
 desc 'Run all specs in spec/'
 RSpec::Core::RakeTask.new(:spec) do |t|
   t.fail_on_error = true

data/VERSION

@@ -1 +1 @@
-6.5.0
+6.8.0

data/ci/pipelines/release.yml.erb

@@ -123,21 +123,31 @@ jobs:
 
 - name: bump-major
   plan:
-    - put: semver-version
+    - get: semver-version
       tags: ["private-worker"]
       params: {bump: major}
+    - put: semver-version
+      tags: ["private-worker"]
+      params: {file: semver-version/version}
+
 
 - name: bump-minor
   plan:
-    - put: semver-version
+    - get: semver-version
       tags: ["private-worker"]
       params: {bump: minor}
+    - put: semver-version
+      tags: ["private-worker"]
+      params: {file: semver-version/version}
 
 - name: bump-patch
   plan:
-    - put: semver-version
+    - get: semver-version
       tags: ["private-worker"]
       params: {bump: patch}
+    - put: semver-version
+      tags: ["private-worker"]
+      params: {file: semver-version/version}
 
 - name: release
   disable_manual_trigger: true

data/lib/license_finder/cli/inherited_decisions.rb

@@ -20,6 +20,15 @@ module LicenseFinder
         say "Added #{decision_files.join(', ')} to the inherited decisions"
       end
 
+      auditable
+      desc 'add_with_auth URL AUTH_TYPE TOKEN_OR_ENV', 'Add a remote decision file that needs authentication'
+      def add_with_auth(*params)
+        url, auth_type, token_or_env = params
+        auth_info = { 'url' => url, 'authorization' => "#{auth_type} #{token_or_env}" }
+        modifying { decisions.add_decision [:inherit_from, auth_info] }
+        say "Added #{url} to the inherited decisions"
+      end
+
       auditable
       desc 'remove DECISION_FILE...', 'Remove one or more decision files from the inherited decisions'
       def remove(*decision_files)
@@ -27,6 +36,15 @@ module LicenseFinder
         modifying { decision_files.each { |filepath| decisions.remove_inheritance(filepath) } }
         say "Removed #{decision_files.join(', ')} from the inherited decisions"
       end
+
+      auditable
+      desc 'remove_with_auth URL AUTH_TYPE TOKEN_OR_ENV', 'Add a remote decision file that needs authentication'
+      def remove_with_auth(*params)
+        url, auth_type, token_or_env = params
+        auth_info = { 'url' => url, 'authorization' => "#{auth_type} #{token_or_env}" }
+        modifying { decisions.remove_inheritance(auth_info) }
+        say "Removed #{url} from the inherited decisions"
+      end
     end
   end
 end

data/lib/license_finder/configuration.rb

@@ -35,7 +35,7 @@ module LicenseFinder
     end
 
     def rebar_deps_dir
-      path = get(:rebar_deps_dir) || 'deps'
+      path = get(:rebar_deps_dir) || '_build/default/lib'
       project_path.join(path).expand_path
     end
 

data/lib/license_finder/decisions.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'open-uri'
+require 'license_finder/license'
 
 module LicenseFinder
   class Decisions
@@ -39,6 +40,9 @@ module LicenseFinder
     end
 
     def permitted?(lic)
+      return lic.sub_licenses.any? { |sub_lic| @permitted.include?(sub_lic) } if lic.is_a?(OrLicense)
+      return lic.sub_licenses.all? { |sub_lic| @permitted.include?(sub_lic) } if lic.is_a?(AndLicense)
+
       @permitted.include?(lic)
     end
 
@@ -183,19 +187,37 @@ module LicenseFinder
       self
     end
 
-    def inherit_from(filepath)
+    def inherit_from(filepath_info)
       decisions =
-        if filepath =~ %r{^https?://}
-          open_uri(filepath).read
+        if filepath_info.is_a?(Hash)
+          resolve_inheritance(filepath_info)
+        elsif filepath_info =~ %r{^https?://}
+          open_uri(filepath_info).read
         else
-          Pathname(filepath).read
+          Pathname(filepath_info).read
         end
 
-      add_decision [:inherit_from, filepath]
-      @inherited_decisions << filepath
+      add_decision [:inherit_from, filepath_info]
+      @inherited_decisions << filepath_info
       restore_inheritance(decisions)
     end
 
+    def resolve_inheritance(filepath_info)
+      if (gem_name = filepath_info['gem'])
+        Pathname(gem_config_path(gem_name, filepath_info['path'])).read
+      else
+        open_uri(filepath_info['url'], filepath_info['authorization']).read
+      end
+    end
+
+    def gem_config_path(gem_name, relative_config_path)
+      spec = Gem::Specification.find_by_name(gem_name)
+      File.join(spec.gem_dir, relative_config_path)
+    rescue Gem::LoadError => e
+      raise Gem::LoadError,
+            "Unable to find gem #{gem_name}; is the gem installed? #{e}"
+    end
+
     def remove_inheritance(filepath)
       @decisions -= [[:inherit_from, filepath]]
       @inherited_decisions.delete(filepath)
@@ -213,17 +235,31 @@ module LicenseFinder
       self
     end
 
-    def open_uri(uri)
+    def open_uri(uri, auth = nil)
+      header = {}
+      auth_header = resolve_authorization(auth)
+      header['Authorization'] = auth_header if auth_header
+
       # ruby < 2.5.0 URI.open is private
       if Gem::Version.new(RUBY_VERSION) < Gem::Version.new('2.5.0')
         # rubocop:disable Security/Open
-        open(uri)
+        open(uri, header)
         # rubocop:enable Security/Open
       else
-        URI.open(uri)
+        URI.open(uri, header)
       end
     end
 
+    def resolve_authorization(auth)
+      return unless auth
+
+      token_env = auth.match(/\$(\S.*)/)
+      return auth unless token_env
+
+      token = ENV[token_env[1]]
+      auth.sub(token_env[0], token)
+    end
+
     #########
     # PERSIST
     #########

data/lib/license_finder/license.rb

@@ -19,6 +19,9 @@ module LicenseFinder
 
       def find_by_name(name)
         name ||= 'unknown'
+        return OrLicense.new(name) if name.include?(OrLicense.operator)
+        return AndLicense.new(name) if name.include?(AndLicense.operator)
+
         all.detect { |l| l.matches_name? l.stripped_name(name) } || Definitions.build_unrecognized(name)
       end
 
@@ -61,6 +64,10 @@ module LicenseFinder
       name.hash
     end
 
+    def unrecognized_matcher?
+      matcher.is_a?(NoneMatcher)
+    end
+
     private
 
     attr_reader :short_name, :pretty_name, :other_names
@@ -70,4 +77,34 @@ module LicenseFinder
       ([short_name, pretty_name] + other_names).uniq
     end
   end
+  class AndLicense < License
+    def self.operator
+      ' AND '
+    end
+
+    def initialize(name, operator = AndLicense.operator)
+      @short_name = name
+      @pretty_name = name
+      @url = nil
+      @matcher = NoneMatcher.new
+      # removes heading and trailing parentesis and splits
+      name = name[1..-2] if name.start_with?('(')
+      names = name.split(operator)
+      @sub_licenses = names.map do |sub_name|
+        License.find_by_name(sub_name)
+      end
+    end
+
+    attr_reader :sub_licenses
+  end
+
+  class OrLicense < AndLicense
+    def self.operator
+      ' OR '
+    end
+
+    def initialize(name)
+      super(name, OrLicense.operator)
+    end
+  end
 end

data/lib/license_finder/license/definitions.rb

@@ -19,13 +19,15 @@ module LicenseFinder
           lgpl,
           lgpl2_1,
           mit,
+          mpl1_1,
           mpl2,
           newbsd,
           ofl,
           python,
           ruby,
           simplifiedbsd,
-          wtfpl
+          wtfpl,
+          zerobsd
         ]
       end
 
@@ -181,8 +183,32 @@ module LicenseFinder
         )
       end
 
+      def mpl1_1
+        header_regexp = /Mozilla Public Licen[sc]e.*Version 1\.1/im
+
+        header_regexp_matcher = Matcher.from_regex(header_regexp)
+        mpl1_1_tmpl = Template.named('MPL1_1')
+
+        matcher = AnyMatcher.new(
+          HeaderMatcher.new(header_regexp_matcher, 2),
+          Matcher.from_template(mpl1_1_tmpl)
+        )
+
+        License.new(
+          short_name: 'MPL1_1',
+          pretty_name: 'Mozilla Public License 1.1',
+          other_names: [
+            'MPL-1.1',
+            'Mozilla Public License, Version 1.1',
+            'Mozilla Public License version 1.1'
+          ],
+          url: 'https://www.mozilla.org/media/MPL/1.1/index.0c5913925d40.txt',
+          matcher: matcher
+        )
+      end
+
       def mpl2
-        header_regexp = /Mozilla Public Licen[sc]e, version 2.0/
+        header_regexp = /Mozilla Public Licen[sc]e, version 2\.0/
 
         matcher = AnyMatcher.new(
           Matcher.from_template(Template.named('MPL2')),
@@ -302,6 +328,27 @@ module LicenseFinder
           url: 'http://www.wtfpl.net/'
         )
       end
+
+      def zerobsd
+        matcher = AnyMatcher.new(
+          Matcher.from_template(Template.named('0BSD'))
+        )
+
+        License.new(
+          short_name: '0BSD',
+          pretty_name: 'BSD Zero Clause License',
+          other_names: [
+            '0-Clause BSD',
+            'Zero-Clause BSD',
+            'BSD-0-Clause',
+            'BSD-Zero-Clause',
+            'BSD 0-Clause',
+            'BSD Zero-Clause'
+          ],
+          url: 'https://opensource.org/licenses/0BSD',
+          matcher: matcher
+        )
+      end
     end
   end
 end