license_finder 6.8.1 → 6.11.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b09e0ff0c5e115f24278e8d4e759562c10c8abf7c70920622c535ae21649c1cb
-  data.tar.gz: a357081ca1404d7f2575c90035f4b564ff5cc5036965f5ce071506767088df8d
+  metadata.gz: f7f4b1f6bb760975dc3d08674ea695ee52f788f3d5fe8f32bf6c22ef4308e6ff
+  data.tar.gz: b095c0577eb83de3f4620b586042a95c7874fe521899df58db6b8d48b900842c
 SHA512:
-  metadata.gz: 0f67f90622514f6a7bae4dc3a501558ae59aec3ed8c221a0255d5106b956d836c1b98bcc8fbcd7bfd22e1023d30223c0b04088da162b79eccf7b37541a455730
-  data.tar.gz: 8dd8c22b3adfd01aa9ddeb91504ce5b9103d429e5ef61cade5f9c30477a5d68497ac192d640005e6c82ed2640d6faa45aa7775f7db7a1c9a0605d49b1c0a372e
+  metadata.gz: 06bb9f32417581b6479c3a4bc3372d6dbf6af2c0133d8f7601216472b5308ae1bc1c168660b775b9eb0790a299dd9d8116b6be7139580d31a44b572880946e92
+  data.tar.gz: eb295649cdedef74dffc95efdc9ac025edcd29d851a7f8d35e5a514ce3739dc8bc246df502f36d789e3af95cc0078d08925d48b4d47cf29d34b56f3a0fd34dcf

data/CHANGELOG.md

@@ -1,3 +1,19 @@
+# [6.11.0] / 2021-03-04
+
+### Added
+* Add homepage for go_modules package manager - [912394a8](https://github.com/pivotal/LicenseFinder/commit/912394a8a6ab4c31b6918a21da9f37d5b368ed6b) 
+
+# [6.10.1] / 2021-01-08
+
+# [6.10.0] / 2020-11-27
+
+# [6.9.0] / 2020-10-05
+
+### Changed
+* to recognize permitted licenses with AND in the name [#173997648] - [eab14250](https://github.com/pivotal/LicenseFinder/commit/eab14250d188153f8c2b0b5c0191fec19bcddf55) - Raymond Lee
+
+# [6.8.2] / 2020-09-08
+
 # [6.8.1] / 2020-08-13
 
 # [6.8.0] / 2020-08-06
@@ -912,3 +928,8 @@ Bugfixes:
 [6.7.0]: https://github.com/pivotal/LicenseFinder/compare/v6.6.2...v6.7.0
 [6.8.0]: https://github.com/pivotal/LicenseFinder/compare/v6.7.0...v6.8.0
 [6.8.1]: https://github.com/pivotal/LicenseFinder/compare/v6.8.0...v6.8.1
+[6.8.2]: https://github.com/pivotal/LicenseFinder/compare/v6.8.1...v6.8.2
+[6.9.0]: https://github.com/pivotal/LicenseFinder/compare/v6.8.2...v6.9.0
+[6.10.0]: https://github.com/pivotal/LicenseFinder/compare/v6.9.0...v6.10.0
+[6.10.1]: https://github.com/pivotal/LicenseFinder/compare/v6.10.0...v6.10.1
+[6.11.0]: https://github.com/pivotal/LicenseFinder/compare/v6.10.1...v6.11.0

data/CONTRIBUTING.md

@@ -24,8 +24,8 @@ will use the gem version installed inside the docker image.
 
 ## Useful Tips
 
-To build the docker image simply call `docker build .` or explicitly pass the `Dockerfile`. Prebuilt versions of the 
-dockerfile can also be found on [Dockerhub](https://hub.docker.com/r/licensefinder/license_finder/tags/).  
+To build the docker image simply call `docker build .` or explicitly pass the `Dockerfile`. Prebuilt versions of the
+dockerfile can also be found on [Dockerhub](https://hub.docker.com/r/licensefinder/license_finder/tags/).
 
 To launch the docker image and interact with it via bash:
 ```
@@ -60,13 +60,13 @@ submitting a pull request which adds new columns to
 `lib/license_finder/reports/csv_report.rb`.
 
 It is also possible to generate a custom report from an ERB template.  Use this
-[example](https://gist.github.com/mainej/b190d2f138c2b9e2e20a) as a starting
+[example](https://github.com/pivotal/LicenseFinder/blob/master/examples/custom_erb_template.rb) as a starting
 point.  These reports will have access to the helpers in
 [`LicenseFinder::ErbReport`](https://github.com/pivotal/LicenseFinder/blob/master/lib/license_finder/reports/erb_report.rb).
 
 If you need a report with more detailed data or in a different format, we
 recommend writing a custom ruby script.  This
-[example](https://gist.github.com/mainej/48ac616844505d50f510) will get you
+[example](https://github.com/pivotal/LicenseFinder/blob/master/examples/extract_license_data.rb) will get you
 started.
 
 If you come up with something useful, consider posting it to the Google Group
@@ -91,6 +91,7 @@ To successfully run the test suite, you will need the following installed:
 - Conan
 - NuGet
 - dotnet
+- Conda (requires python)
 
 The [LicenseFinder docker image](https://hub.docker.com/r/licensefinder/license_finder/) already contains these dependencies.
 

data/Dockerfile

@@ -2,7 +2,7 @@ FROM ubuntu:xenial
 
 # Versioning
 ENV PIP_INSTALL_VERSION 19.0.2
-ENV PIP3_INSTALL_VERSION 8.1.1
+ENV PIP3_INSTALL_VERSION 20.0.2
 ENV GO_LANG_VERSION 1.14.3
 ENV MAVEN_VERSION 3.6.0
 ENV SBT_VERSION 1.3.3
@@ -25,7 +25,7 @@ RUN apt-get update && apt-get install -y \
 RUN add-apt-repository ppa:git-core/ppa && apt-get update && apt-get install -y git
 
 # nodejs seems to be required for the one of the gems
-RUN curl -sL https://deb.nodesource.com/setup_10.x | bash - && \
+RUN curl -sL https://deb.nodesource.com/setup_14.x | bash - && \
     apt-get -y install nodejs
 
 # install yarn
@@ -55,8 +55,8 @@ RUN curl -o rebar3 https://s3.amazonaws.com/rebar3/rebar3 && \
 
 # install and update python and python-pip
 RUN apt-get install -y python python-pip python3-pip && \
-    pip2 install --no-cache-dir --upgrade pip==$PIP_INSTALL_VERSION  && \
-    pip3 install --no-cache-dir --upgrade pip==$PIP3_INSTALL_VERSION
+    python3 -m pip install pip==$PIP3_INSTALL_VERSION --upgrade && \
+    python -m pip install pip==$PIP_INSTALL_VERSION --upgrade --force
 
 # install maven
 RUN curl -O https://archive.apache.org/dist/maven/maven-3/$MAVEN_VERSION/binaries/apache-maven-$MAVEN_VERSION-bin.tar.gz && \
@@ -154,16 +154,31 @@ RUN wget -q https://packages.microsoft.com/config/ubuntu/16.04/packages-microsof
   sudo apt-get update &&\
   sudo apt-get install -y dotnet-runtime-2.1 dotnet-sdk-2.1 dotnet-sdk-2.2 dotnet-sdk-3.0 dotnet-sdk-3.1
 
+# install Composer
 RUN apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 4F4EA0AAE5267A6C &&\
     echo "deb http://ppa.launchpad.net/ondrej/php/ubuntu xenial main" | sudo tee /etc/apt/sources.list.d/php.list &&\
     apt-get update &&\
     apt-get install -y php7.4-cli &&\
+    EXPECTED_COMPOSER_INSTALLER_CHECKSUM="$(curl --silent https://composer.github.io/installer.sig)" &&\
     php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" &&\
-    php -r "if (hash_file('sha384', 'composer-setup.php') === 'e5325b19b381bfd88ce90a5ddb7823406b2a38cff6bb704b0acc289a09c8128d4a8ce2bbafcd1fcbdc38666422fe2806') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;" &&\
+    ACTUAL_COMPOSER_INSTALLER_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")" &&\
+    test "${ACTUAL_COMPOSER_INSTALLER_CHECKSUM}" = "${EXPECTED_COMPOSER_INSTALLER_CHECKSUM}" || (echo "ERROR: Invalid installer checksum" >&2; false) &&\
     php composer-setup.php &&\
     php -r "unlink('composer-setup.php');" &&\
     mv composer.phar /usr/bin/composer
 
+# install miniconda
+# See https://docs.conda.io/en/latest/miniconda_hashes.html
+# for latest versions and SHAs.
+WORKDIR /tmp
+RUN  \
+  conda_installer=Miniconda3-py38_4.9.2-Linux-x86_64.sh &&\
+  ref='1314b90489f154602fd794accfc90446111514a5a72fe1f71ab83e07de9504a7' &&\
+  wget -q https://repo.anaconda.com/miniconda/${conda_installer} &&\
+  sha=`openssl sha256 "${conda_installer}" | cut -d' ' -f2` &&\
+  ([ "$sha" = "${ref}" ] || (echo "Verification failed: ${sha} != ${ref}"; false)) &&\
+  (echo; echo "yes") | sh "${conda_installer}"
+
 # install license_finder
 COPY . /LicenseFinder
 RUN bash -lc "cd /LicenseFinder && bundle config set no-cache 'true' && bundle install -j4 && rake install"

data/README.md

@@ -54,6 +54,7 @@ and give you an actionable exception report.
 * Rust (via `cargo`)
 * Go Modules (via `go mod`)
 * PHP (via `composer`)
+* Python (via Conda [Conda 4.8.3, Python 3.7, Bash; requires an `environment.yml` or `environment.yaml`])
 
 ## Installation
 
@@ -121,9 +122,9 @@ be useful when you need to track down an unexpected package or
 license.
 
 If you do not want to manually run an individual package manager's prepare
-command (ex: `bundle install`, `npm install`, etc) to ensure your project 
+command (ex: `bundle install`, `npm install`, etc) to ensure your project
 is fully prepared to be scanned, use the `--prepare` or `-p` option which will run
-each active package manager's prepare command for you. If you would like to continue 
+each active package manager's prepare command for you. If you would like to continue
 running `license_finder` even if there is an issue with a prepare step, use the
 `--prepare-no-fail` option which prepares but carries on despite any potential failures.
 
@@ -135,7 +136,7 @@ command.
 
 If you have docker installed, try using the included `dlf` script (potentially
 symlinked to be in your path via `ln -s LicenseFinder/dlf /usr/local/bin` or
-whatever method you prefer). This will run any commmands passed to it inside a
+whatever method you prefer). This will run any commands passed to it inside a
 pre-provisioned Docker container to maintain consistent versions of all the
 package managers. For example,
 
@@ -156,10 +157,10 @@ You can better understand the way this script works by looking at its source, bu
 reference it will mount your current directory at the path `/scan` and run any commands
 passed to it from that directory.
 
-Note that the docker image will run the gem which is installed within it. 
+Note that the docker image will run the gem which is installed within it.
 So the docker image tagged `4.0.2` will run *License Finder Version 4.0.2*
 
-See the [contibuting guide](https://github.com/pivotal/LicenseFinder/blob/master/CONTRIBUTING.md) for information on development. 
+See the [contributing guide](https://github.com/pivotal/LicenseFinder/blob/master/CONTRIBUTING.md) for information on development. 
 
 ### Activation
 
@@ -310,7 +311,7 @@ be approved. The project name at the top of the report can be set with
 `license_finder project_name add`.
 
 ### Note:
-When using the yarn package manager, when a node_module's package.json doesn't 
+When using the yarn package manager, when a node_module's package.json doesn't
 explicitly declare a license, yarn indicates that it has inferred the license based
 on some keywords in other files by appending an asterisk to the license name. If you
 see a * at the end of the license name, this is intended.
@@ -332,7 +333,7 @@ $ license_finder licenses add my_unknown_dependency MIT --homepage="www.unknown-
 ```
 
 This command would assign the MIT license to the dependency
-`my_unknown_dependency`. It will also set its homepage to `wwww.unknown-code.org`.
+`my_unknown_dependency`. It will also set its homepage to `www.unknown-code.org`.
 
 
 ### Adding Hidden Dependencies
@@ -420,6 +421,15 @@ If you store rebar dependencies in a custom directory (by setting `deps_dir` in
 You can also invoke a custom Mix script `remix` with `--mix_command remix` and
 set `--mix_deps_dir` to fetch Mix dependencies from a custom directory.
 
+### Narrow down Package Manager
+
+By default, license_finder will check for all supported package managers,
+but you can narrow it down to use only those you pass to `--enabled-package-managers`.
+For example,
+
+```
+$ license_finder --enabled-package-managers bundler npm
+```
 
 ### Saving Configuration
 
@@ -437,6 +447,11 @@ rebar_command: './rebarw'
 rebar_deps_dir: './rebar_deps'
 mix_command: './mixw'
 mix_deps_dir: './mix_deps'
+enabled_package_managers:
+  - bundler
+  - gradle
+  - rebar
+  - mix
 ```
 
 ### Gradle Projects
@@ -461,9 +476,9 @@ downloadLicenses {
 ### Conan Projects
 
 `license_finder` supports Conan. You need to have the following lines in your conanfile.txt for `license_finder` to retrieve dependencies' licenses.
-Ensure that `conan install` does not generate an error. 
+Ensure that `conan install` does not generate an error.
 
-``` 
+```
 [imports]
 ., license* -> ./licenses @ folder=True, ignore_case=True
 ```
@@ -517,9 +532,9 @@ And save a `LICENSE` file which contains your license text in your repo.
 
 * Bundler
    * When using `--project-path`, Bundler cannot find the Gemfile.
-   
+
 * Yarn
-   * A module that is incompatible with the platform on which 
+   * A module that is incompatible with the platform on which
      license_finder is run will always be reported to have a license type
      of "unknown". ([#456](https://github.com/pivotal/LicenseFinder/issues/456))
 

data/Rakefile

@@ -54,7 +54,7 @@ task :update_pipeline, [:slack_url, :slack_channel] do |_, args|
     puts 'Warning: You should provide slack channel and url to receive slack notifications on build failures'
   end
 
-  ruby_versions = %w[2.7.1 2.6.5 2.5.7 2.4.9 2.3.8 jruby-9.2.9.0]
+  ruby_versions = %w[2.7.1 2.6.5 2.5.7 2.4.9 2.3.8 jruby-9.2.14.0]
 
   params = []
   params << "ruby_versions=#{ruby_versions.join(',')}"

data/VERSION

@@ -1 +1 @@
-6.8.1
+6.11.0

data/ci/pipelines/pull-request.yml.erb

@@ -13,6 +13,8 @@ resource_types:
   source:
     repository: cfcommunity/slack-notification-resource
     tag: latest
+    username: ((LicenseFinderDocker.username))
+    password: ((LicenseFinderDocker.password))
 <% end %>
 
 resources:

data/ci/pipelines/release.yml.erb

@@ -8,6 +8,8 @@ resource_types:
   source:
     repository: cfcommunity/slack-notification-resource
     tag: latest
+    username: ((LicenseFinderDocker.username))
+    password: ((LicenseFinderDocker.password))
 <% end %>
 
 resources:
@@ -154,7 +156,7 @@ jobs:
   plan:
   - get: lf-git
     tags: ["private-worker"]
-    passed: [<%= "#{ruby_versions.map{ |version| "ruby-#{version}"}.join(', ')}, rubocop" %>]
+    passed: [<%= "#{ruby_versions.map{ |version| "ruby-#{version}" unless version == "jruby-9.2.14.0" }.compact.join(', ') }, rubocop" %>]
   - get: semver-version
     tags: ["private-worker"]
     trigger: true

data/ci/tasks/rubocop.yml

@@ -5,6 +5,8 @@ image_resource:
   source:
     repository: ruby
     tag: 2.7.1
+    username: ((LicenseFinderDocker.username))
+    password: ((LicenseFinderDocker.password))
 
 inputs:
 - name: LicenseFinder

data/ci/tasks/update-changelog.yml

@@ -4,6 +4,8 @@ image_resource:
   source:
     repository: brenix/alpine-bash-git-ssh
     tag: latest
+    username: ((LicenseFinderDocker.username))
+    password: ((LicenseFinderDocker.password))
 platform: linux
 inputs:
 - name: lf-git

data/examples/Gemfile

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+gem 'license_finder', path: '..'

data/examples/custom_erb_template.rb

@@ -0,0 +1,24 @@
+#!/usr/bin/env ruby
+
+# frozen_string_literal: true
+
+require 'rubygems'
+require 'bundler/setup'
+
+# This is an example of how to programatically generate a report using a custom
+# ERB template. Run with
+# > bundle install
+# > ./custom_erb_template.rb
+
+require 'license_finder'
+
+# See lib/license_finder/core.rb for more configuration options.
+# A quiet logger is required when running reports...
+lf = LicenseFinder::Core.new(LicenseFinder::Configuration.with_optional_saved_config(logger: :quiet))
+
+# Find many more examples of complex ERB templates in
+# lib/license_finder/reports/templates/
+template = Pathname.new('./sample_template.erb')
+print LicenseFinder::ErbReport
+  .new(lf.acknowledged, project_name: lf.project_name)
+  .to_s(template)

data/examples/extract_license_data.rb

@@ -0,0 +1,63 @@
+#!/usr/bin/env ruby
+
+# frozen_string_literal: true
+
+require 'rubygems'
+require 'bundler/setup'
+
+# This is an example of how to programatically extract the information that
+# LicenseFinder has about packages and their licenses.
+# > bundle install
+# > ./extract_license_data.rb
+
+require 'license_finder'
+
+# See lib/license_finder/core.rb for more configuration options.
+# A quiet logger is required when running reports...
+lf = LicenseFinder::Core.new(LicenseFinder::Configuration.with_optional_saved_config(logger: :quiet))
+
+# Groups of packages
+lf.acknowledged # All (non-ignored) packages license_finder is tracking
+lf.unapproved # The packages which have not been approved or permitted
+lf.restricted # The packages which have been restricted
+
+# Package details
+lf.acknowledged.each do |package|
+  # Approvals
+  package.approved? # Whether the package has been approved manually or permitted
+  package.approved_manually?
+  package.permitted?
+  package.restricted?
+
+  # Licensing
+  # The set of licenses, each of which has a name and url, which
+  # license_finder will report for this package.
+  package.licenses
+  # Additional information about how these licenses were chosen
+  # (from decision, from spec, from files, or none-found).  See
+  # LicenseFinder::Licensing and LicenseFinder::Activation
+  package.activations
+  # The files that look like licenses, found in the package's
+  # directory.  Caveat: if a package's licenses were specified by a decision or
+  # by the package's spec, the license_files will be ignored.  That means,
+  # package.licenses may report different licenses than those found in
+  # license_files.
+  package.license_files
+  package.license_files.each do |file|
+    # The license found in this file.
+    file.license
+    # The text of the file.  Sometimes this will be an entire README file,
+    # because license_finder has found the phrase "is released under the
+    # MIT license" in it.
+    file.text
+  end
+  package.licensing.activations_from_decisions # If license_finder only knew about decisions, what licenses would it report?
+  package.licensing.activations_from_spec      # If license_finder only knew about package specs, what licenses would it report?
+  package.licensing.activations_from_files     # If license_finder only knew about package files, what licenses would it report?
+  package.licensing.activations_from_files.each do |activation|
+    # Each activation groups together all files that point to the same license.
+    # Each file contains its #license and #text.
+    activation.license
+    activation.files
+  end
+end

data/examples/sample_template.erb

@@ -0,0 +1,7 @@
+Licenses
+
+<%= dependencies.size %> total
+
+<% grouped_dependencies.each do |license_name, group| -%>
+* <%= group.size %> <%= license_name %>
+<% end %>

data/lib/license_finder/cli/base.rb

@@ -11,6 +11,10 @@ module LicenseFinder
                    desc: 'Where decisions are saved. Defaults to doc/dependency_decisions.yml.'
       class_option :log_directory,
                    desc: 'Where logs are saved. Defaults to ./lf_logs/$PROJECT/prepare_$PACKAGE_MANAGER.log'
+      class_option :enabled_package_managers,
+                   desc: 'List of package managers to be enabled. Defaults to all supported package managers.',
+                   type: :array,
+                   enum: LicenseFinder::Scanner.supported_package_manager_ids
 
       no_commands do
         def decisions
@@ -32,6 +36,7 @@ module LicenseFinder
         extract_options(
           :project_path,
           :decisions_file,
+          :enabled_package_managers,
           :go_full_version,
           :gradle_command,
           :gradle_include_groups,
@@ -53,7 +58,9 @@ module LicenseFinder
           :columns,
           :aggregate_paths,
           :recursive,
-          :sbt_include_groups
+          :sbt_include_groups,
+          :conda_bash_setup_script,
+          :composer_check_require_only
         ).merge(
           logger: logger_mode
         )

data/lib/license_finder/cli/main.rb

@@ -19,7 +19,8 @@ module LicenseFinder
         'markdown' => MarkdownReport,
         'csv' => CsvReport,
         'xml' => XmlReport,
-        'json' => JsonReport
+        'json' => JsonReport,
+        'junit' => JunitReport
       }.freeze
 
       class_option :go_full_version, desc: 'Whether dependency version should include full version. Only meaningful if used with a Go project. Defaults to false.'
@@ -37,6 +38,9 @@ module LicenseFinder
       class_option :mix_command, desc: "Command to use when fetching packages through Mix. Only meaningful if used with a Mix project (i.e., Elixir or Erlang). Defaults to 'mix'."
       class_option :mix_deps_dir, desc: "Path to Mix dependencies directory. Only meaningful if used with a Mix project (i.e., Elixir or Erlang). Defaults to 'deps'."
       class_option :sbt_include_groups, desc: 'Whether dependency name should include group id. Only meaningful if used with a Scala/sbt project. Defaults to false.'
+      class_option :conda_bash_setup_script, desc: "Path to conda.sh script. Only meaningful if used with a Conda project. Defaults to '~/miniconda3/etc/profile.d/conda.sh'."
+      class_option :composer_check_require_only,
+                   desc: "Whether to only check for licenses from dependencies on the 'require' section. Only meaningful if used with a Composer project. Defaults to false."
 
       # Method options which are shared between report and action_item
       def self.format_option