license_finder 6.9.0 → 6.12.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fc2352a955e259632d6033ca1ec13a03ef2d6925c0a0dde89f0bd4bbf125a333
-  data.tar.gz: 275ec53c07253065b18133ea74bfd4dc69f73cb1a6dff6ba6d08f4ee278111e8
+  metadata.gz: 6b7a4a73fc4f78ba9e1d5bb08a603d08f5086e4c55517b35be972eb46cf45425
+  data.tar.gz: 7dc0e9072c02bf89ca269043225179f3ad03fb171d836db1bead5d7d82c3d278
 SHA512:
-  metadata.gz: 657b1f48fc7b0f592dbec7428610b8984c9be7f897b0eb2bd0379399d41286ea77b925298207633c48e388da2ffd46f99859fbd1e57d885b508ee434162316fd
-  data.tar.gz: 02e5b8f9fc1e70ddeb1bd87f55920d4c5537c82511cbbafb7ff96f622dee26f6e4dca3da7e9f03c321a44a1b0bdb6c2135638dd0ca3872169cebdc3731f7b4cc
+  metadata.gz: 10f7be63b0c95dc04fd734b793dc79129530ed8d0a4ad2d5e37158ef9d68f40ea3c44704d2c944946c29342ae5df3f234004f83fe23346a2a0c907104857aa8f
+  data.tar.gz: acf582f691fd9d5e5857d7b90dd021fa3a6ae8a4ed03efb189524f63921003612b075292394830abf2971a04ccda1aa74c0f99759964edec5be5320240b970d7

data/.rubocop.yml

@@ -27,9 +27,9 @@ BlockLength:
 ClassLength:
   Enabled: false
 CyclomaticComplexity:
-  Max: 10
+  Max: 15
 PerceivedComplexity:
-  Max: 10
+  Max: 15
 LineLength:
   Max: 200
 MethodLength:

data/CHANGELOG.md

@@ -1,3 +1,19 @@
+# [6.12.1] / 2021-04-12
+
+# [6.12.0] / 2021-03-05
+
+### Added
+* Provide homepage information for GoDep and Go15Vendor package managers - [bae1bda9](https://github.com/pivotal/LicenseFinder/commit/bae1bda9d76cb922405d7efca9c67e2583db70d4) - Jeff Jun
+
+# [6.11.0] / 2021-03-04
+
+### Added
+* Add homepage for go_modules package manager - [912394a8](https://github.com/pivotal/LicenseFinder/commit/912394a8a6ab4c31b6918a21da9f37d5b368ed6b) 
+
+# [6.10.1] / 2021-01-08
+
+# [6.10.0] / 2020-11-27
+
 # [6.9.0] / 2020-10-05
 
 ### Changed
@@ -921,3 +937,8 @@ Bugfixes:
 [6.8.1]: https://github.com/pivotal/LicenseFinder/compare/v6.8.0...v6.8.1
 [6.8.2]: https://github.com/pivotal/LicenseFinder/compare/v6.8.1...v6.8.2
 [6.9.0]: https://github.com/pivotal/LicenseFinder/compare/v6.8.2...v6.9.0
+[6.10.0]: https://github.com/pivotal/LicenseFinder/compare/v6.9.0...v6.10.0
+[6.10.1]: https://github.com/pivotal/LicenseFinder/compare/v6.10.0...v6.10.1
+[6.11.0]: https://github.com/pivotal/LicenseFinder/compare/v6.10.1...v6.11.0
+[6.12.0]: https://github.com/pivotal/LicenseFinder/compare/v6.11.0...v6.12.0
+[6.12.1]: https://github.com/pivotal/LicenseFinder/compare/v6.12.0...v6.12.1

data/CONTRIBUTING.md

@@ -24,8 +24,8 @@ will use the gem version installed inside the docker image.
 
 ## Useful Tips
 
-To build the docker image simply call `docker build .` or explicitly pass the `Dockerfile`. Prebuilt versions of the 
-dockerfile can also be found on [Dockerhub](https://hub.docker.com/r/licensefinder/license_finder/tags/).  
+To build the docker image simply call `docker build .` or explicitly pass the `Dockerfile`. Prebuilt versions of the
+dockerfile can also be found on [Dockerhub](https://hub.docker.com/r/licensefinder/license_finder/tags/).
 
 To launch the docker image and interact with it via bash:
 ```
@@ -60,13 +60,13 @@ submitting a pull request which adds new columns to
 `lib/license_finder/reports/csv_report.rb`.
 
 It is also possible to generate a custom report from an ERB template.  Use this
-[example](https://gist.github.com/mainej/b190d2f138c2b9e2e20a) as a starting
+[example](https://github.com/pivotal/LicenseFinder/blob/master/examples/custom_erb_template.rb) as a starting
 point.  These reports will have access to the helpers in
 [`LicenseFinder::ErbReport`](https://github.com/pivotal/LicenseFinder/blob/master/lib/license_finder/reports/erb_report.rb).
 
 If you need a report with more detailed data or in a different format, we
 recommend writing a custom ruby script.  This
-[example](https://gist.github.com/mainej/48ac616844505d50f510) will get you
+[example](https://github.com/pivotal/LicenseFinder/blob/master/examples/extract_license_data.rb) will get you
 started.
 
 If you come up with something useful, consider posting it to the Google Group
@@ -91,6 +91,7 @@ To successfully run the test suite, you will need the following installed:
 - Conan
 - NuGet
 - dotnet
+- Conda (requires python)
 
 The [LicenseFinder docker image](https://hub.docker.com/r/licensefinder/license_finder/) already contains these dependencies.
 

data/Dockerfile

@@ -2,7 +2,7 @@ FROM ubuntu:xenial
 
 # Versioning
 ENV PIP_INSTALL_VERSION 19.0.2
-ENV PIP3_INSTALL_VERSION 8.1.1
+ENV PIP3_INSTALL_VERSION 20.0.2
 ENV GO_LANG_VERSION 1.14.3
 ENV MAVEN_VERSION 3.6.0
 ENV SBT_VERSION 1.3.3
@@ -25,7 +25,7 @@ RUN apt-get update && apt-get install -y \
 RUN add-apt-repository ppa:git-core/ppa && apt-get update && apt-get install -y git
 
 # nodejs seems to be required for the one of the gems
-RUN curl -sL https://deb.nodesource.com/setup_10.x | bash - && \
+RUN curl -sL https://deb.nodesource.com/setup_14.x | bash - && \
     apt-get -y install nodejs
 
 # install yarn
@@ -55,8 +55,8 @@ RUN curl -o rebar3 https://s3.amazonaws.com/rebar3/rebar3 && \
 
 # install and update python and python-pip
 RUN apt-get install -y python python-pip python3-pip && \
-    pip2 install --no-cache-dir --upgrade pip==$PIP_INSTALL_VERSION  && \
-    pip3 install --no-cache-dir --upgrade pip==$PIP3_INSTALL_VERSION
+    python3 -m pip install pip==$PIP3_INSTALL_VERSION --upgrade && \
+    python -m pip install pip==$PIP_INSTALL_VERSION --upgrade --force
 
 # install maven
 RUN curl -O https://archive.apache.org/dist/maven/maven-3/$MAVEN_VERSION/binaries/apache-maven-$MAVEN_VERSION-bin.tar.gz && \
@@ -154,16 +154,31 @@ RUN wget -q https://packages.microsoft.com/config/ubuntu/16.04/packages-microsof
   sudo apt-get update &&\
   sudo apt-get install -y dotnet-runtime-2.1 dotnet-sdk-2.1 dotnet-sdk-2.2 dotnet-sdk-3.0 dotnet-sdk-3.1
 
+# install Composer
 RUN apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 4F4EA0AAE5267A6C &&\
     echo "deb http://ppa.launchpad.net/ondrej/php/ubuntu xenial main" | sudo tee /etc/apt/sources.list.d/php.list &&\
     apt-get update &&\
     apt-get install -y php7.4-cli &&\
+    EXPECTED_COMPOSER_INSTALLER_CHECKSUM="$(curl --silent https://composer.github.io/installer.sig)" &&\
     php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" &&\
-    php -r "if (hash_file('sha384', 'composer-setup.php') === '795f976fe0ebd8b75f26a6dd68f78fd3453ce79f32ecb33e7fd087d39bfeb978342fb73ac986cd4f54edd0dc902601dc') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;" &&\
+    ACTUAL_COMPOSER_INSTALLER_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")" &&\
+    test "${ACTUAL_COMPOSER_INSTALLER_CHECKSUM}" = "${EXPECTED_COMPOSER_INSTALLER_CHECKSUM}" || (echo "ERROR: Invalid installer checksum" >&2; false) &&\
     php composer-setup.php &&\
     php -r "unlink('composer-setup.php');" &&\
     mv composer.phar /usr/bin/composer
 
+# install miniconda
+# See https://docs.conda.io/en/latest/miniconda_hashes.html
+# for latest versions and SHAs.
+WORKDIR /tmp
+RUN  \
+  conda_installer=Miniconda3-py38_4.9.2-Linux-x86_64.sh &&\
+  ref='1314b90489f154602fd794accfc90446111514a5a72fe1f71ab83e07de9504a7' &&\
+  wget -q https://repo.anaconda.com/miniconda/${conda_installer} &&\
+  sha=`openssl sha256 "${conda_installer}" | cut -d' ' -f2` &&\
+  ([ "$sha" = "${ref}" ] || (echo "Verification failed: ${sha} != ${ref}"; false)) &&\
+  (echo; echo "yes") | sh "${conda_installer}"
+
 # install license_finder
 COPY . /LicenseFinder
 RUN bash -lc "cd /LicenseFinder && bundle config set no-cache 'true' && bundle install -j4 && rake install"

data/README.md

@@ -54,6 +54,7 @@ and give you an actionable exception report.
 * Rust (via `cargo`)
 * Go Modules (via `go mod`)
 * PHP (via `composer`)
+* Python (via Conda [Conda 4.8.3, Python 3.7, Bash; requires an `environment.yml` or `environment.yaml`])
 
 ## Installation
 
@@ -121,9 +122,9 @@ be useful when you need to track down an unexpected package or
 license.
 
 If you do not want to manually run an individual package manager's prepare
-command (ex: `bundle install`, `npm install`, etc) to ensure your project 
+command (ex: `bundle install`, `npm install`, etc) to ensure your project
 is fully prepared to be scanned, use the `--prepare` or `-p` option which will run
-each active package manager's prepare command for you. If you would like to continue 
+each active package manager's prepare command for you. If you would like to continue
 running `license_finder` even if there is an issue with a prepare step, use the
 `--prepare-no-fail` option which prepares but carries on despite any potential failures.
 
@@ -135,7 +136,7 @@ command.
 
 If you have docker installed, try using the included `dlf` script (potentially
 symlinked to be in your path via `ln -s LicenseFinder/dlf /usr/local/bin` or
-whatever method you prefer). This will run any commmands passed to it inside a
+whatever method you prefer). This will run any commands passed to it inside a
 pre-provisioned Docker container to maintain consistent versions of all the
 package managers. For example,
 
@@ -156,10 +157,10 @@ You can better understand the way this script works by looking at its source, bu
 reference it will mount your current directory at the path `/scan` and run any commands
 passed to it from that directory.
 
-Note that the docker image will run the gem which is installed within it. 
+Note that the docker image will run the gem which is installed within it.
 So the docker image tagged `4.0.2` will run *License Finder Version 4.0.2*
 
-See the [contibuting guide](https://github.com/pivotal/LicenseFinder/blob/master/CONTRIBUTING.md) for information on development. 
+See the [contributing guide](https://github.com/pivotal/LicenseFinder/blob/master/CONTRIBUTING.md) for information on development. 
 
 ### Activation
 
@@ -310,7 +311,7 @@ be approved. The project name at the top of the report can be set with
 `license_finder project_name add`.
 
 ### Note:
-When using the yarn package manager, when a node_module's package.json doesn't 
+When using the yarn package manager, when a node_module's package.json doesn't
 explicitly declare a license, yarn indicates that it has inferred the license based
 on some keywords in other files by appending an asterisk to the license name. If you
 see a * at the end of the license name, this is intended.
@@ -332,7 +333,7 @@ $ license_finder licenses add my_unknown_dependency MIT --homepage="www.unknown-
 ```
 
 This command would assign the MIT license to the dependency
-`my_unknown_dependency`. It will also set its homepage to `wwww.unknown-code.org`.
+`my_unknown_dependency`. It will also set its homepage to `www.unknown-code.org`.
 
 
 ### Adding Hidden Dependencies
@@ -420,6 +421,15 @@ If you store rebar dependencies in a custom directory (by setting `deps_dir` in
 You can also invoke a custom Mix script `remix` with `--mix_command remix` and
 set `--mix_deps_dir` to fetch Mix dependencies from a custom directory.
 
+### Narrow down Package Manager
+
+By default, license_finder will check for all supported package managers,
+but you can narrow it down to use only those you pass to `--enabled-package-managers`.
+For example,
+
+```
+$ license_finder --enabled-package-managers bundler npm
+```
 
 ### Saving Configuration
 
@@ -437,6 +447,11 @@ rebar_command: './rebarw'
 rebar_deps_dir: './rebar_deps'
 mix_command: './mixw'
 mix_deps_dir: './mix_deps'
+enabled_package_managers:
+  - bundler
+  - gradle
+  - rebar
+  - mix
 ```
 
 ### Gradle Projects
@@ -461,9 +476,9 @@ downloadLicenses {
 ### Conan Projects
 
 `license_finder` supports Conan. You need to have the following lines in your conanfile.txt for `license_finder` to retrieve dependencies' licenses.
-Ensure that `conan install` does not generate an error. 
+Ensure that `conan install` does not generate an error.
 
-``` 
+```
 [imports]
 ., license* -> ./licenses @ folder=True, ignore_case=True
 ```
@@ -517,9 +532,9 @@ And save a `LICENSE` file which contains your license text in your repo.
 
 * Bundler
    * When using `--project-path`, Bundler cannot find the Gemfile.
-   
+
 * Yarn
-   * A module that is incompatible with the platform on which 
+   * A module that is incompatible with the platform on which
      license_finder is run will always be reported to have a license type
      of "unknown". ([#456](https://github.com/pivotal/LicenseFinder/issues/456))
 

data/Rakefile

@@ -54,7 +54,7 @@ task :update_pipeline, [:slack_url, :slack_channel] do |_, args|
     puts 'Warning: You should provide slack channel and url to receive slack notifications on build failures'
   end
 
-  ruby_versions = %w[2.7.1 2.6.5 2.5.7 2.4.9 2.3.8 jruby-9.2.9.0]
+  ruby_versions = %w[2.7.1 2.6.5 2.5.7 2.4.9 2.3.8 jruby-9.2.14.0]
 
   params = []
   params << "ruby_versions=#{ruby_versions.join(',')}"

data/VERSION

@@ -1 +1 @@
-6.9.0
+6.12.1

data/ci/pipelines/pull-request.yml.erb

@@ -13,6 +13,8 @@ resource_types:
   source:
     repository: cfcommunity/slack-notification-resource
     tag: latest
+    username: ((LicenseFinderDocker.username))
+    password: ((LicenseFinderDocker.password))
 <% end %>
 
 resources:

data/ci/pipelines/release.yml.erb

@@ -8,6 +8,8 @@ resource_types:
   source:
     repository: cfcommunity/slack-notification-resource
     tag: latest
+    username: ((LicenseFinderDocker.username))
+    password: ((LicenseFinderDocker.password))
 <% end %>
 
 resources:
@@ -154,7 +156,7 @@ jobs:
   plan:
   - get: lf-git
     tags: ["private-worker"]
-    passed: [<%= "#{ruby_versions.map{ |version| "ruby-#{version}"}.join(', ')}, rubocop" %>]
+    passed: [<%= "#{ruby_versions.map{ |version| "ruby-#{version}" unless version == "jruby-9.2.14.0" }.compact.join(', ') }, rubocop" %>]
   - get: semver-version
     tags: ["private-worker"]
     trigger: true

data/ci/tasks/rubocop.yml

@@ -5,6 +5,8 @@ image_resource:
   source:
     repository: ruby
     tag: 2.7.1
+    username: ((LicenseFinderDocker.username))
+    password: ((LicenseFinderDocker.password))
 
 inputs:
 - name: LicenseFinder

data/ci/tasks/update-changelog.yml

@@ -4,6 +4,8 @@ image_resource:
   source:
     repository: brenix/alpine-bash-git-ssh
     tag: latest
+    username: ((LicenseFinderDocker.username))
+    password: ((LicenseFinderDocker.password))
 platform: linux
 inputs:
 - name: lf-git

data/examples/Gemfile

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+gem 'license_finder', path: '..'

data/examples/custom_erb_template.rb

@@ -0,0 +1,24 @@
+#!/usr/bin/env ruby
+
+# frozen_string_literal: true
+
+require 'rubygems'
+require 'bundler/setup'
+
+# This is an example of how to programatically generate a report using a custom
+# ERB template. Run with
+# > bundle install
+# > ./custom_erb_template.rb
+
+require 'license_finder'
+
+# See lib/license_finder/core.rb for more configuration options.
+# A quiet logger is required when running reports...
+lf = LicenseFinder::Core.new(LicenseFinder::Configuration.with_optional_saved_config(logger: :quiet))
+
+# Find many more examples of complex ERB templates in
+# lib/license_finder/reports/templates/
+template = Pathname.new('./sample_template.erb')
+print LicenseFinder::ErbReport
+  .new(lf.acknowledged, project_name: lf.project_name)
+  .to_s(template)

data/examples/extract_license_data.rb

@@ -0,0 +1,63 @@
+#!/usr/bin/env ruby
+
+# frozen_string_literal: true
+
+require 'rubygems'
+require 'bundler/setup'
+
+# This is an example of how to programatically extract the information that
+# LicenseFinder has about packages and their licenses.
+# > bundle install
+# > ./extract_license_data.rb
+
+require 'license_finder'
+
+# See lib/license_finder/core.rb for more configuration options.
+# A quiet logger is required when running reports...
+lf = LicenseFinder::Core.new(LicenseFinder::Configuration.with_optional_saved_config(logger: :quiet))
+
+# Groups of packages
+lf.acknowledged # All (non-ignored) packages license_finder is tracking
+lf.unapproved # The packages which have not been approved or permitted
+lf.restricted # The packages which have been restricted
+
+# Package details
+lf.acknowledged.each do |package|
+  # Approvals
+  package.approved? # Whether the package has been approved manually or permitted
+  package.approved_manually?
+  package.permitted?
+  package.restricted?
+
+  # Licensing
+  # The set of licenses, each of which has a name and url, which
+  # license_finder will report for this package.
+  package.licenses
+  # Additional information about how these licenses were chosen
+  # (from decision, from spec, from files, or none-found).  See
+  # LicenseFinder::Licensing and LicenseFinder::Activation
+  package.activations
+  # The files that look like licenses, found in the package's
+  # directory.  Caveat: if a package's licenses were specified by a decision or
+  # by the package's spec, the license_files will be ignored.  That means,
+  # package.licenses may report different licenses than those found in
+  # license_files.
+  package.license_files
+  package.license_files.each do |file|
+    # The license found in this file.
+    file.license
+    # The text of the file.  Sometimes this will be an entire README file,
+    # because license_finder has found the phrase "is released under the
+    # MIT license" in it.
+    file.text
+  end
+  package.licensing.activations_from_decisions # If license_finder only knew about decisions, what licenses would it report?
+  package.licensing.activations_from_spec      # If license_finder only knew about package specs, what licenses would it report?
+  package.licensing.activations_from_files     # If license_finder only knew about package files, what licenses would it report?
+  package.licensing.activations_from_files.each do |activation|
+    # Each activation groups together all files that point to the same license.
+    # Each file contains its #license and #text.
+    activation.license
+    activation.files
+  end
+end

data/examples/sample_template.erb

@@ -0,0 +1,7 @@
+Licenses
+
+<%= dependencies.size %> total
+
+<% grouped_dependencies.each do |license_name, group| -%>
+* <%= group.size %> <%= license_name %>
+<% end %>

data/lib/license_finder/cli/base.rb

@@ -11,6 +11,10 @@ module LicenseFinder
                    desc: 'Where decisions are saved. Defaults to doc/dependency_decisions.yml.'
       class_option :log_directory,
                    desc: 'Where logs are saved. Defaults to ./lf_logs/$PROJECT/prepare_$PACKAGE_MANAGER.log'
+      class_option :enabled_package_managers,
+                   desc: 'List of package managers to be enabled. Defaults to all supported package managers.',
+                   type: :array,
+                   enum: LicenseFinder::Scanner.supported_package_manager_ids
 
       no_commands do
         def decisions
@@ -32,6 +36,7 @@ module LicenseFinder
         extract_options(
           :project_path,
           :decisions_file,
+          :enabled_package_managers,
           :go_full_version,
           :gradle_command,
           :gradle_include_groups,
@@ -53,7 +58,9 @@ module LicenseFinder
           :columns,
           :aggregate_paths,
           :recursive,
-          :sbt_include_groups
+          :sbt_include_groups,
+          :conda_bash_setup_script,
+          :composer_check_require_only
         ).merge(
           logger: logger_mode
         )

data/lib/license_finder/cli/main.rb

@@ -19,7 +19,8 @@ module LicenseFinder
         'markdown' => MarkdownReport,
         'csv' => CsvReport,
         'xml' => XmlReport,
-        'json' => JsonReport
+        'json' => JsonReport,
+        'junit' => JunitReport
       }.freeze
 
       class_option :go_full_version, desc: 'Whether dependency version should include full version. Only meaningful if used with a Go project. Defaults to false.'
@@ -37,6 +38,9 @@ module LicenseFinder
       class_option :mix_command, desc: "Command to use when fetching packages through Mix. Only meaningful if used with a Mix project (i.e., Elixir or Erlang). Defaults to 'mix'."
       class_option :mix_deps_dir, desc: "Path to Mix dependencies directory. Only meaningful if used with a Mix project (i.e., Elixir or Erlang). Defaults to 'deps'."
       class_option :sbt_include_groups, desc: 'Whether dependency name should include group id. Only meaningful if used with a Scala/sbt project. Defaults to false.'
+      class_option :conda_bash_setup_script, desc: "Path to conda.sh script. Only meaningful if used with a Conda project. Defaults to '~/miniconda3/etc/profile.d/conda.sh'."
+      class_option :composer_check_require_only,
+                   desc: "Whether to only check for licenses from dependencies on the 'require' section. Only meaningful if used with a Composer project. Defaults to false."
 
       # Method options which are shared between report and action_item
       def self.format_option

data/lib/license_finder/configuration.rb

@@ -65,6 +65,10 @@ module LicenseFinder
       Pathname(path_prefix).expand_path
     end
 
+    def enabled_package_manager_ids
+      get(:enabled_package_managers)
+    end
+
     def logger_mode
       get(:logger)
     end
@@ -93,6 +97,10 @@ module LicenseFinder
       get(:pip_requirements_path)
     end
 
+    def conda_bash_setup_script
+      get(:conda_bash_setup_script)
+    end
+
     def python_version
       get(:python_version)
     end
@@ -137,6 +145,10 @@ module LicenseFinder
       get(:sbt_include_groups)
     end
 
+    def composer_check_require_only
+      get(:composer_check_require_only)
+    end
+
     attr_writer :strict_matching
 
     attr_reader :strict_matching

data/lib/license_finder/core.rb

@@ -24,7 +24,7 @@ module LicenseFinder
     # Default +options+:
     # {
     #   project_path: Pathname.pwd
-    #   logger: {},   # can include quiet: true or debug: true
+    #   logger: nil,   # can be :quiet or :debug
     #   decisions_file: "doc/dependency_decisions.yml",
     #   gradle_command: "gradle",
     #   rebar_command: "rebar",
@@ -93,6 +93,7 @@ module LicenseFinder
         project_path: config.project_path,
         log_directory: File.join(config.log_directory, project_name),
         ignored_groups: decisions.ignored_groups,
+        enabled_package_manager_ids: config.enabled_package_manager_ids,
         go_full_version: config.go_full_version,
         gradle_command: config.gradle_command,
         gradle_include_groups: config.gradle_include_groups,
@@ -107,7 +108,9 @@ module LicenseFinder
         mix_deps_dir: config.mix_deps_dir,
         prepare: config.prepare,
         prepare_no_fail: config.prepare_no_fail,
-        sbt_include_groups: config.sbt_include_groups
+        sbt_include_groups: config.sbt_include_groups,
+        conda_bash_setup_script: config.conda_bash_setup_script,
+        composer_check_require_only: config.composer_check_require_only
       }
     end
   end

data/lib/license_finder/decisions.rb

@@ -281,6 +281,13 @@ module LicenseFinder
       return result unless persisted
 
       actions = YAML.load(persisted)
+
+      list_of_actions = (actions || []).map(&:first)
+
+      if (list_of_actions & %i[whitelist blacklist]).any?
+        raise 'The decisions file seems to have whitelist/blacklist keys which are deprecated. Please replace them with permit/restrict respectively and try again! More info - https://github.com/pivotal/LicenseFinder/commit/a40b22fda11b3a0efbb3c0a021381534bc998dd9'
+      end
+
       (actions || []).each do |action, *args|
         result.send(action, *args)
       end

data/lib/license_finder/package.rb

@@ -38,7 +38,7 @@ module LicenseFinder
 
       ## DESCRIPTION
       @name = name
-      @version = version
+      @version = version || ''
       @authors = options[:authors] || ''
       @summary = options[:summary] || ''
       @description = options[:description] || ''
@@ -198,3 +198,4 @@ require 'license_finder/packages/yarn_package'
 require 'license_finder/packages/sbt_package'
 require 'license_finder/packages/cargo_package'
 require 'license_finder/packages/composer_package'
+require 'license_finder/packages/conda_package'

data/lib/license_finder/package_manager.rb

@@ -22,6 +22,10 @@ module LicenseFinder
       def takes_priority_over
         nil
       end
+
+      def id
+        name.split('::').last.downcase
+      end
     end
 
     def installed?(logger = Core.default_logger)
@@ -125,10 +129,10 @@ module LicenseFinder
     def log_errors_with_cmd(prep_cmd, stderr)
       logger.info(prep_cmd, 'did not succeed.', color: :red)
       logger.info(prep_cmd, stderr, color: :red)
-      log_to_file stderr
+      log_to_file(prep_cmd, stderr)
     end
 
-    def log_to_file(contents)
+    def log_to_file(prep_cmd, contents)
       FileUtils.mkdir_p @log_directory
 
       # replace whitespace with underscores and remove slashes
@@ -136,7 +140,7 @@ module LicenseFinder
       log_file = File.join(@log_directory, "prepare_#{log_file_name || 'errors'}.log")
 
       File.open(log_file, 'w') do |f|
-        f.write("Prepare command \"#{prepare_command}\" failed with:\n")
+        f.write("Prepare command \"#{prep_cmd}\" failed with:\n")
         f.write("#{contents}\n\n")
       end
     end
@@ -171,5 +175,6 @@ require 'license_finder/package_managers/conan'
 require 'license_finder/package_managers/sbt'
 require 'license_finder/package_managers/cargo'
 require 'license_finder/package_managers/composer'
+require 'license_finder/package_managers/conda'
 
 require 'license_finder/package'

data/lib/license_finder/package_managers/composer.rb

@@ -4,7 +4,10 @@ require 'json'
 
 module LicenseFinder
   class Composer < PackageManager
-    SHELL_COMMAND = 'composer licenses --format=json'
+    def initialize(options = {})
+      super
+      @check_require_only = !!options[:composer_check_require_only]
+    end
 
     def possible_package_paths
       [project_path.join('composer.lock'), project_path.join('composer.json')]
@@ -33,7 +36,7 @@ module LicenseFinder
     end
 
     def prepare_command
-      'composer install --no-plugins --ignore-platform-reqs --no-interaction'
+      'composer install --no-plugins --no-scripts --ignore-platform-reqs --no-interaction'
     end
 
     def package_path
@@ -50,8 +53,9 @@ module LicenseFinder
     end
 
     def composer_json
-      stdout, stderr, status = Dir.chdir(project_path) { Cmd.run(Composer::SHELL_COMMAND) }
-      raise "Command '#{Composer::SHELL_COMMAND}' failed to execute: #{stderr}" unless status.success?
+      command = "composer licenses --format=json#{@check_require_only ? ' --no-dev' : ''}"
+      stdout, stderr, status = Dir.chdir(project_path) { Cmd.run(command) }
+      raise "Command '#{command}' failed to execute: #{stderr}" unless status.success?
 
       JSON(stdout)
     end

data/lib/license_finder/package_managers/conda.rb

@@ -0,0 +1,131 @@
+# frozen_string_literal: true
+
+require 'json'
+
+module LicenseFinder
+  class Conda < PackageManager
+    attr_reader :conda_bash_setup_script
+
+    def initialize(options = {})
+      @conda_bash_setup_script = options[:conda_bash_setup_script] || Pathname("#{ENV['HOME']}/miniconda3/etc/profile.d/conda.sh")
+      super
+    end
+
+    # This command is *not* directly executable. See .conda() below.
+    def prepare_command
+      "conda env create -f #{detected_package_path}"
+    end
+
+    def prepare
+      return if environment_exists?
+
+      prep_cmd = prepare_command
+      _stdout, stderr, status = Dir.chdir(project_path) { conda(prep_cmd) }
+      return if status.success?
+
+      log_errors stderr
+      raise "Prepare command '#{prep_cmd}' failed" unless @prepare_no_fail
+    end
+
+    def current_packages
+      conda_list.map do |entry|
+        case entry['channel']
+        when 'pypi'
+          # PyPI is much faster than `conda search`, use it when we can.
+          PipPackage.new(entry['name'], entry['version'], PyPI.definition(entry['name'], entry['version']))
+        else
+          CondaPackage.new(conda_search_info(entry))
+        end
+      end.compact
+    end
+
+    def possible_package_paths
+      [project_path.join('environment.yaml'), project_path.join('environment.yml')]
+    end
+
+    private
+
+    def environment_exists?
+      environments.grep(environment_name).any?
+    end
+
+    def environments
+      command = 'conda env list'
+      stdout, stderr, status = conda command
+
+      environments = []
+      if status.success?
+        environments = stdout.split("\n").grep_v(/^#/).map { |line| line.split.first }
+      else
+        log_errors_with_cmd command, stderr
+      end
+      environments
+    end
+
+    def environment_file
+      detected_package_path
+    end
+
+    def environment_name
+      @environment_name ||= YAML.load_file(environment_file).fetch('name')
+    end
+
+    def conda(command)
+      Open3.capture3('bash', '-c', "source #{conda_bash_setup_script} && #{command}")
+    end
+
+    def activated_conda(command)
+      Open3.capture3('bash', '-c', "source #{conda_bash_setup_script} && conda activate #{environment_name} && #{command}")
+    end
+
+    # Algorithm is based on
+    # https://bioinformatics.stackexchange.com/a/11226
+    # but completely recoded in Ruby. Like the poster, if the package is
+    # actually managed by conda, we assume that all the potential infos (for
+    # various architectures, versions of python, etc) have the same license.
+    def conda_list
+      command = 'conda list'
+      stdout, stderr, status = activated_conda(command)
+
+      if status.success?
+        conda_list = []
+        stdout.each_line do |line|
+          next if line =~ /^\s*#/
+
+          name, version, build, channel = line.split
+          conda_list << {
+            'name' => name,
+            'version' => version,
+            'build' => build,
+            'channel' => channel
+          }
+        end
+        conda_list
+      else
+        log_errors_with_cmd command, stderr
+        []
+      end
+    end
+
+    def conda_search_info(list_entry)
+      command = 'conda search --info --json '
+      command += "--channel #{list_entry['channel']} " if list_entry['channel'] && !list_entry['channel'].empty?
+      command += "'#{list_entry['name']} #{list_entry['version']}'"
+
+      # Errors from conda (in --json mode, at least) show up in stdout, not stderr
+      stdout, _stderr, status = activated_conda(command)
+
+      name = list_entry['name']
+
+      if status.success?
+        JSON(stdout).fetch(name).first
+      else
+        log_errors_with_cmd command, stdout
+        list_entry
+      end
+    rescue KeyError
+      logger.info('Conda', "Key error trying to find #{name} in\n#{JSON(stdout)}")
+      list_entry
+    end
+  end
+end

data/lib/license_finder/package_managers/dep.rb

@@ -18,11 +18,16 @@ module LicenseFinder
         GoPackage.from_dependency({
                                     'ImportPath' => project['name'],
                                     'InstallPath' => project_path.join('vendor', project['name']),
-                                    'Rev' => project['revision']
+                                    'Rev' => project['revision'],
+                                    'Homepage' => repo_name(project['name'])
                                   }, nil, true)
       end
     end
 
+    def repo_name(name)
+      name.split('/')[0..2].join('/')
+    end
+
     def self.takes_priority_over
       Go15VendorExperiment
     end

data/lib/license_finder/package_managers/go_15vendorexperiment.rb

@@ -37,11 +37,16 @@ module LicenseFinder
         GoPackage.from_dependency({
                                     'ImportPath' => dep,
                                     'InstallPath' => detected_package_path.join(dep),
-                                    'Rev' => 'vendored-' + project_sha(detected_package_path.join(dep))
+                                    'Rev' => 'vendored-' + project_sha(detected_package_path.join(dep)),
+                                    'Homepage' => repo_name(dep)
                                   }, nil, true)
       end
     end
 
+    def repo_name(name)
+      name.split('/')[0..2].join('/')
+    end
+
     def package_management_command
       'go'
     end

data/lib/license_finder/package_managers/go_modules.rb

@@ -76,10 +76,15 @@ module LicenseFinder
       info = {
         'ImportPath' => name,
         'InstallPath' => install_path,
-        'Rev' => version
+        'Rev' => version,
+        'Homepage' => repo_name(name)
       }
 
       GoPackage.from_dependency(info, nil, true)
     end
+
+    def repo_name(name)
+      name.split('/')[0..2].join('/')
+    end
   end
 end

data/lib/license_finder/package_managers/npm.rb

@@ -14,7 +14,7 @@ module LicenseFinder
     end
 
     def prepare_command
-      'npm install --no-save'
+      'npm install --no-save --ignore-scripts'
     end
 
     def possible_package_paths

data/lib/license_finder/package_managers/trash.rb

@@ -30,9 +30,14 @@ module LicenseFinder
         GoPackage.from_dependency({
                                     'ImportPath' => import_path,
                                     'InstallPath' => license_path,
-                                    'Rev' => package_hash.fetch('version')
+                                    'Rev' => package_hash.fetch('version'),
+                                    'Homepage' => repo_name(import_path)
                                   }, nil, true)
       end
     end
+
+    def repo_name(name)
+      name.split('/')[0..2].join('/')
+    end
   end
 end

data/lib/license_finder/package_managers/yarn.rb

@@ -56,7 +56,7 @@ module LicenseFinder
     end
 
     def prepare_command
-      'yarn install --ignore-engines'
+      'yarn install --ignore-engines --ignore-scripts'
     end
 
     private

data/lib/license_finder/packages/conda_package.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+module LicenseFinder
+  class CondaPackage < Package
+    attr_accessor :identifier, :json
+
+    def initialize(conda_json)
+      @json = conda_json
+      @identifier = Identifier.from_hash(conda_json)
+      super(@identifier.name,
+            @identifier.version,
+            spec_licenses: Package.license_names_from_standard_spec(conda_json),
+            children: children)
+    end
+
+    def ==(other)
+      other.is_a?(CondaPackage) && @identifier == other.identifier
+    end
+
+    def to_s
+      @identifier.to_s
+    end
+
+    def package_manager
+      'Conda'
+    end
+
+    def package_url
+      @json['url']
+    end
+
+    def children
+      @json.fetch('depends', []).map { |constraint| constraint.split.first }
+    end
+
+    class Identifier
+      attr_accessor :name, :version
+
+      def initialize(name, version)
+        @name = name
+        @version = version
+      end
+
+      def self.from_hash(hash)
+        name = hash['name']
+        version = hash['version']
+        return nil if name.nil? || version.nil?
+
+        Identifier.new(name, version)
+      end
+
+      def ==(other)
+        other.is_a?(Identifier) && @name == other.name && @version == other.version
+      end
+
+      def eql?(other)
+        self == other
+      end
+
+      def hash
+        [@name, @version].hash
+      end
+
+      def <=>(other)
+        sort_name = @name <=> other.name
+        sort_name.zero? ? @version <=> other.version : sort_name
+      end
+
+      def to_s
+        "#{@name} - #{@version}"
+      end
+    end
+  end
+end

data/lib/license_finder/report.rb

@@ -30,3 +30,4 @@ require 'license_finder/reports/html_report'
 require 'license_finder/reports/markdown_report'
 require 'license_finder/reports/xml_report'
 require 'license_finder/reports/json_report'
+require 'license_finder/reports/junit_report'

data/lib/license_finder/reports/junit_report.rb

@@ -0,0 +1,19 @@
+require 'license_finder/reports/erb_report'
+
+module LicenseFinder
+  class JunitReport < ErbReport
+    ROOT_PATH = Pathname.new(__FILE__).dirname
+    TEMPLATE_PATH = ROOT_PATH.join('templates')
+
+    def to_s(filename = TEMPLATE_PATH.join("#{template_name}.erb"))
+      template = ERB.new(filename.read, nil, '-')
+      template.result(binding)
+    end
+
+    private
+
+    def template_name
+      'junit_report'
+    end
+  end
+end

data/lib/license_finder/reports/templates/junit_report.erb

@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<testsuites failures="<%= unapproved_dependencies.size %>" name="<%= project_name %>" tests="<%= dependencies.size %>">
+<% sorted_dependencies.each_with_index do |dependency, i| -%>
+  <testsuite failures="<%= dependency.approved? ? "0" : "1" -%>" id="<%= i %>" name="<%= dependency.name %>" package="Gemfile.lock" skipped="0" tests="1" timestamp="<%= Time.now.strftime("%Y-%m-%dT%H:%M:%S:%6N") %>">
+    <testcase classname="<%= license_names(dependency) %>" name="<%= dependency.name %>"<%= dependency.approved? ? " /" : "" %>>
+    <%- unless dependency.approved? -%>
+      <failure message="Unapproved license in '<%= dependency.name %>' <%= dependency.version %>">
+Name: <%= dependency.name %>
+Version: <%= dependency.version %>
+Licence:
+<%- if dependency.licenses.any? -%>
+<%- dependency.licenses.each do |license| -%>- <%=license.name %>: <%=license.url %><% end %>
+<%- end -%>
+URL: <%= dependency.package_url %>
+Homepage: <%= dependency.homepage %>
+Summary: <%= REXML::Text.new(dependency.summary, false, nil, false) %>
+Description: <%= REXML::Text.new(dependency.description, false, nil, false) %>
+<% if dependency.parents.any? %>
+Dependencies:
+<% dependency.parents.to_a.each do |dep| -%>
+- <%= dep %>
+<% end -%>
+<% end -%>
+<%- if dependency.children.any? -%>
+Requirements:
+<%- dependency.children.each do |req| -%>
+- <%= req %>
+<% end -%>
+<% end -%>
+      </failure>
+      <system-out>
+stdout
+      </system-out>
+      <system-err>
+stderr
+      </system-err>
+    </testcase>
+  <%- end -%>
+  </testsuite>
+<% end -%>
+</testsuites>

data/lib/license_finder/scanner.rb

@@ -4,7 +4,8 @@ module LicenseFinder
   class Scanner
     PACKAGE_MANAGERS = [
       GoModules, GoDep, GoWorkspace, Go15VendorExperiment, Glide, Gvt, Govendor, Trash, Dep, Bundler, NPM, Pip,
-      Yarn, Bower, Maven, Gradle, CocoaPods, Rebar, Erlangmk, Nuget, Carthage, Mix, Conan, Sbt, Cargo, Dotnet, Composer, Pipenv
+      Yarn, Bower, Maven, Gradle, CocoaPods, Rebar, Erlangmk, Nuget, Carthage, Mix, Conan, Sbt, Cargo, Dotnet, Composer, Pipenv,
+      Conda
     ].freeze
 
     class << self
@@ -12,6 +13,10 @@ module LicenseFinder
         paths.reject { |path| subproject?(Pathname(path)) }
       end
 
+      def supported_package_manager_ids
+        PACKAGE_MANAGERS.map(&:id)
+      end
+
       private
 
       def subproject?(path)
@@ -28,6 +33,7 @@ module LicenseFinder
       @config = config
       @project_path = @config[:project_path]
       @logger = @config[:logger]
+      @enabled_package_manager_ids = @config[:enabled_package_manager_ids]
     end
 
     def active_packages
@@ -40,7 +46,7 @@ module LicenseFinder
       return @package_managers if @package_managers
 
       active_pm_classes = []
-      PACKAGE_MANAGERS.each do |pm_class|
+      enabled_package_managers.each do |pm_class|
         active = pm_class.new(@config).active?
 
         if active
@@ -56,5 +62,22 @@ module LicenseFinder
       active_pm_classes -= active_pm_classes.map(&:takes_priority_over)
       @package_managers = active_pm_classes.map { |pm_class| pm_class.new(@config) }
     end
+
+    private
+
+    def enabled_package_managers
+      enabled_pm_ids = @enabled_package_manager_ids
+
+      return PACKAGE_MANAGERS unless enabled_pm_ids
+
+      enabled_pm_classes = PACKAGE_MANAGERS.select { |pm_class| enabled_pm_ids.include?(pm_class.id) }
+
+      if enabled_pm_classes.length != enabled_pm_ids.length
+        unsupported_pm_ids = enabled_pm_ids - self.class.supported_package_manager_ids
+        raise "Unsupported package manager: #{unsupported_pm_ids.join(', ')}"
+      end
+
+      enabled_pm_classes
+    end
   end
 end

data/license_finder.gemspec

@@ -46,7 +46,7 @@ Gem::Specification.new do |s|
   s.add_dependency 'bundler'
   s.add_dependency 'rubyzip', '>=1', '<3'
   s.add_dependency 'thor', '~> 1.0.1'
-  s.add_dependency 'tomlrb', '~> 1.3.0'
+  s.add_dependency 'tomlrb', '>= 1.3', '< 2.1'
   s.add_dependency 'with_env', '1.1.0'
   s.add_dependency 'xml-simple', '~> 1.1.5'
 
@@ -55,7 +55,7 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'cocoapods', '>= 1.0.0' if RUBY_PLATFORM =~ /darwin/
   s.add_development_dependency 'fakefs', '~> 1.2.0'
   s.add_development_dependency 'mime-types', '3.3.1'
-  s.add_development_dependency 'pry', '~> 0.13.0'
+  s.add_development_dependency 'pry', '~> 0.14.0'
   s.add_development_dependency 'rake', '~> 13.0.1'
   s.add_development_dependency 'rspec', '~> 3'
   s.add_development_dependency 'rspec-its', '~> 1.3.0'
@@ -63,6 +63,7 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'rubocop-performance', '~> 1.5.0'
   s.add_development_dependency 'webmock', '~> 3.5'
 
+  s.add_development_dependency 'nokogiri', '~>1.10'
   s.add_development_dependency 'rack', '~> 2.2.2'
   s.add_development_dependency 'rack-test', '~> 1.1.0', '> 0.7'
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: license_finder
 version: !ruby/object:Gem::Version
-  version: 6.9.0
+  version: 6.12.1
 platform: ruby
 authors:
 - Ryan Collins
@@ -27,7 +27,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-10-05 00:00:00.000000000 Z
+date: 2021-04-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -81,16 +81,22 @@ dependencies:
   name: tomlrb
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.3.0
+        version: '1.3'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.3.0
+        version: '1.3'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.1'
 - !ruby/object:Gem::Dependency
   name: with_env
   requirement: !ruby/object:Gem::Requirement
@@ -181,14 +187,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.13.0
+        version: 0.14.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.13.0
+        version: 0.14.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -273,6 +279,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.5'
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -351,6 +371,10 @@ files:
 - ci/tasks/run-tests.yml
 - ci/tasks/update-changelog.yml
 - dlf
+- examples/Gemfile
+- examples/custom_erb_template.rb
+- examples/extract_license_data.rb
+- examples/sample_template.erb
 - lib/license_finder.rb
 - lib/license_finder/cli.rb
 - lib/license_finder/cli/approvals.rb
@@ -413,6 +437,7 @@ files:
 - lib/license_finder/package_managers/cocoa_pods.rb
 - lib/license_finder/package_managers/composer.rb
 - lib/license_finder/package_managers/conan.rb
+- lib/license_finder/package_managers/conda.rb
 - lib/license_finder/package_managers/dep.rb
 - lib/license_finder/package_managers/dotnet.rb
 - lib/license_finder/package_managers/erlangmk.rb
@@ -451,6 +476,7 @@ files:
 - lib/license_finder/packages/cocoa_pods_package.rb
 - lib/license_finder/packages/composer_package.rb
 - lib/license_finder/packages/conan_package.rb
+- lib/license_finder/packages/conda_package.rb
 - lib/license_finder/packages/erlangmk_package.rb
 - lib/license_finder/packages/go_package.rb
 - lib/license_finder/packages/gradle_package.rb
@@ -472,10 +498,12 @@ files:
 - lib/license_finder/reports/erb_report.rb
 - lib/license_finder/reports/html_report.rb
 - lib/license_finder/reports/json_report.rb
+- lib/license_finder/reports/junit_report.rb
 - lib/license_finder/reports/markdown_report.rb
 - lib/license_finder/reports/merged_report.rb
 - lib/license_finder/reports/templates/bootstrap.css
 - lib/license_finder/reports/templates/html_report.erb
+- lib/license_finder/reports/templates/junit_report.erb
 - lib/license_finder/reports/templates/markdown_report.erb
 - lib/license_finder/reports/templates/xml_report.erb
 - lib/license_finder/reports/text_report.rb
@@ -505,7 +533,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.2.16
 signing_key: 
 specification_version: 4
 summary: Audit the OSS licenses of your application's dependencies.