RubyGems - license_finder - Versions diffs - 7.0.1 → 7.2.0 - Mend

license_finder 7.0.1 → 7.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (65) hide show

checksums.yaml +4 -4
data/.github/dependabot.yml +7 -0
data/.pre-commit-hooks.yaml +10 -0
data/.rubocop.yml +5 -1
data/CHANGELOG.md +41 -0
data/CONTRIBUTING.md +1 -0
data/Dockerfile +129 -122
data/README.md +53 -14
data/Rakefile +1 -1
data/VERSION +1 -1
data/ci/pipelines/pull-request.yml.erb +29 -32
data/ci/pipelines/release.yml.erb +17 -41
data/ci/scripts/run-tests.sh +20 -4
data/ci/tasks/rubocop.yml +3 -3
data/ci/tasks/update-changelog.yml +2 -2
data/dlf +6 -1
data/lib/license_finder/cli/base.rb +2 -0
data/lib/license_finder/cli/licenses.rb +8 -3
data/lib/license_finder/cli/main.rb +3 -1
data/lib/license_finder/configuration.rb +8 -0
data/lib/license_finder/core.rb +4 -2
data/lib/license_finder/decision_applier.rb +1 -1
data/lib/license_finder/decisions.rb +24 -6
data/lib/license_finder/license/definitions.rb +129 -19
data/lib/license_finder/license/templates/AGPL3.txt +661 -0
data/lib/license_finder/license/templates/Apache2.txt +0 -2
data/lib/license_finder/license/templates/Artistic.txt +128 -0
data/lib/license_finder/license/templates/CC01_alt.txt +31 -0
data/lib/license_finder/license/templates/CDDL1_1.txt +123 -0
data/lib/license_finder/license/templates/CPL1.txt +217 -0
data/lib/license_finder/license/templates/EPL2.txt +80 -0
data/lib/license_finder/license/templates/Unlicense.txt +24 -0
data/lib/license_finder/license/text.rb +4 -0
data/lib/license_finder/license.rb +1 -1
data/lib/license_finder/manual_licenses.rb +79 -0
data/lib/license_finder/package.rb +1 -0
data/lib/license_finder/package_manager.rb +2 -1
data/lib/license_finder/package_managers/cargo.rb +1 -1
data/lib/license_finder/package_managers/conan.rb +50 -8
data/lib/license_finder/package_managers/dep.rb +43 -41
data/lib/license_finder/package_managers/dotnet.rb +5 -2
data/lib/license_finder/package_managers/go_dep.rb +1 -1
data/lib/license_finder/package_managers/go_workspace.rb +3 -2
data/lib/license_finder/package_managers/maven.rb +18 -10
data/lib/license_finder/package_managers/npm.rb +14 -1
data/lib/license_finder/package_managers/nuget.rb +5 -0
data/lib/license_finder/package_managers/pip.rb +1 -1
data/lib/license_finder/package_managers/pnpm.rb +126 -0
data/lib/license_finder/package_managers/yarn.rb +69 -20
data/lib/license_finder/package_utils/conan_info_parser.rb +2 -2
data/lib/license_finder/package_utils/conan_info_parser_v2.rb +82 -0
data/lib/license_finder/package_utils/license_files.rb +12 -2
data/lib/license_finder/package_utils/licensing.rb +2 -1
data/lib/license_finder/package_utils/maven_dependency_finder.rb +43 -1
data/lib/license_finder/package_utils/notice_files.rb +14 -3
data/lib/license_finder/package_utils/possible_license_file.rb +8 -2
data/lib/license_finder/package_utils/pypi.rb +3 -1
data/lib/license_finder/packages/maven_package.rb +13 -1
data/lib/license_finder/packages/npm_package.rb +56 -9
data/lib/license_finder/packages/pnpm_package.rb +13 -0
data/lib/license_finder/printer.rb +2 -2
data/lib/license_finder/reports/csv_report.rb +10 -1
data/lib/license_finder/scanner.rb +3 -3
data/license_finder.gemspec +12 -11
metadata +54 -28

data/lib/license_finder/license/text.rb CHANGED Viewed

@@ -16,6 +16,8 @@ module LicenseFinder
       NEWLINE_CHARACTER = /\n+/.freeze
       QUOTE_COMMENT_CHARACTER = /^\s*>+/.freeze
       ESCAPED_QUOTES = /\\"/.freeze
+      SPECIAL_CHARACTERS = /§/.freeze
+      SPECIAL_DASHES = /–/.freeze
       def self.normalize_punctuation(text)
         text.dup.force_encoding('UTF-8')
@@ -26,6 +28,8 @@ module LicenseFinder
             .gsub(NEWLINE_CHARACTER, ' ')
             .gsub(ESCAPED_QUOTES, '"')
             .gsub(QUOTES, '"')
+            .gsub(SPECIAL_CHARACTERS, '?')
+            .gsub(SPECIAL_DASHES, '-')
             .strip
       rescue ArgumentError => _e
         text

data/lib/license_finder/license.rb CHANGED Viewed

@@ -85,7 +85,7 @@ module LicenseFinder
     attr_reader :short_name, :pretty_name, :other_names, :spdx_id, :matcher
     def names
-      ([short_name, pretty_name] + other_names).uniq
+      ([short_name, pretty_name, spdx_id] + other_names).uniq
     end
   end

data/lib/license_finder/manual_licenses.rb ADDED Viewed

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+module LicenseFinder
+  class ManualLicenses
+    def initialize
+      @all_versions = {}
+      @specific_versions = {}
+    end
+    def licenses_of(name, version = nil)
+      return @all_versions[name] if @all_versions[name]
+      if version && @specific_versions[name] && @specific_versions[name][version]
+        @specific_versions[name][version]
+      else
+        Set.new
+      end
+    end
+    def assign_to_all_versions(name, lic)
+      # Ex: licenses add foo_gem MIT => Adds MIT at "all" versions for this gem
+      @all_versions[name] ||= Set.new
+      @all_versions[name] << to_license(lic)
+      @specific_versions.delete(name)
+    end
+    def assign_to_specific_versions(name, lic, versions)
+      # Ex: licenses add foo_gem MIT --version=1.0 => Adds MIT at only 1.0 for this gem
+      @specific_versions[name] ||= {}
+      versions.each do |version|
+        @specific_versions[name][version] ||= Set.new
+        @specific_versions[name][version] << to_license(lic)
+      end
+      @all_versions.delete(name)
+    end
+    def unassign_from_all_versions(name, lic = nil)
+      if lic
+        # Ex: licenses remove foo_gem MIT => Removes MIT at all versions for this gem
+        @all_versions[name]&.delete(to_license(lic))
+        @specific_versions[name]&.each_value do |licenses|
+          licenses.delete(to_license(lic))
+        end
+      else
+        # Ex: licenses remove foo_gem => Removes all licenses for all versions of the gem
+        @all_versions.delete(name)
+        @specific_versions.delete(name)
+      end
+    end
+    def unassign_from_specific_versions(name, lic, versions)
+      return unless @specific_versions[name]
+      versions.each do |version|
+        if @specific_versions[name][version]
+          if lic
+            # Ex: licenses remove foo_gem MIT --version=1.0 => Removes MIT at only 1.0 for this gem
+            @specific_versions[name][version].delete(to_license(lic))
+            @specific_versions[name].delete(version) if @specific_versions[name][version].empty?
+          else
+            # Ex: licenses remove foo_gem --version=1.0 => Removes all licenses at only 1.0 for the gem
+            @specific_versions[name].delete(version)
+          end
+        end
+      end
+    end
+    private
+    def to_license(lic)
+      License.find_by_name(lic)
+    end
+  end
+end

data/lib/license_finder/package.rb CHANGED Viewed

@@ -187,6 +187,7 @@ require 'license_finder/packages/merged_package'
 require 'license_finder/packages/nuget_package'
 require 'license_finder/packages/conan_package'
 require 'license_finder/packages/yarn_package'
+require 'license_finder/packages/pnpm_package'
 require 'license_finder/packages/sbt_package'
 require 'license_finder/packages/cargo_package'
 require 'license_finder/packages/composer_package'

data/lib/license_finder/package_manager.rb CHANGED Viewed

@@ -136,7 +136,7 @@ module LicenseFinder
       FileUtils.mkdir_p @log_directory
       # replace whitespace with underscores and remove slashes
-      log_file_name = package_management_command&.gsub(/\s/, '_')&.gsub(%r{/}, '')
+      log_file_name = package_management_command&.gsub(/\s/, '_')&.delete('/')
       log_file = File.join(@log_directory, "prepare_#{log_file_name || 'errors'}.log")
       File.open(log_file, 'w') do |f|
@@ -158,6 +158,7 @@ require 'license_finder/package_managers/go_modules'
 require 'license_finder/package_managers/trash'
 require 'license_finder/package_managers/bundler'
 require 'license_finder/package_managers/npm'
+require 'license_finder/package_managers/pnpm'
 require 'license_finder/package_managers/yarn'
 require 'license_finder/package_managers/pip'
 require 'license_finder/package_managers/pipenv'

data/lib/license_finder/package_managers/cargo.rb CHANGED Viewed

@@ -6,7 +6,7 @@ module LicenseFinder
   class Cargo < PackageManager
     def current_packages
       cargo_output.map do |package|
-        path = Dir.glob("#{Dir.home}/.cargo/registry/src/**/#{package['name']}-#{package['version']}").first
+        path = Dir.glob("#{Dir.home}/.cargo/registry/src/*/#{package['name']}-#{package['version']}").first
         CargoPackage.new(package, logger: logger, install_path: path)
       end
     end

data/lib/license_finder/package_managers/conan.rb CHANGED Viewed

@@ -1,27 +1,69 @@
 # frozen_string_literal: true
 require 'license_finder/package_utils/conan_info_parser'
+require 'license_finder/package_utils/conan_info_parser_v2'
 module LicenseFinder
   class Conan < PackageManager
     def possible_package_paths
-      [project_path.join('conanfile.txt')]
+      [project_path.join('conanfile.txt'), project_path.join('conanfile.py')]
     end
-    def current_packages
-      install_command = 'conan install .'
+    def license_file_is_good?(license_file_path)
+      !license_file_path.nil? && File.file?(license_file_path)
+    end
+    def license_file(project_path, name)
+      candidates = Dir.glob("#{project_path}/licenses/#{name}/**/LICENSE*")
+      candidates.each do |candidate|
+        return candidate if license_file_is_good?(candidate)
+      end
+      nil
+    end
+    def deps_list_conan_v1(project_path)
       info_command = 'conan info .'
-      Dir.chdir(project_path) { Cmd.run(install_command) }
       info_output, _stderr, _status = Dir.chdir(project_path) { Cmd.run(info_command) }
+      return nil if info_output.empty?
       info_parser = ConanInfoParser.new
+      info_parser.parse(info_output)
+    end
+    def deps_list_conan_v2(project_path)
+      info_command = 'conan graph info .'
+      info_output, stderr, _status = Dir.chdir(project_path) { Cmd.run(info_command) }
+      if info_output.empty?
+        return if stderr.empty?
+        info_output = stderr
+      end
+      info_parser = ConanInfoParserV2.new
+      info_parser.parse(info_output)
+    end
+    def deps_list(project_path)
+      deps = deps_list_conan_v1(project_path)
+      deps = deps_list_conan_v2(project_path) if deps.nil? || deps.empty?
+      deps
+    end
+    def current_packages
+      install_command = 'conan install .'
+      Dir.chdir(project_path) { Cmd.run(install_command) }
+      deps = deps_list(project_path)
+      return [] if deps.nil?
-      deps = info_parser.parse(info_output)
       deps.map do |dep|
         name, version = dep['name'].split('/')
-        url = dep['URL']
-        license_file_path = Dir.glob("#{project_path}/licenses/#{name}/**/LICENSE*").first
-        ConanPackage.new(name, version, File.open(license_file_path).read, url) unless name == 'conanfile.txt'
+        license_file_path = license_file(project_path, name)
+        next unless license_file_is_good?(license_file_path)
+        url = dep['homepage']
+        url = dep['url'] if url.nil?
+        ConanPackage.new(name, version, File.open(license_file_path).read, url)
       end.compact
     end
   end

data/lib/license_finder/package_managers/dep.rb CHANGED Viewed

@@ -1,43 +1,45 @@
 # frozen_string_literal: true
-require 'tomlrb'
-module LicenseFinder
-  class Dep < PackageManager
-    def possible_package_paths
-      [project_path.join('Gopkg.lock')]
-    end
-    def current_packages
-      toml = Tomlrb.load_file(detected_package_path)
-      projects = toml['projects']
-      return [] if projects.nil?
-      projects.map do |project|
-        GoPackage.from_dependency({
-                                    'ImportPath' => project['name'],
-                                    'InstallPath' => project_path.join('vendor', project['name']),
-                                    'Rev' => project['revision'],
-                                    'Homepage' => repo_name(project['name'])
-                                  }, nil, true)
-      end
-    end
-    def repo_name(name)
-      name.split('/')[0..2].join('/')
-    end
-    def self.takes_priority_over
-      Go15VendorExperiment
-    end
-    def prepare_command
-      'dep ensure -vendor-only'
-    end
-    def package_management_command
-      'dep'
-    end
-  end
-end
+# Dep has been deprecated since 2020
+#
+# require 'tomlrb'
+#
+# module LicenseFinder
+#   class Dep < PackageManager
+#     def possible_package_paths
+#       [project_path.join('Gopkg.lock')]
+#     end
+#
+#     def current_packages
+#       toml = Tomlrb.load_file(detected_package_path)
+#       projects = toml['projects']
+#
+#       return [] if projects.nil?
+#
+#       projects.map do |project|
+#         GoPackage.from_dependency({
+#                                     'ImportPath' => project['name'],
+#                                     'InstallPath' => project_path.join('vendor', project['name']),
+#                                     'Rev' => project['revision'],
+#                                     'Homepage' => repo_name(project['name'])
+#                                   }, nil, true)
+#       end
+#     end
+#
+#     def repo_name(name)
+#       name.split('/')[0..2].join('/')
+#     end
+#
+#     def self.takes_priority_over
+#       Go15VendorExperiment
+#     end
+#
+#     def prepare_command
+#       'dep ensure -vendor-only'
+#     end
+#
+#     def package_management_command
+#       'dep'
+#     end
+#   end
+# end

data/lib/license_finder/package_managers/dotnet.rb CHANGED Viewed

@@ -42,9 +42,13 @@ module LicenseFinder
       end
       def read_license_urls
-        possible_spec_paths.flat_map do |path|
+        raw_licenses = possible_spec_paths.flat_map do |path|
           Nuget.nuspec_license_urls(File.read(path)) if File.exist? path
         end.compact
+        raw_licenses&.map! do |license|
+          license.gsub('https://licenses.nuget.org/', '')
+        end
       end
       def ==(other)
@@ -61,7 +65,6 @@ module LicenseFinder
       package_metadatas = asset_files
                           .flat_map { |path| AssetFile.new(path).dependencies }
                           .uniq { |d| [d.name, d.version] }
       package_metadatas.map do |d|
         path = Dir.glob("#{Dir.home}/.nuget/packages/#{d.name.downcase}/#{d.version}").first
         NugetPackage.new(d.name, d.version, spec_licenses: d.read_license_urls, install_path: path)

data/lib/license_finder/package_managers/go_dep.rb CHANGED Viewed

@@ -56,7 +56,7 @@ module LicenseFinder
       packages_grouped_by_revision = all_packages.group_by { |package| package['Rev'] }
       result = []
-      packages_grouped_by_revision.each do |_sha, packages_in_group|
+      packages_grouped_by_revision.each_value do |packages_in_group|
         all_paths_in_group = packages_in_group.map { |p| p['ImportPath'] }
         common_paths = CommonPathHelper.longest_common_paths(all_paths_in_group)
         package_info = packages_in_group.first

data/lib/license_finder/package_managers/go_workspace.rb CHANGED Viewed

@@ -51,11 +51,12 @@ module LicenseFinder
     def active?
       return false if @strict_matching
+      # Dep has been deprecated since 2020
       godep = LicenseFinder::GoDep.new(project_path: Pathname(project_path))
-      dep = LicenseFinder::Dep.new(project_path: Pathname(project_path))
       # go workspace is only active if GoDep wasn't. There are some projects
       # that will use the .envrc and have a Godep folder as well.
-      !!(!godep.active? && !dep.active? && envrc_path && ENVRC_REGEXP.match(IO.read(envrc_path)))
+      # !!(!godep.active? && !dep.active? && envrc_path && ENVRC_REGEXP.match(IO.read(envrc_path)))
+      !!(!godep.active? && envrc_path && ENVRC_REGEXP.match(IO.read(envrc_path)))
     end
     private

data/lib/license_finder/package_managers/maven.rb CHANGED Viewed

@@ -13,22 +13,20 @@ module LicenseFinder
     end
     def current_packages
+      # Generate a file "target/generated-resources/licenses.xml" that contains a list of
+      # dependencies including their groupId, artifactId, version and license (name, file, url).
+      # The license file downloaded this way, however, is a generic one without author information.
+      # This file also does not contain further information about the package like its name,
+      # description or website URL.
       command = "#{package_management_command} org.codehaus.mojo:license-maven-plugin:download-licenses"
       command += " -Dlicense.excludedScopes=#{@ignored_groups.to_a.join(',')}" if @ignored_groups && !@ignored_groups.empty?
       command += " #{@maven_options}" unless @maven_options.nil?
       _stdout, stderr, status = Dir.chdir(project_path) { Cmd.run(command) }
       raise "Command '#{command}' failed to execute: #{stderr}" unless status.success?
-      dependencies = MavenDependencyFinder.new(project_path).dependencies
-      packages = dependencies.flat_map do |xml|
-        options = {
-          'GroupTags' => { 'licenses' => 'license', 'dependencies' => 'dependency' },
-          'ForceArray' => %w[license dependency]
-        }
-        contents = XmlSimple.xml_in(xml, options)['dependencies']
-        contents.map do |dep|
-          MavenPackage.new(dep, logger: logger, include_groups: @include_groups)
-        end
+      dependencies = MavenDependencyFinder.new(project_path, maven_repository_path).dependencies
+      packages = dependencies.map do |dep|
+        MavenPackage.new(dep, logger: logger, include_groups: @include_groups)
       end
       packages.uniq
     end
@@ -57,5 +55,15 @@ module LicenseFinder
       stdout.include?('null object or invalid expression')
     end
+    # Look up the path of the Maven repository (e.g. ~/.m2)
+    def maven_repository_path
+      command = "#{package_management_command} help:evaluate -Dexpression=settings.localRepository -q -DforceStdout"
+      command += " #{@maven_options}" unless @maven_options.nil?
+      stdout, stderr, status = Dir.chdir(project_path) { Cmd.run(command) }
+      raise "Command '#{command}' failed to execute: #{stderr}" unless status.success?
+      Pathname(stdout)
+    end
   end
 end

data/lib/license_finder/package_managers/npm.rb CHANGED Viewed

@@ -39,7 +39,7 @@ module LicenseFinder
     private
     def npm_json
-      command = "#{package_management_command} list --json --long#{production_flag}"
+      command = "#{package_management_command} list --json --long#{all_flag}#{production_flag}"
       command += " #{@npm_options}" unless @npm_options.nil?
       stdout, stderr, status = Dir.chdir(project_path) { Cmd.run(command) }
       # we can try and continue if we got an exit status 1 - unmet peer dependency
@@ -53,5 +53,18 @@ module LicenseFinder
       @ignored_groups.include?('devDependencies') ? ' --production' : ''
     end
+    def all_flag
+      npm_version >= 7 ? ' --all' : ''
+    end
+    def npm_version
+      command = "#{package_management_command} -v"
+      stdout, stderr, status = Dir.chdir(project_path) { Cmd.run(command) }
+      raise "Command '#{command}' failed to execute: #{stderr}" unless status.success?
+      version = stdout.split('.').map(&:to_i)
+      version[0]
+    end
   end
 end

data/lib/license_finder/package_managers/nuget.rb CHANGED Viewed

@@ -51,6 +51,10 @@ module LicenseFinder
     def current_packages
       dependencies.each_with_object({}) do |dep, memo|
         licenses = license_urls(dep)
+        licenses&.map! do |license|
+          license.gsub('https://licenses.nuget.org/', '')
+        end
         path = Dir.glob("#{Dir.home}/.nuget/packages/#{dep.name.downcase}/#{dep.version}").first
         memo[dep.name] ||= NugetPackage.new(dep.name, dep.version, spec_licenses: licenses, install_path: path)
@@ -60,6 +64,7 @@ module LicenseFinder
     def license_urls(dep)
       files = Dir["**/#{dep.name}.#{dep.version}.nupkg"]
       return nil if files.empty?
       file = files.first

data/lib/license_finder/package_managers/pip.rb CHANGED Viewed

@@ -4,7 +4,7 @@ require 'json'
 module LicenseFinder
   class Pip < PackageManager
-    DEFAULT_VERSION = '2'
+    DEFAULT_VERSION = '3'
     def initialize(options = {})
       super

data/lib/license_finder/package_managers/pnpm.rb ADDED Viewed

@@ -0,0 +1,126 @@
+# frozen_string_literal: true
+require 'json'
+require 'tempfile'
+module LicenseFinder
+  class PNPM < PackageManager
+    def initialize(options = {})
+      super
+      @pnpm_options = options[:pnpm_options]
+    end
+    SHELL_COMMAND = 'pnpm licenses list --json --long'
+    def possible_package_paths
+      [project_path.join('pnpm-lock.yaml')]
+    end
+    def self.takes_priority_over
+      NPM
+    end
+    def current_packages
+      # check if the minimum version of PNPM is met
+      raise 'The minimum PNPM version is not met, requires 7.17.0 or later' unless supported_pnpm?
+      # check if the project directory has workspace file
+      cmd = PNPM::SHELL_COMMAND.to_s
+      cmd += ' --no-color'
+      cmd += ' --recursive' unless project_has_workspaces == false
+      cmd += " --dir #{project_path}" unless project_path.nil?
+      cmd += " #{@pnpm_options}" unless @pnpm_options.nil?
+      stdout, stderr, status = Cmd.run(cmd)
+      raise "Command '#{cmd}' failed to execute: #{stderr}" unless status.success?
+      json_objects = JSON.parse(stdout)
+      get_pnpm_packages(json_objects)
+    end
+    def get_pnpm_packages(json_objects)
+      packages = []
+      incompatible_packages = []
+      json_objects.map do |_, value|
+        value.each do |pkg|
+          name = pkg['name']
+          if pkg['version']
+            version = pkg['version']
+          elsif pkg['versions']
+            version = pkg['versions'][0]
+          end
+          license = pkg['license']
+          homepage = pkg['vendorUrl']
+          author = pkg['vendorName']
+          module_path = pkg['path']
+          package = PNPMPackage.new(
+            name,
+            version,
+            spec_licenses: [license],
+            homepage: homepage,
+            authors: author,
+            install_path: module_path
+          )
+          packages << package
+        end
+      end
+      packages + incompatible_packages.uniq
+    end
+    def package_management_command
+      'pnpm'
+    end
+    def prepare_command
+      'pnpm install --no-lockfile --ignore-scripts'
+    end
+    def prepare
+      prep_cmd = "#{prepare_command}#{production_flag}"
+      _stdout, stderr, status = Dir.chdir(project_path) { Cmd.run(prep_cmd) }
+      return if status.success?
+      log_errors stderr
+      raise "Prepare command '#{prep_cmd}' failed" unless @prepare_no_fail
+    end
+    private
+    def project_has_workspaces
+      Dir.chdir(project_path) do
+        return File.file?('pnpm-workspace.yaml')
+      end
+    end
+    # PNPM introduced the licenses command in 7.17.0
+    def supported_pnpm?
+      Dir.chdir(project_path) do
+        version_string, stderr_str, status = Cmd.run('pnpm --version')
+        raise "Command 'pnpm -v' failed to execute: #{stderr_str}" unless status.success?
+        version = version_string.split('.').map(&:to_i)
+        major = version[0]
+        minor = version[1]
+        patch = version[1]
+        return true if major > 7
+        return true if major == 7 && minor > 17
+        return true if major == 7 && minor == 17 && patch >= 0
+        return false
+      end
+    end
+    def production_flag
+      return '' if @ignored_groups.nil?
+      @ignored_groups.include?('devDependencies') ? ' --prod' : ''
+    end
+  end
+end