RubyGems - license_finder - Versions diffs - 7.0.1 → 7.2.0 - Mend

license_finder 7.0.1 → 7.2.0

Files changed (65) hide show

checksums.yaml +4 -4
data/.github/dependabot.yml +7 -0
data/.pre-commit-hooks.yaml +10 -0
data/.rubocop.yml +5 -1
data/CHANGELOG.md +41 -0
data/CONTRIBUTING.md +1 -0
data/Dockerfile +129 -122
data/README.md +53 -14
data/Rakefile +1 -1
data/VERSION +1 -1
data/ci/pipelines/pull-request.yml.erb +29 -32
data/ci/pipelines/release.yml.erb +17 -41
data/ci/scripts/run-tests.sh +20 -4
data/ci/tasks/rubocop.yml +3 -3
data/ci/tasks/update-changelog.yml +2 -2
data/dlf +6 -1
data/lib/license_finder/cli/base.rb +2 -0
data/lib/license_finder/cli/licenses.rb +8 -3
data/lib/license_finder/cli/main.rb +3 -1
data/lib/license_finder/configuration.rb +8 -0
data/lib/license_finder/core.rb +4 -2
data/lib/license_finder/decision_applier.rb +1 -1
data/lib/license_finder/decisions.rb +24 -6
data/lib/license_finder/license/definitions.rb +129 -19
data/lib/license_finder/license/templates/AGPL3.txt +661 -0
data/lib/license_finder/license/templates/Apache2.txt +0 -2
data/lib/license_finder/license/templates/Artistic.txt +128 -0
data/lib/license_finder/license/templates/CC01_alt.txt +31 -0
data/lib/license_finder/license/templates/CDDL1_1.txt +123 -0
data/lib/license_finder/license/templates/CPL1.txt +217 -0
data/lib/license_finder/license/templates/EPL2.txt +80 -0
data/lib/license_finder/license/templates/Unlicense.txt +24 -0
data/lib/license_finder/license/text.rb +4 -0
data/lib/license_finder/license.rb +1 -1
data/lib/license_finder/manual_licenses.rb +79 -0
data/lib/license_finder/package.rb +1 -0
data/lib/license_finder/package_manager.rb +2 -1
data/lib/license_finder/package_managers/cargo.rb +1 -1
data/lib/license_finder/package_managers/conan.rb +50 -8
data/lib/license_finder/package_managers/dep.rb +43 -41
data/lib/license_finder/package_managers/dotnet.rb +5 -2
data/lib/license_finder/package_managers/go_dep.rb +1 -1
data/lib/license_finder/package_managers/go_workspace.rb +3 -2
data/lib/license_finder/package_managers/maven.rb +18 -10
data/lib/license_finder/package_managers/npm.rb +14 -1
data/lib/license_finder/package_managers/nuget.rb +5 -0
data/lib/license_finder/package_managers/pip.rb +1 -1
data/lib/license_finder/package_managers/pnpm.rb +126 -0
data/lib/license_finder/package_managers/yarn.rb +69 -20
data/lib/license_finder/package_utils/conan_info_parser.rb +2 -2
data/lib/license_finder/package_utils/conan_info_parser_v2.rb +82 -0
data/lib/license_finder/package_utils/license_files.rb +12 -2
data/lib/license_finder/package_utils/licensing.rb +2 -1
data/lib/license_finder/package_utils/maven_dependency_finder.rb +43 -1
data/lib/license_finder/package_utils/notice_files.rb +14 -3
data/lib/license_finder/package_utils/possible_license_file.rb +8 -2
data/lib/license_finder/package_utils/pypi.rb +3 -1
data/lib/license_finder/packages/maven_package.rb +13 -1
data/lib/license_finder/packages/npm_package.rb +56 -9
data/lib/license_finder/packages/pnpm_package.rb +13 -0
data/lib/license_finder/printer.rb +2 -2
data/lib/license_finder/reports/csv_report.rb +10 -1
data/lib/license_finder/scanner.rb +3 -3
data/license_finder.gemspec +12 -11
metadata +54 -28

data/lib/license_finder/license/text.rb CHANGED Viewed

@@ -16,6 +16,8 @@ module LicenseFinder
       NEWLINE_CHARACTER = /\n+/.freeze
       QUOTE_COMMENT_CHARACTER = /^\s*>+/.freeze
       ESCAPED_QUOTES = /\\"/.freeze
+      SPECIAL_CHARACTERS = /§/.freeze
+      SPECIAL_DASHES = /–/.freeze
       def self.normalize_punctuation(text)
         text.dup.force_encoding('UTF-8')
@@ -26,6 +28,8 @@ module LicenseFinder
             .gsub(NEWLINE_CHARACTER, ' ')
             .gsub(ESCAPED_QUOTES, '"')
             .gsub(QUOTES, '"')
+            .gsub(SPECIAL_CHARACTERS, '?')
+            .gsub(SPECIAL_DASHES, '-')
             .strip
       rescue ArgumentError => _e
         text

data/lib/license_finder/license.rb CHANGED Viewed

@@ -85,7 +85,7 @@ module LicenseFinder
     attr_reader :short_name, :pretty_name, :other_names, :spdx_id, :matcher
     def names
-      ([short_name, pretty_name] + other_names).uniq
+      ([short_name, pretty_name, spdx_id] + other_names).uniq
     end
   end

data/lib/license_finder/manual_licenses.rb ADDED Viewed

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+module LicenseFinder
+  class ManualLicenses
+    def initialize
+      @all_versions = {}
+      @specific_versions = {}
+    end
+    def licenses_of(name, version = nil)
+      return @all_versions[name] if @all_versions[name]
+      if version && @specific_versions[name] && @specific_versions[name][version]
+        @specific_versions[name][version]
+      else
+        Set.new
+      end
+    end
+    def assign_to_all_versions(name, lic)
+      # Ex: licenses add foo_gem MIT => Adds MIT at "all" versions for this gem
+      @all_versions[name] ||= Set.new
+      @all_versions[name] << to_license(lic)
+      @specific_versions.delete(name)
+    end
+    def assign_to_specific_versions(name, lic, versions)
+      # Ex: licenses add foo_gem MIT --version=1.0 => Adds MIT at only 1.0 for this gem
+      @specific_versions[name] ||= {}
+      versions.each do |version|
+        @specific_versions[name][version] ||= Set.new
+        @specific_versions[name][version] << to_license(lic)
+      end
+      @all_versions.delete(name)
+    end
+    def unassign_from_all_versions(name, lic = nil)
+      if lic
+        # Ex: licenses remove foo_gem MIT => Removes MIT at all versions for this gem
+        @all_versions[name]&.delete(to_license(lic))
+        @specific_versions[name]&.each_value do |licenses|
+          licenses.delete(to_license(lic))
+        end
+      else
+        # Ex: licenses remove foo_gem => Removes all licenses for all versions of the gem
+        @all_versions.delete(name)
+        @specific_versions.delete(name)
+      end
+    end
+    def unassign_from_specific_versions(name, lic, versions)
+      return unless @specific_versions[name]
+      versions.each do |version|
+        if @specific_versions[name][version]
+          if lic
+            # Ex: licenses remove foo_gem MIT --version=1.0 => Removes MIT at only 1.0 for this gem
+            @specific_versions[name][version].delete(to_license(lic))
+            @specific_versions[name].delete(version) if @specific_versions[name][version].empty?
+          else
+            # Ex: licenses remove foo_gem --version=1.0 => Removes all licenses at only 1.0 for the gem
+            @specific_versions[name].delete(version)
+          end
+        end
+      end
+    end
+    private
+    def to_license(lic)
+      License.find_by_name(lic)
+    end
+  end
+end

data/lib/license_finder/package.rb CHANGED Viewed

@@ -187,6 +187,7 @@ require 'license_finder/packages/merged_package'
 require 'license_finder/packages/nuget_package'
 require 'license_finder/packages/conan_package'
 require 'license_finder/packages/yarn_package'
+require 'license_finder/packages/pnpm_package'
 require 'license_finder/packages/sbt_package'
 require 'license_finder/packages/cargo_package'
 require 'license_finder/packages/composer_package'

data/lib/license_finder/package_manager.rb CHANGED Viewed

@@ -136,7 +136,7 @@ module LicenseFinder
       FileUtils.mkdir_p @log_directory
       # replace whitespace with underscores and remove slashes
-      log_file_name = package_management_command&.gsub(/\s/, '_')&.gsub(%r{/}, '')
+      log_file_name = package_management_command&.gsub(/\s/, '_')&.delete('/')
       log_file = File.join(@log_directory, "prepare_#{log_file_name || 'errors'}.log")
       File.open(log_file, 'w') do |f|
@@ -158,6 +158,7 @@ require 'license_finder/package_managers/go_modules'
 require 'license_finder/package_managers/trash'
 require 'license_finder/package_managers/bundler'
 require 'license_finder/package_managers/npm'
+require 'license_finder/package_managers/pnpm'
 require 'license_finder/package_managers/yarn'
 require 'license_finder/package_managers/pip'
 require 'license_finder/package_managers/pipenv'

data/lib/license_finder/package_managers/cargo.rb CHANGED Viewed

@@ -6,7 +6,7 @@ module LicenseFinder
   class Cargo < PackageManager
     def current_packages
       cargo_output.map do |package|
-        path = Dir.glob("#{Dir.home}/.cargo/registry/src/**/#{package['name']}-#{package['version']}").first
+        path = Dir.glob("#{Dir.home}/.cargo/registry/src/*/#{package['name']}-#{package['version']}").first
         CargoPackage.new(package, logger: logger, install_path: path)
       end
     end

data/lib/license_finder/package_managers/conan.rb CHANGED Viewed

@@ -1,27 +1,69 @@
 # frozen_string_literal: true
 require 'license_finder/package_utils/conan_info_parser'
+require 'license_finder/package_utils/conan_info_parser_v2'
 module LicenseFinder
   class Conan < PackageManager
     def possible_package_paths
-      [project_path.join('conanfile.txt')]
+      [project_path.join('conanfile.txt'), project_path.join('conanfile.py')]
     end
-    def current_packages
-      install_command = 'conan install .'
+    def license_file_is_good?(license_file_path)
+      !license_file_path.nil? && File.file?(license_file_path)
+    end
+    def license_file(project_path, name)
+      candidates = Dir.glob("#{project_path}/licenses/#{name}/**/LICENSE*")
+      candidates.each do |candidate|
+        return candidate if license_file_is_good?(candidate)
+      end
+      nil
+    end
+    def deps_list_conan_v1(project_path)
       info_command = 'conan info .'
-      Dir.chdir(project_path) { Cmd.run(install_command) }
       info_output, _stderr, _status = Dir.chdir(project_path) { Cmd.run(info_command) }
+      return nil if info_output.empty?
       info_parser = ConanInfoParser.new
+      info_parser.parse(info_output)
+    end
+    def deps_list_conan_v2(project_path)
+      info_command = 'conan graph info .'
+      info_output, stderr, _status = Dir.chdir(project_path) { Cmd.run(info_command) }
+      if info_output.empty?
+        return if stderr.empty?
+        info_output = stderr
+      end
+      info_parser = ConanInfoParserV2.new
+      info_parser.parse(info_output)
+    end
+    def deps_list(project_path)
+      deps = deps_list_conan_v1(project_path)
+      deps = deps_list_conan_v2(project_path) if deps.nil? || deps.empty?
+      deps
+    end
+    def current_packages
+      install_command = 'conan install .'
+      Dir.chdir(project_path) { Cmd.run(install_command) }
+      deps = deps_list(project_path)
+      return [] if deps.nil?
-      deps = info_parser.parse(info_output)
       deps.map do |dep|
         name, version = dep['name'].split('/')
-        url = dep['URL']
-        license_file_path = Dir.glob("#{project_path}/licenses/#{name}/**/LICENSE*").first
-        ConanPackage.new(name, version, File.open(license_file_path).read, url) unless name == 'conanfile.txt'
+        license_file_path = license_file(project_path, name)
+        next unless license_file_is_good?(license_file_path)
+        url = dep['homepage']
+        url = dep['url'] if url.nil?
+        ConanPackage.new(name, version, File.open(license_file_path).read, url)
       end.compact
     end
   end

data/lib/license_finder/package_managers/dep.rb CHANGED Viewed

@@ -1,43 +1,45 @@
 # frozen_string_literal: true
-require 'tomlrb'
-module LicenseFinder
-  class Dep < PackageManager
-    def possible_package_paths
-      [project_path.join('Gopkg.lock')]
-    end
-    def current_packages
-      toml = Tomlrb.load_file(detected_package_path)
-      projects = toml['projects']
-      return [] if projects.nil?
-      projects.map do |project|
-        GoPackage.from_dependency({
-                                    'ImportPath' => project['name'],
-                                    'InstallPath' => project_path.join('vendor', project['name']),
-                                    'Rev' => project['revision'],
-                                    'Homepage' => repo_name(project['name'])
-                                  }, nil, true)
-      end
-    end
-    def repo_name(name)
-      name.split('/')[0..2].join('/')
-    end
-    def self.takes_priority_over
-      Go15VendorExperiment
-    end
-    def prepare_command
-      'dep ensure -vendor-only'
-    end
-    def package_management_command
-      'dep'
-    end
-  end
-end
+# Dep has been deprecated since 2020
+#
+# require 'tomlrb'
+#
+# module LicenseFinder
+#   class Dep < PackageManager
+#     def possible_package_paths
+#       [project_path.join('Gopkg.lock')]
+#     end
+#
+#     def current_packages
+#       toml = Tomlrb.load_file(detected_package_path)
+#       projects = toml['projects']
+#
+#       return [] if projects.nil?
+#
+#       projects.map do |project|
+#         GoPackage.from_dependency({
+#                                     'ImportPath' => project['name'],
+#                                     'InstallPath' => project_path.join('vendor', project['name']),
+#                                     'Rev' => project['revision'],
+#                                     'Homepage' => repo_name(project['name'])
+#                                   }, nil, true)
+#       end
+#     end
+#
+#     def repo_name(name)
+#       name.split('/')[0..2].join('/')
+#     end
+#
+#     def self.takes_priority_over
+#       Go15VendorExperiment
+#     end
+#
+#     def prepare_command
+#       'dep ensure -vendor-only'
+#     end
+#
+#     def package_management_command
+#       'dep'
+#     end
+#   end
+# end

data/lib/license_finder/package_managers/dotnet.rb CHANGED Viewed

@@ -42,9 +42,13 @@ module LicenseFinder
       end
       def read_license_urls
-        possible_spec_paths.flat_map do |path|
+        raw_licenses = possible_spec_paths.flat_map do |path|
           Nuget.nuspec_license_urls(File.read(path)) if File.exist? path
         end.compact
+        raw_licenses&.map! do |license|
+          license.gsub('https://licenses.nuget.org/', '')
+        end
       end
       def ==(other)
@@ -61,7 +65,6 @@ module LicenseFinder
       package_metadatas = asset_files
                           .flat_map { |path| AssetFile.new(path).dependencies }
                           .uniq { |d| [d.name, d.version] }
       package_metadatas.map do |d|
         path = Dir.glob("#{Dir.home}/.nuget/packages/#{d.name.downcase}/#{d.version}").first
         NugetPackage.new(d.name, d.version, spec_licenses: d.read_license_urls, install_path: path)

data/lib/license_finder/package_managers/go_dep.rb CHANGED Viewed

@@ -56,7 +56,7 @@ module LicenseFinder
       packages_grouped_by_revision = all_packages.group_by { |package| package['Rev'] }
       result = []
-      packages_grouped_by_revision.each do |_sha, packages_in_group|
+      packages_grouped_by_revision.each_value do |packages_in_group|
         all_paths_in_group = packages_in_group.map { |p| p['ImportPath'] }
         common_paths = CommonPathHelper.longest_common_paths(all_paths_in_group)
         package_info = packages_in_group.first

data/lib/license_finder/package_managers/go_workspace.rb CHANGED Viewed

@@ -51,11 +51,12 @@ module LicenseFinder
     def active?
       return false if @strict_matching
+      # Dep has been deprecated since 2020
       godep = LicenseFinder::GoDep.new(project_path: Pathname(project_path))
-      dep = LicenseFinder::Dep.new(project_path: Pathname(project_path))
       # go workspace is only active if GoDep wasn't. There are some projects
       # that will use the .envrc and have a Godep folder as well.
-      !!(!godep.active? && !dep.active? && envrc_path && ENVRC_REGEXP.match(IO.read(envrc_path)))
+      # !!(!godep.active? && !dep.active? && envrc_path && ENVRC_REGEXP.match(IO.read(envrc_path)))
+      !!(!godep.active? && envrc_path && ENVRC_REGEXP.match(IO.read(envrc_path)))
     end
     private

data/lib/license_finder/package_managers/maven.rb CHANGED Viewed

@@ -13,22 +13,20 @@ module LicenseFinder
     end
     def current_packages
+      # Generate a file "target/generated-resources/licenses.xml" that contains a list of
+      # dependencies including their groupId, artifactId, version and license (name, file, url).
+      # The license file downloaded this way, however, is a generic one without author information.
+      # This file also does not contain further information about the package like its name,
+      # description or website URL.
       command = "#{package_management_command} org.codehaus.mojo:license-maven-plugin:download-licenses"
       command += " -Dlicense.excludedScopes=#{@ignored_groups.to_a.join(',')}" if @ignored_groups && !@ignored_groups.empty?
       command += " #{@maven_options}" unless @maven_options.nil?
       _stdout, stderr, status = Dir.chdir(project_path) { Cmd.run(command) }
       raise "Command '#{command}' failed to execute: #{stderr}" unless status.success?
-      dependencies = MavenDependencyFinder.new(project_path).dependencies
-      packages = dependencies.flat_map do |xml|
-        options = {
-          'GroupTags' => { 'licenses' => 'license', 'dependencies' => 'dependency' },
-          'ForceArray' => %w[license dependency]
-        }
-        contents = XmlSimple.xml_in(xml, options)['dependencies']
-        contents.map do |dep|
-          MavenPackage.new(dep, logger: logger, include_groups: @include_groups)
-        end
+      dependencies = MavenDependencyFinder.new(project_path, maven_repository_path).dependencies
+      packages = dependencies.map do |dep|
+        MavenPackage.new(dep, logger: logger, include_groups: @include_groups)
       end
       packages.uniq
     end
@@ -57,5 +55,15 @@ module LicenseFinder
       stdout.include?('null object or invalid expression')
     end
+    # Look up the path of the Maven repository (e.g. ~/.m2)
+    def maven_repository_path
+      command = "#{package_management_command} help:evaluate -Dexpression=settings.localRepository -q -DforceStdout"
+      command += " #{@maven_options}" unless @maven_options.nil?
+      stdout, stderr, status = Dir.chdir(project_path) { Cmd.run(command) }
+      raise "Command '#{command}' failed to execute: #{stderr}" unless status.success?
+      Pathname(stdout)
+    end
   end
 end

data/lib/license_finder/package_managers/npm.rb CHANGED Viewed

@@ -39,7 +39,7 @@ module LicenseFinder
     private
     def npm_json
-      command = "#{package_management_command} list --json --long#{production_flag}"
+      command = "#{package_management_command} list --json --long#{all_flag}#{production_flag}"
       command += " #{@npm_options}" unless @npm_options.nil?
       stdout, stderr, status = Dir.chdir(project_path) { Cmd.run(command) }
       # we can try and continue if we got an exit status 1 - unmet peer dependency
@@ -53,5 +53,18 @@ module LicenseFinder
       @ignored_groups.include?('devDependencies') ? ' --production' : ''
     end
+    def all_flag
+      npm_version >= 7 ? ' --all' : ''
+    end
+    def npm_version
+      command = "#{package_management_command} -v"
+      stdout, stderr, status = Dir.chdir(project_path) { Cmd.run(command) }
+      raise "Command '#{command}' failed to execute: #{stderr}" unless status.success?
+      version = stdout.split('.').map(&:to_i)
+      version[0]
+    end
   end
 end

data/lib/license_finder/package_managers/nuget.rb CHANGED Viewed

@@ -51,6 +51,10 @@ module LicenseFinder
     def current_packages
       dependencies.each_with_object({}) do |dep, memo|
         licenses = license_urls(dep)
+        licenses&.map! do |license|
+          license.gsub('https://licenses.nuget.org/', '')
+        end
         path = Dir.glob("#{Dir.home}/.nuget/packages/#{dep.name.downcase}/#{dep.version}").first
         memo[dep.name] ||= NugetPackage.new(dep.name, dep.version, spec_licenses: licenses, install_path: path)
@@ -60,6 +64,7 @@ module LicenseFinder
     def license_urls(dep)
       files = Dir["**/#{dep.name}.#{dep.version}.nupkg"]
       return nil if files.empty?
       file = files.first

data/lib/license_finder/package_managers/pip.rb CHANGED Viewed

@@ -4,7 +4,7 @@ require 'json'
 module LicenseFinder
   class Pip < PackageManager
-    DEFAULT_VERSION = '2'
+    DEFAULT_VERSION = '3'
     def initialize(options = {})
       super

data/lib/license_finder/package_managers/pnpm.rb ADDED Viewed

@@ -0,0 +1,126 @@
+# frozen_string_literal: true
+require 'json'
+require 'tempfile'
+module LicenseFinder
+  class PNPM < PackageManager
+    def initialize(options = {})
+      super
+      @pnpm_options = options[:pnpm_options]
+    end
+    SHELL_COMMAND = 'pnpm licenses list --json --long'
+    def possible_package_paths
+      [project_path.join('pnpm-lock.yaml')]
+    end
+    def self.takes_priority_over
+      NPM
+    end
+    def current_packages
+      # check if the minimum version of PNPM is met
+      raise 'The minimum PNPM version is not met, requires 7.17.0 or later' unless supported_pnpm?
+      # check if the project directory has workspace file
+      cmd = PNPM::SHELL_COMMAND.to_s
+      cmd += ' --no-color'
+      cmd += ' --recursive' unless project_has_workspaces == false
+      cmd += " --dir #{project_path}" unless project_path.nil?
+      cmd += " #{@pnpm_options}" unless @pnpm_options.nil?
+      stdout, stderr, status = Cmd.run(cmd)
+      raise "Command '#{cmd}' failed to execute: #{stderr}" unless status.success?
+      json_objects = JSON.parse(stdout)
+      get_pnpm_packages(json_objects)
+    end
+    def get_pnpm_packages(json_objects)
+      packages = []
+      incompatible_packages = []
+      json_objects.map do |_, value|
+        value.each do |pkg|
+          name = pkg['name']
+          if pkg['version']
+            version = pkg['version']
+          elsif pkg['versions']
+            version = pkg['versions'][0]
+          end
+          license = pkg['license']
+          homepage = pkg['vendorUrl']
+          author = pkg['vendorName']
+          module_path = pkg['path']
+          package = PNPMPackage.new(
+            name,
+            version,
+            spec_licenses: [license],
+            homepage: homepage,
+            authors: author,
+            install_path: module_path
+          )
+          packages << package
+        end
+      end
+      packages + incompatible_packages.uniq
+    end
+    def package_management_command
+      'pnpm'
+    end
+    def prepare_command
+      'pnpm install --no-lockfile --ignore-scripts'
+    end
+    def prepare
+      prep_cmd = "#{prepare_command}#{production_flag}"
+      _stdout, stderr, status = Dir.chdir(project_path) { Cmd.run(prep_cmd) }
+      return if status.success?
+      log_errors stderr
+      raise "Prepare command '#{prep_cmd}' failed" unless @prepare_no_fail
+    end
+    private
+    def project_has_workspaces
+      Dir.chdir(project_path) do
+        return File.file?('pnpm-workspace.yaml')
+      end
+    end
+    # PNPM introduced the licenses command in 7.17.0
+    def supported_pnpm?
+      Dir.chdir(project_path) do
+        version_string, stderr_str, status = Cmd.run('pnpm --version')
+        raise "Command 'pnpm -v' failed to execute: #{stderr_str}" unless status.success?
+        version = version_string.split('.').map(&:to_i)
+        major = version[0]
+        minor = version[1]
+        patch = version[1]
+        return true if major > 7
+        return true if major == 7 && minor > 17
+        return true if major == 7 && minor == 17 && patch >= 0
+        return false
+      end
+    end
+    def production_flag
+      return '' if @ignored_groups.nil?
+      @ignored_groups.include?('devDependencies') ? ' --prod' : ''
+    end
+  end
+end