license_finder 6.10.0 → 6.10.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 006762262d406303612afa6cecfe8eef1c2812bc845664c976bf93f047775b38
-  data.tar.gz: 70d8bf402df648d8d1ad35038e021b30a66511e80a07e120e520e394d656b909
+  metadata.gz: 73b9ecbd4718f26feaf025ecfe39dc87d3a68538fb5a63118cc7970940930fa2
+  data.tar.gz: 4b7544aef7f9c5a312c2bc58fb277217109f4cc6095a65d252e738a3705a54f0
 SHA512:
-  metadata.gz: f7bf3097774f1babde5e5326a0568412f4bdfb39bcb02923e89cbc20b0bae316e0c08be77d15a92f4a0d28036c44fdc55f1e7984c607f7a17d4e8f8b42273a96
-  data.tar.gz: 2a4e56a8bec0ee4a68b6b91814030bb5b32cf40cb4e2b9cb75e3a082adb96ea27f56f6152dadd46a1b03d4f81e63d1ad78c6071d4a20ee0e14809f1a9e82da61
+  metadata.gz: b51e18d0be7d5b25e62b52fbd4a046ab0a7cdba9ea865210172a4026b63e4c2b566446de40bccf45b331580f9de25ed05f620e1b2ccbb6c182162347f0f8b653
+  data.tar.gz: 58ab33ffa3395bf495fd5b392a89a2fa40d6f1c36228241df10b28534357f76d6cc6ab663a2e0c859684c75a69d4464f6dcd4dc5d8f69e30e84add4589506d0f

data/CHANGELOG.md

@@ -1,3 +1,5 @@
+# [6.10.1] / 2021-01-08
+
 # [6.10.0] / 2020-11-27
 
 # [6.9.0] / 2020-10-05
@@ -924,3 +926,4 @@ Bugfixes:
 [6.8.2]: https://github.com/pivotal/LicenseFinder/compare/v6.8.1...v6.8.2
 [6.9.0]: https://github.com/pivotal/LicenseFinder/compare/v6.8.2...v6.9.0
 [6.10.0]: https://github.com/pivotal/LicenseFinder/compare/v6.9.0...v6.10.0
+[6.10.1]: https://github.com/pivotal/LicenseFinder/compare/v6.10.0...v6.10.1

data/CONTRIBUTING.md

@@ -24,8 +24,8 @@ will use the gem version installed inside the docker image.
 
 ## Useful Tips
 
-To build the docker image simply call `docker build .` or explicitly pass the `Dockerfile`. Prebuilt versions of the 
-dockerfile can also be found on [Dockerhub](https://hub.docker.com/r/licensefinder/license_finder/tags/).  
+To build the docker image simply call `docker build .` or explicitly pass the `Dockerfile`. Prebuilt versions of the
+dockerfile can also be found on [Dockerhub](https://hub.docker.com/r/licensefinder/license_finder/tags/).
 
 To launch the docker image and interact with it via bash:
 ```
@@ -91,6 +91,7 @@ To successfully run the test suite, you will need the following installed:
 - Conan
 - NuGet
 - dotnet
+- Conda (requires python)
 
 The [LicenseFinder docker image](https://hub.docker.com/r/licensefinder/license_finder/) already contains these dependencies.
 

data/Dockerfile

@@ -2,7 +2,7 @@ FROM ubuntu:xenial
 
 # Versioning
 ENV PIP_INSTALL_VERSION 19.0.2
-ENV PIP3_INSTALL_VERSION 8.1.1
+ENV PIP3_INSTALL_VERSION 20.0.2
 ENV GO_LANG_VERSION 1.14.3
 ENV MAVEN_VERSION 3.6.0
 ENV SBT_VERSION 1.3.3
@@ -55,8 +55,8 @@ RUN curl -o rebar3 https://s3.amazonaws.com/rebar3/rebar3 && \
 
 # install and update python and python-pip
 RUN apt-get install -y python python-pip python3-pip && \
-    pip2 install --no-cache-dir --upgrade pip==$PIP_INSTALL_VERSION  && \
-    pip3 install --no-cache-dir --upgrade pip==$PIP3_INSTALL_VERSION
+    python3 -m pip install pip==$PIP3_INSTALL_VERSION --upgrade && \
+    python -m pip install pip==$PIP_INSTALL_VERSION --upgrade --force
 
 # install maven
 RUN curl -O https://archive.apache.org/dist/maven/maven-3/$MAVEN_VERSION/binaries/apache-maven-$MAVEN_VERSION-bin.tar.gz && \
@@ -167,6 +167,18 @@ RUN apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 4F4EA0AAE5
     php -r "unlink('composer-setup.php');" &&\
     mv composer.phar /usr/bin/composer
 
+# install miniconda
+# See https://docs.conda.io/en/latest/miniconda_hashes.html
+# for latest versions and SHAs.
+WORKDIR /tmp
+RUN  \
+  conda_installer=Miniconda3-py38_4.9.2-Linux-x86_64.sh &&\
+  ref='1314b90489f154602fd794accfc90446111514a5a72fe1f71ab83e07de9504a7' &&\
+  wget -q https://repo.anaconda.com/miniconda/${conda_installer} &&\
+  sha=`openssl sha256 "${conda_installer}" | cut -d' ' -f2` &&\
+  ([ "$sha" = "${ref}" ] || (echo "Verification failed: ${sha} != ${ref}"; false)) &&\
+  (echo; echo "yes") | sh "${conda_installer}"
+
 # install license_finder
 COPY . /LicenseFinder
 RUN bash -lc "cd /LicenseFinder && bundle config set no-cache 'true' && bundle install -j4 && rake install"

data/README.md

@@ -54,6 +54,7 @@ and give you an actionable exception report.
 * Rust (via `cargo`)
 * Go Modules (via `go mod`)
 * PHP (via `composer`)
+* Python (via Conda [Conda 4.8.3, Python 3.7, Bash; requires an `environment.yml` or `environment.yaml`])
 
 ## Installation
 
@@ -121,9 +122,9 @@ be useful when you need to track down an unexpected package or
 license.
 
 If you do not want to manually run an individual package manager's prepare
-command (ex: `bundle install`, `npm install`, etc) to ensure your project 
+command (ex: `bundle install`, `npm install`, etc) to ensure your project
 is fully prepared to be scanned, use the `--prepare` or `-p` option which will run
-each active package manager's prepare command for you. If you would like to continue 
+each active package manager's prepare command for you. If you would like to continue
 running `license_finder` even if there is an issue with a prepare step, use the
 `--prepare-no-fail` option which prepares but carries on despite any potential failures.
 
@@ -156,7 +157,7 @@ You can better understand the way this script works by looking at its source, bu
 reference it will mount your current directory at the path `/scan` and run any commands
 passed to it from that directory.
 
-Note that the docker image will run the gem which is installed within it. 
+Note that the docker image will run the gem which is installed within it.
 So the docker image tagged `4.0.2` will run *License Finder Version 4.0.2*
 
 See the [contributing guide](https://github.com/pivotal/LicenseFinder/blob/master/CONTRIBUTING.md) for information on development. 
@@ -310,7 +311,7 @@ be approved. The project name at the top of the report can be set with
 `license_finder project_name add`.
 
 ### Note:
-When using the yarn package manager, when a node_module's package.json doesn't 
+When using the yarn package manager, when a node_module's package.json doesn't
 explicitly declare a license, yarn indicates that it has inferred the license based
 on some keywords in other files by appending an asterisk to the license name. If you
 see a * at the end of the license name, this is intended.
@@ -423,11 +424,11 @@ set `--mix_deps_dir` to fetch Mix dependencies from a custom directory.
 ### Narrow down Package Manager
 
 By default, license_finder will check for all supported package managers,
-but you can narrow it down to use only those you pass to `--enabled-package-manager`.
+but you can narrow it down to use only those you pass to `--enabled-package-managers`.
 For example,
 
 ```
-$ license_finder --enabled-package-manager bundler npm
+$ license_finder --enabled-package-managers bundler npm
 ```
 
 ### Saving Configuration
@@ -475,9 +476,9 @@ downloadLicenses {
 ### Conan Projects
 
 `license_finder` supports Conan. You need to have the following lines in your conanfile.txt for `license_finder` to retrieve dependencies' licenses.
-Ensure that `conan install` does not generate an error. 
+Ensure that `conan install` does not generate an error.
 
-``` 
+```
 [imports]
 ., license* -> ./licenses @ folder=True, ignore_case=True
 ```
@@ -531,9 +532,9 @@ And save a `LICENSE` file which contains your license text in your repo.
 
 * Bundler
    * When using `--project-path`, Bundler cannot find the Gemfile.
-   
+
 * Yarn
-   * A module that is incompatible with the platform on which 
+   * A module that is incompatible with the platform on which
      license_finder is run will always be reported to have a license type
      of "unknown". ([#456](https://github.com/pivotal/LicenseFinder/issues/456))
 

data/Rakefile

@@ -54,7 +54,7 @@ task :update_pipeline, [:slack_url, :slack_channel] do |_, args|
     puts 'Warning: You should provide slack channel and url to receive slack notifications on build failures'
   end
 
-  ruby_versions = %w[2.7.1 2.6.5 2.5.7 2.4.9 2.3.8 jruby-9.2.9.0]
+  ruby_versions = %w[2.7.1 2.6.5 2.5.7 2.4.9 2.3.8]
 
   params = []
   params << "ruby_versions=#{ruby_versions.join(',')}"

data/VERSION

@@ -1 +1 @@
-6.10.0
+6.10.1

data/lib/license_finder/cli/base.rb

@@ -58,7 +58,9 @@ module LicenseFinder
           :columns,
           :aggregate_paths,
           :recursive,
-          :sbt_include_groups
+          :sbt_include_groups,
+          :conda_bash_setup_script,
+          :composer_check_require_only
         ).merge(
           logger: logger_mode
         )

data/lib/license_finder/cli/main.rb

@@ -38,6 +38,9 @@ module LicenseFinder
       class_option :mix_command, desc: "Command to use when fetching packages through Mix. Only meaningful if used with a Mix project (i.e., Elixir or Erlang). Defaults to 'mix'."
       class_option :mix_deps_dir, desc: "Path to Mix dependencies directory. Only meaningful if used with a Mix project (i.e., Elixir or Erlang). Defaults to 'deps'."
       class_option :sbt_include_groups, desc: 'Whether dependency name should include group id. Only meaningful if used with a Scala/sbt project. Defaults to false.'
+      class_option :conda_bash_setup_script, desc: "Path to conda.sh script. Only meaningful if used with a Conda project. Defaults to '~/miniconda3/etc/profile.d/conda.sh'."
+      class_option :composer_check_require_only,
+                   desc: "Whether to only check for licenses from dependencies on the 'require' section. Only meaningful if used with a Composer project. Defaults to false."
 
       # Method options which are shared between report and action_item
       def self.format_option

data/lib/license_finder/configuration.rb

@@ -97,6 +97,10 @@ module LicenseFinder
       get(:pip_requirements_path)
     end
 
+    def conda_bash_setup_script
+      get(:conda_bash_setup_script)
+    end
+
     def python_version
       get(:python_version)
     end
@@ -141,6 +145,10 @@ module LicenseFinder
       get(:sbt_include_groups)
     end
 
+    def composer_check_require_only
+      get(:composer_check_require_only)
+    end
+
     attr_writer :strict_matching
 
     attr_reader :strict_matching

data/lib/license_finder/core.rb

@@ -108,7 +108,9 @@ module LicenseFinder
         mix_deps_dir: config.mix_deps_dir,
         prepare: config.prepare,
         prepare_no_fail: config.prepare_no_fail,
-        sbt_include_groups: config.sbt_include_groups
+        sbt_include_groups: config.sbt_include_groups,
+        conda_bash_setup_script: config.conda_bash_setup_script,
+        composer_check_require_only: config.composer_check_require_only
       }
     end
   end

data/lib/license_finder/package.rb

@@ -198,3 +198,4 @@ require 'license_finder/packages/yarn_package'
 require 'license_finder/packages/sbt_package'
 require 'license_finder/packages/cargo_package'
 require 'license_finder/packages/composer_package'
+require 'license_finder/packages/conda_package'

data/lib/license_finder/package_manager.rb

@@ -129,10 +129,10 @@ module LicenseFinder
     def log_errors_with_cmd(prep_cmd, stderr)
       logger.info(prep_cmd, 'did not succeed.', color: :red)
       logger.info(prep_cmd, stderr, color: :red)
-      log_to_file stderr
+      log_to_file(prep_cmd, stderr)
     end
 
-    def log_to_file(contents)
+    def log_to_file(prep_cmd, contents)
       FileUtils.mkdir_p @log_directory
 
       # replace whitespace with underscores and remove slashes
@@ -140,7 +140,7 @@ module LicenseFinder
       log_file = File.join(@log_directory, "prepare_#{log_file_name || 'errors'}.log")
 
       File.open(log_file, 'w') do |f|
-        f.write("Prepare command \"#{prepare_command}\" failed with:\n")
+        f.write("Prepare command \"#{prep_cmd}\" failed with:\n")
         f.write("#{contents}\n\n")
       end
     end
@@ -175,5 +175,6 @@ require 'license_finder/package_managers/conan'
 require 'license_finder/package_managers/sbt'
 require 'license_finder/package_managers/cargo'
 require 'license_finder/package_managers/composer'
+require 'license_finder/package_managers/conda'
 
 require 'license_finder/package'

data/lib/license_finder/package_managers/composer.rb

@@ -4,7 +4,10 @@ require 'json'
 
 module LicenseFinder
   class Composer < PackageManager
-    SHELL_COMMAND = 'composer licenses --format=json'
+    def initialize(options = {})
+      super
+      @check_require_only = !!options[:composer_check_require_only]
+    end
 
     def possible_package_paths
       [project_path.join('composer.lock'), project_path.join('composer.json')]
@@ -50,8 +53,9 @@ module LicenseFinder
     end
 
     def composer_json
-      stdout, stderr, status = Dir.chdir(project_path) { Cmd.run(Composer::SHELL_COMMAND) }
-      raise "Command '#{Composer::SHELL_COMMAND}' failed to execute: #{stderr}" unless status.success?
+      command = "composer licenses --format=json#{@check_require_only ? ' --no-dev' : ''}"
+      stdout, stderr, status = Dir.chdir(project_path) { Cmd.run(command) }
+      raise "Command '#{command}' failed to execute: #{stderr}" unless status.success?
 
       JSON(stdout)
     end

data/lib/license_finder/package_managers/conda.rb

@@ -0,0 +1,131 @@
+# frozen_string_literal: true
+
+require 'json'
+
+module LicenseFinder
+  class Conda < PackageManager
+    attr_reader :conda_bash_setup_script
+
+    def initialize(options = {})
+      @conda_bash_setup_script = options[:conda_bash_setup_script] || Pathname("#{ENV['HOME']}/miniconda3/etc/profile.d/conda.sh")
+      super
+    end
+
+    # This command is *not* directly executable. See .conda() below.
+    def prepare_command
+      "conda env create -f #{detected_package_path}"
+    end
+
+    def prepare
+      return if environment_exists?
+
+      prep_cmd = prepare_command
+      _stdout, stderr, status = Dir.chdir(project_path) { conda(prep_cmd) }
+      return if status.success?
+
+      log_errors stderr
+      raise "Prepare command '#{prep_cmd}' failed" unless @prepare_no_fail
+    end
+
+    def current_packages
+      conda_list.map do |entry|
+        case entry['channel']
+        when 'pypi'
+          # PyPI is much faster than `conda search`, use it when we can.
+          PipPackage.new(entry['name'], entry['version'], PyPI.definition(entry['name'], entry['version']))
+        else
+          CondaPackage.new(conda_search_info(entry))
+        end
+      end.compact
+    end
+
+    def possible_package_paths
+      [project_path.join('environment.yaml'), project_path.join('environment.yml')]
+    end
+
+    private
+
+    def environment_exists?
+      environments.grep(environment_name).any?
+    end
+
+    def environments
+      command = 'conda env list'
+      stdout, stderr, status = conda command
+
+      environments = []
+      if status.success?
+        environments = stdout.split("\n").grep_v(/^#/).map { |line| line.split.first }
+      else
+        log_errors_with_cmd command, stderr
+      end
+      environments
+    end
+
+    def environment_file
+      detected_package_path
+    end
+
+    def environment_name
+      @environment_name ||= YAML.load_file(environment_file).fetch('name')
+    end
+
+    def conda(command)
+      Open3.capture3('bash', '-c', "source #{conda_bash_setup_script} && #{command}")
+    end
+
+    def activated_conda(command)
+      Open3.capture3('bash', '-c', "source #{conda_bash_setup_script} && conda activate #{environment_name} && #{command}")
+    end
+
+    # Algorithm is based on
+    # https://bioinformatics.stackexchange.com/a/11226
+    # but completely recoded in Ruby. Like the poster, if the package is
+    # actually managed by conda, we assume that all the potential infos (for
+    # various architectures, versions of python, etc) have the same license.
+    def conda_list
+      command = 'conda list'
+      stdout, stderr, status = activated_conda(command)
+
+      if status.success?
+        conda_list = []
+        stdout.each_line do |line|
+          next if line =~ /^\s*#/
+
+          name, version, build, channel = line.split
+          conda_list << {
+            'name' => name,
+            'version' => version,
+            'build' => build,
+            'channel' => channel
+          }
+        end
+        conda_list
+      else
+        log_errors_with_cmd command, stderr
+        []
+      end
+    end
+
+    def conda_search_info(list_entry)
+      command = 'conda search --info --json '
+      command += "--channel #{list_entry['channel']} " if list_entry['channel'] && !list_entry['channel'].empty?
+      command += "'#{list_entry['name']} #{list_entry['version']}'"
+
+      # Errors from conda (in --json mode, at least) show up in stdout, not stderr
+      stdout, _stderr, status = activated_conda(command)
+
+      name = list_entry['name']
+
+      if status.success?
+        JSON(stdout).fetch(name).first
+      else
+        log_errors_with_cmd command, stdout
+        list_entry
+      end
+    rescue KeyError
+      logger.info('Conda', "Key error trying to find #{name} in\n#{JSON(stdout)}")
+      list_entry
+    end
+  end
+end

data/lib/license_finder/packages/conda_package.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+module LicenseFinder
+  class CondaPackage < Package
+    attr_accessor :identifier, :json
+
+    def initialize(conda_json)
+      @json = conda_json
+      @identifier = Identifier.from_hash(conda_json)
+      super(@identifier.name,
+            @identifier.version,
+            spec_licenses: Package.license_names_from_standard_spec(conda_json),
+            children: children)
+    end
+
+    def ==(other)
+      other.is_a?(CondaPackage) && @identifier == other.identifier
+    end
+
+    def to_s
+      @identifier.to_s
+    end
+
+    def package_manager
+      'Conda'
+    end
+
+    def package_url
+      @json['url']
+    end
+
+    def children
+      @json.fetch('depends', []).map { |constraint| constraint.split.first }
+    end
+
+    class Identifier
+      attr_accessor :name, :version
+
+      def initialize(name, version)
+        @name = name
+        @version = version
+      end
+
+      def self.from_hash(hash)
+        name = hash['name']
+        version = hash['version']
+        return nil if name.nil? || version.nil?
+
+        Identifier.new(name, version)
+      end
+
+      def ==(other)
+        other.is_a?(Identifier) && @name == other.name && @version == other.version
+      end
+
+      def eql?(other)
+        self == other
+      end
+
+      def hash
+        [@name, @version].hash
+      end
+
+      def <=>(other)
+        sort_name = @name <=> other.name
+        sort_name.zero? ? @version <=> other.version : sort_name
+      end
+
+      def to_s
+        "#{@name} - #{@version}"
+      end
+    end
+  end
+end

data/lib/license_finder/scanner.rb

@@ -4,7 +4,8 @@ module LicenseFinder
   class Scanner
     PACKAGE_MANAGERS = [
       GoModules, GoDep, GoWorkspace, Go15VendorExperiment, Glide, Gvt, Govendor, Trash, Dep, Bundler, NPM, Pip,
-      Yarn, Bower, Maven, Gradle, CocoaPods, Rebar, Erlangmk, Nuget, Carthage, Mix, Conan, Sbt, Cargo, Dotnet, Composer, Pipenv
+      Yarn, Bower, Maven, Gradle, CocoaPods, Rebar, Erlangmk, Nuget, Carthage, Mix, Conan, Sbt, Cargo, Dotnet, Composer, Pipenv,
+      Conda
     ].freeze
 
     class << self

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: license_finder
 version: !ruby/object:Gem::Version
-  version: 6.10.0
+  version: 6.10.1
 platform: ruby
 authors:
 - Ryan Collins
@@ -27,7 +27,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-11-27 00:00:00.000000000 Z
+date: 2021-01-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -437,6 +437,7 @@ files:
 - lib/license_finder/package_managers/cocoa_pods.rb
 - lib/license_finder/package_managers/composer.rb
 - lib/license_finder/package_managers/conan.rb
+- lib/license_finder/package_managers/conda.rb
 - lib/license_finder/package_managers/dep.rb
 - lib/license_finder/package_managers/dotnet.rb
 - lib/license_finder/package_managers/erlangmk.rb
@@ -475,6 +476,7 @@ files:
 - lib/license_finder/packages/cocoa_pods_package.rb
 - lib/license_finder/packages/composer_package.rb
 - lib/license_finder/packages/conan_package.rb
+- lib/license_finder/packages/conda_package.rb
 - lib/license_finder/packages/erlangmk_package.rb
 - lib/license_finder/packages/go_package.rb
 - lib/license_finder/packages/gradle_package.rb
@@ -531,7 +533,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.2.4
 signing_key: 
 specification_version: 4
 summary: Audit the OSS licenses of your application's dependencies.