license_scout 0.1.3 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 83b949a77e7dcd991b2de72715882700e160e0eb
-  data.tar.gz: 0f5275681d5db4fe0f6ea19db30131a739d63de1
+SHA256:
+  metadata.gz: e457b9a208151ac27a602231842b51bbb238ab63f8e89352e731e2ccf375dd1b
+  data.tar.gz: 5c77592e6f9a5781ab16e5348abb9246d56056345e363e96a77040b043de99b3
 SHA512:
-  metadata.gz: 6835e670ec069a60fee4b27e5042217c79b59470103d62a4b3c316733edcbf2e12b9bc024250bad67f0a7e6b11cb537449e74ff1a4c55d6ea66e3d61985705a3
-  data.tar.gz: bc383bdc559ad4dc050564647a14674c5667d63fcf64722dac82e201ec08c114cbc277591c9417b25b6b31a10018ec9c1774e1b5648cff9e74f426a666424a11
+  metadata.gz: 892170c7c155c080d93917c3bca10006c812c3fd8becc014b3918d26032533520d056349bf909d9bb7ecc245ae1eb2f7d503c4d4bdaaa7833852ce4ea9af526f
+  data.tar.gz: 62691f59c045e70555cfc5dba3e0d6f5e3eeceb6161f945f84d8b5c4ce96042b61050098b12e15a55f47be9b394a394ba18c7d310174abd9b5411138a224a6e2

data/README.md

@@ -5,16 +5,24 @@ dependencies, including transitive dependencies.
 
 Currently supported project types are:
 
-* Ruby - bundler
+* Chef - Berkshelf
 * Erlang - rebar
-* CPAN - perl
-* Berkshelf - chef
+* Golang - godeps
+* Javascript - npm
+* Perl - CPAN
+* Ruby - bundler
 
 ## Usage
 
-## Thanks
+```bash
+$ bin/license_scout /dir/to/scout/successfully/
+
+$ bin/license_scout /dir/to/scout/unsuccessfully/
+Dependency 'gopkg.in_yaml.v2' version '53feefa2559fb8dfa8d81baad31be332c97d6c77' under 'go_godep' is missing license information.
+>> Found 41 dependencies for go_godep. 40 OK, 1 with problems
+```
 
-Thanks to https://github.com/basho for `config_to_json` binary which helps with parsing Erlang config files. From: https://github.com/basho/erlang_template_helper
+Detailed instructions for fixing licensing failures found by license_scout are now provided in the script's output. See [bin/license_scout](bin/license_scout) for more details.
 
 ## Contributing
 

data/bin/license_scout

@@ -38,4 +38,42 @@ collector = LicenseScout::Collector.new(project_name, project_dir, output_dir, o
 collector.run
 report = collector.issue_report
 
-puts report
+unless report.empty?
+  puts report
+
+  puts <<-EXPLANATION
+
+How to fix this depends on what information license_scout was unable to
+determine:
+
+* If the package is missing license information, that means license_scout was
+  unable to determine which license the package was released under. Depending
+  on the package manager, this is usually specified in the package's metadata,
+  for example, in the gemspec file for rubygems or in the package.json for npm.
+  If you know which license a package was released under, MIT for example, you
+  can add an override in license_scout's overrides.rb file in the section for
+  the appropriate package manager like this:
+    ["package-name", "MIT", nil]
+
+* If the package is missing the license file, that means license_scout could not
+  find the license text in any of the places the license is typically found, for
+  example, in a file named LICENSE in the root of the package. If the package
+  includes the license text in a non standard location or in its source repo,
+  you can indicate this by adding an override in license_scout's overrides.rb
+  file in the section for the appropriate package manager like this:
+    ["package-name", nil, ["https://example.com/foocorp/package-name/master/LICENSE"]],
+
+  If you know that the package was released under one of the common software
+  licenses, MIT for example, but does not include the license text in packaged
+  releases or in its source repo, you can add an override in license_scout's
+  overrides.rb file in the section for the appropriate package manager like
+  this:
+    ["package-name", nil, [canonical("MIT")]]
+
+See the closed pull requests on the license_scout repo for examples of how to
+do this:
+https://github.com/chef/license_scout/pulls?q=is%3Apr+is%3Aclosed
+  EXPLANATION
+
+  exit 2
+end

data/erl_src/rebar_lock_json/README.md

@@ -0,0 +1,17 @@
+rebar_lock_json
+===============
+
+A minimal escript converting a rebar.lock file to json output.
+
+Should work with any version of rebar (2 or 3)'s rebar.lock file.
+
+Build
+-----
+
+    $ rebar3 escriptize # this also copies the escript file to bin/
+
+Run
+---
+
+    $ bin/rebar_lock_json path/to/rebar.lock
+    {"amqp_client":{"type":"git","git_url":"git:\/\/github.com\/seth\/amqp_client.git","git_ref":"7622ad8093a41b7288a1aa44dd16d3e92ce8f833"}}

data/erl_src/rebar_lock_json/rebar.config

@@ -0,0 +1,19 @@
+{erl_opts, [no_debug_info]}.
+{deps, [
+        jsone,
+        {rebar3, {git, "https://github.com/erlang/rebar3", {branch, "master"}}}
+       ]}.
+
+{escript_incl_apps,
+ [rebar_lock_json]}.
+{escript_main_app, rebar_lock_json}.
+{escript_name,  rebar_lock_json}.
+{escript_emu_args, "%%! +sbtu +A0\n"}.
+
+{post_hooks, [
+              {escriptize, "cp $REBAR_BUILD_DIR/bin/rebar_lock_json ../../bin/"}
+             ]}.
+
+{profiles, [{test,
+             [{erl_opts, [debug_info]}
+            ]}]}.

data/erl_src/rebar_lock_json/rebar.lock

@@ -0,0 +1,36 @@
+{"1.1.0",
+[{<<"bbmustache">>,{pkg,<<"bbmustache">>,<<"1.3.0">>},1},
+ {<<"certifi">>,{pkg,<<"certifi">>,<<"0.4.0">>},1},
+ {<<"cf">>,{pkg,<<"cf">>,<<"0.2.2">>},1},
+ {<<"cth_readable">>,{pkg,<<"cth_readable">>,<<"1.2.3">>},1},
+ {<<"erlware_commons">>,{pkg,<<"erlware_commons">>,<<"1.0.0">>},1},
+ {<<"eunit_formatters">>,{pkg,<<"eunit_formatters">>,<<"0.3.1">>},1},
+ {<<"getopt">>,{pkg,<<"getopt">>,<<"0.8.2">>},1},
+ {<<"jiffy">>,{pkg,<<"jiffy">>,<<"0.14.11">>},0},
+ {<<"jsone">>,{pkg,<<"jsone">>,<<"1.4.1">>},0},
+ {<<"providers">>,{pkg,<<"providers">>,<<"1.6.0">>},1},
+ {<<"rebar">>,
+  {git,"https://github.com/erlang/rebar3",
+       {ref,"4725d363c5b5583c9910f078da38c5b3a1d97aab"}},
+  0},
+ {<<"rebar3">>,
+  {git,"https://github.com/erlang/rebar3",
+       {ref,"86e883b8d8d1d16487e245fff02eba8c83da2cdd"}},
+  0},
+ {<<"relx">>,{pkg,<<"relx">>,<<"3.22.2">>},1},
+ {<<"ssl_verify_fun">>,{pkg,<<"ssl_verify_fun">>,<<"1.1.1">>},1}]}.
+[
+{pkg_hash,[
+ {<<"bbmustache">>, <<"2010ADAE78830992A4C69680115ECD7D475DD03A72C076BBADDCCBF2D4B32035">>},
+ {<<"certifi">>, <<"A7966EFB868B179023618D29A407548F70C52466BF1849B9E8EBD0E34B7EA11F">>},
+ {<<"cf">>, <<"7F2913FFF90ABCABD0F489896CFEB0B0674F6C8DF6C10B17A83175448029896C">>},
+ {<<"cth_readable">>, <<"293120673DFF82F0768612C5282E35C40CACC1B6F94FE99077438FD3749D0E27">>},
+ {<<"erlware_commons">>, <<"087467DE5833C0BB5B3CCDD387F9E9C1FB816A75B7A709629BF24B5ED3246C51">>},
+ {<<"eunit_formatters">>, <<"7A6FC351EB5B873E2356B8852EB751E20C13A72FBCA03393CF682B8483509573">>},
+ {<<"getopt">>, <<"B17556DB683000BA50370B16C0619DF1337E7AF7ECBF7D64FBF8D1D6BCE3109B">>},
+ {<<"jiffy">>, <<"919A87D491C5A6B5E3BBC27FAFEDC3A0761CA0B4C405394F121F582FD4E3F0E5">>},
+ {<<"jsone">>, <<"10ECFB2E2FD216D6451AF71CF14F276E063A096E15B685DE7535FD680466C9B5">>},
+ {<<"providers">>, <<"DB0E2F9043AE60C0155205FCD238D68516331D0E5146155E33D1E79DC452964A">>},
+ {<<"relx">>, <<"AEE2EF6E9AC6D21D6661133B7A0BE6E81424DE9CDCA0012FC008BC677297C469">>},
+ {<<"ssl_verify_fun">>, <<"28A4D65B7F59893BC2C7DE786DEC1E1555BD742D336043FE644AE956C3497FBE">>}]}
+].

data/erl_src/rebar_lock_json/src/rebar_lock_json.app.src

@@ -0,0 +1,17 @@
+{application, rebar_lock_json,
+ [{description, "An escript util returning json representation of rebar.lock"},
+  {vsn, "0.1.0"},
+  {registered, []},
+  {applications,
+   [kernel,
+    stdlib,
+    rebar,
+    jsone
+   ]},
+  {env,[]},
+  {modules, []},
+
+  {maintainers, []},
+  {licenses, []},
+  {links, []}
+ ]}.

data/erl_src/rebar_lock_json/src/rebar_lock_json.erl

@@ -0,0 +1,20 @@
+-module(rebar_lock_json).
+
+-export([main/1]).
+
+main([LockPath|_]) ->
+    Deps = rebar_config:consult_lock_file(LockPath),
+    Ejson = lists:map(fun dep_to_ejson/1, Deps),
+    io:format("~s~n", [jsone:encode({Ejson})]).
+
+dep_to_ejson({Name, {pkg, PkgName, PkgVersion, Hash}, Lvl}) ->
+    {Name, {[{<<"type">>, <<"pkg">>},
+             {<<"level">>, Lvl},
+             {<<"pkg_name">>, PkgName},
+             {<<"pkg_version">>, PkgVersion},
+             {<<"pkg_hash">>, Hash}]}};
+dep_to_ejson({Name, {git, GitUrl, {ref, GitRef}}, Lvl}) ->
+    {Name, {[{<<"type">>, <<"git">>},
+             {<<"level">>, Lvl},
+             {<<"git_url">>, erlang:iolist_to_binary(GitUrl)},
+             {<<"git_ref">>, erlang:iolist_to_binary(GitRef)}]}}.

data/lib/license_scout/canonical_licenses/BSD-2-Clause.txt

@@ -0,0 +1,19 @@
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE <COPYRIGHT HOLDERS> "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE <COPYRIGHT HOLDERS> BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

data/lib/license_scout/canonical_licenses/BSD-3-Clause.txt

@@ -0,0 +1,27 @@
+Copyright (c) <year> <owner> . All rights reserved.  Redistribution and use in
+source and binary forms, with or without modification, are permitted provided
+that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+this list of conditions and the following disclaimer in the documentation
+and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its contributors
+may be used to endorse or promote products derived from this software without
+specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+

data/lib/license_scout/canonical_licenses/Chef-MLSA.txt

@@ -0,0 +1,5 @@
+Use of this Software is subject to the terms of the Chef Online Master
+License and Services Agreement. You can find the latest copy of the
+agreement here:
+
+https://www.chef.io/online-master-agreement

data/lib/license_scout/collector.rb

@@ -44,7 +44,7 @@ module LicenseScout
     def run
       reset_license_manifest
 
-      if !File.exists?(project_dir)
+      if !File.exist?(project_dir)
         raise LicenseScout::Exceptions::ProjectDirectoryMissing.new(project_dir)
       end
       FileUtils.mkdir_p(output_dir) unless File.exist?(output_dir)

data/lib/license_scout/dependency_manager/base.rb

@@ -16,6 +16,7 @@
 #
 
 require "license_scout/dependency"
+require "license_scout/license_file_analyzer"
 
 module LicenseScout
   module DependencyManager
@@ -24,7 +25,9 @@ module LicenseScout
       POSSIBLE_LICENSE_FILES = %w{
         LICENSE
         LICENSE.txt
+        LICENSE.TXT
         LICENSE.md
+        LICENSE.mkd
         LICENSE.rdoc
         License
         License.text
@@ -36,6 +39,9 @@ module LicenseScout
         license
         LICENCE
         licence
+        license.md
+        licence.md
+        APACHE.LICENSE
         MIT-LICENSE
         MIT-LICENSE.txt
         LICENSE.MIT
@@ -46,6 +52,7 @@ module LicenseScout
         COPYING
         BSD_LICENSE
         LICENSE.BSD
+        UNLICENSE
       }
 
       attr_reader :project_dir
@@ -56,7 +63,7 @@ module LicenseScout
         @options = options
       end
 
-      def create_dependency(dep_name, version, license, license_files, dep_mgr_name = self.name)
+      def create_dependency(dep_name, version, license, license_files, dep_mgr_name = name)
         # add name of the dependency manager `name` to the dependency we are
         # creating.
         Dependency.new(dep_name, version, license, license_files, dep_mgr_name)

data/lib/license_scout/dependency_manager/berkshelf.rb

@@ -36,7 +36,7 @@ module LicenseScout
       end
 
       def detected?
-        File.exists?(berksfile_path) && File.exists?(lockfile_path)
+        File.exist?(berksfile_path) && File.exist?(lockfile_path)
       end
 
       def dependencies

data/lib/license_scout/dependency_manager/bundler.rb

@@ -39,7 +39,7 @@ module LicenseScout
         # that created issues with projects like oc_bifrost which is a rebar
         # project but have a Gemfile at its root to be able to run some rake
         # commands.
-        File.exists?(gemfile_path) && File.exists?(lockfile_path)
+        File.exist?(gemfile_path) && File.exist?(lockfile_path)
       end
 
       def dependency_data

data/lib/license_scout/dependency_manager/cpanm.rb

@@ -0,0 +1,160 @@
+#
+# Copyright:: Copyright 2016, Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "ffi_yajl"
+require "psych"
+require "mixlib/shellout"
+
+require "license_scout/dependency_manager/base"
+require "license_scout/exceptions"
+require "license_scout/dependency"
+
+module LicenseScout
+  module DependencyManager
+    class Cpanm < Base
+
+      class CpanmDependency
+
+        LICENSE_TYPE_MAP = {
+          "perl_5"      => "Perl-5",
+          "perl"        => "Perl-5",
+          "apache_2_0"  => "Apache-2.0",
+          "artistic_2"  => "Artistic-2.0",
+          "gpl_3"       => "GPL-3.0",
+        }.freeze
+
+        attr_reader :unpack_path
+        attr_reader :overrides
+        attr_reader :metadata
+
+        def initialize(unpack_path, overrides)
+          @unpack_path = unpack_path
+          @overrides = overrides
+        end
+
+        def to_dep
+          parse_metadata!
+
+          Dependency.new(
+            name,
+            version.to_s,
+            license,
+            license_files,
+            "perl_cpanm"
+          )
+        end
+
+        def parse_metadata!
+          # Packages can contain metadata files named META.yml, META.json,
+          # MYMETA.json, MYMETA.yml. META.* files are created by the authors of
+          # the plugins whereas MYMETA.* files are created by the build system
+          # after dynamic dependencies are resolved. For our purposes META.*
+          # files are enough. And for no good reason we prioritize json files
+          # over yml files.
+          @metadata ||= begin
+            json_path = File.join(unpack_path, "META.json")
+            yml_path = File.join(unpack_path, "META.yml")
+
+            if File.exist?(json_path)
+              FFI_Yajl::Parser.parse(File.read(json_path))
+            elsif File.exist?(yml_path)
+              Psych.safe_load(File.read(yml_path))
+            else
+              raise LicenseScout::Exceptions::Error.new("Can not find a metadata file for the perl package at '#{unpack_path}'.")
+            end
+          end
+        end
+
+        def name
+          metadata["name"]
+        end
+
+        def version
+          metadata["version"]
+        end
+
+        def license
+          @license ||= begin
+            override_license = overrides.license_for("perl_cpanm", name, version)
+
+            if override_license
+              override_license
+            elsif metadata && metadata.key?("license")
+              given_type = Array(metadata["license"]).reject { |l| l == "unknown" }.first
+
+              # Normalize the common perl license strings to the strings we commonly use
+              LICENSE_TYPE_MAP[given_type] || given_type
+            end
+          end
+        end
+
+        def license_files
+          @license_files ||= begin
+            override_license_files = overrides.license_files_for("perl_cpanm", name, version)
+
+            if override_license_files.empty?
+              find_license_files
+            else
+              override_license_files.resolve_locations(unpack_path)
+            end
+          end
+        end
+
+        def find_license_files
+          Dir["#{unpack_path}/*"].select do |f|
+            Cpanm::POSSIBLE_LICENSE_FILES.include?(File.basename(f))
+          end
+        end
+
+      end
+
+      def name
+        "perl_cpanm"
+      end
+
+      def cpanm_root
+        # By default cpanm downloads all the dependencies into ~/.cpanm directory
+        File.expand_path("~/.cpanm")
+      end
+
+      def dependencies
+        @dependencies ||= begin
+          deps = []
+
+          Dir.glob("#{cpanm_root}/latest-build/*").each do |dep_path|
+            next unless File.directory?(dep_path)
+
+            deps << CpanmDependency.new(dep_path, options.overrides).to_dep
+          end
+
+          deps
+        end
+      end
+
+      # NOTE: it's possible that projects won't have a META.yml, but the two
+      # that we care about for Chef Server do have one. As of 2015, 84% of perl
+      # distribution packages have one: http://neilb.org/2015/10/18/spotters-guide.html
+      def detected?
+        meta_yml_path = File.join(project_dir, "META.yml")
+        meta_json_path = File.join(project_dir, "META.json")
+
+        File.exist?(meta_yml_path) || File.exist?(meta_json_path)
+      end
+
+    end
+  end
+end

data/lib/license_scout/dependency_manager/dep.rb

@@ -0,0 +1,87 @@
+#
+# Copyright:: Copyright 2016, Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "ffi_yajl"
+require "yaml"
+require "toml-rb"
+require "license_scout/dependency_manager/base"
+
+module LicenseScout
+  module DependencyManager
+    # dep(https://github.com/golang/dep) is a new dependency manger available from go 1.8
+    class Dep < Base
+
+      def name
+        "go_dep"
+      end
+
+      def detected?
+        File.exist?(root_dep_file)
+      end
+
+      def dependencies
+        deps = File.open(root_dep_file) do |f|
+          TomlRB.parse(f)
+        end
+        return [] unless deps.has_key?("projects")
+        deps["projects"].map do |pkg_info|
+          pkg_import_name = pkg_info["name"]
+          pkg_file_name = pkg_import_name.tr("/", "_")
+          pkg_version = pkg_info["version"] || pkg_info["revision"]
+          license = options.overrides.license_for("go", pkg_import_name, pkg_version)
+
+          override_license_files = options.overrides.license_files_for("go", pkg_import_name, pkg_version)
+          if override_license_files.empty?
+            license_files = find_license_files_for_package_in_gopath_or_vendor_dir(pkg_import_name)
+          else
+            license_files = override_license_files.resolve_locations(gopath(pkg_import_name))
+          end
+
+          if license.nil? && !license_files.empty?
+            license = scan_licenses(license_files)
+          end
+
+          create_dependency(pkg_file_name, pkg_version, license, license_files)
+        end
+      end
+
+      private
+
+      def scan_licenses(license_files)
+        found_license = LicenseScout::LicenseFileAnalyzer.find_by_text(IO.read(license_files.first))
+        found_license && found_license.short_name
+      end
+
+      def root_dep_file
+        File.join(project_dir, "Gopkg.lock")
+      end
+
+      def gopath(pkg)
+        "#{ENV['GOPATH']}/src/#{pkg}"
+      end
+
+      def vendor_dir(pkg = nil)
+        File.join(project_dir, "vendor/#{pkg}")
+      end
+
+      def find_license_files_for_package_in_gopath_or_vendor_dir(pkg)
+        root_files = Dir["#{gopath(pkg)}/*"] + Dir["#{vendor_dir(pkg)}/*"]
+        root_files.select { |f| POSSIBLE_LICENSE_FILES.include?(File.basename(f)) }
+      end
+    end
+  end
+end

data/lib/license_scout/dependency_manager/glide.rb

@@ -0,0 +1,79 @@
+#
+# Copyright:: Copyright 2017, Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "yaml"
+require "license_scout/dependency_manager/base"
+
+module LicenseScout
+  module DependencyManager
+    class Glide < Base
+
+      def name
+        "go_glide"
+      end
+
+      def detected?
+        File.exist?(glide_yaml)
+      end
+
+      def dependencies
+        unless File.file?(glide_yaml_locked)
+          raise "Detected Go/Glide project that is missing its \"glide.lock\" "\
+                "file in #{project_dir}"
+        end
+
+        deps = YAML.load(File.read(glide_yaml_locked))
+        deps["imports"].map { |i| add_glide_dep(i) }
+      end
+
+      private
+
+      def add_glide_dep(import_field)
+        pkg_import_name = import_field["name"]
+        pkg_file_name = pkg_import_name.tr("/", "_")
+        pkg_version = import_field["version"]
+        license = options.overrides.license_for("go", pkg_import_name, pkg_version)
+
+        override_license_files = options.overrides.license_files_for("go", pkg_import_name, pkg_version)
+        if override_license_files.empty?
+          license_files = find_license_files_for_package_in_gopath(pkg_import_name)
+        else
+          license_files = override_license_files.resolve_locations(gopath(pkg_import_name))
+        end
+
+        create_dependency(pkg_file_name, pkg_version, license, license_files)
+      end
+
+      def glide_yaml
+        File.join(project_dir, "glide.yaml")
+      end
+
+      def glide_yaml_locked
+        File.join(project_dir, "glide.lock")
+      end
+
+      def gopath(pkg)
+        "#{ENV['GOPATH']}/src/#{pkg}"
+      end
+
+      def find_license_files_for_package_in_gopath(pkg)
+        root_files = Dir["#{gopath(pkg)}/*"]
+        root_files.select { |f| POSSIBLE_LICENSE_FILES.include?(File.basename(f)) }
+      end
+    end
+  end
+end