license_scout 1.3.17 → 2.0.2

data/lib/license_scout/reporter.rb

@@ -15,97 +15,191 @@
 # limitations under the License.
 #
 
-require "ffi_yajl" unless defined?(FFI_Yajl)
+require "ffi_yajl"
+require "terminal-table"
 
 require "license_scout/exceptions"
 
 module LicenseScout
   class Reporter
 
-    attr_reader :output_directory
-
-    def initialize(output_directory)
-      @output_directory = output_directory
-    end
+    class Result
+      class << self
+        def success(dependency)
+          new(dependency, nil, true)
+        end
 
-    def report
-      report = []
+        def failure(dependency, reason)
+          new(dependency, reason, false)
+        end
+      end
 
-      license_manifest_path = find_license_manifest!
+      attr_reader :dependency
+      attr_reader :reason
 
-      license_report = FFI_Yajl::Parser.parse(File.read(license_manifest_path))
+      def initialize(dependency, reason, did_succeed)
+        @dependency = dependency
+        @reason = reason
+        @did_succeed = did_succeed
+      end
 
-      license_report["dependency_managers"].each do |dependency_manager, dependencies|
+      def <=>(other)
+        dependency.path <=> other.dependency.path
+      end
 
-        ok_deps, problem_deps = 0, 0
+      def succeeded?
+        @did_succeed
+      end
 
-        dependencies.sort_by { |a| a["name"] }.each do |dependency|
-          dep_ok, problems = license_info_ok?(dependency_manager, dependency)
+      def dependency_string
+        dependency.uid
+      end
 
-          if dep_ok
-            ok_deps += 1
-          else
-            problem_deps += 1
-            report.concat(problems)
-          end
-        end
+      def license_string
+        dependency.license.records.map(&:id).compact.uniq.join(", ")
+      end
 
-        if problem_deps > 0
-          report << ">> Found #{dependencies.size} dependencies for #{dependency_manager}. #{ok_deps} OK, #{problem_deps} with problems"
+      def reason_string
+        case reason
+        when :not_allowed
+          "Not Allowed"
+        when :flagged
+          "Flagged"
+        when :undetermined
+          "Undetermined"
+        when :missing
+          "Missing"
+        else
+          "OK"
         end
       end
+    end
 
-      report
+    attr_reader :all_dependencies
+    attr_reader :results
+    attr_reader :dependency_license_manifest
+
+    def initialize(all_dependencies)
+      @all_dependencies = all_dependencies.sort
+      @results = {}
+      @did_fail = false
+      @needs_fallback = false
+      @needs_exception = false
     end
 
-    def license_info_ok?(dependency_manager, dependency)
-      problems = []
-      if dependency["name"].nil? || dependency["name"].empty?
-        problems << "There is a dependency with a missing name in '#{dependency_manager}'."
-      end
+    def report
+      generate_dependency_license_manifest
+      save_manifest_file
+      detect_problems
+      evaluate_results
+    end
 
-      if dependency["version"].nil? || dependency["version"].empty?
-        problems << "Dependency '#{dependency["name"]}' under '#{dependency_manager}' is missing version information."
-      end
+    private
 
-      if dependency["license"].nil? || dependency["license"].empty?
-        problems << "Dependency '#{dependency["name"]}' version '#{dependency["version"]}' under '#{dependency_manager}' is missing license information."
+    def save_manifest_file
+      LicenseScout::Log.info("[reporter] Writing dependency license manifest written to #{license_manifest_path}")
+      File.open(license_manifest_path, "w+") do |file|
+        file.print(FFI_Yajl::Encoder.encode(dependency_license_manifest, pretty: true))
       end
+    end
 
-      if dependency["license_files"].empty?
-        problems << "Dependency '#{dependency["name"]}' version '#{dependency["version"]}' under '#{dependency_manager}' is missing license files information."
-      else
-        dependency["license_files"].each do |license_file|
-          unless File.exist?(full_path_for(license_file))
-            problems << "License file '#{license_file}' for the dependency '#{dependency["name"]}' version '#{dependency["version"]}' under '#{dependency_manager}' is missing."
+    def detect_problems
+      LicenseScout::Log.info("[reporter] Analyzing dependency's license information against requirements")
+
+      LicenseScout::Log.info("[reporter] Allowed licenses: #{LicenseScout::Config.allowed_licenses.join(", ")}") unless LicenseScout::Config.allowed_licenses.empty?
+      LicenseScout::Log.info("[reporter] Flagged licenses: #{LicenseScout::Config.flagged_licenses.join(", ")}") unless LicenseScout::Config.flagged_licenses.empty?
+
+      all_dependencies.each do |dependency|
+        @results[dependency.type] ||= []
+
+        if dependency.license.records.empty?
+          @results[dependency.type] << Result.failure(dependency, :missing)
+          @did_fail = true
+          @needs_fallback = true
+        elsif dependency.license.undetermined?
+          @results[dependency.type] << Result.failure(dependency, :undetermined)
+          @did_fail = true
+          @needs_fallback = true
+        elsif !LicenseScout::Config.allowed_licenses.empty? && !dependency.license.is_allowed?
+          unless dependency.has_exception?
+            @results[dependency.type] << Result.failure(dependency, :not_allowed)
+            @did_fail = true
+            @needs_exception = true
+          else
+            @results[dependency.type] << Result.success(dependency)
           end
+        elsif dependency.license.is_flagged?
+          unless dependency.has_exception?
+            @results[dependency.type] << Result.failure(dependency, :flagged)
+            @did_fail = true
+            @needs_exception = true
+          else
+            @results[dependency.type] << Result.success(dependency)
+          end
+        else
+          @results[dependency.type] << Result.success(dependency)
         end
       end
-
-      [ problems.empty?, problems ]
     end
 
-    def find_license_manifest!
-      unless File.exist?(output_directory)
-        raise LicenseScout::Exceptions::InvalidOutputReport.new("Output directory '#{output_directory}' does not exist.")
-      end
+    def evaluate_results
+      table = Terminal::Table.new
+      table.headings = ["Type", "Dependency", "License(s)", "Results"]
+      table.style = { border_bottom: false } # the extra :separator will add this
 
-      manifests = Dir.glob("#{output_directory}/*-dependency-licenses.json")
+      results.each do |type, results_for_type|
+        type_in_table = false
 
-      if manifests.empty?
-        raise LicenseScout::Exceptions::InvalidOutputReport.new("Can not find a dependency license manifest under '#{output_directory}'.")
-      end
+        results_for_type.each do |result|
+          next if LicenseScout::Config.only_show_failures && result.succeeded?
+
+          modified_row = []
+          modified_row << (type_in_table ? "" : type)
+          modified_row << result.dependency_string
+          modified_row << result.license_string
+          modified_row << result.reason_string
+
+          type_in_table = true
+          table.add_row(modified_row)
+        end
 
-      if manifests.length != 1
-        raise LicenseScout::Exceptions::InvalidOutputReport.new("Found multiple manifests '#{manifests.join(", ")}' under '#{output_directory}'.")
+        table.add_separator if type_in_table
       end
 
-      manifests.first
+      puts table unless LicenseScout::Config.only_show_failures && !@did_fail
+
+      puts
+      puts "Additional steps are required in order to pass Open Source license compliance:"
+      puts "  * Please add fallback licenses for the 'Missing' or 'Undetermined' dependencies"   if @needs_fallback
+      puts "         https://github.com/chef/license_scout#fallback-licenses"                    if @needs_fallback
+      puts "  * Please add exceptions for the 'Flagged' or 'Not Allowed' dependencies"           if @needs_exception
+      puts "         https://github.com/chef/license_scout#dependency-exceptions"                if @needs_exception
+
+      exit 1 if @did_fail
     end
 
-    def full_path_for(license_file_info)
-      File.join(output_directory, license_file_info)
+    def generate_dependency_license_manifest
+      @dependency_license_manifest = {
+        license_manifest_version: 2,
+        generated_on: DateTime.now.to_s,
+        name: LicenseScout::Config.name,
+        dependencies: []
+      }
+
+      all_dependencies.each do |dep|
+        dependency_license_manifest[:dependencies] << {
+          type: dep.type,
+          name: dep.name,
+          version: dep.version,
+          has_exception: dep.has_exception?,
+          exception_reason: dep.exception_reason,
+          licenses: dep.license.records.map(&:to_h),
+        }
+      end
     end
 
+    def license_manifest_path
+      File.join(LicenseScout::Config.output_directory, "#{LicenseScout::Config.name}-dependency-licenses.json")
+    end
   end
 end

data/lib/license_scout/spdx.rb

@@ -0,0 +1,123 @@
+#
+# Copyright:: Copyright 2018 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# This library was inspired by (and pulls some logic from) librariesio/spdx
+
+require "ffi_yajl"
+require "fuzzy_match"
+
+module LicenseScout
+  class SPDX
+    class << self
+
+      # Try to find the SPDX ID that most closely matches the given license ID
+      #
+      # @param license_id [String, nil] The license ID
+      # @return [String, nil, false] Returns either the SPDX ID, false if the
+      #   license_id was nil, or nil if we could not find a valid SPDX ID
+      def find(license_id, force = false)
+        return license_id if force
+        return nil if license_id.nil?
+        lookup(license_id) || find_by_special_case(license_id) || closest(license_id) || license_id
+      end
+
+      # Right now this just returns the license keys that are present in the string.
+      # In the future, we should handle a proper compound structure like
+      # https://github.com/jslicense/spdx-expression-parse.js
+      def parse(license_string)
+        license_string.nil? ? [] : (license_string.tr("()", "").split("\s") - spdx_join_words)
+      end
+
+      # @return [Hash] The SPDX license data in Hash form
+      def licenses
+        @@license_data ||= FFI_Yajl::Parser.parse(File.read(File.expand_path("../data/licenses.json", __FILE__)))["licenses"]
+      end
+
+      # @return [Hash] The SPDX license data in Hash form
+      def exceptions
+        @@license_data ||= FFI_Yajl::Parser.parse(File.read(File.expand_path("../data/exceptions.json", __FILE__)))["exceptions"]
+      end
+
+      def known_ids
+        @@known_ids ||= licenses.map { |l| l["licenseId"] }
+      end
+
+      def known_names
+        @@known_names ||= licenses.map { |l| l["name"] }
+      end
+
+      private
+
+      def lookup(license_id)
+        return license_id if known_ids.include?(license_id)
+        return spdx_for(license_id) if (Array(license_id) & known_names).any?
+        return license_id if (parse(license_id) & known_ids).any?
+      end
+
+      def find_by_special_case(license_id)
+        gpl = gpl_match(license_id)
+        return gpl unless gpl.nil?
+        lookup(special_cases[license_id.downcase])
+      end
+
+      def closest(license_id)
+        spdx_for(FuzzyMatch.new(known_names).find(license_id)) || FuzzyMatch.new(known_ids).find(license_id)
+      end
+
+      def gpl_match(license_id)
+        match = license_id.match(/^(l|a)?gpl-?\s?_?v?(1|2|3)\.?(\d)?(\+)?$/i)
+        return unless match
+        lookup("#{match[1]}GPL-#{match[2]}.#{match[3] || 0}#{match[4]}".upcase)
+      end
+
+      def spdx_for(license_name)
+        licenses.find { |n| n["name"] == license_name }["licenseId"]
+      end
+
+      def spdx_join_words
+        %w{WITH AND OR}
+      end
+
+      def special_cases
+        {
+          # Pulled from http://search.cpan.org/~dagolden/CPAN-Meta-2.150010/lib/CPAN/Meta/Spec.pm#license
+          "agpl_3"      => "AGPL-3.0",
+          "apache_1_1"  => "Apache-1.1",
+          "apache_2_0"  => "Apache-2.0",
+          "artistic_1"  => "Artistic-1.0",
+          "artistic_2"  => "Artistic-2.0",
+          "bsd"         => "BSD-3-Clause",
+          "freebsd"     => "BSD-2-Clause-FreeBSD",
+          "gfdl_1_2"    => "GFDL-1.2-only",
+          "gfdl_1_3"    => "GFDL-1.3-only",
+          "lgpl_2_1"    => "LGPL-2.1-only",
+          "lgpl_3_0"    => "LGPL-3.0-only",
+          "mit"         => "MIT",
+          "mozilla_1_0" => "MPL-1.0",
+          "mozilla_1_1" => "MPL-1.1",
+          "openssl"     => "OpenSSL",
+          "qpl_1_0"     => "QPL-1.0",
+          "perl"        => "Artistic-1.0-Perl",
+          "perl_5"      => "Artistic-1.0-Perl",
+          "ssleay"      => "OpenSSL",
+          "sun"         => "SISSL",
+          "zlib"        => "Zlib",
+        }
+      end
+    end
+  end
+end

data/lib/license_scout/version.rb

@@ -16,5 +16,5 @@
 #
 
 module LicenseScout
-  VERSION = "1.3.17".freeze
+  VERSION = "2.0.2"
 end

data/lib/license_scout.rb

@@ -17,3 +17,5 @@
 
 module LicenseScout
 end
+
+require "license_scout/cli"

data/native_parsers/mix_lock_json/README.md

@@ -0,0 +1,21 @@
+# MixLockJson
+
+**TODO: Add description**
+
+## Installation
+
+If [available in Hex](https://hex.pm/docs/publish), the package can be installed
+by adding `mix_lock_json` to your list of dependencies in `mix.exs`:
+
+```elixir
+def deps do
+  [
+    {:mix_lock_json, "~> 0.1.0"}
+  ]
+end
+```
+
+Documentation can be generated with [ExDoc](https://github.com/elixir-lang/ex_doc)
+and published on [HexDocs](https://hexdocs.pm). Once published, the docs can
+be found at [https://hexdocs.pm/mix_lock_json](https://hexdocs.pm/mix_lock_json).
+

data/native_parsers/mix_lock_json/lib/mix_lock_json.ex

@@ -0,0 +1,20 @@
+defmodule MixLockJson.CLI do
+  def main(mix_lock_path \\ "") do
+    mix_lock_path
+    |> parse_mix_lock
+    |> IO.puts
+  end
+
+  defp parse_mix_lock(mix_lock_path) do
+    {:ok, lockfile} = File.read(mix_lock_path)
+    {lock_deps, _} = lockfile |> Code.eval_string
+
+    Poison.encode!(Enum.reduce(lock_deps, [], fn(i, acc) ->
+      case i do
+        {name, {_, _, version, _hash, _, _child_deps, _}} -> [%{name => version} | acc]
+        {name, {:git, _path, hash, _}} -> [%{name => hash} | acc]
+        _ -> acc
+      end
+    end))
+  end
+end

data/native_parsers/mix_lock_json/mix.exs

@@ -0,0 +1,31 @@
+defmodule MixLockJson.MixProject do
+  use Mix.Project
+
+  def project do
+    [
+      app: :mix_lock_json,
+      version: "0.1.0",
+      escript: escript(),
+      deps: deps()
+    ]
+  end
+
+  def application do
+    [applications: []]
+  end
+
+  defp escript do
+    [
+      main_module: MixLockJson.CLI,
+      path: "../../bin/mix_lock_json",
+      app: nil,
+      embed_elixir: true
+    ]
+  end
+
+  defp deps do
+    [
+      {:poison, "~> 3.1"}
+    ]
+  end
+end

data/native_parsers/mix_lock_json/mix.lock

@@ -0,0 +1,3 @@
+%{
+  "poison": {:hex, :poison, "3.1.0", "d9eb636610e096f86f25d9a46f35a9facac35609a7591b3be3326e99a0484665", [:mix], [], "hexpm"},
+}

data/{erl_src → native_parsers}/rebar_lock_json/rebar.lock

@@ -11,11 +11,11 @@
  {<<"providers">>,{pkg,<<"providers">>,<<"1.6.0">>},1},
  {<<"rebar">>,
   {git,"https://github.com/erlang/rebar3",
-       {ref,"4725d363c5b5583c9910f078da38c5b3a1d97aab"}},
+       {ref,"86e883b8d8d1d16487e245fff02eba8c83da2cdd"}},
   0},
  {<<"rebar3">>,
   {git,"https://github.com/erlang/rebar3",
-       {ref,"86e883b8d8d1d16487e245fff02eba8c83da2cdd"}},
+       {ref,"cb743f76cbc26ac780066d285329e8a6c8330605"}},
   0},
  {<<"relx">>,{pkg,<<"relx">>,<<"3.22.2">>},1},
  {<<"ssl_verify_fun">>,{pkg,<<"ssl_verify_fun">>,<<"1.1.1">>},1}]}.