license_scout 2.1.0 → 2.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9424ab5a07b97ad3aae865f34272ef0929133dc59a2a2517099733b9f52b2d5d
-  data.tar.gz: 49b5eef3a1c45e5d4941ef213f58e3530151357ab832dd9c5b69014148191543
+  metadata.gz: '083e8edafd9a99be05ba58d2af282874c2afedfef05cc7d5548f68c377178f63'
+  data.tar.gz: a00c763ddafbcf149fdfacc7b005bb372509f3bd07186858b3d9247976b2c5b3
 SHA512:
-  metadata.gz: 0b4e3b501de6f26ec2f01b7a99f9b27620761ba183bc14be7febb6b8a3a54830ec3f3ec064e9fab64469359d44fbc5ae6f5ae91e41ab1537da20fff29c23f1f0
-  data.tar.gz: 42310f9e3474e7b07242103e2f00295063ab87101417e89aa758a436b926959fb2dc8e297e086f9c16d755551001d745b3dd36c032ae9c4a1143b2dd894c828a
+  metadata.gz: c31dcd43c92cd006a7cc644389b8c29993002d6c2ec4d29db92553ce56dd6d551cc11c29a572ed5b54f3ee7d126c615a8b9f9956366c804252485490d7b5fe44
+  data.tar.gz: c4f345b2bd3f5a1cc7d8b36c00a0bbcf9ed4431e1829b0ff18b8e48e4a987dd6c6e134114829a87ba825ff43f4f0948bf0d7bb6cd9f5da11e261bdb475adfcf3

data/lib/license_scout/cli.rb

@@ -117,6 +117,9 @@ module LicenseScout
         reporter = LicenseScout::Reporter.new(collector.dependencies)
         reporter.report
       end
+      exit 0
+    rescue Exceptions::FailExit
+      exit 1
     end
   end
 end

data/lib/license_scout/collector.rb

@@ -35,6 +35,10 @@ module LicenseScout
       dependency_managers.each { |d| collect_licenses_from(d) }
 
       LicenseScout::Log.info("[collector] All licenses successfully collected")
+    rescue Exceptions::PackageNotFound => e
+      LicenseScout::Log.error("[collector] One of the project's transitive dependencies could not be found:")
+      LicenseScout::Log.error("[collector] #{e}")
+      raise Exceptions::FailExit.new(e)
     end
 
     private

data/lib/license_scout/dependency_manager/habitat.rb

@@ -16,6 +16,7 @@
 #
 
 require "license_scout/dependency_manager/base"
+require "license_scout/exceptions"
 
 require "open-uri"
 require "mixlib/shellout"
@@ -24,6 +25,7 @@ module LicenseScout
   module DependencyManager
     class Habitat < Base
       DEFAULT_CHANNEL = "stable".freeze
+      FALLBACK_CHANNEL_FOR_FQ = "unstable".freeze
 
       def name
         "habitat"
@@ -54,20 +56,28 @@ module LicenseScout
 
         tdeps.sort.map do |tdep|
           o, n, v, r = tdep.split("/")
-          c = channel_for_origin(o)
           dep_name = "#{o}/#{n}"
           dep_version = "#{v}-#{r}"
 
           dependency = new_dependency(dep_name, dep_version, nil)
 
           license_from_manifest(pkg_info(tdep)["manifest"]).each do |spdx|
-            dependency.add_license(spdx, "https://bldr.habitat.sh/v1/depot/channels/#{o}/#{c}/pkgs/#{n}/#{v}/#{r}")
+            # We hard code the channel to "unstable" because a package could be
+            # demoted from any given channel except unstable in the future and
+            # we want the url metadata to be stable in order to give end users
+            # the ability to self-audit licenses
+            # tl;dr, we want a permalink not a nowlink
+            dependency.add_license(spdx, "https://bldr.habitat.sh/v1/depot/channels/#{o}/unstable/pkgs/#{n}/#{v}/#{r}")
           end
 
           dependency
         end.compact
       end
 
+      def fetched_urls
+        @fetched_urls ||= {}
+      end
+
       private
 
       def license_from_manifest(manifest_content)
@@ -94,27 +104,51 @@ module LicenseScout
 
       def pkg_info(pkg_ident)
         $habitat_pkg_info ||= {}
-        $habitat_pkg_info[pkg_ident] ||= begin
-          pkg_origin, pkg_name, pkg_version, pkg_release = pkg_ident.split("/")
-          pkg_channel = channel_for_origin(pkg_origin)
-
-          base_api_uri = "https://bldr.habitat.sh/v1/depot/channels/#{pkg_origin}/#{pkg_channel}/pkgs/#{pkg_name}"
-          if pkg_version.nil? && pkg_release.nil?
-            base_api_uri += "/latest"
-          elsif pkg_release.nil?
-            base_api_uri += "/#{pkg_version}/latest"
-          else
-            base_api_uri += "/#{pkg_version}/#{pkg_release}"
-          end
+        $habitat_pkg_info[pkg_ident] ||= pkg_info_with_channel_fallbacks(pkg_ident)
+      end
+
+      def pkg_info_with_channel_fallbacks(pkg_ident)
+        pkg_origin, pkg_name, pkg_version, pkg_release = pkg_ident.split("/")
+        pkg_channel = channel_for_origin(pkg_origin)
+
+        # Channel selection here is similar to the logic that
+        # Habitat uses. First, search in the user-provided channel,
+        # then search in stable, then use unstable IF it is a fully
+        # qualified package
+        info = get_pkg_info(pkg_origin, pkg_channel, pkg_name, pkg_version, pkg_release)
+        return info if info
+
+        if pkg_channel != DEFAULT_CHANNEL
+          LicenseScout::Log.debug("[habitat] Looking for #{pkg_ident} in #{DEFAULT_CHANNEL} channel")
+          info = get_pkg_info(pkg_origin, DEFAULT_CHANNEL, pkg_name, pkg_version, pkg_release)
+          return info if info
+        end
 
-          LicenseScout::Log.debug("[habitat] Fetching pkg_info from #{base_api_uri}")
-          FFI_Yajl::Parser.parse(open(base_api_uri).read)
-        rescue OpenURI::HTTPError
-          pkg_origin, pkg_name, = pkg_ident.split("/")
+        if !pkg_version.nil? && !pkg_release.nil?
+          LicenseScout::Log.debug("[habitat] Looking for #{pkg_ident} in #{FALLBACK_CHANNEL_FOR_FQ} channel since it is fully-qualified")
+          info = get_pkg_info(pkg_origin, FALLBACK_CHANNEL_FOR_FQ, pkg_name, pkg_version, pkg_release)
+          return info if info
+        end
+
+        raise LicenseScout::Exceptions::HabitatPackageNotFound.new("Could not find Habitat package #{pkg_ident}")
+      end
+
+      def get_pkg_info(origin, channel, name, version, release)
+        base_api_uri = "https://bldr.habitat.sh/v1/depot/channels/#{origin}/#{channel}/pkgs/#{name}"
+        if version.nil? && release.nil?
+          base_api_uri += "/latest"
+        elsif release.nil?
+          base_api_uri += "/#{version}/latest"
+        else
+          base_api_uri += "/#{version}/#{release}"
+        end
 
-          LicenseScout::Log.warn("[habitat] Could not find pkg_info for #{pkg_ident} - trying for the latest version of #{pkg_origin}/#{pkg_name}")
-          FFI_Yajl::Parser.parse(open("https://bldr.habitat.sh/v1/depot/channels/#{pkg_origin}/#{pkg_channel}/pkgs/#{pkg_name}/latest").read)
+        LicenseScout::Log.debug("[habitat] Fetching pkg_info from #{base_api_uri}")
+        FFI_Yajl::Parser.parse(open(base_api_uri).read).tap do |bldr_info|
+          fetched_urls["#{origin}/#{name}"] = base_api_uri
         end
+      rescue OpenURI::HTTPError
+        nil
       end
 
       def channel_for_origin(pkg_origin)

data/lib/license_scout/exceptions.rb

@@ -21,5 +21,8 @@ module LicenseScout
     class ConfigError < Error; end
     class MissingSourceDirectory < Error; end
     class UnsupportedExporter < Error; end
+    class PackageNotFound < Error; end
+    class HabitatPackageNotFound < PackageNotFound; end
+    class FailExit < Error; end
   end
 end

data/lib/license_scout/reporter.rb

@@ -175,7 +175,7 @@ module LicenseScout
       puts "  * Please add exceptions for the 'Flagged' or 'Not Allowed' dependencies"           if @needs_exception
       puts "         https://github.com/chef/license_scout#dependency-exceptions"                if @needs_exception
 
-      exit 1 if @did_fail
+      raise Exceptions::FailExit.new("missing or not allowed licenses detected") if @did_fail
     end
 
     def generate_dependency_license_manifest

data/lib/license_scout/version.rb

@@ -16,5 +16,5 @@
 #
 
 module LicenseScout
-  VERSION = "2.1.0"
+  VERSION = "2.1.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: license_scout
 version: !ruby/object:Gem::Version
-  version: 2.1.0
+  version: 2.1.1
 platform: ruby
 authors:
 - Serdar Sutay
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-08-23 00:00:00.000000000 Z
+date: 2018-08-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ffi-yajl