license_scout 2.5.0 → 2.6.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/bin/license_scout +1 -1
- data/lib/license_scout/cli.rb +3 -3
- data/lib/license_scout/config.rb +2 -2
- data/lib/license_scout/dependency_manager/base.rb +6 -6
- data/lib/license_scout/dependency_manager/gomod.rb +42 -1
- data/lib/license_scout/dependency_manager/habitat.rb +55 -41
- data/lib/license_scout/exporter/csv.rb +1 -1
- data/lib/license_scout/license.rb +1 -1
- data/lib/license_scout/reporter.rb +1 -1
- data/lib/license_scout/spdx.rb +3 -3
- data/lib/license_scout/version.rb +1 -1
- metadata +11 -5
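--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 12546f70b9afac3b276e1cddfec8c3b542a0935f284d32662e5835310b7af58e
+data.tar.gz: 4097ca31ec4632da0b3951c054fb026909551c16824f98eae8636da2f2ca2e36
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 7e69e0a750cbbd2eb17fcbd31246bb04d7582b37ec739eb864f1e007833c849575f5ab2fce2d97f33e89cc4093e0979642cb6a386223c17e63a41140590f26a1
+data.tar.gz: 9db2e984ec8290cf4128dd69051de1d3c4e6140972052cfc084e35d10000d82f69d4a1e0f750067890bcd4590a61f12f61ce10e6e8de8557c5321f70803579c6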
data/bin/license_scout
CHANGED
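--- a/data/lib/license_scout/cli.rb
+++ b/data/lib/license_scout/cli.rb
@@ -15,9 +15,9 @@
 # limitations under the License.
 #
 
-require "zlib" # Temporarily require before rugged to fix https://github.com/prontolabs/pronto/issues/23
+require "zlib" unless defined?(Zlib) # Temporarily require before rugged to fix https://github.com/prontolabs/pronto/issues/23
 
-require "mixlib/cli"
+require "mixlib/cli" unless defined?(Mixlib::CLI)
 require "license_scout/config"
 require "license_scout/exporter"
 require "license_scout/collector"
@@ -85,7 +85,7 @@ module LicenseScout
 
 LicenseScout::Config.config_files.each do |config_file|
 if config_file =~ /^http/
-require "open-uri"
+require "open-uri" unless defined?(OpenURI)
 
 LicenseScout::Log.info("[cli] Loading config from #{config_file}")
 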
data/lib/license_scout/config.rb
CHANGED
@@ -15,8 +15,8 @@
|
|
15
15
|
# limitations under the License.
|
16
16
|
#
|
17
17
|
|
18
|
-
require "mixlib/config"
|
19
|
-
require "tmpdir"
|
18
|
+
require "mixlib/config" unless defined?(Mixlib::Config)
|
19
|
+
require "tmpdir" unless defined?(Dir.mktmpdir)
|
20
20
|
|
21
21
|
require "license_scout/exceptions"
|
22
22
|
require "license_scout/log"
|
@@ -20,14 +20,14 @@ require "license_scout/dependency"
|
|
20
20
|
require "license_scout/exceptions"
|
21
21
|
|
22
22
|
require "bundler"
|
23
|
-
require "ffi_yajl"
|
24
|
-
require "net/http"
|
25
|
-
require "mixlib/shellout"
|
26
|
-
require "pathname"
|
23
|
+
require "ffi_yajl" unless defined?(FFI_Yajl)
|
24
|
+
require "net/http" unless defined?(Net::HTTP)
|
25
|
+
require "mixlib/shellout" unless defined?(Mixlib::ShellOut)
|
26
|
+
require "pathname" unless defined?(Pathname)
|
27
27
|
require "psych"
|
28
|
-
require "set"
|
28
|
+
require "set" unless defined?(Set)
|
29
29
|
require "toml-rb"
|
30
|
-
require "yaml"
|
30
|
+
require "yaml" unless defined?(YAML)
|
31
31
|
|
32
32
|
module LicenseScout
|
33
33
|
# The DependencyManager module (or more accurately, implementations of it) are responsible for recognizing
|
@@ -57,8 +57,27 @@ module LicenseScout
|
|
57
57
|
File.join(directory, "go.sum")
|
58
58
|
end
|
59
59
|
|
60
|
+
def vendor_dir
|
61
|
+
File.join(directory, "vendor")
|
62
|
+
end
|
63
|
+
|
64
|
+
def modules_txt_file
|
65
|
+
File.join(vendor_dir, "modules.txt")
|
66
|
+
end
|
67
|
+
|
60
68
|
def go_modules
|
61
|
-
|
69
|
+
if vendor_mode
|
70
|
+
GoModulesTxtParser.parse(File.read(modules_txt_file), vendor_dir)
|
71
|
+
else
|
72
|
+
FFI_Yajl::Parser.parse(go_modules_json)
|
73
|
+
end
|
74
|
+
end
|
75
|
+
|
76
|
+
def vendor_mode
|
77
|
+
if @vendor_mode.nil?
|
78
|
+
@vendor_mode = File.directory?(vendor_dir)
|
79
|
+
end
|
80
|
+
@vendor_mode
|
62
81
|
end
|
63
82
|
|
64
83
|
def go_modules_json
|
@@ -69,4 +88,26 @@ module LicenseScout
|
|
69
88
|
end
|
70
89
|
end
|
71
90
|
end
|
91
|
+
|
92
|
+
module GoModulesTxtParser
|
93
|
+
# The modules.txt file has lines that look like:
|
94
|
+
#
|
95
|
+
# # gopkg.in/square/go-jose.v2 v2.1.3
|
96
|
+
#
|
97
|
+
# We parse these lines and return something that looks like `go
|
98
|
+
# list -m -json all` output.
|
99
|
+
def self.parse(data, base_path)
|
100
|
+
data.lines.map do |l|
|
101
|
+
if l.start_with?("#")
|
102
|
+
parts = l.split
|
103
|
+
{
|
104
|
+
"Main" => false,
|
105
|
+
"Path" => parts[1],
|
106
|
+
"Version" => parts[2],
|
107
|
+
"Dir" => File.join(base_path, parts[1]),
|
108
|
+
}
|
109
|
+
end
|
110
|
+
end.compact
|
111
|
+
end
|
112
|
+
end
|
72
113
|
end
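Review bot: GoModulesTxtParser.parse treats every line that begins with `#` as a module header, but since Go 1.14 a vendor/modules.txt also carries `## explicit` annotation lines (and `## explicit; go 1.17` from Go 1.17 on), so each of those becomes a bogus entry with Path `explicit`, a nil or wrong Version and a Dir of vendor/explicit. Restricting the match to the `# path version` form, `if l.start_with?("# ")`, keeps only the real headers. The parsed Path is also turned into a filesystem path on the `"Dir" => File.join(base_path, parts[1])` line; a checked-in modules.txt is input the scanner does not control, so entries whose expanded Dir does not stay under base_path are worth dropping before they are handed on to license discovery. In the earlier hunk, go_modules reads modules_txt_file whenever vendor_mode sees a vendor directory, so a vendor directory without a modules.txt (older vendoring, or an empty directory) raises Errno::ENOENT instead of falling back to go_modules_json; checking `File.exist?(modules_txt_file)` in vendor_mode would make that fallback explicit.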
|
@@ -46,28 +46,38 @@ module LicenseScout
|
|
46
46
|
def dependencies
|
47
47
|
tdeps = Set.new(pkg_deps)
|
48
48
|
|
49
|
-
pkg_deps.
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
o, n, v, r = tdep.split("/")
|
55
|
-
dep_name = "#{o}/#{n}"
|
56
|
-
dep_version = "#{v}-#{r}"
|
57
|
-
|
58
|
-
dependency = new_dependency(dep_name, dep_version, nil)
|
59
|
-
|
60
|
-
license_from_manifest(pkg_info(tdep)["manifest"]).each do |spdx|
|
61
|
-
# We hard code the channel to "unstable" because a package could be
|
62
|
-
# demoted from any given channel except unstable in the future and
|
63
|
-
# we want the url metadata to be stable in order to give end users
|
64
|
-
# the ability to self-audit licenses
|
65
|
-
# tl;dr, we want a permalink not a nowlink
|
66
|
-
dependency.add_license(spdx, "https://bldr.habitat.sh/v1/depot/channels/#{o}/unstable/pkgs/#{n}/#{v}/#{r}")
|
49
|
+
if pkg_deps.any?
|
50
|
+
pkg_deps.each do |pkg_dep|
|
51
|
+
unless pkg_info(pkg_dep).nil?
|
52
|
+
pkg_info(pkg_dep)["tdeps"].each { |dep| tdeps << to_ident(dep) }
|
53
|
+
end
|
67
54
|
end
|
68
55
|
|
69
|
-
|
70
|
-
|
56
|
+
tdeps.delete(nil)
|
57
|
+
|
58
|
+
tdeps.sort.map do |tdep|
|
59
|
+
o, n, v, r = tdep.split("/")
|
60
|
+
dep_name = "#{o}/#{n}"
|
61
|
+
dep_version = "#{v}-#{r}"
|
62
|
+
|
63
|
+
dependency = new_dependency(dep_name, dep_version, nil)
|
64
|
+
|
65
|
+
if pkg_info(tdep).nil?
|
66
|
+
LicenseScout::Log.warn("Could not find information for #{tdep} -- skipping")
|
67
|
+
else
|
68
|
+
license_from_manifest(pkg_info(tdep)["manifest"]).each do |spdx|
|
69
|
+
# We hard code the channel to "unstable" because a package could be
|
70
|
+
# demoted from any given channel except unstable in the future and
|
71
|
+
# we want the url metadata to be stable in order to give end users
|
72
|
+
# the ability to self-audit licenses
|
73
|
+
# tl;dr, we want a permalink not a nowlink
|
74
|
+
dependency.add_license(spdx, "https://bldr.habitat.sh/v1/depot/channels/#{o}/unstable/pkgs/#{n}/#{v}/#{r}")
|
75
|
+
end
|
76
|
+
end
|
77
|
+
|
78
|
+
dependency
|
79
|
+
end.compact
|
80
|
+
end
|
71
81
|
end
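Review bot: In dependencies, the nil branch at new lines 65-66 warns "-- skipping", but the block still evaluates to `dependency` on line 78, so the unresolved package is emitted with no licenses and the `.compact` on line 79 never removes anything. If skipping is the intent, follow the warn with `next` (the block then yields nil and `.compact` drops it); if keeping an unlicensed entry is the intent, the message should say so. `pkg_info(tdep)` is also called twice per dependency here and twice per entry in the pkg_deps hunk (new lines 99-101); unless pkg_info memoizes, which this diff does not show, each call presumably repeats a Builder lookup, so capturing it once as `info = pkg_info(tdep)` halves the work, and compacting inside pkg_deps would avoid producing the nils that `tdeps.delete(nil)` later strips. In pkg_info_with_channel_fallbacks (the third hunk) the whole body sits inside `unless pkg_ident.nil? … end`; a guard `return if pkg_ident.nil?` at the top reads more directly, and if pkg_info routes through that method its closing warn and the one here log the same missing package twice.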
|
72
82
|
|
73
83
|
private
|
@@ -86,7 +96,9 @@ module LicenseScout
|
|
86
96
|
pkg_deps = c.stdout.split("\s")
|
87
97
|
|
88
98
|
# Fetch the fully-qualified pkg_ident for each pkg
|
89
|
-
pkg_deps.map
|
99
|
+
pkg_deps.map do |dep|
|
100
|
+
to_ident(pkg_info(dep)["ident"]) unless pkg_info(dep).nil?
|
101
|
+
end
|
90
102
|
end
|
91
103
|
end
|
92
104
|
|
@@ -100,29 +112,31 @@ module LicenseScout
|
|
100
112
|
end
|
101
113
|
|
102
114
|
def pkg_info_with_channel_fallbacks(pkg_ident)
|
103
|
-
|
104
|
-
|
105
|
-
|
106
|
-
|
107
|
-
|
108
|
-
|
109
|
-
|
110
|
-
|
111
|
-
|
112
|
-
|
113
|
-
if pkg_channel != DEFAULT_CHANNEL
|
114
|
-
LicenseScout::Log.debug("[habitat] Looking for #{pkg_ident} in #{DEFAULT_CHANNEL} channel")
|
115
|
-
info = get_pkg_info(pkg_origin, DEFAULT_CHANNEL, pkg_name, pkg_version, pkg_release)
|
115
|
+
unless pkg_ident.nil?
|
116
|
+
pkg_origin, pkg_name, pkg_version, pkg_release = pkg_ident.split("/")
|
117
|
+
pkg_channel = channel_for_origin(pkg_origin)
|
118
|
+
|
119
|
+
# Channel selection here is similar to the logic that
|
120
|
+
# Habitat uses. First, search in the user-provided channel,
|
121
|
+
# then search in stable, then use unstable IF it is a fully
|
122
|
+
# qualified package
|
123
|
+
info = get_pkg_info(pkg_origin, pkg_channel, pkg_name, pkg_version, pkg_release)
|
116
124
|
return info if info
|
117
|
-
end
|
118
125
|
|
119
|
-
|
120
|
-
|
121
|
-
|
122
|
-
|
123
|
-
|
126
|
+
if pkg_channel != DEFAULT_CHANNEL
|
127
|
+
LicenseScout::Log.debug("[habitat] Looking for #{pkg_ident} in #{DEFAULT_CHANNEL} channel")
|
128
|
+
info = get_pkg_info(pkg_origin, DEFAULT_CHANNEL, pkg_name, pkg_version, pkg_release)
|
129
|
+
return info if info
|
130
|
+
end
|
124
131
|
|
125
|
-
|
132
|
+
if !pkg_version.nil? && !pkg_release.nil?
|
133
|
+
LicenseScout::Log.debug("[habitat] Looking for #{pkg_ident} in #{FALLBACK_CHANNEL_FOR_FQ} channel since it is fully-qualified")
|
134
|
+
info = get_pkg_info(pkg_origin, FALLBACK_CHANNEL_FOR_FQ, pkg_name, pkg_version, pkg_release)
|
135
|
+
return info if info
|
136
|
+
end
|
137
|
+
|
138
|
+
LicenseScout::Log.warn("Could not find information for #{pkg_ident} -- skipping")
|
139
|
+
end
|
126
140
|
end
|
127
141
|
|
128
142
|
def get_pkg_info(origin, channel, name, version, release)
|
@@ -106,7 +106,7 @@ module LicenseScout
|
|
106
106
|
|
107
107
|
begin
|
108
108
|
LicenseScout::Log.debug("[license] Pulling license content for #{license_id} from #{new_url}")
|
109
|
-
open(new_url).read
|
109
|
+
URI.open(new_url).read
|
110
110
|
rescue RuntimeError => e
|
111
111
|
if e.message =~ /redirection forbidden/
|
112
112
|
m = /redirection forbidden:\s+(.+)\s+->\s+(.+)/.match(e.message)
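Review bot: `URI.open(new_url)` only routes through open-uri when new_url is a string with a `scheme://` prefix that parses to an HTTP, HTTPS or FTP URI; any other string falls through to Kernel#open, which opens local paths and honours the historical pipe form. From its name and the `redirection forbidden` handling below, new_url appears to be a redirect target supplied by the remote server rather than a value the tool controls, so it should be parsed and checked before being opened: `uri = URI.parse(new_url)`, `raise ArgumentError, "unsupported license URL: #{new_url}" unless uri.is_a?(URI::HTTP)`, `uri.open.read` (URI::HTTPS is a subclass of URI::HTTP, so both schemes pass). This keeps the Ruby 3 fix the commit makes while removing the Kernel#open fallback. The enclosing method starts and ends outside the hunk, so where new_url is assigned is not visible here, and this assumes open-uri is already required, which the existing redirect handling implies.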
|
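--- a/data/lib/license_scout/spdx.rb
+++ b/data/lib/license_scout/spdx.rb
@@ -17,7 +17,7 @@
 
 # This library was inspired by (and pulls some logic from) librariesio/spdx
 
-require "ffi_yajl"
+require "ffi_yajl" unless defined?(FFI_Yajl)
 require "fuzzy_match"
 
 module LicenseScout
@@ -45,12 +45,12 @@ module LicenseScout
 
 # @return [Hash] The SPDX license data in Hash form
 def licenses
-@@license_data ||= FFI_Yajl::Parser.parse(File.read(File.expand_path("
+@@license_data ||= FFI_Yajl::Parser.parse(File.read(File.expand_path("data/licenses.json", __dir__)))["licenses"]
 end
 
 # @return [Hash] The SPDX license data in Hash form
 def exceptions
-@@license_data ||= FFI_Yajl::Parser.parse(File.read(File.expand_path("
+@@license_data ||= FFI_Yajl::Parser.parse(File.read(File.expand_path("data/exceptions.json", __dir__)))["exceptions"]
 end
 
 def known_ids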
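Review bot: licenses and exceptions both memoize into the same class variable `@@license_data` (new lines 48 and 53), so whichever is called first fixes the value for both: after `licenses`, `exceptions` returns the licenses data, and vice versa. Line 53 needs its own store, `@@exception_data ||= FFI_Yajl::Parser.parse(File.read(File.expand_path("data/exceptions.json", __dir__)))["exceptions"]`, and the YARD comment above it should read `# @return [Hash] The SPDX exception data in Hash form` instead of repeating the licenses description. A class instance variable (`@exception_data`) would also avoid the inheritance-wide sharing that `@@` variables have, provided nothing outside the hunk relies on it. The old side of these lines is truncated on this page, so whether the shared name predates the commit cannot be confirmed from here, but the new side is what ships.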
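--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: license_scout
 version: !ruby/object:Gem::Version
-version: 2.
+version: 2.6.3
 platform: ruby
 authors:
 - Tom Duffield
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2021-07-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: ffi-yajl
@@ -28,16 +28,22 @@ dependencies:
 name: mixlib-shellout
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- - "
+- - ">="
 - !ruby/object:Gem::Version
 version: '2.2'
+- - "<"
+- !ruby/object:Gem::Version
+version: '4.0'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- - "
+- - ">="
 - !ruby/object:Gem::Version
 version: '2.2'
+- - "<"
+- !ruby/object:Gem::Version
+version: '4.0'
 - !ruby/object:Gem::Dependency
 name: toml-rb
 requirement: !ruby/object:Gem::Requirement
@@ -199,7 +205,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.
+rubygems_version: 3.1.4
 signing_key:
 specification_version: 4
 summary: Discovers license files of a project's dependencies.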