license_scout 1.3.7 → 2.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 821efe0b7cbe4c23507fd59f9ff95d1f581e31a5de758f99274ace3b201dc759
-  data.tar.gz: 2a8237eb322b64cdd18203d9e971916a032faac03107f683238af38716dd5390
+  metadata.gz: 9b68d1311c50cda672da2ff036a9933a38d45e7a79e8a9c40352d839ba818186
+  data.tar.gz: 5efda8ed1041680fb943017f5f6015765ef33a77fffb428e0c402fb685778446
 SHA512:
-  metadata.gz: 3ecf357fa8c9b1f2926b406a45b729a056fedf4365abb1208c8725521001f3f43164c8210d163cc94f670971e8bb61340f5da7fd5ce1aa2cd10931b89dbdd9e3
-  data.tar.gz: 4dd72ce9855374853248b7fa80090a292474d058033537706a7819d5a5a6e22c8e440558fe4794c95059c263ed7737685df6fa34b6a177917c618d9f79120b1c
+  metadata.gz: 0cfac147a17d18bba538ce8152015c9fea05c7b8956d3a9db6beb0bcea990951bd19d7fb855fef4f4a03a02f2ea71e09608192c6ea882a0b92045f8967da702e
+  data.tar.gz: c337a0bd8b8aa6906a5ed992012df0de3a42fe190dc63fce545c6a1407a4f818f5dccc6abd69304aec334c1ecb3749057605d31404720986b30169ba4ec6042c

data/README.md

@@ -0,0 +1,195 @@
+# License Scout
+
+License Scout is a utility that discovers and aggregates the licenses for your software project's transitive dependencies.
+
+Currently supported Dependency Types and Dependency Managers are:
+
+Dependency Type | Supported Dependency Managers
+--- | ---
+chef_cookbook | berkshelf
+erlang | rebar
+elixir | mix
+golang | dep, godep, glide
+habitat | habitat
+nodejs | npm
+perl | cpan
+ruby | bundler
+
+## Dependencies
+
+* If you wish to scan for `berkshelf` dependencies, you'll need to manually install the Berkshelf gem in the same Ruby as License Scout
+* If you wish to scan for `mix` or `rebar` dependencies, you'll need to install Erlang OTP 18.3 or greater.
+
+## Usage
+
+License Scout's default behavior is to scan the current directory and return a breakdown of all the licenses it can find.
+
+```bash
+my_project $ license_scout
+
++------+------------+------------+---------+
+| Type | Dependency | License(s) | Results |
++------+------------+------------+---------+
+...
+```
+
+LicenseScout will exit `0` if it was able to find licenses for all your dependencies. Otherwise, it will exit `1`.
+
+Under the covers, License Scout leverages [Licensee](http://ben.balter.com/licensee/) (the same Ruby Gem [GitHub](https://developer.github.com/v3/licenses/) uses to detect [OSS licenses](https://spdx.org/licenses/)). In addition to using Licensee to scan your source code for licenses, License Scout will go a step further and attempt to determine if the metadata provided by the Dependency Manager specifies which license each dependency uses. At the end of the process, License Scout will provide you a Dependency Manifest following information:
+
+1. The name of the license(s) (the SPDX ID if the a recognized open source license).
+2. The name of the file where the License Scout found the license.
+3. The contents of the license file (if available).
+
+In addition to the printout provided to STDOUT, License Scout will also save a JSON manifest of all your dependencies to disk.
+
+```json
+{
+  "license_manifest_version": 2,
+  "generated_on": "<DATE>",
+  "name": "<YOUR_PROJECT>",
+  "dependencies": [...]
+}
+```
+
+For more information about the structure of JSON manifest, please check out the full [JSON Schema](lib/license_scout/data/dependency_manifest_v2_schema.json).
+
+### Result Types
+
+License Scout will provide a summary of the licenses it finds to STDOUT. These results are intended to provide direction as to which actions may or may not be necessary to generate a Dependency Manifest that meets all of your compliance requirements. To do this it categorizes its findings into the following results.
+
+Result | Description
+--- | ---
+Flagged | License Scout was able to determine the license for this software dependency, and it is one of the licenses you have explicitly flagged. You should either remove the dependency or [add an Exception](#dependency-exceptions).
+Missing | License Scout could not find any license files or license metadata associated with this dependency. You should contact the maintainer and/or specify a [Fallback License](#fallback-licenses).
+Not Allowed | License Scout was able to determine the license for this software dependency, but it is not one of the licenses you have explicitly allowed. You should either remove the dependency or [add an Exception](#dependency-exceptions).
+OK | There were no issues.
+Undetermined | License Scout found a license file but was unable to determine (with sufficient confidence) what license that file represents. License Scout was also unable to determine the license using Dependency Manager metadata. You should contact the maintainer and/or specify a [Fallback License](#fallback-licenses).
+
+## Advanced Usage
+
+### Configuration File(s)
+
+You can control License Scout's behavior by providing one or more YAML configuration files, available either locally or via HTTP, to the `--config-files` option of the CLI.
+
+```bash
+$ license_scout --config-files http://example.com/license_scout/common.yml,./.license_scout.yml
+```
+
+License Scout evalutes these files in the order they are provided, allowing you to hydrate configuration by composing multiple files together. For example, you can have a single organization-wide configuration file that specifies what licenses are allowed and project-specific configuration file that specifies exceptions and which directories to scan.
+
+#### How multiple configuration files are handled
+
+License Scout uses [mixlib-config](https://github.com/chef/mixlib-config) to handle it's configuration. When loading multiple configuration files, mixlib-config (and thus License Scout) will not perform deep merges of Arrays. That means that License Scout will not merge (for example) `allowed_licenses` (or `flagged_licenses`) from two different configuration files; it will only take the `allowed_licenses` value from the configuration that is loaded last. This logic does not apply to the `fallbacks` or `exceptions`, because those are defined as [`config_contexts`](lib/license_scout/config.rb). It **does** apply to the individuals types specified within the `fallbacks` or `exceptions` however.
+
+### Allowed and Flagged Licenses
+
+License Scout provides you with the ability to provide a list of licenses that are explicitly allowed, or a list of licenses that should be flagged for further scrutiny.
+
+- When you specify a list of `allowed_licenses`, License Scout will exit `1` if it detects a dependency with a license other than one on the list.
+- When you specify a list of `flagged_licenses`, License Scout will exit `1` if it finds a dependency with that license.
+
+To add a license to the list of allowed or flagged licenses, you need only provide the array of licenses as a string in your configuration file. A configuration may have a list of allowed licenses _or_ flagged licenses, it cannot have both. _License Scout does not support regular expressions or glob-patterms for `allowed_licenses` or `flagged_licenses`._
+
+```yaml
+allowed_licenses:
+  - Apache-2.0
+
+# OR
+
+flagged_licenses:
+  - Apache-2.0
+```
+
+License Scout will compare these string values to the licenses it finds within the dependencies. License Scout does its best to resolve everything down to valid [SPDX IDs](https://spdx.org/licenses/), so you should specify licenses using their SDPX ID.
+
+> _Warning: Because we cannot control how maintainers specify licenses in their metadata, there may be a situation where License Scout cannot correctly detect the intended SPDX ID. In this case, you may need to temporarily provide a temporary Fallback License in your configuration. If you encounter this situation, we encourage you to [open an Issue](https://github.com/chef/license_scout) with us._
+
+### Dependency Exceptions
+
+If you specify a list of allowed or flagged licenses, there may be a dependency that does not adhere to the specified license(s) for which you wish to make an exception. License Scout allows you to specify Exceptions to these lsits as part of your Configuration File.
+
+```yaml
+---
+allowed_licenses:
+  - Apache-2.0
+
+exceptions:
+  ruby:
+    - name: bundler
+      reason: Used only during .gem creation
+    - name: json (1.8.3)
+```
+
+Exceptions are organized by `type` (e.g. `ruby` - see Table above). There are two elements to each exception: a `name` and a `reason`.
+
+Property | Description
+--- | ---
+`name` | Can be specified by `dep-name` or `dep-name (dep-version)` where `dep-name` is the name of the dependency as it exists in the Dependency Manifest and `dep-version` can be a traditional version, git reference, or type-specific version specification such as `$pkg_version-$pkg_release` for Habitat.
+`reason` | An optional string that will be included in the Dependency Manifest for documentation purposes.
+
+Simple glob-style pattern matching _is_ supported for Exceptions, so you can have an Exception for a large collection of dependencies without enumerating them all.
+
+```yaml
+---
+exceptions:
+  chef_cookbook:
+    - name: apache2 (5.*)
+      reason: Allowed by TICKET-001
+  habitat:
+    - name: core/bundler (1.15.1-*)
+      reason: Only used for .gem creation
+  ruby:
+    - name: aws-sdk-*
+      reason: Exception granted by Bobo T. Clown on 2018/02/31
+```
+
+### Fallback Licenses
+
+In situations where License Scout is unable to determine the license for a particular dependency, either because Licensee was not able to identify any of the license files or the Dependency Manager did not provide any metadata that incidated how the dependency was licensed, you'll need to provide a Fallback License in your configuration. Like Exceptions, Fallback Licenses are grouped by `type`.
+
+```yaml
+fallbacks:
+  golang:
+    - name: github.com/dchest/siphash
+      license_id: CC0-1.0
+      license_content: https://raw.githubusercontent.com/dchest/siphash/master/README.md
+```
+
+Property | Description
+--- | ---
+name | The name of the dependency as it appears in the JSON manifest.
+license_id | The ID of the license as it appears in the JSON manifest.
+license_content | A URL to a file where the raw text of the license can be downloaded.
+
+In addition to including any files Licensee identified as potential license files (but couldn't identify), License Scout will also include the Fallback License you specified in the Dependency Manifest.
+
+## Configuration
+
+Value | Description | Default
+--- | --- | ---
+directories | The fully-qualified local paths to the directories you wish to scan | _The current working directory._ |
+name | The name you want to give to the scan result. | _The basename of the first directory to be scanned._ |
+output_directory | The path to the directory where the output JSON file should be saved. | _The current working directory._ |
+log_level | What log information should be included in STDOUT | `info` |
+allowed_licenses | Only allow dependencies to have these licenses. | `[]` |
+flagged_licenses | An array of licenses that should be flagged for removal or exception. | `[]` |
+exceptions | An array of Exceptions. | `[]` |
+environment | A hash of additional Environment Variables to pass to [mixlib-shellout](https://github.com/chef/mixlib-shellout) | `{}` |
+escript_bin | The path to the `escript` binary you wish to use when shelling out to Erlang. | `escript` |
+ruby_bin | The path to the `ruby` binary you wish to use when shelling out to Ruby. | `ruby` |
+cpanm_root | The path to where the cpanminus install cache is located. | `~/.cpanm` |
+
+## Contributing
+
+This project is maintained by the contribution guidelines identified for [chef](https://github.com/chef/chef) project. You can find the guidelines here:
+
+https://github.com/chef/chef/blob/master/CONTRIBUTING.md
+
+Pull requests in this project are merged when they have two :+1:s from maintainers.
+
+## Maintainers
+
+- [Dan DeLeo](https://github.com/danielsdeleo)
+- [Tom Duffield](https://github.com/tduffield)
+

data/bin/license_scout

@@ -16,64 +16,8 @@
 # limitations under the License.
 #
 
-$:.unshift File.expand_path("../lib", __dir__)
+$:.unshift File.expand_path("../../lib", __FILE__)
 
-require "license_scout/collector"
-require "license_scout/overrides"
-require "license_scout/options"
+require "license_scout"
 
-project_dir = ARGV[0] || File.expand_path(Dir.pwd)
-project_name = File.basename(project_dir)
-
-# Create the output files under a specific directory in order not to pollute the
-# project_dir too much.
-output_dir = File.join(project_dir, "license-cache")
-
-overrides = LicenseScout::Overrides.new
-
-opts = LicenseScout::Options.new(overrides: overrides)
-
-collector = LicenseScout::Collector.new(project_name, project_dir, output_dir, opts)
-
-collector.run
-report = collector.issue_report
-
-unless report.empty?
-  puts report
-
-  puts <<~EXPLANATION
-
-    How to fix this depends on what information license_scout was unable to
-    determine:
-
-    * If the package is missing license information, that means license_scout was
-      unable to determine which license the package was released under. Depending
-      on the package manager, this is usually specified in the package's metadata,
-      for example, in the gemspec file for rubygems or in the package.json for npm.
-      If you know which license a package was released under, MIT for example, you
-      can add an override in license_scout's overrides.rb file in the section for
-      the appropriate package manager like this:
-        ["package-name", "MIT", nil]
-
-    * If the package is missing the license file, that means license_scout could not
-      find the license text in any of the places the license is typically found, for
-      example, in a file named LICENSE in the root of the package. If the package
-      includes the license text in a non standard location or in its source repo,
-      you can indicate this by adding an override in license_scout's overrides.rb
-      file in the section for the appropriate package manager like this:
-        ["package-name", nil, ["https://example.com/foocorp/package-name/master/LICENSE"]],
-
-      If you know that the package was released under one of the common software
-      licenses, MIT for example, but does not include the license text in packaged
-      releases or in its source repo, you can add an override in license_scout's
-      overrides.rb file in the section for the appropriate package manager like
-      this:
-        ["package-name", nil, [canonical("MIT")]]
-
-    See the closed pull requests on the license_scout repo for examples of how to
-    do this:
-    https://github.com/chef/license_scout/pulls?q=is%3Apr+is%3Aclosed
-  EXPLANATION
-
-  exit 2
-end
+LicenseScout::CLI.new.run

data/lib/license_scout/cli.rb

@@ -0,0 +1,99 @@
+#
+# Copyright:: Copyright 2018, Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "mixlib/cli"
+require "license_scout/config"
+require "license_scout/collector"
+require "license_scout/reporter"
+
+module LicenseScout
+  class CLI
+    include Mixlib::CLI
+
+    #
+    # These config values should match values available in LicenseScout::Config
+    #
+    option :config_files,
+      short: "-c CONFIG_FILES",
+      long: "--config-files CONFIG_FILES",
+      description: "Comma-separated list of local (or remote) YAML configuration file(s) evaluated in order specified (priority goes to last file)",
+      proc: Proc.new { |c| c.split(",") }
+
+    option :directories,
+      short: "-d DIRECTORIES",
+      long: "--directories DIRECTORIES",
+      description: "Comma-separated list of directories to scan",
+      proc: Proc.new { |d| d.split(",") }
+
+    option :log_level,
+      short: "-l LEVEL",
+      long: "--log-level LEVEL",
+      description: "Set the log level (debug, info, warn, error, fatal)",
+      proc: Proc.new { |l| l.to_sym }
+
+    option :only_show_failures,
+      long: "--only-show-failures",
+      description: "Only print results for dependencies with licenses that failed checks",
+      boolean: true
+
+    option :help,
+      short: "-h",
+      long: "--help",
+      description: "Show this message",
+      on: :tail,
+      boolean: true,
+      show_options: true,
+      exit: 0
+
+    def run(argv = ARGV)
+      parse_options(argv)
+
+      LicenseScout::Config.merge!(config)
+
+      LicenseScout::Log.level = LicenseScout::Config.log_level
+      LicenseScout::Log.formatter = proc do |sev, datetime, progname, msg|
+        "#{sev.ljust(5)} #{msg}\n"
+      end
+
+      LicenseScout::Config.config_files.each do |config_file|
+        if config_file =~ /^http/
+          require "open-uri"
+
+          LicenseScout::Log.info("[cli] Loading config from #{config_file}")
+
+          Dir.mktmpdir do |dir|
+            local_tmp_file = File.join(dir, File.basename(config_file))
+            IO.copy_stream(open(config_file), local_tmp_file)
+            LicenseScout::Config.from_file(local_tmp_file)
+          end
+        else
+          full_config_file = File.expand_path(config_file)
+          LicenseScout::Log.info("[cli] Loading config from #{full_config_file}")
+          LicenseScout::Config.from_file(full_config_file)
+        end
+      end
+
+      LicenseScout::Config.validate!
+
+      collector = LicenseScout::Collector.new
+      collector.collect
+
+      reporter = LicenseScout::Reporter.new(collector.dependencies)
+      reporter.report
+    end
+  end
+end

data/lib/license_scout/collector.rb

@@ -15,103 +15,51 @@
 # limitations under the License.
 #
 
+require "license_scout/log"
 require "license_scout/exceptions"
 require "license_scout/dependency_manager"
-require "license_scout/reporter"
-
-require "ffi_yajl" unless defined?(FFI_Yajl)
+require "license_scout/license"
 
 module LicenseScout
   class Collector
 
-    attr_reader :project_name
-    attr_reader :project_dir
-    attr_reader :output_dir
-    attr_reader :license_manifest_data
-    attr_reader :options
+    attr_reader :dependencies
 
-    def initialize(project_name, project_dir, output_dir, options)
-      @project_name = project_name
-      @project_dir = project_dir
-      @output_dir = output_dir
-      @options = options
-    end
-
-    def dependency_managers
-      @dependency_managers ||= all_dependency_managers.select(&:detected?)
-    end
-
-    def run
-      reset_license_manifest
-
-      unless File.exist?(project_dir)
-        raise LicenseScout::Exceptions::ProjectDirectoryMissing.new(project_dir)
-      end
-
-      FileUtils.mkdir_p(output_dir) unless File.exist?(output_dir)
+    def collect
+      @dependencies = Set.new
 
       if dependency_managers.empty?
-        raise LicenseScout::Exceptions::UnsupportedProjectType.new(project_dir)
+        raise LicenseScout::Exceptions::Error.new("Failed to find any files associated with known dependency managers in the following directories:\n#{LicenseScout::Config.directories.map { |dir| "\t• #{dir}" }.join("\n")}\n")
       end
 
       dependency_managers.each { |d| collect_licenses_from(d) }
 
-      File.open(license_manifest_path, "w+") do |file|
-        file.print(FFI_Yajl::Encoder.encode(license_manifest_data, pretty: true))
-      end
-    end
-
-    def issue_report
-      Reporter.new(output_dir).report
+      LicenseScout::Log.info("[collector] All licenses successfully collected")
     end
 
     private
 
-    def reset_license_manifest
-      @license_manifest_data = {
-        license_manifest_version: 1,
-        project_name: project_name,
-        dependency_managers: {},
-      }
-    end
-
-    def license_manifest_path
-      File.join(output_dir, "#{project_name}-dependency-licenses.json")
-    end
-
-    def collect_licenses_from(dependency_manager)
-      dependency_manager.dependencies.each do |dep|
-        license_manifest_data[:dependency_managers][dep.dep_mgr_name] ||= []
-
-        license_data = {
-          name: dep.name,
-          version: dep.version,
-          license: dep.license,
-          license_files: [],
-        }
-
-        dep.license_files.each do |license_file|
-          output_license_filename = [
-            dependency_manager.name,
-            dep.name,
-            dep.version,
-            File.basename(license_file),
-          ].join("-")
-          output_license_path = File.join(output_dir, output_license_filename)
-          FileUtils.cp(license_file, output_license_path)
-
-          license_data[:license_files] << output_license_filename
-        end
-
-        license_manifest_data[:dependency_managers][dep.dep_mgr_name] << license_data
-
+    def collect_licenses_from(dep_mgr)
+      LicenseScout::Log.info("[collector] Collecting licenses for #{dep_mgr.type} dependencies found in #{dep_mgr.directory}/#{dep_mgr.signature}")
+      dep_mgr.dependencies.each do |dep|
+        @dependencies << dep
       end
+    rescue LicenseScout::Exceptions::MissingSourceDirectory => e
+      raise LicenseScout::Exceptions::Error.new("#{e.message}\n\n\tPlease try running `#{dep_mgr.install_command}` to download the dependency.\n")
     end
 
-    def all_dependency_managers
-      LicenseScout::DependencyManager.implementations.map do |implementation|
-        implementation.new(project_dir, options)
-      end
+    def dependency_managers
+      @dependency_managers ||= LicenseScout::Config.directories.map do |dir|
+        LicenseScout::DependencyManager.implementations.map do |implementation|
+          dep_mgr = implementation.new(File.expand_path(dir))
+          if dep_mgr.detected?
+            LicenseScout::Log.info("[collector] Found #{dep_mgr.signature} in #{dir}")
+            dep_mgr
+          else
+            nil
+          end
+        end
+      end.flatten.compact
     end
   end
 end

data/lib/license_scout/config.rb

@@ -0,0 +1,94 @@
+#
+# Copyright:: Copyright 2018, Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "mixlib/config"
+require "tmpdir"
+
+require "license_scout/exceptions"
+require "license_scout/log"
+require "license_scout/license"
+
+module LicenseScout
+  module Config
+    extend Mixlib::Config
+
+    # Inputs
+    default :directories, [File.expand_path(Dir.pwd)]
+    default :name, File.basename(directories.first)
+    default :config_files, [File.join(File.expand_path(Dir.pwd), ".license_scout.yml")]
+
+    # Output
+    default :log_level, :info
+    default :output_directory, Dir.pwd
+    default :only_show_failures, false
+
+    # Compliance Specifications
+    default :allowed_licenses, []
+    default :flagged_licenses, []
+
+    config_context :exceptions do
+      default :chef_cookbook, []
+      default :elixir, []
+      default :erlang, []
+      default :golang, []
+      default :habitat, []
+      default :nodejs, []
+      default :perl, []
+      default :ruby, []
+    end
+
+    config_context :fallbacks do
+      default :chef_cookbook, []
+      default :elixir, []
+      default :erlang, []
+      default :golang, []
+      default :habitat, []
+      default :nodejs, []
+      default :perl, []
+      default :ruby, []
+    end
+
+    # Runtime Parameters
+    default :environment, {}
+    default :ruby_bin, "ruby"
+    default :escript_bin, "escript"
+    default :cpanm_root, "#{ENV["HOME"]}/.cpanm"
+
+    #
+    # Helpers
+    #
+
+    class << self
+
+      def validate!
+        if !allowed_licenses.empty? && !flagged_licenses.empty?
+          raise LicenseScout::Exceptions::ConfigError.new("You may specify a list of licenses to allow or flag. You may not specify both.")
+        end
+
+        if (allowed_licenses.empty? && flagged_licenses.empty?) && dependency_exceptions?
+          LicenseScout::Log.warn("You have specified one or more dependency exceptions, but no allowed or flagged licenses. License Scout will ignore the depdendency exceptions.")
+        end
+
+        directories.each do |dir|
+          unless File.directory?(File.expand_path(dir))
+            raise LicenseScout::Exceptions::ConfigError.new("The '#{dir}' directory could not be found.")
+          end
+        end
+      end
+    end
+  end
+end

data/lib/license_scout/data/dependeny_manifest_v2_schema.json

@@ -0,0 +1,62 @@
+{
+  "$schema": "http://json-schema.org/draft-06/schema#",
+  "title": "LicenseScout Manifest v2",
+  "description": "A breakdown of all the dependencies (and their licenses) for a software project",
+  "type": "object",
+  "properties": {
+    "license_manifest_version": {
+      "description": "The schema version for this document",
+      "type": "integer"
+    },
+    "generated_on": {
+      "description": "The timestamp corresponding with when the manifest was generated.",
+      "type": "string"
+    },
+    "name": {
+      "description": "The name to associate with the manifest. This is useful for configurations that include multiple directories.",
+      "type": "string"
+    },
+    "dependencies": {
+      "type": "object",
+      "properties": {
+        "type": {
+          "description": "The Depedency Type",
+          "type": "string"
+        },
+        "name": {
+          "description": "The name of the dependency",
+          "type": "string"
+        },
+        "version": {
+          "description": "The version of the dependendency. Can be a traditional version, git reference, or type-specific version specification such as `$pkg_version-$pkg_release` for Habitat",
+          "type": "string"
+        },
+        "has_exception": {
+          "description": "Whether or not an exception was specified for this dependency",
+          "type": "boolean"
+        },
+        "exception_reason": {
+          "description": "The user-provided reason for the exception",
+          "type": "string"
+        },
+        "licenses": {
+          "type": "object",
+          "properties": {
+            "id": {
+              "description": "The license ID. This can either be the null (if no license was determeind), the SPDX ID, or some other license name provided by the dependency maintainer.",
+              "type": ["string", "null"]
+            },
+            "source": {
+              "description": "From when the license ID was determined",
+              "type": "string"
+            },
+            "content": {
+              "description": "The actual content of the license (if available)",
+              "type": ["string", "null"]
+            }
+          }
+        }
+      }
+    }
+  }
+}