licensed 2.11.0 → 2.13.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9cb9d80097e4329d3aa276faf53b72cac7fed2c2f4c09edc500bc627fb8d942b
-  data.tar.gz: f2ba113cfac5f807980f44a7d60a40dd6c946c85a351bf8161854b72d715d625
+  metadata.gz: a4477f07cae2650a7d8679a9042f73a7d14d8de019088be22d09f30e0f8af4c2
+  data.tar.gz: b4cbd8769c1f98b1a0729e5d603ff08c15d2d5c5e4e8e029cd3bce7f69f395c1
 SHA512:
-  metadata.gz: dcdc95e2d512dbf8f9e84f76409f4d94b93ae3bdf95d17fa4b668f04e996cdcda340c5e7f09dd499c509b122e92cfc90d58838f33df24d690fd4ae1b759550b0
-  data.tar.gz: bba8ba26db299965d6fc7e2d783060d827e5f45cd7f1a287414f63c39298b39dfb6739beebe46d152e6619830705a8abf822a33ce01d94335fc195596a65e6cb
+  metadata.gz: 83e7612e7a1fe2dbb77d48893c68db036630a45cdbc37f38f6630be0380231d9ac7fc0d37298d3a8a349d4bd43eb1dad64b7ec26a4b8d795806fb682091d94b7
+  data.tar.gz: 26e4fed8cede2d4de43fc511a85a82507dcc0cbcc9a66537d39a189d533a7cfbb22fdf2be5ad242ae72f4943fde6676c23b0bdcdf906beeecef813369177c158

data/.github/workflows/test.yml

@@ -116,7 +116,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        ruby: [ 2.4.x, 2.5.x, 2.6.x ]
+        ruby: [ 2.4.x, 2.5.x, 2.6.x, 2.7.x ]
     steps:
     - uses: actions/checkout@v2
     - name: Set up Ruby

data/CHANGELOG.md

@@ -6,6 +6,45 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## 2.13.0
+2020-09-23
+
+### Added
+- `status` command results can be output in YAML and JSON formats (:tada: @julianvilas https://github.com/github/licensed/pull/303)
+
+### Fixed
+- `licensed` no longer crashes when parsing invalid YAML from cached records (https://github.com/github/licensed/pull/306)
+- NPM source will no longer crash when invalid JSON is returned from npm CLI calls (https://github.com/github/licensed/pull/300)
+- Bundler source is fixed to work properly with `gems.rb` lockfiles (https://github.com/github/licensed/pull/299)
+
+## 2.12.2
+2020-07-07
+
+### Changed
+- Cleaned up ruby 2.7 warnings (:tada: @jurre https://github.com/github/licensed/pull/292)
+- Cleaned up additional warnings in tests (https://github.com/github/licensed/pull/293)
+
+## 2.12.1
+2020-06-30
+
+### Fixed
+- `licensed` no longer exits an error code when using the `--sources` CLI argument (https://github.com/github/licensed/pull/290)
+
+## 2.12.0
+2020-06-19
+
+### Added
+- `--sources` argument for cache, list, status and notices commands to filter running sources (https://github.com/github/licensed/pull/287)
+
+### Fixed
+- `cache` command will not remove files outside of enabled source cache paths (https://github.com/github/licensed/pull/287)
+
+## 2.11.1
+2020-06-09
+
+### Fixed
+- `notices` command properly reads cached dependency notices contents (https://github.com/github/licensed/pull/283)
+
 ## 2.11.0
 2020-06-02
 
@@ -312,4 +351,4 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 Initial release :tada:
 
-[Unreleased]: https://github.com/github/licensed/compare/2.11.0...HEAD
+[Unreleased]: https://github.com/github/licensed/compare/2.13.0...HEAD

data/docs/commands.md

@@ -6,10 +6,14 @@ Run `licensed -h` to see help content for running licensed commands.
 
 Running the list command finds the dependencies for all sources in all configured applications.  No additional actions are taken on each dependency.
 
+An optional `--sources` flag can be given to limit which dependency sources are run.  This is a filter over sources that are enabled via the licensed configuration file and cannot be used to run licensed with a disabled source.
+
 ## `cache`
 
 The cache command finds all dependencies and ensures that each dependency has an up-to-date cached record.
 
+An optional `--sources` flag can be given to limit which dependency sources are run.  This is a filter over sources that are enabled via the licensed configuration file and cannot be used to run licensed with a disabled source.
+
 Dependency records will be saved if:
 1. The `force` option is set
 2. No cached record is found
@@ -22,6 +26,8 @@ After the cache command is run, any cached records that don't match up to a curr
 
 The status command finds all dependencies and checks whether each dependency has a valid cached record.
 
+An optional `--sources` flag can be given to limit which dependency sources are run.  This is a filter over sources that are enabled via the licensed configuration file and cannot be used to run licensed with a disabled source.
+
 A dependency will fail the status checks if:
 1. No cached record is found
 2. The cached record's version is different than the current dependency's version
@@ -35,6 +41,8 @@ A dependency will fail the status checks if:
 
 Outputs license and notice text for all dependencies in each app into a `NOTICE` file in the app's `cache_path`.  If an app uses a shared cache path, the file name will contain the app name as well, e.g. `NOTICE.my_app`.
 
+An optional `--sources` flag can be given to limit which dependency sources are run.  This is a filter over sources that are enabled via the licensed configuration file and cannot be used to run licensed with a disabled source.
+
 The `NOTICE` file contents are retrieved from cached records, with the assumption that cached records have already been reviewed in a compliance workflow.
 
 ## `env`

data/lib/licensed/cli.rb

@@ -10,29 +10,40 @@ module Licensed
       desc: "Overwrite licenses even if version has not changed."
     method_option :config, aliases: "-c", type: :string,
       desc: "Path to licensed configuration file"
+    method_option :sources, aliases: "-s", type: :array,
+      desc: "Individual source(s) to evaluate.  Must also be enabled via configuration."
     def cache
-      run Licensed::Commands::Cache.new(config: config), force: options[:force]
+      run Licensed::Commands::Cache.new(config: config),
+          force: options[:force], sources: options[:sources]
     end
 
     desc "status", "Check status of dependencies' cached licenses"
+    method_option :format, enum: ["yaml", "json"],
+      desc: "Output format"
     method_option :config, aliases: "-c", type: :string,
       desc: "Path to licensed configuration file"
+    method_option :sources, aliases: "-s", type: :array,
+      desc: "Individual source(s) to evaluate.  Must also be enabled via configuration."
     def status
-      run Licensed::Commands::Status.new(config: config)
+      run Licensed::Commands::Status.new(config: config), sources: options[:sources], reporter: options[:format]
     end
 
     desc "list", "List dependencies"
     method_option :config, aliases: "-c", type: :string,
       desc: "Path to licensed configuration file"
+    method_option :sources, aliases: "-s", type: :array,
+      desc: "Individual source(s) to evaluate.  Must also be enabled via configuration."
     def list
-      run Licensed::Commands::List.new(config: config)
+      run Licensed::Commands::List.new(config: config), sources: options[:sources]
     end
 
     desc "notices", "Generate a NOTICE file from cached records"
     method_option :config, aliases: "-c", type: :string,
       desc: "Path to licensed configuration file"
+    method_option :sources, aliases: "-s", type: :array,
+      desc: "Individual source(s) to evaluate.  Must also be enabled via configuration."
     def notices
-      run Licensed::Commands::Notices.new(config: config)
+      run Licensed::Commands::Notices.new(config: config), sources: options[:sources]
     end
 
     map "-v" => :version
@@ -48,7 +59,7 @@ module Licensed
     method_option :config, aliases: "-c", type: :string,
       desc: "Path to licensed configuration file"
     def env
-      run Licensed::Commands::Environment.new(config: config), format: options[:format]
+      run Licensed::Commands::Environment.new(config: config), reporter: options[:format]
     end
 
     desc "migrate", "Migrate from a previous version of licensed"
@@ -87,7 +98,7 @@ module Licensed
     end
 
     def run(command, **args)
-      exit command.run(args)
+      exit command.run(**args)
     end
   end
 end

data/lib/licensed/commands/cache.rb

@@ -2,12 +2,12 @@
 module Licensed
   module Commands
     class Cache < Command
-      # Create a reporter to use during a command run
+      # Returns the default reporter to use during the command run
       #
       # options - The options the command was run with
       #
-      # Raises a Licensed::Reporters::CacheReporter
-      def create_reporter(options)
+      # Returns a Licensed::Reporters::CacheReporter
+      def default_reporter(options)
         Licensed::Reporters::CacheReporter.new
       end
 
@@ -32,19 +32,26 @@ module Licensed
 
       protected
 
-      # Run the command for all enabled sources for an application configuration,
+      # Run the command for all enumerated dependencies found in a dependency source,
       # recording results in a report.
+      # Enumerating dependencies in the source is skipped if a :sources option
+      # is provided and the evaluated `source.class.type` is not in the :sources values
       #
-      # app - An application configuration
+      # app - The application configuration for the source
+      # source - A dependency source enumerator
       #
-      # Returns whether the command succeeded for the application.
-      def run_app(app)
-        result = super
-
-        # add the full cache path to the list of cache paths evaluted during this run
-        cache_paths << app.cache_path
+      # Returns whether the command succeeded for the dependency source enumerator
+      def run_source(app, source)
+        super do |report|
+          if Array(options[:sources]).any? && !options[:sources].include?(source.class.type)
+            report.warnings << "skipped source"
+            next :skip
+          end
 
-        result
+          # add the full cache path to the list of cache paths
+          # that should be cleaned up after the command run
+          cache_paths << app.cache_path.join(source.class.type)
+        end
       end
 
       # Cache dependency record data.

data/lib/licensed/commands/command.rb

@@ -21,7 +21,9 @@ module Licensed
         begin
           result = reporter.report_run(self) do |report|
             # allow additional report data to be given by commands
-            yield report if block_given?
+            if block_given?
+              next true if (yield report) == :skip
+            end
 
             config.apps.sort_by { |app| app["name"] }
                        .map { |app| run_app(app) }
@@ -35,13 +37,29 @@ module Licensed
         result
       end
 
-      # Create a reporter to use during a command run
+      # Creates a reporter to use during a command run
       #
       # options - The options the command was run with
       #
-      # Raises an error
+      # Returns the reporter to use during the command run
       def create_reporter(options)
-        raise "`create_reporter` must be implemented by commands"
+        return options[:reporter] if options[:reporter].is_a?(Licensed::Reporters::Reporter)
+
+        if options[:reporter].is_a?(String)
+          klass = "#{options[:reporter].capitalize}Reporter"
+          return Licensed::Reporters.const_get(klass).new if Licensed::Reporters.const_defined?(klass)
+        end
+
+        default_reporter(options)
+      end
+
+      # Returns the default reporter to use during the command run
+      #
+      # options - The options the command was run with
+      #
+      # Raises an error
+      def default_reporter(options)
+        raise "`default_reporter` must be implemented by commands"
       end
 
       protected
@@ -57,7 +75,9 @@ module Licensed
           Dir.chdir app.source_path do
             begin
               # allow additional report data to be given by commands
-              yield report if block_given?
+              if block_given?
+                next true if (yield report) == :skip
+              end
 
               app.sources.select(&:enabled?)
                          .sort_by { |source| source.class.type }
@@ -81,7 +101,9 @@ module Licensed
         reporter.report_source(source) do |report|
           begin
             # allow additional report data to be given by commands
-            yield report if block_given?
+            if block_given?
+              next true if (yield report) == :skip
+            end
 
             source.dependencies.sort_by { |dependency| dependency.name }
                                .map { |dependency| run_dependency(app, source, dependency) }
@@ -114,10 +136,12 @@ module Licensed
 
           begin
             # allow additional report data to be given by commands
-            yield report if block_given?
+            if block_given?
+              next true if (yield report) == :skip
+            end
 
             evaluate_dependency(app, source, dependency, report)
-          rescue Licensed::Shell::Error => err
+          rescue Licensed::DependencyRecord::Error, Licensed::Shell::Error => err
             report.errors << err.message
             false
           end

data/lib/licensed/commands/environment.rb

@@ -35,13 +35,13 @@ module Licensed
         end
       end
 
-      def create_reporter(options)
-        case options[:format]
-        when "json"
-          Licensed::Reporters::JsonReporter.new
-        else
-          Licensed::Reporters::YamlReporter.new
-        end
+      # Returns the default reporter to use during the command run
+      #
+      # options - The options the command was run with
+      #
+      # Returns a Licensed::Reporters::StatusReporter
+      def default_reporter(options)
+        Licensed::Reporters::YamlReporter.new
       end
 
       protected

data/lib/licensed/commands/list.rb

@@ -2,17 +2,36 @@
 module Licensed
   module Commands
     class List < Command
-      # Create a reporter to use during a command run
+      # Returns the default reporter to use during the command run
       #
       # options - The options the command was run with
       #
       # Returns a Licensed::Reporters::ListReporter
-      def create_reporter(options)
+      def default_reporter(options)
         Licensed::Reporters::ListReporter.new
       end
 
       protected
 
+      # Run the command for all enumerated dependencies found in a dependency source,
+      # recording results in a report.
+      # Enumerating dependencies in the source is skipped if a :sources option
+      # is provided and the evaluated `source.class.type` is not in the :sources values
+      #
+      # app - The application configuration for the source
+      # source - A dependency source enumerator
+      #
+      # Returns whether the command succeeded for the dependency source enumerator
+      def run_source(app, source)
+        super do |report|
+          next if Array(options[:sources]).empty?
+          next if options[:sources].include?(source.class.type)
+
+          report.warnings << "skipped source"
+          :skip
+        end
+      end
+
       # Listing dependencies requires no extra work.
       #
       # app - The application configuration for the dependency

data/lib/licensed/commands/notices.rb

@@ -2,17 +2,36 @@
 module Licensed
   module Commands
     class Notices < Command
-      # Create a reporter to use during a command run
+      # Returns the default reporter to use during the command run
       #
       # options - The options the command was run with
       #
-      # Raises a Licensed::Reporters::CacheReporter
-      def create_reporter(options)
+      # Returns a Licensed::Reporters::CacheReporter
+      def default_reporter(options)
         Licensed::Reporters::NoticesReporter.new
       end
 
       protected
 
+      # Run the command for all enumerated dependencies found in a dependency source,
+      # recording results in a report.
+      # Enumerating dependencies in the source is skipped if a :sources option
+      # is provided and the evaluated `source.class.type` is not in the :sources values
+      #
+      # app - The application configuration for the source
+      # source - A dependency source enumerator
+      #
+      # Returns whether the command succeeded for the dependency source enumerator
+      def run_source(app, source)
+        super do |report|
+          next if Array(options[:sources]).empty?
+          next if options[:sources].include?(source.class.type)
+
+          report.warnings << "skipped source"
+          :skip
+        end
+      end
+
       # Load stored dependency record data to add to the notices report.
       #
       # app - The application configuration for the dependency
@@ -25,7 +44,7 @@ module Licensed
         filename = app.cache_path.join(source.class.type, "#{dependency.name}.#{DependencyRecord::EXTENSION}")
         report["cached_record"] = Licensed::DependencyRecord.read(filename)
         if !report["cached_record"]
-          report["warning"] = "expected cached record not found at #{filename}"
+          report.warnings << "expected cached record not found at #{filename}"
         end
 
         true

data/lib/licensed/commands/status.rb

@@ -4,17 +4,36 @@ require "yaml"
 module Licensed
   module Commands
     class Status < Command
-      # Create a reporter to use during a command run
+      # Returns the default reporter to use during the command run
       #
       # options - The options the command was run with
       #
       # Returns a Licensed::Reporters::StatusReporter
-      def create_reporter(options)
+      def default_reporter(options)
         Licensed::Reporters::StatusReporter.new
       end
 
       protected
 
+      # Run the command for all enumerated dependencies found in a dependency source,
+      # recording results in a report.
+      # Enumerating dependencies in the source is skipped if a :sources option
+      # is provided and the evaluated `source.class.type` is not in the :sources values
+      #
+      # app - The application configuration for the source
+      # source - A dependency source enumerator
+      #
+      # Returns whether the command succeeded for the dependency source enumerator
+      def run_source(app, source)
+        super do |report|
+          next if Array(options[:sources]).empty?
+          next if options[:sources].include?(source.class.type)
+
+          report.warnings << "skipped source"
+          :skip
+        end
+      end
+
       # Verifies that a cached record exists, is up to date and
       # has license data that complies with the licensed configuration.
       #

data/lib/licensed/dependency_record.rb

@@ -5,6 +5,8 @@ require "licensee"
 
 module Licensed
   class DependencyRecord
+    class Error < StandardError; end
+
     class License
       attr_reader :text, :sources
       def initialize(content)
@@ -46,6 +48,8 @@ module Licensed
         notices: data.delete("notices"),
         metadata: data
       )
+    rescue Psych::SyntaxError => e
+      raise Licensed::DependencyRecord::Error.new(e.message)
     end
 
     def_delegators :@metadata, :[], :[]=

data/lib/licensed/reporters/list_reporter.rb

@@ -28,6 +28,22 @@ module Licensed
           shell.info "  #{source.class.type}"
           result = yield report
 
+          warning_reports = report.all_reports.select { |r| r.warnings.any? }.to_a
+          if warning_reports.any?
+            shell.newline
+            shell.warn "  * Warnings:"
+            warning_reports.each do |r|
+              display_metadata = r.map { |k, v| "#{k}: #{v}" }.join(", ")
+
+              shell.warn "    * #{r.name}"
+              shell.warn "    #{display_metadata}" unless display_metadata.empty?
+              r.warnings.each do |warning|
+                shell.warn "      - #{warning}"
+              end
+              shell.newline
+            end
+          end
+
           errored_reports = report.all_reports.select { |r| r.errors.any? }.to_a
           if errored_reports.any?
             shell.newline

data/lib/licensed/reporters/notices_reporter.rb

@@ -33,6 +33,26 @@ module Licensed
         end
       end
 
+
+      # Reports on a dependency source enumerator in a notices command run.
+      # Shows warnings encountered during the run.
+      #
+      # source - A dependency source enumerator
+      #
+      # Returns the result of the yielded method
+      # Note - must be called from inside the `report_run` scope
+      def report_source(source)
+        super do |report|
+          result = yield report
+
+          report.warnings.each do |warning|
+            shell.warn "* #{report.name}: #{warning}"
+          end
+
+          result
+        end
+      end
+
       # Reports on a dependency in a notices command run.
       #
       # dependency - An application dependency
@@ -42,7 +62,9 @@ module Licensed
       def report_dependency(dependency)
         super do |report|
           result = yield report
-          shell.warn "* #{report["warning"]}" if report["warning"]
+          report.warnings.each do |warning|
+            shell.warn "* #{report.name}: #{warning}"
+          end
           result
         end
       end
@@ -55,7 +77,16 @@ module Licensed
         return unless cached_record
 
         texts = cached_record.licenses.map(&:text)
-        texts.concat(cached_record.notices)
+        cached_record.notices.each do |notice|
+          case notice
+          when Hash
+            texts << notice["text"]
+          when String
+            texts << notice
+          else
+            shell.warn "* unable to parse notices for #{report.target.name}"
+          end
+        end
 
         <<~NOTICE
           #{cached_record["name"]}@#{cached_record["version"]}

data/lib/licensed/reporters/status_reporter.rb

@@ -15,6 +15,23 @@ module Licensed
           result = yield report
 
           all_reports = report.all_reports
+
+          warning_reports = all_reports.select { |r| r.warnings.any? }.to_a
+          if warning_reports.any?
+            shell.newline
+            shell.warn "Warnings:"
+            warning_reports.each do |r|
+              display_metadata = r.map { |k, v| "#{k}: #{v}" }.join(", ")
+
+              shell.warn "* #{r.name}"
+              shell.warn "  #{display_metadata}" unless display_metadata.empty?
+              r.warnings.each do |warning|
+                shell.warn "    - #{warning}"
+              end
+              shell.newline
+            end
+          end
+
           errored_reports = all_reports.select { |r| r.errors.any? }.to_a
 
           dependency_count = all_reports.select { |r| r.target.is_a?(Licensed::Dependency) }.size

data/lib/licensed/sources/bundler.rb

@@ -74,7 +74,7 @@ module Licensed
         end
       end
 
-      GEMFILES = %w{Gemfile gems.rb}.freeze
+      GEMFILES = { "Gemfile" => "Gemfile.lock", "gems.rb" => "gems.locked" }
       DEFAULT_WITHOUT_GROUPS = %i{development test}
 
       def enabled?
@@ -272,14 +272,15 @@ module Licensed
 
       # Returns the path to the Bundler Gemfile
       def gemfile_path
-        @gemfile_path ||= GEMFILES.map { |g| config.pwd.join g }
+        @gemfile_path ||= GEMFILES.keys
+                                  .map { |g| config.pwd.join g }
                                   .find { |f| f.exist? }
       end
 
       # Returns the path to the Bundler Gemfile.lock
       def lockfile_path
         return unless gemfile_path
-        @lockfile_path ||= gemfile_path.dirname.join("#{gemfile_path.basename}.lock")
+        @lockfile_path ||= gemfile_path.dirname.join(GEMFILES[gemfile_path.basename.to_s])
       end
 
       # Returns the configured bundler executable to use, or "bundle" by default.

data/lib/licensed/sources/npm.rb

@@ -30,7 +30,7 @@ module Licensed
       end
 
       def packages
-        root_dependencies = JSON.parse(package_metadata_command)["dependencies"]
+        root_dependencies = package_metadata["dependencies"]
         recursive_dependencies(root_dependencies).each_with_object({}) do |(name, results), hsh|
           results.uniq! { |package| package["version"] }
           if results.size == 1
@@ -56,6 +56,18 @@ module Licensed
         result
       end
 
+      # Returns parsed package metadata returned from `npm list`
+      def package_metadata
+        return @package_metadata if defined?(@package_metadata)
+
+        @package_metadata = begin
+          JSON.parse(package_metadata_command)
+        rescue JSON::ParserError => e
+          raise Licensed::Sources::Source::Error,
+            "Licensed was unable to parse the output from 'npm list'. Please run 'npm list --json --long' and check for errors. Error: #{e.message}"
+        end
+      end
+
       # Returns the output from running `npm list` to get package metadata
       def package_metadata_command
         args = %w(--json --long)

data/lib/licensed/version.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 module Licensed
-  VERSION = "2.11.0".freeze
+  VERSION = "2.13.0".freeze
 
   def self.previous_major_versions
     major_version = Gem::Version.new(Licensed::VERSION).segments.first

data/licensed.gemspec

@@ -38,5 +38,4 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "rubocop", "~> 0.49", "< 0.67"
   spec.add_development_dependency "rubocop-github", "~> 0.6"
   spec.add_development_dependency "byebug", "~> 10.0.0"
-  spec.add_development_dependency "spy",  "~> 1.0.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: licensed
 version: !ruby/object:Gem::Version
-  version: 2.11.0
+  version: 2.13.0
 platform: ruby
 authors:
 - GitHub
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-06-02 00:00:00.000000000 Z
+date: 2020-09-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: licensee
@@ -218,20 +218,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 10.0.0
-- !ruby/object:Gem::Dependency
-  name: spy
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.0.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.0.0
 description: Licensed automates extracting and validating the licenses of dependencies.
 email:
 - opensource+licensed@github.com