licensed 2.12.2 → 2.14.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 42da8bbc3e526abe154311e85c5dcb1ffaeba7a631e3b6eab6dbb976a94d9c4d
-  data.tar.gz: b0884fb5ae8a8c332c8ea8684075a57e3efe86c6026656279eb2ffe0ae50105a
+  metadata.gz: 33331f661a6431bafe0966bfc183f734c9775412a23a9d952b0c232482254899
+  data.tar.gz: d6fc25e79d8ca274eb3ca1dbf22bc187fa6a0ac1547b08777aafde2fd71612dd
 SHA512:
-  metadata.gz: e5d14b32dffb12a412090348429a116f9732bb6413bc35fb677dbf248e8af415ca531d7980bafeaa5a81ed2f083e798821cd21be7fd8eed1037a6659f24d4693
-  data.tar.gz: 411785733af02c33cc0b239980558f79389b8bfdc144bf862530fde111dc3ad0c8fd64040b9fdecba022ae93158287b0f45e26a10719567dda3022024a60728b
+  metadata.gz: 7572045fdc55e4c53fd5230baed547ff4d20aa7b5bcea226f7f57035eacdf335e2ec364e3df9ad9bce6222fe46fc134066979c6cbc8a42b283070bd0a6695f74
+  data.tar.gz: cc6ed29bffe75f17dd0c25d449afa83f3122caf442bcad6582cbc07a93c28389e5c4543ea9dea5e67f94797a24e223658cf7e4671f165f0502e385424a8402c2

data/.github/workflows/release.yml

@@ -1,18 +1,12 @@
-name: Create release
+name: Build and publish release assets
 
-on: create
+on:
+  release:
+    types: [created]
 
 jobs:
-  tag_filter:
-    runs-on: ubuntu-latest
-    if: startsWith(github.ref, 'refs/tags/')
-    steps:
-      - run: exit 0
-
   package_linux:
     runs-on: ubuntu-latest
-    needs: tag_filter
-
     steps:
     - uses: actions/checkout@v2
     - name: Set up Ruby 2.6
@@ -23,17 +17,15 @@ jobs:
     - name: Build package
       run: script/packages/linux
       env:
-        VERSION: ${{github.event.ref}}
+        VERSION: ${{github.event.release.tag_name}}
 
     - uses: actions/upload-artifact@v2
       with:
-        name: ${{github.event.ref}}-linux
-        path: pkg/${{github.event.ref}}/licensed-${{github.event.ref}}-linux-x64.tar.gz
+        name: ${{github.event.release.tag_name}}-linux
+        path: pkg/${{github.event.release.tag_name}}/licensed-${{github.event.release.tag_name}}-linux-x64.tar.gz
 
   package_mac:
     runs-on: macOS-latest
-    needs: tag_filter
-
     steps:
     - uses: actions/checkout@v2
     - name: Set up Ruby 2.6
@@ -44,17 +36,15 @@ jobs:
     - name: Build package
       run: script/packages/mac
       env:
-        VERSION: ${{github.event.ref}}
+        VERSION: ${{github.event.release.tag_name}}
 
     - uses: actions/upload-artifact@v2
       with:
-        name: ${{github.event.ref}}-darwin
-        path: pkg/${{github.event.ref}}/licensed-${{github.event.ref}}-darwin-x64.tar.gz
+        name: ${{github.event.release.tag_name}}-darwin
+        path: pkg/${{github.event.release.tag_name}}/licensed-${{github.event.release.tag_name}}-darwin-x64.tar.gz
 
   build_gem:
     runs-on: ubuntu-latest
-    needs: tag_filter
-
     steps:
     - uses: actions/checkout@v2
     - name: Set up Ruby 2.6
@@ -63,25 +53,16 @@ jobs:
         ruby-version: 2.6.x
 
     - name: Build gem
-      run: gem build *.gemspec
+      run: gem build licensed.gemspec -o licensed-${{github.event.release.tag_name}}.gem
 
     - uses: actions/upload-artifact@v2
       with:
-        name: ${{github.event.ref}}-gem
-        path: licensed-${{github.event.ref}}.gem
-
-  create_release:
-    runs-on: ubuntu-latest
-    needs: [package_linux, package_mac, build_gem]
-    steps:
-    - uses: Roang-zero1/github-create-release-action@v1.0.2
-      env:
-        GITHUB_TOKEN: ${{ secrets.API_AUTH_TOKEN }}
-        VERSION_REGEX: "^[[:digit:]]+\\.[[:digit:]]+\\.[[:digit:]]+"
+        name: ${{github.event.release.tag_name}}-gem
+        path: licensed-${{github.event.release.tag_name}}.gem
 
   upload_packages:
     runs-on: ubuntu-latest
-    needs: [create_release]
+    needs: [package_linux, package_mac, build_gem]
 
     steps:
     - name: Set up Ruby 2.6
@@ -92,32 +73,45 @@ jobs:
     - name: Download linux package
       uses: actions/download-artifact@v2
       with:
-        name: ${{github.event.ref}}-linux
+        name: ${{github.event.release.tag_name}}-linux
 
     - name: Download macOS package
       uses: actions/download-artifact@v2
       with:
-        name: ${{github.event.ref}}-darwin
+        name: ${{github.event.release.tag_name}}-darwin
 
     - name: Download gem
       uses: actions/download-artifact@v2
       with:
-        name: ${{github.event.ref}}-gem
+        name: ${{github.event.release.tag_name}}-gem
 
-    - name: Publish packages to GitHub Release
-      uses: Roang-zero1/github-upload-release-artifacts-action@v2.0.0
+    - name: Publish linux package
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       with:
-        args: licensed-${{github.event.ref}}-linux-x64.tar.gz licensed-${{github.event.ref}}-darwin-x64.tar.gz
+        upload_url: ${{ github.event.release.upload_url }}
+        asset_path: ./licensed-${{github.event.release.tag_name}}-linux-x64.tar.gz
+        asset_name: licensed-${{github.event.release.tag_name}}-linux-x64.tar.gz
+        asset_content_type: application/gzip
+
+    - name: Publish mac package
+      uses: actions/upload-release-asset@v1
       env:
-        GITHUB_TOKEN: ${{secrets.API_AUTH_TOKEN}}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ github.event.release.upload_url }}
+        asset_path: ./licensed-${{github.event.release.tag_name}}-darwin-x64.tar.gz
+        asset_name: licensed-${{github.event.release.tag_name}}-darwin-x64.tar.gz
+        asset_content_type: application/gzip
 
     - name: Publish gem to RubyGems
       run: |
         mkdir -p $HOME/.gem
         touch $HOME/.gem/credentials
         chmod 0600 $HOME/.gem/credentials
-        printf -- "---\n:rubygems_api_key: ${GEM_HOST_API_KEY}\n" > $HOME/.gem/credentials
+        printf -- "---\n:rubygems_api_key: ${RUBYGEMS_API_KEY}\n" > $HOME/.gem/credentials
         gem push $GEM
       env:
-        GEM_HOST_API_KEY: ${{secrets.RUBYGEMS_AUTH_TOKEN}}
-        GEM: licensed-${{github.event.ref}}.gem
+        RUBYGEMS_API_KEY: ${{secrets.RUBYGEMS_AUTH_TOKEN}}
+        GEM: licensed-${{github.event.release.tag_name}}.gem

data/.github/workflows/test.yml

@@ -116,7 +116,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        ruby: [ 2.4.x, 2.5.x, 2.6.x ]
+        ruby: [ 2.4.x, 2.5.x, 2.6.x, 2.7.x ]
     steps:
     - uses: actions/checkout@v2
     - name: Set up Ruby
@@ -165,7 +165,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go: [ '1.7.x', '1.10.x', '1.11.x', '1.12.x', '1.13.x', '1.14.x' ]
+        go: [ '1.10.x', '1.11.x', '1.12.x', '1.13.x', '1.14.x', '1.15.x' ]
     steps:
     - uses: actions/checkout@v2
     - name: Setup go

data/CHANGELOG.md

@@ -6,6 +6,45 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## 2.14.3
+2020-12-11
+
+## Fixed
+- Auto-generating license text for a known license will no longer raise an error if the found license has no text (:tada: @Eun https://github.com/github/licensed/pull/328)
+
+## 2.14.2
+2020-11-20
+
+## Fixed
+- Yarn source correctly finds dependency paths on disk (https://github.com/github/licensed/pull/326)
+- Go source better handles finding dependencies that have been vendored (https://github.com/github/licensed/pull/323)
+
+## 2.14.1
+2020-10-09
+
+### Fixed
+- Shell command output is encoded to UTF8 (https://github.com/github/licensed/pull/319)
+
+## 2.14.0
+2020-10-04
+
+### Added
+- `reviewed` dependencies can use glob pattern matching (https://github.com/github/licensed/pull/313)
+
+### Fixed
+- Fix configuring source path globs that expand into a single directory (https://github.com/github/licensed/pull/312)
+
+## 2.13.0
+2020-09-23
+
+### Added
+- `status` command results can be output in YAML and JSON formats (:tada: @julianvilas https://github.com/github/licensed/pull/303)
+
+### Fixed
+- `licensed` no longer crashes when parsing invalid YAML from cached records (https://github.com/github/licensed/pull/306)
+- NPM source will no longer crash when invalid JSON is returned from npm CLI calls (https://github.com/github/licensed/pull/300)
+- Bundler source is fixed to work properly with `gems.rb` lockfiles (https://github.com/github/licensed/pull/299)
+
 ## 2.12.2
 2020-07-07
 
@@ -17,7 +56,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 2020-06-30
 
 ### Fixed
-- `licensed` no longer exits an error code when using the `--sources` CLI argument(https://github.com/github/licensed/pull/290)
+- `licensed` no longer exits an error code when using the `--sources` CLI argument (https://github.com/github/licensed/pull/290)
 
 ## 2.12.0
 2020-06-19
@@ -340,4 +379,4 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 Initial release :tada:
 
-[Unreleased]: https://github.com/github/licensed/compare/2.12.2...HEAD
+[Unreleased]: https://github.com/github/licensed/compare/2.14.3...HEAD

data/CONTRIBUTING.md

@@ -39,7 +39,7 @@ Pull requests that include a new dependency source must also
 ## Releasing
 If you are the current maintainer of this gem:
 
-1. Create a branch for the release: git checkout -b cut-release-vxx.xx.xx
+1. Create a branch for the release: git checkout -b cut-release-xx.xx.xx
 2. Make sure your local dependencies are up to date: `script/bootstrap`
 3. Ensure that tests are green: `bundle exec rake test`
 4. Bump gem version in lib/licensed/version.rb.
@@ -51,15 +51,16 @@ If you are the current maintainer of this gem:
    2. Install the new gem locally
    3. Test behavior locally, branch deploy, whatever needs to happen
 9. Merge github/licensed PR
-10. Tag and push: `git tag x.xx.xx; git push --tags`
+10. Create a new [github/licensed release](https://github.com/github/licensed/releases)
+   - Set the release name and tag to the release version - `x.xx.x`
+   - Set the release body to the changelog entries for the release
 
 The following steps will happen automatically from a GitHub Actions workflow
-after pushing a new tag. In case that fails, the following steps can be performed manually
+after creating the release. In case that fails, the following steps can be performed manually
 
-11. Push to rubygems.org -- `gem push licensed-x.xx.xx.gem`
+11. Push the gem from (7) to rubygems.org -- `gem push licensed-x.xx.xx.gem`
 12. Build packages for new tag: `VERSION=x.xx.xx bundle exec rake package`
-13. Create release for new tag at github/licensed.
-14. Add built packages to new release
+13. Upload packages from (12) to release from (10)
 
 ## Resources
 

data/docs/configuration.md

@@ -23,7 +23,7 @@ If a root path is not specified, it will default to using the following, in orde
 
 The `source_path` property can use a glob path to share configuration properties across multiple application entrypoints.
 
-For example, there is a common pattern in go projects to include multiple executable entrypoints under folders in `cmd`.  Using a glob pattern allows users to avoid manually configuring and maintaining multiple licensed application `source_path`s.  Using a glob pattern will also ensure that any new entrypoints matching the pattern are automatically picked up by licensed commands as they are added.
+For example, there is a common pattern in Go projects to include multiple executable entrypoints under folders in `cmd`.  Using a glob pattern allows users to avoid manually configuring and maintaining multiple licensed application `source_path`s.  Using a glob pattern will also ensure that any new entrypoints matching the pattern are automatically picked up by licensed commands as they are added.
 
 ```yml
 sources:
@@ -118,12 +118,6 @@ ignored:
   bower:
     - some-internal-package
 
-  go:
-    # ignore all go packages from import paths starting with github.com/internal-package
-    # see the `File.fnmatch?` documentation for details on how patterns are matched.
-    # comparisons use the FNM_CASEFOLD and FNM_PATHNAME flags
-    - github.com/internal-package/**/*
-
 # These dependencies have licenses not on the `allowed` list and have been reviewed.
 # They will be cached and checked, but will not raise errors or warnings for a
 # non-allowed license.  Dependencies on this list will still raise errors if

data/docs/sources/go.md

@@ -24,6 +24,26 @@ The setting supports absolute, relative and expandable (e.g. "~") paths.  Relati
 
 Non-empty `GOPATH` configuration settings will override the `GOPATH` environment variable while enumerating `go` dependencies.  The `GOPATH` environment variable is restored once dependencies have been enumerated.
 
+#### Reviewing and ignoring all packages from a Go module
+
+Go's package and module structure has common conventions that documentation and metadata for all packages in a module live in the module root.  In this scenario all packages share the same LICENSE information and can be reviewed or ignored at the module level rather than per-package using glob patterns.
+
+```yaml
+reviewed:
+  go:
+    # review all Go packages from import paths starting with github.com/external-package
+    # see the `File.fnmatch?` documentation for details on how patterns are matched.
+    # comparisons use the FNM_CASEFOLD and FNM_PATHNAME flags
+    - github.com/external-package/**/*
+
+ignored:
+  go:
+    # ignore all Go packages from import paths starting with github.com/internal-package
+    # see the `File.fnmatch?` documentation for details on how patterns are matched.
+    # comparisons use the FNM_CASEFOLD and FNM_PATHNAME flags
+    - github.com/internal-package/**/*
+```
+
 #### Versioning
 
 The go source supports multiple versioning strategies to determine if cached dependency metadata is stale.  A version strategy is chosen based on the availability of go module information along with the current app configuration.

data/lib/licensed/cli.rb

@@ -18,12 +18,14 @@ module Licensed
     end
 
     desc "status", "Check status of dependencies' cached licenses"
+    method_option :format, enum: ["yaml", "json"],
+      desc: "Output format"
     method_option :config, aliases: "-c", type: :string,
       desc: "Path to licensed configuration file"
     method_option :sources, aliases: "-s", type: :array,
       desc: "Individual source(s) to evaluate.  Must also be enabled via configuration."
     def status
-      run Licensed::Commands::Status.new(config: config), sources: options[:sources]
+      run Licensed::Commands::Status.new(config: config), sources: options[:sources], reporter: options[:format]
     end
 
     desc "list", "List dependencies"
@@ -57,7 +59,7 @@ module Licensed
     method_option :config, aliases: "-c", type: :string,
       desc: "Path to licensed configuration file"
     def env
-      run Licensed::Commands::Environment.new(config: config), format: options[:format]
+      run Licensed::Commands::Environment.new(config: config), reporter: options[:format]
     end
 
     desc "migrate", "Migrate from a previous version of licensed"

data/lib/licensed/commands/cache.rb

@@ -2,12 +2,12 @@
 module Licensed
   module Commands
     class Cache < Command
-      # Create a reporter to use during a command run
+      # Returns the default reporter to use during the command run
       #
       # options - The options the command was run with
       #
-      # Raises a Licensed::Reporters::CacheReporter
-      def create_reporter(options)
+      # Returns a Licensed::Reporters::CacheReporter
+      def default_reporter(options)
         Licensed::Reporters::CacheReporter.new
       end
 

data/lib/licensed/commands/command.rb

@@ -37,13 +37,29 @@ module Licensed
         result
       end
 
-      # Create a reporter to use during a command run
+      # Creates a reporter to use during a command run
       #
       # options - The options the command was run with
       #
-      # Raises an error
+      # Returns the reporter to use during the command run
       def create_reporter(options)
-        raise "`create_reporter` must be implemented by commands"
+        return options[:reporter] if options[:reporter].is_a?(Licensed::Reporters::Reporter)
+
+        if options[:reporter].is_a?(String)
+          klass = "#{options[:reporter].capitalize}Reporter"
+          return Licensed::Reporters.const_get(klass).new if Licensed::Reporters.const_defined?(klass)
+        end
+
+        default_reporter(options)
+      end
+
+      # Returns the default reporter to use during the command run
+      #
+      # options - The options the command was run with
+      #
+      # Raises an error
+      def default_reporter(options)
+        raise "`default_reporter` must be implemented by commands"
       end
 
       protected
@@ -56,6 +72,12 @@ module Licensed
       # Returns whether the command succeeded for the application.
       def run_app(app)
         reporter.report_app(app) do |report|
+          # ensure the app source path exists before evaluation
+          if !Dir.exist?(app.source_path)
+            report.errors << "No such directory #{app.source_path}"
+            next false
+          end
+
           Dir.chdir app.source_path do
             begin
               # allow additional report data to be given by commands
@@ -125,7 +147,7 @@ module Licensed
             end
 
             evaluate_dependency(app, source, dependency, report)
-          rescue Licensed::Shell::Error => err
+          rescue Licensed::DependencyRecord::Error, Licensed::Shell::Error => err
             report.errors << err.message
             false
           end

data/lib/licensed/commands/environment.rb

@@ -35,13 +35,13 @@ module Licensed
         end
       end
 
-      def create_reporter(options)
-        case options[:format]
-        when "json"
-          Licensed::Reporters::JsonReporter.new
-        else
-          Licensed::Reporters::YamlReporter.new
-        end
+      # Returns the default reporter to use during the command run
+      #
+      # options - The options the command was run with
+      #
+      # Returns a Licensed::Reporters::StatusReporter
+      def default_reporter(options)
+        Licensed::Reporters::YamlReporter.new
       end
 
       protected

data/lib/licensed/commands/list.rb

@@ -2,12 +2,12 @@
 module Licensed
   module Commands
     class List < Command
-      # Create a reporter to use during a command run
+      # Returns the default reporter to use during the command run
       #
       # options - The options the command was run with
       #
       # Returns a Licensed::Reporters::ListReporter
-      def create_reporter(options)
+      def default_reporter(options)
         Licensed::Reporters::ListReporter.new
       end
 

data/lib/licensed/commands/notices.rb

@@ -2,12 +2,12 @@
 module Licensed
   module Commands
     class Notices < Command
-      # Create a reporter to use during a command run
+      # Returns the default reporter to use during the command run
       #
       # options - The options the command was run with
       #
-      # Raises a Licensed::Reporters::CacheReporter
-      def create_reporter(options)
+      # Returns a Licensed::Reporters::CacheReporter
+      def default_reporter(options)
         Licensed::Reporters::NoticesReporter.new
       end
 

data/lib/licensed/commands/status.rb

@@ -4,12 +4,12 @@ require "yaml"
 module Licensed
   module Commands
     class Status < Command
-      # Create a reporter to use during a command run
+      # Returns the default reporter to use during the command run
       #
       # options - The options the command was run with
       #
       # Returns a Licensed::Reporters::StatusReporter
-      def create_reporter(options)
+      def default_reporter(options)
         Licensed::Reporters::StatusReporter.new
       end
 

data/lib/licensed/configuration.rb

@@ -69,7 +69,9 @@ module Licensed
 
     # Is the given dependency reviewed?
     def reviewed?(dependency)
-      Array(self["reviewed"][dependency["type"]]).include?(dependency["name"])
+      Array(self["reviewed"][dependency["type"]]).any? do |pattern|
+        File.fnmatch?(pattern, dependency["name"], File::FNM_PATHNAME | File::FNM_CASEFOLD)
+      end
     end
 
     # Is the given dependency ignored?
@@ -158,19 +160,22 @@ module Licensed
     def self.expand_app_source_path(app_config)
       return app_config if app_config["source_path"].to_s.empty?
 
+      # check if the source path maps to an existing directory
       source_path = File.expand_path(app_config["source_path"], AppConfiguration.root_for(app_config))
+      return app_config if Dir.exist?(source_path)
+
+      # try to expand the source path for glob patterns
       expanded_source_paths = Dir.glob(source_path).select { |p| File.directory?(p) }
-      # return the original configuration if glob didn't result in multiple paths
-      return app_config if expanded_source_paths.size <= 1
+      configs = expanded_source_paths.map { |path| app_config.merge("source_path" => path) }
 
-      # map the expanded paths to new application configurations
-      expanded_source_paths.map do |path|
-        config = app_config.merge("source_path" => path)
+      # if no directories are found for the source path, return the original config
+      return app_config if configs.size == 0
 
-        # update configured values for name and cache_path for uniqueness.
-        # this is only needed when values are explicitly set, AppConfiguration
-        # will handle configurations that don't have these explicitly set
-        dir_name = File.basename(path)
+      # update configured values for name and cache_path for uniqueness.
+      # this is only needed when values are explicitly set, AppConfiguration
+      # will handle configurations that don't have these explicitly set
+      configs.each do |config|
+        dir_name = File.basename(config["source_path"])
         config["name"] = "#{config["name"]}-#{dir_name}" if config["name"]
 
         # if a cache_path is set and is not marked as shared, append the app name
@@ -178,9 +183,9 @@ module Licensed
         if config["cache_path"] && config["shared_cache"] != true
           config["cache_path"] = File.join(config["cache_path"], dir_name)
         end
-
-        config
       end
+
+      configs
     end
 
     # Find a default configuration file in the given directory.

data/lib/licensed/dependency.rb

@@ -142,6 +142,7 @@ module Licensed
     def generated_license_contents
       return unless license
       return if license.key == "other"
+      return if license.text.nil?
 
       # strip copyright clauses and any extra newlines
       # many package managers don't provide enough information to

data/lib/licensed/dependency_record.rb

@@ -5,6 +5,8 @@ require "licensee"
 
 module Licensed
   class DependencyRecord
+    class Error < StandardError; end
+
     class License
       attr_reader :text, :sources
       def initialize(content)
@@ -46,6 +48,8 @@ module Licensed
         notices: data.delete("notices"),
         metadata: data
       )
+    rescue Psych::SyntaxError => e
+      raise Licensed::DependencyRecord::Error.new(e.message)
     end
 
     def_delegators :@metadata, :[], :[]=

data/lib/licensed/shell.rb

@@ -9,11 +9,12 @@ module Licensed
     def self.execute(cmd, *args, allow_failure: false, env: {})
       stdout, stderr, status = Open3.capture3(env, cmd, *args)
 
-      if status.success? || allow_failure
-        stdout.strip
-      else
-        raise Error.new([cmd, *args], status.exitstatus, stderr)
+      if !status.success? && !allow_failure
+        raise Error.new([cmd, *args], status.exitstatus, encode_content(stderr))
       end
+
+      # ensure that returned data is properly encoded
+      encode_content(stdout.strip)
     end
 
     # Executes a command and returns a boolean value indicating if the command
@@ -55,5 +56,21 @@ module Licensed
         end.join(" ")
       end
     end
+
+    private
+
+    ENCODING = Encoding::UTF_8
+    ENCODING_OPTIONS = {
+      invalid: :replace,
+      undef:   :replace,
+      replace: "",
+      univeral_newline: true
+    }.freeze
+
+    # Ensure that content that is returned from shell commands is in a usable
+    # encoding for the rest of the application
+    def self.encode_content(content)
+      content.encode(ENCODING, **ENCODING_OPTIONS)
+    end
   end
 end

data/lib/licensed/sources/bundler.rb

@@ -74,7 +74,7 @@ module Licensed
         end
       end
 
-      GEMFILES = %w{Gemfile gems.rb}.freeze
+      GEMFILES = { "Gemfile" => "Gemfile.lock", "gems.rb" => "gems.locked" }
       DEFAULT_WITHOUT_GROUPS = %i{development test}
 
       def enabled?
@@ -272,14 +272,15 @@ module Licensed
 
       # Returns the path to the Bundler Gemfile
       def gemfile_path
-        @gemfile_path ||= GEMFILES.map { |g| config.pwd.join g }
+        @gemfile_path ||= GEMFILES.keys
+                                  .map { |g| config.pwd.join g }
                                   .find { |f| f.exist? }
       end
 
       # Returns the path to the Bundler Gemfile.lock
       def lockfile_path
         return unless gemfile_path
-        @lockfile_path ||= gemfile_path.dirname.join("#{gemfile_path.basename}.lock")
+        @lockfile_path ||= gemfile_path.dirname.join(GEMFILES[gemfile_path.basename.to_s])
       end
 
       # Returns the configured bundler executable to use, or "bundle" by default.

data/lib/licensed/sources/go.rb

@@ -15,8 +15,7 @@ module Licensed
       def enumerate_dependencies
         with_configured_gopath do
           packages.map do |package|
-            import_path = non_vendored_path(package["ImportPath"], root_package["ImportPath"])
-            import_path ||= package["ImportPath"]
+            import_path = non_vendored_import_path(package)
             error = package.dig("Error", "Err") if package["Error"]
 
             Dependency.new(
@@ -81,34 +80,26 @@ module Licensed
         # return true if package self-identifies
         return true if package["Standard"]
 
-        import_path = package["ImportPath"]
+        import_path = non_vendored_import_path(package)
         return false unless import_path
 
-        # true if go standard packages includes the import path as given
-        return true if go_std_packages.include?(import_path)
-        return true if go_std_packages.include?("vendor/#{import_path}")
-        return true if go_std_packages.include?(import_path.sub("golang.org", "internal"))
-
-        # additional checks are only for vendored dependencies - return false
-        # if package isn't vendored
-        non_vendored_import_path = non_vendored_path(import_path, root_package["ImportPath"])
-        return false unless non_vendored_import_path
-
-        # return true if any of the go standard packages matches against
-        # the non-vendored import path
-        return true if go_std_packages.include?(non_vendored_import_path)
-        return true if go_std_packages.include?(non_vendored_import_path.sub("golang.org", "internal"))
-
-        # modify the import path to look like the import path `go list` returns for vendored std packages
-        vendor_path = import_path.sub("#{root_package["ImportPath"]}/", "")
-        go_std_packages.include?(vendor_path) || go_std_packages.include?(vendor_path.sub("golang.org", "golang_org"))
+        # check different variations of the import path to match against
+        # what's returned from `go list std`
+        [
+          import_path,
+          import_path.sub("golang.org", "internal"),
+          import_path.sub("golang.org", "golang_org"),
+        ].any? do |path|
+          # true if go standard packages includes the path or "vendor/<path>"
+          go_std_packages.include?(path) || go_std_packages.include?("vendor/#{path}")
+        end
       end
 
       # Returns whether the package is local to the current project
       def local_package?(package)
-        return false unless package && package["ImportPath"]
-        import_path = package["ImportPath"]
-        import_path.start_with?(root_package["ImportPath"]) && !import_path.include?("vendor/")
+        return false unless package && package["Dir"]
+        return false unless File.fnmatch?("#{config.root.to_s}*", package["Dir"])
+        vendored_path_parts(package).nil?
       end
 
       # Returns the version for a given package
@@ -155,36 +146,45 @@ module Licensed
 
         # search root choices:
         # 1. module directory if using go modules and directory is available
-        # 2. vendor folder if package is vendored
-        # 3. package root value if available
-        # 4. GOPATH if the package directory is under the gopath
-        # 5. nil
         module_dir = package.dig("Module", "Dir")
         return module_dir if module_dir
-        return package["Dir"].match("^(.*/vendor)/.*$")[1] if vendored_path?(package["Dir"], config.root)
+
+        # 2. vendor folder if package is vendored
+        parts = vendored_path_parts(package)
+        return parts[:vendor_path] if parts
+
+        # 3. package root value if available
         return package["Root"] if package["Root"]
+
+        # 4. GOPATH if the package directory is under the gopath
         return gopath if package["Dir"]&.start_with?(gopath)
+
+        # 5. nil
         nil
       end
 
-      # Returns whether a package is vendored or not based on a base path and
-      # whether the path contains a vendor component
+      # If the package is vendored, returns a Match object containing named
+      # :vendor_path and :import_path match groups based on the packages "Dir" value
+      #
+      # If the package is not vendored, returns nil
       #
-      # path - Package path to test
-      # base - The base path that the input must start with
-      def vendored_path?(path, base)
-        return false if path.nil? || base.nil?
-        path.start_with?(base.to_s) && path.include?("vendor/")
+      # package - Package to get vendored path information for
+      def vendored_path_parts(package)
+        return if package.nil? || package["Dir"].nil?
+        package["Dir"].match(/^(?<vendor_path>#{config.root}(\/.+)*\/[^\/]*vendor[^\/]*)\/(?<import_path>.+)$/i)
       end
 
-      # Returns the path parameter without the vendor component if one is found
+      # Returns the non-vendored portion of the package import path if vendored,
+      # otherwise returns the package's import path as given
       #
-      # path - Package path with vendor component
-      # base - The base path that the input must start with
-      def non_vendored_path(path, base)
-        return unless path
-        return unless vendored_path?(path, base)
-        path.split("vendor/")[1]
+      # package - Package to get the non-vendored import path for
+      def non_vendored_import_path(package)
+        return if package.nil?
+        parts = vendored_path_parts(package)
+        return parts[:import_path] if parts
+
+        # if a package isn't vendored, return the packages "ImportPath"
+        package["ImportPath"]
       end
 
       # Returns a hash of information about the package with a given import path

data/lib/licensed/sources/npm.rb

@@ -30,7 +30,7 @@ module Licensed
       end
 
       def packages
-        root_dependencies = JSON.parse(package_metadata_command)["dependencies"]
+        root_dependencies = package_metadata["dependencies"]
         recursive_dependencies(root_dependencies).each_with_object({}) do |(name, results), hsh|
           results.uniq! { |package| package["version"] }
           if results.size == 1
@@ -56,6 +56,18 @@ module Licensed
         result
       end
 
+      # Returns parsed package metadata returned from `npm list`
+      def package_metadata
+        return @package_metadata if defined?(@package_metadata)
+
+        @package_metadata = begin
+          JSON.parse(package_metadata_command)
+        rescue JSON::ParserError => e
+          raise Licensed::Sources::Source::Error,
+            "Licensed was unable to parse the output from 'npm list'. Please run 'npm list --json --long' and check for errors. Error: #{e.message}"
+        end
+      end
+
       # Returns the output from running `npm list` to get package metadata
       def package_metadata_command
         args = %w(--json --long)

data/lib/licensed/sources/yarn.rb

@@ -36,7 +36,7 @@ module Licensed
       def packages
         return [] if yarn_package_tree.nil?
         all_dependencies = {}
-        recursive_dependencies(config.pwd, yarn_package_tree).each do |name, results|
+        recursive_dependencies(yarn_package_tree).each do |name, results|
           results.uniq! { |package| package["version"] }
           if results.size == 1
             # if there is only one package for a name, reference it by name
@@ -55,26 +55,34 @@ module Licensed
 
       # Recursively parse dependency JSON data.  Returns a hash mapping the
       # package name to it's metadata
-      def recursive_dependencies(path, dependencies, result = {})
+      def recursive_dependencies(dependencies, result = {})
         dependencies.each do |dependency|
           # "shadow" indicate a dependency requirement only, not a
           # resolved package identifier
           next if dependency["shadow"]
           name, _, version = dependency["name"].rpartition("@")
 
-          # the dependency should be found under the parent's "node_modules" path
-          dependency_path = path.join("node_modules", name)
           (result[name] ||= []) << {
             "id" => dependency["name"],
             "name" => name,
             "version" => version,
-            "path" => dependency_path
+            "path" => dependency_paths[dependency["name"]]
           }
-          recursive_dependencies(dependency_path, dependency["children"], result)
+          recursive_dependencies(dependency["children"], result)
         end
         result
       end
 
+      # Returns a hash that maps all dependency names to their location on disk
+      # by parsing every package.json file under node_modules.
+      def dependency_paths
+        @dependency_paths ||= Dir.glob(config.pwd.join("node_modules/**/package.json")).each_with_object({}) do |file, hsh|
+          dirname = File.dirname(file)
+          json = JSON.parse(File.read(file))
+          hsh["#{json["name"]}@#{json["version"]}"] = dirname
+        end
+      end
+
       # Finds and returns the yarn package tree listing from `yarn list` output
       def yarn_package_tree
         return @yarn_package_tree if defined?(@yarn_package_tree)

data/lib/licensed/version.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 module Licensed
-  VERSION = "2.12.2".freeze
+  VERSION = "2.14.3".freeze
 
   def self.previous_major_versions
     major_version = Gem::Version.new(Licensed::VERSION).segments.first

data/licensed.gemspec

@@ -38,5 +38,4 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "rubocop", "~> 0.49", "< 0.67"
   spec.add_development_dependency "rubocop-github", "~> 0.6"
   spec.add_development_dependency "byebug", "~> 10.0.0"
-  spec.add_development_dependency "spy",  "~> 1.0.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: licensed
 version: !ruby/object:Gem::Version
-  version: 2.12.2
+  version: 2.14.3
 platform: ruby
 authors:
 - GitHub
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-07-07 00:00:00.000000000 Z
+date: 2020-12-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: licensee
@@ -218,20 +218,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 10.0.0
-- !ruby/object:Gem::Dependency
-  name: spy
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.0.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.0.0
 description: Licensed automates extracting and validating the licenses of dependencies.
 email:
 - opensource+licensed@github.com