licensed 2.14.1 → 2.15.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8e51a39bfeaf0f48ca7a05b08047b8a64236b276097a0ee7f301dc1ca4e1ad1f
-  data.tar.gz: ee8de1cdebb66fa213f25b4b4bcd38957a4746b86bed6375a057cdd372603cc7
+  metadata.gz: fdbf2bbf20f191470109be01b9ae1e284d99d1f078005c13e4a188c3f202926e
+  data.tar.gz: c32a7d0bc2488bd1f1217e3552268b96dc09c442195facf30378d0451f328145
 SHA512:
-  metadata.gz: 583a36dbc2a4e2cb6c9ae76a8976f01e61c2ec3f855d36aac3ce68f303170c7ddd2f0a5ed1e7acc5e67ae26eedd05ee05c1b884cf73a5a6836b2e81879b12078
-  data.tar.gz: ca025576af3f1a385f6517d2534a39e83ae2bc6a575933559f0457cab3afd28037ab16aef79e068958c225bdacec293b21afa3e4d2f5238bde473a3a3a924daa
+  metadata.gz: 84aec8c6f41dd9549d6e18239344b5927abdea80de9238aa493bf3af9e4b89714e321a684534aab1fe14b1e0636aad49b00356486a4eccfd05dcff2fd51a99ec
+  data.tar.gz: 23f7f2b0f681e3f53ea56ae2b2e56306ca4beb377819e8ac5318f762147835c2c7eb6b24f844c03ebdb7598f4ba536da53b3c7707a01e898baf1d76b396c4dcb

data/.github/workflows/release.yml

@@ -3,96 +3,192 @@ name: Build and publish release assets
 on:
   release:
     types: [created]
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Commit-like version of github/licensed to build package at'
+        required: true
+      release_tag:
+        description: 'Release tag to upload built packages to'
+        required: false
 
 jobs:
-  package_linux:
+  vars:
+    name: "Gather values for remainder of steps"
     runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.get_version.outputs.result }}
+      upload_url: ${{ steps.get_url.outputs.result }}
+      ref: ${{ steps.get_ref.outputs.result }}
+    steps:
+      - id: get_version
+        name: Get package version
+        uses: actions/github-script@v3
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          result-encoding: string
+          script: |
+            let version = "${{ github.event.release.tag_name }}"
+            if (!version) {
+              version = "${{ github.event.inputs.version }}"
+            }
+
+            if (!version) {
+              throw new Error("unable to find package build version")
+            }
+
+            return version
+
+      - id: get_url
+        name: Get release upload url
+        uses: actions/github-script@v3
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          result-encoding: string
+          script: |
+            let uploadUrl = "${{ github.event.release.upload_url}}"
+            const tag = "${{ github.event.inputs.release_tag }}"
+            if (!uploadUrl && tag) {
+              const { data: release } = await github.repos.getReleaseByTag({
+                ...context.repo,
+                tag
+              })
+
+              if (!release.upload_url) {
+                throw new Error("unable to find a release upload url")
+              }
+
+              uploadUrl = release.upload_url
+            }
+
+            return uploadUrl
+
+      - id: get_ref
+        name: Get checkout ref for custom build scripts
+        uses: actions/github-script@v3
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          result-encoding: string
+          script: |
+            let ref = "${{ github.event.release.tag_name }}"
+            if (!ref) {
+              ref = "${{ github.event.ref }}".replace(/refs\/[^\/]+\//, '')
+            }
+
+            if (!ref) {
+              throw new Error("unable to find a ref for action")
+            }
+
+            return ref
+
+  package_linux:
+    needs: vars
+    runs-on: ubuntu-18.04
     steps:
     - uses: actions/checkout@v2
+      with:
+        # checkout at the ref for the action, separate from the target build version
+        # this allows running build scripts independent of the target version
+        ref: ${{needs.vars.outputs.ref}}
+        fetch-depth: 0
+
     - name: Set up Ruby 2.6
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
 
     - name: Build package
       run: script/packages/linux
       env:
-        VERSION: ${{github.event.release.tag_name}}
+        VERSION: ${{needs.vars.outputs.version}}
 
     - uses: actions/upload-artifact@v2
       with:
-        name: ${{github.event.release.tag_name}}-linux
-        path: pkg/${{github.event.release.tag_name}}/licensed-${{github.event.release.tag_name}}-linux-x64.tar.gz
+        name: ${{needs.vars.outputs.version}}-linux
+        path: pkg/${{needs.vars.outputs.version}}/licensed-${{needs.vars.outputs.version}}-linux-x64.tar.gz
 
   package_mac:
+    needs: vars
     runs-on: macOS-latest
     steps:
     - uses: actions/checkout@v2
+      with:
+        # checkout at the ref for the action, separate from the target build version
+        # this allows running build scripts independent of the target version
+        ref: ${{needs.vars.outputs.ref}}
+        fetch-depth: 0
+
     - name: Set up Ruby 2.6
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
 
     - name: Build package
       run: script/packages/mac
       env:
-        VERSION: ${{github.event.release.tag_name}}
+        VERSION: ${{needs.vars.outputs.version}}
 
     - uses: actions/upload-artifact@v2
       with:
-        name: ${{github.event.release.tag_name}}-darwin
-        path: pkg/${{github.event.release.tag_name}}/licensed-${{github.event.release.tag_name}}-darwin-x64.tar.gz
+        name: ${{needs.vars.outputs.version}}-darwin
+        path: pkg/${{needs.vars.outputs.version}}/licensed-${{needs.vars.outputs.version}}-darwin-x64.tar.gz
 
   build_gem:
+    needs: vars
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
+      with:
+        # building a gem doesn't use a different ref from the version input
+        ref: ${{needs.vars.outputs.version}}
+
     - name: Set up Ruby 2.6
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
 
     - name: Build gem
-      run: gem build licensed.gemspec -o licensed-${{github.event.release.tag_name}}.gem
+      run: gem build licensed.gemspec -o licensed-${{needs.vars.outputs.version}}.gem
 
     - uses: actions/upload-artifact@v2
       with:
-        name: ${{github.event.release.tag_name}}-gem
-        path: licensed-${{github.event.release.tag_name}}.gem
+        name: ${{needs.vars.outputs.version}}-gem
+        path: licensed-${{needs.vars.outputs.version}}.gem
 
   upload_packages:
+    if: ${{ needs.vars.outputs.upload_url != '' }}
     runs-on: ubuntu-latest
-    needs: [package_linux, package_mac, build_gem]
+    needs: [vars, package_linux, package_mac, build_gem]
 
     steps:
     - name: Set up Ruby 2.6
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
 
     - name: Download linux package
       uses: actions/download-artifact@v2
       with:
-        name: ${{github.event.release.tag_name}}-linux
+        name: ${{needs.vars.outputs.version}}-linux
 
     - name: Download macOS package
       uses: actions/download-artifact@v2
       with:
-        name: ${{github.event.release.tag_name}}-darwin
+        name: ${{needs.vars.outputs.version}}-darwin
 
     - name: Download gem
       uses: actions/download-artifact@v2
       with:
-        name: ${{github.event.release.tag_name}}-gem
+        name: ${{needs.vars.outputs.version}}-gem
 
     - name: Publish linux package
       uses: actions/upload-release-asset@v1
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       with:
-        upload_url: ${{ github.event.release.upload_url }}
-        asset_path: ./licensed-${{github.event.release.tag_name}}-linux-x64.tar.gz
-        asset_name: licensed-${{github.event.release.tag_name}}-linux-x64.tar.gz
+        upload_url: ${{ needs.vars.outputs.upload_url }}
+        asset_path: ./licensed-${{needs.vars.outputs.version}}-linux-x64.tar.gz
+        asset_name: licensed-${{needs.vars.outputs.version}}-linux-x64.tar.gz
         asset_content_type: application/gzip
 
     - name: Publish mac package
@@ -100,9 +196,9 @@ jobs:
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       with:
-        upload_url: ${{ github.event.release.upload_url }}
-        asset_path: ./licensed-${{github.event.release.tag_name}}-darwin-x64.tar.gz
-        asset_name: licensed-${{github.event.release.tag_name}}-darwin-x64.tar.gz
+        upload_url: ${{ needs.vars.outputs.upload_url }}
+        asset_path: ./licensed-${{needs.vars.outputs.version}}-darwin-x64.tar.gz
+        asset_name: licensed-${{needs.vars.outputs.version}}-darwin-x64.tar.gz
         asset_content_type: application/gzip
 
     - name: Publish gem to RubyGems
@@ -114,4 +210,4 @@ jobs:
         gem push $GEM
       env:
         RUBYGEMS_API_KEY: ${{secrets.RUBYGEMS_AUTH_TOKEN}}
-        GEM: licensed-${{github.event.release.tag_name}}.gem
+        GEM: licensed-${{needs.vars.outputs.version}}.gem

data/.github/workflows/test.yml

@@ -8,15 +8,15 @@ jobs:
     steps:
     - uses: actions/checkout@v2
     - name: Setup node
-      uses: actions/setup-node@v1
+      uses: actions/setup-node@v2
       with:
         node-version: 8
     - name: Install Bower
       run: npm install -g bower
     - name: Set up Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
     - run: bundle lock
     - uses: actions/cache@v1
       with:
@@ -37,9 +37,9 @@ jobs:
     steps:
     - uses: actions/checkout@v2
     - name: Set up Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
     - name: Set up Bundler
       run: |
         yes | gem uninstall bundler --all
@@ -60,16 +60,16 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        ghc: [ '8.2.2', '8.6.5' ]
-        cabal: [ '2.2', '2.4', '3.0', 'latest' ]
+        ghc: [ '8.2', '8.6', '8.8', '8.10' ]
+        cabal: [ '2.4', '3.0', '3.2' ]
     steps:
     - uses: actions/checkout@v2
     - name: Set up Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
     - name: Setup Haskell
-      uses: actions/setup-haskell@v1
+      uses: haskell/actions/setup@v1
       with:
         ghc-version: ${{ matrix.ghc }}
         cabal-version: ${{ matrix.cabal }}
@@ -89,17 +89,17 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        php: [ '5.6', '7.1', '7.2', '7.3' ]
+        php: [ '7.3', '7.4' ]
     steps:
     - uses: actions/checkout@v2
     - name: Setup php
-      uses: nanasess/setup-php@v3.0.4
+      uses: nanasess/setup-php@v3.0.6
       with:
         php-version: ${{ matrix.php }}
     - name: Set up Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
     - run: bundle lock
     - uses: actions/cache@v1
       with:
@@ -116,11 +116,11 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        ruby: [ 2.4.x, 2.5.x, 2.6.x, 2.7.x ]
+        ruby: [ 2.5, 2.6, 2.7 ]
     steps:
     - uses: actions/checkout@v2
     - name: Set up Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
         ruby-version: ${{matrix.ruby}}
     - name: Set up Bundler
@@ -146,9 +146,9 @@ jobs:
       with:
         go-version: 1.10.x
     - name: Set up Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
     - run: bundle lock
     - uses: actions/cache@v1
       with:
@@ -173,9 +173,9 @@ jobs:
       with:
         go-version: ${{ matrix.go }}
     - name: Set up Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
     - run: bundle lock
     - uses: actions/cache@v1
       with:
@@ -193,9 +193,9 @@ jobs:
     steps:
     - uses: actions/checkout@v2
     - name: Set up Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
     - run: bundle lock
     - uses: actions/cache@v1
       with:
@@ -213,9 +213,9 @@ jobs:
     steps:
     - uses: actions/checkout@v2
     - name: Set up Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
     - run: bundle lock
     - uses: actions/cache@v1
       with:
@@ -230,18 +230,18 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        otp: [21.x, 22.x]
-        elixir: [1.8.x, 1.9.x]
+        otp: [21.x, 22.x, 23.x]
+        elixir: [ 1.10.x, 1.11.x ]
     steps:
     - uses: actions/checkout@v2
-    - uses: actions/setup-elixir@v1.0.0
+    - uses: erlef/setup-elixir@v1.6.0
       with:
         otp-version: ${{matrix.otp}}
         elixir-version: ${{matrix.elixir}}
     - name: Set up Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
     - run: bundle lock
     - uses: actions/cache@v1
       with:
@@ -258,17 +258,17 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        node_version: [ 8, 10, 12 ]
+        node_version: [ 10, 12, 14, 15 ]
     steps:
     - uses: actions/checkout@v2
     - name: Setup node
-      uses: actions/setup-node@v1
+      uses: actions/setup-node@v2
       with:
         node-version: ${{ matrix.node_version }}
     - name: Set up Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
     - run: bundle lock
     - uses: actions/cache@v1
       with:
@@ -290,9 +290,9 @@ jobs:
       with:
         dotnet-version: 3.1.202
     - name: Set up Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
     - run: bundle lock
     - uses: actions/cache@v1
       with:
@@ -318,9 +318,9 @@ jobs:
         python-version: ${{ matrix.python }}
         architecture: x64
     - name: Set up Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
     - run: bundle lock
     - uses: actions/cache@v1
       with:
@@ -345,9 +345,9 @@ jobs:
         python-version: '3.x'
         architecture: x64
     - name: Set up Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
     - run: bundle lock
     - uses: actions/cache@v1
       with:
@@ -371,7 +371,7 @@ jobs:
     steps:
     - uses: actions/checkout@v2
     - name: Setup node
-      uses: actions/setup-node@v1
+      uses: actions/setup-node@v2
       with:
         node-version: 12
     - name: Install Yarn
@@ -379,9 +379,9 @@ jobs:
       env:
         YARN_VERSION: ${{ matrix.yarn_version }}
     - name: Set up Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
     - run: bundle lock
     - uses: actions/cache@v1
       with:

data/.gitignore

@@ -17,6 +17,7 @@ test/fixtures/bower/bower_components
 
 test/fixtures/npm/node_modules
 test/fixtures/npm/package-lock.json
+test/fixtures/npm/package.json
 
 test/fixtures/go/src/*
 test/fixtures/go/pkg

data/CHANGELOG.md

@@ -6,6 +6,43 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## 2.15.1
+
+2021-03-29
+
+### Changed
+
+- The npm source will ignore dependencies that are marked as both extraneous and missing (https://github.com/github/licensed/pull/347)
+
+## 2.15.0
+2021-03-24
+
+### Added
+- Support for npm 7 (https://github.com/github/licensed/pull/341)
+
+### Fixed
+- Files in the manifest source will be found correctly for apps that are not at the repository root (https://github.com/github/licensed/pull/345)
+
+## 2.14.4
+2021-02-09
+
+### Added
+- `list` and `cache` commands optionally print output in JSON or YML formats using the `--format/-f` flag (https://github.com/github/licensed/pull/334)
+- `list` command will include detected license keys using the `--licenses/-l` flag (https://github.com/github/licensed/pull/334)
+
+## 2.14.3
+2020-12-11
+
+### Fixed
+- Auto-generating license text for a known license will no longer raise an error if the found license has no text (:tada: @Eun https://github.com/github/licensed/pull/328)
+
+## 2.14.2
+2020-11-20
+
+### Fixed
+- Yarn source correctly finds dependency paths on disk (https://github.com/github/licensed/pull/326)
+- Go source better handles finding dependencies that have been vendored (https://github.com/github/licensed/pull/323)
+
 ## 2.14.1
 2020-10-09
 
@@ -366,4 +403,4 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 Initial release :tada:
 
-[Unreleased]: https://github.com/github/licensed/compare/2.14.1...HEAD
+[Unreleased]: https://github.com/github/licensed/compare/2.15.1...HEAD

data/README.md

@@ -110,7 +110,7 @@ Dependencies will be automatically detected for all of the following sources by
 1. [Gradle](./docs/sources/gradle.md)
 1. [Manifest lists (manifests)](./docs/sources/manifests.md)
 1. [Mix](./docs/sources/mix.md)
-1. [NPM](./docs/sources/npm.md)
+1. [npm](./docs/sources/npm.md)
 1. [NuGet](./docs/sources/nuget.md)
 1. [Pip](./docs/sources/pip.md)
 1. [Pipenv](./docs/sources/pipenv.md)

data/docker/Dockerfile.build-linux

@@ -12,3 +12,4 @@ RUN gem update --system && gem update bundler
 ENV CPPFLAGS="-P"
 ENV RUBYC="/usr/local/bin/rubyc"
 ENV LANG=C.UTF-8
+ENV SSL_CERT_DIR="/etc/ssl/certs"

data/docs/sources/npm.md

@@ -1,4 +1,4 @@
-# NPM
+# npm
 
 The npm source will detect dependencies `package.json` is found at an apps `source_path`.  It uses `npm list` to enumerate dependencies and metadata.
 

data/lib/licensed/cli.rb

@@ -12,9 +12,11 @@ module Licensed
       desc: "Path to licensed configuration file"
     method_option :sources, aliases: "-s", type: :array,
       desc: "Individual source(s) to evaluate.  Must also be enabled via configuration."
+    method_option :format, aliases: "-f", enum: ["yaml", "json"],
+      desc: "Output format"
     def cache
       run Licensed::Commands::Cache.new(config: config),
-          force: options[:force], sources: options[:sources]
+          force: options[:force], sources: options[:sources], reporter: options[:format]
     end
 
     desc "status", "Check status of dependencies' cached licenses"
@@ -33,8 +35,12 @@ module Licensed
       desc: "Path to licensed configuration file"
     method_option :sources, aliases: "-s", type: :array,
       desc: "Individual source(s) to evaluate.  Must also be enabled via configuration."
+    method_option :format, aliases: "-f", enum: ["yaml", "json"],
+      desc: "Output format"
+    method_option :licenses, aliases: "-l", type: :boolean,
+      desc: "Include detected licenses in output"
     def list
-      run Licensed::Commands::List.new(config: config), sources: options[:sources]
+      run Licensed::Commands::List.new(config: config), sources: options[:sources], reporter: options[:format], licenses: options[:licenses]
     end
 
     desc "notices", "Generate a NOTICE file from cached records"

data/lib/licensed/commands/list.rb

@@ -41,6 +41,13 @@ module Licensed
       #
       # Returns true.
       def evaluate_dependency(app, source, dependency, report)
+        report["dependency"] = dependency.name
+        report["version"] = dependency.version
+
+        if options[:licenses]
+          report["license"] = dependency.license_key
+        end
+
         true
       end
     end

data/lib/licensed/dependency.rb

@@ -142,6 +142,7 @@ module Licensed
     def generated_license_contents
       return unless license
       return if license.key == "other"
+      return if license.text.nil?
 
       # strip copyright clauses and any extra newlines
       # many package managers don't provide enough information to

data/lib/licensed/reporters/list_reporter.rb

@@ -75,7 +75,9 @@ module Licensed
       def report_dependency(dependency)
         super do |report|
           result = yield report
-          shell.info "    #{dependency.name} (#{dependency.version})"
+          info = "#{dependency.name} (#{dependency.version})"
+          info = "#{info}: #{report["license"]}" if report["license"]
+          shell.info "    #{info}"
 
           result
         end

data/lib/licensed/sources/cabal.rb

@@ -222,14 +222,25 @@ module Licensed
 
       # Returns a package info structure with an error set
       def missing_package(id)
-        name, _, version = if id.index(/\s/).nil?
-          id.rpartition("-") # e.g. to match the right-most dash from ipid fused-effects-1.0.0.0
-        else
-          id.partition(/\s/) # e.g. to match the left-most space from constraint fused-effects > 1.0.0.0
-        end
-
+        name, version = package_id_name_version(id)
         { "name" => name, "version" => version, "error" => "package not found" }
       end
+
+      # Parses the name and version pieces from an id or package requirement string
+      def package_id_name_version(id)
+        name, version = id.split(" ", 2)
+        return [name, version] if version
+
+        # split by dashes, find the rightmost thing that looks like an
+        parts = id.split("-")
+        version_start_index = parts.rindex { |part| part.match?(/^[\d\.]+$/) }
+        return [id, nil] if version_start_index.nil?
+
+        [
+          parts[0...version_start_index].join("-"),
+          parts[version_start_index..-1].join("-")
+        ]
+      end
     end
   end
 end

data/lib/licensed/sources/go.rb

@@ -15,8 +15,7 @@ module Licensed
       def enumerate_dependencies
         with_configured_gopath do
           packages.map do |package|
-            import_path = non_vendored_path(package["ImportPath"], root_package["ImportPath"])
-            import_path ||= package["ImportPath"]
+            import_path = non_vendored_import_path(package)
             error = package.dig("Error", "Err") if package["Error"]
 
             Dependency.new(
@@ -81,34 +80,26 @@ module Licensed
         # return true if package self-identifies
         return true if package["Standard"]
 
-        import_path = package["ImportPath"]
+        import_path = non_vendored_import_path(package)
         return false unless import_path
 
-        # true if go standard packages includes the import path as given
-        return true if go_std_packages.include?(import_path)
-        return true if go_std_packages.include?("vendor/#{import_path}")
-        return true if go_std_packages.include?(import_path.sub("golang.org", "internal"))
-
-        # additional checks are only for vendored dependencies - return false
-        # if package isn't vendored
-        non_vendored_import_path = non_vendored_path(import_path, root_package["ImportPath"])
-        return false unless non_vendored_import_path
-
-        # return true if any of the go standard packages matches against
-        # the non-vendored import path
-        return true if go_std_packages.include?(non_vendored_import_path)
-        return true if go_std_packages.include?(non_vendored_import_path.sub("golang.org", "internal"))
-
-        # modify the import path to look like the import path `go list` returns for vendored std packages
-        vendor_path = import_path.sub("#{root_package["ImportPath"]}/", "")
-        go_std_packages.include?(vendor_path) || go_std_packages.include?(vendor_path.sub("golang.org", "golang_org"))
+        # check different variations of the import path to match against
+        # what's returned from `go list std`
+        [
+          import_path,
+          import_path.sub("golang.org", "internal"),
+          import_path.sub("golang.org", "golang_org"),
+        ].any? do |path|
+          # true if go standard packages includes the path or "vendor/<path>"
+          go_std_packages.include?(path) || go_std_packages.include?("vendor/#{path}")
+        end
       end
 
       # Returns whether the package is local to the current project
       def local_package?(package)
-        return false unless package && package["ImportPath"]
-        import_path = package["ImportPath"]
-        import_path.start_with?(root_package["ImportPath"]) && !import_path.include?("vendor/")
+        return false unless package && package["Dir"]
+        return false unless File.fnmatch?("#{config.root.to_s}*", package["Dir"])
+        vendored_path_parts(package).nil?
       end
 
       # Returns the version for a given package
@@ -155,36 +146,45 @@ module Licensed
 
         # search root choices:
         # 1. module directory if using go modules and directory is available
-        # 2. vendor folder if package is vendored
-        # 3. package root value if available
-        # 4. GOPATH if the package directory is under the gopath
-        # 5. nil
         module_dir = package.dig("Module", "Dir")
         return module_dir if module_dir
-        return package["Dir"].match("^(.*/vendor)/.*$")[1] if vendored_path?(package["Dir"], config.root)
+
+        # 2. vendor folder if package is vendored
+        parts = vendored_path_parts(package)
+        return parts[:vendor_path] if parts
+
+        # 3. package root value if available
         return package["Root"] if package["Root"]
+
+        # 4. GOPATH if the package directory is under the gopath
         return gopath if package["Dir"]&.start_with?(gopath)
+
+        # 5. nil
         nil
       end
 
-      # Returns whether a package is vendored or not based on a base path and
-      # whether the path contains a vendor component
+      # If the package is vendored, returns a Match object containing named
+      # :vendor_path and :import_path match groups based on the packages "Dir" value
+      #
+      # If the package is not vendored, returns nil
       #
-      # path - Package path to test
-      # base - The base path that the input must start with
-      def vendored_path?(path, base)
-        return false if path.nil? || base.nil?
-        path.start_with?(base.to_s) && path.include?("vendor/")
+      # package - Package to get vendored path information for
+      def vendored_path_parts(package)
+        return if package.nil? || package["Dir"].nil?
+        package["Dir"].match(/^(?<vendor_path>#{config.root}(\/.+)*\/[^\/]*vendor[^\/]*)\/(?<import_path>.+)$/i)
       end
 
-      # Returns the path parameter without the vendor component if one is found
+      # Returns the non-vendored portion of the package import path if vendored,
+      # otherwise returns the package's import path as given
       #
-      # path - Package path with vendor component
-      # base - The base path that the input must start with
-      def non_vendored_path(path, base)
-        return unless path
-        return unless vendored_path?(path, base)
-        path.split("vendor/")[1]
+      # package - Package to get the non-vendored import path for
+      def non_vendored_import_path(package)
+        return if package.nil?
+        parts = vendored_path_parts(package)
+        return parts[:import_path] if parts
+
+        # if a package isn't vendored, return the packages "ImportPath"
+        package["ImportPath"]
       end
 
       # Returns a hash of information about the package with a given import path

data/lib/licensed/sources/manifest.rb

@@ -170,7 +170,7 @@ module Licensed
       def all_files
         # remove files if they are tracked but don't exist on the file system
         @all_files ||= Set.new(Licensed::Git.files || [])
-                          .delete_if { |f| !File.exist?(f) }
+                          .delete_if { |f| !File.exist?(File.join(Licensed::Git.repository_root, f)) }
       end
 
       class Dependency < Licensed::Dependency

data/lib/licensed/sources/npm.rb

@@ -4,6 +4,25 @@ require "json"
 module Licensed
   module Sources
     class NPM < Source
+      class Dependency < ::Licensed::Dependency
+        # override license_metadata to pull homepage and summary information
+        # from a packages package.json file, if it exists
+        # this accounts for the lack of this information in npm 7's `npm list` output
+        def license_metadata
+          data = super
+          return data if !data["homepage"].to_s.empty? && !data["summary"].to_s.empty?
+
+          package_json_path = File.join(path, "package.json")
+          return data unless File.exist?(package_json_path)
+
+          package_json = JSON.parse(File.read(package_json_path))
+          data["homepage"] = package_json["homepage"]
+          data["summary"] = package_json["description"]
+
+          data
+        end
+      end
+
       def self.type
         "npm"
       end
@@ -50,6 +69,9 @@ module Licensed
         dependencies.each do |name, dependency|
           next if dependency["peerMissing"]
           next if yarn_lock_present && dependency["missing"]
+          next if dependency["extraneous"] && dependency["missing"]
+
+          dependency["name"] = name
           (result[name] ||= []) << dependency
           recursive_dependencies(dependency["dependencies"] || {}, result)
         end
@@ -59,22 +81,50 @@ module Licensed
       # Returns parsed package metadata returned from `npm list`
       def package_metadata
         return @package_metadata if defined?(@package_metadata)
+        @package_metadata = JSON.parse(package_metadata_command)
+      rescue JSON::ParserError => e
+        message = "Licensed was unable to parse the output from 'npm list'. JSON Error: #{e.message}"
+        npm_error = package_metadata_error
+        message = "#{message}. npm Error: #{npm_error}" if npm_error
+        raise Licensed::Sources::Source::Error, message
+      end
 
-        @package_metadata = begin
-          JSON.parse(package_metadata_command)
-        rescue JSON::ParserError => e
-          raise Licensed::Sources::Source::Error,
-            "Licensed was unable to parse the output from 'npm list'. Please run 'npm list --json --long' and check for errors. Error: #{e.message}"
-        end
+      # Returns an error, if one exists, from running `npm list` to get package metadata
+      def package_metadata_error
+        Licensed::Shell.execute("npm", "list", *package_metadata_args)
+        return ""
+      rescue Licensed::Shell::Error => e
+        return e.message
       end
 
       # Returns the output from running `npm list` to get package metadata
       def package_metadata_command
         args = %w(--json --long)
-        args << "--production" unless include_non_production?
+        args.concat(package_metadata_args)
+
         Licensed::Shell.execute("npm", "list", *args, allow_failure: true)
       end
 
+      # Returns an array of arguments that should be used for all `npm list`
+      # calls, regardless of how the output is formatted
+      def package_metadata_args
+        args = []
+        args << "--production" unless include_non_production?
+
+        # on npm 7+, the --all argument is necessary to evaluate the project's
+        # full dependency tree
+        args << "--all" if npm_version >= Gem::Version.new("7.0.0")
+
+        return args
+      end
+
+      # Returns the currently installed version of npm as a Gem::Version object
+      def npm_version
+        @npm_version ||= begin
+          Gem::Version.new(Licensed::Shell.execute("npm", "-v").strip)
+        end
+      end
+
       # Returns true if a yarn.lock file exists in the current directory
       def yarn_lock_present
         @yarn_lock_present ||= File.exist?(config.pwd.join("yarn.lock"))

data/lib/licensed/sources/yarn.rb

@@ -36,7 +36,7 @@ module Licensed
       def packages
         return [] if yarn_package_tree.nil?
         all_dependencies = {}
-        recursive_dependencies(config.pwd, yarn_package_tree).each do |name, results|
+        recursive_dependencies(yarn_package_tree).each do |name, results|
           results.uniq! { |package| package["version"] }
           if results.size == 1
             # if there is only one package for a name, reference it by name
@@ -55,26 +55,34 @@ module Licensed
 
       # Recursively parse dependency JSON data.  Returns a hash mapping the
       # package name to it's metadata
-      def recursive_dependencies(path, dependencies, result = {})
+      def recursive_dependencies(dependencies, result = {})
         dependencies.each do |dependency|
           # "shadow" indicate a dependency requirement only, not a
           # resolved package identifier
           next if dependency["shadow"]
           name, _, version = dependency["name"].rpartition("@")
 
-          # the dependency should be found under the parent's "node_modules" path
-          dependency_path = path.join("node_modules", name)
           (result[name] ||= []) << {
             "id" => dependency["name"],
             "name" => name,
             "version" => version,
-            "path" => dependency_path
+            "path" => dependency_paths[dependency["name"]]
           }
-          recursive_dependencies(dependency_path, dependency["children"], result)
+          recursive_dependencies(dependency["children"], result)
         end
         result
       end
 
+      # Returns a hash that maps all dependency names to their location on disk
+      # by parsing every package.json file under node_modules.
+      def dependency_paths
+        @dependency_paths ||= Dir.glob(config.pwd.join("node_modules/**/package.json")).each_with_object({}) do |file, hsh|
+          dirname = File.dirname(file)
+          json = JSON.parse(File.read(file))
+          hsh["#{json["name"]}@#{json["version"]}"] = dirname
+        end
+      end
+
       # Finds and returns the yarn package tree listing from `yarn list` output
       def yarn_package_tree
         return @yarn_package_tree if defined?(@yarn_package_tree)

data/lib/licensed/version.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 module Licensed
-  VERSION = "2.14.1".freeze
+  VERSION = "2.15.1".freeze
 
   def self.previous_major_versions
     major_version = Gem::Version.new(Licensed::VERSION).segments.first

data/script/packages/build

@@ -51,8 +51,11 @@ cd $COPY_DIR
     trap "git checkout $CURRENT_BRANCH" EXIT
   fi
 
+  # get the openssl dir to use when building based on ruby's default ssl cert dir
+  OPENSSL_DIR="$(cd "$(ruby -e 'require "net/https"; puts OpenSSL::X509::DEFAULT_CERT_DIR')/.." && pwd)"
+
   # build the licensed rubyc executable
-  "$RUBYC" --clean-tmpdir -o "$BUILD_DIR/licensed" "$COPY_DIR/exe/licensed"
+  "$RUBYC" --openssl-dir "$OPENSSL_DIR" --clean-tmpdir -o "$BUILD_DIR/licensed" "$COPY_DIR/exe/licensed"
   chmod +x $BUILD_DIR/licensed
 )
 

data/script/packages/linux

@@ -34,6 +34,9 @@ build_linux_local() {
   sudo apt-get update
   sudo apt-get install -y --no-install-recommends cmake make gcc pkg-config squashfs-tools curl bison git rsync
 
+  sudo gem update --system
+  sudo gem update bundler
+
   RUBYC="$BASE_DIR/bin/rubyc-linux"
   if [ ! -f "$RUBYC" ]; then
     mkdir -p "$(dirname "$RUBYC")"
@@ -42,6 +45,7 @@ build_linux_local() {
   fi
 
   export CPPFLAGS="-P"
+  export SSL_CERT_DIR="/etc/ssl/certs"
   export RUBYC
   "$BASE_DIR"/script/packages/build
 }

data/script/packages/mac

@@ -28,6 +28,9 @@ brew update
 brew list "squashfs" &>/dev/null || brew install "squashfs"
 brew list "pkg-config" &>/dev/null || brew install "pkg-config"
 
+gem update --system
+gem update bundler
+
 if [ ! -f "$RUBYC" ]; then
   mkdir -p "$(dirname "$RUBYC")"
   curl -L https://github.com/kontena/ruby-packer/releases/download/2.6.0-0.6.0/rubyc-2.6.0-0.6.0-osx-amd64.gz | gunzip > "$RUBYC"

data/script/source-setup/npm

@@ -10,8 +10,25 @@ fi
 BASE_PATH="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 cd $BASE_PATH/test/fixtures/npm
 
+FORCE=""
 if [ "$1" == "-f" ]; then
-  find . -not -regex "\.*" -and -not -name "package\.json" -print0 | xargs -0 rm -rf
+  FORCE=1
+fi
+
+NPM_MAJOR_VERSION="$(npm -v | cut -d'.' -f1)"
+if [ "$NPM_MAJOR_VERSION" -ge "7" ]; then
+  PACKAGE_JSON_SRC="package.json.npm7"
+else
+  PACKAGE_JSON_SRC="package.json.npm6"
+fi
+
+if [ ! -f "package.json" ] || [ "$(cat package.json | md5sum )" != "$(cat "$PACKAGE_JSON_SRC" | md5sum)" ]; then
+  FORCE=1
+  cp -f "$PACKAGE_JSON_SRC" package.json
+fi
+
+if [ -n "$FORCE" ]; then
+  find . -not -regex "\.*" -and -not -name "package\.json*" -print0 | xargs -0 rm -rf
 fi
 
 npm install

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: licensed
 version: !ruby/object:Gem::Version
-  version: 2.14.1
+  version: 2.15.1
 platform: ruby
 authors:
 - GitHub
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-10-09 00:00:00.000000000 Z
+date: 2021-03-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: licensee