licensed 2.14.4 → 3.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1042edfc8e49ab1430a73001612f260fb20f80931139649f8b8ae6f044d74463
-  data.tar.gz: 386c548165ed4c4ed1b5b78131635552c11ec03f6a09e8f75e328d1446b129a7
+  metadata.gz: f8e24e2f900732197c5d4b91212a7477dd7ab68a61892e0ea56ae1a99f4c29e6
+  data.tar.gz: 19c679898ccab8f60d219d739c18a14b849cdd87ad04608b24dcf1ea67613f82
 SHA512:
-  metadata.gz: c163d4d2bbffe0756b4aecfa353a99d8d3be92ea7fe5b536d00dc79b1581132b31bf69fd0947a85de095ec2d5604da547d175507a199427b1e74da25e8b63a03
-  data.tar.gz: 719df2438ad31e8e525f15ae2b9948f1fc3a0a83b5e72f2e109b10d498f65734d6ab49af99fb92486e31d4314a635a0a2d5bdca793bd51412804b76d9b48042a
+  metadata.gz: 171905b06dca655364341c888c5e8845e6dff8d163ffb009f28de624e4d14d399c7add250d80ebb7391b4c94316c8a3c9bbae7bdfb7b219996a8415f463b7a5c
+  data.tar.gz: 054fc3dd7ccb7e3a92b6585e757b85efd0880b1b9c3fa93855ba50ba79d0c7727d707a76d30f588a94b9f7bb1dd0d6bc6f3959e40bf96685f5dda5ea1a7d127f

data/.github/workflows/release.yml

@@ -83,7 +83,7 @@ jobs:
 
   package_linux:
     needs: vars
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-18.04
     steps:
     - uses: actions/checkout@v2
       with:
@@ -93,9 +93,9 @@ jobs:
         fetch-depth: 0
 
     - name: Set up Ruby 2.6
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
 
     - name: Build package
       run: script/packages/linux
@@ -119,9 +119,9 @@ jobs:
         fetch-depth: 0
 
     - name: Set up Ruby 2.6
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
 
     - name: Build package
       run: script/packages/mac
@@ -143,9 +143,9 @@ jobs:
         ref: ${{needs.vars.outputs.version}}
 
     - name: Set up Ruby 2.6
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
 
     - name: Build gem
       run: gem build licensed.gemspec -o licensed-${{needs.vars.outputs.version}}.gem
@@ -162,9 +162,9 @@ jobs:
 
     steps:
     - name: Set up Ruby 2.6
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
 
     - name: Download linux package
       uses: actions/download-artifact@v2

data/.github/workflows/test.yml

@@ -8,15 +8,15 @@ jobs:
     steps:
     - uses: actions/checkout@v2
     - name: Setup node
-      uses: actions/setup-node@v1
+      uses: actions/setup-node@v2
       with:
         node-version: 8
     - name: Install Bower
       run: npm install -g bower
     - name: Set up Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
     - run: bundle lock
     - uses: actions/cache@v1
       with:
@@ -37,9 +37,9 @@ jobs:
     steps:
     - uses: actions/checkout@v2
     - name: Set up Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
     - name: Set up Bundler
       run: |
         yes | gem uninstall bundler --all
@@ -60,16 +60,16 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        ghc: [ '8.2.2', '8.6.5' ]
-        cabal: [ '2.2', '2.4', '3.0', 'latest' ]
+        ghc: [ '8.2', '8.6', '8.8', '8.10' ]
+        cabal: [ '2.4', '3.0', '3.2' ]
     steps:
     - uses: actions/checkout@v2
     - name: Set up Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
     - name: Setup Haskell
-      uses: actions/setup-haskell@v1
+      uses: haskell/actions/setup@v1
       with:
         ghc-version: ${{ matrix.ghc }}
         cabal-version: ${{ matrix.cabal }}
@@ -89,17 +89,17 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        php: [ '5.6', '7.1', '7.2', '7.3' ]
+        php: [ '7.3', '7.4' ]
     steps:
     - uses: actions/checkout@v2
     - name: Setup php
-      uses: nanasess/setup-php@v3.0.4
+      uses: nanasess/setup-php@v3.0.6
       with:
         php-version: ${{ matrix.php }}
     - name: Set up Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
     - run: bundle lock
     - uses: actions/cache@v1
       with:
@@ -116,11 +116,11 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        ruby: [ 2.4.x, 2.5.x, 2.6.x, 2.7.x ]
+        ruby: [ 2.5, 2.6, 2.7 ]
     steps:
     - uses: actions/checkout@v2
     - name: Set up Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
         ruby-version: ${{matrix.ruby}}
     - name: Set up Bundler
@@ -146,9 +146,9 @@ jobs:
       with:
         go-version: 1.10.x
     - name: Set up Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
     - run: bundle lock
     - uses: actions/cache@v1
       with:
@@ -173,9 +173,9 @@ jobs:
       with:
         go-version: ${{ matrix.go }}
     - name: Set up Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
     - run: bundle lock
     - uses: actions/cache@v1
       with:
@@ -193,9 +193,9 @@ jobs:
     steps:
     - uses: actions/checkout@v2
     - name: Set up Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
     - run: bundle lock
     - uses: actions/cache@v1
       with:
@@ -213,9 +213,9 @@ jobs:
     steps:
     - uses: actions/checkout@v2
     - name: Set up Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
     - run: bundle lock
     - uses: actions/cache@v1
       with:
@@ -230,18 +230,18 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        otp: [21.x, 22.x]
-        elixir: [1.8.x, 1.9.x]
+        otp: [21.x, 22.x, 23.x]
+        elixir: [ 1.10.x, 1.11.x ]
     steps:
     - uses: actions/checkout@v2
-    - uses: actions/setup-elixir@v1.0.0
+    - uses: erlef/setup-elixir@v1.6.0
       with:
         otp-version: ${{matrix.otp}}
         elixir-version: ${{matrix.elixir}}
     - name: Set up Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
     - run: bundle lock
     - uses: actions/cache@v1
       with:
@@ -258,17 +258,17 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        node_version: [ 8, 10, 12 ]
+        node_version: [ 10, 12, 14, 15 ]
     steps:
     - uses: actions/checkout@v2
     - name: Setup node
-      uses: actions/setup-node@v1
+      uses: actions/setup-node@v2
       with:
         node-version: ${{ matrix.node_version }}
     - name: Set up Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
     - run: bundle lock
     - uses: actions/cache@v1
       with:
@@ -290,9 +290,9 @@ jobs:
       with:
         dotnet-version: 3.1.202
     - name: Set up Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
     - run: bundle lock
     - uses: actions/cache@v1
       with:
@@ -318,9 +318,9 @@ jobs:
         python-version: ${{ matrix.python }}
         architecture: x64
     - name: Set up Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
     - run: bundle lock
     - uses: actions/cache@v1
       with:
@@ -345,9 +345,9 @@ jobs:
         python-version: '3.x'
         architecture: x64
     - name: Set up Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
     - run: bundle lock
     - uses: actions/cache@v1
       with:
@@ -371,7 +371,7 @@ jobs:
     steps:
     - uses: actions/checkout@v2
     - name: Setup node
-      uses: actions/setup-node@v1
+      uses: actions/setup-node@v2
       with:
         node-version: 12
     - name: Install Yarn
@@ -379,9 +379,9 @@ jobs:
       env:
         YARN_VERSION: ${{ matrix.yarn_version }}
     - name: Set up Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.6
     - run: bundle lock
     - uses: actions/cache@v1
       with:

data/.gitignore

@@ -17,6 +17,7 @@ test/fixtures/bower/bower_components
 
 test/fixtures/npm/node_modules
 test/fixtures/npm/package-lock.json
+test/fixtures/npm/package.json
 
 test/fixtures/go/src/*
 test/fixtures/go/pkg

data/CHANGELOG.md

@@ -6,23 +6,66 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## 3.0.1
+
+2021-05-17
+
+### Fixed
+
+- The bundler source will correctly enumerate dependencies pulled with a `git:` directive (https://github.com/github/licensed/pull/360)
+
+## 3.0.0
+
+2021-04-27
+
+**This is a major release and includes potentially breaking changes to bundler dependency enumeration.**
+
+### Changed
+
+- The bundler source will return an error when run from an executable.  Please install licensed as a gem to continue using the bundler source.  Please see the [v3 migration document](./docs/migrations/v3.md) for full details and migration strategies.
+
+## 2.15.2
+
+2021-04-06
+
+### Fixed
+
+- The pip source works with package names containing periods (:tada: @bcskda https://github.com/github/licensed/pull/350)
+
+## 2.15.1
+
+2021-03-29
+
+### Changed
+
+- The npm source will ignore dependencies that are marked as both extraneous and missing (https://github.com/github/licensed/pull/347)
+
+## 2.15.0
+2021-03-24
+
+### Added
+- Support for npm 7 (https://github.com/github/licensed/pull/341)
+
+### Fixed
+- Files in the manifest source will be found correctly for apps that are not at the repository root (https://github.com/github/licensed/pull/345)
+
 ## 2.14.4
 2021-02-09
 
-## Added
+### Added
 - `list` and `cache` commands optionally print output in JSON or YML formats using the `--format/-f` flag (https://github.com/github/licensed/pull/334)
 - `list` command will include detected license keys using the `--licenses/-l` flag (https://github.com/github/licensed/pull/334)
 
 ## 2.14.3
 2020-12-11
 
-## Fixed
+### Fixed
 - Auto-generating license text for a known license will no longer raise an error if the found license has no text (:tada: @Eun https://github.com/github/licensed/pull/328)
 
 ## 2.14.2
 2020-11-20
 
-## Fixed
+### Fixed
 - Yarn source correctly finds dependency paths on disk (https://github.com/github/licensed/pull/326)
 - Go source better handles finding dependencies that have been vendored (https://github.com/github/licensed/pull/323)
 
@@ -386,4 +429,4 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 Initial release :tada:
 
-[Unreleased]: https://github.com/github/licensed/compare/2.14.4...HEAD
+[Unreleased]: https://github.com/github/licensed/compare/3.0.1...HEAD

data/README.md

@@ -12,12 +12,24 @@ Licensed is **not** a complete open source license compliance solution. Please u
 
 Licensed is in active development and currently used at GitHub.  See the [open issues](https://github.com/github/licensed/issues) for a list of potential work.
 
+## Licensed v3
+
+Licensed v3 includes a breaking change if both of the following are true:
+
+1. a project uses bundler to manage ruby dependencies
+2. a project uses the self-contained executable build of licensed
+
+All other usages of licensed should not encounter any major changes migrating from the latest 2.x build to 3.0.  
+
+See [CHANGELOG.md](./CHANGELOG.md) for more details on what's changed.
+See the [v3 migration documentation](./docs/migrations/v3.md) for more info on migrating to v3.
+
 ## Licensed v2
 
 Licensed v2 includes many internal changes intended to make licensed more extensible and easier to update in the future.  While not too much has changed externally, v2 is incompatible with configuration files and cached records from previous versions.  Fortunately, migrating is easy using the `licensed migrate` command.
 
 See [CHANGELOG.md](./CHANGELOG.md) for more details on what's changed.
-See the [migration documentation](./docs/migrating_to_newer_versions.md) for more info on migrating to v2, or run `licensed help migrate`.
+See the [v2 migration documentation](./docs/migrations/v2.md) for more info on migrating to v2, or run `licensed help migrate`.
 
 ## Installation
 
@@ -82,7 +94,6 @@ The [bundler-licensed plugin](https://github.com/sergey-alekseev/bundler-license
 The [licensed-ci](https://github.com/marketplace/actions/licensed-ci) GitHub Action runs `licensed` as part of an opinionated CI workflow and can be configured to run on any GitHub Action event.  See the linked actions for usage and details.
 
 The [setup-licensed](https://github.com/marketplace/actions/setup-github-licensed) GitHub Action installs `licensed` to the workflow environment.  See the linked actions for usage and details.
-   - This action is intended for projects that don't have a ruby installation setup.  If your workflow has ruby setup please install `licensed` via `Gemfile` + `bundle install` or with `gem install`.
 
 ### Configuration
 
@@ -110,7 +121,7 @@ Dependencies will be automatically detected for all of the following sources by
 1. [Gradle](./docs/sources/gradle.md)
 1. [Manifest lists (manifests)](./docs/sources/manifests.md)
 1. [Mix](./docs/sources/mix.md)
-1. [NPM](./docs/sources/npm.md)
+1. [npm](./docs/sources/npm.md)
 1. [NuGet](./docs/sources/nuget.md)
 1. [Pip](./docs/sources/pip.md)
 1. [Pipenv](./docs/sources/pipenv.md)

data/docs/{migrating_to_newer_versions.md → migrations/v2.md}

@@ -1,3 +1,3 @@
-# Migrating your licensed configuration and cached records to the latest version of licensed
+# Migrating your licensed configuration and cached records to licensed v2
 
 Licensed v2+ ships with an additional executable, `licensed-migrator`, that can be used to update your licensed files to the format expected by the currently installed version.  To run, execute `licensed migrate --from v1 -c <path to licensed configuration file>`, replacing `v1` with the major version of licensed to migrate from.

data/docs/migrations/v3.md

@@ -0,0 +1,109 @@
+# Breaking changes to bundler dependency enumeration in v3
+
+**NOTE** If you are migrating from a version earlier than v2, please first [migrate to v2](./v2.md) before continuing.
+
+Licensed v3 includes a breaking change to bundler dependency enumeration when using the executable form of licensed.  Bundler dependency enumeration will no longer work with the licensed executable as of 3.0.0.
+
+**If your project does not use bundler, or if you already install the licensed gem, you are not affected by this breaking change.**
+
+## Migrating bundler enumeration for v3
+
+When using licensed v3 with bundler dependencies, licensed must be installed from its [gem](https://rubygems.org/gems/licensed).  This can be accomplished with `gem install`, or by adding licensed to a bundler gem file.
+
+### Usage in a GitHub Actions workflow
+
+Using licensed to enumerate bundler dependencies in a GitHub Actions workflow will require ruby to be available in the actions VM environment.  Ruby can be setup in an actions workflow using [ruby/setup-ruby](https://github.com/ruby/setup-ruby)(preferred) or [actions/setup-ruby](https://github.com/actions/setup-ruby)(deprecated).
+
+If you are using licensed in a GitHub Actions workflow, [jonabc/setup-licensed](https://github.com/jonabc/setup-licensed) has been updated according to this breaking change.  `setup-licensed` will install the licensed gem when ruby is available, or the licensed executable when ruby is not available.  Alternatively, you can `gem install` licensed directly as an actions step.
+
+This is an example workflow definition that runs [jonabc/licensed-ci](https://github.com/jonabc/licensed-ci)'s opinionated license compliance workflow in CI.  It includes jobs that demonstrate installing licensed using 
+- `gem install`
+- [jonabc/setup-licensed](https://github.com/jonabc/setup-licensed)
+- installing when included in a bundler gem file
+
+```yml
+name: Cache and verify dependency license metadata
+
+on:
+  # run when PRs are opened, reopened or updated
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+
+  # run on demand
+  workflow_dispatch:
+
+jobs:
+  # install licensed with setup-licensed
+  licensed-ci-setup-licensed:
+    runs-on: ubuntu-latest
+
+    steps:
+      # checkout the repo
+      - uses: actions/checkout@v1
+      
+      # install ruby
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.0"
+
+      # install licensed gem using setup-licensed
+      - uses: jonabc/setup-licensed@v1
+        with:
+          version: '3.x'
+
+      # install dependencies in CI environment
+      - run: bundle install
+
+      # run licensed-ci to cache any metadata changes and verify compliance
+      - uses: jonabc/licensed-ci@v1
+
+  # OR 
+  
+  # install licensed using gem install
+  licensed-ci-gem:
+    runs-on: ubuntu-latest
+
+    steps:
+      # checkout the repo
+      - uses: actions/checkout@v1
+      
+      # install ruby and bundler
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.0"
+
+      # install licensed gem using setup-licensed
+      - run: gem install licensed -v '~> 3.0'
+
+      # install dependencies in CI environment
+      - run: bundle install
+
+      # run licensed-ci to cache any metadata changes and verify compliance
+      - uses: jonabc/licensed-ci@v1
+
+  # OR
+
+  # install licensed as part of bundle installation
+  licensed-ci-bundle:
+    runs-on: ubuntu-latest
+
+    steps:
+      # checkout the repo
+      - uses: actions/checkout@v1
+      
+      # install ruby and bundler
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.0"
+
+      # install licensed and other dependencies in CI environment
+      - run: bundle install
+
+      # run licensed-ci to cache any metadata changes and verify compliance
+      - uses: jonabc/licensed-ci@v1
+        with:
+          command: 'bundle exec licensed' # run licensed within the bundler context
+```

data/docs/sources/bundler.md

@@ -2,17 +2,7 @@
 
 The bundler source will detect dependencies `Gemfile` and `Gemfile.lock` files are found at an apps `source_path`.  The source uses the `Bundler` API to enumerate dependencies from `Gemfile` and `Gemfile.lock`.
 
-### Enumerating bundler dependencies when using the licensed executable
-
-**Note** this content only applies to running licensed from an executable.  It does not apply when using licensed as a gem.
-
-_It is required that the ruby runtime is available when running the licensed executable._
-
-The licensed executable contains and runs a version of ruby.  When using the Bundler APIs, a mismatch between the version of ruby built into the licensed executable and the version of licensed used during `bundle install` can occur.  This mismatch can lead to licensed raising errors due to not finding dependencies.
-
-For example, if `bundle install` was run with ruby 2.5.0 then the bundler specification path would be `<bundle path>/ruby/2.5.0/specifications`.  However, if the licensed executable contains ruby 2.4.0, then licensed will be looking for specifications at `<bundle path>/ruby/2.4.0/specifications`.  That path may not exist, or it may contain invalid or stale content.
-
-To prevent confusion, licensed uses the local ruby runtime to determine the ruby version for local gems during `bundle install`.  If bundler is also available, then the ruby command will be run from a `bundle exec` context.
+**Note** The bundler source cannot be used when running the [packaged licensed executable](../packaging.md)
 
 ### Excluding gem groups
 

data/docs/sources/npm.md

@@ -1,4 +1,4 @@
-# NPM
+# npm
 
 The npm source will detect dependencies `package.json` is found at an apps `source_path`.  It uses `npm list` to enumerate dependencies and metadata.
 

data/lib/licensed/cli.rb

@@ -74,11 +74,14 @@ module Licensed
     method_option :from, aliases: "-f", type: :string, required: true,
       desc: "Licensed version to migrate from - #{Licensed.previous_major_versions.map { |major| "v#{major}" }.join(", ")}"
     def migrate
+      shell = Thor::Base.shell.new
       case options["from"]
       when "v1"
         Licensed::Migrations::V2.migrate(options["config"])
+      when "v2"
+        shell.say "No configuration or cached file migration needed."
+        shell.say "Please see the documentation at https://github.com/github/licensed/tree/master/docs/migrations/v3.md for details."
       else
-        shell = Thor::Base.shell.new
         shell.say "Unrecognized option from=#{options["from"]}", :red
         CLI.command_help(shell, "migrate")
         exit 1

data/lib/licensed/sources/bundler.rb

@@ -2,50 +2,13 @@
 require "delegate"
 begin
   require "bundler"
+  require "licensed/sources/bundler/missing_specification"
 rescue LoadError
 end
 
 module Licensed
   module Sources
     class Bundler < Source
-      class MissingSpecification < Gem::BasicSpecification
-        attr_reader :name, :requirement
-        alias_method :version, :requirement
-        def initialize(name:, requirement:)
-          @name = name
-          @requirement = requirement
-        end
-
-        def dependencies
-          []
-        end
-
-        def source
-          nil
-        end
-
-        def platform; end
-        def gem_dir; end
-        def gems_dir
-          Gem.dir
-        end
-        def summary; end
-        def homepage; end
-
-        def error
-          "could not find #{name} (#{requirement}) in any sources"
-        end
-      end
-
-      class BundlerSpecification < ::SimpleDelegator
-        def gem_dir
-          dir = super
-          return dir if File.exist?(dir)
-
-          File.join(Gem.dir, "gems", full_name)
-        end
-      end
-
       class Dependency < Licensed::Dependency
         attr_reader :loaded_from
 
@@ -76,6 +39,7 @@ module Licensed
 
       GEMFILES = { "Gemfile" => "Gemfile.lock", "gems.rb" => "gems.locked" }
       DEFAULT_WITHOUT_GROUPS = %i{development test}
+      RUBY_PACKER_ERROR = "The bundler source cannot be used from the executable built with ruby-packer.  Please install licensed using `gem install` or using bundler."
 
       def enabled?
         # running a ruby-packer-built licensed exe when ruby isn't available
@@ -85,13 +49,18 @@ module Licensed
       end
 
       def enumerate_dependencies
+        raise Licensed::Sources::Source::Error.new(RUBY_PACKER_ERROR) if ruby_packer?
+
         with_local_configuration do
           specs.map do |spec|
+            next if spec.name == "bundler" && !include_bundler?
+            next if spec.name == config["name"]
+
             error = spec.error if spec.respond_to?(:error)
             Dependency.new(
               name: spec.name,
               version: spec.version.to_s,
-              path: spec.gem_dir,
+              path: spec.full_gem_path,
               loaded_from: spec.loaded_from,
               errors: Array(error),
               metadata: {
@@ -106,136 +75,18 @@ module Licensed
 
       # Returns an array of Gem::Specifications for all gem dependencies
       def specs
-        # get the specifications for all dependencies in a Gemfile
-        root_dependencies = definition.dependencies.select { |d| include?(d, nil) }
-        root_specs = specs_for_dependencies(root_dependencies, nil).compact
-
-        # recursively find the remaining specifications
-        all_specs = recursive_specs(root_specs)
-
-        # delete any specifications loaded from a gemspec
-        all_specs.delete_if { |s| s.source.is_a?(::Bundler::Source::Gemspec) }
-      end
-
-      # Recursively finds the dependencies for Gem specifications.
-      # Returns a `Set` containing the package names for all dependencies
-      def recursive_specs(specs, results = Set.new)
-        return [] if specs.nil? || specs.empty?
-
-        new_specs = Set.new(specs) - results.to_a
-        return [] if new_specs.empty?
-
-        results.merge new_specs
-
-        dependency_specs = new_specs.flat_map { |s| specs_for_dependencies(s.dependencies, s.source) }
-
-        return results if dependency_specs.empty?
-
-        results.merge recursive_specs(dependency_specs, results)
+        @specs ||= definition.specs_for(groups)
       end
 
-      # Returns the specs for dependencies that pass the checks in `include?`.
-      # Returns a `MissingSpecification` if a gem specification isn't found.
-      def specs_for_dependencies(dependencies, source)
-        included_dependencies = dependencies.select { |d| include?(d, source) }
-        included_dependencies.map do |dep|
-          gem_spec(dep) || MissingSpecification.new(name: dep.name, requirement: dep.requirement)
-        end
-      end
-
-      # Returns a Gem::Specification for the provided gem argument.
-      def gem_spec(dependency)
-        return unless dependency
-
-        # find a specifiction from the resolved ::Bundler::Definition specs
-        spec = definition.resolve.find { |s| s.satisfies?(dependency) }
-
-        # a nil spec should be rare, generally only seen from bundler
-        return matching_spec(dependency) || bundle_exec_gem_spec(dependency.name, dependency.requirement) if spec.nil?
-
-        # try to find a non-lazy specification that matches `spec`
-        # spec.source.specs gives access to specifications with more
-        # information than spec itself, including platform-specific gems.
-        # these objects should have all the information needed to detect license metadata
-        source_spec = spec.source.specs.find { |s| s.name == spec.name && s.version == spec.version }
-        return source_spec if source_spec
-
-        # look for a specification at the bundler specs path
-        spec_path = ::Bundler.specs_path.join("#{spec.full_name}.gemspec")
-        return Gem::Specification.load(spec_path.to_s) if File.exist?(spec_path.to_s)
-
-        # if the specification file doesn't exist, get the specification using
-        # the bundler and gem CLI
-        bundle_exec_gem_spec(dependency.name, dependency.requirement)
-      end
-
-      # Returns whether a dependency should be included in the final
-      def include?(dependency, source)
-        # ::Bundler::Dependency has an extra `should_include?`
-        return false unless dependency.should_include? if dependency.respond_to?(:should_include?)
-
-        # Don't return gems added from `add_development_dependency` in a gemspec
-        # if the :development group is excluded
-        gemspec_source = source.is_a?(::Bundler::Source::Gemspec)
-        return false if dependency.type == :development && (!gemspec_source || exclude_development_dependencies?)
-
-        # Gem::Dependency don't have groups - in our usage these objects always
-        # come as child-dependencies and are never directly from a Gemfile.
-        # We assume that all Gem::Dependencies are ok at this point
-        return true if dependency.groups.nil?
-
-        # check if the dependency is in any groups we're interested in
-        (dependency.groups & groups).any?
-      end
-
-      # Returns whether development dependencies should be excluded
-      def exclude_development_dependencies?
-        @include_development ||= begin
-          # check whether the development dependency group is explicitly removed
-          # or added via bundler and licensed configurations
-          groups = [:development] - Array(::Bundler.settings[:without]) + Array(::Bundler.settings[:with]) - exclude_groups
-          !groups.include?(:development)
-        end
-      end
-
-      # Load a gem specification from the YAML returned from `gem specification`
-      # This is a last resort when licensed can't obtain a specification from other means
-      def bundle_exec_gem_spec(name, requirement)
-        # `gem` must be available to run `gem specification`
-        return unless Licensed::Shell.tool_available?("gem")
-
-        # use `gem specification` with a clean ENV and clean Gem.dir paths
-        # to get gem specification at the right directory
-        begin
-          ::Bundler.with_original_env do
-            ::Bundler.rubygems.clear_paths
-            yaml = Licensed::Shell.execute(*ruby_command_args("gem", "specification", name, "-v", requirement.to_s))
-            spec = Gem::Specification.from_yaml(yaml)
-            # this is horrible, but it will cache the gem_dir using the clean env
-            # so that it can be used outside of this block when running from
-            # the ruby packer executable environment
-            spec.gem_dir if ruby_packer?
-            spec
-          end
-        rescue Licensed::Shell::Error
-          # return nil
-        ensure
-          ::Bundler.configure
-        end
-      end
-
-      # Loads a dependency specification using rubygems' built-in
-      # `Dependency#matching_specs` and `Dependency#to_spec`, from the original
-      # gem environment
-      def matching_spec(dependency)
-        begin
-          ::Bundler.with_original_env do
-            ::Bundler.rubygems.clear_paths
-            return unless dependency.matching_specs(true).any?
-            BundlerSpecification.new(dependency.to_spec)
-          end
-        ensure
-          ::Bundler.configure
+      # Returns whether to include bundler as a listed dependency of the project
+      def include_bundler?
+        @include_bundler ||= begin
+          # include if bundler is listed as a direct dependency that should be included
+          requested_dependencies = definition.dependencies.select { |d| (d.groups & groups).any? && d.should_include? }
+          return true if requested_dependencies.any? { |d| d.name == "bundler" }
+          # include if bundler is an indirect dependency
+          return true if specs.flat_map(&:dependencies).any? { |d| d.name == "bundler" }
+          false
         end
       end
 
@@ -283,23 +134,6 @@ module Licensed
         @lockfile_path ||= gemfile_path.dirname.join(GEMFILES[gemfile_path.basename.to_s])
       end
 
-      # Returns the configured bundler executable to use, or "bundle" by default.
-      def bundler_exe
-        @bundler_exe ||= begin
-          exe = config.dig("bundler", "bundler_exe")
-          return "bundle" unless exe
-          return exe if Licensed::Shell.tool_available?(exe)
-          config.root.join(exe)
-        end
-      end
-
-      # Determines if the configured bundler executable is available and returns
-      # shell command args with or without `bundle exec` depending on availability.
-      def ruby_command_args(*args)
-        return Array(args) unless Licensed::Shell.tool_available?(bundler_exe)
-        [bundler_exe, "exec", *args]
-      end
-
       private
 
       # helper to clear all bundler environment around a yielded block
@@ -307,18 +141,8 @@ module Licensed
         # force bundler to use the local gem file
         original_bundle_gemfile, ENV["BUNDLE_GEMFILE"] = ENV["BUNDLE_GEMFILE"], gemfile_path.to_s
 
-        if ruby_packer?
-          # if running under ruby-packer, set environment from host
-
-          # hack: setting this ENV var allows licensed to use Gem paths outside
-          # of the ruby-packer filesystem.  this is needed to find spec sources
-          # from the host filesystem
-          ENV["ENCLOSE_IO_RUBYC_1ST_PASS"] = "1"
-          ruby_version = Gem::ConfigMap[:ruby_version]
-          # set the ruby version in Gem::ConfigMap to the ruby version from the host.
-          # this helps Bundler find the correct spec sources and paths
-          Gem::ConfigMap[:ruby_version] = host_ruby_version
-        end
+        # silence any bundler warnings while running licensed
+        bundler_ui, ::Bundler.ui = ::Bundler.ui, ::Bundler::UI::Silent.new
 
         # reset all bundler configuration
         ::Bundler.reset!
@@ -327,15 +151,10 @@ module Licensed
 
         yield
       ensure
-        if ruby_packer?
-          # if running under ruby-packer, restore environment after block is finished
-          ENV.delete("ENCLOSE_IO_RUBYC_1ST_PASS")
-          Gem::ConfigMap[:ruby_version] = ruby_version
-        end
-
         ENV["BUNDLE_GEMFILE"] = original_bundle_gemfile
+        ::Bundler.ui = bundler_ui
+
         # restore bundler configuration
-        ::Bundler.reset!
         ::Bundler.configure
       end
 
@@ -343,11 +162,6 @@ module Licensed
       def ruby_packer?
         @ruby_packer ||= RbConfig::TOPDIR =~ /__enclose_io_memfs__/
       end
-
-      # Returns the ruby version found in the bundler environment
-      def host_ruby_version
-        Licensed::Shell.execute(*ruby_command_args("ruby", "-e", "puts Gem::ConfigMap[:ruby_version]"))
-      end
     end
   end
 end

data/lib/licensed/sources/bundler/missing_specification.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+require "bundler/match_platform"
+
+# Bundler normally raises a "GemNotFound" error when a specification
+# can't be materialized which halts bundler dependency enumeration.
+
+# This monkey patch instead creates MissingSpecification objects to
+# identify missing specs without raising errors and halting enumeration.
+# It was the most minimal-touch solution I could think of that should reliably
+# work across many bundler versions
+
+module Licensed
+  module Bundler
+    class MissingSpecification < Gem::BasicSpecification
+      include ::Bundler::MatchPlatform
+
+      attr_reader :name, :version, :platform, :source
+      def initialize(name:, version:, platform:, source:)
+        @name = name
+        @version = version
+        @platform = platform
+        @source = source
+      end
+
+      def dependencies
+        []
+      end
+
+      def gem_dir; end
+      def gems_dir
+        Gem.dir
+      end
+      def summary; end
+      def homepage; end
+
+      def error
+        "could not find #{name} (#{version}) in any sources"
+      end
+    end
+  end
+end
+
+module Bundler
+  class LazySpecification
+    alias_method :orig_materialize, :__materialize__
+    def __materialize__
+      spec = orig_materialize
+      return spec if spec
+
+      Licensed::Bundler:: MissingSpecification.new(name: name, version: version, platform: platform, source: source)
+    end
+  end
+end

data/lib/licensed/sources/cabal.rb

@@ -222,14 +222,25 @@ module Licensed
 
       # Returns a package info structure with an error set
       def missing_package(id)
-        name, _, version = if id.index(/\s/).nil?
-          id.rpartition("-") # e.g. to match the right-most dash from ipid fused-effects-1.0.0.0
-        else
-          id.partition(/\s/) # e.g. to match the left-most space from constraint fused-effects > 1.0.0.0
-        end
-
+        name, version = package_id_name_version(id)
         { "name" => name, "version" => version, "error" => "package not found" }
       end
+
+      # Parses the name and version pieces from an id or package requirement string
+      def package_id_name_version(id)
+        name, version = id.split(" ", 2)
+        return [name, version] if version
+
+        # split by dashes, find the rightmost thing that looks like an
+        parts = id.split("-")
+        version_start_index = parts.rindex { |part| part.match?(/^[\d\.]+$/) }
+        return [id, nil] if version_start_index.nil?
+
+        [
+          parts[0...version_start_index].join("-"),
+          parts[version_start_index..-1].join("-")
+        ]
+      end
     end
   end
 end

data/lib/licensed/sources/manifest.rb

@@ -170,7 +170,7 @@ module Licensed
       def all_files
         # remove files if they are tracked but don't exist on the file system
         @all_files ||= Set.new(Licensed::Git.files || [])
-                          .delete_if { |f| !File.exist?(f) }
+                          .delete_if { |f| !File.exist?(File.join(Licensed::Git.repository_root, f)) }
       end
 
       class Dependency < Licensed::Dependency

data/lib/licensed/sources/npm.rb

@@ -4,6 +4,25 @@ require "json"
 module Licensed
   module Sources
     class NPM < Source
+      class Dependency < ::Licensed::Dependency
+        # override license_metadata to pull homepage and summary information
+        # from a packages package.json file, if it exists
+        # this accounts for the lack of this information in npm 7's `npm list` output
+        def license_metadata
+          data = super
+          return data if !data["homepage"].to_s.empty? && !data["summary"].to_s.empty?
+
+          package_json_path = File.join(path, "package.json")
+          return data unless File.exist?(package_json_path)
+
+          package_json = JSON.parse(File.read(package_json_path))
+          data["homepage"] = package_json["homepage"]
+          data["summary"] = package_json["description"]
+
+          data
+        end
+      end
+
       def self.type
         "npm"
       end
@@ -50,6 +69,9 @@ module Licensed
         dependencies.each do |name, dependency|
           next if dependency["peerMissing"]
           next if yarn_lock_present && dependency["missing"]
+          next if dependency["extraneous"] && dependency["missing"]
+
+          dependency["name"] = name
           (result[name] ||= []) << dependency
           recursive_dependencies(dependency["dependencies"] || {}, result)
         end
@@ -59,22 +81,50 @@ module Licensed
       # Returns parsed package metadata returned from `npm list`
       def package_metadata
         return @package_metadata if defined?(@package_metadata)
+        @package_metadata = JSON.parse(package_metadata_command)
+      rescue JSON::ParserError => e
+        message = "Licensed was unable to parse the output from 'npm list'. JSON Error: #{e.message}"
+        npm_error = package_metadata_error
+        message = "#{message}. npm Error: #{npm_error}" if npm_error
+        raise Licensed::Sources::Source::Error, message
+      end
 
-        @package_metadata = begin
-          JSON.parse(package_metadata_command)
-        rescue JSON::ParserError => e
-          raise Licensed::Sources::Source::Error,
-            "Licensed was unable to parse the output from 'npm list'. Please run 'npm list --json --long' and check for errors. Error: #{e.message}"
-        end
+      # Returns an error, if one exists, from running `npm list` to get package metadata
+      def package_metadata_error
+        Licensed::Shell.execute("npm", "list", *package_metadata_args)
+        return ""
+      rescue Licensed::Shell::Error => e
+        return e.message
       end
 
       # Returns the output from running `npm list` to get package metadata
       def package_metadata_command
         args = %w(--json --long)
-        args << "--production" unless include_non_production?
+        args.concat(package_metadata_args)
+
         Licensed::Shell.execute("npm", "list", *args, allow_failure: true)
       end
 
+      # Returns an array of arguments that should be used for all `npm list`
+      # calls, regardless of how the output is formatted
+      def package_metadata_args
+        args = []
+        args << "--production" unless include_non_production?
+
+        # on npm 7+, the --all argument is necessary to evaluate the project's
+        # full dependency tree
+        args << "--all" if npm_version >= Gem::Version.new("7.0.0")
+
+        return args
+      end
+
+      # Returns the currently installed version of npm as a Gem::Version object
+      def npm_version
+        @npm_version ||= begin
+          Gem::Version.new(Licensed::Shell.execute("npm", "-v").strip)
+        end
+      end
+
       # Returns true if a yarn.lock file exists in the current directory
       def yarn_lock_present
         @yarn_lock_present ||= File.exist?(config.pwd.join("yarn.lock"))

data/lib/licensed/sources/pip.rb

@@ -8,7 +8,7 @@ module Licensed
   module Sources
     class Pip < Source
       VERSION_OPERATORS = %w(< > <= >= == !=).freeze
-      PACKAGE_REGEX = /^([\w-]+)(#{VERSION_OPERATORS.join("|")})?/
+      PACKAGE_REGEX = /^([\w\.-]+)(#{VERSION_OPERATORS.join("|")})?/
 
       def enabled?
         return unless virtual_env_pip && Licensed::Shell.tool_available?(virtual_env_pip)

data/lib/licensed/version.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 module Licensed
-  VERSION = "2.14.4".freeze
+  VERSION = "3.0.1".freeze
 
   def self.previous_major_versions
     major_version = Gem::Version.new(Licensed::VERSION).segments.first

data/script/packages/build

@@ -51,8 +51,11 @@ cd $COPY_DIR
     trap "git checkout $CURRENT_BRANCH" EXIT
   fi
 
+  # get the openssl dir to use when building based on ruby's default ssl cert dir
+  OPENSSL_DIR="$(cd "$(ruby -e 'require "net/https"; puts OpenSSL::X509::DEFAULT_CERT_DIR')/.." && pwd)"
+
   # build the licensed rubyc executable
-  "$RUBYC" --clean-tmpdir -o "$BUILD_DIR/licensed" "$COPY_DIR/exe/licensed"
+  "$RUBYC" --openssl-dir "$OPENSSL_DIR" --clean-tmpdir -o "$BUILD_DIR/licensed" "$COPY_DIR/exe/licensed"
   chmod +x $BUILD_DIR/licensed
 )
 

data/script/packages/mac

@@ -28,6 +28,9 @@ brew update
 brew list "squashfs" &>/dev/null || brew install "squashfs"
 brew list "pkg-config" &>/dev/null || brew install "pkg-config"
 
+gem update --system
+gem update bundler
+
 if [ ! -f "$RUBYC" ]; then
   mkdir -p "$(dirname "$RUBYC")"
   curl -L https://github.com/kontena/ruby-packer/releases/download/2.6.0-0.6.0/rubyc-2.6.0-0.6.0-osx-amd64.gz | gunzip > "$RUBYC"

data/script/source-setup/npm

@@ -10,8 +10,25 @@ fi
 BASE_PATH="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 cd $BASE_PATH/test/fixtures/npm
 
+FORCE=""
 if [ "$1" == "-f" ]; then
-  find . -not -regex "\.*" -and -not -name "package\.json" -print0 | xargs -0 rm -rf
+  FORCE=1
+fi
+
+NPM_MAJOR_VERSION="$(npm -v | cut -d'.' -f1)"
+if [ "$NPM_MAJOR_VERSION" -ge "7" ]; then
+  PACKAGE_JSON_SRC="package.json.npm7"
+else
+  PACKAGE_JSON_SRC="package.json.npm6"
+fi
+
+if [ ! -f "package.json" ] || [ "$(cat package.json | md5sum )" != "$(cat "$PACKAGE_JSON_SRC" | md5sum)" ]; then
+  FORCE=1
+  cp -f "$PACKAGE_JSON_SRC" package.json
+fi
+
+if [ -n "$FORCE" ]; then
+  find . -not -regex "\.*" -and -not -name "package\.json*" -print0 | xargs -0 rm -rf
 fi
 
 npm install

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: licensed
 version: !ruby/object:Gem::Version
-  version: 2.14.4
+  version: 3.0.1
 platform: ruby
 authors:
 - GitHub
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-02-10 00:00:00.000000000 Z
+date: 2021-05-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: licensee
@@ -243,7 +243,8 @@ files:
 - docs/adding_a_new_source.md
 - docs/commands.md
 - docs/configuration.md
-- docs/migrating_to_newer_versions.md
+- docs/migrations/v2.md
+- docs/migrations/v3.md
 - docs/packaging.md
 - docs/reporters.md
 - docs/sources/bower.md
@@ -290,6 +291,7 @@ files:
 - lib/licensed/sources.rb
 - lib/licensed/sources/bower.rb
 - lib/licensed/sources/bundler.rb
+- lib/licensed/sources/bundler/missing_specification.rb
 - lib/licensed/sources/cabal.rb
 - lib/licensed/sources/composer.rb
 - lib/licensed/sources/dep.rb
@@ -348,7 +350,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.0.3.1
 signing_key: 
 specification_version: 4
 summary: Extract and validate the licenses of dependencies.