licensed 2.15.0 → 3.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6e90a33d845fe81078014cc53dd61cc5044fc908df4fe65e3c3ce05e11884e3f
-  data.tar.gz: b0c1f03b192d70ec84d27f6b614d7874f32238a98a606f44e777cd1ee2e436ce
+  metadata.gz: 9411b608edb8210d926f1c927bcaa65e396eac39dbf6300b946e842a33071a23
+  data.tar.gz: a4dd2527919e79c111107482233945f476df72d9f282431abf99f40a3516b221
 SHA512:
-  metadata.gz: d57bca03f12516e4802c50f4ac5483966659debe879f43f54ddec8d17a6ea05e88048693288a67e73ee68992981d127205025a16eb7fec7ae165554c3ea52d79
-  data.tar.gz: 74d3df3dbdd3f52f7c22d2ca006cb0893f8ec32873bab9b7d56998ad4c1ade63080f608498561834273c23a0e8b8e29fbad0b39a5942951c75b0b04350b8532a
+  metadata.gz: 07f9153972ac85375a1cb8273d9990052a8d13bc3918c0cd7697c7a0686ef31ed45045065b10091b569a53ad0f2494ae32f0cf2392ae937d242b2954af92c0f6
+  data.tar.gz: 90364cc7be14673627b0280b018498a0feffc962b1c48a89094b9503d5743362f99ee0c36d601478b1818b10ee48d5b1ef97bdd120d6fbc7299b55efa9c5278c

data/.github/workflows/test.yml

@@ -362,6 +362,33 @@ jobs:
     - name: Run tests
       run: script/test pipenv
 
+  swift:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        swift: [ "5.4", "5.3" ]
+    steps:
+    - uses: actions/checkout@v2
+    - name: Setup Swift
+      uses: fwal/setup-swift@v1
+      with:
+        swift-version: ${{ matrix.swift }}
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.6
+    - run: bundle lock
+    - uses: actions/cache@v1
+      with:
+        path: vendor/gems
+        key: ${{ runner.os }}-gem-2.6.x-${{ hashFiles('**/Gemfile.lock') }}
+    - name: Bootstrap
+      run: script/bootstrap
+    - name: Set up fixtures
+      run: script/source-setup/swift
+    - name: Run tests
+      run: script/test swift
+
   yarn:
     runs-on: ubuntu-latest
     strategy:

data/CHANGELOG.md

@@ -6,6 +6,58 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## 3.1.0
+
+2021-06-16
+
+### Added
+
+- Licensed supports Swift/Swift package manager as a dependency source (:tada: @mattt https://github.com/github/licensed/pull/363)'
+
+### Changed
+
+- The `source_path` configuration property accepts arrays of inclusion and exclusion glob patterns (https://github.com/github/licensed/pull/368)
+- The Nuget source now uses configured fallback folders to find dependencies that are not in found in the project folder (https://github.com/github/licensed/pull/366)
+- The Nuget source supports a configurable property for the path from the project source path to the project's `obj` folder (https://github.com/github/licensed/pull/365)
+
+### Fixed
+- The Go source's checks for local packages will correctly find paths in case-insensitive file systems (https://github.com/github/licensed/pull/370)
+- The Bundler source will no longer unnecessarily reset the local Bundler environment configuration (https://github.com/github/licensed/pull/372)
+
+## 3.0.1
+
+2021-05-17
+
+### Fixed
+
+- The bundler source will correctly enumerate dependencies pulled with a `git:` directive (https://github.com/github/licensed/pull/360)
+
+## 3.0.0
+
+2021-04-27
+
+**This is a major release and includes potentially breaking changes to bundler dependency enumeration.**
+
+### Changed
+
+- The bundler source will return an error when run from an executable.  Please install licensed as a gem to continue using the bundler source.  Please see the [v3 migration document](./docs/migrations/v3.md) for full details and migration strategies.
+
+## 2.15.2
+
+2021-04-06
+
+### Fixed
+
+- The pip source works with package names containing periods (:tada: @bcskda https://github.com/github/licensed/pull/350)
+
+## 2.15.1
+
+2021-03-29
+
+### Changed
+
+- The npm source will ignore dependencies that are marked as both extraneous and missing (https://github.com/github/licensed/pull/347)
+
 ## 2.15.0
 2021-03-24
 
@@ -395,4 +447,4 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 Initial release :tada:
 
-[Unreleased]: https://github.com/github/licensed/compare/2.15.0...HEAD
+[Unreleased]: https://github.com/github/licensed/compare/3.1.0...HEAD

data/README.md

@@ -12,12 +12,24 @@ Licensed is **not** a complete open source license compliance solution. Please u
 
 Licensed is in active development and currently used at GitHub.  See the [open issues](https://github.com/github/licensed/issues) for a list of potential work.
 
+## Licensed v3
+
+Licensed v3 includes a breaking change if both of the following are true:
+
+1. a project uses bundler to manage ruby dependencies
+2. a project uses the self-contained executable build of licensed
+
+All other usages of licensed should not encounter any major changes migrating from the latest 2.x build to 3.0.  
+
+See [CHANGELOG.md](./CHANGELOG.md) for more details on what's changed.
+See the [v3 migration documentation](./docs/migrations/v3.md) for more info on migrating to v3.
+
 ## Licensed v2
 
 Licensed v2 includes many internal changes intended to make licensed more extensible and easier to update in the future.  While not too much has changed externally, v2 is incompatible with configuration files and cached records from previous versions.  Fortunately, migrating is easy using the `licensed migrate` command.
 
 See [CHANGELOG.md](./CHANGELOG.md) for more details on what's changed.
-See the [migration documentation](./docs/migrating_to_newer_versions.md) for more info on migrating to v2, or run `licensed help migrate`.
+See the [v2 migration documentation](./docs/migrations/v2.md) for more info on migrating to v2, or run `licensed help migrate`.
 
 ## Installation
 
@@ -82,7 +94,6 @@ The [bundler-licensed plugin](https://github.com/sergey-alekseev/bundler-license
 The [licensed-ci](https://github.com/marketplace/actions/licensed-ci) GitHub Action runs `licensed` as part of an opinionated CI workflow and can be configured to run on any GitHub Action event.  See the linked actions for usage and details.
 
 The [setup-licensed](https://github.com/marketplace/actions/setup-github-licensed) GitHub Action installs `licensed` to the workflow environment.  See the linked actions for usage and details.
-   - This action is intended for projects that don't have a ruby installation setup.  If your workflow has ruby setup please install `licensed` via `Gemfile` + `bundle install` or with `gem install`.
 
 ### Configuration
 
@@ -114,6 +125,7 @@ Dependencies will be automatically detected for all of the following sources by
 1. [NuGet](./docs/sources/nuget.md)
 1. [Pip](./docs/sources/pip.md)
 1. [Pipenv](./docs/sources/pipenv.md)
+1. [Swift](./docs/sources/swift.md)
 1. [Yarn](./docs/sources/yarn.md)
 
 You can disable any of them in the configuration file:

data/docs/configuration.md

@@ -19,9 +19,13 @@ If a root path is not specified, it will default to using the following, in orde
 1. the root of the local git repository, if run inside a git repository
 2. the current directory
 
-### Source path glob patterns
+### Source paths
 
-The `source_path` property can use a glob path to share configuration properties across multiple application entrypoints.
+A source path is the directory in which licensed should run to enumerate dependencies.  This is often dependent on the project type, for example the bundler source should be run from the directory containing a `Gemfile` or `gems.rb` while the go source should be run from the directory containing an entrypoint function.
+
+#### Using glob patterns
+
+The `source_path` property can use one or more glob patterns to share configuration properties across multiple application entrypoints.
 
 For example, there is a common pattern in Go projects to include multiple executable entrypoints under folders in `cmd`.  Using a glob pattern allows users to avoid manually configuring and maintaining multiple licensed application `source_path`s.  Using a glob pattern will also ensure that any new entrypoints matching the pattern are automatically picked up by licensed commands as they are added.
 
@@ -33,6 +37,14 @@ sources:
 source_path: cmd/*
 ```
 
+In order to better filter the results from glob patterns, the `source_path` property also accepts an array of inclusion and exclusion glob patterns similar to gitignore files.  Inclusion patterns will add matching directory paths to resulting set of source paths, while exclusion patterns will remove matching directory paths.
+
+```yml
+source_path:
+  - "projects/*" # include by default all directories under "projects"
+  - "!projects/*Test" # exclude all projects ending in "Test"
+```
+
 Glob patterns are syntactic sugar for, and provide the same functionality as, manually specifying multiple `source_path` values. See the instructions on [specifying multiple apps](./#specifying-multiple-apps) below for additional considerations when using multiple apps.
 
 ## Restricting sources

data/docs/{migrating_to_newer_versions.md → migrations/v2.md}

@@ -1,3 +1,3 @@
-# Migrating your licensed configuration and cached records to the latest version of licensed
+# Migrating your licensed configuration and cached records to licensed v2
 
 Licensed v2+ ships with an additional executable, `licensed-migrator`, that can be used to update your licensed files to the format expected by the currently installed version.  To run, execute `licensed migrate --from v1 -c <path to licensed configuration file>`, replacing `v1` with the major version of licensed to migrate from.

data/docs/migrations/v3.md

@@ -0,0 +1,109 @@
+# Breaking changes to bundler dependency enumeration in v3
+
+**NOTE** If you are migrating from a version earlier than v2, please first [migrate to v2](./v2.md) before continuing.
+
+Licensed v3 includes a breaking change to bundler dependency enumeration when using the executable form of licensed.  Bundler dependency enumeration will no longer work with the licensed executable as of 3.0.0.
+
+**If your project does not use bundler, or if you already install the licensed gem, you are not affected by this breaking change.**
+
+## Migrating bundler enumeration for v3
+
+When using licensed v3 with bundler dependencies, licensed must be installed from its [gem](https://rubygems.org/gems/licensed).  This can be accomplished with `gem install`, or by adding licensed to a bundler gem file.
+
+### Usage in a GitHub Actions workflow
+
+Using licensed to enumerate bundler dependencies in a GitHub Actions workflow will require ruby to be available in the actions VM environment.  Ruby can be setup in an actions workflow using [ruby/setup-ruby](https://github.com/ruby/setup-ruby)(preferred) or [actions/setup-ruby](https://github.com/actions/setup-ruby)(deprecated).
+
+If you are using licensed in a GitHub Actions workflow, [jonabc/setup-licensed](https://github.com/jonabc/setup-licensed) has been updated according to this breaking change.  `setup-licensed` will install the licensed gem when ruby is available, or the licensed executable when ruby is not available.  Alternatively, you can `gem install` licensed directly as an actions step.
+
+This is an example workflow definition that runs [jonabc/licensed-ci](https://github.com/jonabc/licensed-ci)'s opinionated license compliance workflow in CI.  It includes jobs that demonstrate installing licensed using 
+- `gem install`
+- [jonabc/setup-licensed](https://github.com/jonabc/setup-licensed)
+- installing when included in a bundler gem file
+
+```yml
+name: Cache and verify dependency license metadata
+
+on:
+  # run when PRs are opened, reopened or updated
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+
+  # run on demand
+  workflow_dispatch:
+
+jobs:
+  # install licensed with setup-licensed
+  licensed-ci-setup-licensed:
+    runs-on: ubuntu-latest
+
+    steps:
+      # checkout the repo
+      - uses: actions/checkout@v1
+      
+      # install ruby
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.0"
+
+      # install licensed gem using setup-licensed
+      - uses: jonabc/setup-licensed@v1
+        with:
+          version: '3.x'
+
+      # install dependencies in CI environment
+      - run: bundle install
+
+      # run licensed-ci to cache any metadata changes and verify compliance
+      - uses: jonabc/licensed-ci@v1
+
+  # OR 
+  
+  # install licensed using gem install
+  licensed-ci-gem:
+    runs-on: ubuntu-latest
+
+    steps:
+      # checkout the repo
+      - uses: actions/checkout@v1
+      
+      # install ruby and bundler
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.0"
+
+      # install licensed gem using setup-licensed
+      - run: gem install licensed -v '~> 3.0'
+
+      # install dependencies in CI environment
+      - run: bundle install
+
+      # run licensed-ci to cache any metadata changes and verify compliance
+      - uses: jonabc/licensed-ci@v1
+
+  # OR
+
+  # install licensed as part of bundle installation
+  licensed-ci-bundle:
+    runs-on: ubuntu-latest
+
+    steps:
+      # checkout the repo
+      - uses: actions/checkout@v1
+      
+      # install ruby and bundler
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.0"
+
+      # install licensed and other dependencies in CI environment
+      - run: bundle install
+
+      # run licensed-ci to cache any metadata changes and verify compliance
+      - uses: jonabc/licensed-ci@v1
+        with:
+          command: 'bundle exec licensed' # run licensed within the bundler context
+```

data/docs/sources/bundler.md

@@ -2,17 +2,7 @@
 
 The bundler source will detect dependencies `Gemfile` and `Gemfile.lock` files are found at an apps `source_path`.  The source uses the `Bundler` API to enumerate dependencies from `Gemfile` and `Gemfile.lock`.
 
-### Enumerating bundler dependencies when using the licensed executable
-
-**Note** this content only applies to running licensed from an executable.  It does not apply when using licensed as a gem.
-
-_It is required that the ruby runtime is available when running the licensed executable._
-
-The licensed executable contains and runs a version of ruby.  When using the Bundler APIs, a mismatch between the version of ruby built into the licensed executable and the version of licensed used during `bundle install` can occur.  This mismatch can lead to licensed raising errors due to not finding dependencies.
-
-For example, if `bundle install` was run with ruby 2.5.0 then the bundler specification path would be `<bundle path>/ruby/2.5.0/specifications`.  However, if the licensed executable contains ruby 2.4.0, then licensed will be looking for specifications at `<bundle path>/ruby/2.4.0/specifications`.  That path may not exist, or it may contain invalid or stale content.
-
-To prevent confusion, licensed uses the local ruby runtime to determine the ruby version for local gems during `bundle install`.  If bundler is also available, then the ruby command will be run from a `bundle exec` context.
+**Note** The bundler source cannot be used when running the [packaged licensed executable](../packaging.md)
 
 ### Excluding gem groups
 

data/docs/sources/swift.md

@@ -0,0 +1,4 @@
+# Swift
+
+The Swift source uses `swift package` subcommands
+to enumerate dependencies and properties.

data/lib/licensed/cli.rb

@@ -74,11 +74,14 @@ module Licensed
     method_option :from, aliases: "-f", type: :string, required: true,
       desc: "Licensed version to migrate from - #{Licensed.previous_major_versions.map { |major| "v#{major}" }.join(", ")}"
     def migrate
+      shell = Thor::Base.shell.new
       case options["from"]
       when "v1"
         Licensed::Migrations::V2.migrate(options["config"])
+      when "v2"
+        shell.say "No configuration or cached file migration needed."
+        shell.say "Please see the documentation at https://github.com/github/licensed/tree/master/docs/migrations/v3.md for details."
       else
-        shell = Thor::Base.shell.new
         shell.say "Unrecognized option from=#{options["from"]}", :red
         CLI.command_help(shell, "migrate")
         exit 1

data/lib/licensed/configuration.rb

@@ -158,18 +158,41 @@ module Licensed
     private
 
     def self.expand_app_source_path(app_config)
-      return app_config if app_config["source_path"].to_s.empty?
+      # map a source_path configuration value to an array of non-empty values
+      source_path_array = Array(app_config["source_path"])
+                            .reject { |path| path.to_s.empty? }
+                            .compact
+      app_root = AppConfiguration.root_for(app_config)
+      return app_config.merge("source_path" => app_root) if source_path_array.empty?
 
       # check if the source path maps to an existing directory
-      source_path = File.expand_path(app_config["source_path"], AppConfiguration.root_for(app_config))
-      return app_config if Dir.exist?(source_path)
+      if source_path_array.length == 1
+        source_path = File.expand_path(source_path_array[0], app_root)
+        return app_config.merge("source_path" => source_path) if Dir.exist?(source_path)
+      end
 
       # try to expand the source path for glob patterns
-      expanded_source_paths = Dir.glob(source_path).select { |p| File.directory?(p) }
+      expanded_source_paths = source_path_array.reduce(Set.new) do |matched_paths, pattern|
+        current_matched_paths = if pattern.start_with?("!")
+          # if the pattern is an exclusion, remove all matching files
+          # from the result
+          matched_paths - Dir.glob(pattern[1..-1])
+        else
+          # if the pattern is an inclusion, add all matching files
+          # to the result
+          matched_paths + Dir.glob(pattern)
+        end
+
+        current_matched_paths.select { |p| File.directory?(p) }
+      end
+
       configs = expanded_source_paths.map { |path| app_config.merge("source_path" => path) }
 
       # if no directories are found for the source path, return the original config
-      return app_config if configs.size == 0
+      if configs.size == 0
+        app_config["source_path"] = app_root if app_config["source_path"].is_a?(Array)
+        return app_config
+      end
 
       # update configured values for name and cache_path for uniqueness.
       # this is only needed when values are explicitly set, AppConfiguration

data/lib/licensed/sources.rb

@@ -14,6 +14,7 @@ module Licensed
     require "licensed/sources/nuget"
     require "licensed/sources/pip"
     require "licensed/sources/pipenv"
+    require "licensed/sources/swift"
     require "licensed/sources/gradle"
     require "licensed/sources/mix"
     require "licensed/sources/yarn"

data/lib/licensed/sources/bundler.rb

@@ -2,50 +2,13 @@
 require "delegate"
 begin
   require "bundler"
+  require "licensed/sources/bundler/missing_specification"
 rescue LoadError
 end
 
 module Licensed
   module Sources
     class Bundler < Source
-      class MissingSpecification < Gem::BasicSpecification
-        attr_reader :name, :requirement
-        alias_method :version, :requirement
-        def initialize(name:, requirement:)
-          @name = name
-          @requirement = requirement
-        end
-
-        def dependencies
-          []
-        end
-
-        def source
-          nil
-        end
-
-        def platform; end
-        def gem_dir; end
-        def gems_dir
-          Gem.dir
-        end
-        def summary; end
-        def homepage; end
-
-        def error
-          "could not find #{name} (#{requirement}) in any sources"
-        end
-      end
-
-      class BundlerSpecification < ::SimpleDelegator
-        def gem_dir
-          dir = super
-          return dir if File.exist?(dir)
-
-          File.join(Gem.dir, "gems", full_name)
-        end
-      end
-
       class Dependency < Licensed::Dependency
         attr_reader :loaded_from
 
@@ -76,6 +39,7 @@ module Licensed
 
       GEMFILES = { "Gemfile" => "Gemfile.lock", "gems.rb" => "gems.locked" }
       DEFAULT_WITHOUT_GROUPS = %i{development test}
+      RUBY_PACKER_ERROR = "The bundler source cannot be used from the executable built with ruby-packer.  Please install licensed using `gem install` or using bundler."
 
       def enabled?
         # running a ruby-packer-built licensed exe when ruby isn't available
@@ -85,13 +49,18 @@ module Licensed
       end
 
       def enumerate_dependencies
+        raise Licensed::Sources::Source::Error.new(RUBY_PACKER_ERROR) if ruby_packer?
+
         with_local_configuration do
           specs.map do |spec|
+            next if spec.name == "bundler" && !include_bundler?
+            next if spec.name == config["name"]
+
             error = spec.error if spec.respond_to?(:error)
             Dependency.new(
               name: spec.name,
               version: spec.version.to_s,
-              path: spec.gem_dir,
+              path: spec.full_gem_path,
               loaded_from: spec.loaded_from,
               errors: Array(error),
               metadata: {
@@ -106,136 +75,18 @@ module Licensed
 
       # Returns an array of Gem::Specifications for all gem dependencies
       def specs
-        # get the specifications for all dependencies in a Gemfile
-        root_dependencies = definition.dependencies.select { |d| include?(d, nil) }
-        root_specs = specs_for_dependencies(root_dependencies, nil).compact
-
-        # recursively find the remaining specifications
-        all_specs = recursive_specs(root_specs)
-
-        # delete any specifications loaded from a gemspec
-        all_specs.delete_if { |s| s.source.is_a?(::Bundler::Source::Gemspec) }
-      end
-
-      # Recursively finds the dependencies for Gem specifications.
-      # Returns a `Set` containing the package names for all dependencies
-      def recursive_specs(specs, results = Set.new)
-        return [] if specs.nil? || specs.empty?
-
-        new_specs = Set.new(specs) - results.to_a
-        return [] if new_specs.empty?
-
-        results.merge new_specs
-
-        dependency_specs = new_specs.flat_map { |s| specs_for_dependencies(s.dependencies, s.source) }
-
-        return results if dependency_specs.empty?
-
-        results.merge recursive_specs(dependency_specs, results)
-      end
-
-      # Returns the specs for dependencies that pass the checks in `include?`.
-      # Returns a `MissingSpecification` if a gem specification isn't found.
-      def specs_for_dependencies(dependencies, source)
-        included_dependencies = dependencies.select { |d| include?(d, source) }
-        included_dependencies.map do |dep|
-          gem_spec(dep) || MissingSpecification.new(name: dep.name, requirement: dep.requirement)
-        end
-      end
-
-      # Returns a Gem::Specification for the provided gem argument.
-      def gem_spec(dependency)
-        return unless dependency
-
-        # find a specifiction from the resolved ::Bundler::Definition specs
-        spec = definition.resolve.find { |s| s.satisfies?(dependency) }
-
-        # a nil spec should be rare, generally only seen from bundler
-        return matching_spec(dependency) || bundle_exec_gem_spec(dependency.name, dependency.requirement) if spec.nil?
-
-        # try to find a non-lazy specification that matches `spec`
-        # spec.source.specs gives access to specifications with more
-        # information than spec itself, including platform-specific gems.
-        # these objects should have all the information needed to detect license metadata
-        source_spec = spec.source.specs.find { |s| s.name == spec.name && s.version == spec.version }
-        return source_spec if source_spec
-
-        # look for a specification at the bundler specs path
-        spec_path = ::Bundler.specs_path.join("#{spec.full_name}.gemspec")
-        return Gem::Specification.load(spec_path.to_s) if File.exist?(spec_path.to_s)
-
-        # if the specification file doesn't exist, get the specification using
-        # the bundler and gem CLI
-        bundle_exec_gem_spec(dependency.name, dependency.requirement)
-      end
-
-      # Returns whether a dependency should be included in the final
-      def include?(dependency, source)
-        # ::Bundler::Dependency has an extra `should_include?`
-        return false unless dependency.should_include? if dependency.respond_to?(:should_include?)
-
-        # Don't return gems added from `add_development_dependency` in a gemspec
-        # if the :development group is excluded
-        gemspec_source = source.is_a?(::Bundler::Source::Gemspec)
-        return false if dependency.type == :development && (!gemspec_source || exclude_development_dependencies?)
-
-        # Gem::Dependency don't have groups - in our usage these objects always
-        # come as child-dependencies and are never directly from a Gemfile.
-        # We assume that all Gem::Dependencies are ok at this point
-        return true if dependency.groups.nil?
-
-        # check if the dependency is in any groups we're interested in
-        (dependency.groups & groups).any?
-      end
-
-      # Returns whether development dependencies should be excluded
-      def exclude_development_dependencies?
-        @include_development ||= begin
-          # check whether the development dependency group is explicitly removed
-          # or added via bundler and licensed configurations
-          groups = [:development] - Array(::Bundler.settings[:without]) + Array(::Bundler.settings[:with]) - exclude_groups
-          !groups.include?(:development)
-        end
-      end
-
-      # Load a gem specification from the YAML returned from `gem specification`
-      # This is a last resort when licensed can't obtain a specification from other means
-      def bundle_exec_gem_spec(name, requirement)
-        # `gem` must be available to run `gem specification`
-        return unless Licensed::Shell.tool_available?("gem")
-
-        # use `gem specification` with a clean ENV and clean Gem.dir paths
-        # to get gem specification at the right directory
-        begin
-          ::Bundler.with_original_env do
-            ::Bundler.rubygems.clear_paths
-            yaml = Licensed::Shell.execute(*ruby_command_args("gem", "specification", name, "-v", requirement.to_s))
-            spec = Gem::Specification.from_yaml(yaml)
-            # this is horrible, but it will cache the gem_dir using the clean env
-            # so that it can be used outside of this block when running from
-            # the ruby packer executable environment
-            spec.gem_dir if ruby_packer?
-            spec
-          end
-        rescue Licensed::Shell::Error
-          # return nil
-        ensure
-          ::Bundler.configure
-        end
+        @specs ||= definition.specs_for(groups)
       end
 
-      # Loads a dependency specification using rubygems' built-in
-      # `Dependency#matching_specs` and `Dependency#to_spec`, from the original
-      # gem environment
-      def matching_spec(dependency)
-        begin
-          ::Bundler.with_original_env do
-            ::Bundler.rubygems.clear_paths
-            return unless dependency.matching_specs(true).any?
-            BundlerSpecification.new(dependency.to_spec)
-          end
-        ensure
-          ::Bundler.configure
+      # Returns whether to include bundler as a listed dependency of the project
+      def include_bundler?
+        @include_bundler ||= begin
+          # include if bundler is listed as a direct dependency that should be included
+          requested_dependencies = definition.dependencies.select { |d| (d.groups & groups).any? && d.should_include? }
+          return true if requested_dependencies.any? { |d| d.name == "bundler" }
+          # include if bundler is an indirect dependency
+          return true if specs.flat_map(&:dependencies).any? { |d| d.name == "bundler" }
+          false
         end
       end
 
@@ -283,71 +134,39 @@ module Licensed
         @lockfile_path ||= gemfile_path.dirname.join(GEMFILES[gemfile_path.basename.to_s])
       end
 
-      # Returns the configured bundler executable to use, or "bundle" by default.
-      def bundler_exe
-        @bundler_exe ||= begin
-          exe = config.dig("bundler", "bundler_exe")
-          return "bundle" unless exe
-          return exe if Licensed::Shell.tool_available?(exe)
-          config.root.join(exe)
-        end
-      end
-
-      # Determines if the configured bundler executable is available and returns
-      # shell command args with or without `bundle exec` depending on availability.
-      def ruby_command_args(*args)
-        return Array(args) unless Licensed::Shell.tool_available?(bundler_exe)
-        [bundler_exe, "exec", *args]
-      end
-
-      private
-
       # helper to clear all bundler environment around a yielded block
       def with_local_configuration
-        # force bundler to use the local gem file
-        original_bundle_gemfile, ENV["BUNDLE_GEMFILE"] = ENV["BUNDLE_GEMFILE"], gemfile_path.to_s
+        # silence any bundler warnings while running licensed
+        bundler_ui, ::Bundler.ui = ::Bundler.ui, ::Bundler::UI::Silent.new
 
-        if ruby_packer?
-          # if running under ruby-packer, set environment from host
+        original_bundle_gemfile = nil
+        if gemfile_path.to_s != ENV["BUNDLE_GEMFILE"]
+          # force bundler to use the local gem file
+          original_bundle_gemfile, ENV["BUNDLE_GEMFILE"] = ENV["BUNDLE_GEMFILE"], gemfile_path.to_s
 
-          # hack: setting this ENV var allows licensed to use Gem paths outside
-          # of the ruby-packer filesystem.  this is needed to find spec sources
-          # from the host filesystem
-          ENV["ENCLOSE_IO_RUBYC_1ST_PASS"] = "1"
-          ruby_version = Gem::ConfigMap[:ruby_version]
-          # set the ruby version in Gem::ConfigMap to the ruby version from the host.
-          # this helps Bundler find the correct spec sources and paths
-          Gem::ConfigMap[:ruby_version] = host_ruby_version
+          # reset all bundler configuration
+          ::Bundler.reset!
+          # and re-configure with settings for current directory
+          ::Bundler.configure
         end
 
-        # reset all bundler configuration
-        ::Bundler.reset!
-        # and re-configure with settings for current directory
-        ::Bundler.configure
-
         yield
       ensure
-        if ruby_packer?
-          # if running under ruby-packer, restore environment after block is finished
-          ENV.delete("ENCLOSE_IO_RUBYC_1ST_PASS")
-          Gem::ConfigMap[:ruby_version] = ruby_version
+        if original_bundle_gemfile
+          ENV["BUNDLE_GEMFILE"] = original_bundle_gemfile
+
+          # restore bundler configuration
+          ::Bundler.reset!
+          ::Bundler.configure
         end
 
-        ENV["BUNDLE_GEMFILE"] = original_bundle_gemfile
-        # restore bundler configuration
-        ::Bundler.reset!
-        ::Bundler.configure
+        ::Bundler.ui = bundler_ui
       end
 
       # Returns whether the current licensed execution is running ruby-packer
       def ruby_packer?
         @ruby_packer ||= RbConfig::TOPDIR =~ /__enclose_io_memfs__/
       end
-
-      # Returns the ruby version found in the bundler environment
-      def host_ruby_version
-        Licensed::Shell.execute(*ruby_command_args("ruby", "-e", "puts Gem::ConfigMap[:ruby_version]"))
-      end
     end
   end
 end

data/lib/licensed/sources/bundler/missing_specification.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+require "bundler/match_platform"
+
+# Bundler normally raises a "GemNotFound" error when a specification
+# can't be materialized which halts bundler dependency enumeration.
+
+# This monkey patch instead creates MissingSpecification objects to
+# identify missing specs without raising errors and halting enumeration.
+# It was the most minimal-touch solution I could think of that should reliably
+# work across many bundler versions
+
+module Licensed
+  module Bundler
+    class MissingSpecification < Gem::BasicSpecification
+      include ::Bundler::MatchPlatform
+
+      attr_reader :name, :version, :platform, :source
+      def initialize(name:, version:, platform:, source:)
+        @name = name
+        @version = version
+        @platform = platform
+        @source = source
+      end
+
+      def dependencies
+        []
+      end
+
+      def gem_dir; end
+      def gems_dir
+        Gem.dir
+      end
+      def summary; end
+      def homepage; end
+
+      def error
+        "could not find #{name} (#{version}) in any sources"
+      end
+    end
+  end
+end
+
+module Bundler
+  class LazySpecification
+    alias_method :orig_materialize, :__materialize__
+    def __materialize__
+      spec = orig_materialize
+      return spec if spec
+
+      Licensed::Bundler::MissingSpecification.new(name: name, version: version, platform: platform, source: source)
+    end
+  end
+end

data/lib/licensed/sources/go.rb

@@ -98,7 +98,7 @@ module Licensed
       # Returns whether the package is local to the current project
       def local_package?(package)
         return false unless package && package["Dir"]
-        return false unless File.fnmatch?("#{config.root.to_s}*", package["Dir"])
+        return false unless File.fnmatch?("#{config.root.to_s}*", package["Dir"], File::FNM_CASEFOLD)
         vendored_path_parts(package).nil?
       end
 

data/lib/licensed/sources/npm.rb

@@ -69,6 +69,8 @@ module Licensed
         dependencies.each do |name, dependency|
           next if dependency["peerMissing"]
           next if yarn_lock_present && dependency["missing"]
+          next if dependency["extraneous"] && dependency["missing"]
+
           dependency["name"] = name
           (result[name] ||= []) << dependency
           recursive_dependencies(dependency["dependencies"] || {}, result)

data/lib/licensed/sources/nuget.rb

@@ -164,7 +164,7 @@ module Licensed
       end
 
       def project_assets_file_path
-        File.join(config.pwd, "project.assets.json")
+        File.join(config.pwd, nuget_obj_path, "project.assets.json")
       end
 
       def project_assets_file
@@ -172,6 +172,17 @@ module Licensed
         @project_assets_file = File.read(project_assets_file_path)
       end
 
+      def project_assets_json
+        @project_assets_json ||= JSON.parse(project_assets_file)
+      rescue JSON::ParserError => e
+        message = "Licensed was unable to read the project.assets.json file. Error: #{e.message}"
+        raise Licensed::Sources::Source::Error, message
+      end
+
+      def nuget_obj_path
+        config.dig("nuget", "obj_path") || ""
+      end
+
       def enabled?
         File.exist?(project_assets_file_path)
       end
@@ -180,32 +191,51 @@ module Licensed
       # Ideally we'd use `dotnet list package` instead, but its output isn't
       # easily machine readable and doesn't contain everything we need.
       def enumerate_dependencies
-        json = JSON.parse(project_assets_file)
-        nuget_packages_dir = json["project"]["restore"]["packagesPath"]
-        json["targets"].each_with_object({}) do |(_, target), dependencies|
-          target.each do |reference_key, reference|
-            # Ignore project references
-            next unless reference["type"] == "package"
-            package_id_parts = reference_key.partition("/")
-            name = package_id_parts[0]
-            version = package_id_parts[-1]
-            id = "#{name}-#{version}"
-
-            # Already know this package from another target
-            next if dependencies.key?(id)
-
-            path = File.join(nuget_packages_dir, json["libraries"][reference_key]["path"])
-            dependencies[id] = NuGetDependency.new(
-              name: id,
-              version: version,
-              path: path,
-              metadata: {
-                "type" => NuGet.type,
-                "name" => name
-              }
-            )
-          end
-        end.values
+        reference_keys.map do |reference_key|
+          package_id_parts = reference_key.partition("/")
+          name = package_id_parts[0]
+          version = package_id_parts[-1]
+          id = "#{name}-#{version}"
+
+          path = full_dependency_path(reference_key)
+          error = "Package #{id} path was not found in project.assets.json, or does not exist on disk at any project package folder" if path.nil?
+
+          NuGetDependency.new(
+            name: id,
+            version: version,
+            path: path,
+            errors: Array(error),
+            metadata: {
+              "type" => NuGet.type,
+              "name" => name
+            }
+          )
+        end
+      end
+
+      # Returns a unique set of the package reference keys used across all target groups
+      def reference_keys
+        all_reference_keys = project_assets_json["targets"].flat_map do |_, references|
+          references.select { |key, reference| reference["type"] == "package" }
+                    .keys
+        end
+
+        Set.new(all_reference_keys)
+      end
+
+      # Returns a dependency's path, if it exists, in one of the project's global or fallback package folders
+      def full_dependency_path(reference_key)
+        dependency_path = project_assets_json.dig("libraries", reference_key, "path")
+        return unless dependency_path
+
+        nuget_package_dirs = [
+          project_assets_json.dig("project", "restore", "packagesPath"),
+          *Array(project_assets_json.dig("project", "restore", "fallbackFolders"))
+        ].compact
+
+        nuget_package_dirs.map { |dir| File.join(dir, dependency_path) }
+                          .select { |path| File.directory?(path) }
+                          .first
       end
     end
   end

data/lib/licensed/sources/pip.rb

@@ -8,7 +8,7 @@ module Licensed
   module Sources
     class Pip < Source
       VERSION_OPERATORS = %w(< > <= >= == !=).freeze
-      PACKAGE_REGEX = /^([\w-]+)(#{VERSION_OPERATORS.join("|")})?/
+      PACKAGE_REGEX = /^([\w\.-]+)(#{VERSION_OPERATORS.join("|")})?/
 
       def enabled?
         return unless virtual_env_pip && Licensed::Shell.tool_available?(virtual_env_pip)

data/lib/licensed/sources/swift.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+require "json"
+require "pathname"
+require "uri"
+
+module Licensed
+  module Sources
+    class Swift < Source
+      def enabled?
+        return unless Licensed::Shell.tool_available?("swift") && swift_package?
+        File.exist?(package_resolved_file_path)
+      end
+
+      def enumerate_dependencies
+        pins.map { |pin|
+          name = pin["package"]
+          version = pin.dig("state", "version")
+          path = dependency_path_for_url(pin["repositoryURL"])
+          error = "Unable to determine project path from #{url}" unless path
+
+          Dependency.new(
+            name: name,
+            path: path,
+            version: version,
+            errors: Array(error),
+            metadata: {
+              "type"      => Swift.type,
+              "homepage"  => homepage_for_url(pin["repositoryURL"])
+            }
+          )
+        }
+      end
+
+      private
+
+      def pins
+        return @pins if defined?(@pins)
+
+        @pins = begin
+          json = JSON.parse(File.read(package_resolved_file_path))
+          json.dig("object", "pins")
+        rescue => e
+          message = "Licensed was unable to read the Package.resolved file. Error: #{e.message}"
+          raise Licensed::Sources::Source::Error, message
+        end
+      end
+
+      def dependency_path_for_url(url)
+        last_path_component = URI(url).path.split("/").last.sub(/\.git$/, "")
+        File.join(config.pwd, ".build", "checkouts", last_path_component)
+      rescue URI::InvalidURIError
+      end
+
+      def homepage_for_url(url)
+        return unless %w{http https}.include?(URI(url).scheme)
+        url.sub(/\.git$/, "")
+      rescue URI::InvalidURIError
+      end
+
+      def package_resolved_file_path
+        File.join(config.pwd, "Package.resolved")
+      end
+
+      def swift_package?
+        Licensed::Shell.success?("swift", "package", "describe")
+      end
+    end
+  end
+end

data/lib/licensed/version.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 module Licensed
-  VERSION = "2.15.0".freeze
+  VERSION = "3.1.0".freeze
 
   def self.previous_major_versions
     major_version = Gem::Version.new(Licensed::VERSION).segments.first

data/script/source-setup/swift

@@ -0,0 +1,22 @@
+#!/bin/bash
+set -e
+
+if [ -z "$(which swift)" ]; then
+  echo "A local swift installation is required for swift development." >&2
+  exit 127
+fi
+
+swift --version
+
+BASE_PATH="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+cd $BASE_PATH/test/fixtures/swift
+
+if [ "$1" == "-f" ]; then
+  find . -not -regex "\.*" \
+    -and -not -path "*/Package.swift" \
+    -and -not -path "*/Sources*" \
+    -and -not -path "*/Tests*" \
+    -print0 | xargs -0 rm -rf
+fi
+
+swift package resolve

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: licensed
 version: !ruby/object:Gem::Version
-  version: 2.15.0
+  version: 3.1.0
 platform: ruby
 authors:
 - GitHub
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-03-24 00:00:00.000000000 Z
+date: 2021-06-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: licensee
@@ -243,7 +243,8 @@ files:
 - docs/adding_a_new_source.md
 - docs/commands.md
 - docs/configuration.md
-- docs/migrating_to_newer_versions.md
+- docs/migrations/v2.md
+- docs/migrations/v3.md
 - docs/packaging.md
 - docs/reporters.md
 - docs/sources/bower.md
@@ -261,6 +262,7 @@ files:
 - docs/sources/pip.md
 - docs/sources/pipenv.md
 - docs/sources/stack.md
+- docs/sources/swift.md
 - docs/sources/yarn.md
 - exe/licensed
 - lib/licensed.rb
@@ -290,6 +292,7 @@ files:
 - lib/licensed/sources.rb
 - lib/licensed/sources/bower.rb
 - lib/licensed/sources/bundler.rb
+- lib/licensed/sources/bundler/missing_specification.rb
 - lib/licensed/sources/cabal.rb
 - lib/licensed/sources/composer.rb
 - lib/licensed/sources/dep.rb
@@ -304,6 +307,7 @@ files:
 - lib/licensed/sources/pip.rb
 - lib/licensed/sources/pipenv.rb
 - lib/licensed/sources/source.rb
+- lib/licensed/sources/swift.rb
 - lib/licensed/sources/yarn.rb
 - lib/licensed/ui/shell.rb
 - lib/licensed/version.rb
@@ -327,6 +331,7 @@ files:
 - script/source-setup/nuget
 - script/source-setup/pip
 - script/source-setup/pipenv
+- script/source-setup/swift
 - script/source-setup/yarn
 - script/test
 homepage: https://github.com/github/licensed
@@ -348,7 +353,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.0.3.1
 signing_key: 
 specification_version: 4
 summary: Extract and validate the licenses of dependencies.