licensed 2.5.0 → 2.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 45476f98c8dd054a36758218f6337826e90b1112
-  data.tar.gz: e040ac55ae8dbd3b7dd498318b8046a271c58832
+SHA256:
+  metadata.gz: 94e3cbc840104e6f0d4733c82ea38805aa2db680070708b88f107420405a1956
+  data.tar.gz: d04aea6f7ac531c7ab5826b90ece5f3bd0936845a7d8a0e0e44d54c7119e9f08
 SHA512:
-  metadata.gz: 6773ae7dc4f41afd8f0597c11e3ea4bda59c10de44654c9fd9b6b91bce6f2a0b0b092ecccb95dc39ce6da5678736672d6fb3fa9b48b47bf82eb1758cecc91297
-  data.tar.gz: 80c82cfccb88980bc3b1b04da520e740683bb18d52cc3dcc5e60801e529f5c926d64c9df80a24dfc431e4ff2271a4fef67389b7bf4b9779edd7aeb739d015036
+  metadata.gz: aab7fc74e7905ab4acad59d1e997c3ea95c8121299ba5cd52ae96bc2a7451314de1155754d5c41fe7834037217469e49b8b2fc4c88b68b1b08036bedc06a0ee7
+  data.tar.gz: 8572722b1cfca8af7527278f269b410a7c4edc699dc0ffba6e991e2ececb78d575addf0fe548ae95ac6347b7c59431ec553d1c0003b8a4abbd3f2dbfd534abc5

data/.github/workflows/release.yml

@@ -5,10 +5,9 @@ on: create
 jobs:
   tag_filter:
     runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/')
     steps:
-    - uses: actions/bin/filter@master
-      with:
-        args: 'tag'
+      - run: exit 0
 
   package_linux:
     runs-on: ubuntu-latest
@@ -119,7 +118,7 @@ jobs:
         touch $HOME/.gem/credentials
         chmod 0600 $HOME/.gem/credentials
         printf -- "---\n:rubygems_api_key: ${GEM_HOST_API_KEY}\n" > $HOME/.gem/credentials
-        gem push "$GEM"
+        gem push $GEM
       env:
         GEM_HOST_API_KEY: ${{secrets.RUBYGEMS_AUTH_TOKEN}}
         GEM: ${{github.event.ref}}-gem/*.gem

data/.github/workflows/test.yml

@@ -1,6 +1,6 @@
 name: Test
 
-on: 
+on:
   push:
     branches:
     - "*"
@@ -51,12 +51,21 @@ jobs:
 
   cabal:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ghc: [ '8.2.2', '8.6.5' ]
+        cabal: [ '2.0', '3.0' ]
     steps:
     - uses: actions/checkout@master
     - name: Set up Ruby
       uses: actions/setup-ruby@v1
       with:
         version: 2.6.x
+    - name: Setup Haskell
+      uses: actions/setup-haskell@v1
+      with:
+        ghc-version: ${{ matrix.ghc }}
+        cabal-version: ${{ matrix.cabal }}
     - name: Bootstrap
       run: script/bootstrap
     - name: Set up fixtures
@@ -230,3 +239,26 @@ jobs:
       run: script/source-setup/composer
     - name: Run tests
       run: script/test composer
+
+  mix:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        otp: [21.x, 22.x]
+        elixir: [1.8.x, 1.9.x]
+    steps:
+    - uses: actions/checkout@master
+    - uses: actions/setup-elixir@v1.0.0
+      with:
+        otp-version: ${{matrix.otp}}
+        elixir-version: ${{matrix.elixir}}
+    - name: Set up Ruby
+      uses: actions/setup-ruby@v1
+      with:
+        version: 2.6.x
+    - name: Bootstrap
+      run: script/bootstrap
+    - name: Set up fixtures
+      run: script/source-setup/mix
+    - name: Run tests
+      run: script/test mix

data/.gitignore

@@ -28,6 +28,9 @@ test/fixtures/pipenv/Pipfile.lock
 !test/fixtures/migrations/**/*
 test/fixtures/composer/**/*
 !test/fixtures/composer/composer.json
+test/fixtures/mix/_build
+test/fixtures/mix/deps
+test/fixtures/mix/mix.lock
 
 vendor/licenses
 .licenses

data/CHANGELOG.md

@@ -6,6 +6,12 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## 2.6.0
+2019-10-22
+
+### Added
+- Mix source for Elixir (:tada: @bruce https://github.com/github/licensed/pull/195)
+
 ## 2.5.0
 2019-09-26
 
@@ -223,4 +229,4 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 Initial release :tada:
 
-[Unreleased]: https://github.com/github/licensed/compare/2.5.0...HEAD
+[Unreleased]: https://github.com/github/licensed/compare/2.6.0...HEAD

data/LICENSE

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2015-2018 GitHub, Inc. and contributors
+Copyright (c) 2015-2019 GitHub, Inc. and contributors
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

data/README.md

@@ -16,7 +16,7 @@ Licensed is in active development and currently used at GitHub.  See the [open i
 
 Licensed v2 includes many internal changes intended to make licensed more extensible and easier to update in the future.  While not too much has changed externally, v2 is incompatible with configuration files and cached records from previous versions.  Fortunately, migrating is easy using the `licensed migrate` command.
 
-See [CHANGELOG.md](./CHANGELOG.md) for more details on whats changed.
+See [CHANGELOG.md](./CHANGELOG.md) for more details on what's changed.
 See the [migration documentation](./docs/migrating_to_newer_versions.md) for more info on migrating to v2, or run `licensed help migrate`.
 
 ## Installation
@@ -50,7 +50,7 @@ For system wide usage, install licensed to a location on `$PATH`, e.g. `/usr/loc
 
 #### Dependencies
 
-Licensed uses the the `libgit2` bindings for Ruby provided by `rugged`. `rugged` has its own dependencies - `cmake` and `pkg-config` - which you may need to install before you can install Licensed.
+Licensed uses the `libgit2` bindings for Ruby provided by `rugged`. `rugged` has its own dependencies - `cmake` and `pkg-config` - which you may need to install before you can install Licensed.
 
 For example, on macOS with Homebrew: `brew install cmake pkg-config` and on Ubuntu: `apt-get install cmake pkg-config`.
 
@@ -63,6 +63,10 @@ For example, on macOS with Homebrew: `brew install cmake pkg-config` and on Ubun
 
 See the [commands documentation](./docs/commands.md) for additional documentation, or run `licensed -h` to see all of the current available commands.
 
+### Automation
+
+The [bundler-licensed plugin](https://github.com/sergey-alekseev/bundler-licensed) runs `licensed cache` automatically when using `bundler`.  See the linked repo for usage and details.
+
 ### Configuration
 
 All commands, except `version`, accept a `-c|--config` option to specify a path to a configuration file or directory.
@@ -90,6 +94,7 @@ Dependencies will be automatically detected for all of the following sources by
 1. [Pip](./docs/sources/pip.md)
 1. [Pipenv](./docs/sources/pipenv.md)
 1. [Git Submodules (git_submodule)](./docs/sources/git_submodule.md)
+1. [Mix](./docs/sources/mix.md)
 
 You can disable any of them in the configuration file:
 

data/docs/configuration.md

@@ -87,6 +87,7 @@ allowed:
   - cc0-1.0
 
 # These dependencies are explicitly ignored.
+# They shouldn't be cached at all, and will not have cached metadata written to the repo.
 ignored:
   bundler:
     - some-internal-gem
@@ -95,6 +96,7 @@ ignored:
     - some-internal-package
 
 # These dependencies have been reviewed.
+# They need to be cached and checked, but do not have a license found that matches the allowed configured licenses.
 reviewed:
   bundler:
     - bcrypt-ruby

data/docs/sources/mix.md

@@ -0,0 +1,23 @@
+# Mix
+
+The mix source will detect `mix.lock` lockfiles, and parse their contents to enumerate dependencies.
+
+The `mix` CLI tool itself isn't used to extract dependency data, and no project compilation occurs during license extraction, but your dependencies should be present in your project `deps/` directory, as is conventional with Elixir projects.
+
+## Installing Dependencies
+
+Your project should contain a `deps/` directory containing the dependency sources. You can download your dependencies (which are defined in `mix.exs`) using `mix`:
+
+```
+mix deps.get
+```
+
+This will create your `mix.lock` lockfile if needed.
+
+Be sure to re-run this command whenever your `mix.exs` dependencies change to update your lockfile and dependency sources.
+
+## Limitations
+
+Because `mix deps.get` does not generate `mix.lock` entries for `:path` dependencies (nor are they stored in `deps/`), license information is not extracted from them.
+
+If you need to extract license information from dependencies from another local directory (that is a Git repository), consider using a `:git` dependency with a file path in your `mix.exs`.

data/lib/licensed/sources.rb

@@ -14,5 +14,6 @@ module Licensed
     require "licensed/sources/pip"
     require "licensed/sources/pipenv"
     require "licensed/sources/gradle"
+    require "licensed/sources/mix"
   end
 end

data/lib/licensed/sources/mix.rb

@@ -0,0 +1,194 @@
+# frozen_string_literal: true
+
+module Licensed
+  module Sources
+    class Mix < Source
+
+      LOCKFILE = "mix.lock"
+
+      # Returns whether a mix.lock is present
+      def enabled?
+        File.exist?(lockfile_path)
+      end
+
+      def enumerate_dependencies
+        find_packages.map do |package|
+          convert_package_to_dependency(package)
+        end
+      end
+
+      private
+
+      # Returns the parsed mix.lock information as an Array of Hash objects.
+      def find_packages
+        LockfileParser.read(lockfile_path)
+      end
+
+      # Returns the absolute path to the mix.lock as a Pathname.
+      def lockfile_path
+        config.pwd.join(LOCKFILE)
+      end
+
+      # Converts a raw package representation to a dependency.
+      #
+      # name - The name of the package as a String.
+      # pkg  - The parsed package data as a Hash.
+      #
+      # Returns a Dependency.
+      def convert_package_to_dependency(pkg)
+        path, errors = check_dep_path(pkg)
+        Dependency.new(
+          name: pkg[:name],
+          version: pkg[:version],
+          path: path,
+          metadata: pkg[:metadata].merge("type" => self.class.type),
+          errors: errors + Array(pkg[:error])
+        )
+      end
+
+      # Check that the package has been installed in deps/.
+      #
+      # pkg - The package information as a Hash
+      #
+      # Returns an Array with two members; the path as a String and an Array of
+      # any errors.
+      def check_dep_path(pkg)
+        path = dep_path(pkg[:name])
+        if File.directory?(path)
+          return [path, []]
+        else
+          return [path, ["Not installed by `mix deps.get` in deps/"]]
+        end
+      end
+
+      # Generate the absolute path to the named package.
+      #
+      # name - The name of the package dependency as a String.
+      #
+      # Returns a Pathname.
+      def dep_path(name)
+        config.pwd.join("deps", name)
+      end
+
+      class LockfileParser
+
+        class ParseError < RuntimeError; end
+
+        # Top-level pattern extracting the name and Mix.SCM type
+        LINE_PATTERN = /
+          \A                 # At the beginning of input
+          \s*                # after any number of spaces
+          "(?<name>.*?)"     # capture the contents of a double-quoted string as the name
+          :\s*\{             # then skipping a colon, any number of spaces, and an opening brace,
+          :(?<scm>hex|git)   # capture the contents of a Elixir atom as the scm
+          ,\s*               # and, skipping a comma and any number of spaces,
+          (?<contents>.*)    # capture the rest of input as the contents.
+        /x
+
+        # Patterns to extract the version and repo information for each Mix.SCM type.
+        SCM_PATTERN = {
+          # The Hex Package Manager
+          "hex" => /
+            \A                # At the beginning of input
+            :[a-zA-Z0-9_]+    # after an Elixir atom,
+            ,\s*              # and skipping a comma and any number of spaces,
+            "(?<version>.*?)" # capture the contents of a double-quoted string as the version,
+            .*                # and later
+            "(?<repo>.*?)"    # capture the contents of a double-quoted string as the repo
+            \},?\s*\Z         # right before the final closing brace.
+          /x,
+
+          # Git
+          "git" => /
+            \A                # At the beginning of input
+            "(?<repo>.*?)"    # capture the contents of a double-quoted string as the repo
+            ,\s*              # and, skipping a comma and any number of spaces,
+            "(?<version>.*?)" # capture the contents of a second double-quoted string as the version.
+          /x
+        }
+
+        # Parses a mix.lock to extract raw package information.
+        #
+        # path - The path to the mix.lock as a Pathname or String.
+        #
+        # Returns an Array of Hash package entries, or raises a ParserError if
+        # unsuccessful.
+        def self.read(path)
+          lines = File.readlines(path)
+          new(lines).result
+        end
+
+        def initialize(lines)
+          @lines = lines
+        end
+
+        # Parses the input lines.
+        #
+        # Returns an Array of Hash package entries, or raises a ParseError if
+        # unsuccessful.
+        def result
+          # Ignore the first and last lines of the file (the beginning and
+          # ending of the enclosing map).
+          @lines[1..-2].map do |line|
+            parse_line(line)
+          end
+        end
+
+        private
+
+        # Parse a line from the mix.lock file.
+        #
+        # line - A line of input as a String.
+        #
+        # Returns a Hash package entry, or raises a ParserError if unsuccessful.
+        def parse_line(line)
+          match = LINE_PATTERN.match(line)
+          if match
+            data = SCM_PATTERN[match[:scm]].match(match[:contents])
+            if data
+              valid_package_entry(match, data)
+            else
+              invalid_package_entry(match, line)
+            end
+          else
+            raise Licensed::Sources::Source::Error, "Unknown mix.lock line format: #{line}"
+          end
+        end
+
+        # Format a valid package entry.
+        #
+        # match - A MatchData containing name and scm information.
+        # data  - A MatchData containing version and repo information.
+        #
+        # Returns a Hash representing the package.
+        def valid_package_entry(match, data)
+          {
+            name: match[:name],
+            version: data[:version],
+            metadata: {
+              "scm" => match[:scm],
+              "repo" => data[:repo]
+            }
+          }
+        end
+
+        # Format an invalid package entry.
+        #
+        # match - A MatchData containing name and scm information.
+        # line  - The line from mix.lock that could not be parsed, as a String.
+        #
+        # Returns a Hash representing the package, with error information.
+        def invalid_package_entry(match, line)
+          {
+            name: match[:name],
+            version: nil,
+            metadata: {
+              "scm" => match[:scm]
+            },
+            error: "Could not extract data from mix.lock line: #{line}"
+          }
+        end
+      end
+    end
+  end
+end

data/lib/licensed/version.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 module Licensed
-  VERSION = "2.5.0".freeze
+  VERSION = "2.6.0".freeze
 
   def self.previous_major_versions
     major_version = Gem::Version.new(Licensed::VERSION).segments.first

data/script/source-setup/cabal

@@ -16,4 +16,4 @@ if [ "$1" == "-f" ]; then
   find . -not -regex "\.*" -and -not -path "*app*" -print0 | xargs -0 rm -rf
 fi
 
-cabal new-build || (cabal update && cabal install)
+(cabal new-update && cabal new-build) || (cabal update && cabal install)

data/script/source-setup/mix

@@ -0,0 +1,19 @@
+#!/bin/bash
+set -e
+
+if [ -z "$(which mix)" ]; then
+  echo "A local mix installation is required for elixir development." >&2
+  exit 127
+fi
+
+# setup test fixtures
+BASE_PATH="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+cd $BASE_PATH/test/fixtures/mix
+
+if [ "$1" == "-f" ]; then
+  echo "removing old fixture setup..."
+  mix deps.clean --all || true
+  mix clean || true
+fi
+
+mix deps.get

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: licensed
 version: !ruby/object:Gem::Version
-  version: 2.5.0
+  version: 2.6.0
 platform: ruby
 authors:
 - GitHub
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-09-27 00:00:00.000000000 Z
+date: 2019-10-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: licensee
@@ -235,6 +235,7 @@ files:
 - docs/sources/go.md
 - docs/sources/gradle.md
 - docs/sources/manifests.md
+- docs/sources/mix.md
 - docs/sources/npm.md
 - docs/sources/pip.md
 - docs/sources/pipenv.md
@@ -273,6 +274,7 @@ files:
 - lib/licensed/sources/gradle.rb
 - lib/licensed/sources/helpers/content_versioning.rb
 - lib/licensed/sources/manifest.rb
+- lib/licensed/sources/mix.rb
 - lib/licensed/sources/npm.rb
 - lib/licensed/sources/pip.rb
 - lib/licensed/sources/pipenv.rb
@@ -294,6 +296,7 @@ files:
 - script/source-setup/composer
 - script/source-setup/git_submodule
 - script/source-setup/go
+- script/source-setup/mix
 - script/source-setup/npm
 - script/source-setup/pip
 - script/source-setup/pipenv
@@ -317,8 +320,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.8
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Extract and validate the licenses of dependencies.