licensed 2.8.0 → 2.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2613c80ad97c8d19cea10560588a08406388e1860b21c18bfbd322843db428cc
-  data.tar.gz: b34fc3f921feccd667898554166d69cb8d7b327e3756c30a3e418364d57cc4a6
+  metadata.gz: 64aab6dfce9359aa8e821d75416c11d276b67668d14b5db2c135301fd32fcbdd
+  data.tar.gz: 96862d7720c79ae99b7d500c5d15b0956a8a54bab54b811df4f12828427a8bc9
 SHA512:
-  metadata.gz: 720754f1245f1043a2ff4721e0c2b7a403d020cb886277992d1d56a4c2145c588514fdcb18c3a1cd5aaf0d9409a5f839d73691ef0b167fbce69304c9aaf061ed
-  data.tar.gz: f33e96346dbb63b48f78de856094992fa4bf58acd5ff811e9193e8e65e71308d91f4a4dc54bfa2b5b80bba1c3fc5348d94454bc00ddb7d012c20ecbed26ba441
+  metadata.gz: 2b57cd2414d204f2d547b3e1bcc64c026b7816a35afa370cdb315bdbdeccfb06b43b76abcc865cf468ea548b111c8bcce5396818537414732cba0a2256ca0525
+  data.tar.gz: 57f5618394751f20ff73f57209726400ec9197e1c21130cd8123864da7c4f7f3e868bf021d4fe6de0508a2328635178b696180d76e9aa7ff07d5ef6a49b22753

data/.github/workflows/test.yml

@@ -170,7 +170,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go: [ '1.7.x', '1.10.x', '1.11.1' ]
+        go: [ '1.7.x', '1.10.x', '1.11.x', '1.12.x', '1.13.x', '1.14.x' ]
     steps:
     - uses: actions/checkout@master
     - name: Setup go
@@ -342,7 +342,7 @@ jobs:
       run: script/source-setup/pipenv
     - name: Run tests
       run: script/test pipenv
-      
+
   yarn:
     runs-on: ubuntu-latest
     strategy:

data/CHANGELOG.md

@@ -6,6 +6,21 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## 2.9.0
+2020-03-19
+
+## Added
+- Source paths use glob pattern matching (https://github.com/github/licensed/pull/245)
+
+## Fixed
+- Mix source supports updates to mix.lock format (:tada: @bruce https://github.com/github/licensed/pull/242)
+- Go source supports `go list` format changes in go 1.14 (https://github.com/github/licensed/pull/247)
+
+## Changed
+- `licensed cache` will flag dependencies for re-review when license text changes (https://github.com/github/licensed/pull/248)
+- `licensed status` will raise errors on dependencies that need re-review (https://github.com/github/licensed/pull/248)
+- `licensee` minimum version bumped to 9.13.1 (https://github.com/github/licensed/pull/251)
+
 ## 2.8.0
 2020-01-03
 
@@ -265,4 +280,4 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 Initial release :tada:
 
-[Unreleased]: https://github.com/github/licensed/compare/2.8.0...HEAD
+[Unreleased]: https://github.com/github/licensed/compare/2.9.0...HEAD

data/docs/commands.md

@@ -28,6 +28,8 @@ A dependency will fail the status checks if:
 3. The cached record's `licenses` data is empty
 4. The cached record's `license` metadata doesn't match an `allowed` license from the dependency's application configuration.
    - If `license: other` is specified and all of the `licenses` entries match an `allowed` license a failure will not be logged
+5. The cached record is flagged for re-review.
+   - This occurs when the record's license text has changed since the record was reviewed.
 
 ## `env`
 

data/docs/configuration.md

@@ -19,6 +19,22 @@ If a root path is not specified, it will default to using the following, in orde
 1. the root of the local git repository, if run inside a git repository
 2. the current directory
 
+### Source path glob patterns
+
+The `source_path` property can use a glob path to share configuration properties across multiple application entrypoints.
+
+For example, there is a common pattern in go projects to include multiple executable entrypoints under folders in `cmd`.  Using a glob pattern allows users to avoid manually configuring and maintaining multiple licensed application `source_path`s.  Using a glob pattern will also ensure that any new entrypoints matching the pattern are automatically picked up by licensed commands as they are added.
+
+```yml
+sources:
+  go: true
+
+# treat all directories under `cmd` as separate apps
+source_path: cmd/*
+```
+
+Glob patterns are syntactic sugar for, and provide the same functionality as, manually specifying multiple `source_path` values. See the instructions on [specifying multiple apps](./#specifying-multiple-apps) below for additional considerations when using multiple apps.
+
 ## Restricting sources
 
 The `sources` configuration property specifies which sources `licensed` will use to enumerate dependencies.

data/lib/licensed/commands/cache.rb

@@ -45,8 +45,15 @@ module Licensed
         filename = app.cache_path.join(source.class.type, "#{dependency.name}.#{DependencyRecord::EXTENSION}")
         cached_record = Licensed::DependencyRecord.read(filename)
         if options[:force] || save_dependency_record?(dependency, cached_record)
-          # use the cached license value if the license text wasn't updated
-          dependency.record["license"] = cached_record["license"] if dependency.record.matches?(cached_record)
+          if dependency.record.matches?(cached_record)
+            # use the cached license value if the license text wasn't updated
+            dependency.record["license"] = cached_record["license"]
+          elsif cached_record && app.reviewed?(dependency.record)
+            # if the license text changed and the dependency is set as reviewed
+            # force a re-review of the dependency
+            dependency.record["review_changed_license"] = true
+          end
+
           dependency.record.save(filename)
           report["cached"] = true
         end

data/lib/licensed/commands/environment.rb

@@ -23,14 +23,14 @@ module Licensed
             "allowed" => config["allowed"],
             "ignored" => config["ignored"],
             "reviewed" => config["reviewed"],
-            "version_strategy" => self.version_strategy
+            "version_strategy" => self.version_strategy,
+            "root" => config.root
           }
         end
       end
 
       def run(**options)
         super do |report|
-          report["root"] = config.root
           report["git_repo"] = Licensed::Git.git_repo?
         end
       end

data/lib/licensed/commands/status.rb

@@ -35,7 +35,11 @@ module Licensed
         else
           report.errors << "cached dependency record out of date" if cached_record["version"] != dependency.version
           report.errors << "missing license text" if cached_record.licenses.empty?
-          report.errors << "license needs review: #{cached_record["license"]}" if license_needs_review?(app, cached_record)
+          if cached_record["review_changed_license"]
+            report.errors << "license text has changed and needs re-review. if the new text is ok, remove the `review_changed_license` flag from the cached record"
+          elsif license_needs_review?(app, cached_record)
+            report.errors << "license needs review: #{cached_record["license"]}"
+          end
         end
 
         report.errors.empty?

data/lib/licensed/configuration.rb

@@ -4,40 +4,39 @@ require "pathname"
 module Licensed
   class AppConfiguration < Hash
     DEFAULT_CACHE_PATH = ".licenses".freeze
-    DEFAULT_CONFIG_FILES = [
-      ".licensed.yml".freeze,
-      ".licensed.yaml".freeze,
-      ".licensed.json".freeze
-    ].freeze
+
+    # Returns the root for a configuration in following order of precendence:
+    # 1. explicitly configured "root" property
+    # 2. a found git repository root
+    # 3. the current directory
+    def self.root_for(configuration)
+      configuration["root"] || Licensed::Git.repository_root || Dir.pwd
+    end
 
     def initialize(options = {}, inherited_options = {})
       super()
 
       # update order:
       # 1. anything inherited from root config
-      # 2. app defaults
-      # 3. explicitly configured app settings
+      # 2. explicitly configured app settings
       update(inherited_options)
-      update(defaults_for(options, inherited_options))
       update(options)
+      verify_arg "source_path"
 
       self["sources"] ||= {}
       self["reviewed"] ||= {}
       self["ignored"] ||= {}
       self["allowed"] ||= []
-
-      # default the root to the git repository root,
-      # or the current directory if no other options are available
-      self["root"] ||= Licensed::Git.repository_root || Dir.pwd
-
-      verify_arg "source_path"
-      verify_arg "cache_path"
+      self["root"] = AppConfiguration.root_for(self)
+      # defaults to the directory name of the source path if not set
+      self["name"] ||= File.basename(self["source_path"])
+      # setting the cache path might need a valid app name
+      self["cache_path"] = detect_cache_path(options, inherited_options)
     end
 
     # Returns the path to the workspace root as a Pathname.
-    # Defaults to Licensed::Git.repository_root if not explicitly set
     def root
-      Pathname.new(self["root"])
+      @root ||= Pathname.new(self["root"])
     end
 
     # Returns the path to the app cache directory as a Pathname
@@ -102,13 +101,15 @@ module Licensed
 
     private
 
-    def defaults_for(options, inherited_options)
-      name = options["name"] || File.basename(options["source_path"])
+    # Returns the cache path for the application based on:
+    # 1. An explicitly set cache path for the application, if set
+    # 2. An inherited root cache path joined with the app name
+    # 3. The default cache path joined with the app name
+    def detect_cache_path(options, inherited_options)
+      return options["cache_path"] unless options["cache_path"].to_s.empty?
+
       cache_path = inherited_options["cache_path"] || DEFAULT_CACHE_PATH
-      {
-        "name" => name,
-        "cache_path" => File.join(cache_path, name)
-      }
+      File.join(cache_path, self["name"])
     end
 
     def verify_arg(property)
@@ -118,9 +119,18 @@ module Licensed
     end
   end
 
-  class Configuration < AppConfiguration
+  class Configuration
+    DEFAULT_CONFIG_FILES = [
+      ".licensed.yml".freeze,
+      ".licensed.yaml".freeze,
+      ".licensed.json".freeze
+    ].freeze
+
     class LoadError < StandardError; end
 
+    # An array of the applications in this licensed configuration.
+    attr_reader :apps
+
     # Loads and returns a Licensed::Configuration object from the given path.
     # The path can be relative or absolute, and can point at a file or directory.
     # If the path given is a directory, the directory will be searched for a
@@ -133,21 +143,36 @@ module Licensed
 
     def initialize(options = {})
       apps = options.delete("apps") || []
-      super(default_options.merge(options))
-
-      self["apps"] = apps.map { |app| AppConfiguration.new(app, options) }
-    end
-
-    # Returns an array of the applications for this licensed configuration.
-    # If the configuration did not explicitly configure any applications,
-    # return self as an application configuration.
-    def apps
-      return [self] if self["apps"].empty?
-      self["apps"]
+      apps << default_options.merge(options) if apps.empty?
+      apps = apps.flat_map { |app| self.class.expand_app_source_path(app) }
+      @apps = apps.map { |app| AppConfiguration.new(app, options) }
     end
 
     private
 
+    def self.expand_app_source_path(app_config)
+      return app_config if app_config["source_path"].to_s.empty?
+
+      source_path = File.expand_path(app_config["source_path"], AppConfiguration.root_for(app_config))
+      expanded_source_paths = Dir.glob(source_path).select { |p| File.directory?(p) }
+      # return the original configuration if glob didn't result in multiple paths
+      return app_config if expanded_source_paths.size <= 1
+
+      # map the expanded paths to new application configurations
+      expanded_source_paths.map do |path|
+        config = app_config.merge("source_path" => path)
+
+        # update configured values for name and cache_path for uniqueness.
+        # this is only needed when values are explicitly set, AppConfiguration
+        # will handle configurations that don't have these explicitly set
+        dir_name = File.basename(path)
+        config["name"] = "#{config["name"]}-#{dir_name}" if config["name"]
+        config["cache_path"] = File.join(config["cache_path"], dir_name) if config["cache_path"]
+
+        config
+      end
+    end
+
     # Find a default configuration file in the given directory.
     # File preference is given by the order of elements in DEFAULT_CONFIG_FILES
     #
@@ -198,7 +223,7 @@ module Licensed
       # manually set a cache path without additional name
       {
         "source_path" => Dir.pwd,
-        "cache_path" => DEFAULT_CACHE_PATH
+        "cache_path" => AppConfiguration::DEFAULT_CACHE_PATH
       }
     end
   end

data/lib/licensed/git.rb

@@ -11,7 +11,9 @@ module Licensed
       # or nil if not in a git repository.
       def repository_root
         return unless available?
-        Licensed::Shell.execute("git", "rev-parse", "--show-toplevel", allow_failure: true)
+        root = Licensed::Shell.execute("git", "rev-parse", "--show-toplevel", allow_failure: true)
+        return nil if root.empty?
+        root
       end
 
       # Returns true if a git repository is found, false otherwise

data/lib/licensed/sources/go.rb

@@ -15,7 +15,8 @@ module Licensed
       def enumerate_dependencies
         with_configured_gopath do
           packages.map do |package|
-            import_path = non_vendored_import_path(package["ImportPath"])
+            import_path = non_vendored_path(package["ImportPath"], root_package["ImportPath"])
+            import_path ||= package["ImportPath"]
             error = package.dig("Error", "Err") if package["Error"]
 
             Dependency.new(
@@ -86,14 +87,17 @@ module Licensed
         # true if go standard packages includes the import path as given
         return true if go_std_packages.include?(import_path)
         return true if go_std_packages.include?("vendor/#{import_path}")
+        return true if go_std_packages.include?(import_path.sub("golang.org", "internal"))
 
         # additional checks are only for vendored dependencies - return false
         # if package isn't vendored
-        return false unless vendored_path?(import_path)
+        non_vendored_import_path = non_vendored_path(import_path, root_package["ImportPath"])
+        return false unless non_vendored_import_path
 
         # return true if any of the go standard packages matches against
         # the non-vendored import path
-        return true if go_std_packages.include?(non_vendored_import_path(import_path))
+        return true if go_std_packages.include?(non_vendored_import_path)
+        return true if go_std_packages.include?(non_vendored_import_path.sub("golang.org", "internal"))
 
         # modify the import path to look like the import path `go list` returns for vendored std packages
         vendor_path = import_path.sub("#{root_package["ImportPath"]}/", "")
@@ -104,7 +108,7 @@ module Licensed
       def local_package?(package)
         return false unless package && package["ImportPath"]
         import_path = package["ImportPath"]
-        import_path.start_with?(root_package["ImportPath"]) && !vendored_path?(import_path)
+        import_path.start_with?(root_package["ImportPath"]) && !import_path.include?("vendor/")
       end
 
       # Returns the version for a given package
@@ -150,34 +154,37 @@ module Licensed
         return if package.nil?
 
         # search root choices:
-        # 1. module directory if using go modules
+        # 1. module directory if using go modules and directory is available
         # 2. vendor folder if package is vendored
         # 3. package root value if available
         # 4. GOPATH if the package directory is under the gopath
         # 5. nil
-        return package.dig("Module", "Dir") if package["Module"]
-        return package["Dir"].match("^(.*/vendor)/.*$")[1] if vendored_path?(package["Dir"])
+        module_dir = package.dig("Module", "Dir")
+        return module_dir if module_dir
+        return package["Dir"].match("^(.*/vendor)/.*$")[1] if vendored_path?(package["Dir"], config.root)
         return package["Root"] if package["Root"]
         return gopath if package["Dir"]&.start_with?(gopath)
         nil
       end
 
-      # Returns whether a package is vendored or not based on the package
-      # import_path
+      # Returns whether a package is vendored or not based on a base path and
+      # whether the path contains a vendor component
       #
       # path - Package path to test
-      def vendored_path?(path)
-        return false if path.nil?
-        path.start_with?(root_package["ImportPath"]) && path.include?("vendor/")
+      # base - The base path that the input must start with
+      def vendored_path?(path, base)
+        return false if path.nil? || base.nil?
+        path.start_with?(base.to_s) && path.include?("vendor/")
       end
 
-      # Returns the import path parameter without the vendor component
+      # Returns the path parameter without the vendor component if one is found
       #
-      # import_path - Package import path with vendor component
-      def non_vendored_import_path(import_path)
-        return unless import_path
-        return import_path unless vendored_path?(import_path)
-        import_path.split("vendor/")[1]
+      # path - Package path with vendor component
+      # base - The base path that the input must start with
+      def non_vendored_path(path, base)
+        return unless path
+        return unless vendored_path?(path, base)
+        path.split("vendor/")[1]
       end
 
       # Returns a hash of information about the package with a given import path

data/lib/licensed/sources/mix.rb

@@ -93,8 +93,12 @@ module Licensed
             :[a-zA-Z0-9_]+    # after an Elixir atom,
             ,\s*              # and skipping a comma and any number of spaces,
             "(?<version>.*?)" # capture the contents of a double-quoted string as the version,
-            .*                # and later
+            .*?\],\s*         # and later
             "(?<repo>.*?)"    # capture the contents of a double-quoted string as the repo
+            (?:
+              ,\s*            # a comma
+              "[a-f0-9]{64}"  # a digest
+            )?
             \},?\s*\Z         # right before the final closing brace.
           /x,
 

data/lib/licensed/version.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 module Licensed
-  VERSION = "2.8.0".freeze
+  VERSION = "2.9.0".freeze
 
   def self.previous_major_versions
     major_version = Gem::Version.new(Licensed::VERSION).segments.first

data/licensed.gemspec

@@ -23,7 +23,7 @@ Gem::Specification.new do |spec|
 
   spec.required_ruby_version = ">= 2.3.0"
 
-  spec.add_dependency "licensee", "~> 9.10"
+  spec.add_dependency "licensee", ">= 9.13.1", "< 10.0.0"
   spec.add_dependency "thor", "~> 0.19"
   spec.add_dependency "pathname-common_prefix", "~> 0.0.1"
   spec.add_dependency "tomlrb", "~> 1.2"
@@ -31,7 +31,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "ruby-xxHash", "~> 0.4"
   spec.add_dependency "parallel", ">= 0.18.0"
 
-  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rake", ">= 12.3.3"
   spec.add_development_dependency "minitest", "~> 5.8"
   spec.add_development_dependency "mocha", "~> 1.0"
   spec.add_development_dependency "rubocop", "~> 0.49", "< 0.67"

data/script/bootstrap

@@ -2,4 +2,5 @@
 set -euo pipefail
 IFS=$'\n\t'
 
-bundle install --path vendor/gems
+bundle config set path 'vendor/gems'
+bundle install

metadata

@@ -1,29 +1,35 @@
 --- !ruby/object:Gem::Specification
 name: licensed
 version: !ruby/object:Gem::Version
-  version: 2.8.0
+  version: 2.9.0
 platform: ruby
 authors:
 - GitHub
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-01-03 00:00:00.000000000 Z
+date: 2020-03-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: licensee
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 9.13.1
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '9.10'
+        version: 10.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '9.10'
+        version: 9.13.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 10.0.0
 - !ruby/object:Gem::Dependency
   name: thor
   requirement: !ruby/object:Gem::Requirement
@@ -112,16 +118,16 @@ dependencies:
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement