licensed 2.9.0 → 2.11.1

data/lib/licensed/reporters/reporter.rb

@@ -47,6 +47,9 @@ module Licensed
 
       def initialize(shell = Licensed::UI::Shell.new)
         @shell = shell
+        @run_report = nil
+        @app_report = nil
+        @source_report = nil
       end
 
       # Generate a report for a licensed command execution

data/lib/licensed/reporters/status_reporter.rb

@@ -15,20 +15,20 @@ module Licensed
           result = yield report
 
           all_reports = report.all_reports
-          errored_reports = all_reports.select { |report| report.errors.any? }.to_a
+          errored_reports = all_reports.select { |r| r.errors.any? }.to_a
 
-          dependency_count = all_reports.select { |report| report.target.is_a?(Licensed::Dependency) }.size
-          error_count = errored_reports.sum { |report| report.errors.size }
+          dependency_count = all_reports.select { |r| r.target.is_a?(Licensed::Dependency) }.size
+          error_count = errored_reports.sum { |r| r.errors.size }
 
           if error_count > 0
             shell.newline
             shell.error "Errors:"
-            errored_reports.each do |report|
-              display_metadata = report.map { |k, v| "#{k}: #{v}" }.join(", ")
+            errored_reports.each do |r|
+              display_metadata = r.map { |k, v| "#{k}: #{v}" }.join(", ")
 
-              shell.error "* #{report.name}"
+              shell.error "* #{r.name}"
               shell.error "  #{display_metadata}" unless display_metadata.empty?
-              report.errors.each do |error|
+              r.errors.each do |error|
                 shell.error "    - #{error}"
               end
               shell.newline

data/lib/licensed/sources.rb

@@ -11,6 +11,7 @@ module Licensed
     require "licensed/sources/go"
     require "licensed/sources/manifest"
     require "licensed/sources/npm"
+    require "licensed/sources/nuget"
     require "licensed/sources/pip"
     require "licensed/sources/pipenv"
     require "licensed/sources/gradle"

data/lib/licensed/sources/cabal.rb

@@ -111,11 +111,11 @@ module Licensed
         info = package_info_command(id).strip
         return missing_package(id) if info.empty?
 
-        info.lines.each_with_object({}) do |line, info|
+        info.lines.each_with_object({}) do |line, hsh|
           key, value = line.split(":", 2).map(&:strip)
           next unless key && value
 
-          info[key] = value
+          hsh[key] = value
         end
       end
 

data/lib/licensed/sources/go.rb

@@ -120,12 +120,12 @@ module Licensed
         return go_mod["Version"] if go_mod
 
         package_directory = package["Dir"]
-        return unless package_directory
+        return unless package_directory && File.exist?(package_directory)
 
         # find most recent git SHA for a package, or nil if SHA is
         # not available
         Dir.chdir package_directory do
-          contents_version *contents_version_arguments
+          contents_version(*contents_version_arguments)
         end
       end
 

data/lib/licensed/sources/npm.rb

@@ -48,6 +48,7 @@ module Licensed
       # package name to it's metadata
       def recursive_dependencies(dependencies, result = {})
         dependencies.each do |name, dependency|
+          next if dependency["peerMissing"]
           next if yarn_lock_present && dependency["missing"]
           (result[name] ||= []) << dependency
           recursive_dependencies(dependency["dependencies"] || {}, result)

data/lib/licensed/sources/nuget.rb

@@ -0,0 +1,212 @@
+# frozen_string_literal: true
+require "json"
+require "reverse_markdown"
+
+module Licensed
+  module Sources
+    # Only supports ProjectReference (project.assets.json) style restore used in .NET Core.
+    # Does not currently support packages.config style restore.
+    class NuGet < Source
+      def self.type
+        "nuget"
+      end
+
+      class NuGetDependency < Licensed::Dependency
+        LICENSE_FILE_REGEX = /<license\s*type\s*=\s*\"\s*file\s*\"\s*>\s*(.*)\s*<\/license>/ix.freeze
+        LICENSE_URL_REGEX = /<licenseUrl>\s*(.*)\s*<\/licenseUrl>/ix.freeze
+        PROJECT_URL_REGEX = /<projectUrl>\s*(.*)\s*<\/projectUrl>/ix.freeze
+        PROJECT_DESC_REGEX = /<description>\s*(.*)\s*<\/description>/ix.freeze
+
+        # Returns the metadata that represents this dependency.  This metadata
+        # is written to YAML in the dependencys cached text file
+        def license_metadata
+          super.tap do |record_metadata|
+            record_metadata["homepage"] = project_url if project_url
+            record_metadata["summary"] = description if description
+          end
+        end
+
+        def nuspec_path
+          name = @metadata["name"]
+          File.join(self.path, "#{name.downcase}.nuspec")
+        end
+
+        def nuspec_contents
+          return @nuspec_contents if defined?(@nuspec_contents)
+          @nuspec_contents = begin
+            return unless nuspec_path && File.exist?(nuspec_path)
+            File.read(nuspec_path)
+          end
+        end
+
+        def project_url
+          return @project_url if defined?(@project_url)
+          @project_url = begin
+            return unless nuspec_contents
+            match = nuspec_contents.match PROJECT_URL_REGEX
+            match[1] if match && match[1]
+          end
+        end
+
+        def description
+          return @description if defined?(@description)
+          @description = begin
+            return unless nuspec_contents
+            match = nuspec_contents.match PROJECT_DESC_REGEX
+            match[1] if match && match[1]
+          end
+        end
+
+        def project_files
+          @nuget_project_files ||= begin
+            files = super().flatten.compact
+
+            # Only include the local file if it's a file licensee didn't already detect
+            nuspec_license_filename = File.basename(nuspec_local_license_file.filename) if nuspec_local_license_file
+            if nuspec_license_filename && files.none? { |file| File.basename(file.filename) == nuspec_license_filename }
+              files.push(nuspec_local_license_file)
+            end
+
+            # Only download licenseUrl if no recognized license was found locally
+            if files.none? { |file| file.license && file.license.key != "other" }
+              files.push(nuspec_remote_license_file)
+            end
+
+            files.compact
+          end
+        end
+
+        # Look for a <license type="file"> element in the nuspec that points to an
+        # on-disk license file (which licensee may not find due to a non-standard filename)
+        def nuspec_local_license_file
+          return @nuspec_local_license_file if defined?(@nuspec_local_license_file)
+          return unless nuspec_contents
+
+          match = nuspec_contents.match LICENSE_FILE_REGEX
+          return unless match && match[1]
+
+          license_path = File.join(File.dirname(nuspec_path), match[1])
+          return unless File.exist?(license_path)
+
+          license_data = File.read(license_path)
+          @nuspec_local_license_file = Licensee::ProjectFiles::LicenseFile.new(license_data, license_path)
+        end
+
+        # Look for a <licenseUrl> element in the nuspec that either is known to contain a license identifier
+        # in the URL, or points to license text on the internet that can be downloaded.
+        def nuspec_remote_license_file
+          return @nuspec_remote_license_file if defined?(@nuspec_remote_license_file)
+          return unless nuspec_contents
+
+          match = nuspec_contents.match LICENSE_URL_REGEX
+          return unless match && match[1]
+
+          # Attempt to fetch the license content
+          license_content = self.class.retrieve_license(match[1])
+          @nuspec_remote_license_file = Licensee::ProjectFiles::LicenseFile.new(license_content, { uri: match[1] }) if license_content
+        end
+
+        class << self
+          def strip_html(html)
+            return unless html
+
+            return html unless html.downcase.include?("<html")
+            ReverseMarkdown.convert(html, unknown_tags: :bypass)
+          end
+
+          def ignored_url?(url)
+            # Many Microsoft packages that now use <license> use this for <licenseUrl>
+            # No need to fetch this page - it just contains NuGet documentation
+            url == "https://aka.ms/deprecateLicenseUrl"
+          end
+
+          def text_content_url(url)
+            # Convert github file URLs to raw URLs
+            return url unless match = url.match(/https?:\/\/(?:www\.)?github.com\/([^\/]+)\/([^\/]+)\/blob\/(.*)/i)
+            "https://github.com/#{match[1]}/#{match[2]}/raw/#{match[3]}"
+          end
+
+          def retrieve_license(url)
+            return unless url
+            return if ignored_url?(url)
+
+            # Transform URLs that are known to return HTML but have a corresponding text-based URL
+            text_url = text_content_url(url)
+
+            raw_content = fetch_content(text_url)
+            strip_html(raw_content)
+          end
+
+          def fetch_content(url, redirect_limit = 5)
+            url = URI.parse(url) if url.instance_of? String
+            return @response_by_url[url] if (@response_by_url ||= {}).key?(url)
+            return if redirect_limit == 0
+
+            begin
+              response = Net::HTTP.get_response(url)
+              case response
+              when Net::HTTPSuccess     then
+                @response_by_url[url] = response.body
+              when Net::HTTPRedirection then
+                redirect_url = URI.parse(response["location"])
+                if redirect_url.relative?
+                  redirect_url = url + redirect_url
+                end
+                # The redirect might be to a URL that requires transformation, i.e. a github file
+                redirect_url = text_content_url(redirect_url.to_s)
+                @response_by_url[url] = fetch_content(redirect_url, redirect_limit - 1)
+              end
+            rescue
+              # Host might no longer exist or some other error, ignore
+            end
+          end
+        end
+      end
+
+      def project_assets_file_path
+        File.join(config.pwd, "project.assets.json")
+      end
+
+      def project_assets_file
+        return @project_assets_file if defined?(@project_assets_file)
+        @project_assets_file = File.read(project_assets_file_path)
+      end
+
+      def enabled?
+        File.exist?(project_assets_file_path)
+      end
+
+      # Inspect project.assets.json files for package references.
+      # Ideally we'd use `dotnet list package` instead, but its output isn't
+      # easily machine readable and doesn't contain everything we need.
+      def enumerate_dependencies
+        json = JSON.parse(project_assets_file)
+        nuget_packages_dir = json["project"]["restore"]["packagesPath"]
+        json["targets"].each_with_object({}) do |(_, target), dependencies|
+          target.each do |reference_key, reference|
+            # Ignore project references
+            next unless reference["type"] == "package"
+            package_id_parts = reference_key.partition("/")
+            name = package_id_parts[0]
+            version = package_id_parts[-1]
+            id = "#{name}-#{version}"
+
+            # Already know this package from another target
+            next if dependencies.key?(id)
+
+            path = File.join(nuget_packages_dir, json["libraries"][reference_key]["path"])
+            dependencies[id] = NuGetDependency.new(
+              name: id,
+              version: version,
+              path: path,
+              metadata: {
+                "type" => NuGet.type,
+                "name" => name
+              }
+            )
+          end
+        end.values
+      end
+    end
+  end
+end

data/lib/licensed/version.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 module Licensed
-  VERSION = "2.9.0".freeze
+  VERSION = "2.11.1".freeze
 
   def self.previous_major_versions
     major_version = Gem::Version.new(Licensed::VERSION).segments.first

data/licensed.gemspec

@@ -23,13 +23,14 @@ Gem::Specification.new do |spec|
 
   spec.required_ruby_version = ">= 2.3.0"
 
-  spec.add_dependency "licensee", ">= 9.13.1", "< 10.0.0"
-  spec.add_dependency "thor", "~> 0.19"
+  spec.add_dependency "licensee", ">= 9.14.0", "< 10.0.0"
+  spec.add_dependency "thor", ">= 0.19"
   spec.add_dependency "pathname-common_prefix", "~> 0.0.1"
   spec.add_dependency "tomlrb", "~> 1.2"
   spec.add_dependency "bundler", ">= 1.10"
   spec.add_dependency "ruby-xxHash", "~> 0.4"
   spec.add_dependency "parallel", ">= 0.18.0"
+  spec.add_dependency "reverse_markdown", "~> 1.0"
 
   spec.add_development_dependency "rake", ">= 12.3.3"
   spec.add_development_dependency "minitest", "~> 5.8"

data/script/source-setup/nuget

@@ -0,0 +1,17 @@
+#!/bin/bash
+set -e
+
+if [ -z "$(which dotnet)" ]; then
+  echo "A local dotnet installation is required for dotnet/nuget development." >&2
+  exit 127
+fi
+
+# setup test fixtures
+BASE_PATH="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+cd $BASE_PATH/test/fixtures/nuget
+
+if [ "$1" == "-f" ]; then
+  dotnet clean
+fi
+
+dotnet restore

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: licensed
 version: !ruby/object:Gem::Version
-  version: 2.9.0
+  version: 2.11.1
 platform: ruby
 authors:
 - GitHub
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-03-19 00:00:00.000000000 Z
+date: 2020-06-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: licensee
@@ -16,7 +16,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 9.13.1
+        version: 9.14.0
     - - "<"
       - !ruby/object:Gem::Version
         version: 10.0.0
@@ -26,7 +26,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 9.13.1
+        version: 9.14.0
     - - "<"
       - !ruby/object:Gem::Version
         version: 10.0.0
@@ -34,14 +34,14 @@ dependencies:
   name: thor
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0.19'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0.19'
 - !ruby/object:Gem::Dependency
@@ -114,6 +114,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 0.18.0
+- !ruby/object:Gem::Dependency
+  name: reverse_markdown
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -257,6 +271,7 @@ files:
 - docs/sources/manifests.md
 - docs/sources/mix.md
 - docs/sources/npm.md
+- docs/sources/nuget.md
 - docs/sources/pip.md
 - docs/sources/pipenv.md
 - docs/sources/stack.md
@@ -269,6 +284,7 @@ files:
 - lib/licensed/commands/command.rb
 - lib/licensed/commands/environment.rb
 - lib/licensed/commands/list.rb
+- lib/licensed/commands/notices.rb
 - lib/licensed/commands/status.rb
 - lib/licensed/configuration.rb
 - lib/licensed/dependency.rb
@@ -280,6 +296,7 @@ files:
 - lib/licensed/reporters/cache_reporter.rb
 - lib/licensed/reporters/json_reporter.rb
 - lib/licensed/reporters/list_reporter.rb
+- lib/licensed/reporters/notices_reporter.rb
 - lib/licensed/reporters/reporter.rb
 - lib/licensed/reporters/status_reporter.rb
 - lib/licensed/reporters/yaml_reporter.rb
@@ -297,6 +314,7 @@ files:
 - lib/licensed/sources/manifest.rb
 - lib/licensed/sources/mix.rb
 - lib/licensed/sources/npm.rb
+- lib/licensed/sources/nuget.rb
 - lib/licensed/sources/pip.rb
 - lib/licensed/sources/pipenv.rb
 - lib/licensed/sources/source.rb
@@ -320,6 +338,7 @@ files:
 - script/source-setup/go
 - script/source-setup/mix
 - script/source-setup/npm
+- script/source-setup/nuget
 - script/source-setup/pip
 - script/source-setup/pipenv
 - script/source-setup/yarn