licensed 3.0.1 → 3.2.2

data/lib/licensed/sources/npm.rb

@@ -33,11 +33,12 @@ module Licensed
 
       def enumerate_dependencies
         packages.map do |name, package|
-          path = package["path"]
+          errors = package["problems"] unless package["path"]
           Dependency.new(
             name: name,
-            version: package["version"],
-            path: path,
+            version: package["version"] || package["required"],
+            path: package["path"],
+            errors: Array(errors),
             metadata: {
               "type"     => NPM.type,
               "name"     => package["name"],

data/lib/licensed/sources/nuget.rb

@@ -164,7 +164,7 @@ module Licensed
       end
 
       def project_assets_file_path
-        File.join(config.pwd, "project.assets.json")
+        File.join(config.pwd, nuget_obj_path, "project.assets.json")
       end
 
       def project_assets_file
@@ -172,6 +172,17 @@ module Licensed
         @project_assets_file = File.read(project_assets_file_path)
       end
 
+      def project_assets_json
+        @project_assets_json ||= JSON.parse(project_assets_file)
+      rescue JSON::ParserError => e
+        message = "Licensed was unable to read the project.assets.json file. Error: #{e.message}"
+        raise Licensed::Sources::Source::Error, message
+      end
+
+      def nuget_obj_path
+        config.dig("nuget", "obj_path") || ""
+      end
+
       def enabled?
         File.exist?(project_assets_file_path)
       end
@@ -180,32 +191,50 @@ module Licensed
       # Ideally we'd use `dotnet list package` instead, but its output isn't
       # easily machine readable and doesn't contain everything we need.
       def enumerate_dependencies
-        json = JSON.parse(project_assets_file)
-        nuget_packages_dir = json["project"]["restore"]["packagesPath"]
-        json["targets"].each_with_object({}) do |(_, target), dependencies|
-          target.each do |reference_key, reference|
-            # Ignore project references
-            next unless reference["type"] == "package"
-            package_id_parts = reference_key.partition("/")
-            name = package_id_parts[0]
-            version = package_id_parts[-1]
-            id = "#{name}-#{version}"
-
-            # Already know this package from another target
-            next if dependencies.key?(id)
-
-            path = File.join(nuget_packages_dir, json["libraries"][reference_key]["path"])
-            dependencies[id] = NuGetDependency.new(
-              name: id,
-              version: version,
-              path: path,
-              metadata: {
-                "type" => NuGet.type,
-                "name" => name
-              }
-            )
-          end
-        end.values
+        reference_keys.map do |reference_key|
+          package_id_parts = reference_key.partition("/")
+          name = package_id_parts[0]
+          version = package_id_parts[-1]
+          id = "#{name}-#{version}"
+
+          path = full_dependency_path(reference_key)
+          error = "Package #{id} path was not found in project.assets.json, or does not exist on disk at any project package folder" if path.nil?
+
+          NuGetDependency.new(
+            name: id,
+            version: version,
+            path: path,
+            errors: Array(error),
+            metadata: {
+              "type" => NuGet.type,
+              "name" => name
+            }
+          )
+        end
+      end
+
+      # Returns a unique set of the package reference keys used across all target groups
+      def reference_keys
+        all_reference_keys = project_assets_json["targets"].flat_map do |_, references|
+          references.select { |key, reference| reference["type"] == "package" }
+                    .keys
+        end
+
+        Set.new(all_reference_keys)
+      end
+
+      # Returns a dependency's path, if it exists, in one of the project's global or fallback package folders
+      def full_dependency_path(reference_key)
+        dependency_path = project_assets_json.dig("libraries", reference_key, "path")
+        return unless dependency_path
+
+        nuget_package_dirs = [
+          project_assets_json.dig("project", "restore", "packagesPath"),
+          *Array(project_assets_json.dig("project", "restore", "fallbackFolders"))
+        ].compact
+
+        nuget_package_dirs.map { |dir| File.join(dir, dependency_path) }
+                          .find { |path| File.directory?(path) }
       end
     end
   end

data/lib/licensed/sources/swift.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+require "json"
+require "pathname"
+require "uri"
+
+module Licensed
+  module Sources
+    class Swift < Source
+      def enabled?
+        return unless Licensed::Shell.tool_available?("swift") && swift_package?
+        File.exist?(package_resolved_file_path)
+      end
+
+      def enumerate_dependencies
+        pins.map { |pin|
+          name = pin["package"]
+          version = pin.dig("state", "version")
+          path = dependency_path_for_url(pin["repositoryURL"])
+          error = "Unable to determine project path from #{url}" unless path
+
+          Dependency.new(
+            name: name,
+            path: path,
+            version: version,
+            errors: Array(error),
+            metadata: {
+              "type"      => Swift.type,
+              "homepage"  => homepage_for_url(pin["repositoryURL"])
+            }
+          )
+        }
+      end
+
+      private
+
+      def pins
+        return @pins if defined?(@pins)
+
+        @pins = begin
+          json = JSON.parse(File.read(package_resolved_file_path))
+          json.dig("object", "pins")
+        rescue => e
+          message = "Licensed was unable to read the Package.resolved file. Error: #{e.message}"
+          raise Licensed::Sources::Source::Error, message
+        end
+      end
+
+      def dependency_path_for_url(url)
+        last_path_component = URI(url).path.split("/").last.sub(/\.git$/, "")
+        File.join(config.pwd, ".build", "checkouts", last_path_component)
+      rescue URI::InvalidURIError
+      end
+
+      def homepage_for_url(url)
+        return unless %w{http https}.include?(URI(url).scheme)
+        url.sub(/\.git$/, "")
+      rescue URI::InvalidURIError
+      end
+
+      def package_resolved_file_path
+        File.join(config.pwd, "Package.resolved")
+      end
+
+      def swift_package?
+        Licensed::Shell.success?("swift", "package", "describe")
+      end
+    end
+  end
+end

data/lib/licensed/sources.rb

@@ -14,6 +14,7 @@ module Licensed
     require "licensed/sources/nuget"
     require "licensed/sources/pip"
     require "licensed/sources/pipenv"
+    require "licensed/sources/swift"
     require "licensed/sources/gradle"
     require "licensed/sources/mix"
     require "licensed/sources/yarn"

data/lib/licensed/version.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 module Licensed
-  VERSION = "3.0.1".freeze
+  VERSION = "3.2.2".freeze
 
   def self.previous_major_versions
     major_version = Gem::Version.new(Licensed::VERSION).segments.first

data/lib/licensed.rb

@@ -6,6 +6,7 @@ require "licensed/dependency"
 require "licensed/git"
 require "licensed/sources"
 require "licensed/configuration"
+require "licensed/report"
 require "licensed/reporters"
 require "licensed/commands"
 require "licensed/ui/shell"

data/licensed.gemspec

@@ -26,16 +26,16 @@ Gem::Specification.new do |spec|
   spec.add_dependency "licensee", ">= 9.14.0", "< 10.0.0"
   spec.add_dependency "thor", ">= 0.19"
   spec.add_dependency "pathname-common_prefix", "~> 0.0.1"
-  spec.add_dependency "tomlrb", "~> 1.2"
+  spec.add_dependency "tomlrb", ">= 1.2", "< 3.0"
   spec.add_dependency "bundler", ">= 1.10"
   spec.add_dependency "ruby-xxHash", "~> 0.4"
   spec.add_dependency "parallel", ">= 0.18.0"
-  spec.add_dependency "reverse_markdown", "~> 1.0"
+  spec.add_dependency "reverse_markdown", ">= 1", "< 3"
 
   spec.add_development_dependency "rake", ">= 12.3.3"
   spec.add_development_dependency "minitest", "~> 5.8"
   spec.add_development_dependency "mocha", "~> 1.0"
-  spec.add_development_dependency "rubocop", "~> 0.49", "< 0.67"
+  spec.add_development_dependency "rubocop", "~> 0.49", "< 1.20"
   spec.add_development_dependency "rubocop-github", "~> 0.6"
-  spec.add_development_dependency "byebug", "~> 10.0.0"
+  spec.add_development_dependency "byebug", "~> 11.0.1"
 end

data/script/source-setup/go

@@ -25,7 +25,7 @@ if [ "$1" == "-f" ]; then
   fi
 fi
 
-(cd src/test && go get)
+(export GO111MODULE=off && cd src/test && go get)
 if go help mod >/dev/null; then
   (cd src/modules_test && GO111MODULE=on go mod download)
 fi

data/script/source-setup/swift

@@ -0,0 +1,22 @@
+#!/bin/bash
+set -e
+
+if [ -z "$(which swift)" ]; then
+  echo "A local swift installation is required for swift development." >&2
+  exit 127
+fi
+
+swift --version
+
+BASE_PATH="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+cd $BASE_PATH/test/fixtures/swift
+
+if [ "$1" == "-f" ]; then
+  find . -not -regex "\.*" \
+    -and -not -path "*/Package.swift" \
+    -and -not -path "*/Sources*" \
+    -and -not -path "*/Tests*" \
+    -print0 | xargs -0 rm -rf
+fi
+
+swift package resolve

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: licensed
 version: !ruby/object:Gem::Version
-  version: 3.0.1
+  version: 3.2.2
 platform: ruby
 authors:
 - GitHub
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-05-18 00:00:00.000000000 Z
+date: 2021-09-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: licensee
@@ -62,16 +62,22 @@ dependencies:
   name: tomlrb
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -118,16 +124,22 @@ dependencies:
   name: reverse_markdown
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -179,7 +191,7 @@ dependencies:
         version: '0.49'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '0.67'
+        version: '1.20'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -189,7 +201,7 @@ dependencies:
         version: '0.49'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '0.67'
+        version: '1.20'
 - !ruby/object:Gem::Dependency
   name: rubocop-github
   requirement: !ruby/object:Gem::Requirement
@@ -210,14 +222,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 10.0.0
+        version: 11.0.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 10.0.0
+        version: 11.0.1
 description: Licensed automates extracting and validating the licenses of dependencies.
 email:
 - opensource+licensed@github.com
@@ -226,6 +238,7 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/dependabot.yml"
 - ".github/workflows/release.yml"
 - ".github/workflows/test.yml"
 - ".gitignore"
@@ -241,8 +254,25 @@ files:
 - Rakefile
 - docker/Dockerfile.build-linux
 - docs/adding_a_new_source.md
-- docs/commands.md
+- docs/commands/README.md
+- docs/commands/cache.md
+- docs/commands/env.md
+- docs/commands/list.md
+- docs/commands/migrate.md
+- docs/commands/notices.md
+- docs/commands/status.md
+- docs/commands/version.md
 - docs/configuration.md
+- docs/configuration/README.md
+- docs/configuration/allowed_licenses.md
+- docs/configuration/application_name.md
+- docs/configuration/application_source.md
+- docs/configuration/configuration_root.md
+- docs/configuration/configuring_multiple_apps.md
+- docs/configuration/dependency_source_enumerators.md
+- docs/configuration/ignoring_dependencies.md
+- docs/configuration/metadata_cache.md
+- docs/configuration/reviewing_dependencies.md
 - docs/migrations/v2.md
 - docs/migrations/v3.md
 - docs/packaging.md
@@ -262,6 +292,7 @@ files:
 - docs/sources/pip.md
 - docs/sources/pipenv.md
 - docs/sources/stack.md
+- docs/sources/swift.md
 - docs/sources/yarn.md
 - exe/licensed
 - lib/licensed.rb
@@ -279,6 +310,7 @@ files:
 - lib/licensed/git.rb
 - lib/licensed/migrations.rb
 - lib/licensed/migrations/v2.rb
+- lib/licensed/report.rb
 - lib/licensed/reporters.rb
 - lib/licensed/reporters/cache_reporter.rb
 - lib/licensed/reporters/json_reporter.rb
@@ -291,6 +323,7 @@ files:
 - lib/licensed/sources.rb
 - lib/licensed/sources/bower.rb
 - lib/licensed/sources/bundler.rb
+- lib/licensed/sources/bundler/definition.rb
 - lib/licensed/sources/bundler/missing_specification.rb
 - lib/licensed/sources/cabal.rb
 - lib/licensed/sources/composer.rb
@@ -306,6 +339,7 @@ files:
 - lib/licensed/sources/pip.rb
 - lib/licensed/sources/pipenv.rb
 - lib/licensed/sources/source.rb
+- lib/licensed/sources/swift.rb
 - lib/licensed/sources/yarn.rb
 - lib/licensed/ui/shell.rb
 - lib/licensed/version.rb
@@ -329,6 +363,7 @@ files:
 - script/source-setup/nuget
 - script/source-setup/pip
 - script/source-setup/pipenv
+- script/source-setup/swift
 - script/source-setup/yarn
 - script/test
 homepage: https://github.com/github/licensed

data/docs/commands.md

@@ -1,95 +0,0 @@
-# Commands
-
-Run `licensed -h` to see help content for running licensed commands.
-
-## `list`
-
-Running the list command finds the dependencies for all sources in all configured applications.  No additional actions are taken on each dependency.
-
-An optional `--sources` flag can be given to limit which dependency sources are run.  This is a filter over sources that are enabled via the licensed configuration file and cannot be used to run licensed with a disabled source.
-
-## `cache`
-
-The cache command finds all dependencies and ensures that each dependency has an up-to-date cached record.
-
-An optional `--sources` flag can be given to limit which dependency sources are run.  This is a filter over sources that are enabled via the licensed configuration file and cannot be used to run licensed with a disabled source.
-
-Dependency records will be saved if:
-1. The `force` option is set
-2. No cached record is found
-3. The cached record's version is different than the current dependency's version
-   - If the cached record's license text contents matches the current dependency's license text then the `license` metadata from the cached record is retained for the new saved record.
-
-After the cache command is run, any cached records that don't match up to a current application dependency will be deleted.
-
-## `status`
-
-The status command finds all dependencies and checks whether each dependency has a valid cached record.
-
-An optional `--sources` flag can be given to limit which dependency sources are run.  This is a filter over sources that are enabled via the licensed configuration file and cannot be used to run licensed with a disabled source.
-
-A dependency will fail the status checks if:
-1. No cached record is found
-2. The cached record's version is different than the current dependency's version
-3. The cached record's `licenses` data is empty
-4. The cached record's `license` metadata doesn't match an `allowed` license from the dependency's application configuration.
-   - If `license: other` is specified and all of the `licenses` entries match an `allowed` license a failure will not be logged
-5. The cached record is flagged for re-review.
-   - This occurs when the record's license text has changed since the record was reviewed.
-
-## `notices`
-
-Outputs license and notice text for all dependencies in each app into a `NOTICE` file in the app's `cache_path`.  If an app uses a shared cache path, the file name will contain the app name as well, e.g. `NOTICE.my_app`.
-
-An optional `--sources` flag can be given to limit which dependency sources are run.  This is a filter over sources that are enabled via the licensed configuration file and cannot be used to run licensed with a disabled source.
-
-The `NOTICE` file contents are retrieved from cached records, with the assumption that cached records have already been reviewed in a compliance workflow.
-
-## `env`
-
-Prints the runtime environment used by licensed after loading a configuration file.  By default the output is in YAML format, but can be output in JSON using the `--json` flag.
-
-The output will not be equivalent to configuration input.  For example, all paths will be
-
-## `version`
-
-Displays the current licensed version.
-
-# Adding a new command
-
-## Implement new `Command` class
-
-Licensed commands inherit and override the [`Licensed::Sources::Command`](../lib/licensed/commands/command.rb) class.
-
-#### Required method overrides
-1. `Licensed::Commands::Command#evaluate_dependency`
-   - Runs a command execution on an application dependency.
-
-The `evaluate_dependency` method should contain the specific command logic.  This method has access to the application configuration, dependency source enumerator and dependency currently being evaluated as well as a reporting hash to contain information about the command execution.
-
-#### Optional method overrides
-
-The following methods break apart the different levels of command execution.  Each method wraps lower levels of command execution in a corresponding reporter method.
-
-1. `Licensed::Commands::Command#run`
-   - Runs `run_app` for each application configuration found.  Wraps the execution of all applications in `Reporter#report_run`.
-2. `Licensed::Commands::Command#run_app`
-   - Runs `run_source` for each dependency source enumerator enabled for the application configuration.  Wraps the execution of all sources in `Reporter#report_app`.
-3. `Licensed::Commands::Command#run_source`
-   - Runs `run_dependency` for each dependency found in the source.  Wraps the execution of all dependencies in `Reporter#report_source`.
-4. `Licensed::Commands::Command#run_dependency`
-   - Runs `evaluate_dependency` for the dependency.  Wraps the execution of all dependencies in `Reporter#report_dependency`.
-
-As an example, `Licensed::Commands::Command#run_app` calls `Reporter#report_app` to wrap every call to `Licensed::Commands::Command#run_source`.
-
-##### Specifying additional report data
-
-The `run` methods can be overridden and pass a block to `super` to provide additional reporting data or functionality.
-
-```ruby
-def run_app(app)
-  super do |report|
-    report["my_app_data"] = true
-  end
-end
-```