licensed 3.2.1 → 3.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 157405d5c26fe8026b4c8d521a5753be821bb2727d9713f7732e2601699660e7
-  data.tar.gz: 1f02c3bf319500352632331f72dfc40cbfaf6a0d00350570223d3b37b2496ca7
+  metadata.gz: 204627468559ebbf7283c41b74374a244f5aed5c885c4b9dcfc6fe59a8443c4a
+  data.tar.gz: f6db3198bf7bd592e8e1512803e408091dfe6230984c9aa166bbdf7d16edb1df
 SHA512:
-  metadata.gz: fa9b3832cfda8a30f99c7718a6e4c9433145e37cb51070c5e1a59009ff5b29269353ddeb68480196bd1f1680bd8c01c4ddd3538bea2f7401fcddcdb542f62ada
-  data.tar.gz: ee5718fb34a1d23738849101b121db785fdc83d587d0f7750c2cc1e613f0c8a6ece707e427bb18473f04ef67569499db28e75ce80f14f0dde2cd09e18ed14053
+  metadata.gz: 5669804505cd5277a292eb51b6d46beda9f9a16e9ede968855ab9df95cdd45bd43564c15fdc45e80a9fe109c190584b93078f45588de78c689f0a93c86278bec
+  data.tar.gz: 7c57aa1d0a8bbe39860464a5efcec2d72bf06bd61b6b018c3b856547e7e0a6900e3dba4a440a41fed211b71b368a300d453a811f6fd11b65d82aa612bb7b203a

data/CHANGELOG.md

@@ -6,6 +6,47 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## 3.3.1
+
+2021-10-07
+
+### Fixed
+
+- Fix evaluation of peer dependencies with npm 7 (:tada: @manuelpuyol https://github.com/github/licensed/pull/411)
+
+### Changed
+
+- Manifest source evaluation performance improvements (https://github.com/github/licensed/pull/407)
+
+## 3.3.0
+
+2021-09-18
+
+### Added
+
+- New cargo source enumerates rust dependencies (https://github.com/github/licensed/pull/404)
+
+### Changed
+
+- Removed non-functional files from gem builds (https://github.com/github/licensed/pull/405)
+
+## 3.2.3
+
+2021-09-14
+
+### Fixed
+
+- Bundler source will no longer infinitely recurse when enumerating specifications (https://github.com/github/licensed/pull/402)
+- Using the `--sources` command line option will no longer delete skipped sources' cached files (https://github.com/github/licensed/pull/401)
+
+## 3.2.2
+
+2021-09-09
+
+### Fixed
+
+- Bundler source works properly again when used outside of `bundle exec` (https://github.com/github/licensed/pull/397)
+
 ## 3.2.1
 
 2021-09-06
@@ -480,4 +521,4 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 Initial release :tada:
 
-[Unreleased]: https://github.com/github/licensed/compare/3.2.1...HEAD
+[Unreleased]: https://github.com/github/licensed/compare/3.3.1...HEAD

data/docs/sources/cargo.md

@@ -0,0 +1,19 @@
+# Cargo
+
+The cargo source will detect dependencies when `Cargo.toml` is found at an apps `source_path`.  The source uses the `cargo metadata` CLI and reports on all dependencies that are listed in the output in `resolve.nodes`, excluding packages that are listed in `workspace_members`.
+
+## Metadata CLI options
+
+Licensed by default runs `cargo metadata --format-version=1`.  You can specify additional CLI options by specifying them in your licensed configuration file under `cargo.metadata_options`.  The configuration can be set as a string, or as an array of strings for multiple options.
+
+```yml
+cargo:
+  metadata_options: '--all-features'
+```
+
+```yml
+cargo:
+  metadata_options:
+    - '--all-features'
+    - '--filter-platform x86_64-pc-windows-msvc'
+```

data/lib/licensed/commands/cache.rb

@@ -39,11 +39,13 @@ module Licensed
       #
       # Returns whether the command succeeded for the dependency source enumerator
       def run_source(app, source, report)
+        result = super
+
         # add the full cache path to the list of cache paths
         # that should be cleaned up after the command run
-        cache_paths << app.cache_path.join(source.class.type)
+        cache_paths << app.cache_path.join(source.class.type) unless result == :skipped
 
-        super
+        result
       end
 
       # Cache dependency record data.

data/lib/licensed/commands/command.rb

@@ -121,13 +121,16 @@ module Licensed
       # source - A dependency source enumerator
       # report - A report object for this source
       #
-      # Returns whether the command succeeded for the dependency source enumerator
+      # Returns whether the command succeeded, failed, or was skipped for the dependency source enumerator
       def run_source(app, source, report)
         reporter.begin_report_source(source, report)
 
         if !sources_overrides.empty? && !sources_overrides.include?(source.class.type)
           report.warnings << "skipped source"
-          return true
+
+          # return a symbol to speficy the source was skipped.
+          # This is truthy and will result in the source being considered successful
+          return :skipped
         end
 
         dependencies = source.dependencies.sort_by { |dependency| dependency.name }

data/lib/licensed/sources/bundler/missing_specification.rb

@@ -38,17 +38,20 @@ module Licensed
         "could not find #{name} (#{version}) in any sources"
       end
     end
+
+    module LazySpecification
+      def __materialize__
+        spec = super
+        return spec if spec
+
+        Licensed::Bundler::MissingSpecification.new(name: name, version: version, platform: platform, source: source)
+      end
+    end
   end
 end
 
 module Bundler
   class LazySpecification
-    alias_method :orig_materialize, :__materialize__
-    def __materialize__
-      spec = orig_materialize
-      return spec if spec
-
-      Licensed::Bundler::MissingSpecification.new(name: name, version: version, platform: platform, source: source)
-    end
+    prepend ::Licensed::Bundler::LazySpecification
   end
 end

data/lib/licensed/sources/bundler.rb

@@ -109,9 +109,11 @@ module Licensed
 
             # reset bundler to load from the current app's source path
             ::Bundler.reset!
-            ::Bundler.load
           end
 
+          # ensure the bundler environment is loaded before enumeration
+          ::Bundler.load
+
           yield
         end
       ensure
@@ -119,8 +121,10 @@ module Licensed
           # restore bundler configuration
           ENV.replace(backup)
           ::Bundler.reset!
-          ::Bundler.load
         end
+
+        # reload the bundler environment after enumeration
+        ::Bundler.load
       end
 
       # Returns whether the current licensed execution is running ruby-packer

data/lib/licensed/sources/cargo.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+require "json"
+
+module Licensed
+  module Sources
+    class Cargo < Source
+      # Source is enabled when the cargo tool and Cargo.toml manifest file are available
+      def enabled?
+        return false unless Licensed::Shell.tool_available?("cargo")
+        config.pwd.join("Cargo.toml").exist?
+      end
+
+      def enumerate_dependencies
+        packages.map do |package|
+          Dependency.new(
+            name: "#{package["name"]}-#{package["version"]}",
+            version: package["version"],
+            path: File.dirname(package["manifest_path"]),
+            metadata: {
+              "name" => package["name"],
+              "type" => Cargo.type,
+              "summary" => package["description"],
+              "homepage" => package["homepage"]
+            }
+          )
+        end
+      end
+
+      # Returns the package data for all dependencies used to build the current package
+      def packages
+        cargo_metadata_resolved_node_ids.map { |id| cargo_metadata_packages[id] }
+      end
+
+      # Returns the ids of all resolved nodes used to build the current package
+      def cargo_metadata_resolved_node_ids
+        cargo_metadata.dig("resolve", "nodes")
+                      .map { |node| node["id"] }
+                      .reject { |id| cargo_metadata_workspace_members.include?(id) }
+
+      end
+
+      # Returns a hash of id => package pairs sourced from the "packages" cargo metadata property
+      def cargo_metadata_packages
+        @cargo_metadata_packages ||= cargo_metadata["packages"].each_with_object({}) do |package, hsh|
+          hsh[package["id"]] = package
+        end
+      end
+
+      # Returns a set of the ids of packages in the current workspace
+      def cargo_metadata_workspace_members
+        @cargo_metadata_workspace_members ||= Set.new(Array(cargo_metadata["workspace_members"]))
+      end
+
+      # Returns parsed JSON metadata returned from the cargo CLI
+      def cargo_metadata
+        @cargo_metadata ||= JSON.parse(cargo_metadata_command)
+      rescue JSON::ParserError => e
+        message = "Licensed was unable to parse the output from 'cargo metadata'. JSON Error: #{e.message}"
+        raise Licensed::Sources::Source::Error, message
+      end
+
+      # Runs a command to get cargo metadata for the current package
+      def cargo_metadata_command
+        options = Array(config.dig("cargo", "metadata_options")).flat_map(&:split)
+        Licensed::Shell.execute("cargo", "metadata", "--format-version=1", *options)
+      end
+    end
+  end
+end

data/lib/licensed/sources/manifest.rb

@@ -61,7 +61,7 @@ module Licensed
         manifest.each_with_object({}) do |(src, package_name), hsh|
           next if src.nil? || src.empty?
           hsh[package_name] ||= []
-          hsh[package_name] << File.join(config.root, src)
+          hsh[package_name] << File.absolute_path(src, config.root)
         end
       end
 
@@ -130,19 +130,17 @@ module Licensed
         @configured_dependencies ||= begin
           dependencies = config.dig("manifest", "dependencies")&.dup || {}
 
-          dependencies.each do |name, patterns|
+          dependencies.each_with_object({}) do |(name, patterns), hsh|
             # map glob pattern(s) listed for the dependency to a listing
             # of files that match the patterns and are not excluded
-            dependencies[name] = files_from_pattern_list(patterns) & included_files
+            hsh[name] = files_from_pattern_list(patterns) & included_files
           end
-
-          dependencies
         end
       end
 
       # Returns the set of project files that are included in dependency evaluation
       def included_files
-        @sources ||= all_files - files_from_pattern_list(config.dig("manifest", "exclude"))
+        @included_files ||= tracked_files - files_from_pattern_list(config.dig("manifest", "exclude"))
       end
 
       # Finds and returns all files in the project that match
@@ -151,26 +149,23 @@ module Licensed
         return Set.new if patterns.nil? || patterns.empty?
 
         # evaluate all patterns from the project root
-        Dir.chdir config.root do
-          Array(patterns).reduce(Set.new) do |files, pattern|
-            if pattern.start_with?("!")
-              # if the pattern is an exclusion, remove all matching files
-              # from the result
-              files - Dir.glob(pattern[1..-1], File::FNM_DOTMATCH)
-            else
-              # if the pattern is an inclusion, add all matching files
-              # to the result
-              files + Dir.glob(pattern, File::FNM_DOTMATCH)
-            end
+        Array(patterns).each_with_object(Set.new) do |pattern, files|
+          if pattern.start_with?("!")
+            # if the pattern is an exclusion, remove all matching files
+            # from the result
+            files.subtract(Dir.glob(pattern[1..-1], File::FNM_DOTMATCH, base: config.root))
+          else
+            # if the pattern is an inclusion, add all matching files
+            # to the result
+            files.merge(Dir.glob(pattern, File::FNM_DOTMATCH, base: config.root))
           end
         end
       end
 
-      # Returns all tracked files in the project
-      def all_files
-        # remove files if they are tracked but don't exist on the file system
-        @all_files ||= Set.new(Licensed::Git.files || [])
-                          .delete_if { |f| !File.exist?(File.join(Licensed::Git.repository_root, f)) }
+      # Returns all tracked files in the project as the intersection of what git tracks and the files in the project
+      def tracked_files
+        @tracked_files ||= Set.new(Array(Licensed::Git.files)) &
+                           Set.new(Dir.glob("**/*", File::FNM_DOTMATCH, base: config.root))
       end
 
       class Dependency < Licensed::Dependency

data/lib/licensed/sources/npm.rb

@@ -66,15 +66,17 @@ module Licensed
 
       # Recursively parse dependency JSON data.  Returns a hash mapping the
       # package name to it's metadata
-      def recursive_dependencies(dependencies, result = {})
+      def recursive_dependencies(dependencies, result = {}, parent = nil)
         dependencies.each do |name, dependency|
-          next if dependency["peerMissing"]
+          next if missing_peer?(parent, dependency, name)
           next if yarn_lock_present && dependency["missing"]
           next if dependency["extraneous"] && dependency["missing"]
 
           dependency["name"] = name
+          dependency["version"] ||= extract_version(parent, name) if dependency["missing"]
+
           (result[name] ||= []) << dependency
-          recursive_dependencies(dependency["dependencies"] || {}, result)
+          recursive_dependencies(dependency["dependencies"] || {}, result, dependency)
         end
         result
       end
@@ -135,6 +137,18 @@ module Licensed
       def include_non_production?
         config.dig("npm", "production_only") == false
       end
+
+      def missing_peer?(parent, dependency, name)
+        dependency["peerMissing"] || (dependency["missing"] && peer_dependency(parent, name))
+      end
+
+      def peer_dependency(parent, name)
+        parent&.dig("peerDependencies", name)
+      end
+
+      def extract_version(parent, name)
+        parent&.dig("_dependencies", name) || peer_dependency(parent, name)
+      end
     end
   end
 end

data/lib/licensed/sources.rb

@@ -5,6 +5,7 @@ module Licensed
     require "licensed/sources/bower"
     require "licensed/sources/bundler"
     require "licensed/sources/cabal"
+    require "licensed/sources/cargo"
     require "licensed/sources/composer"
     require "licensed/sources/dep"
     require "licensed/sources/git_submodule"

data/lib/licensed/version.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 module Licensed
-  VERSION = "3.2.1".freeze
+  VERSION = "3.3.1".freeze
 
   def self.previous_major_versions
     major_version = Gem::Version.new(Licensed::VERSION).segments.first

data/licensed.gemspec

@@ -16,7 +16,7 @@ Gem::Specification.new do |spec|
   spec.homepage      = "https://github.com/github/licensed"
   spec.license       = "MIT"
 
-  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test/|script/|docker/|\..+)}) }
   spec.bindir        = "exe"
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: licensed
 version: !ruby/object:Gem::Version
-  version: 3.2.1
+  version: 3.3.1
 platform: ruby
 authors:
 - GitHub
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-09-06 00:00:00.000000000 Z
+date: 2021-10-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: licensee
@@ -238,13 +238,6 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
-- ".github/dependabot.yml"
-- ".github/workflows/release.yml"
-- ".github/workflows/test.yml"
-- ".gitignore"
-- ".licensed.yml"
-- ".rubocop.yml"
-- ".ruby-version"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - CONTRIBUTING.md
@@ -252,7 +245,6 @@ files:
 - LICENSE
 - README.md
 - Rakefile
-- docker/Dockerfile.build-linux
 - docs/adding_a_new_source.md
 - docs/commands/README.md
 - docs/commands/cache.md
@@ -280,6 +272,7 @@ files:
 - docs/sources/bower.md
 - docs/sources/bundler.md
 - docs/sources/cabal.md
+- docs/sources/cargo.md
 - docs/sources/composer.md
 - docs/sources/dep.md
 - docs/sources/git_submodule.md
@@ -326,6 +319,7 @@ files:
 - lib/licensed/sources/bundler/definition.rb
 - lib/licensed/sources/bundler/missing_specification.rb
 - lib/licensed/sources/cabal.rb
+- lib/licensed/sources/cargo.rb
 - lib/licensed/sources/composer.rb
 - lib/licensed/sources/dep.rb
 - lib/licensed/sources/git_submodule.rb
@@ -344,28 +338,6 @@ files:
 - lib/licensed/ui/shell.rb
 - lib/licensed/version.rb
 - licensed.gemspec
-- script/bootstrap
-- script/cibuild
-- script/console
-- script/package
-- script/packages/build
-- script/packages/linux
-- script/packages/mac
-- script/setup
-- script/source-setup/bower
-- script/source-setup/bundler
-- script/source-setup/cabal
-- script/source-setup/composer
-- script/source-setup/git_submodule
-- script/source-setup/go
-- script/source-setup/mix
-- script/source-setup/npm
-- script/source-setup/nuget
-- script/source-setup/pip
-- script/source-setup/pipenv
-- script/source-setup/swift
-- script/source-setup/yarn
-- script/test
 homepage: https://github.com/github/licensed
 licenses:
 - MIT

data/.github/dependabot.yml

@@ -1,19 +0,0 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
-
-version: 2
-updates:
-  - package-ecosystem: github-actions
-    directory: /
-    schedule:
-      interval: daily
-  - package-ecosystem: bundler
-    directory: /
-    schedule:
-      interval: weekly
-  - package-ecosystem: docker
-    directory: docker
-    schedule:
-      interval: weekly