licensed 3.9.1 → 4.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8fc5dda597e72ea3231515620aa042c3daaa07ae652d78328000048fb476386e
-  data.tar.gz: a772502d860cefdd4a6710432a3a5406abc2c81bd99dd82307b9ddbaf47d40cd
+  metadata.gz: 7606d0b5e5f3755ee329a1963cda970c021deab08680c619731ed6fb3ba547da
+  data.tar.gz: 668a2d87d8019284b6ce02bccdda851ad186f03cc7d389fbdd659473affc08cf
 SHA512:
-  metadata.gz: f5dd491826706986ac7503340ab6dddd122653f394b313e96f3cf0652502cedfc0e201b660ac657591e3e4fde507e6c60237680118e90ca053ab27effa35b0f6
-  data.tar.gz: aed36ca1cf19673579fa8ffdf0e196e3e8edff5111515dcd0b3c0afcdf90d1b2e79ba558366f548ede7d6a86bdc1f37218967ed28943f9c05151d5a5450fbefb
+  metadata.gz: '064129baadae7345b5c05e2635cc1850b8ce8321f1e2df803b5fc6d6704556a1337c7d1561024775801cf5cb4158b6c25657b06a0a9baf5ccac7a7453f35fa53'
+  data.tar.gz: b3c6ba7179d7b777665f29b5cace4536181a428a5995c5e7d1d168b4ba6012fd333d191eb6ce23ab7b971a9cb8231dbfb999743c72bf91a1efe78ddec78223b7

data/CHANGELOG.md

@@ -6,6 +6,58 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## 4.1.0
+
+### Added
+
+- Custom license terms can be added to dependencies via new configuration options (https://github.com/github/licensed/pull/624)
+- Licensed is now integrated with pnpm to enumerate dependencies (https://github.com/github/licensed/pull/626)
+
+## 4.0.4
+
+### Changed
+
+- Dependency version requirements are more relaxed (https://github.com/github/licensed/pull/619)
+
+## 4.0.3
+
+### Changed
+
+- Cocoapods dependency enumeration has been disabled (https://github.com/github/licensed/pull/616)
+
+### Fixed
+
+- Fixed method signature change in Bundler API with Bundler >= 2.4.4 (:tada: @CvX https://github.com/github/licensed/pull/614)
+- Fixed installation dependency compatibility with Rails >= 7.0 (https://github.com/github/licensed/pull/616)
+
+## 4.0.2
+
+### Fixed
+
+- The path to a gradlew executable can be configured when enumerating gradle dependencies (:tada: @LouisBoudreau https://github.com/github/licensed/pull/610)
+
+## 4.0.1
+
+### Fixed
+
+- Running gradle tests will no longer fail when gradle is not available (https://github.com/github/licensed/pull/606)
+
+## 4.0.0
+
+### Added
+
+- Licensed supports Cocoapods as a dependency source (:tada: @LouisBoudreau https://github.com/github/licensed/pull/584)
+- Licensed supports Gradle multi-project builds (:tada: @LouisBoudreau https://github.com/github/licensed/pull/583)
+
+### Fixed
+
+- Licensed no longer crashes when run with Bundler >= 2.4.0 (:tada: @JoshReedSchramm https://github.com/github/licensed/pull/597)
+
+### Changed
+
+- BREAKING: Licensed no longer ships executables with releases (https://github.com/github/licensed/pull/586)
+- BREAKING: Licensed no longer includes support for Go <= 1.11 (https://github.com/github/licensed/pull/602)
+
 ## 3.9.1
 
 ### Fixed
@@ -661,4 +713,4 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 Initial release :tada:
 
-[Unreleased]: https://github.com/github/licensed/compare/3.9.1...HEAD
+[Unreleased]: https://github.com/github/licensed/compare/4.1.0...HEAD

data/CONTRIBUTING.md

@@ -59,8 +59,6 @@ The following steps will happen automatically from a GitHub Actions workflow
 after creating the release. In case that fails, the following steps can be performed manually
 
 11. Push the gem from (7) to rubygems.org -- `gem push licensed-x.xx.xx.gem`
-12. Build packages for new tag: `VERSION=x.xx.xx bundle exec rake package`
-13. Upload packages from (12) to release from (10)
 
 ## Resources
 

data/Gemfile.lock

@@ -0,0 +1,112 @@
+PATH
+  remote: .
+  specs:
+    licensed (4.1.0)
+      json (~> 2.6)
+      licensee (~> 9.16)
+      parallel (~> 1.22)
+      pathname-common_prefix (~> 0.0.1)
+      reverse_markdown (~> 2.1)
+      ruby-xxHash (~> 0.4.0)
+      thor (~> 1.2)
+      tomlrb (~> 2.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activesupport (7.0.4.2)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      tzinfo (~> 2.0)
+    addressable (2.8.1)
+      public_suffix (>= 2.0.2, < 6.0)
+    ast (2.4.2)
+    byebug (11.1.3)
+    concurrent-ruby (1.2.0)
+    dotenv (2.8.1)
+    faraday (2.7.4)
+      faraday-net_http (>= 2.0, < 3.1)
+      ruby2_keywords (>= 0.0.4)
+    faraday-net_http (3.0.2)
+    i18n (1.12.0)
+      concurrent-ruby (~> 1.0)
+    json (2.6.3)
+    licensee (9.16.0)
+      dotenv (~> 2.0)
+      octokit (>= 4.20, < 7.0)
+      reverse_markdown (>= 1, < 3)
+      rugged (>= 0.24, < 2.0)
+      thor (>= 0.19, < 2.0)
+    mini_portile2 (2.8.1)
+    minitest (5.17.0)
+    mocha (2.0.2)
+      ruby2_keywords (>= 0.0.5)
+    nokogiri (1.14.0)
+      mini_portile2 (~> 2.8.0)
+      racc (~> 1.4)
+    octokit (6.0.1)
+      faraday (>= 1, < 3)
+      sawyer (~> 0.9)
+    parallel (1.22.1)
+    parser (3.2.0.0)
+      ast (~> 2.4.1)
+    pathname-common_prefix (0.0.1)
+    public_suffix (5.0.1)
+    racc (1.6.2)
+    rack (3.0.4.1)
+    rainbow (3.1.1)
+    rake (13.0.6)
+    regexp_parser (2.6.2)
+    reverse_markdown (2.1.1)
+      nokogiri
+    rexml (3.2.5)
+    rubocop (1.44.1)
+      json (~> 2.3)
+      parallel (~> 1.10)
+      parser (>= 3.2.0.0)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.8, < 3.0)
+      rexml (>= 3.2.5, < 4.0)
+      rubocop-ast (>= 1.24.1, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 2.4.0, < 3.0)
+    rubocop-ast (1.24.1)
+      parser (>= 3.1.1.0)
+    rubocop-github (0.20.0)
+      rubocop (>= 1.37)
+      rubocop-performance (>= 1.15)
+      rubocop-rails (>= 2.17)
+    rubocop-performance (1.15.2)
+      rubocop (>= 1.7.0, < 2.0)
+      rubocop-ast (>= 0.4.0)
+    rubocop-rails (2.17.4)
+      activesupport (>= 4.2.0)
+      rack (>= 1.1)
+      rubocop (>= 1.33.0, < 2.0)
+    ruby-progressbar (1.11.0)
+    ruby-xxHash (0.4.0.2)
+    ruby2_keywords (0.0.5)
+    rugged (1.5.1)
+    sawyer (0.9.2)
+      addressable (>= 2.3.5)
+      faraday (>= 0.17.3, < 3)
+    thor (1.2.1)
+    tomlrb (2.0.3)
+    tzinfo (2.0.5)
+      concurrent-ruby (~> 1.0)
+    unicode-display_width (2.4.2)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  byebug (~> 11.1)
+  licensed!
+  minitest (~> 5.17)
+  mocha (~> 2.0)
+  rake (~> 13.0)
+  rubocop-github (~> 0.20)
+
+BUNDLED WITH
+   2.3.26

data/README.md

@@ -1,8 +1,6 @@
 # Licensed
 
-Licensed caches the licenses of dependencies and checks their status.
-
-Licensed is available as a Ruby gem for Ruby environments, and as a self-contained executable for non-Ruby environments.
+Licensed caches the licenses of dependencies and checks their status, and is available as a Ruby gem.
 
 Licensed is **not** a complete open source license compliance solution. Please understand the important [disclaimer](#disclaimer) below to make appropriate use of Licensed.
 
@@ -12,6 +10,10 @@ Licensed is **not** a complete open source license compliance solution. Please u
 
 Licensed is in active development and currently used at GitHub.  See the [open issues](https://github.com/github/licensed/issues) for a list of potential work.
 
+## Licensed v4 - **Removed support for non-Ruby environments**
+
+Licensed v4 no longer provides a self-contained executable build of licensed.  Please see [the deprecation notice](https://github.com/github/licensed/issues/585) for more context.
+
 ## Licensed v3
 
 Licensed v3 includes a breaking change if both of the following are true:
@@ -59,19 +61,12 @@ And then execute:
 $> bundle
 ```
 
-### As an executable
-
-Download a package from GitHub and extract the executable.  Executable packages are available for each release starting with version 1.2.0.
+### With a Homebrew (on macOS)
 
 ```bash
-$> curl -sSL https://github.com/github/licensed/releases/download/<version>/licensed-<version>-<os>-x64.tar.gz > licensed.tar.gz
-$> tar -xzf licensed.tar.gz
-$> rm -f licensed.tar.gz
-$> ./licensed list
+brew install licensed
 ```
 
-For system wide usage, install licensed to a location on `$PATH`, e.g. `/usr/local/bin`.
-
 ## Usage
 
 See [getting started](./docs/getting_started.md) for guidance using Licensed as part of your developer workflow.

data/Rakefile

@@ -72,32 +72,6 @@ Rake::TestTask.new(:test) do |t|
   t.test_files = FileList["test/**/*_test.rb"].exclude("test/fixtures/**/*_test.rb")
 end
 
-packages_search = File.expand_path("script/packages/*", __dir__)
-platforms = Dir[packages_search].map { |f| File.basename(f, ".*") }
-                                .reject { |f| f == "build" }
-
-namespace :package do
-  platforms.each do |platform|
-    desc "Package licensed for #{platform}"
-    task platform.to_sym do
-      puts "Packaging licensed for #{platform}"
-
-      if Bundler.with_original_env { system("script/packages/#{platform}") }
-        # green
-        puts "\033[32mCompleted packaging for #{platform}.\e[0m"
-      else
-        # red
-        puts "\033[31mEncountered an error packaging for #{platform}.\e[0m"
-      end
-
-      puts
-    end
-  end
-end
-
-desc "Package licensed for all platforms"
-task package: platforms.map { |platform| "package:#{platform}" }
-
 # add rubocop task
 # -S adds styleguide urls to offense messages
 RuboCop::RakeTask.new do |t|

data/docs/configuration/README.md

@@ -9,3 +9,4 @@
 1. [Allowed licenses](./allowed_licenses.md)
 1. [Ignoring dependencies](./ignoring_dependencies.md)
 1. [Reviewing dependencies](./reviewing_dependencies.md)
+1. [Additional license terms](./additional_terms.md)

data/docs/configuration/additional_terms.md

@@ -0,0 +1,41 @@
+# Additional terms
+
+The `additional_terms` configuration option is used to specify paths to files containing extra licensing terms that do not ship with the dependency package. All files specified are expected to be plain text.
+
+Files containing additional content can be located anywhere on disk that is accessible to licensed.  File paths can be specified as a string or array and can contain glob values to simplify configuration inputs.  All file paths are evaluated from the [configuration root](./configuration_root.md).
+
+## Examples
+
+**Note** The examples below specify paths to additional files under the `.licenses` folder.  This is a logical place to store files containing license terms, but be careful not to store files under paths managed by licensed like `.licenses/<source type>/...`.  Running `licensed cache` in the future will delete any files under licensed managed paths that licensed did not create.  This is why the below examples use paths like `.licenses/amendments/bundler/...` instead of not `.licenses/bundler/amendments/...`.
+
+### With a string
+
+```yaml
+additional_terms:
+  # specify the type of dependency
+  bundler:
+    # specify the dependency name and path to an additional file
+    <gem-name>: .licenses/amendments/bundler/<gem-name>/terms.txt
+```
+
+### With a glob string
+
+```yaml
+additional_terms:
+  # specify the type of dependency
+  bundler:
+    # specify the dependency name and one or more additional files with a glob pattern
+    <gem-name>: .licenses/amendments/bundler/<gem-name>/*.txt
+```
+
+### With an array of strings
+
+```yaml
+additional_terms:
+  # specify the type of dependency
+  bundler:
+    # specify the dependency name and array of paths to additional files
+    <gem-name>:
+      - .licenses/amendments/bundler/<gem-name>/terms-1.txt
+      - .licenses/amendments/bundler/<gem-name>/terms-2.txt
+```

data/docs/configuration.md

@@ -67,6 +67,13 @@ reviewed:
   - classlist # public domain
   - octicons
 
+# Specify additional license terms that have been obtained from a dependency's owner
+# which apply to the dependency's license 
+additional_terms:
+  bundler:
+    bcrypt-ruby:
+      - .licenses/amendments/bundler/bcrypt-ruby/amendment.txt
+
 # A single configuration file can be used to enumerate dependencies for multiple
 # projects.  Each configuration is referred to as an "application" and must include
 # a source path, at a minimum

data/docs/sources/bundler.md

@@ -2,8 +2,6 @@
 
 The bundler source will detect dependencies `Gemfile` and `Gemfile.lock` files are found at an apps `source_path`.  The source uses the `Bundler` API to enumerate dependencies from `Gemfile` and `Gemfile.lock`.
 
-**Note** The bundler source cannot be used when running the [packaged licensed executable](../packaging.md)
-
 ### Excluding gem groups
 
 The bundler source determines which gem groups to include or exclude with the following logic, in order of precedence.

data/docs/sources/cocoapods.md

@@ -0,0 +1,17 @@
+# CocoaPods
+
+**NOTE!**: Enumerating Cocoapods dependencies is disabled until the cocoapods-core gem is compatible with Rails 7+.  See https://github.com/CocoaPods/Core/pull/733
+
+The cocoapods source will detect dependencies when `Podfile` and `Podfile.lock` are found at an app's `source_path`.
+
+It uses the `pod` CLI commands to enumerate dependencies and gather metadata on each package.
+
+## Evaluating dependencies from a specific target
+
+The `cocoapods.targets` property is used to specify which targets to analyze dependencies from. By default, dependencies from all targets will be analyzed.
+
+```yml
+cocoapods:
+  targets:
+    - ios
+```

data/docs/sources/gradle.md

@@ -14,3 +14,21 @@ gradle:
     - runtime
     - runtimeClassPath
 ```
+
+### Multi-build projects
+
+To run `licensed` for specific projects in a [multi-build project](https://docs.gradle.org/current/userguide/multi_project_builds.html) you must specify the [apps](../configuration/application_source.md) configuration key.
+
+```yml
+apps:
+  - source_path: ./path/to/subproject
+```
+
+### Gradlew
+
+The `gradle.gradlew` property is used to determine where the `gradlew` executable is. The default location the [configuration root](../configuration/configuration_root.md).
+
+```yml
+gradle:
+  gradlew: path/from/root/to/gradle/gradlew
+```

data/docs/sources/pnpm.md

@@ -0,0 +1,18 @@
+# pnpm
+
+The npm source will detect dependencies when `pnpm-lock.yaml` is found at an apps `source_path`.  It uses `pnpm licenses list` to enumerate dependencies and metadata.
+
+**NOTE** [pnpm licenses list](https://pnpm.io/cli/licenses) is an experimental CLI command and subject to change.  If changes to pnpm result in unexpected or broken behavior in licensed please open an [issue](https://github.com/github/licensed/issues/new).
+
+## Including development dependencies
+
+By default, the npm source will exclude all development dependencies. To include development or test dependencies, set `production_only: false` in the licensed configuration.
+
+```yml
+pnpm:
+  production_only: false
+```
+
+## Using licensed with pnpm workspaces
+
+Licensed will locate all dependencies from all pnpm workspaces and cannot enumerate dependencies from individual project workspaces.  This is a limitation from the pnpm CLI.

data/lib/licensed/configuration.rb

@@ -109,6 +109,12 @@ module Licensed
       self["allowed"] << license
     end
 
+    # Returns an array of paths to files containing additional license terms.
+    def additional_terms_for_dependency(dependency)
+      amendment_paths = Array(self.dig("additional_terms", dependency["type"], dependency["name"]))
+      amendment_paths.flat_map { |path| Dir.glob(self.root.join(path)) }
+    end
+
     private
 
     def any_list_pattern_matched?(list, dependency, match_version: false)
@@ -355,7 +361,6 @@ module Licensed
     def default_options
       # manually set a cache path without additional name
       {
-        "source_path" => Dir.pwd,
         "cache_path" => AppConfiguration::DEFAULT_CACHE_PATH
       }
     end

data/lib/licensed/dependency.rb

@@ -9,6 +9,7 @@ module Licensed
     attr_reader :version
     attr_reader :errors
     attr_reader :path
+    attr_reader :additional_terms
 
     # Create a new project dependency
     #
@@ -28,6 +29,7 @@ module Licensed
       @errors = errors
       path = path.to_s
       @path = path
+      @additional_terms = []
 
       # enforcing absolute paths makes life much easier when determining
       # an absolute file path in #notices
@@ -80,6 +82,13 @@ module Licensed
       files.compact
     end
 
+
+    # Override the behavior of Licensee::Projects::FSProject#project_files to include
+    # additional license terms
+    def project_files
+      super + additional_license_terms_files
+    end
+
     # Returns legal notices found at the dependency path
     def notice_contents
       Dir.glob(dir_path.join("*"))
@@ -102,6 +111,7 @@ module Licensed
     def license_content_sources(files)
       paths = Array(files).map do |file|
         next file[:uri] if file[:uri]
+        next file[:source] if file[:source]
 
         path = dir_path.join(file[:dir], file[:name])
         normalize_source_path(path)
@@ -157,5 +167,22 @@ module Licensed
         "text" => text
       }
     end
+
+    # Returns an array of Licensee::ProjectFiles::LicenseFile created from
+    # this dependency's additional license terms
+    def additional_license_terms_files
+      @additional_license_terms_files ||= begin
+        files = additional_terms.map do |path|
+          next unless File.file?(path)
+
+          metadata = { dir: File.dirname(path), name: File.basename(path) }
+          Licensee::ProjectFiles::LicenseFile.new(
+            load_file(metadata),
+            { source: "License terms loaded from #{metadata[:name]}" }
+          )
+        end
+        files.compact
+      end
+    end
   end
 end

data/lib/licensed/sources/bundler/definition.rb

@@ -18,7 +18,7 @@ module Licensed
 
           all_dependencies = requested_dependencies.concat(specs.flat_map(&:dependencies))
           if all_dependencies.any? { |d| d.name == "bundler" } && !specs["bundler"].any?
-            bundler = sources.metadata_source.specs.search(Gem::Dependency.new("bundler", ::Bundler::VERSION)).last
+            bundler = sources.metadata_source.specs.search(bundler_query).last
             specs["bundler"] = bundler
           end
 
@@ -26,6 +26,14 @@ module Licensed
         end
       end
 
+      def bundler_query
+        if Gem::Version.new(::Bundler::VERSION) >= Gem::Version.new("2.4.0")
+          ["bundler", ::Bundler.gem_version]
+        else
+          Gem::Dependency.new("bundler", ::Bundler::VERSION)
+        end
+      end
+
       # Override requested_groups to also exclude any groups that are
       # in the "bundler.without" section of the licensed configuration file.
       def requested_groups

data/lib/licensed/sources/bundler/missing_specification.rb

@@ -47,8 +47,8 @@ module Licensed
         Licensed::Bundler::MissingSpecification.new(name: name, version: version, platform: platform, source: source)
       end
 
-      def __materialize__(*args)
-        spec = super(*args)
+      def __materialize__(*args, **kwargs)
+        spec = super(*args, **kwargs)
         return spec if spec
 
         Licensed::Bundler::MissingSpecification.new(name: name, version: version, platform: platform, source: source)

data/lib/licensed/sources/bundler.rb

@@ -39,13 +39,8 @@ module Licensed
       end
 
       DEFAULT_WITHOUT_GROUPS = %i{development test}
-      RUBY_PACKER_ERROR = "The bundler source cannot be used from the executable built with ruby-packer.  Please install licensed using `gem install` or using bundler."
 
       def enabled?
-        # running a ruby-packer-built licensed exe when ruby isn't available
-        # could lead to errors if the host ruby doesn't exist
-        return false if ruby_packer? && !Licensed::Shell.tool_available?("ruby")
-
         # if Bundler isn't loaded, this enumerator won't work!
         return false unless defined?(::Bundler)
 
@@ -55,8 +50,6 @@ module Licensed
       end
 
       def enumerate_dependencies
-        raise Licensed::Sources::Source::Error.new(RUBY_PACKER_ERROR) if ruby_packer?
-
         with_application_environment do
           definition.specs.map do |spec|
             next if spec.name == config["name"]
@@ -126,11 +119,6 @@ module Licensed
         # reload the bundler environment after enumeration
         ::Bundler.load
       end
-
-      # Returns whether the current licensed execution is running ruby-packer
-      def ruby_packer?
-        @ruby_packer ||= RbConfig::TOPDIR =~ /__enclose_io_memfs__/
-      end
     end
   end
 end

data/lib/licensed/sources/cocoapods.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+require "json"
+require "pathname"
+require "uri"
+
+# **NOTE** Cocoapods is disabled until cocoapods-core supports recent rails versions
+# https://github.com/CocoaPods/Core/pull/733
+# require "cocoapods-core"
+
+module Licensed
+  module Sources
+    class Cocoapods < Source
+      def enabled?
+        false
+
+        # return unless Licensed::Shell.tool_available?("pod")
+
+        # config.pwd.join("Podfile").exist? && config.pwd.join("Podfile.lock").exist?
+      end
+
+      def enumerate_dependencies
+        pods.map do |pod|
+          name = pod.name
+          path = dependency_path(pod.root_name)
+          version = lockfile.version(name).version
+
+          Dependency.new(
+            path: path,
+            name: name,
+            version: version,
+            metadata: { "type" => Cocoapods.type }
+          )
+        end
+      end
+
+      private
+
+      def pods
+        return lockfile.dependencies if targets.nil?
+
+        targets_to_validate = podfile.target_definition_list.filter { |t| targets.include?(t.label) }
+        if targets_to_validate.any?
+          targets_to_validate.map(&:dependencies).flatten
+        else
+          raise Licensed::Sources::Source::Error, "Unable to find any target in the Podfile matching the ones provided in the config."
+        end
+      end
+
+      def targets
+        @targets ||= config.dig("cocoapods", "targets")&.map { |t| "Pods-#{t}" }
+      end
+
+      def lockfile
+        @lockfile = nil
+        # @lockfile ||= Pod::Lockfile.from_file(config.pwd.join("Podfile.lock"))
+      end
+
+      def podfile
+        @podfile = nil
+        # @podfile ||= Pod::Podfile.from_file(config.pwd.join("Podfile"))
+      end
+
+      def dependency_path(name)
+        config.pwd.join("Pods/#{name}")
+      end
+    end
+  end
+end