RubyGems - licensed - Versions diffs - 4.0.4 → 4.1.0 - Mend

licensed 4.0.4 → 4.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +8 -1
data/Gemfile.lock +1 -1
data/docs/configuration/README.md +1 -0
data/docs/configuration/additional_terms.md +41 -0
data/docs/configuration.md +7 -0
data/docs/sources/pnpm.md +18 -0
data/lib/licensed/configuration.rb +6 -0
data/lib/licensed/dependency.rb +27 -0
data/lib/licensed/sources/pnpm.rb +52 -0
data/lib/licensed/sources/source.rb +8 -1
data/lib/licensed/sources.rb +4 -3
data/lib/licensed/version.rb +1 -1
metadata +5 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e4862d2463055e895e3aac366c32821ee047360646946860d0cd6eb86ef9701f
-  data.tar.gz: b75cf3b200090387ef2f104295bb90fc8874668bd895797335f02a23c9357296
+  metadata.gz: 7606d0b5e5f3755ee329a1963cda970c021deab08680c619731ed6fb3ba547da
+  data.tar.gz: 668a2d87d8019284b6ce02bccdda851ad186f03cc7d389fbdd659473affc08cf
 SHA512:
-  metadata.gz: 766f5196aea9b41034c0a76e11ebe7e7272ce1554661d552ad88895dd45cc43544cb737f7c36173ab612fc71f352d14ac30d2449f7414f8b7813174e294828c5
-  data.tar.gz: 0c6a31ae81db6abe8744d4a64b07e695b86b18536ce7308f7757c0c69183684e6d39d91082c87edd5a693617f30884a6c322ec3aa0e017a87bc137bf1e0793b7
+  metadata.gz: '064129baadae7345b5c05e2635cc1850b8ce8321f1e2df803b5fc6d6704556a1337c7d1561024775801cf5cb4158b6c25657b06a0a9baf5ccac7a7453f35fa53'
+  data.tar.gz: b3c6ba7179d7b777665f29b5cace4536181a428a5995c5e7d1d168b4ba6012fd333d191eb6ce23ab7b971a9cb8231dbfb999743c72bf91a1efe78ddec78223b7

data/CHANGELOG.md CHANGED Viewed

@@ -6,6 +6,13 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ## [Unreleased]
+## 4.1.0
+### Added
+- Custom license terms can be added to dependencies via new configuration options (https://github.com/github/licensed/pull/624)
+- Licensed is now integrated with pnpm to enumerate dependencies (https://github.com/github/licensed/pull/626)
 ## 4.0.4
 ### Changed
@@ -706,4 +713,4 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 Initial release :tada:
-[Unreleased]: https://github.com/github/licensed/compare/4.0.4...HEAD
+[Unreleased]: https://github.com/github/licensed/compare/4.1.0...HEAD

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    licensed (4.0.4)
+    licensed (4.1.0)
       json (~> 2.6)
       licensee (~> 9.16)
       parallel (~> 1.22)

data/docs/configuration/README.md CHANGED Viewed

@@ -9,3 +9,4 @@
 1. [Allowed licenses](./allowed_licenses.md)
 1. [Ignoring dependencies](./ignoring_dependencies.md)
 1. [Reviewing dependencies](./reviewing_dependencies.md)
+1. [Additional license terms](./additional_terms.md)

data/docs/configuration/additional_terms.md ADDED Viewed

@@ -0,0 +1,41 @@
+# Additional terms
+The `additional_terms` configuration option is used to specify paths to files containing extra licensing terms that do not ship with the dependency package. All files specified are expected to be plain text.
+Files containing additional content can be located anywhere on disk that is accessible to licensed.  File paths can be specified as a string or array and can contain glob values to simplify configuration inputs.  All file paths are evaluated from the [configuration root](./configuration_root.md).
+## Examples
+**Note** The examples below specify paths to additional files under the `.licenses` folder.  This is a logical place to store files containing license terms, but be careful not to store files under paths managed by licensed like `.licenses/<source type>/...`.  Running `licensed cache` in the future will delete any files under licensed managed paths that licensed did not create.  This is why the below examples use paths like `.licenses/amendments/bundler/...` instead of not `.licenses/bundler/amendments/...`.
+### With a string
+```yaml
+additional_terms:
+  # specify the type of dependency
+  bundler:
+    # specify the dependency name and path to an additional file
+    <gem-name>: .licenses/amendments/bundler/<gem-name>/terms.txt
+```
+### With a glob string
+```yaml
+additional_terms:
+  # specify the type of dependency
+  bundler:
+    # specify the dependency name and one or more additional files with a glob pattern
+    <gem-name>: .licenses/amendments/bundler/<gem-name>/*.txt
+```
+### With an array of strings
+```yaml
+additional_terms:
+  # specify the type of dependency
+  bundler:
+    # specify the dependency name and array of paths to additional files
+    <gem-name>:
+      - .licenses/amendments/bundler/<gem-name>/terms-1.txt
+      - .licenses/amendments/bundler/<gem-name>/terms-2.txt
+```

data/docs/configuration.md CHANGED Viewed

@@ -67,6 +67,13 @@ reviewed:
   - classlist # public domain
   - octicons
+# Specify additional license terms that have been obtained from a dependency's owner
+# which apply to the dependency's license
+additional_terms:
+  bundler:
+    bcrypt-ruby:
+      - .licenses/amendments/bundler/bcrypt-ruby/amendment.txt
 # A single configuration file can be used to enumerate dependencies for multiple
 # projects.  Each configuration is referred to as an "application" and must include
 # a source path, at a minimum

data/docs/sources/pnpm.md ADDED Viewed

@@ -0,0 +1,18 @@
+# pnpm
+The npm source will detect dependencies when `pnpm-lock.yaml` is found at an apps `source_path`.  It uses `pnpm licenses list` to enumerate dependencies and metadata.
+**NOTE** [pnpm licenses list](https://pnpm.io/cli/licenses) is an experimental CLI command and subject to change.  If changes to pnpm result in unexpected or broken behavior in licensed please open an [issue](https://github.com/github/licensed/issues/new).
+## Including development dependencies
+By default, the npm source will exclude all development dependencies. To include development or test dependencies, set `production_only: false` in the licensed configuration.
+```yml
+pnpm:
+  production_only: false
+```
+## Using licensed with pnpm workspaces
+Licensed will locate all dependencies from all pnpm workspaces and cannot enumerate dependencies from individual project workspaces.  This is a limitation from the pnpm CLI.

data/lib/licensed/configuration.rb CHANGED Viewed

@@ -109,6 +109,12 @@ module Licensed
       self["allowed"] << license
     end
+    # Returns an array of paths to files containing additional license terms.
+    def additional_terms_for_dependency(dependency)
+      amendment_paths = Array(self.dig("additional_terms", dependency["type"], dependency["name"]))
+      amendment_paths.flat_map { |path| Dir.glob(self.root.join(path)) }
+    end
     private
     def any_list_pattern_matched?(list, dependency, match_version: false)

data/lib/licensed/dependency.rb CHANGED Viewed

@@ -9,6 +9,7 @@ module Licensed
     attr_reader :version
     attr_reader :errors
     attr_reader :path
+    attr_reader :additional_terms
     # Create a new project dependency
     #
@@ -28,6 +29,7 @@ module Licensed
       @errors = errors
       path = path.to_s
       @path = path
+      @additional_terms = []
       # enforcing absolute paths makes life much easier when determining
       # an absolute file path in #notices
@@ -80,6 +82,13 @@ module Licensed
       files.compact
     end
+    # Override the behavior of Licensee::Projects::FSProject#project_files to include
+    # additional license terms
+    def project_files
+      super + additional_license_terms_files
+    end
     # Returns legal notices found at the dependency path
     def notice_contents
       Dir.glob(dir_path.join("*"))
@@ -102,6 +111,7 @@ module Licensed
     def license_content_sources(files)
       paths = Array(files).map do |file|
         next file[:uri] if file[:uri]
+        next file[:source] if file[:source]
         path = dir_path.join(file[:dir], file[:name])
         normalize_source_path(path)
@@ -157,5 +167,22 @@ module Licensed
         "text" => text
       }
     end
+    # Returns an array of Licensee::ProjectFiles::LicenseFile created from
+    # this dependency's additional license terms
+    def additional_license_terms_files
+      @additional_license_terms_files ||= begin
+        files = additional_terms.map do |path|
+          next unless File.file?(path)
+          metadata = { dir: File.dirname(path), name: File.basename(path) }
+          Licensee::ProjectFiles::LicenseFile.new(
+            load_file(metadata),
+            { source: "License terms loaded from #{metadata[:name]}" }
+          )
+        end
+        files.compact
+      end
+    end
   end
 end

data/lib/licensed/sources/pnpm.rb ADDED Viewed

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+require "json"
+module Licensed
+  module Sources
+    class PNPM < Source
+      # Returns true when pnpm is installed and a pnpm-lock.yaml file is found,
+      # otherwise false
+      def enabled?
+        return false unless Licensed::Shell.tool_available?("pnpm")
+        File.exist?(File.join(config.pwd, "pnpm-lock.yaml"))
+      end
+      def enumerate_dependencies
+        packages.map do |package|
+          name_with_version = "#{package["name"]}@#{package["version"]}"
+          Dependency.new(
+            name: name_with_version,
+            version: package["version"],
+            path: package["path"],
+            metadata: {
+              "type"     => PNPM.type,
+              "name"     => package["name"],
+              "summary"  => package["description"],
+              "homepage" => package["homepage"]
+            }
+          )
+        end
+      end
+      # Returns package metadata returned from `pnpm licensed list`
+      def packages
+        JSON.parse(package_metadata_command).values.flatten
+      rescue JSON::ParserError => e
+        message = "Licensed was unable to parse the output from 'pnpm licenses list'. JSON Error: #{e.message}"
+        raise Licensed::Sources::Source::Error, message
+      end
+      # Returns the output from running `pnpm licenses list` to get package metadata
+      def package_metadata_command
+        args = %w(--json --long)
+        args << "--prod" unless include_non_production?
+        Licensed::Shell.execute("pnpm", "licenses", "list", *args, allow_failure: true)
+      end
+      # Returns whether to include non production dependencies based on the licensed configuration settings
+      def include_non_production?
+        config.dig("pnpm", "production_only") == false
+      end
+    end
+  end
+end

data/lib/licensed/sources/source.rb CHANGED Viewed

@@ -69,7 +69,9 @@ module Licensed
       # Returns all dependencies that should be evaluated.
       # Excludes ignored dependencies.
       def dependencies
-        cached_dependencies.reject { |d| ignored?(d) }
+        cached_dependencies
+          .reject { |d| ignored?(d) }
+          .each { |d| add_additional_terms_from_configuration(d) }
       end
       # Enumerate all source dependencies.  Must be implemented by each source class.
@@ -88,6 +90,11 @@ module Licensed
       def cached_dependencies
         @dependencies ||= enumerate_dependencies.compact
       end
+      # Add any additional_terms for this dependency that have been added to the configuration
+      def add_additional_terms_from_configuration(dependency)
+        dependency.additional_terms.concat config.additional_terms_for_dependency("type" => self.class.type, "name" => dependency.name)
+      end
     end
   end
 end

data/lib/licensed/sources.rb CHANGED Viewed

@@ -6,19 +6,20 @@ module Licensed
     require "licensed/sources/bundler"
     require "licensed/sources/cabal"
     require "licensed/sources/cargo"
+    require "licensed/sources/cocoapods"
     require "licensed/sources/composer"
     require "licensed/sources/dep"
     require "licensed/sources/git_submodule"
     require "licensed/sources/go"
+    require "licensed/sources/gradle"
     require "licensed/sources/manifest"
+    require "licensed/sources/mix"
     require "licensed/sources/npm"
     require "licensed/sources/nuget"
     require "licensed/sources/pip"
     require "licensed/sources/pipenv"
+    require "licensed/sources/pnpm"
     require "licensed/sources/swift"
-    require "licensed/sources/gradle"
-    require "licensed/sources/mix"
     require "licensed/sources/yarn"
-    require "licensed/sources/cocoapods"
   end
 end

data/lib/licensed/version.rb CHANGED Viewed

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 module Licensed
-  VERSION = "4.0.4".freeze
+  VERSION = "4.1.0".freeze
   def self.previous_major_versions
     major_version = Gem::Version.new(Licensed::VERSION).segments.first

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: licensed
 version: !ruby/object:Gem::Version
-  version: 4.0.4
+  version: 4.1.0
 platform: ruby
 authors:
 - GitHub
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-01-26 00:00:00.000000000 Z
+date: 2023-02-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: licensee
@@ -219,6 +219,7 @@ files:
 - docs/commands/version.md
 - docs/configuration.md
 - docs/configuration/README.md
+- docs/configuration/additional_terms.md
 - docs/configuration/allowed_licenses.md
 - docs/configuration/application_name.md
 - docs/configuration/application_source.md
@@ -249,6 +250,7 @@ files:
 - docs/sources/nuget.md
 - docs/sources/pip.md
 - docs/sources/pipenv.md
+- docs/sources/pnpm.md
 - docs/sources/stack.md
 - docs/sources/swift.md
 - docs/sources/yarn.md
@@ -298,6 +300,7 @@ files:
 - lib/licensed/sources/nuget.rb
 - lib/licensed/sources/pip.rb
 - lib/licensed/sources/pipenv.rb
+- lib/licensed/sources/pnpm.rb
 - lib/licensed/sources/source.rb
 - lib/licensed/sources/swift.rb
 - lib/licensed/sources/yarn.rb