RubyGems - licensed - Versions diffs - 4.0.4 → 4.1.0 - Mend

licensed 4.0.4 → 4.1.0

Files changed (14) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +8 -1
data/Gemfile.lock +1 -1
data/docs/configuration/README.md +1 -0
data/docs/configuration/additional_terms.md +41 -0
data/docs/configuration.md +7 -0
data/docs/sources/pnpm.md +18 -0
data/lib/licensed/configuration.rb +6 -0
data/lib/licensed/dependency.rb +27 -0
data/lib/licensed/sources/pnpm.rb +52 -0
data/lib/licensed/sources/source.rb +8 -1
data/lib/licensed/sources.rb +4 -3
data/lib/licensed/version.rb +1 -1
metadata +5 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e4862d2463055e895e3aac366c32821ee047360646946860d0cd6eb86ef9701f
-  data.tar.gz: b75cf3b200090387ef2f104295bb90fc8874668bd895797335f02a23c9357296
+  metadata.gz: 7606d0b5e5f3755ee329a1963cda970c021deab08680c619731ed6fb3ba547da
+  data.tar.gz: 668a2d87d8019284b6ce02bccdda851ad186f03cc7d389fbdd659473affc08cf
 SHA512:
-  metadata.gz: 766f5196aea9b41034c0a76e11ebe7e7272ce1554661d552ad88895dd45cc43544cb737f7c36173ab612fc71f352d14ac30d2449f7414f8b7813174e294828c5
-  data.tar.gz: 0c6a31ae81db6abe8744d4a64b07e695b86b18536ce7308f7757c0c69183684e6d39d91082c87edd5a693617f30884a6c322ec3aa0e017a87bc137bf1e0793b7
+  metadata.gz: '064129baadae7345b5c05e2635cc1850b8ce8321f1e2df803b5fc6d6704556a1337c7d1561024775801cf5cb4158b6c25657b06a0a9baf5ccac7a7453f35fa53'
+  data.tar.gz: b3c6ba7179d7b777665f29b5cace4536181a428a5995c5e7d1d168b4ba6012fd333d191eb6ce23ab7b971a9cb8231dbfb999743c72bf91a1efe78ddec78223b7

data/CHANGELOG.md CHANGED Viewed

@@ -6,6 +6,13 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ## [Unreleased]
+## 4.1.0
+### Added
+- Custom license terms can be added to dependencies via new configuration options (https://github.com/github/licensed/pull/624)
+- Licensed is now integrated with pnpm to enumerate dependencies (https://github.com/github/licensed/pull/626)
 ## 4.0.4
 ### Changed
@@ -706,4 +713,4 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 Initial release :tada:
-[Unreleased]: https://github.com/github/licensed/compare/4.0.4...HEAD
+[Unreleased]: https://github.com/github/licensed/compare/4.1.0...HEAD

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    licensed (4.0.4)
+    licensed (4.1.0)
       json (~> 2.6)
       licensee (~> 9.16)
       parallel (~> 1.22)

data/docs/configuration/README.md CHANGED Viewed

@@ -9,3 +9,4 @@
 1. [Allowed licenses](./allowed_licenses.md)
 1. [Ignoring dependencies](./ignoring_dependencies.md)
 1. [Reviewing dependencies](./reviewing_dependencies.md)
+1. [Additional license terms](./additional_terms.md)

data/docs/configuration/additional_terms.md ADDED Viewed

@@ -0,0 +1,41 @@
+# Additional terms
+The `additional_terms` configuration option is used to specify paths to files containing extra licensing terms that do not ship with the dependency package. All files specified are expected to be plain text.
+Files containing additional content can be located anywhere on disk that is accessible to licensed.  File paths can be specified as a string or array and can contain glob values to simplify configuration inputs.  All file paths are evaluated from the [configuration root](./configuration_root.md).
+## Examples
+**Note** The examples below specify paths to additional files under the `.licenses` folder.  This is a logical place to store files containing license terms, but be careful not to store files under paths managed by licensed like `.licenses/<source type>/...`.  Running `licensed cache` in the future will delete any files under licensed managed paths that licensed did not create.  This is why the below examples use paths like `.licenses/amendments/bundler/...` instead of not `.licenses/bundler/amendments/...`.
+### With a string
+```yaml
+additional_terms:
+  # specify the type of dependency
+  bundler:
+    # specify the dependency name and path to an additional file
+    <gem-name>: .licenses/amendments/bundler/<gem-name>/terms.txt
+```
+### With a glob string
+```yaml
+additional_terms:
+  # specify the type of dependency
+  bundler:
+    # specify the dependency name and one or more additional files with a glob pattern
+    <gem-name>: .licenses/amendments/bundler/<gem-name>/*.txt
+```
+### With an array of strings
+```yaml
+additional_terms:
+  # specify the type of dependency
+  bundler:
+    # specify the dependency name and array of paths to additional files
+    <gem-name>:
+      - .licenses/amendments/bundler/<gem-name>/terms-1.txt
+      - .licenses/amendments/bundler/<gem-name>/terms-2.txt
+```

data/docs/configuration.md CHANGED Viewed

@@ -67,6 +67,13 @@ reviewed:
   - classlist # public domain
   - octicons
+# Specify additional license terms that have been obtained from a dependency's owner
+# which apply to the dependency's license
+additional_terms:
+  bundler:
+    bcrypt-ruby:
+      - .licenses/amendments/bundler/bcrypt-ruby/amendment.txt
 # A single configuration file can be used to enumerate dependencies for multiple
 # projects.  Each configuration is referred to as an "application" and must include
 # a source path, at a minimum

data/docs/sources/pnpm.md ADDED Viewed

@@ -0,0 +1,18 @@
+# pnpm
+The npm source will detect dependencies when `pnpm-lock.yaml` is found at an apps `source_path`.  It uses `pnpm licenses list` to enumerate dependencies and metadata.
+**NOTE** [pnpm licenses list](https://pnpm.io/cli/licenses) is an experimental CLI command and subject to change.  If changes to pnpm result in unexpected or broken behavior in licensed please open an [issue](https://github.com/github/licensed/issues/new).
+## Including development dependencies
+By default, the npm source will exclude all development dependencies. To include development or test dependencies, set `production_only: false` in the licensed configuration.
+```yml
+pnpm:
+  production_only: false
+```
+## Using licensed with pnpm workspaces
+Licensed will locate all dependencies from all pnpm workspaces and cannot enumerate dependencies from individual project workspaces.  This is a limitation from the pnpm CLI.

data/lib/licensed/configuration.rb CHANGED Viewed

@@ -109,6 +109,12 @@ module Licensed
       self["allowed"] << license
     end
+    # Returns an array of paths to files containing additional license terms.
+    def additional_terms_for_dependency(dependency)
+      amendment_paths = Array(self.dig("additional_terms", dependency["type"], dependency["name"]))
+      amendment_paths.flat_map { |path| Dir.glob(self.root.join(path)) }
+    end
     private
     def any_list_pattern_matched?(list, dependency, match_version: false)

data/lib/licensed/dependency.rb CHANGED Viewed

@@ -9,6 +9,7 @@ module Licensed
     attr_reader :version
     attr_reader :errors
     attr_reader :path
+    attr_reader :additional_terms
     # Create a new project dependency
     #
@@ -28,6 +29,7 @@ module Licensed
       @errors = errors
       path = path.to_s
       @path = path
+      @additional_terms = []
       # enforcing absolute paths makes life much easier when determining
       # an absolute file path in #notices
@@ -80,6 +82,13 @@ module Licensed
       files.compact
     end
+    # Override the behavior of Licensee::Projects::FSProject#project_files to include
+    # additional license terms
+    def project_files
+      super + additional_license_terms_files
+    end
     # Returns legal notices found at the dependency path
     def notice_contents
       Dir.glob(dir_path.join("*"))
@@ -102,6 +111,7 @@ module Licensed
     def license_content_sources(files)
       paths = Array(files).map do |file|
         next file[:uri] if file[:uri]
+        next file[:source] if file[:source]
         path = dir_path.join(file[:dir], file[:name])
         normalize_source_path(path)
@@ -157,5 +167,22 @@ module Licensed
         "text" => text
       }
     end
+    # Returns an array of Licensee::ProjectFiles::LicenseFile created from
+    # this dependency's additional license terms
+    def additional_license_terms_files
+      @additional_license_terms_files ||= begin
+        files = additional_terms.map do |path|
+          next unless File.file?(path)
+          metadata = { dir: File.dirname(path), name: File.basename(path) }
+          Licensee::ProjectFiles::LicenseFile.new(
+            load_file(metadata),
+            { source: "License terms loaded from #{metadata[:name]}" }
+          )
+        end
+        files.compact
+      end
+    end
   end
 end

data/lib/licensed/sources/pnpm.rb ADDED Viewed

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+require "json"
+module Licensed
+  module Sources
+    class PNPM < Source
+      # Returns true when pnpm is installed and a pnpm-lock.yaml file is found,
+      # otherwise false
+      def enabled?
+        return false unless Licensed::Shell.tool_available?("pnpm")
+        File.exist?(File.join(config.pwd, "pnpm-lock.yaml"))
+      end
+      def enumerate_dependencies
+        packages.map do |package|
+          name_with_version = "#{package["name"]}@#{package["version"]}"
+          Dependency.new(
+            name: name_with_version,
+            version: package["version"],
+            path: package["path"],
+            metadata: {
+              "type"     => PNPM.type,
+              "name"     => package["name"],
+              "summary"  => package["description"],
+              "homepage" => package["homepage"]
+            }
+          )
+        end
+      end
+      # Returns package metadata returned from `pnpm licensed list`
+      def packages
+        JSON.parse(package_metadata_command).values.flatten
+      rescue JSON::ParserError => e
+        message = "Licensed was unable to parse the output from 'pnpm licenses list'. JSON Error: #{e.message}"
+        raise Licensed::Sources::Source::Error, message
+      end
+      # Returns the output from running `pnpm licenses list` to get package metadata
+      def package_metadata_command
+        args = %w(--json --long)
+        args << "--prod" unless include_non_production?
+        Licensed::Shell.execute("pnpm", "licenses", "list", *args, allow_failure: true)
+      end
+      # Returns whether to include non production dependencies based on the licensed configuration settings
+      def include_non_production?
+        config.dig("pnpm", "production_only") == false
+      end
+    end
+  end
+end

data/lib/licensed/sources/source.rb CHANGED Viewed

@@ -69,7 +69,9 @@ module Licensed
       # Returns all dependencies that should be evaluated.
       # Excludes ignored dependencies.
       def dependencies
-        cached_dependencies.reject { |d| ignored?(d) }
+        cached_dependencies
+          .reject { |d| ignored?(d) }
+          .each { |d| add_additional_terms_from_configuration(d) }
       end
       # Enumerate all source dependencies.  Must be implemented by each source class.
@@ -88,6 +90,11 @@ module Licensed
       def cached_dependencies
         @dependencies ||= enumerate_dependencies.compact
       end
+      # Add any additional_terms for this dependency that have been added to the configuration
+      def add_additional_terms_from_configuration(dependency)
+        dependency.additional_terms.concat config.additional_terms_for_dependency("type" => self.class.type, "name" => dependency.name)
+      end
     end
   end
 end

data/lib/licensed/sources.rb CHANGED Viewed

@@ -6,19 +6,20 @@ module Licensed
     require "licensed/sources/bundler"
     require "licensed/sources/cabal"
     require "licensed/sources/cargo"
+    require "licensed/sources/cocoapods"
     require "licensed/sources/composer"
     require "licensed/sources/dep"
     require "licensed/sources/git_submodule"
     require "licensed/sources/go"
+    require "licensed/sources/gradle"
     require "licensed/sources/manifest"
+    require "licensed/sources/mix"
     require "licensed/sources/npm"
     require "licensed/sources/nuget"
     require "licensed/sources/pip"
     require "licensed/sources/pipenv"
+    require "licensed/sources/pnpm"
     require "licensed/sources/swift"
-    require "licensed/sources/gradle"
-    require "licensed/sources/mix"
     require "licensed/sources/yarn"
-    require "licensed/sources/cocoapods"
   end
 end

data/lib/licensed/version.rb CHANGED Viewed

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 module Licensed
-  VERSION = "4.0.4".freeze
+  VERSION = "4.1.0".freeze
   def self.previous_major_versions
     major_version = Gem::Version.new(Licensed::VERSION).segments.first

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: licensed
 version: !ruby/object:Gem::Version
-  version: 4.0.4
+  version: 4.1.0
 platform: ruby
 authors:
 - GitHub
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-01-26 00:00:00.000000000 Z
+date: 2023-02-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: licensee
@@ -219,6 +219,7 @@ files:
 - docs/commands/version.md
 - docs/configuration.md
 - docs/configuration/README.md
+- docs/configuration/additional_terms.md
 - docs/configuration/allowed_licenses.md
 - docs/configuration/application_name.md
 - docs/configuration/application_source.md
@@ -249,6 +250,7 @@ files:
 - docs/sources/nuget.md
 - docs/sources/pip.md
 - docs/sources/pipenv.md
+- docs/sources/pnpm.md
 - docs/sources/stack.md
 - docs/sources/swift.md
 - docs/sources/yarn.md
@@ -298,6 +300,7 @@ files:
 - lib/licensed/sources/nuget.rb
 - lib/licensed/sources/pip.rb
 - lib/licensed/sources/pipenv.rb
+- lib/licensed/sources/pnpm.rb
 - lib/licensed/sources/source.rb
 - lib/licensed/sources/swift.rb
 - lib/licensed/sources/yarn.rb