licensed 4.0.4 → 4.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e4862d2463055e895e3aac366c32821ee047360646946860d0cd6eb86ef9701f
-  data.tar.gz: b75cf3b200090387ef2f104295bb90fc8874668bd895797335f02a23c9357296
+  metadata.gz: 2b65e198a420b03486b2680a6a83fb04b4e67684d28bc4ba9ef00c466ffd7489
+  data.tar.gz: ab2b10c6e854d3f1d7faa918e48addb497032838fd1cea942ff823053b891150
 SHA512:
-  metadata.gz: 766f5196aea9b41034c0a76e11ebe7e7272ce1554661d552ad88895dd45cc43544cb737f7c36173ab612fc71f352d14ac30d2449f7414f8b7813174e294828c5
-  data.tar.gz: 0c6a31ae81db6abe8744d4a64b07e695b86b18536ce7308f7757c0c69183684e6d39d91082c87edd5a693617f30884a6c322ec3aa0e017a87bc137bf1e0793b7
+  metadata.gz: 8dee38c45e73cb03b7c94a9260bb9bc6f5919f53156b69a751238693920e2f120a3dcb0d43f66270fa9abc8305705fdced290978e51bfe762be5f0e5ba00230d
+  data.tar.gz: d352b46e40f545f0bd3e1aa29e3bb62454e2e329c64ce9197ba1f9c38b4f11bcbbbecc789658dcff0e6b79e43b4ee9cc839b5476e23cab44a559a605ddbd77b6

data/CHANGELOG.md

@@ -6,6 +6,23 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## 4.2.0
+
+### Added
+
+- Reviewed and ignored configuration lists support matching on versions and version ranges (https://github.com/github/licensed/pull/629)
+
+### Fixed
+
+- Licensed should more reliably source dependencies from Gradle >= 8.0 (https://github.com/github/licensed/pull/630)
+
+## 4.1.0
+
+### Added
+
+- Custom license terms can be added to dependencies via new configuration options (https://github.com/github/licensed/pull/624)
+- Licensed is now integrated with pnpm to enumerate dependencies (https://github.com/github/licensed/pull/626)
+
 ## 4.0.4
 
 ### Changed
@@ -706,4 +723,4 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 Initial release :tada:
 
-[Unreleased]: https://github.com/github/licensed/compare/4.0.4...HEAD
+[Unreleased]: https://github.com/github/licensed/compare/4.2.0...HEAD

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    licensed (4.0.4)
+    licensed (4.2.0)
       json (~> 2.6)
       licensee (~> 9.16)
       parallel (~> 1.22)

data/docs/configuration/README.md

@@ -9,3 +9,4 @@
 1. [Allowed licenses](./allowed_licenses.md)
 1. [Ignoring dependencies](./ignoring_dependencies.md)
 1. [Reviewing dependencies](./reviewing_dependencies.md)
+1. [Additional license terms](./additional_terms.md)

data/docs/configuration/additional_terms.md

@@ -0,0 +1,41 @@
+# Additional terms
+
+The `additional_terms` configuration option is used to specify paths to files containing extra licensing terms that do not ship with the dependency package. All files specified are expected to be plain text.
+
+Files containing additional content can be located anywhere on disk that is accessible to licensed.  File paths can be specified as a string or array and can contain glob values to simplify configuration inputs.  All file paths are evaluated from the [configuration root](./configuration_root.md).
+
+## Examples
+
+**Note** The examples below specify paths to additional files under the `.licenses` folder.  This is a logical place to store files containing license terms, but be careful not to store files under paths managed by licensed like `.licenses/<source type>/...`.  Running `licensed cache` in the future will delete any files under licensed managed paths that licensed did not create.  This is why the below examples use paths like `.licenses/amendments/bundler/...` instead of not `.licenses/bundler/amendments/...`.
+
+### With a string
+
+```yaml
+additional_terms:
+  # specify the type of dependency
+  bundler:
+    # specify the dependency name and path to an additional file
+    <gem-name>: .licenses/amendments/bundler/<gem-name>/terms.txt
+```
+
+### With a glob string
+
+```yaml
+additional_terms:
+  # specify the type of dependency
+  bundler:
+    # specify the dependency name and one or more additional files with a glob pattern
+    <gem-name>: .licenses/amendments/bundler/<gem-name>/*.txt
+```
+
+### With an array of strings
+
+```yaml
+additional_terms:
+  # specify the type of dependency
+  bundler:
+    # specify the dependency name and array of paths to additional files
+    <gem-name>:
+      - .licenses/amendments/bundler/<gem-name>/terms-1.txt
+      - .licenses/amendments/bundler/<gem-name>/terms-2.txt
+```

data/docs/configuration/ignoring_dependencies.md

@@ -17,3 +17,16 @@ ignored:
   go:
     - github.com/me/my-repo/**/*
 ```
+
+## Ignoring dependencies at specific versions
+
+Ignore a dependency at specific versions by appending `@<version>` to the end of the dependency's name in an `ignore` list.  If a dependency is configured to be ignored at a specific version, licensed will not ignore non-matching versions of the dependency.
+
+The version value can be one of:
+
+1. `"*"` - match any version value
+1. any version string, or version range string, that can be parsed by `Gem::Requirement`
+   - a semantic version - `dependency@1.2.3`
+   - a gem requirement range - `dependency@~> 1.0.0` or `dependency@< 3.0`
+   - see the [Rubygems version guides](https://guides.rubygems.org/patterns/#pessimistic-version-constraint) for more details about specifying gem version requirements
+1. a value that can't be parsed by `Gem::Requirement`, which will only match dependencies with the same version string

data/docs/configuration/reviewing_dependencies.md

@@ -16,3 +16,16 @@ reviewed:
   bundler:
     - gem-using-unallowed-license
 ```
+
+## Reviewing dependencies at specific versions
+
+Review a dependency at specific versions by appending `@<version>` to the end of the dependency's name in an `reviewed` list.  If a dependency is configured to be reviewed at a specific version, licensed will not recognize non-matching versions of the dependency as being manually reviewed and accepted.
+
+The version value can be one of:
+
+1. `"*"` - match any version value
+1. any version string, or version range string, that can be parsed by `Gem::Requirement`
+   - a semantic version - `dependency@1.2.3`
+   - a gem requirement range - `dependency@~> 1.0.0` or `dependency@< 3.0`
+   - see the [Rubygems version guides](https://guides.rubygems.org/patterns/#pessimistic-version-constraint) for more details about specifying gem version requirements
+1. a value that can't be parsed by `Gem::Requirement`, which will only match dependencies with the same version string

data/docs/configuration.md

@@ -67,6 +67,13 @@ reviewed:
   - classlist # public domain
   - octicons
 
+# Specify additional license terms that have been obtained from a dependency's owner
+# which apply to the dependency's license 
+additional_terms:
+  bundler:
+    bcrypt-ruby:
+      - .licenses/amendments/bundler/bcrypt-ruby/amendment.txt
+
 # A single configuration file can be used to enumerate dependencies for multiple
 # projects.  Each configuration is referred to as an "application" and must include
 # a source path, at a minimum

data/docs/sources/pnpm.md

@@ -0,0 +1,20 @@
+# pnpm
+
+The npm source will detect dependencies when `pnpm-lock.yaml` is found at an apps `source_path`.  It uses `pnpm licenses list` to enumerate dependencies and metadata.
+
+All dependencies enumerated by the pnpm source include the dependency version in the dependency's name identifier.  All [reviewed](../configuration/reviewing_dependencies.md) or [ignored](../configuration/ignoring_dependencies.md) dependencies must include a version signifier in the configured dependency name.
+
+**NOTE** [pnpm licenses list](https://pnpm.io/cli/licenses) is an experimental CLI command and subject to change.  If changes to pnpm result in unexpected or broken behavior in licensed please open an [issue](https://github.com/github/licensed/issues/new).
+
+## Including development dependencies
+
+By default, the npm source will exclude all development dependencies. To include development or test dependencies, set `production_only: false` in the licensed configuration.
+
+```yml
+pnpm:
+  production_only: false
+```
+
+## Using licensed with pnpm workspaces
+
+Licensed will locate all dependencies from all pnpm workspaces and cannot enumerate dependencies from individual project workspaces.  This is a limitation from the pnpm CLI.

data/lib/licensed/commands/cache.rb

@@ -83,7 +83,7 @@ module Licensed
         report["version"] = dependency.version
 
         if save_dependency_record?(dependency, cached_record)
-          update_dependency_from_cached_record(app, dependency, cached_record)
+          update_dependency_from_cached_record(app, source, dependency, cached_record)
 
           dependency.record.save(filename)
           report["cached"] = true
@@ -123,14 +123,14 @@ module Licensed
       # Update dependency metadata from the cached record, to support:
       # 1. continuity between cache runs to cut down on churn
       # 2. notifying users when changed content needs to be reviewed
-      def update_dependency_from_cached_record(app, dependency, cached_record)
+      def update_dependency_from_cached_record(app, source, dependency, cached_record)
         return if cached_record.nil?
         return if options[:force]
 
         if dependency.record.matches?(cached_record)
           # use the cached license value if the license text wasn't updated
           dependency.record["license"] = cached_record["license"]
-        elsif app.reviewed?(dependency.record)
+        elsif app.reviewed?(dependency.record, require_version: source.class.require_matched_dependency_version)
           # if the license text changed and the dependency is set as reviewed
           # force a re-review of the dependency
           dependency.record["review_changed_license"] = true

data/lib/licensed/commands/status.rb

@@ -60,7 +60,7 @@ module Licensed
           report.errors << "missing license text" if record.licenses.empty?
           if record["review_changed_license"]
             report.errors << "license text has changed and needs re-review. if the new text is ok, remove the `review_changed_license` flag from the cached record"
-          elsif license_needs_review?(app, record)
+          elsif license_needs_review?(app, source, record)
             report.errors << needs_review_error_message(app, record)
           end
         end
@@ -70,9 +70,10 @@ module Licensed
 
       # Returns true if a cached record needs further review based on the
       # record's license(s) and the app's configuration
-      def license_needs_review?(app, record)
+      def license_needs_review?(app, source, record)
         # review is not needed if the record is set as reviewed
-        return false if app.reviewed?(record, match_version: data_source == "configuration")
+        require_version = data_source == "configuration" || source.class.require_matched_dependency_version
+        return false if app.reviewed?(record, require_version: require_version)
 
         # review is not needed if the top level license is allowed
         return false if app.allowed?(record["license"])
@@ -99,7 +100,7 @@ module Licensed
         error = "dependency needs review"
 
         # look for an unversioned reviewed list match
-        if app.reviewed?(record, match_version: false)
+        if app.reviewed?(record, require_version: false)
           error += ", unversioned 'reviewed' match found: #{record["name"]}"
         end
 

data/lib/licensed/configuration.rb

@@ -10,6 +10,8 @@ module Licensed
 
     DEFAULT_CACHE_PATH = ".licenses".freeze
 
+    ANY_VERSION_REQUIREMENT = "*".freeze
+
     # Returns the root for a configuration in following order of precedence:
     # 1. explicitly configured "root" property
     # 2. a found git repository root
@@ -73,8 +75,8 @@ module Licensed
     end
 
     # Is the given dependency reviewed?
-    def reviewed?(dependency, match_version: false)
-      any_list_pattern_matched? self["reviewed"][dependency["type"]], dependency, match_version: match_version
+    def reviewed?(dependency, require_version: false)
+      any_list_pattern_matched? self["reviewed"][dependency["type"]], dependency, require_version: require_version
     end
 
     # Find all reviewed dependencies that match the provided dependency's name
@@ -83,8 +85,8 @@ module Licensed
     end
 
     # Is the given dependency ignored?
-    def ignored?(dependency)
-      any_list_pattern_matched? self["ignored"][dependency["type"]], dependency
+    def ignored?(dependency, require_version: false)
+      any_list_pattern_matched? self["ignored"][dependency["type"]], dependency, require_version: require_version
     end
 
     # Is the license of the dependency allowed?
@@ -93,8 +95,10 @@ module Licensed
     end
 
     # Ignore a dependency
-    def ignore(dependency)
-      (self["ignored"][dependency["type"]] ||= []) << dependency["name"]
+    def ignore(dependency, at_version: false)
+      id = dependency["name"]
+      id += "@#{dependency["version"]}" if at_version && dependency["version"]
+      (self["ignored"][dependency["type"]] ||= []) << id
     end
 
     # Set a dependency as reviewed
@@ -109,17 +113,49 @@ module Licensed
       self["allowed"] << license
     end
 
+    # Returns an array of paths to files containing additional license terms.
+    def additional_terms_for_dependency(dependency)
+      amendment_paths = Array(self.dig("additional_terms", dependency["type"], dependency["name"]))
+      amendment_paths.flat_map { |path| Dir.glob(self.root.join(path)) }
+    end
+
     private
 
-    def any_list_pattern_matched?(list, dependency, match_version: false)
+    def any_list_pattern_matched?(list, dependency, require_version: false)
       Array(list).any? do |pattern|
-        if match_version
-          at_version = "@#{dependency["version"]}"
-          pattern, pattern_version = pattern.rpartition(at_version).values_at(0, 1)
-          next false if pattern == "" || pattern_version == ""
+        # parse a name and version requirement value from the pattern
+        name, requirement = pattern.rpartition("@").values_at(0, 2).map(&:strip)
+
+        if name == ""
+          # if name == "", then the pattern doesn't contain a valid version value.
+          # treat the entire pattern as the dependency name with no version.
+          name = pattern
+          requirement = nil
+        elsif !requirement.to_s.empty?
+          # check if the version requirement is a valid Gem::Requirement
+          # for range matching
+          requirements = requirement.split(",").map(&:strip)
+          if requirements.all? { |r| Gem::Requirement::PATTERN.match?(r) }
+            requirement = Gem::Requirement.new(requirements)
+          end
         end
 
-        File.fnmatch?(pattern, dependency["name"], File::FNM_PATHNAME | File::FNM_CASEFOLD)
+        # the pattern's name must match the dependency's name
+        next false unless File.fnmatch?(name, dependency["name"], File::FNM_PATHNAME | File::FNM_CASEFOLD)
+
+        # if there is no version requirement configured or if the dependency doesn't have a version
+        # specified, return a value based on whether a version match is required
+        next !require_version if requirement.nil? || dependency["version"].to_s.empty?
+
+        case requirement
+        when String
+          # string match the requirement against "*" or the dependency's version
+          [ANY_VERSION_REQUIREMENT, dependency["version"]].any? { |r| requirement == r }
+        when Gem::Requirement
+          # if the version was parsed as a gem requirement, check whether the version requirement
+          # matches the dependency's version
+          Gem::Version.correct?(dependency["version"]) && requirement.satisfied_by?(Gem::Version.new(dependency["version"]))
+        end
       end
     end
 

data/lib/licensed/dependency.rb

@@ -9,6 +9,7 @@ module Licensed
     attr_reader :version
     attr_reader :errors
     attr_reader :path
+    attr_reader :additional_terms
 
     # Create a new project dependency
     #
@@ -28,6 +29,7 @@ module Licensed
       @errors = errors
       path = path.to_s
       @path = path
+      @additional_terms = []
 
       # enforcing absolute paths makes life much easier when determining
       # an absolute file path in #notices
@@ -80,6 +82,13 @@ module Licensed
       files.compact
     end
 
+
+    # Override the behavior of Licensee::Projects::FSProject#project_files to include
+    # additional license terms
+    def project_files
+      super + additional_license_terms_files
+    end
+
     # Returns legal notices found at the dependency path
     def notice_contents
       Dir.glob(dir_path.join("*"))
@@ -90,6 +99,17 @@ module Licensed
          .select { |notice| notice["text"].length > 0 } # files with content only
     end
 
+    # Returns a hash of basic metadata about the dependency - name, version, type, etc
+    def metadata
+      {
+        # can be overriden by values in @metadata
+        "name" => name,
+        "version" => version
+      }.merge(
+        @metadata
+      )
+    end
+
     private
 
     def read_file_with_encoding_check(file_path)
@@ -102,6 +122,7 @@ module Licensed
     def license_content_sources(files)
       paths = Array(files).map do |file|
         next file[:uri] if file[:uri]
+        next file[:source] if file[:source]
 
         path = dir_path.join(file[:dir], file[:name])
         normalize_source_path(path)
@@ -125,14 +146,8 @@ module Licensed
     # Returns the metadata that represents this dependency.  This metadata
     # is written to YAML in the dependencys cached text file
     def license_metadata
-      {
-        # can be overriden by values in @metadata
-        "name" => name,
-        "version" => version
-      }.merge(
-        @metadata
-      ).merge({
-        # overrides all other values
+      metadata.merge({
+        # overrides all metadata values
         "license" => license_key
       })
     end
@@ -157,5 +172,22 @@ module Licensed
         "text" => text
       }
     end
+
+    # Returns an array of Licensee::ProjectFiles::LicenseFile created from
+    # this dependency's additional license terms
+    def additional_license_terms_files
+      @additional_license_terms_files ||= begin
+        files = additional_terms.map do |path|
+          next unless File.file?(path)
+
+          metadata = { dir: File.dirname(path), name: File.basename(path) }
+          Licensee::ProjectFiles::LicenseFile.new(
+            load_file(metadata),
+            { source: "License terms loaded from #{metadata[:name]}" }
+          )
+        end
+        files.compact
+      end
+    end
   end
 end

data/lib/licensed/sources/gradle.rb

@@ -9,7 +9,7 @@ require "fileutils"
 module Licensed
   module Sources
     class Gradle < Source
-      DEFAULT_CONFIGURATIONS   = ["runtime", "runtimeClasspath"].freeze
+      DEFAULT_CONFIGURATIONS   = ["runtimeOnly", "runtimeClasspath"].freeze
       GRADLE_LICENSES_PATH     = ".gradle-licenses".freeze
       GRADLE_LICENSES_CSV_NAME = "licenses.csv".freeze
       class Dependency < Licensed::Dependency
@@ -46,7 +46,7 @@ module Licensed
       end
 
       def enumerate_dependencies
-        JSON.parse(gradle_runner.run("printDependencies", config.source_path)).map do |package|
+        JSON.parse(gradle_runner.run("printDependencies")).map do |package|
           name = "#{package['group']}:#{package['name']}"
           Dependency.new(
             name: name,
@@ -73,7 +73,7 @@ module Licensed
       end
 
       def gradle_runner
-        @gradle_runner ||= Runner.new(config.pwd, configurations, executable)
+        @gradle_runner ||= Runner.new(configurations, executable)
       end
 
       # Returns the configurations to include in license generation.
@@ -113,7 +113,7 @@ module Licensed
         begin
           # create the CSV file including dependency license urls using the gradle plugin
           gradle_licenses_dir = File.join(config.root, GRADLE_LICENSES_PATH)
-          gradle_runner.run("generateLicenseReport", config.source_path)
+          gradle_runner.run("generateLicenseReport")
 
           # parse the CSV report for dependency license urls
           CSV.foreach(File.join(gradle_licenses_dir, GRADLE_LICENSES_CSV_NAME), headers: true).each_with_object({}) do |row, hsh|
@@ -134,80 +134,82 @@ module Licensed
       # The Gradle::Runner class is a wrapper which provides
       # an interface to run gradle commands with the init script initialized
       class Runner
-        def initialize(root_path, configurations, executable)
-          @root_path = root_path
+        def initialize(configurations, executable)
           @executable = executable
-          @init_script = create_init_script(root_path, configurations)
+          @init_script = create_init_script(configurations)
         end
 
-        def run(command, source_path)
-          args = [format_command(command, source_path)]
+        def run(command)
+          args = [command]
           # The configuration cache is an incubating feature that can be activated manually.
           # The gradle plugin for licenses does not support it so we prevent it to run for gradle version supporting it.
-          args << "--no-configuration-cache" if gradle_version >= "6.6"
+          args << "--no-configuration-cache" if gradle_version >= Gem::Version.new("6.6")
           Licensed::Shell.execute(@executable, "-q", "--init-script", @init_script.path, *args)
         end
 
         private
 
-        def gradle_version
-          @gradle_version ||= Licensed::Shell.execute(@executable, "--version").scan(/Gradle [\d+]\.[\d+]/).last.split(" ").last
-        end
-
-        def create_init_script(path, configurations)
-          Dir.chdir(path) do
-            f = Tempfile.new(["init", ".gradle"], @root_path)
-            f.write(
-              <<~EOF
-                  import com.github.jk1.license.render.CsvReportRenderer
-                  import com.github.jk1.license.filter.LicenseBundleNormalizer
-                  final configs = #{configurations.inspect}
-
-                  initscript {
-                    repositories {
-                      maven {
-                        url "https://plugins.gradle.org/m2/"
-                      }
-                    }
-                    dependencies {
-                      classpath "com.github.jk1:gradle-license-report:#{gradle_version >= "7.0" ? "2.0" : "1.17"}"
+        def create_init_script(configurations)
+          # we need to create extensions in the event that the user hasn't configured custom configurations
+          # to avoid hitting errors where core Gradle configurations are set with canBeResolved=false
+          configuration_map = configurations.map { |c| [c, "licensed#{c}"] }.to_h
+          configuration_dsl = configuration_map.map { |orig, custom| "#{custom}.extendsFrom(#{orig})" }
+
+          f = Tempfile.new(["init", ".gradle"])
+          f.write(
+            <<~EOF
+                import com.github.jk1.license.render.CsvReportRenderer
+                import com.github.jk1.license.filter.LicenseBundleNormalizer
+                final configs = #{configuration_map.values.inspect}
+
+                initscript {
+                  repositories {
+                    maven {
+                      url "https://plugins.gradle.org/m2/"
                     }
                   }
+                  dependencies {
+                    classpath "com.github.jk1:gradle-license-report:#{gradle_version >= Gem::Version.new("7.0") ? "2.0" : "1.17"}"
+                  }
+                }
 
-                  allprojects {
-                    apply plugin: com.github.jk1.license.LicenseReportPlugin
-                    licenseReport {
-                        outputDir = "$rootDir/.gradle-licenses"
-                        configurations = configs
-                        renderers = [new CsvReportRenderer()]
-                        filters = [new LicenseBundleNormalizer()]
-                    }
+                allprojects {
+                  configurations {
+                    #{configuration_dsl.join("\n") }
+                  }
+
+                  apply plugin: com.github.jk1.license.LicenseReportPlugin
+                  licenseReport {
+                      outputDir = "$rootDir/#{GRADLE_LICENSES_PATH}"
+                      configurations = configs
+                      renderers = [new CsvReportRenderer()]
+                      filters = [new LicenseBundleNormalizer()]
+                  }
 
-                    task printDependencies {
-                      doLast {
-                          def dependencies = []
-                          configs.each {
-                              configurations[it].resolvedConfiguration.resolvedArtifacts.each { artifact ->
-                                  def id = artifact.moduleVersion.id
-                                  dependencies << "{ \\"group\\": \\"${id.group}\\", \\"name\\": \\"${id.name}\\", \\"version\\": \\"${id.version}\\" }"
-                              }
-                          }
-                          println "[${dependencies.join(", ")}]"
-                      }
+                  task printDependencies {
+                    doLast {
+                        def dependencies = []
+                        configs.each {
+                            configurations[it].resolvedConfiguration.resolvedArtifacts.each { artifact ->
+                                def id = artifact.moduleVersion.id
+                                dependencies << "{ \\"group\\": \\"${id.group}\\", \\"name\\": \\"${id.name}\\", \\"version\\": \\"${id.version}\\" }"
+                            }
+                        }
+                        println "[${dependencies.join(", ")}]"
                     }
                   }
-                EOF
-              )
-            f.close
-            f
-          end
+                }
+              EOF
+            )
+          f.close
+          f
         end
 
-        # Prefixes the gradle command with the project name for multi-build projects.
-        def format_command(command, source_path)
-          Dir.chdir(source_path) do
-            path = Licensed::Shell.execute(@executable, "properties", "-Dorg.gradle.logging.level=quiet").scan(/path:.*/).last.split(" ").last
-            path == ":" ? command : "#{path}:#{command}"
+        # Returns the version of gradle used during execution
+        def gradle_version
+          @gradle_version ||= begin
+            version = Licensed::Shell.execute(@executable, "--version").scan(/Gradle [\d+]\.[\d+]/).last.split(" ").last
+            Gem::Version.new(version)
           end
         end
       end

data/lib/licensed/sources/pnpm.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+require "json"
+
+module Licensed
+  module Sources
+    class PNPM < Source
+      # The PNPM source requires matching reviewed or ignored dependencies
+      # on both name and version
+      def self.require_matched_dependency_version
+        true
+      end
+
+      # Returns true when pnpm is installed and a pnpm-lock.yaml file is found,
+      # otherwise false
+      def enabled?
+        return false unless Licensed::Shell.tool_available?("pnpm")
+        File.exist?(File.join(config.pwd, "pnpm-lock.yaml"))
+      end
+
+      def enumerate_dependencies
+        packages.map do |package|
+          name_with_version = "#{package["name"]}@#{package["version"]}"
+          Dependency.new(
+            name: name_with_version,
+            version: package["version"],
+            path: package["path"],
+            metadata: {
+              "type"     => PNPM.type,
+              "name"     => package["name"],
+              "summary"  => package["description"],
+              "homepage" => package["homepage"]
+            }
+          )
+        end
+      end
+
+      # Returns package metadata returned from `pnpm licensed list`
+      def packages
+        JSON.parse(package_metadata_command).values.flatten
+      rescue JSON::ParserError => e
+        message = "Licensed was unable to parse the output from 'pnpm licenses list'. JSON Error: #{e.message}"
+        raise Licensed::Sources::Source::Error, message
+      end
+
+      # Returns the output from running `pnpm licenses list` to get package metadata
+      def package_metadata_command
+        args = %w(--json --long)
+        args << "--prod" unless include_non_production?
+        Licensed::Shell.execute("pnpm", "licenses", "list", *args, allow_failure: true)
+      end
+
+      # Returns whether to include non production dependencies based on the licensed configuration settings
+      def include_non_production?
+        config.dig("pnpm", "production_only") == false
+      end
+    end
+  end
+end

data/lib/licensed/sources/source.rb

@@ -51,6 +51,12 @@ module Licensed
                    .downcase
                    .split("::")
         end
+
+        # Returns true if the source requires matching reviewed and ignored dependencies'
+        # versions as well as their name
+        def require_matched_dependency_version
+          false
+        end
       end
 
       # all sources have a configuration
@@ -69,7 +75,9 @@ module Licensed
       # Returns all dependencies that should be evaluated.
       # Excludes ignored dependencies.
       def dependencies
-        cached_dependencies.reject { |d| ignored?(d) }
+        cached_dependencies
+          .reject { |d| ignored?(d) }
+          .each { |d| add_additional_terms_from_configuration(d) }
       end
 
       # Enumerate all source dependencies.  Must be implemented by each source class.
@@ -79,7 +87,7 @@ module Licensed
 
       # Returns whether a dependency is ignored in the configuration.
       def ignored?(dependency)
-        config.ignored?("type" => self.class.type, "name" => dependency.name)
+        config.ignored?(dependency.metadata, require_version: self.class.require_matched_dependency_version)
       end
 
       private
@@ -88,6 +96,11 @@ module Licensed
       def cached_dependencies
         @dependencies ||= enumerate_dependencies.compact
       end
+
+      # Add any additional_terms for this dependency that have been added to the configuration
+      def add_additional_terms_from_configuration(dependency)
+        dependency.additional_terms.concat config.additional_terms_for_dependency("type" => self.class.type, "name" => dependency.name)
+      end
     end
   end
 end

data/lib/licensed/sources.rb

@@ -6,19 +6,20 @@ module Licensed
     require "licensed/sources/bundler"
     require "licensed/sources/cabal"
     require "licensed/sources/cargo"
+    require "licensed/sources/cocoapods"
     require "licensed/sources/composer"
     require "licensed/sources/dep"
     require "licensed/sources/git_submodule"
     require "licensed/sources/go"
+    require "licensed/sources/gradle"
     require "licensed/sources/manifest"
+    require "licensed/sources/mix"
     require "licensed/sources/npm"
     require "licensed/sources/nuget"
     require "licensed/sources/pip"
     require "licensed/sources/pipenv"
+    require "licensed/sources/pnpm"
     require "licensed/sources/swift"
-    require "licensed/sources/gradle"
-    require "licensed/sources/mix"
     require "licensed/sources/yarn"
-    require "licensed/sources/cocoapods"
   end
 end

data/lib/licensed/version.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 module Licensed
-  VERSION = "4.0.4".freeze
+  VERSION = "4.2.0".freeze
 
   def self.previous_major_versions
     major_version = Gem::Version.new(Licensed::VERSION).segments.first

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: licensed
 version: !ruby/object:Gem::Version
-  version: 4.0.4
+  version: 4.2.0
 platform: ruby
 authors:
 - GitHub
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-01-26 00:00:00.000000000 Z
+date: 2023-02-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: licensee
@@ -219,6 +219,7 @@ files:
 - docs/commands/version.md
 - docs/configuration.md
 - docs/configuration/README.md
+- docs/configuration/additional_terms.md
 - docs/configuration/allowed_licenses.md
 - docs/configuration/application_name.md
 - docs/configuration/application_source.md
@@ -249,6 +250,7 @@ files:
 - docs/sources/nuget.md
 - docs/sources/pip.md
 - docs/sources/pipenv.md
+- docs/sources/pnpm.md
 - docs/sources/stack.md
 - docs/sources/swift.md
 - docs/sources/yarn.md
@@ -298,6 +300,7 @@ files:
 - lib/licensed/sources/nuget.rb
 - lib/licensed/sources/pip.rb
 - lib/licensed/sources/pipenv.rb
+- lib/licensed/sources/pnpm.rb
 - lib/licensed/sources/source.rb
 - lib/licensed/sources/swift.rb
 - lib/licensed/sources/yarn.rb