licensed 4.3.1 → 4.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a5e25ec11aa1545ab3a63cd560c95dd5f12c0008867a68668005473ab68b20ff
-  data.tar.gz: 9dd7d0fafc53407683ba844ae7f9ce4da2b52a72ebda61334739e9fb010b1af9
+  metadata.gz: d7d2ea0e055fe77e271036b11cc0494a3258e4a7f912bea4b135da327f7c6b16
+  data.tar.gz: eba319d54b8bc1865e25c325113b85fe3e151f5dfe52fe17059400bfbff4d6ea
 SHA512:
-  metadata.gz: 234bf05e1fd4aa01c19220ed566820b291169fb55714c5841dad75f3a01c06c37011dcc8a943008ff0b36325fb00637fcbbd3175c94cb9b18e65cbbcf2ed6514
-  data.tar.gz: 812597ad63783d2b16cf7cf33ab81e793ee9c8ae103b61927655019d8418a1ef5778d61ec288c817caf5e687776c8e15531cfc1c20dd1e650720ccd4f274296f
+  metadata.gz: cb1676bd29d609faf6bab6b32a8c54599ab7a3b508e0ade9c59ca6f6538923420540b78ac2074af343bc3dc8eceb611a74f4f3dc921ea0fef95eefc596f77395
+  data.tar.gz: 26ca34201fe2c44c1dfe2bf2168720b885b051aca5e143225348febfc34d24d5e3b17845224fb543e5187aea370bcbf2c446f5e37e3d5c8028054f3cc3e061c3

data/CHANGELOG.md

@@ -6,6 +6,12 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## 4.4.0
+
+### Added
+
+- Licensed status command will alert on stale cached dependency records (https://github.com/github/licensed/pull/657)
+
 ## 4.3.1
 
 ### Changed
@@ -735,4 +741,4 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 Initial release :tada:
 
-[Unreleased]: https://github.com/github/licensed/compare/4.3.1...HEAD
+[Unreleased]: https://github.com/github/licensed/compare/4.4.0...HEAD

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    licensed (4.3.1)
+    licensed (4.5.0)
       json (~> 2.6)
       licensee (~> 9.16)
       parallel (~> 1.22)
@@ -14,24 +14,33 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (7.0.4.3)
+    activesupport (7.1.3.2)
+      base64
+      bigdecimal
       concurrent-ruby (~> 1.0, >= 1.0.2)
+      connection_pool (>= 2.2.5)
+      drb
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
+      mutex_m
       tzinfo (~> 2.0)
     addressable (2.8.1)
       public_suffix (>= 2.0.2, < 6.0)
     ast (2.4.2)
+    base64 (0.2.0)
+    bigdecimal (3.1.7)
     byebug (11.1.3)
-    concurrent-ruby (1.2.2)
+    concurrent-ruby (1.2.3)
+    connection_pool (2.4.1)
     dotenv (2.8.1)
+    drb (2.2.1)
     faraday (2.7.4)
       faraday-net_http (>= 2.0, < 3.1)
       ruby2_keywords (>= 0.0.4)
     faraday-net_http (3.0.2)
-    i18n (1.12.0)
+    i18n (1.14.4)
       concurrent-ruby (~> 1.0)
-    json (2.6.3)
+    json (2.7.2)
     licensee (9.16.0)
       dotenv (~> 2.0)
       octokit (>= 4.20, < 7.0)
@@ -39,30 +48,32 @@ GEM
       rugged (>= 0.24, < 2.0)
       thor (>= 0.19, < 2.0)
     mini_portile2 (2.8.1)
-    minitest (5.18.0)
-    minitest-hooks (1.5.0)
+    minitest (5.24.1)
+    minitest-hooks (1.5.1)
       minitest (> 5.3)
-    mocha (2.0.2)
+    mocha (2.4.5)
       ruby2_keywords (>= 0.0.5)
-    nokogiri (1.14.3)
+    mutex_m (0.2.0)
+    nokogiri (1.15.6)
       mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
     octokit (6.1.0)
       faraday (>= 1, < 3)
       sawyer (~> 0.9)
-    parallel (1.22.1)
+    parallel (1.25.1)
     parser (3.2.0.0)
       ast (~> 2.4.1)
-    pathname-common_prefix (0.0.1)
+    pathname-common_prefix (0.0.2)
     public_suffix (5.0.1)
     racc (1.6.2)
-    rack (3.0.7)
+    rack (3.0.9.1)
     rainbow (3.1.1)
-    rake (13.0.6)
+    rake (13.2.1)
     regexp_parser (2.6.2)
     reverse_markdown (2.1.1)
       nokogiri
-    rexml (3.2.5)
+    rexml (3.3.3)
+      strscan
     rubocop (1.45.1)
       json (~> 2.3)
       parallel (~> 1.10)
@@ -93,7 +104,8 @@ GEM
     sawyer (0.9.2)
       addressable (>= 2.3.5)
       faraday (>= 0.17.3, < 3)
-    thor (1.2.1)
+    strscan (3.1.0)
+    thor (1.3.1)
     tomlrb (2.0.3)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)

data/README.md

@@ -8,7 +8,7 @@ Licensed is **not** a complete open source license compliance solution. Please u
 
 ![Build status](https://github.com/github/licensed/workflows/Test/badge.svg)
 
-Licensed is in active development and currently used at GitHub.  See the [open issues](https://github.com/github/licensed/issues) for a list of potential work.
+Licensed is currently in **low maintenance mode**. At this point, we're only looking to maintain this repository for security fixes.
 
 ## Licensed v4 - **Removed support for non-Ruby environments**
 

data/docs/commands/status.md

@@ -31,6 +31,21 @@ A dependency will fail the status checks if:
    - If `license: other` is specified and all of the `licenses` entries match an `allowed` license a failure will not be logged
    - A `reviewed` entry must reference a specific version of the depdency, e.g. `<name>@<version>`.  The version identifier must specify a specific dependency version, ranges are not allowed.
 
+## Detect and alert on stale cached metadata files
+
+Licensed can alert on any metadata files that don't correlate to a currently used dependency when `licensed status` is run.  To configure this behavior, set a root-level `stale_records_action` value in your [licensed configuration file](./../configuration.md).
+
+Available values are:
+
+1. `'error'`: Treat stale cached records as errors.  Licensed will output errors for any stale metadata files and will cause `licensed status` to fail.
+1. `'warn'`, `''`, or unset (default): Treat stale cached records as warnings.  Licensed will output warnings for any stale metadata files but will not cause `licensed status` to fail.
+1. `'ignore'`, any other value: Ignore stale cached records.  Licensed will not output any notifications about stale metadata files.
+
+```yaml
+# in the licensed configuration file
+stale_records_action: 'warn'
+```
+
 ## Options
 
 - `--config`/`-c`: the path to the licensed configuration file

data/docs/configuration/customizing_licensee.md

@@ -1,6 +1,6 @@
 # Customize Licensee's behavior
 
-Licensed uses [Licensee](https://github.com/licensee/licensee) to detect and evaluate OSS licenses for project dependencies found during source enumeration.  Licensed can optionally [customize Licensee's behavior](https://github.com/licensee/licensee/blob/jonabc-patch-1/docs/customizing.md#customizing-licensees-behavior) based on options set in the configuration file.
+Licensed uses [Licensee](https://github.com/licensee/licensee) to detect and evaluate OSS licenses for project dependencies found during source enumeration. Licensed can optionally [customize Licensee's behavior](https://github.com/licensee/licensee/blob/main/docs/customizing.md#customizing-licensees-behavior) based on options set in the configuration file.
 
 **NOTE** Matching licenses based on package manager metadata and README references is always enabled and cannot currently be configured.
 
@@ -8,6 +8,6 @@ Licensed uses [Licensee](https://github.com/licensee/licensee) to detect and eva
 licensee:
   # the confidence threshold is an integer between 1 and 100. the value represents
   # the minimum percentage confidence that Licensee must have to report a matched license
-  # https://github.com/licensee/licensee/blob/master/docs/customizing.md#adjusting-the-confidence-threshold
+  # https://github.com/licensee/licensee/blob/main/docs/customizing.md#adjusting-the-confidence-threshold
   confidence_threshold: 90 # default value: 98
 ```

data/docs/configuration.md

@@ -26,6 +26,15 @@ cache_path: 'relative/path/to/cache'
 # Defaults to current directory when running `licensed`
 source_path: 'relative/path/to/source'
 
+# Whether to take any action when records are detected in the cache paths that don't map to evaluated
+# dependencies.
+# Available values are:
+# - 'error': treat stale cached records as errors.  Notify the user and fail status checks
+# - 'warn', '', unset: treat stale cached records as warnings.  Notify the user but do not fail status checks
+# - 'ignore': Ignore stale cached records.  Do not notify the user and do not fail status checks
+# Optional, when not set this defaults to 'warn' behavior
+stale_records_action: 'warn'
+
 # Sources of metadata
 sources:
   bower: true

data/docs/migrations/v3.md

@@ -14,11 +14,11 @@ When using licensed v3 with bundler dependencies, licensed must be installed fro
 
 Using licensed to enumerate bundler dependencies in a GitHub Actions workflow will require ruby to be available in the actions VM environment.  Ruby can be setup in an actions workflow using [ruby/setup-ruby](https://github.com/ruby/setup-ruby)(preferred) or [actions/setup-ruby](https://github.com/actions/setup-ruby)(deprecated).
 
-If you are using licensed in a GitHub Actions workflow, [jonabc/setup-licensed](https://github.com/jonabc/setup-licensed) has been updated according to this breaking change.  `setup-licensed` will install the licensed gem when ruby is available, or the licensed executable when ruby is not available.  Alternatively, you can `gem install` licensed directly as an actions step.
+If you are using licensed in a GitHub Actions workflow, [github/setup-licensed](https://github.com/github/setup-licensed) has been updated according to this breaking change.  `setup-licensed` will install the licensed gem when ruby is available, or the licensed executable when ruby is not available.  Alternatively, you can `gem install` licensed directly as an actions step.
 
-This is an example workflow definition that runs [jonabc/licensed-ci](https://github.com/jonabc/licensed-ci)'s opinionated license compliance workflow in CI.  It includes jobs that demonstrate installing licensed using 
+This is an example workflow definition that runs [github/licensed-ci](https://github.com/github/licensed-ci)'s opinionated license compliance workflow in CI.  It includes jobs that demonstrate installing licensed using 
 - `gem install`
-- [jonabc/setup-licensed](https://github.com/jonabc/setup-licensed)
+- [github/setup-licensed](https://github.com/github/setup-licensed)
 - installing when included in a bundler gem file
 
 ```yml
@@ -50,7 +50,7 @@ jobs:
           ruby-version: "3.0"
 
       # install licensed gem using setup-licensed
-      - uses: jonabc/setup-licensed@v1
+      - uses: github/setup-licensed@v1
         with:
           version: '3.x'
 
@@ -58,7 +58,7 @@ jobs:
       - run: bundle install
 
       # run licensed-ci to cache any metadata changes and verify compliance
-      - uses: jonabc/licensed-ci@v1
+      - uses: github/licensed-ci@v1
 
   # OR 
   
@@ -82,7 +82,7 @@ jobs:
       - run: bundle install
 
       # run licensed-ci to cache any metadata changes and verify compliance
-      - uses: jonabc/licensed-ci@v1
+      - uses: github/licensed-ci@v1
 
   # OR
 
@@ -103,7 +103,7 @@ jobs:
       - run: bundle install
 
       # run licensed-ci to cache any metadata changes and verify compliance
-      - uses: jonabc/licensed-ci@v1
+      - uses: github/licensed-ci@v1
         with:
           command: 'bundle exec licensed' # run licensed within the bundler context
 ```

data/docs/sources/cocoapods.md

@@ -2,7 +2,7 @@
 
 The cocoapods source will detect dependencies when `Podfile` and `Podfile.lock` are found at an app's `source_path`.  The cocoapods source uses the [cocoapods-dependencies-list](https://github.com/jonabc/cocoapods-dependencies-list) plugin to enumerate dependencies and gather metadata on each package.
 
-**NOTE:  Licensed does not install the [cocoapods-dependencies-list](https://github.com/jonanc/cocoapods-dependencies-list) plugin.  Users must install the gem alongside the cocoapods gem to enumerate cocoapods dependencies.**
+**NOTE:  Licensed does not install the [cocoapods-dependencies-list](https://github.com/jonabc/cocoapods-dependencies-list) plugin.  Users must install the gem alongside the cocoapods gem to enumerate cocoapods dependencies.**
 
 ## Evaluating dependencies from a specific target
 

data/lib/licensed/commands/cache.rb

@@ -23,6 +23,7 @@ module Licensed
       def run_command(report)
         super do |result|
           clear_stale_cached_records if result
+          result
         end
       ensure
         cache_paths.clear

data/lib/licensed/commands/command.rb

@@ -69,7 +69,7 @@ module Licensed
 
         result = results.all?
 
-        yield(result) if block_given?
+        result = yield(result) if block_given?
 
         result
       ensure
@@ -103,7 +103,7 @@ module Licensed
 
           result = results.all?
 
-          yield(result) if block_given?
+          result = yield(result) if block_given?
 
           result
         end
@@ -142,7 +142,7 @@ module Licensed
 
         result = results.all?
 
-        yield(result) if block_given?
+        result = yield(result) if block_given?
 
         result
       rescue Licensed::Shell::Error => err
@@ -175,7 +175,7 @@ module Licensed
 
         result = evaluate_dependency(app, source, dependency, report)
 
-        yield(result) if block_given?
+        result = yield(result) if block_given?
 
         result
       rescue Licensed::DependencyRecord::Error, Licensed::Shell::Error => err

data/lib/licensed/commands/status.rb

@@ -23,10 +23,48 @@ module Licensed
       # Returns whether the command succeeded based on the call to super
       def run_command(report)
         super do |result|
-          next if result
+          stale_records = stale_cached_records
+          if stale_records.any?
+            messages = stale_records.map { |f| "Stale dependency record found: #{f}" }
+            messages << "Please run the licensed cache command to clean up stale records"
+
+            case config["stale_records_action"].to_s
+            when "error"
+              report.errors.concat messages
+              result = false
+            when "warn", ""
+              report.warnings.concat messages
+            end
+          end
+
+          next result if result
 
           report.errors << "Licensed found errors during source enumeration.  Please see https://github.com/github/licensed/tree/master/docs/commands/status.md#status-errors-and-resolutions for possible resolutions."
+
+          result
         end
+      ensure
+        cache_paths.clear
+        files.clear
+      end
+
+      # Run the command for all enumerated dependencies found in a dependency source,
+      # recording results in a report.
+      # Enumerating dependencies in the source is skipped if a :sources option
+      # is provided and the evaluated `source.class.type` is not in the :sources values
+      #
+      # app - The application configuration for the source
+      # source - A dependency source enumerator
+      #
+      # Returns whether the command succeeded for the dependency source enumerator
+      def run_source(app, source, report)
+        result = super
+
+        # add the full cache path to the list of cache paths
+        # that should be checked for extra files after the command run
+        cache_paths << app.cache_path.join(source.class.type) unless result == :skipped
+
+        result
       end
 
       # Evaluates a dependency for any compliance errors.
@@ -49,6 +87,9 @@ module Licensed
           filename = app.cache_path.join(source.class.type, "#{dependency.name}.#{DependencyRecord::EXTENSION}")
           report["filename"] = filename
           record = cached_record(filename)
+
+          # add the absolute dependency file path to the list of files seen during this licensed run
+          files << filename.to_s
         end
 
         if record.nil?
@@ -133,6 +174,26 @@ module Licensed
 
         licenses.sort_by { |license| license != "other" ? 0 : 1 }.first
       end
+
+      # Check for cached files that don't match current dependencies
+      #
+      # Returns an array of any cached records that do not match a currently used dependency
+      def stale_cached_records
+        cache_paths.flat_map do |cache_path|
+          record_search_glob_pattern = cache_path.join("**/*.#{DependencyRecord::EXTENSION}")
+          Dir.glob(record_search_glob_pattern).select { |file| !files.include?(file) }
+        end.uniq
+      end
+
+      # Set of unique cache paths that are evaluted during the run
+      def cache_paths
+        @cache_paths ||= Set.new
+      end
+
+      # Set of unique absolute file paths of cached records evaluted during the run
+      def files
+        @files ||= Set.new
+      end
     end
   end
 end

data/lib/licensed/configuration.rb

@@ -274,6 +274,7 @@ module Licensed
     end
 
     def initialize(options = {})
+      @options = options
       apps = options.delete("apps") || []
       apps << default_options.merge(options) if apps.empty?
 
@@ -285,6 +286,10 @@ module Licensed
       @apps = apps.map { |app| AppConfiguration.new(app, options) }
     end
 
+    def [](key)
+      @options&.fetch(key, nil)
+    end
+
     private
 
     def self.expand_app_source_path(app_config)

data/lib/licensed/reporters/status_reporter.rb

@@ -8,6 +8,11 @@ module Licensed
       # command - The command being run
       # report - A report object containing information about the command run
       def end_report_command(command, report)
+        if report.warnings.any?
+          shell.newline
+          report.warnings.each { |e| shell.warn e }
+        end
+
         if report.errors.any?
           shell.newline
           report.errors.each { |e| shell.error e }

data/lib/licensed/version.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 module Licensed
-  VERSION = "4.3.1".freeze
+  VERSION = "4.5.0".freeze
 
   def self.previous_major_versions
     major_version = Gem::Version.new(Licensed::VERSION).segments.first

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: licensed
 version: !ruby/object:Gem::Version
-  version: 4.3.1
+  version: 4.5.0
 platform: ruby
 authors:
 - GitHub
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-04-12 00:00:00.000000000 Z
+date: 2024-08-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: licensee
@@ -342,7 +342,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.26
+rubygems_version: 3.4.19
 signing_key: 
 specification_version: 4
 summary: Extract and validate the licenses of dependencies.