licensed 4.4.0 → 5.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +18 -1
- data/Gemfile.lock +27 -15
- data/README.md +3 -3
- data/docs/configuration/customizing_licensee.md +2 -2
- data/docs/migrations/v3.md +7 -7
- data/docs/sources/cocoapods.md +1 -1
- data/lib/licensed/sources/cabal.rb +6 -0
- data/lib/licensed/version.rb +1 -1
- data/licensed.gemspec +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 418a3151f8331f3377eb4ff5b1a322733c006478c1bb84de7c023b2b1e567876
|
|
4
|
+
data.tar.gz: ffceca317c9924f12d732781aec5a9311bccac316ca9cf0b4e5e2a02b5b5967a
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d6a33da199f2e60fd5ed19c08ad830aab62b8c2c0016c40844af94ba7b002ba58a2aa87e05b7a771054f9e95b333ed7f9bab7934d0cee6bdf981482f0b1f4a82
|
|
7
|
+
data.tar.gz: 60da525db6d11b5df8aef42042ad11e0d796bae937e894510764ab8c3eb2dcea36501441382f97d2896f8f9d3fea162e788516038c07156b584c090a61ac9d4f
|
data/CHANGELOG.md
CHANGED
|
@@ -6,6 +6,23 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
|
|
|
6
6
|
|
|
7
7
|
## [Unreleased]
|
|
8
8
|
|
|
9
|
+
## 5.0.0
|
|
10
|
+
|
|
11
|
+
### Breaking change
|
|
12
|
+
|
|
13
|
+
- Only supports Ruby 3.0+ due to nokogiri upgrade
|
|
14
|
+
|
|
15
|
+
### Changed
|
|
16
|
+
|
|
17
|
+
- Ensure homepage string is not too long in cabal.rb to avoid DOS attack
|
|
18
|
+
- Update dependencies
|
|
19
|
+
|
|
20
|
+
## 4.5.0
|
|
21
|
+
|
|
22
|
+
### Changed
|
|
23
|
+
|
|
24
|
+
- Bumped a number of dependencies for security fixes
|
|
25
|
+
|
|
9
26
|
## 4.4.0
|
|
10
27
|
|
|
11
28
|
### Added
|
|
@@ -132,7 +149,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
|
|
|
132
149
|
### Fixed
|
|
133
150
|
|
|
134
151
|
- Comparing dependency license contents now finds matching contents regardless of the order of the licenses (https://github.com/github/licensed/pull/516)
|
|
135
|
-
- Fixed typo in a link in README.md (https://github.com/github/licensed/pull/514)
|
|
152
|
+
- Fixed typo in a link in README.md (https://github.com/github/licensed/pull/514)
|
|
136
153
|
|
|
137
154
|
### Changed
|
|
138
155
|
|
data/Gemfile.lock
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
PATH
|
|
2
2
|
remote: .
|
|
3
3
|
specs:
|
|
4
|
-
licensed (
|
|
4
|
+
licensed (5.0.0)
|
|
5
5
|
json (~> 2.6)
|
|
6
6
|
licensee (~> 9.16)
|
|
7
7
|
parallel (~> 1.22)
|
|
@@ -14,24 +14,33 @@ PATH
|
|
|
14
14
|
GEM
|
|
15
15
|
remote: https://rubygems.org/
|
|
16
16
|
specs:
|
|
17
|
-
activesupport (7.
|
|
17
|
+
activesupport (7.1.3.2)
|
|
18
|
+
base64
|
|
19
|
+
bigdecimal
|
|
18
20
|
concurrent-ruby (~> 1.0, >= 1.0.2)
|
|
21
|
+
connection_pool (>= 2.2.5)
|
|
22
|
+
drb
|
|
19
23
|
i18n (>= 1.6, < 2)
|
|
20
24
|
minitest (>= 5.1)
|
|
25
|
+
mutex_m
|
|
21
26
|
tzinfo (~> 2.0)
|
|
22
27
|
addressable (2.8.1)
|
|
23
28
|
public_suffix (>= 2.0.2, < 6.0)
|
|
24
29
|
ast (2.4.2)
|
|
30
|
+
base64 (0.2.0)
|
|
31
|
+
bigdecimal (3.1.7)
|
|
25
32
|
byebug (11.1.3)
|
|
26
|
-
concurrent-ruby (1.2.
|
|
33
|
+
concurrent-ruby (1.2.3)
|
|
34
|
+
connection_pool (2.4.1)
|
|
27
35
|
dotenv (2.8.1)
|
|
36
|
+
drb (2.2.1)
|
|
28
37
|
faraday (2.7.4)
|
|
29
38
|
faraday-net_http (>= 2.0, < 3.1)
|
|
30
39
|
ruby2_keywords (>= 0.0.4)
|
|
31
40
|
faraday-net_http (3.0.2)
|
|
32
|
-
i18n (1.
|
|
41
|
+
i18n (1.14.4)
|
|
33
42
|
concurrent-ruby (~> 1.0)
|
|
34
|
-
json (2.
|
|
43
|
+
json (2.7.2)
|
|
35
44
|
licensee (9.16.0)
|
|
36
45
|
dotenv (~> 2.0)
|
|
37
46
|
octokit (>= 4.20, < 7.0)
|
|
@@ -39,30 +48,32 @@ GEM
|
|
|
39
48
|
rugged (>= 0.24, < 2.0)
|
|
40
49
|
thor (>= 0.19, < 2.0)
|
|
41
50
|
mini_portile2 (2.8.1)
|
|
42
|
-
minitest (5.
|
|
43
|
-
minitest-hooks (1.5.
|
|
51
|
+
minitest (5.25.1)
|
|
52
|
+
minitest-hooks (1.5.2)
|
|
44
53
|
minitest (> 5.3)
|
|
45
|
-
mocha (2.
|
|
54
|
+
mocha (2.4.5)
|
|
46
55
|
ruby2_keywords (>= 0.0.5)
|
|
47
|
-
|
|
56
|
+
mutex_m (0.2.0)
|
|
57
|
+
nokogiri (1.16.5)
|
|
48
58
|
mini_portile2 (~> 2.8.0)
|
|
49
59
|
racc (~> 1.4)
|
|
50
60
|
octokit (6.1.0)
|
|
51
61
|
faraday (>= 1, < 3)
|
|
52
62
|
sawyer (~> 0.9)
|
|
53
|
-
parallel (1.
|
|
63
|
+
parallel (1.26.3)
|
|
54
64
|
parser (3.2.0.0)
|
|
55
65
|
ast (~> 2.4.1)
|
|
56
|
-
pathname-common_prefix (0.0.
|
|
66
|
+
pathname-common_prefix (0.0.2)
|
|
57
67
|
public_suffix (5.0.1)
|
|
58
68
|
racc (1.6.2)
|
|
59
|
-
rack (3.0.
|
|
69
|
+
rack (3.0.9.1)
|
|
60
70
|
rainbow (3.1.1)
|
|
61
|
-
rake (13.
|
|
71
|
+
rake (13.2.1)
|
|
62
72
|
regexp_parser (2.6.2)
|
|
63
73
|
reverse_markdown (2.1.1)
|
|
64
74
|
nokogiri
|
|
65
|
-
rexml (3.
|
|
75
|
+
rexml (3.3.6)
|
|
76
|
+
strscan
|
|
66
77
|
rubocop (1.45.1)
|
|
67
78
|
json (~> 2.3)
|
|
68
79
|
parallel (~> 1.10)
|
|
@@ -93,7 +104,8 @@ GEM
|
|
|
93
104
|
sawyer (0.9.2)
|
|
94
105
|
addressable (>= 2.3.5)
|
|
95
106
|
faraday (>= 0.17.3, < 3)
|
|
96
|
-
|
|
107
|
+
strscan (3.1.0)
|
|
108
|
+
thor (1.3.2)
|
|
97
109
|
tomlrb (2.0.3)
|
|
98
110
|
tzinfo (2.0.6)
|
|
99
111
|
concurrent-ruby (~> 1.0)
|
data/README.md
CHANGED
|
@@ -8,7 +8,7 @@ Licensed is **not** a complete open source license compliance solution. Please u
|
|
|
8
8
|
|
|
9
9
|

|
|
10
10
|
|
|
11
|
-
Licensed is in
|
|
11
|
+
Licensed is currently in **low maintenance mode**. At this point, we're only looking to maintain this repository for security fixes.
|
|
12
12
|
|
|
13
13
|
## Licensed v4 - **Removed support for non-Ruby environments**
|
|
14
14
|
|
|
@@ -21,7 +21,7 @@ Licensed v3 includes a breaking change if both of the following are true:
|
|
|
21
21
|
1. a project uses bundler to manage ruby dependencies
|
|
22
22
|
2. a project uses the self-contained executable build of licensed
|
|
23
23
|
|
|
24
|
-
All other usages of licensed should not encounter any major changes migrating from the latest 2.x build to 3.0.
|
|
24
|
+
All other usages of licensed should not encounter any major changes migrating from the latest 2.x build to 3.0.
|
|
25
25
|
|
|
26
26
|
See [CHANGELOG.md](./CHANGELOG.md) for more details on what's changed.
|
|
27
27
|
See the [v3 migration documentation](./docs/migrations/v3.md) for more info on migrating to v3.
|
|
@@ -94,7 +94,7 @@ To get started after checking out the repo, run
|
|
|
94
94
|
|
|
95
95
|
You can also run `script/console` for an interactive prompt that will allow you to experiment.
|
|
96
96
|
|
|
97
|
-
To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then
|
|
97
|
+
To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then create a release on GitHub.
|
|
98
98
|
|
|
99
99
|
### Adding a new source
|
|
100
100
|
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
# Customize Licensee's behavior
|
|
2
2
|
|
|
3
|
-
Licensed uses [Licensee](https://github.com/licensee/licensee) to detect and evaluate OSS licenses for project dependencies found during source enumeration.
|
|
3
|
+
Licensed uses [Licensee](https://github.com/licensee/licensee) to detect and evaluate OSS licenses for project dependencies found during source enumeration. Licensed can optionally [customize Licensee's behavior](https://github.com/licensee/licensee/blob/main/docs/customizing.md#customizing-licensees-behavior) based on options set in the configuration file.
|
|
4
4
|
|
|
5
5
|
**NOTE** Matching licenses based on package manager metadata and README references is always enabled and cannot currently be configured.
|
|
6
6
|
|
|
@@ -8,6 +8,6 @@ Licensed uses [Licensee](https://github.com/licensee/licensee) to detect and eva
|
|
|
8
8
|
licensee:
|
|
9
9
|
# the confidence threshold is an integer between 1 and 100. the value represents
|
|
10
10
|
# the minimum percentage confidence that Licensee must have to report a matched license
|
|
11
|
-
# https://github.com/licensee/licensee/blob/
|
|
11
|
+
# https://github.com/licensee/licensee/blob/main/docs/customizing.md#adjusting-the-confidence-threshold
|
|
12
12
|
confidence_threshold: 90 # default value: 98
|
|
13
13
|
```
|
data/docs/migrations/v3.md
CHANGED
|
@@ -14,11 +14,11 @@ When using licensed v3 with bundler dependencies, licensed must be installed fro
|
|
|
14
14
|
|
|
15
15
|
Using licensed to enumerate bundler dependencies in a GitHub Actions workflow will require ruby to be available in the actions VM environment. Ruby can be setup in an actions workflow using [ruby/setup-ruby](https://github.com/ruby/setup-ruby)(preferred) or [actions/setup-ruby](https://github.com/actions/setup-ruby)(deprecated).
|
|
16
16
|
|
|
17
|
-
If you are using licensed in a GitHub Actions workflow, [
|
|
17
|
+
If you are using licensed in a GitHub Actions workflow, [github/setup-licensed](https://github.com/github/setup-licensed) has been updated according to this breaking change. `setup-licensed` will install the licensed gem when ruby is available, or the licensed executable when ruby is not available. Alternatively, you can `gem install` licensed directly as an actions step.
|
|
18
18
|
|
|
19
|
-
This is an example workflow definition that runs [
|
|
19
|
+
This is an example workflow definition that runs [github/licensed-ci](https://github.com/github/licensed-ci)'s opinionated license compliance workflow in CI. It includes jobs that demonstrate installing licensed using
|
|
20
20
|
- `gem install`
|
|
21
|
-
- [
|
|
21
|
+
- [github/setup-licensed](https://github.com/github/setup-licensed)
|
|
22
22
|
- installing when included in a bundler gem file
|
|
23
23
|
|
|
24
24
|
```yml
|
|
@@ -50,7 +50,7 @@ jobs:
|
|
|
50
50
|
ruby-version: "3.0"
|
|
51
51
|
|
|
52
52
|
# install licensed gem using setup-licensed
|
|
53
|
-
- uses:
|
|
53
|
+
- uses: github/setup-licensed@v1
|
|
54
54
|
with:
|
|
55
55
|
version: '3.x'
|
|
56
56
|
|
|
@@ -58,7 +58,7 @@ jobs:
|
|
|
58
58
|
- run: bundle install
|
|
59
59
|
|
|
60
60
|
# run licensed-ci to cache any metadata changes and verify compliance
|
|
61
|
-
- uses:
|
|
61
|
+
- uses: github/licensed-ci@v1
|
|
62
62
|
|
|
63
63
|
# OR
|
|
64
64
|
|
|
@@ -82,7 +82,7 @@ jobs:
|
|
|
82
82
|
- run: bundle install
|
|
83
83
|
|
|
84
84
|
# run licensed-ci to cache any metadata changes and verify compliance
|
|
85
|
-
- uses:
|
|
85
|
+
- uses: github/licensed-ci@v1
|
|
86
86
|
|
|
87
87
|
# OR
|
|
88
88
|
|
|
@@ -103,7 +103,7 @@ jobs:
|
|
|
103
103
|
- run: bundle install
|
|
104
104
|
|
|
105
105
|
# run licensed-ci to cache any metadata changes and verify compliance
|
|
106
|
-
- uses:
|
|
106
|
+
- uses: github/licensed-ci@v1
|
|
107
107
|
with:
|
|
108
108
|
command: 'bundle exec licensed' # run licensed within the bundler context
|
|
109
109
|
```
|
data/docs/sources/cocoapods.md
CHANGED
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
The cocoapods source will detect dependencies when `Podfile` and `Podfile.lock` are found at an app's `source_path`. The cocoapods source uses the [cocoapods-dependencies-list](https://github.com/jonabc/cocoapods-dependencies-list) plugin to enumerate dependencies and gather metadata on each package.
|
|
4
4
|
|
|
5
|
-
**NOTE: Licensed does not install the [cocoapods-dependencies-list](https://github.com/
|
|
5
|
+
**NOTE: Licensed does not install the [cocoapods-dependencies-list](https://github.com/jonabc/cocoapods-dependencies-list) plugin. Users must install the gem alongside the cocoapods gem to enumerate cocoapods dependencies.**
|
|
6
6
|
|
|
7
7
|
## Evaluating dependencies from a specific target
|
|
8
8
|
|
|
@@ -71,6 +71,12 @@ module Licensed
|
|
|
71
71
|
# Returns a homepage url that enforces https and removes url fragments
|
|
72
72
|
def safe_homepage(homepage)
|
|
73
73
|
return unless homepage
|
|
74
|
+
# Ensure there's no denial of service issue with a long homepage
|
|
75
|
+
# 1000 characters is likely enough for any real project homepage
|
|
76
|
+
# See https://github.com/github/licensed/security/code-scanning/1
|
|
77
|
+
if homepage.length > 1000
|
|
78
|
+
raise ArgumentError, "Input too long"
|
|
79
|
+
end
|
|
74
80
|
# use https and remove url fragment
|
|
75
81
|
homepage.gsub(/http:/, "https:")
|
|
76
82
|
.gsub(/#[^?]*\z/, "")
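Review bot: The doc comment above `def safe_homepage` still describes only the https/fragment normalisation, while the added guard now raises `ArgumentError` for long input; callers that treat this as a best-effort normaliser (it already returns nil for a missing homepage on the `return unless homepage` line) will meet an exception the documentation does not mention. Add `# Raises ArgumentError when the homepage is longer than 1000 characters` to that comment, and state whether raising rather than returning nil is the intended contract, since the hunk leaves that choice implicit. The bare `1000` literal would also read better as a class-level constant, e.g. `MAX_HOMEPAGE_LENGTH = 1000` referenced as `if homepage.length > MAX_HOMEPAGE_LENGTH`, so the comment and the check cannot drift apart; note that `String#length` counts characters, which matches what the following `gsub` calls iterate over. The enclosing module continues outside the hunk.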
|
data/lib/licensed/version.rb
CHANGED
data/licensed.gemspec
CHANGED
|
@@ -21,7 +21,7 @@ Gem::Specification.new do |spec|
|
|
|
21
21
|
spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
|
|
22
22
|
spec.require_paths = ["lib"]
|
|
23
23
|
|
|
24
|
-
spec.required_ruby_version = ">=
|
|
24
|
+
spec.required_ruby_version = ">= 3.0.0"
|
|
25
25
|
|
|
26
26
|
spec.add_dependency "licensee", "~> 9.16"
|
|
27
27
|
spec.add_dependency "thor", "~> 1.2"
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: licensed
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version:
|
|
4
|
+
version: 5.0.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- GitHub
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2024-10-04 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: licensee
|
|
@@ -335,7 +335,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
335
335
|
requirements:
|
|
336
336
|
- - ">="
|
|
337
337
|
- !ruby/object:Gem::Version
|
|
338
|
-
version:
|
|
338
|
+
version: 3.0.0
|
|
339
339
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
340
340
|
requirements:
|
|
341
341
|
- - ">="
|