licensed 0.11.1 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 07a4512e6681c74b22d225a707385fadff416963
-  data.tar.gz: 544d91cf0ae2a71d6a3c977cb8e824958e2449a7
+  metadata.gz: ef8089cc373cef406eedfd056eeac368a466eaf0
+  data.tar.gz: 719ee8e1f6a6c5012f8c48c4bd517ddfbc57c95f
 SHA512:
-  metadata.gz: 9be7b972bf47b4171798b715a7c4705d034c946fde19c574dea609e95e82c938918d33ddc9195cd8f856d5a1f052c5ec467740075730d524a63b799b38d7fe88
-  data.tar.gz: 2911f4eeda12b5096eae5452d60c5a6a4c0600f3c5af86389a179a7ddd4b3374eb4ee9f472e77deb0323c05eb284d8c09f645a831c3247d21acef7387e0b158d
+  metadata.gz: d1455873b445ccfdc882750627b7680ff4e062b99d815b1eb21d673b6461dcc08bc6f6e8dc1b2018476f48f61fa1d9d18c314047c14f4d5c0afc66f2edae1b33
+  data.tar.gz: 18c392f7cacd7199543acdbea24d203bc8196ec14122c70bbcb0bf2f8c184f02a1a18526d93bda03742219f4d28bb0f8998090bafcf5122f5410ebed5dd611db

data/.gitignore

@@ -7,11 +7,20 @@
 /pkg/
 /spec/reports/
 /tmp/
-test/fixtures/bower_components
-test/fixtures/node_modules
+
+# test fixtures
+test/fixtures/bundler/.bundle/
+test/fixtures/bundler/vendor/
+test/fixtures/bundler/Gemfile.lock
+test/fixtures/bower/bower_components
+test/fixtures/npm/node_modules
+test/fixtures/npm/package-lock.json
 test/fixtures/go/src/*
+test/fixtures/go/pkg
 !test/fixtures/go/src/test
-test/**/.stack-work
-test/**/haskell/dist*
+test/fixtures/haskell/dist*
+
 vendor/licenses
+.licenses
 *.gem
+vendor/gems

data/.rubocop.yml

@@ -0,0 +1,3 @@
+inherit_gem:
+  rubocop-github:
+    - config/default.yml

data/.ruby-version

@@ -0,0 +1 @@
+2.4.0

data/CHANGELOG.md

@@ -0,0 +1,13 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
+and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## 1.0.0 - 2018-??-??
+
+Initial release :tada:
+
+[Unreleased]: https://github.com/github/licensed/compare/v1.0.0...HEAD

data/CODE_OF_CONDUCT.md

@@ -1,15 +1,15 @@
-Contributor Covenant Code of Conduct
+# Contributor Covenant Code of Conduct
 
-Our Pledge
+## Our Pledge
 
 In the interest of fostering an open and welcoming environment, we as
 contributors and maintainers pledge to making participation in our project and
 our community a harassment-free experience for everyone, regardless of age, body
 size, disability, ethnicity, gender identity and expression, level of experience,
-nationality, personal appearance, race, religion, or sexual identity and
-orientation.
+education, socio-economic status, nationality, personal appearance, race,
+religion, or sexual identity and orientation.
 
-Our Standards
+## Our Standards
 
 Examples of behavior that contributes to creating a positive environment
 include:
@@ -23,7 +23,7 @@ include:
 Examples of unacceptable behavior by participants include:
 
 * The use of sexualized language or imagery and unwelcome sexual attention or
-advances
+  advances
 * Trolling, insulting/derogatory comments, and personal or political attacks
 * Public or private harassment
 * Publishing others' private information, such as a physical or electronic
@@ -31,7 +31,7 @@ advances
 * Other conduct which could reasonably be considered inappropriate in a
   professional setting
 
-Our Responsibilities
+## Our Responsibilities
 
 Project maintainers are responsible for clarifying the standards of acceptable
 behavior and are expected to take appropriate and fair corrective action in
@@ -43,7 +43,7 @@ that are not aligned to this Code of Conduct, or to ban temporarily or
 permanently any contributor for other behaviors that they deem inappropriate,
 threatening, offensive, or harmful.
 
-Scope
+## Scope
 
 This Code of Conduct applies both within project spaces and in public spaces
 when an individual is representing the project or its community. Examples of
@@ -52,7 +52,7 @@ address, posting via an official social media account, or acting as an appointed
 representative at an online or offline event. Representation of a project may be
 further defined and clarified by project maintainers.
 
-Enforcement
+## Enforcement
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
 reported by contacting the project team at opensource+licensed@github.com. All
@@ -65,7 +65,9 @@ Project maintainers who do not follow or enforce the Code of Conduct in good
 faith may face temporary or permanent repercussions as determined by other
 members of the project's leadership.
 
-Attribution
+## Attribution
 
-This Code of Conduct is adapted from the Contributor Covenant, version 1.4,
-available at http://contributor-covenant.org/version/1/4/
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+
+[homepage]: https://www.contributor-covenant.org

data/CONTRIBUTING.md

@@ -0,0 +1,51 @@
+## Contributing
+
+[fork]: https://github.com/github/licensed/fork
+[pr]: https://github.com/github/licensed/compare
+[style]: https://github.com/styleguide/ruby
+[code-of-conduct]: CODE_OF_CONDUCT.md
+
+Hi there! We're thrilled that you'd like to contribute to this project. Your help is essential for keeping it great.
+
+Please note that this project is released with a [Contributor Code of Conduct][code-of-conduct]. By participating in this project you agree to abide by its terms.
+
+## Submitting a pull request
+
+0. [Fork][fork] and clone the repository
+0. Configure and install the dependencies: `script/bootstrap`
+0. Make sure the tests pass on your machine: `rake`
+0. Create a new branch: `git checkout -b my-branch-name`
+0. Make your change, add tests, and make sure the tests still pass
+0. Push to your fork and [submit a pull request][pr]
+0. Pat your self on the back and wait for your pull request to be reviewed and merged.
+
+Here are a few things you can do that will increase the likelihood of your pull request being accepted:
+
+- Follow the [style guide][style].
+- Write tests.
+- Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate pull requests.
+- Write a [good commit message](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
+
+## Releasing
+If you are the current maintainer of this gem:
+
+1. Create a branch for the release: git checkout -b cut-release-vxx.xx.xx
+2. Make sure your local dependencies are up to date: script/bootstrap
+3. Ensure that tests are green: bundle exec rake test
+4. Bump gem version in lib/licensed/version.rb.
+5. Update [`CHANGELOG.md`](CHANGELOG.md)
+6. Make a PR to github/licensed.
+7. Build a local gem: bundle exec rake build
+8. Test the gem:
+   1. Bump the Gemfile and Gemfile.lock versions for an app which relies on this gem
+   2. Install the new gem locally
+   3. Test behavior locally, branch deploy, whatever needs to happen
+9. Merge github/licensed PR
+10. Tag and push: git tag vx.xx.xx; git push --tags
+11. Push to rubygems.org -- gem push licensed-x.xx.xx.gem
+
+## Resources
+
+- [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)
+- [Using Pull Requests](https://help.github.com/articles/about-pull-requests/)
+- [GitHub Help](https://help.github.com)

data/Gemfile

@@ -1,4 +1,5 @@
-source 'https://rubygems.org'
+# frozen_string_literal: true
+source "https://rubygems.org"
 
 # Specify your gem's dependencies in licensed.gemspec
 gemspec

data/{LICENSE.txt → LICENSE}

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2015 GitHub, Inc. and contributors
+Copyright (c) 2015-2018 GitHub, Inc. and contributors
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

data/README.md

@@ -1,6 +1,12 @@
 # Licensed
 
-Licensed is a Ruby gem to cache and verify the licenses of dependencies.
+Licensed is a Ruby gem to cache the licenses of dependencies and check their status.
+
+Licensed is **not** a complete open source license compliance solution. Please understand the important [disclaimer](#disclaimer) below to make appropriate use of Licensed.
+
+## Current Status
+
+Licensed is in active development and currently used at GitHub.  See the [open issues](https://github.com/github/licensed/issues) for a list of potential work.
 
 ## Installation
 
@@ -12,27 +18,37 @@ gem 'licensed', :group => 'development'
 
 And then execute:
 
-    $ bundle
+```bash
+$ bundle
+```
+
+#### Dependencies
+
+Licensed uses the the `libgit2` bindings for Ruby provided by `rugged`. `rugged` has its own dependencies - `cmake` and `pkg-config` - which you may need to install before you can install Licensed.
+
+For example, on macOS with Homebrew: `brew install cmake pkg-config` and on Ubuntu: `apt-get install cmake pkg-config`.
 
 ## Usage
 
-- `licensed cache`: Cache licenses and metadata in `vendor/licenses`
+- `licensed list`: Output enumerated dependencies only.
 
-- `licensed verify`: Check for issues with the licenses of dependencies. For example:
+- `licensed cache`: Cache licenses and metadata.
+
+- `licensed status`: Check status of dependencies' cached licenses. For example:
 
 ```
-$ bundle exec licensed verify
-Verifying licenses for 3 dependencies
+$ bundle exec licensed status
+Checking licenses for 3 dependencies
 
 Warnings:
 
-vendor/licenses/rubygem/bundler.txt:
+.licenses/rubygem/bundler.txt:
   - license needs reviewed: mit.
 
-vendor/licenses/rubygem/licensee.txt:
-  - missing license data
+.licenses/rubygem/licensee.txt:
+  - cached license data missing
 
-vendor/licenses/bower/jquery.txt:
+.licenses/bower/jquery.txt:
   - license needs reviewed: mit.
   - cached license data out of date
 
@@ -41,94 +57,51 @@ vendor/licenses/bower/jquery.txt:
 
 ### Configuration
 
-Configuration is managed by `vendor/licenses/config.yml`.
+All commands accept a `-c|--config` option to specify a path to a configuration file or directory.
 
-```yml
-# Dependencies with these licenses are approved by default.
-whitelist:
-  - mit
-  - apache-2.0
-  - bsd-2-clause
-  - bsd-3-clause
-  - cc0-1.0
-
-# These dependencies are explicitly ignored.
-ignored:
-  rubygem:
-    - some-internal-gem
-
-  bower:
-    - some-internal-package
-
-# These dependencies have been reviewed.
-reviewed:
-  rubygem:
-    - bcrypt-ruby
-
-  bower:
-  - classlist # public domain
-  - octicons
-```
+If a directory is specified, `licensed` will look in that directory for a file named (in order of preference):
+1. `.licensed.yml`
+2. `.licensed.yaml`
+3. `.licensed.json`
+
+If the option is not specified, the value will be set to the current directory.
+
+See the [configuration file documentation](./docs/configuration.md) for more details on the configuration format.
 
 ### Sources
 
 Dependencies will be automatically detected for
-1. Bundler (rubygem)
-2. NPM
-3. Bower
-4. HaskellStack
-5. Cabal
-6. Go
-7. Manifest lists
+1. [Bower](./docs/sources/bower.md)
+2. [Bundler (rubygem)](./docs/sources/bundler.md)
+3. [Cabal](./docs/sources/cabal.md)
+4. [Go](./docs/sources/go.md)
+5. [Manifest lists](./docs/sources/manifests.md)
+6. [NPM](./docs/sources/npm.md)
 
-You can disable any of them in `vendor/licenses/config.yml`:
+You can disable any of them in the configuration file:
 
 ```yml
 sources:
   rubygem: false
   npm: false
   bower: false
-  stack: false
-```
-
-#### Special Considerations for Sources
-##### rubygem
-The rubygem source will explicitly exclude gems in the `:development` and `:test` groups.  Be aware that if you have a local
-bundler configuration (e.g. `.bundle`), that configuration will be respected as well.  For example, if you have a local
-configuration set for `without: [':server']`, the rubygem source will exclude all gems in the `:server` group.
-
-##### cabal
-Cabal sourced dependencies are found exclusively through `ghc-pkg`. `licensed` makes no assumptions on where `ghc` package dbs are found.
-As a result, it is up to the caller to set `GHC_PACKAGE_PATHS` to all package db directories prior to calling into `licensed`.
-
-##### manifests
-Manifests are intended to be a stopgap if no package managers are available.  The manifest is a JSON file that should be placed in
-the same directory as `config.yml` and should have the following format
-```JSON
-{
-  "file1": "package1",
-  "path/to/file2": "package1",
-  "other/file3": "package2"
-}
+  cabal: false
 ```
-Paths to files are expected to be relative to the git repository root.  Package names will match 1:1 with metadata files at `<licenses directory>/manifest/*.txt`.
-
-It is the responsibility of the repository owner to maintain the manifest file.
 
 ## Development
 
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+After checking out the repo, run `script/bootstrap` to install dependencies. Then, run `script/cibuild` to run the tests. You can also run `script/console` for an interactive prompt that will allow you to experiment.
 
 To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 
 #### Adding sources
 
-When adding new dependency sources, ensure that `bin/setup` scripting and tests are only run if the required tooling is available on the development machine.
+When adding new dependency sources, ensure that `script/bootstrap` scripting and tests are only run if the required tooling is available on the development machine.
 
-* See `bin/setup` for examples of gating scripting based on whether tooling executables are found.
-* Use `tool_available?` when writing test files to gate running a test suite when tooling executables aren't available.
+* See `script/bootstrap` for examples of gating scripting based on whether tooling executables are found.
+* Use `Licensed::Shell.tool_available?` when writing test files to gate running a test suite when tooling executables aren't available.
 ```ruby
-if tool_available?('bundle')
+if Licensed::Shell.tool_available?('bundle')
   describe Licensed::Source::Bundler do
     ...
   end
@@ -137,7 +110,13 @@ end
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/github/licensed. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org/) code of conduct.
+Bug reports and pull requests are welcome on GitHub at https://github.com/github/licensed. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org/) code of conduct.  See [CONTRIBUTING](CONTRIBUTING.md) for more details.
+
+## Disclaimer
+
+Licensed is **not** a complete open source license compliance solution. Like any bug, licensing issues are far cheaper to fix if found early. Licensed is intended to provide automation around documenting the licenses of dependencies and whether they  are configured to be allowed by a user of licensed, in other words, to surface the most obvious licensing issues early.
+
+Licensed is not a substitute for human review of each dependency for licensing or any other issues. It is not the goal of Licensed or GitHub, Inc. to provide legal advice about licensing or any other issues. If you have any questions regarding licensing compliance for your code or any other legal issues relating to it, it’s up to you to do further research or consult with a professional.
 
 ## License
 

data/Rakefile

@@ -1,10 +1,11 @@
+# frozen_string_literal: true
 require "bundler/gem_tasks"
 require "rake/testtask"
 
 Rake::TestTask.new(:test) do |t|
   t.libs << "test"
   t.libs << "lib"
-  t.test_files = FileList['test/**/*_test.rb']
+  t.test_files = FileList["test/**/*_test.rb"]
 end
 
-task :default => :test
+task default: :test

data/docs/configuration.md

@@ -0,0 +1,131 @@
+# Configuration file
+
+A configuration file specifies the details of enumerating and operating on license metadata for apps.
+
+Configuration can be specified in either YML or JSON formats.  Examples below are given in YML.
+
+## Applications
+
+What is an "app"?  In the context of `licensed`, an app is a combination of a source path and a cache path.
+
+Configuration can be set up for single or multiple applications in the same repo.  There are a number of settings available for each app:
+```yml
+# If not set, defaults to the directory name of `source_path`
+name: 'My application'
+
+# Path is relative to git repository root
+# If not set, defaults to '.licenses'
+cache_path: 'relative/path/to/cache'
+
+# Path is relative to git repository root and specifies the working directory when enumerating dependencies
+# Optional for single app configuration, required when specifying multiple apps
+# Defaults to current directory when running `licensed`
+source_path: 'relative/path/to/source'
+
+# Sources of metadata
+# All sources will attempt to run unless explicitly disabled
+sources:
+  - bower: true
+  - rubygem: false
+
+# Dependencies with these licenses are allowed by default.
+allowed:
+  - mit
+  - apache-2.0
+  - bsd-2-clause
+  - bsd-3-clause
+  - cc0-1.0
+
+# These dependencies are explicitly ignored.
+ignored:
+  rubygem:
+    - some-internal-gem
+
+  bower:
+    - some-internal-package
+
+# These dependencies have been reviewed.
+reviewed:
+  rubygem:
+    - bcrypt-ruby
+
+  bower:
+  - classlist # public domain
+  - octicons
+```
+
+### Specifying a single app
+To specify a single app, either include a single app with `source_path` in the `apps` configuration, or remove the `apps` setting entirely.
+
+If the configuration does not contain an `apps` value, the root configuration will be used as an app definition.  In this scenario, the `source_path` is not a required value and will default to the directory that `licensed` was executed from.
+
+If the configuration contains an `apps` value with a single app configuration, `source_path` must be specified.  Additionally, the applications inherited `cache_path` value will contain the application name.  See [Inherited cache_path values](#inherited_cache_path_values)
+
+### Specifying multiple apps
+The configuration file can specify multiple source paths to enumerate metadata, each with their own configuration.
+
+Nearly all configuration settings can be inherited from root configuration to app configuration.  Only `source_path` is required to define an app.
+
+Here are some examples:
+
+#### Inheriting configuration
+```yml
+sources:
+  - go: true
+  - rubygem: false
+
+ignored:
+  rubygem:
+    - some-internal-gem
+
+reviewed:
+  rubygem:
+    - bcrypt-ruby
+
+cache_path: 'path/to/cache'
+apps:
+  - source_path: 'path/to/app1'
+  - source_path: 'path/to/app2'
+    sources:
+      - rubygem: true
+      - go: false
+```
+
+In this example, two apps have been declared.  The first app, with `source_path` `path/to/app1`, inherits all configuration settings from the root configuration.  The second app, with `source_path` `path/to/app2`, overrides the `sources` configuration and inherits all other settings.
+
+#### Default app names
+An app will not inherit a name set from the root configuration.  If not provided, the `name` value will default to the directory name from `source_path`.
+```yml
+apps:
+  - source_path: 'path/to/app1'
+  - source_path: 'path/to/app2'
+```
+
+In this example, the apps have names of `app1` and `app2`, respectively.
+
+#### Inherited cache_path values
+When an app inherits a `cache_path` from the root configuration, it will automatically append it's name to the end of the path to separate it's metadata from other apps.  To force multiple apps to use the same path to cached metadata, explicitly set the `cache_path` value for each app.
+```yml
+cache_path: 'path/to/cache'
+apps:
+  - source_path: 'path/to/app1'
+    name: 'app1'
+  - source_path: 'path/to/app2'
+    name: 'app2'
+  - source_path: 'path/to/app3'
+    name: 'app3'
+    cache_path: 'path/to/app3/cache'
+```
+
+In this example `app1` and `app2` have `cache_path` values of `path/to/cache/app1` and `path/to/cache/app2`, respectively.  `app3` has an explicit path set to `path/to/app3/cache`
+
+```yml
+apps:
+  - source_path: 'path/to/app1'
+```
+
+In this example, the root configuration will contain a default cache path of `.licenses`.  `app1` will inherit this value and append it's name, resulting in a cache path of `.licenses/app1`.
+
+## Source specific configuration
+
+See the [source documentation](./sources) for details on any source specific configuration.