licensed 1.5.2 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 87be3d9de274a4f66698f8880f5c858c2733c35f
-  data.tar.gz: eb8125c0b348a042e814bf72732e1fbdce0e4426
+  metadata.gz: cd572795c842f263e5fc3c180b1bf716404b9021
+  data.tar.gz: '094c5d5227704cbac518df12e20b05456a4bba03'
 SHA512:
-  metadata.gz: 53376c057796cd662142d49b5122101d70d6ffc759f945d2da2d26ef0c72f403e5b07a92c8d367aecfcd1f0efa4706a893035d6f9671cb3bddaa948707b05b1b
-  data.tar.gz: ceff661d0fdfda3bfb0920cf246cce9220a13c7675e1547b8be6c3ae8d9f29bb2e78e5541e56c3af3d388a16b5944adb11324e6191afb19d9c9cf95c8aa7086f
+  metadata.gz: be757c8f540285eaa610799963f184522e923c14bdb54d6250709511a13e6f08d3cac1da1e72b5d625687a5b0b4b874cfab50f8589ad3614cf2673a8b1781766
+  data.tar.gz: 836885af14623a25feb9ebaf8a697a9c7878bd9bc839615c4dc5e685f913059ddeb93b122b9b7ba19a2419965b2a8009c2d6f8594cbafcba922f2259505d1a72

data/.gitignore

@@ -23,6 +23,8 @@ test/fixtures/cabal/*
 !test/fixtures/cabal/app*
 test/fixtures/git_submodule/*
 !test/fixtures/git_submodule/README
+test/fixtures/pip/venv
+!test/fixtures/migrations/**/*
 
 vendor/licenses
 .licenses

data/CHANGELOG.md

@@ -6,6 +6,27 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## 2.0.0 - 2019-02-09
+
+**This is a major release and includes breaking changes to the configuration and cached record file formats**
+
+### Added
+- New `migrate` command to automatically update configuration and cached record file formats
+- New extensible reporting infrastructure
+- New base command and source classes to abstract away implementation details
+
+### Changes
+- Cached dependency metadata files are now stored entirely as YAML, with `.dep.yml` extension
+- The Bundler dependency source is now identified in configuration files and output as `bundler` instead of `rubygem`
+- Refactored sources for better consistency between classes
+- Refactored commands for better consistency between classes
+- Command outputs have changed for better consistency
+- Updated Dependency classes for better integration with `licensee`
+
+### Fixed
+- Licensed no longer exits on errors when evaluating dependency sources or finding dependencies
+- The Bundler dependency source correctly finds the `bundler` gem as a dependency in more cases
+
 ## 1.5.2 - 2018-12-27
 
 ### Changes
@@ -112,4 +133,4 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 Initial release :tada:
 
-[Unreleased]: https://github.com/github/licensed/compare/1.5.2...HEAD
+[Unreleased]: https://github.com/github/licensed/compare/2.0.0...HEAD

data/CONTRIBUTING.md

@@ -13,8 +13,8 @@ Please note that this project is released with a [Contributor Code of Conduct][c
 
 0. [Fork][fork] and clone the repository
 0. Configure and install the dependencies: `script/bootstrap`
-0. Setup test fixtures: `rake setup`
-0. Make sure the tests pass on your machine: `rake test`
+0. Setup test fixtures: `bundle exec rake setup`
+0. Make sure the tests pass on your machine: `bundle exec rake test`
 0. Create a new branch: `git checkout -b my-branch-name`
 0. Make your change, add tests, and make sure the tests still pass
 0. Push to your fork and [submit a pull request][pr]

data/README.md

@@ -12,6 +12,13 @@ Licensed is **not** a complete open source license compliance solution. Please u
 
 Licensed is in active development and currently used at GitHub.  See the [open issues](https://github.com/github/licensed/issues) for a list of potential work.
 
+## Licensed v2
+
+Licensed v2 includes many internal changes intended to make licensed more extensible and easier to update in the future.  While not too much has changed externally, v2 is incompatible with configuration files and cached records from previous versions.  Fortunately, migrating is easy using the `licensed migrate` command.
+
+See [CHANGELOG.md](./CHANGELOG.md) for more details on whats changed.
+See the [migration documentation](./docs/migrating_to_newer_versions.md) for more info on migrating to v2, or run `licensed help migrate`.
+
 ## Installation
 
 ### With a Gemfile
@@ -50,32 +57,12 @@ For example, on macOS with Homebrew: `brew install cmake pkg-config` and on Ubun
 ## Usage
 
 - `licensed list`: Output enumerated dependencies only.
-
 - `licensed cache`: Cache licenses and metadata.
-
 - `licensed status`: Check status of dependencies' cached licenses. For example:
-
-```
-$ bundle exec licensed status
-Checking licenses for 3 dependencies
-
-Warnings:
-
-.licenses/rubygem/bundler.txt:
-  - license needs reviewed: mit.
-
-.licenses/rubygem/licensee.txt:
-  - cached license data missing
-
-.licenses/bower/jquery.txt:
-  - license needs reviewed: mit.
-  - cached license data out of date
-
-3 dependencies checked, 3 warnings found.
-```
-
 - `licensed version`: Show current installed version of Licensed. Aliases: `-v|--version`
 
+See the [commands documentation](./docs/commands.md) for additional documentation, or run `licensed -h` to see all of the current available commands.
+
 ### Configuration
 
 All commands, except `version`, accept a `-c|--config` option to specify a path to a configuration file or directory.
@@ -93,7 +80,7 @@ See the [configuration file documentation](./docs/configuration.md) for more det
 
 Dependencies will be automatically detected for all of the following sources by default.
 1. [Bower (bower)](./docs/sources/bower.md)
-2. [Bundler (rubygem)](./docs/sources/bundler.md)
+2. [Bundler](./docs/sources/bundler.md)
 3. [Cabal (cabal)](./docs/sources/cabal.md)
 4. [Go (go)](./docs/sources/go.md)
 5. [Go Dep (dep)](./docs/sources/dep.md)
@@ -106,7 +93,7 @@ You can disable any of them in the configuration file:
 
 ```yml
 sources:
-  rubygem: false
+  bundler: false
   npm: false
   bower: false
   cabal: false
@@ -138,6 +125,12 @@ if Licensed::Shell.tool_available?('bundle')
 end
 ```
 
+See the [documentation on adding new sources](./docs/adding_a_new_source.md) for more information.
+
+#### Adding Commands
+
+See the [documentation on commands](./docs/commands.md) for information about adding a new CLI command.
+
 ## Contributing
 
 Bug reports and pull requests are welcome on GitHub at https://github.com/github/licensed. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org/) code of conduct.  See [CONTRIBUTING](CONTRIBUTING.md) for more details.

data/Rakefile

@@ -27,7 +27,7 @@ task :setup, [:arguments] do |task, args|
   end
 end
 
-sources_search = File.expand_path("lib/licensed/source/*.rb", __dir__)
+sources_search = File.expand_path("lib/licensed/sources/*.rb", __dir__)
 sources = Dir[sources_search].map { |f| File.basename(f, ".*") }
 
 namespace :test do
@@ -47,7 +47,7 @@ namespace :test do
 
       # use negative lookahead to exclude all source tests except
       # the tests for `source`
-      t.test_files = FileList["test/**/*_test.rb"].exclude(/test\/source\/(?!#{source}).*?_test.rb/,
+      t.test_files = FileList["test/**/*_test.rb"].exclude(/test\/sources\/(?!#{source}).*?_test.rb/,
                                                            "test/fixtures/**/*_test.rb")
     end
   end

data/docs/adding_a_new_source.md

@@ -0,0 +1,93 @@
+# Adding a new source dependency enumerator
+
+## Implement new `Source` class
+
+Dependency enumerators inherit and override the [`Licensed::Sources::Source`](../lib/licensed/sources/source.rb) class.
+
+#### Required method overrides
+1. `Licensed::Sources::Source#enabled?`
+   - Returns whether dependencies can be enumerated in the current environment.
+2. `Licensed::Sources::Source#enumerate_dependencies`
+   - Returns an enumeration of `Licensed::Dependency` objects found which map to the dependencies of the current project.
+
+#### Optional method overrides
+1. `Licensed::Sources::Source.type`
+   - Returns the name of the current dependency enumerator as it is found in a licensed configuration file.
+
+## Determining if dependencies should be enumerated
+
+This section covers the `Licensed::Sources::Source#enabled?` method.  This method should return a truthy/falsey value indicating
+whether `Licensed::Source::Sources#enumerate_dependencies` should be called on the current dependency source object.
+
+Determining whether dependencies should be enumerated depends on whether all the tools or files needed to find dependencies are present.
+For example, to enumerate `npm` dependencies the `npm` CLI tool must be found with `Licensed::Shell.tool_available?` and a `package.json` file needs to exist in the licensed app's configured [`source_path`](./configuration.md#configuration-paths).
+
+#### Gating functionality when required tools are not available.
+
+When adding new dependency sources, ensure that `script/bootstrap` scripting and tests are only run if the required tooling is available on the development machine.
+
+* See `script/bootstrap` for examples of gating scripting based on whether tooling executables are found.
+* Use `Licensed::Shell.tool_available?` when writing test files to gate running a test suite when tooling executables aren't available.
+```ruby
+if Licensed::Shell.tool_available?('bundle')
+  describe Licensed::Source::Bundler do
+    ...
+  end
+end
+```
+
+## Enumerating dependencies
+
+This section covers the `Licensed::Sources::Source#enumerate_dependencies` method.  This method should return an enumeration of
+`Licensed::Dependency` objects.
+
+Enumerating dependencies will require some knowledge of the package manager, language or framework that manages the dependencies.
+
+Relying on external tools always has a risk that the tool could change.  It's generally preferred to not rely on package manager files
+or other implementation details as these could change over time.  CLI tools that provides the necessary information are generally preferred
+as they will more likely have requirements for backwards compatibility.
+
+#### Creating dependency objects
+
+Creating a new `Licensed::Dependency` object requires name, version, and path arguments.  Dependency objects optionally accept a path to use as search root when finding licenses along with any other metadata that is useful to identify the dependency.
+
+##### `Licensed::Dependency` arguments
+
+1. name (required)
+   - The name of the dependency. Together with the version, this should uniquely identify the dependency.
+2. version (required)
+   - The current version of the dependency, used to determine when a dependency has changed. Together with the name, this should uniquely identify the dependency.
+3. path (required)
+   - A path used by [`Licensee`](https://github.com/benbalter/licensee) to find dependency license content.  Can be either a folder or a file.
+4. search_root (optional)
+   - The root of the directory hierarchy to search for a license file.
+5. metadata (optional)
+   - Any additional metadata that would be useful in identifying the dependency.
+   - suggested metadata
+      1. summary
+         - A short description of the dependencies purpose.
+      2. homepage
+         - The dependency's homepage.
+6. errors (optional)
+  - Any errors found when loading dependency information.
+
+#### Finding licenses
+
+In some cases, license content will be in a parent directory of the specified location.  For instance, this can happen with Golang packages
+that share a license file, e.g. `github.com/go/pkg/1` and `github.com/go/pkg/2` might share a license at `github.com/go/pkg`.  In this case, create a `Licensed::Dependency` with the optional `search_root` property, which denotes the root of the directory hierarchy that should be searched.  Directories will be examined in order from the given license location to the `search_root` location to prefer license files with more specificity, i.e. `github.com/go/pkg/1` will be searched before `github.com/go/pkg`.
+
+#### Handling errors when enumerating dependencies
+
+External tools have their own error handling which, if left unhandled, can cause dependency enumeration as a whole to fail either for an individual dependency source or for licensed as a whole.  These errors should be gracefully handled to allow for the best possible user experience.
+
+##### Handling errors related to a specific dependency
+
+`Licensed::Dependency#initialize` will already set errors related to `nil` or empty `path:` arguments, as well as paths that don't exist.  Additional errors can be set to a dependency using the `errors:` argument, e.g. `Licensed::Dependency.new(errors: ["error"])`.
+
+When a dependency contains errors, all errors will be reported to the user and `Licensed::Command::Command#evaluate_dependency` will be not be called.
+
+##### Handling errors related to source evaluation
+
+When an error occurs related to a specific source, raise a `Licensed::Sources::Source::Error` with an informative message.  The error will be caught and reported to the user, and further evaluation of the source will be halted.
+
+As an example, this could be useful if a source is enabled but incorrectly configured.

data/docs/commands.md

@@ -0,0 +1,81 @@
+# Commands
+
+Run `licensed -h` to see help content for running licensed commands.
+
+## `list`
+
+Running the list command finds the dependencies for all sources in all configured applications.  No additional actions are taken on each dependency.
+
+## `cache`
+
+The cache command finds all dependencies and ensures that each dependency has an up-to-date cached record.
+
+Dependency records will be saved if:
+1. The `force` option is set
+2. No cached record is found
+3. The cached record's version is different than the current dependency's version
+   - If the cached record's license text contents matches the current dependency's license text then the `license` metadata from the cached record is retained for the new saved record.
+
+After the cache command is run, any cached records that don't match up to a current application dependency will be deleted.
+
+## `status`
+
+The status command finds all dependencies and checks whether each dependency has a valid cached record.
+
+A dependency will fail the status checks if:
+1. No cached record is found
+2. The cached record's version is different than the current dependency's version
+3. The cached record doesn't contain any license text
+4. The cached record's `license` metadata doesn't match an `allowed` license from the dependency's application configuration.
+
+## `version`
+
+Displays the current licensed version.
+
+# Adding a new command
+
+## Implement new `Command` class
+
+Licensed commands inherit and override the [`Licensed::Sources::Command`](../lib/licensed/commands/command.rb) class.
+
+#### Required method overrides
+1. `Licensed::Commands::Command#evaluate_dependency`
+   - Runs a command execution on an application dependency.
+   
+The `evaluate_dependency` method should contain the specific command logic.  This method has access to the application configuration, dependency source enumerator and dependency currently being evaluated as well as a reporting hash to contain information about the command execution.
+
+#### Optional method overrides
+
+The following methods break apart the different levels of command execution.  Each method wraps lower levels of command execution in a corresponding reporter method.
+
+1. `Licensed::Commands::Command#run`
+   - Runs `run_app` for each application configuration found.  Wraps the execution of all applications in `Reporter#report_run`.
+2. `Licensed::Commands::Command#run_app`
+   - Runs `run_source` for each dependency source enumerator enabled for the application configuration.  Wraps the execution of all sources in `Reporter#report_app`.
+3. `Licensed::Commands::Command#run_source`
+   - Runs `run_dependency` for each dependency found in the source.  Wraps the execution of all dependencies in `Reporter#report_source`.
+4. `Licensed::Commands::Command#run_dependency`
+   - Runs `evaluate_dependency` for the dependency.  Wraps the execution of all dependencies in `Reporter#report_dependency`.
+
+As an example, `Licensed::Commands::Command#run_app` calls `Reporter#report_app` to wrap every call to `Licensed::Commands::Command#run_source`.
+
+##### Overriding optional methods
+
+The `run` methods can be overridden to provide additional reporting data or functionality.  Overriding a method should call the original method with a block for the additional logic.
+
+```ruby
+def run_app(app)
+  super do |report|
+    result = yield report
+    
+    # do other thing
+    call_additional_functionality(app)
+    
+    # add reporting information
+    report["result"] = result
+    
+    # return the result
+    result
+  end
+end
+```

data/docs/configuration.md

@@ -32,7 +32,7 @@ it may still determine that it can't enumerate dependencies for a project.
 ```yml
 sources:
   bower: true
-  rubygem: false
+  bundler: false
 ```
 
 `licensed` determines which sources will try to enumerate dependencies based on the following rules:
@@ -76,7 +76,7 @@ source_path: 'relative/path/to/source'
 # Sources of metadata
 sources:
   bower: true
-  rubygem: false
+  bundler: false
 
 # Dependencies with these licenses are allowed by default.
 allowed:
@@ -88,7 +88,7 @@ allowed:
 
 # These dependencies are explicitly ignored.
 ignored:
-  rubygem:
+  bundler:
     - some-internal-gem
 
   bower:
@@ -96,7 +96,7 @@ ignored:
 
 # These dependencies have been reviewed.
 reviewed:
-  rubygem:
+  bundler:
     - bcrypt-ruby
 
   bower:
@@ -122,14 +122,14 @@ Here are some examples:
 ```yml
 sources:
   go: true
-  rubygem: false
+  bundler: false
 
 ignored:
-  rubygem:
+  bundler:
     - some-internal-gem
 
 reviewed:
-  rubygem:
+  bundler:
     - bcrypt-ruby
 
 cache_path: 'path/to/cache'
@@ -137,7 +137,7 @@ apps:
   - source_path: 'path/to/app1'
   - source_path: 'path/to/app2'
     sources:
-      rubygem: true
+      bundler: true
       go: false
 ```
 

data/docs/migrating_to_newer_versions.md

@@ -0,0 +1,3 @@
+# Migrating your licensed configuration and cached records to the latest version of licensed
+
+Licensed v2+ ships with an additional executable, `licensed-migrator`, that can be used to update your licensed files to the format expected by the currently installed version.  To run, execute `licensed migrate --from v1 -c <path to licensed configuration file>`, replacing `v1` with the major version of licensed to migrate from.

data/docs/reporters.md

@@ -0,0 +1,174 @@
+# Licensed Command Reporters
+
+Reporters are responsible for providing feedback for a command execution.  They have
+access points for each level of data encountered when executing a command.
+```
+command run
+|
+| - app
+    |
+    | - source
+        |
+        | - dependency
+```
+
+## Reporters
+
+### Cache reporter
+
+This reporter presents the results of running a cache command in a human-readable format.
+It outputs the name for each app configuration and dependency source, as well
+as showing whether a dependency was cached or if a cached record was found and reused.
+
+example output
+```
+Caching dependency records for licensed
+  bundler
+    Caching licensee (9.11.0)
+    Caching thor (0.20.3)
+    Caching pathname-common_prefix (0.0.1)
+    Caching tomlrb (1.2.8)
+    Caching bundler (1.16.3)
+    Caching dotenv (2.6.0)
+    Caching octokit (4.8.0)
+    Caching rugged (0.27.7)
+    Caching sawyer (0.8.1)
+    Caching addressable (2.5.2)
+    Caching faraday (0.15.4)
+    Caching public_suffix (3.0.3)
+    Caching multipart-post (2.0.0)
+  * 13 bundler dependencies
+```
+
+### List reporter
+
+This reporter presents the results of running a list command in a human-readable format.
+It outputs the name for each app configuration and dependency source, as well
+the name and version of each dependency found.
+
+example output
+```
+Listing dependencies for licensed
+  bundler
+    addressable (2.5.2)
+    bundler (1.16.3)
+    dotenv (2.6.0)
+    faraday (0.15.4)
+    licensee (9.11.0)
+    multipart-post (2.0.0)
+    octokit (4.8.0)
+    pathname-common_prefix (0.0.1)
+    public_suffix (3.0.3)
+    rugged (0.27.7)
+    sawyer (0.8.1)
+    thor (0.20.3)
+    tomlrb (1.2.8)
+  * 13 bundler dependencies
+```
+
+### Status reporter
+
+This reporter presents the results of running a status command in a human-readable format.
+It outputs the name for each app configuration and dependency source, as well
+as whether each cached dependency record has any errors using a dot format.
+All errors found are displayed as well.
+
+example output
+```
+Checking cached dependency records for licensed
+..F.F....F...
+
+Errors:
+
+* bundler.pathname-common_prefix
+  filename: /Users/jonabc/github/licensed/.licenses/bundler/pathname-common_prefix.dep.yml
+    - license needs review: other
+
+* bundler.bundler
+  filename: /Users/jonabc/github/licensed/.licenses/bundler/bundler.dep.yml
+    - cached dependency record not found  
+
+* bundler.addressable
+  filename: /Users/jonabc/github/licensed/.licenses/bundler/addressable.dep.yml
+    - license needs review: apache-2.0
+```
+
+## Creating a new reporter
+
+For examples of reporters, please see [`lib/licensed/reporters`](../lib/licensed/reporters).
+
+All reporters should inherit from `Licensed::Reporters::Reporter` and override
+each reporting method needed to return the appropriate data.
+
+The following reporting points are available to give context or results from different scopes:
+1. `#report_run` - reporting on a command execution
+2. `#report_app(app)` - reporting on an application configuration
+3. `#report_source(source)` - reporting on a dependency source enumerator
+4. `#report_dependency(dependency)` - reporting on an individual dependency
+
+Each method expects the caller to provide a block to execute for that reporting scope.
+The block will be given a `report` hash object that the caller can use to provide any additional
+details about the operations done in the reporting scope.
+
+For example, the cache command lets the reporter know whether a dependency record
+was cached or reused by setting a `cached` report value
+```ruby
+reporter.report_dependency(dependency) do |report|
+  cached_record = Licensed::DependencyRecord.read(filename)
+  report["cached"] = force || save_dependency_record?(dependency, cached_record)
+  ...
+end
+```
+
+When implementing each reporting method, defining a new nested block gives flexibility
+to display messages both before and after the scope execution.
+
+For example, a reporter can show header and footer content to a source scope with
+```ruby
+super do |report|
+  shell.info "  dependencies:"
+  result yield report
+  shell.confirm "  * #{report.size} dependencies"
+  ...
+  result
+end
+```
+
+Reporting methods should also return the result of the yielded block as seen above,
+in order to allow transparent data returns through reporting blocks.
+
+### Data reports
+
+Report hashes are nested and available to higher scopes. As an example, when a
+`report_source` block has finished, the source scope's `report` hash will
+contain all of the dependency reports that were obtained during the `report_source` block.
+
+Reports are keyed by:
+- `app`: `app["name"]`
+- `source`: `source.class.type`
+- `dependency`: `dependency.name`
+
+When a `report_run` yielded block finishes, its `report` object will contain all app reports.
+Each of those app reports in turn contain each of their source's reports, and so on.
+This is particularly useful if a reporter should need to review the entire execution
+of a command.
+
+For this reason though, **reporting methods MUST be used in order**.
+
+This is valid
+```ruby
+report_run do
+  report_app(app) do
+    report_source(source) do
+      report_dependency(dependency) { }
+    end
+  end
+end
+```
+
+This is not valid
+```ruby
+report_run do
+  report_dependency(dependency) { }
+end
+```