licensed 2.9.2 → 2.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 5d614629bc40a6943d7559bac1b1eb070ea69edb
-  data.tar.gz: 4ee2fcae1f10b35ee656f8525318d22784ae7641
+SHA256:
+  metadata.gz: 8b47685dba77cc47406dfa9aa2dd805c5f4a1746ea547a5b34c39a6d2ec47dcf
+  data.tar.gz: 0eef1add309449ee2f00a33831d780cf6250990bb74be08077cf786ab28996a2
 SHA512:
-  metadata.gz: 62e67b0b4659935131e62f340ca85d922313b30683ef9ad4993d1ee27948429a136a12c2b3749969ea1cddcedcd7d1d9a071c64118f68f1bcbb349e05c4e5521
-  data.tar.gz: 693472a314b0393705cb11da11ee801e48f705dbd3a58cd1f7900e662e1925882abdf4a2a7e6bca54076dcf409bf86d6e8f23e22e1dec4691a8b41bf3e36e003
+  metadata.gz: e01ca0150f1690ade72d0c95743d435af9796269d6b3a51496d39b5e98c186dc0cf78dd824f565c7070dc75e8a85e5af0aad21c8382b92b1578bd09edbe89dd3
+  data.tar.gz: 0d00ed4c4b0596f96cb2ec77972fe36352bc17a84ee7043b5c3d002db9d9b2f15c9ddf87a2b67ebf36b99eb8dc8b02b4a917e68f9d83d2d42457bb26ee3a5314

data/.github/workflows/release.yml

@@ -14,7 +14,7 @@ jobs:
     needs: tag_filter
 
     steps:
-    - uses: actions/checkout@master
+    - uses: actions/checkout@v2
     - name: Set up Ruby 2.6
       uses: actions/setup-ruby@v1
       with:
@@ -25,7 +25,7 @@ jobs:
       env:
         VERSION: ${{github.event.ref}}
 
-    - uses: actions/upload-artifact@master
+    - uses: actions/upload-artifact@v2
       with:
         name: ${{github.event.ref}}-linux
         path: pkg/${{github.event.ref}}/licensed-${{github.event.ref}}-linux-x64.tar.gz
@@ -35,7 +35,7 @@ jobs:
     needs: tag_filter
 
     steps:
-    - uses: actions/checkout@master
+    - uses: actions/checkout@v2
     - name: Set up Ruby 2.6
       uses: actions/setup-ruby@v1
       with:
@@ -46,7 +46,7 @@ jobs:
       env:
         VERSION: ${{github.event.ref}}
 
-    - uses: actions/upload-artifact@master
+    - uses: actions/upload-artifact@v2
       with:
         name: ${{github.event.ref}}-darwin
         path: pkg/${{github.event.ref}}/licensed-${{github.event.ref}}-darwin-x64.tar.gz
@@ -56,7 +56,7 @@ jobs:
     needs: tag_filter
 
     steps:
-    - uses: actions/checkout@master
+    - uses: actions/checkout@v2
     - name: Set up Ruby 2.6
       uses: actions/setup-ruby@v1
       with:
@@ -65,7 +65,7 @@ jobs:
     - name: Build gem
       run: gem build *.gemspec
 
-    - uses: actions/upload-artifact@master
+    - uses: actions/upload-artifact@v2
       with:
         name: ${{github.event.ref}}-gem
         path: licensed-${{github.event.ref}}.gem
@@ -74,7 +74,6 @@ jobs:
     runs-on: ubuntu-latest
     needs: [package_linux, package_mac, build_gem]
     steps:
-    - uses: actions/checkout@master
     - uses: Roang-zero1/github-create-release-action@v1.0.2
       env:
         GITHUB_TOKEN: ${{ secrets.API_AUTH_TOKEN }}
@@ -91,24 +90,24 @@ jobs:
         ruby-version: 2.6.x
 
     - name: Download linux package
-      uses: actions/download-artifact@master
+      uses: actions/download-artifact@v2
       with:
         name: ${{github.event.ref}}-linux
 
     - name: Download macOS package
-      uses: actions/download-artifact@master
+      uses: actions/download-artifact@v2
       with:
         name: ${{github.event.ref}}-darwin
 
     - name: Download gem
-      uses: actions/download-artifact@master
+      uses: actions/download-artifact@v2
       with:
         name: ${{github.event.ref}}-gem
 
     - name: Publish packages to GitHub Release
       uses: Roang-zero1/github-upload-release-artifacts-action@v2.0.0
       with:
-        args: ${{github.event.ref}}-linux ${{github.event.ref}}-darwin
+        args: licensed-${{github.event.ref}}-linux-x64.tar.gz licensed-${{github.event.ref}}-darwin-x64.tar.gz
       env:
         GITHUB_TOKEN: ${{secrets.API_AUTH_TOKEN}}
 
@@ -121,4 +120,4 @@ jobs:
         gem push $GEM
       env:
         GEM_HOST_API_KEY: ${{secrets.RUBYGEMS_AUTH_TOKEN}}
-        GEM: ${{github.event.ref}}-gem/*.gem
+        GEM: licensed-${{github.event.ref}}.gem

data/.github/workflows/test.yml

@@ -1,17 +1,12 @@
 name: Test
 
-on:
-  push:
-    branches:
-    - "*"
-    tags:
-    - "!*"
+on: pull_request
 
 jobs:
   bower:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@master
+    - uses: actions/checkout@v2
     - name: Setup node
       uses: actions/setup-node@v1
       with:
@@ -23,10 +18,10 @@ jobs:
       with:
         ruby-version: 2.6.x
     - run: bundle lock
-    - uses: actions/cache@preview
+    - uses: actions/cache@v1
       with:
         path: vendor/gems
-        key: ${{ runner.os }}-gem-2.6.x-${{ hashFiles(format('{0}{1}', github.workspace, '/Gemfile.lock')) }}
+        key: ${{ runner.os }}-gem-2.6.x-${{ hashFiles('**/Gemfile.lock') }}
     - name: Bootstrap
       run: script/bootstrap
     - name: Set up fixtures
@@ -40,7 +35,7 @@ jobs:
       matrix:
         bundler: [ '~> 1.15.0', '~> 1.16.0', '~> 1.17.0', '~> 2.0.0' ]
     steps:
-    - uses: actions/checkout@master
+    - uses: actions/checkout@v2
     - name: Set up Ruby
       uses: actions/setup-ruby@v1
       with:
@@ -50,10 +45,10 @@ jobs:
         yes | gem uninstall bundler --all
         gem install bundler -v "${{ matrix.bundler }}"
     - run: bundle lock
-    - uses: actions/cache@preview
+    - uses: actions/cache@v1
       with:
         path: vendor/gems
-        key: ${{ runner.os }}-gem-2.6.x-${{ hashFiles(format('{0}{1}', github.workspace, '/Gemfile.lock')) }}
+        key: ${{ runner.os }}-gem-2.6.x-${{ hashFiles('**/Gemfile.lock') }}
     - name: Bootstrap
       run: script/bootstrap
     - name: Set up fixtures
@@ -66,9 +61,9 @@ jobs:
     strategy:
       matrix:
         ghc: [ '8.2.2', '8.6.5' ]
-        cabal: [ '2.0', '3.0' ]
+        cabal: [ '2.2', '2.4', '3.0', 'latest' ]
     steps:
-    - uses: actions/checkout@master
+    - uses: actions/checkout@v2
     - name: Set up Ruby
       uses: actions/setup-ruby@v1
       with:
@@ -79,10 +74,10 @@ jobs:
         ghc-version: ${{ matrix.ghc }}
         cabal-version: ${{ matrix.cabal }}
     - run: bundle lock
-    - uses: actions/cache@preview
+    - uses: actions/cache@v1
       with:
         path: vendor/gems
-        key: ${{ runner.os }}-gem-2.6.x-${{ hashFiles(format('{0}{1}', github.workspace, '/Gemfile.lock')) }}
+        key: ${{ runner.os }}-gem-2.6.x-${{ hashFiles('**/Gemfile.lock') }}
     - name: Bootstrap
       run: script/bootstrap
     - name: Set up fixtures
@@ -96,7 +91,7 @@ jobs:
       matrix:
         php: [ '5.6', '7.1', '7.2', '7.3' ]
     steps:
-    - uses: actions/checkout@master
+    - uses: actions/checkout@v2
     - name: Setup php
       uses: nanasess/setup-php@v1.0.2
       with:
@@ -106,10 +101,10 @@ jobs:
       with:
         ruby-version: 2.6.x
     - run: bundle lock
-    - uses: actions/cache@preview
+    - uses: actions/cache@v1
       with:
         path: vendor/gems
-        key: ${{ runner.os }}-gem-2.6.x-${{ hashFiles(format('{0}{1}', github.workspace, '/Gemfile.lock')) }}
+        key: ${{ runner.os }}-gem-2.6.x-${{ hashFiles('**/Gemfile.lock') }}
     - name: Bootstrap
       run: script/bootstrap
     - name: Set up fixtures
@@ -123,7 +118,7 @@ jobs:
       matrix:
         ruby: [ 2.4.x, 2.5.x, 2.6.x ]
     steps:
-    - uses: actions/checkout@master
+    - uses: actions/checkout@v2
     - name: Set up Ruby
       uses: actions/setup-ruby@v1
       with:
@@ -131,10 +126,10 @@ jobs:
     - name: Set up Bundler
       run: gem install bundler
     - run: bundle lock
-    - uses: actions/cache@preview
+    - uses: actions/cache@v1
       with:
         path: vendor/gems
-        key: ${{ runner.os }}-gem-${{ matrix.ruby }}-${{ hashFiles(format('{0}{1}', github.workspace, '/Gemfile.lock')) }}
+        key: ${{ runner.os }}-gem-${{ matrix.ruby }}-${{ hashFiles('**/Gemfile.lock') }}
     - name: Bootstrap
       run: script/bootstrap
     - name: Build and lint
@@ -145,7 +140,7 @@ jobs:
   dep:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@master
+    - uses: actions/checkout@v2
     - name: Setup go
       uses: actions/setup-go@v1
       with:
@@ -155,10 +150,10 @@ jobs:
       with:
         ruby-version: 2.6.x
     - run: bundle lock
-    - uses: actions/cache@preview
+    - uses: actions/cache@v1
       with:
         path: vendor/gems
-        key: ${{ runner.os }}-gem-2.6.x-${{ hashFiles(format('{0}{1}', github.workspace, '/Gemfile.lock')) }}
+        key: ${{ runner.os }}-gem-2.6.x-${{ hashFiles('**/Gemfile.lock') }}
     - name: Bootstrap
       run: script/bootstrap
     - name: Set up fixtures
@@ -172,7 +167,7 @@ jobs:
       matrix:
         go: [ '1.7.x', '1.10.x', '1.11.x', '1.12.x', '1.13.x', '1.14.x' ]
     steps:
-    - uses: actions/checkout@master
+    - uses: actions/checkout@v2
     - name: Setup go
       uses: actions/setup-go@v1
       with:
@@ -182,10 +177,10 @@ jobs:
       with:
         ruby-version: 2.6.x
     - run: bundle lock
-    - uses: actions/cache@preview
+    - uses: actions/cache@v1
       with:
         path: vendor/gems
-        key: ${{ runner.os }}-gem-2.6.x-${{ hashFiles(format('{0}{1}', github.workspace, '/Gemfile.lock')) }}
+        key: ${{ runner.os }}-gem-2.6.x-${{ hashFiles('**/Gemfile.lock') }}
     - name: Bootstrap
       run: script/bootstrap
     - name: Set up fixtures
@@ -196,16 +191,16 @@ jobs:
   gradle:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@master
+    - uses: actions/checkout@v2
     - name: Set up Ruby
       uses: actions/setup-ruby@v1
       with:
         ruby-version: 2.6.x
     - run: bundle lock
-    - uses: actions/cache@preview
+    - uses: actions/cache@v1
       with:
         path: vendor/gems
-        key: ${{ runner.os }}-gem-2.6.x-${{ hashFiles(format('{0}{1}', github.workspace, '/Gemfile.lock')) }}
+        key: ${{ runner.os }}-gem-2.6.x-${{ hashFiles('**/Gemfile.lock') }}
     - name: Bootstrap
       run: script/bootstrap
     - name: Gradle version
@@ -216,16 +211,16 @@ jobs:
   manifest:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@master
+    - uses: actions/checkout@v2
     - name: Set up Ruby
       uses: actions/setup-ruby@v1
       with:
         ruby-version: 2.6.x
     - run: bundle lock
-    - uses: actions/cache@preview
+    - uses: actions/cache@v1
       with:
         path: vendor/gems
-        key: ${{ runner.os }}-gem-2.6.x-${{ hashFiles(format('{0}{1}', github.workspace, '/Gemfile.lock')) }}
+        key: ${{ runner.os }}-gem-2.6.x-${{ hashFiles('**/Gemfile.lock') }}
     - name: Bootstrap
       run: script/bootstrap
     - name: Run tests
@@ -238,7 +233,7 @@ jobs:
         otp: [21.x, 22.x]
         elixir: [1.8.x, 1.9.x]
     steps:
-    - uses: actions/checkout@master
+    - uses: actions/checkout@v2
     - uses: actions/setup-elixir@v1.0.0
       with:
         otp-version: ${{matrix.otp}}
@@ -248,10 +243,10 @@ jobs:
       with:
         ruby-version: 2.6.x
     - run: bundle lock
-    - uses: actions/cache@preview
+    - uses: actions/cache@v1
       with:
         path: vendor/gems
-        key: ${{ runner.os }}-gem-2.6.x-${{ hashFiles(format('{0}{1}', github.workspace, '/Gemfile.lock')) }}
+        key: ${{ runner.os }}-gem-2.6.x-${{ hashFiles('**/Gemfile.lock') }}
     - name: Bootstrap
       run: script/bootstrap
     - name: Set up fixtures
@@ -265,7 +260,7 @@ jobs:
       matrix:
         node_version: [ 8, 10, 12 ]
     steps:
-    - uses: actions/checkout@master
+    - uses: actions/checkout@v2
     - name: Setup node
       uses: actions/setup-node@v1
       with:
@@ -275,10 +270,10 @@ jobs:
       with:
         ruby-version: 2.6.x
     - run: bundle lock
-    - uses: actions/cache@preview
+    - uses: actions/cache@v1
       with:
         path: vendor/gems
-        key: ${{ runner.os }}-gem-2.6.x-${{ hashFiles(format('{0}{1}', github.workspace, '/Gemfile.lock')) }}
+        key: ${{ runner.os }}-gem-2.6.x-${{ hashFiles('**/Gemfile.lock') }}
     - name: Bootstrap
       run: script/bootstrap
     - name: Set up fixtures
@@ -286,13 +281,37 @@ jobs:
     - name: Run tests
       run: script/test npm
 
+  nuget:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Setup dotnet
+      uses: actions/setup-dotnet@v1
+      with:
+        dotnet-version: 3.1.202
+    - name: Set up Ruby
+      uses: actions/setup-ruby@v1
+      with:
+        ruby-version: 2.6.x
+    - run: bundle lock
+    - uses: actions/cache@v1
+      with:
+        path: vendor/gems
+        key: ${{ runner.os }}-gem-2.6.x-${{ hashFiles('**/Gemfile.lock') }}
+    - name: Bootstrap
+      run: script/bootstrap
+    - name: Set up fixtures
+      run: script/source-setup/nuget
+    - name: Run tests
+      run: script/test nuget
+
   pip:
     runs-on: ubuntu-latest
     strategy:
       matrix:
         python: [ '2.x', '3.x' ]
     steps:
-    - uses: actions/checkout@master
+    - uses: actions/checkout@v2
     - name: Setup python
       uses: actions/setup-python@v1
       with:
@@ -303,10 +322,10 @@ jobs:
       with:
         ruby-version: 2.6.x
     - run: bundle lock
-    - uses: actions/cache@preview
+    - uses: actions/cache@v1
       with:
         path: vendor/gems
-        key: ${{ runner.os }}-gem-2.6.x-${{ hashFiles(format('{0}{1}', github.workspace, '/Gemfile.lock')) }}
+        key: ${{ runner.os }}-gem-2.6.x-${{ hashFiles('**/Gemfile.lock') }}
     - name: Bootstrap
       run: script/bootstrap
     - name: Install virtualenv
@@ -319,7 +338,7 @@ jobs:
   pipenv:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@master
+    - uses: actions/checkout@v2
     - name: Setup python
       uses: actions/setup-python@v1
       with:
@@ -330,10 +349,10 @@ jobs:
       with:
         ruby-version: 2.6.x
     - run: bundle lock
-    - uses: actions/cache@preview
+    - uses: actions/cache@v1
       with:
         path: vendor/gems
-        key: ${{ runner.os }}-gem-2.6.x-${{ hashFiles(format('{0}{1}', github.workspace, '/Gemfile.lock')) }}
+        key: ${{ runner.os }}-gem-2.6.x-${{ hashFiles('**/Gemfile.lock') }}
     - name: Bootstrap
       run: script/bootstrap
     - name: Install pipenv
@@ -350,7 +369,7 @@ jobs:
         # not using 1.0.0 because it doesn't support `yarn list --production`
         yarn_version: [ 1.4.0, latest ]
     steps:
-    - uses: actions/checkout@master
+    - uses: actions/checkout@v2
     - name: Setup node
       uses: actions/setup-node@v1
       with:
@@ -364,10 +383,10 @@ jobs:
       with:
         ruby-version: 2.6.x
     - run: bundle lock
-    - uses: actions/cache@preview
+    - uses: actions/cache@v1
       with:
         path: vendor/gems
-        key: ${{ runner.os }}-gem-2.6.x-${{ hashFiles(format('{0}{1}', github.workspace, '/Gemfile.lock')) }}
+        key: ${{ runner.os }}-gem-2.6.x-${{ hashFiles('**/Gemfile.lock') }}
     - name: Bootstrap
       run: script/bootstrap
     - name: Set up fixtures

data/CHANGELOG.md

@@ -6,6 +6,16 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## 2.10.0
+2020-05-15
+
+### Changed
+- NPM source ignores missing peer dependencies (https://github.com/github/licensed/pull/267)
+
+### Added
+- Nuget source (:tada: @zarenner https://github.com/github/licensed/pull/261)
+- Multiple apps can share a single cache location (https://github.com/github/licensed/pull/263)
+
 ## 2.9.2
 2020-04-28
 
@@ -292,4 +302,4 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 Initial release :tada:
 
-[Unreleased]: https://github.com/github/licensed/compare/2.9.2...HEAD
+[Unreleased]: https://github.com/github/licensed/compare/2.10.0...HEAD

data/README.md

@@ -102,14 +102,16 @@ Dependencies will be automatically detected for all of the following sources by
 1. [Bundler](./docs/sources/bundler.md)
 1. [Cabal](./docs/sources/cabal.md)
 1. [Composer](./docs/sources/composer.md)
+1. [Git Submodules (git_submodule)](./docs/sources/git_submodule.md)
 1. [Go](./docs/sources/go.md)
 1. [Go Dep (dep)](./docs/sources/dep.md)
+1. [Gradle](./docs/sources/gradle.md)
 1. [Manifest lists (manifests)](./docs/sources/manifests.md)
+1. [Mix](./docs/sources/mix.md)
 1. [NPM](./docs/sources/npm.md)
+1. [NuGet](./docs/sources/nuget.md)
 1. [Pip](./docs/sources/pip.md)
 1. [Pipenv](./docs/sources/pipenv.md)
-1. [Git Submodules (git_submodule)](./docs/sources/git_submodule.md)
-1. [Mix](./docs/sources/mix.md)
 1. [Yarn](./docs/sources/yarn.md)
 
 You can disable any of them in the configuration file:

data/docs/configuration.md

@@ -209,6 +209,26 @@ apps:
 
 In this example, the root configuration will contain a default cache path of `.licenses`.  `app1` will inherit this value and append it's name, resulting in a cache path of `.licenses/app1`.
 
+### Sharing caches between apps
+
+Dependency caches can be shared between apps by setting the same cache path on each app.
+
+```yaml
+apps:
+  - source_path: "path/to/app1"
+    cache_path: ".licenses/apps"
+  - source_path: "path/to/app2"
+    cache_path: ".licenses/apps"
+```
+
+When using a source path with a glob pattern, the apps created from the glob pattern can share a dependency by setting an explicit cache path and setting `shared_cache` to true.
+
+```yaml
+source_path: "path/to/apps/*"
+cache_path: ".licenses/apps"
+shared_cache: true
+```
+
 ## Source specific configuration
 
 See the [source documentation](./sources) for details on any source specific configuration.

data/docs/sources/nuget.md

@@ -0,0 +1,14 @@
+# NuGet
+
+The NuGet source will detect ProjectReference-style restored packages by inspecting `project.assets.json` files for dependencies. It requires that `dotnet restore` has already ran on the project.
+
+The source currently expects that `source_path` is set to the `obj` directory containing the `project.assets.json`.
+For example, if your project lives at `foo/foo.proj`, you likely want to set `source_path` to `foo/obj`.
+If in MSBuild you have customized your `obj` paths (e.g. to live outside your source tree), you may need to set `source_path` to something different such as `../obj/foo`.
+
+### Search strategy
+This source looks for licenses:
+1. Specified by SPDX expression via `<license type="expression">` in a package's `.nuspec` (via licensee)
+2. In license files such as `LICENSE.txt`, even if not specified in the `.nuspec` (via licensee)
+3. Specified by filepath via `<license type="file">` in a package's `.nuspec`, even if not a standard license filename.
+4. By downloading and inspecting the contents of `<licenseUrl>` in a package's `.nuspec`, if not found otherwise.

data/lib/licensed/commands/cache.rb

@@ -11,20 +11,39 @@ module Licensed
         Licensed::Reporters::CacheReporter.new
       end
 
+      # Run the command.
+      # Removes any cached records that don't match a current application
+      # dependency.
+      #
+      # options - Options to run the command with
+      #
+      # Returns whether the command was a success
+      def run(**options)
+        begin
+          result = super
+          clear_stale_cached_records if result
+
+          result
+        ensure
+          cache_paths.clear
+          files.clear
+        end
+      end
+
       protected
 
-      # Run the command for all enumerated dependencies found in a dependency source,
+      # Run the command for all enabled sources for an application configuration,
       # recording results in a report.
-      # Removes any cached records that don't match a current application
-      # dependency.
       #
-      # app - The application configuration for the source
-      # source - A dependency source enumerator
+      # app - An application configuration
       #
-      # Returns whether the command succeeded for the dependency source enumerator
-      def run_source(app, source)
+      # Returns whether the command succeeded for the application.
+      def run_app(app)
         result = super
-        clear_stale_cached_records(app, source) if result
+
+        # add the full cache path to the list of cache paths evaluted during this run
+        cache_paths << app.cache_path
+
         result
       end
 
@@ -62,6 +81,9 @@ module Licensed
           report.warnings << "expected dependency path #{dependency.path} does not exist"
         end
 
+        # add the absolute dependency file path to the list of files seen during this licensed run
+        files << filename.to_s
+
         true
       end
 
@@ -86,18 +108,26 @@ module Licensed
 
       # Clean up cached files that dont match current dependencies
       #
-      # app - An application configuration
-      # source - A dependency source enumerator
-      #
       # Returns nothing
-      def clear_stale_cached_records(app, source)
-        names = source.dependencies.map { |dependency| File.join(source.class.type, dependency.name) }
-        Dir.glob(app.cache_path.join(source.class.type, "**/*.#{DependencyRecord::EXTENSION}")).each do |file|
-          file_path = Pathname.new(file)
-          relative_path = file_path.relative_path_from(app.cache_path).to_s
-          FileUtils.rm(file) unless names.include?(relative_path.chomp(".#{DependencyRecord::EXTENSION}"))
+      def clear_stale_cached_records
+        cache_paths.each do |cache_path|
+          Dir.glob(cache_path.join("**/*.#{DependencyRecord::EXTENSION}")).each do |file|
+            next if files.include?(file)
+
+            FileUtils.rm(file)
+          end
         end
       end
+
+      # Set of unique cache paths that are evaluted during the run
+      def cache_paths
+        @cache_paths ||= Set.new
+      end
+
+      # Set of unique absolute file paths of cached records evaluted during the run
+      def files
+        @files ||= Set.new
+      end
     end
   end
 end

data/lib/licensed/configuration.rb

@@ -108,7 +108,12 @@ module Licensed
     def detect_cache_path(options, inherited_options)
       return options["cache_path"] unless options["cache_path"].to_s.empty?
 
-      cache_path = inherited_options["cache_path"] || DEFAULT_CACHE_PATH
+      # if cache_path and shared_cache are both set in inherited_options,
+      # don't append the app name to the cache path
+      cache_path = inherited_options["cache_path"]
+      return cache_path if cache_path && inherited_options["shared_cache"] == true
+
+      cache_path ||= DEFAULT_CACHE_PATH
       File.join(cache_path, self["name"])
     end
 
@@ -167,7 +172,12 @@ module Licensed
         # will handle configurations that don't have these explicitly set
         dir_name = File.basename(path)
         config["name"] = "#{config["name"]}-#{dir_name}" if config["name"]
-        config["cache_path"] = File.join(config["cache_path"], dir_name) if config["cache_path"]
+
+        # if a cache_path is set and is not marked as shared, append the app name
+        # to the end of the cache path to make a unique cache path for the app
+        if config["cache_path"] && config["shared_cache"] != true
+          config["cache_path"] = File.join(config["cache_path"], dir_name)
+        end
 
         config
       end

data/lib/licensed/reporters/reporter.rb

@@ -47,6 +47,9 @@ module Licensed
 
       def initialize(shell = Licensed::UI::Shell.new)
         @shell = shell
+        @run_report = nil
+        @app_report = nil
+        @source_report = nil
       end
 
       # Generate a report for a licensed command execution

data/lib/licensed/sources.rb

@@ -11,6 +11,7 @@ module Licensed
     require "licensed/sources/go"
     require "licensed/sources/manifest"
     require "licensed/sources/npm"
+    require "licensed/sources/nuget"
     require "licensed/sources/pip"
     require "licensed/sources/pipenv"
     require "licensed/sources/gradle"

data/lib/licensed/sources/go.rb

@@ -125,7 +125,7 @@ module Licensed
         # find most recent git SHA for a package, or nil if SHA is
         # not available
         Dir.chdir package_directory do
-          contents_version *contents_version_arguments
+          contents_version(*contents_version_arguments)
         end
       end
 

data/lib/licensed/sources/npm.rb

@@ -48,6 +48,7 @@ module Licensed
       # package name to it's metadata
       def recursive_dependencies(dependencies, result = {})
         dependencies.each do |name, dependency|
+          next if dependency["peerMissing"]
           next if yarn_lock_present && dependency["missing"]
           (result[name] ||= []) << dependency
           recursive_dependencies(dependency["dependencies"] || {}, result)

data/lib/licensed/sources/nuget.rb

@@ -0,0 +1,206 @@
+# frozen_string_literal: true
+require "json"
+require "reverse_markdown"
+
+module Licensed
+  module Sources
+    # Only supports ProjectReference (project.assets.json) style restore used in .NET Core.
+    # Does not currently support packages.config style restore.
+    class NuGet < Source
+      def self.type
+        "nuget"
+      end
+
+      class NuGetDependency < Licensed::Dependency
+        LICENSE_FILE_REGEX = /<license\s*type\s*=\s*\"\s*file\s*\"\s*>\s*(.*)\s*<\/license>/ix.freeze
+        LICENSE_URL_REGEX = /<licenseUrl>\s*(.*)\s*<\/licenseUrl>/ix.freeze
+        PROJECT_URL_REGEX = /<projectUrl>\s*(.*)\s*<\/projectUrl>/ix.freeze
+        PROJECT_DESC_REGEX = /<description>\s*(.*)\s*<\/description>/ix.freeze
+
+        def initialize(name:, version:, path:, search_root: nil, metadata: {}, errors: [])
+          super(name: name, version: version, path: path, search_root: search_root, metadata: metadata, errors: errors)
+          @metadata["homepage"] = project_url if project_url
+          @metadata["summary"] = description if description
+        end
+
+        def nuspec_path
+          name = @metadata["name"]
+          File.join(self.path, "#{name.downcase}.nuspec")
+        end
+
+        def nuspec_contents
+          return unless nuspec_path
+          @nuspec_contents ||= File.read(nuspec_path)
+        end
+
+        def project_url
+          return @project_url if defined?(@project_url)
+          return unless nuspec_contents
+          @project_url = begin
+            match = nuspec_contents.match PROJECT_URL_REGEX
+            match[1] if match && match[1]
+          end
+        end
+
+        def description
+          return @description if defined?(@description)
+          return unless nuspec_contents
+          @description = begin
+            match = nuspec_contents.match PROJECT_DESC_REGEX
+            match[1] if match && match[1]
+          end
+        end
+
+        def project_files
+          @nuget_project_files ||= begin
+            files = super().flatten.compact
+
+            # Only include the local file if it's a file licensee didn't already detect
+            nuspec_license_filename = File.basename(nuspec_local_license_file.filename) if nuspec_local_license_file
+            if nuspec_license_filename && files.none? { |file| File.basename(file.filename) == nuspec_license_filename }
+              files.push(nuspec_local_license_file)
+            end
+
+            # Only download licenseUrl if no recognized license was found locally
+            if files.none? { |file| file.license && file.license.key != "other" }
+              files.push(nuspec_remote_license_file)
+            end
+
+            files.compact
+          end
+        end
+
+        # Look for a <license type="file"> element in the nuspec that points to an
+        # on-disk license file (which licensee may not find due to a non-standard filename)
+        def nuspec_local_license_file
+          return @nuspec_local_license_file if defined?(@nuspec_local_license_file)
+          return unless nuspec_contents
+
+          match = nuspec_contents.match LICENSE_FILE_REGEX
+          return unless match && match[1]
+
+          license_path = File.join(File.dirname(nuspec_path), match[1])
+          return unless File.exist?(license_path)
+
+          license_data = File.read(license_path)
+          @nuspec_local_license_file = Licensee::ProjectFiles::LicenseFile.new(license_data, license_path)
+        end
+
+        # Look for a <licenseUrl> element in the nuspec that either is known to contain a license identifier
+        # in the URL, or points to license text on the internet that can be downloaded.
+        def nuspec_remote_license_file
+          return @nuspec_remote_license_file if defined?(@nuspec_remote_license_file)
+          return unless nuspec_contents
+
+          match = nuspec_contents.match LICENSE_URL_REGEX
+          return unless match && match[1]
+
+          # Attempt to fetch the license content
+          license_content = self.class.retrieve_license(match[1])
+          @nuspec_remote_license_file = Licensee::ProjectFiles::LicenseFile.new(license_content, { uri: match[1] }) if license_content
+        end
+
+        class << self
+          def strip_html(html)
+            return unless html
+
+            return html unless html.downcase.include?("<html")
+            ReverseMarkdown.convert(html, unknown_tags: :bypass)
+          end
+
+          def ignored_url?(url)
+            # Many Microsoft packages that now use <license> use this for <licenseUrl>
+            # No need to fetch this page - it just contains NuGet documentation
+            url == "https://aka.ms/deprecateLicenseUrl"
+          end
+
+          def text_content_url(url)
+            # Convert github file URLs to raw URLs
+            return url unless match = url.match(/https?:\/\/(?:www\.)?github.com\/([^\/]+)\/([^\/]+)\/blob\/(.*)/i)
+            "https://github.com/#{match[1]}/#{match[2]}/raw/#{match[3]}"
+          end
+
+          def retrieve_license(url)
+            return unless url
+            return if ignored_url?(url)
+
+            # Transform URLs that are known to return HTML but have a corresponding text-based URL
+            text_url = text_content_url(url)
+
+            raw_content = fetch_content(text_url)
+            strip_html(raw_content)
+          end
+
+          def fetch_content(url, redirect_limit = 5)
+            url = URI.parse(url) if url.instance_of? String
+            return @response_by_url[url] if (@response_by_url ||= {}).key?(url)
+            return if redirect_limit == 0
+
+            begin
+              response = Net::HTTP.get_response(url)
+              case response
+              when Net::HTTPSuccess     then
+                @response_by_url[url] = response.body
+              when Net::HTTPRedirection then
+                redirect_url = URI.parse(response["location"])
+                if redirect_url.relative?
+                  redirect_url = url + redirect_url
+                end
+                # The redirect might be to a URL that requires transformation, i.e. a github file
+                redirect_url = text_content_url(redirect_url.to_s)
+                @response_by_url[url] = fetch_content(redirect_url, redirect_limit - 1)
+              end
+            rescue
+              # Host might no longer exist or some other error, ignore
+            end
+          end
+        end
+      end
+
+      def project_assets_file_path
+        File.join(config.pwd, "project.assets.json")
+      end
+
+      def project_assets_file
+        return @project_assets_file if defined?(@project_assets_file)
+        @project_assets_file = File.read(project_assets_file_path)
+      end
+
+      def enabled?
+        File.exist?(project_assets_file_path)
+      end
+
+      # Inspect project.assets.json files for package references.
+      # Ideally we'd use `dotnet list package` instead, but its output isn't
+      # easily machine readable and doesn't contain everything we need.
+      def enumerate_dependencies
+        json = JSON.parse(project_assets_file)
+        nuget_packages_dir = json["project"]["restore"]["packagesPath"]
+        json["targets"].each_with_object({}) do |(_, target), dependencies|
+          target.each do |reference_key, reference|
+            # Ignore project references
+            next unless reference["type"] == "package"
+            package_id_parts = reference_key.partition("/")
+            name = package_id_parts[0]
+            version = package_id_parts[-1]
+            id = "#{name}-#{version}"
+
+            # Already know this package from another target
+            next if dependencies.key?(id)
+
+            path = File.join(nuget_packages_dir, json["libraries"][reference_key]["path"])
+            dependencies[id] = NuGetDependency.new(
+              name: id,
+              version: version,
+              path: path,
+              metadata: {
+                "type" => NuGet.type,
+                "name" => name
+              }
+            )
+          end
+        end.values
+      end
+    end
+  end
+end

data/lib/licensed/version.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 module Licensed
-  VERSION = "2.9.2".freeze
+  VERSION = "2.10.0".freeze
 
   def self.previous_major_versions
     major_version = Gem::Version.new(Licensed::VERSION).segments.first

data/licensed.gemspec

@@ -23,13 +23,14 @@ Gem::Specification.new do |spec|
 
   spec.required_ruby_version = ">= 2.3.0"
 
-  spec.add_dependency "licensee", ">= 9.13.2", "< 10.0.0"
+  spec.add_dependency "licensee", ">= 9.14.0", "< 10.0.0"
   spec.add_dependency "thor", ">= 0.19"
   spec.add_dependency "pathname-common_prefix", "~> 0.0.1"
   spec.add_dependency "tomlrb", "~> 1.2"
   spec.add_dependency "bundler", ">= 1.10"
   spec.add_dependency "ruby-xxHash", "~> 0.4"
   spec.add_dependency "parallel", ">= 0.18.0"
+  spec.add_dependency "reverse_markdown", "~> 1.0"
 
   spec.add_development_dependency "rake", ">= 12.3.3"
   spec.add_development_dependency "minitest", "~> 5.8"

data/script/source-setup/nuget

@@ -0,0 +1,17 @@
+#!/bin/bash
+set -e
+
+if [ -z "$(which dotnet)" ]; then
+  echo "A local dotnet installation is required for dotnet/nuget development." >&2
+  exit 127
+fi
+
+# setup test fixtures
+BASE_PATH="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+cd $BASE_PATH/test/fixtures/nuget
+
+if [ "$1" == "-f" ]; then
+  dotnet clean
+fi
+
+dotnet restore

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: licensed
 version: !ruby/object:Gem::Version
-  version: 2.9.2
+  version: 2.10.0
 platform: ruby
 authors:
 - GitHub
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-04-29 00:00:00.000000000 Z
+date: 2020-05-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: licensee
@@ -16,7 +16,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 9.13.2
+        version: 9.14.0
     - - "<"
       - !ruby/object:Gem::Version
         version: 10.0.0
@@ -26,7 +26,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 9.13.2
+        version: 9.14.0
     - - "<"
       - !ruby/object:Gem::Version
         version: 10.0.0
@@ -114,6 +114,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 0.18.0
+- !ruby/object:Gem::Dependency
+  name: reverse_markdown
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -257,6 +271,7 @@ files:
 - docs/sources/manifests.md
 - docs/sources/mix.md
 - docs/sources/npm.md
+- docs/sources/nuget.md
 - docs/sources/pip.md
 - docs/sources/pipenv.md
 - docs/sources/stack.md
@@ -297,6 +312,7 @@ files:
 - lib/licensed/sources/manifest.rb
 - lib/licensed/sources/mix.rb
 - lib/licensed/sources/npm.rb
+- lib/licensed/sources/nuget.rb
 - lib/licensed/sources/pip.rb
 - lib/licensed/sources/pipenv.rb
 - lib/licensed/sources/source.rb
@@ -320,6 +336,7 @@ files:
 - script/source-setup/go
 - script/source-setup/mix
 - script/source-setup/npm
+- script/source-setup/nuget
 - script/source-setup/pip
 - script/source-setup/pipenv
 - script/source-setup/yarn
@@ -343,8 +360,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.8
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Extract and validate the licenses of dependencies.