licensed 4.1.0 → 4.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7606d0b5e5f3755ee329a1963cda970c021deab08680c619731ed6fb3ba547da
-  data.tar.gz: 668a2d87d8019284b6ce02bccdda851ad186f03cc7d389fbdd659473affc08cf
+  metadata.gz: 2b65e198a420b03486b2680a6a83fb04b4e67684d28bc4ba9ef00c466ffd7489
+  data.tar.gz: ab2b10c6e854d3f1d7faa918e48addb497032838fd1cea942ff823053b891150
 SHA512:
-  metadata.gz: '064129baadae7345b5c05e2635cc1850b8ce8321f1e2df803b5fc6d6704556a1337c7d1561024775801cf5cb4158b6c25657b06a0a9baf5ccac7a7453f35fa53'
-  data.tar.gz: b3c6ba7179d7b777665f29b5cace4536181a428a5995c5e7d1d168b4ba6012fd333d191eb6ce23ab7b971a9cb8231dbfb999743c72bf91a1efe78ddec78223b7
+  metadata.gz: 8dee38c45e73cb03b7c94a9260bb9bc6f5919f53156b69a751238693920e2f120a3dcb0d43f66270fa9abc8305705fdced290978e51bfe762be5f0e5ba00230d
+  data.tar.gz: d352b46e40f545f0bd3e1aa29e3bb62454e2e329c64ce9197ba1f9c38b4f11bcbbbecc789658dcff0e6b79e43b4ee9cc839b5476e23cab44a559a605ddbd77b6

data/CHANGELOG.md

@@ -6,6 +6,16 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## 4.2.0
+
+### Added
+
+- Reviewed and ignored configuration lists support matching on versions and version ranges (https://github.com/github/licensed/pull/629)
+
+### Fixed
+
+- Licensed should more reliably source dependencies from Gradle >= 8.0 (https://github.com/github/licensed/pull/630)
+
 ## 4.1.0
 
 ### Added
@@ -713,4 +723,4 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 Initial release :tada:
 
-[Unreleased]: https://github.com/github/licensed/compare/4.1.0...HEAD
+[Unreleased]: https://github.com/github/licensed/compare/4.2.0...HEAD

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    licensed (4.1.0)
+    licensed (4.2.0)
       json (~> 2.6)
       licensee (~> 9.16)
       parallel (~> 1.22)

data/docs/configuration/ignoring_dependencies.md

@@ -17,3 +17,16 @@ ignored:
   go:
     - github.com/me/my-repo/**/*
 ```
+
+## Ignoring dependencies at specific versions
+
+Ignore a dependency at specific versions by appending `@<version>` to the end of the dependency's name in an `ignore` list.  If a dependency is configured to be ignored at a specific version, licensed will not ignore non-matching versions of the dependency.
+
+The version value can be one of:
+
+1. `"*"` - match any version value
+1. any version string, or version range string, that can be parsed by `Gem::Requirement`
+   - a semantic version - `dependency@1.2.3`
+   - a gem requirement range - `dependency@~> 1.0.0` or `dependency@< 3.0`
+   - see the [Rubygems version guides](https://guides.rubygems.org/patterns/#pessimistic-version-constraint) for more details about specifying gem version requirements
+1. a value that can't be parsed by `Gem::Requirement`, which will only match dependencies with the same version string

data/docs/configuration/reviewing_dependencies.md

@@ -16,3 +16,16 @@ reviewed:
   bundler:
     - gem-using-unallowed-license
 ```
+
+## Reviewing dependencies at specific versions
+
+Review a dependency at specific versions by appending `@<version>` to the end of the dependency's name in an `reviewed` list.  If a dependency is configured to be reviewed at a specific version, licensed will not recognize non-matching versions of the dependency as being manually reviewed and accepted.
+
+The version value can be one of:
+
+1. `"*"` - match any version value
+1. any version string, or version range string, that can be parsed by `Gem::Requirement`
+   - a semantic version - `dependency@1.2.3`
+   - a gem requirement range - `dependency@~> 1.0.0` or `dependency@< 3.0`
+   - see the [Rubygems version guides](https://guides.rubygems.org/patterns/#pessimistic-version-constraint) for more details about specifying gem version requirements
+1. a value that can't be parsed by `Gem::Requirement`, which will only match dependencies with the same version string

data/docs/sources/pnpm.md

@@ -2,6 +2,8 @@
 
 The npm source will detect dependencies when `pnpm-lock.yaml` is found at an apps `source_path`.  It uses `pnpm licenses list` to enumerate dependencies and metadata.
 
+All dependencies enumerated by the pnpm source include the dependency version in the dependency's name identifier.  All [reviewed](../configuration/reviewing_dependencies.md) or [ignored](../configuration/ignoring_dependencies.md) dependencies must include a version signifier in the configured dependency name.
+
 **NOTE** [pnpm licenses list](https://pnpm.io/cli/licenses) is an experimental CLI command and subject to change.  If changes to pnpm result in unexpected or broken behavior in licensed please open an [issue](https://github.com/github/licensed/issues/new).
 
 ## Including development dependencies

data/lib/licensed/commands/cache.rb

@@ -83,7 +83,7 @@ module Licensed
         report["version"] = dependency.version
 
         if save_dependency_record?(dependency, cached_record)
-          update_dependency_from_cached_record(app, dependency, cached_record)
+          update_dependency_from_cached_record(app, source, dependency, cached_record)
 
           dependency.record.save(filename)
           report["cached"] = true
@@ -123,14 +123,14 @@ module Licensed
       # Update dependency metadata from the cached record, to support:
       # 1. continuity between cache runs to cut down on churn
       # 2. notifying users when changed content needs to be reviewed
-      def update_dependency_from_cached_record(app, dependency, cached_record)
+      def update_dependency_from_cached_record(app, source, dependency, cached_record)
         return if cached_record.nil?
         return if options[:force]
 
         if dependency.record.matches?(cached_record)
           # use the cached license value if the license text wasn't updated
           dependency.record["license"] = cached_record["license"]
-        elsif app.reviewed?(dependency.record)
+        elsif app.reviewed?(dependency.record, require_version: source.class.require_matched_dependency_version)
           # if the license text changed and the dependency is set as reviewed
           # force a re-review of the dependency
           dependency.record["review_changed_license"] = true

data/lib/licensed/commands/status.rb

@@ -60,7 +60,7 @@ module Licensed
           report.errors << "missing license text" if record.licenses.empty?
           if record["review_changed_license"]
             report.errors << "license text has changed and needs re-review. if the new text is ok, remove the `review_changed_license` flag from the cached record"
-          elsif license_needs_review?(app, record)
+          elsif license_needs_review?(app, source, record)
             report.errors << needs_review_error_message(app, record)
           end
         end
@@ -70,9 +70,10 @@ module Licensed
 
       # Returns true if a cached record needs further review based on the
       # record's license(s) and the app's configuration
-      def license_needs_review?(app, record)
+      def license_needs_review?(app, source, record)
         # review is not needed if the record is set as reviewed
-        return false if app.reviewed?(record, match_version: data_source == "configuration")
+        require_version = data_source == "configuration" || source.class.require_matched_dependency_version
+        return false if app.reviewed?(record, require_version: require_version)
 
         # review is not needed if the top level license is allowed
         return false if app.allowed?(record["license"])
@@ -99,7 +100,7 @@ module Licensed
         error = "dependency needs review"
 
         # look for an unversioned reviewed list match
-        if app.reviewed?(record, match_version: false)
+        if app.reviewed?(record, require_version: false)
           error += ", unversioned 'reviewed' match found: #{record["name"]}"
         end
 

data/lib/licensed/configuration.rb

@@ -10,6 +10,8 @@ module Licensed
 
     DEFAULT_CACHE_PATH = ".licenses".freeze
 
+    ANY_VERSION_REQUIREMENT = "*".freeze
+
     # Returns the root for a configuration in following order of precedence:
     # 1. explicitly configured "root" property
     # 2. a found git repository root
@@ -73,8 +75,8 @@ module Licensed
     end
 
     # Is the given dependency reviewed?
-    def reviewed?(dependency, match_version: false)
-      any_list_pattern_matched? self["reviewed"][dependency["type"]], dependency, match_version: match_version
+    def reviewed?(dependency, require_version: false)
+      any_list_pattern_matched? self["reviewed"][dependency["type"]], dependency, require_version: require_version
     end
 
     # Find all reviewed dependencies that match the provided dependency's name
@@ -83,8 +85,8 @@ module Licensed
     end
 
     # Is the given dependency ignored?
-    def ignored?(dependency)
-      any_list_pattern_matched? self["ignored"][dependency["type"]], dependency
+    def ignored?(dependency, require_version: false)
+      any_list_pattern_matched? self["ignored"][dependency["type"]], dependency, require_version: require_version
     end
 
     # Is the license of the dependency allowed?
@@ -93,8 +95,10 @@ module Licensed
     end
 
     # Ignore a dependency
-    def ignore(dependency)
-      (self["ignored"][dependency["type"]] ||= []) << dependency["name"]
+    def ignore(dependency, at_version: false)
+      id = dependency["name"]
+      id += "@#{dependency["version"]}" if at_version && dependency["version"]
+      (self["ignored"][dependency["type"]] ||= []) << id
     end
 
     # Set a dependency as reviewed
@@ -117,15 +121,41 @@ module Licensed
 
     private
 
-    def any_list_pattern_matched?(list, dependency, match_version: false)
+    def any_list_pattern_matched?(list, dependency, require_version: false)
       Array(list).any? do |pattern|
-        if match_version
-          at_version = "@#{dependency["version"]}"
-          pattern, pattern_version = pattern.rpartition(at_version).values_at(0, 1)
-          next false if pattern == "" || pattern_version == ""
+        # parse a name and version requirement value from the pattern
+        name, requirement = pattern.rpartition("@").values_at(0, 2).map(&:strip)
+
+        if name == ""
+          # if name == "", then the pattern doesn't contain a valid version value.
+          # treat the entire pattern as the dependency name with no version.
+          name = pattern
+          requirement = nil
+        elsif !requirement.to_s.empty?
+          # check if the version requirement is a valid Gem::Requirement
+          # for range matching
+          requirements = requirement.split(",").map(&:strip)
+          if requirements.all? { |r| Gem::Requirement::PATTERN.match?(r) }
+            requirement = Gem::Requirement.new(requirements)
+          end
         end
 
-        File.fnmatch?(pattern, dependency["name"], File::FNM_PATHNAME | File::FNM_CASEFOLD)
+        # the pattern's name must match the dependency's name
+        next false unless File.fnmatch?(name, dependency["name"], File::FNM_PATHNAME | File::FNM_CASEFOLD)
+
+        # if there is no version requirement configured or if the dependency doesn't have a version
+        # specified, return a value based on whether a version match is required
+        next !require_version if requirement.nil? || dependency["version"].to_s.empty?
+
+        case requirement
+        when String
+          # string match the requirement against "*" or the dependency's version
+          [ANY_VERSION_REQUIREMENT, dependency["version"]].any? { |r| requirement == r }
+        when Gem::Requirement
+          # if the version was parsed as a gem requirement, check whether the version requirement
+          # matches the dependency's version
+          Gem::Version.correct?(dependency["version"]) && requirement.satisfied_by?(Gem::Version.new(dependency["version"]))
+        end
       end
     end
 

data/lib/licensed/dependency.rb

@@ -99,6 +99,17 @@ module Licensed
          .select { |notice| notice["text"].length > 0 } # files with content only
     end
 
+    # Returns a hash of basic metadata about the dependency - name, version, type, etc
+    def metadata
+      {
+        # can be overriden by values in @metadata
+        "name" => name,
+        "version" => version
+      }.merge(
+        @metadata
+      )
+    end
+
     private
 
     def read_file_with_encoding_check(file_path)
@@ -135,14 +146,8 @@ module Licensed
     # Returns the metadata that represents this dependency.  This metadata
     # is written to YAML in the dependencys cached text file
     def license_metadata
-      {
-        # can be overriden by values in @metadata
-        "name" => name,
-        "version" => version
-      }.merge(
-        @metadata
-      ).merge({
-        # overrides all other values
+      metadata.merge({
+        # overrides all metadata values
         "license" => license_key
       })
     end

data/lib/licensed/sources/gradle.rb

@@ -9,7 +9,7 @@ require "fileutils"
 module Licensed
   module Sources
     class Gradle < Source
-      DEFAULT_CONFIGURATIONS   = ["runtime", "runtimeClasspath"].freeze
+      DEFAULT_CONFIGURATIONS   = ["runtimeOnly", "runtimeClasspath"].freeze
       GRADLE_LICENSES_PATH     = ".gradle-licenses".freeze
       GRADLE_LICENSES_CSV_NAME = "licenses.csv".freeze
       class Dependency < Licensed::Dependency
@@ -46,7 +46,7 @@ module Licensed
       end
 
       def enumerate_dependencies
-        JSON.parse(gradle_runner.run("printDependencies", config.source_path)).map do |package|
+        JSON.parse(gradle_runner.run("printDependencies")).map do |package|
           name = "#{package['group']}:#{package['name']}"
           Dependency.new(
             name: name,
@@ -73,7 +73,7 @@ module Licensed
       end
 
       def gradle_runner
-        @gradle_runner ||= Runner.new(config.pwd, configurations, executable)
+        @gradle_runner ||= Runner.new(configurations, executable)
       end
 
       # Returns the configurations to include in license generation.
@@ -113,7 +113,7 @@ module Licensed
         begin
           # create the CSV file including dependency license urls using the gradle plugin
           gradle_licenses_dir = File.join(config.root, GRADLE_LICENSES_PATH)
-          gradle_runner.run("generateLicenseReport", config.source_path)
+          gradle_runner.run("generateLicenseReport")
 
           # parse the CSV report for dependency license urls
           CSV.foreach(File.join(gradle_licenses_dir, GRADLE_LICENSES_CSV_NAME), headers: true).each_with_object({}) do |row, hsh|
@@ -134,80 +134,82 @@ module Licensed
       # The Gradle::Runner class is a wrapper which provides
       # an interface to run gradle commands with the init script initialized
       class Runner
-        def initialize(root_path, configurations, executable)
-          @root_path = root_path
+        def initialize(configurations, executable)
           @executable = executable
-          @init_script = create_init_script(root_path, configurations)
+          @init_script = create_init_script(configurations)
         end
 
-        def run(command, source_path)
-          args = [format_command(command, source_path)]
+        def run(command)
+          args = [command]
           # The configuration cache is an incubating feature that can be activated manually.
           # The gradle plugin for licenses does not support it so we prevent it to run for gradle version supporting it.
-          args << "--no-configuration-cache" if gradle_version >= "6.6"
+          args << "--no-configuration-cache" if gradle_version >= Gem::Version.new("6.6")
           Licensed::Shell.execute(@executable, "-q", "--init-script", @init_script.path, *args)
         end
 
         private
 
-        def gradle_version
-          @gradle_version ||= Licensed::Shell.execute(@executable, "--version").scan(/Gradle [\d+]\.[\d+]/).last.split(" ").last
-        end
-
-        def create_init_script(path, configurations)
-          Dir.chdir(path) do
-            f = Tempfile.new(["init", ".gradle"], @root_path)
-            f.write(
-              <<~EOF
-                  import com.github.jk1.license.render.CsvReportRenderer
-                  import com.github.jk1.license.filter.LicenseBundleNormalizer
-                  final configs = #{configurations.inspect}
-
-                  initscript {
-                    repositories {
-                      maven {
-                        url "https://plugins.gradle.org/m2/"
-                      }
-                    }
-                    dependencies {
-                      classpath "com.github.jk1:gradle-license-report:#{gradle_version >= "7.0" ? "2.0" : "1.17"}"
+        def create_init_script(configurations)
+          # we need to create extensions in the event that the user hasn't configured custom configurations
+          # to avoid hitting errors where core Gradle configurations are set with canBeResolved=false
+          configuration_map = configurations.map { |c| [c, "licensed#{c}"] }.to_h
+          configuration_dsl = configuration_map.map { |orig, custom| "#{custom}.extendsFrom(#{orig})" }
+
+          f = Tempfile.new(["init", ".gradle"])
+          f.write(
+            <<~EOF
+                import com.github.jk1.license.render.CsvReportRenderer
+                import com.github.jk1.license.filter.LicenseBundleNormalizer
+                final configs = #{configuration_map.values.inspect}
+
+                initscript {
+                  repositories {
+                    maven {
+                      url "https://plugins.gradle.org/m2/"
                     }
                   }
+                  dependencies {
+                    classpath "com.github.jk1:gradle-license-report:#{gradle_version >= Gem::Version.new("7.0") ? "2.0" : "1.17"}"
+                  }
+                }
 
-                  allprojects {
-                    apply plugin: com.github.jk1.license.LicenseReportPlugin
-                    licenseReport {
-                        outputDir = "$rootDir/.gradle-licenses"
-                        configurations = configs
-                        renderers = [new CsvReportRenderer()]
-                        filters = [new LicenseBundleNormalizer()]
-                    }
+                allprojects {
+                  configurations {
+                    #{configuration_dsl.join("\n") }
+                  }
+
+                  apply plugin: com.github.jk1.license.LicenseReportPlugin
+                  licenseReport {
+                      outputDir = "$rootDir/#{GRADLE_LICENSES_PATH}"
+                      configurations = configs
+                      renderers = [new CsvReportRenderer()]
+                      filters = [new LicenseBundleNormalizer()]
+                  }
 
-                    task printDependencies {
-                      doLast {
-                          def dependencies = []
-                          configs.each {
-                              configurations[it].resolvedConfiguration.resolvedArtifacts.each { artifact ->
-                                  def id = artifact.moduleVersion.id
-                                  dependencies << "{ \\"group\\": \\"${id.group}\\", \\"name\\": \\"${id.name}\\", \\"version\\": \\"${id.version}\\" }"
-                              }
-                          }
-                          println "[${dependencies.join(", ")}]"
-                      }
+                  task printDependencies {
+                    doLast {
+                        def dependencies = []
+                        configs.each {
+                            configurations[it].resolvedConfiguration.resolvedArtifacts.each { artifact ->
+                                def id = artifact.moduleVersion.id
+                                dependencies << "{ \\"group\\": \\"${id.group}\\", \\"name\\": \\"${id.name}\\", \\"version\\": \\"${id.version}\\" }"
+                            }
+                        }
+                        println "[${dependencies.join(", ")}]"
                     }
                   }
-                EOF
-              )
-            f.close
-            f
-          end
+                }
+              EOF
+            )
+          f.close
+          f
         end
 
-        # Prefixes the gradle command with the project name for multi-build projects.
-        def format_command(command, source_path)
-          Dir.chdir(source_path) do
-            path = Licensed::Shell.execute(@executable, "properties", "-Dorg.gradle.logging.level=quiet").scan(/path:.*/).last.split(" ").last
-            path == ":" ? command : "#{path}:#{command}"
+        # Returns the version of gradle used during execution
+        def gradle_version
+          @gradle_version ||= begin
+            version = Licensed::Shell.execute(@executable, "--version").scan(/Gradle [\d+]\.[\d+]/).last.split(" ").last
+            Gem::Version.new(version)
           end
         end
       end

data/lib/licensed/sources/pnpm.rb

@@ -4,6 +4,12 @@ require "json"
 module Licensed
   module Sources
     class PNPM < Source
+      # The PNPM source requires matching reviewed or ignored dependencies
+      # on both name and version
+      def self.require_matched_dependency_version
+        true
+      end
+
       # Returns true when pnpm is installed and a pnpm-lock.yaml file is found,
       # otherwise false
       def enabled?

data/lib/licensed/sources/source.rb

@@ -51,6 +51,12 @@ module Licensed
                    .downcase
                    .split("::")
         end
+
+        # Returns true if the source requires matching reviewed and ignored dependencies'
+        # versions as well as their name
+        def require_matched_dependency_version
+          false
+        end
       end
 
       # all sources have a configuration
@@ -81,7 +87,7 @@ module Licensed
 
       # Returns whether a dependency is ignored in the configuration.
       def ignored?(dependency)
-        config.ignored?("type" => self.class.type, "name" => dependency.name)
+        config.ignored?(dependency.metadata, require_version: self.class.require_matched_dependency_version)
       end
 
       private

data/lib/licensed/version.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 module Licensed
-  VERSION = "4.1.0".freeze
+  VERSION = "4.2.0".freeze
 
   def self.previous_major_versions
     major_version = Gem::Version.new(Licensed::VERSION).segments.first

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: licensed
 version: !ruby/object:Gem::Version
-  version: 4.1.0
+  version: 4.2.0
 platform: ruby
 authors:
 - GitHub
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-02-08 00:00:00.000000000 Z
+date: 2023-02-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: licensee