licensure 0.1.0 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6759a51d14e8f88b4d718fb1368cf9e2593660e43863949d73bb929062be7c12
-  data.tar.gz: 396ad8b96f81968fffab0dce383b368632ae6c12f71c8055589c3b361b6a0fb8
+  metadata.gz: 2805125ca2b8cc001a334352f8b5799fd95687e28f3f452a8b9ddd3363e1ca6a
+  data.tar.gz: a3cbb3378e66fb24a4239c7d317c39c2c35ccb5765900b862ebf4eb9edb879d8
 SHA512:
-  metadata.gz: 69a98b94fe4fe29946a48d8281ce993632db4be662e6cefb70cb5826d38807546a2dc8d4d1bf8598d63265ef4613b19b1797490b83efd84754d7a1a2a59f9a49
-  data.tar.gz: df348e79ddac7e9f8bb783a6743a0706b1fac62de1100268fceaa51b895c80813ebd730d0edb734be0905a95d4b88fdc0b666670baefbb6225664bccd0f831ee
+  metadata.gz: d495b2ee905388c8683376c37b94cba58c7519228b434851dd2f1c4f3b009ab2f43df8479fc3a15cabe6620b5f4de1e983c77eeb36a309a0dd2e693cbd1c005e
+  data.tar.gz: f7a3e6aa8ea488b1173a7a9767d0ad23b1c1f05edb79c880ba607a8411f4a5263d302c0a24fe69f5b1b32f66e2bc33c8f5df8d0a2d18e1e396f3da312e4faf0c

data/README.md

@@ -1,4 +1,4 @@
-# Licensure
+# Licensure [![Gem Version](https://badge.fury.io/rb/licensure.svg)](https://badge.fury.io/rb/licensure) [![Ruby](https://github.com/ydah/licensure/actions/workflows/main.yml/badge.svg)](https://github.com/ydah/licensure/actions/workflows/main.yml)
 
 Licensure is a RubyGem CLI tool that inspects dependency licenses from `Gemfile.lock` and checks them against a configurable allow list.
 
@@ -56,10 +56,12 @@ ignored_gems:
 deny_unknown: true
 ```
 
-- `allowed_licenses`: Allowed license identifiers. Empty means allow all.
+- `allowed_licenses`: Allowed license identifiers. Empty means allow all. For gems with multiple licenses, all reported licenses must be included.
 - `ignored_gems`: Gem names excluded from checks.
 - `deny_unknown`: Treat gems without license metadata as warnings.
 
+When a gem reports non-SPDX license text and its `source_code_uri` or `homepage` points to GitHub, Licensure queries the GitHub repository license API and normalizes matched labels to `spdx_id` (for example, `Apache License, Version 2.0` -> `Apache-2.0`). Set `GITHUB_TOKEN` in CI to reduce API rate-limit risk.
+
 ## Commands
 
 ```bash

data/lib/licensure/license_checker.rb

@@ -34,12 +34,13 @@ module Licensure
           next
         end
 
-        if allowed_license?(info.licenses)
+        disallowed = disallowed_licenses(info.licenses)
+        if disallowed.empty?
           passed << info
           next
         end
 
-        reason = "License '#{info.licenses.join(", ")}' is not in the allowed list"
+        reason = "Licenses '#{disallowed.join(", ")}' are not in the allowed list"
         violations << Violation.new(gem_info: info, reason: reason)
       end
 
@@ -49,9 +50,17 @@ module Licensure
     private
 
     # @param licenses [Array<String>]
+    # @return [Array<String>]
+    def disallowed_licenses(licenses)
+      licenses.reject { |license| allowed_license?(license) }
+    end
+
+    # @param license [String]
     # @return [Boolean]
-    def allowed_license?(licenses)
-      licenses.any? { |license| @configuration.allowed_licenses.include?(license) }
+    def allowed_license?(license)
+      @configuration.allowed_licenses.any? do |allowed_license|
+        LicenseMatcher.match?(allowed_license, license)
+      end
     end
   end
 end

data/lib/licensure/license_fetcher.rb

@@ -7,6 +7,7 @@ module Licensure
   # Fetches gem license data from local gemspecs and RubyGems API.
   class LicenseFetcher
     RUBYGEMS_ENDPOINT = "https://rubygems.org/api/v1/gems".freeze
+    GITHUB_LICENSE_ENDPOINT = "https://api.github.com/repos".freeze
     REQUEST_TIMEOUT = 5
 
     # @param dependencies [Array<Hash{Symbol => String}>]
@@ -20,16 +21,32 @@ module Licensure
     # @return [Licensure::GemLicenseInfo]
     def fetch(name, version)
       local = fetch_from_gemspec(name)
-      return build_info(name, version, local[:licenses], :gemspec, local[:homepage]) if local
+      return build_info_from_payload(name, version, local, :gemspec) if local
 
       remote = fetch_from_api(name)
-      return build_info(name, version, remote[:licenses], :api, remote[:homepage]) if remote
+      return build_info_from_payload(name, version, remote, :api) if remote
 
       build_info(name, version, [], :unknown, nil)
     end
 
     private
 
+    # @param name [String]
+    # @param version [String]
+    # @param payload [Hash]
+    # @param source [Symbol]
+    # @return [Licensure::GemLicenseInfo]
+    def build_info_from_payload(name, version, payload, source)
+      licenses = normalize_with_github(
+        payload[:licenses],
+        payload[:source_code_uri],
+        payload[:homepage]
+      )
+      homepage = payload[:homepage] || payload[:source_code_uri]
+
+      build_info(name, version, licenses, source, homepage)
+    end
+
     # @param name [String]
     # @return [Hash, nil]
     def fetch_from_gemspec(name)
@@ -37,7 +54,11 @@ module Licensure
       licenses = normalize_licenses(spec.licenses, spec.license)
       return nil if licenses.empty?
 
-      { licenses: licenses, homepage: spec.homepage }
+      {
+        licenses: licenses,
+        homepage: spec.homepage,
+        source_code_uri: spec.metadata&.[]("source_code_uri")
+      }
     rescue Gem::LoadError
       nil
     end
@@ -56,7 +77,11 @@ module Licensure
       licenses = normalize_licenses(payload["licenses"], payload["license"])
       return nil if licenses.empty?
 
-      { licenses: licenses, homepage: payload["homepage_uri"] || payload["homepage"] }
+      {
+        licenses: licenses,
+        homepage: payload["homepage_uri"] || payload["homepage"],
+        source_code_uri: payload["source_code_uri"]
+      }
     rescue JSON::ParserError, StandardError
       nil
     end
@@ -85,6 +110,98 @@ module Licensure
            .uniq
     end
 
+    # @param licenses [Array<String>]
+    # @param source_code_uri [String, nil]
+    # @param homepage [String, nil]
+    # @return [Array<String>]
+    def normalize_with_github(licenses, source_code_uri, homepage)
+      return licenses if licenses.empty?
+      return licenses unless github_normalization_needed?(licenses)
+
+      repository = github_repository(source_code_uri || homepage)
+      return licenses unless repository
+
+      github_license = fetch_github_license(repository[:owner], repository[:repo])
+      return licenses unless github_license
+
+      canonicalize_licenses(
+        licenses,
+        github_license[:spdx_id],
+        github_license[:name],
+        github_license[:key]
+      )
+    end
+
+    # @param licenses [Array<String>]
+    # @return [Boolean]
+    def github_normalization_needed?(licenses)
+      licenses.any? { |license| license.match?(/\s|,|\blicense\b|\bversion\b/i) }
+    end
+
+    # @param url [String, nil]
+    # @return [Hash{Symbol => String}, nil]
+    def github_repository(url)
+      return nil if url.to_s.strip.empty?
+
+      uri = URI(url)
+      host = uri.host.to_s.downcase
+      return nil unless %w[github.com www.github.com].include?(host)
+
+      segments = uri.path.to_s.split("/").reject(&:empty?)
+      return nil if segments.size < 2
+
+      owner = segments[0]
+      repo = segments[1].sub(/\.git\z/, "")
+      return nil if owner.empty? || repo.empty?
+
+      { owner: owner, repo: repo }
+    rescue URI::InvalidURIError
+      nil
+    end
+
+    # @param owner [String]
+    # @param repo [String]
+    # @return [Hash{Symbol => String}, nil]
+    def fetch_github_license(owner, repo)
+      uri = URI("#{GITHUB_LICENSE_ENDPOINT}/#{owner}/#{repo}/license")
+      request = Net::HTTP::Get.new(uri)
+      request["Accept"] = "application/vnd.github+json"
+      request["X-GitHub-Api-Version"] = "2022-11-28"
+      request["User-Agent"] = "Licensure/#{Licensure::VERSION}"
+
+      token = ENV["GITHUB_TOKEN"]
+      request["Authorization"] = "Bearer #{token}" unless token.to_s.empty?
+
+      response = http_client_for(uri).request(request)
+      return nil unless response.is_a?(Net::HTTPSuccess)
+
+      payload = JSON.parse(response.body)
+      license = payload["license"]
+      return nil unless license.is_a?(Hash)
+
+      spdx_id = license["spdx_id"].to_s.strip
+      return nil if spdx_id.empty? || spdx_id == "NOASSERTION"
+
+      { spdx_id: spdx_id, name: license["name"], key: license["key"] }
+    rescue JSON::ParserError, StandardError
+      nil
+    end
+
+    # @param licenses [Array<String>]
+    # @param spdx_id [String]
+    # @param name [String, nil]
+    # @param key [String, nil]
+    # @return [Array<String>]
+    def canonicalize_licenses(licenses, spdx_id, name, key)
+      fingerprints = [spdx_id, name, key].filter_map { |value| LicenseMatcher.fingerprint(value) }.uniq
+      return licenses if fingerprints.empty?
+
+      licenses.map do |license|
+        fingerprint = LicenseMatcher.fingerprint(license)
+        fingerprints.include?(fingerprint) ? spdx_id : license
+      end.uniq
+    end
+
     # @param name [String]
     # @param version [String]
     # @param licenses [Array<String>]

data/lib/licensure/license_matcher.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Licensure
+  # Compares license labels with lightweight normalization.
+  module LicenseMatcher
+    module_function
+
+    # @param left [String]
+    # @param right [String]
+    # @return [Boolean]
+    def match?(left, right)
+      return true if left == right
+
+      left_fingerprint = fingerprint(left)
+      right_fingerprint = fingerprint(right)
+      return false unless left_fingerprint && right_fingerprint
+
+      left_fingerprint == right_fingerprint
+    end
+
+    # @param value [String, nil]
+    # @return [String, nil]
+    def fingerprint(value)
+      normalized = value.to_s.downcase
+                        .gsub(/\b(the|license|version)\b/, "")
+                        .gsub(/[^a-z0-9]/, "")
+      return nil if normalized.empty?
+
+      normalized
+    end
+  end
+end

data/lib/licensure/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Licensure
-  VERSION = "0.1.0"
+  VERSION = "0.2.1"
 end

data/lib/licensure.rb

@@ -6,6 +6,7 @@ require_relative "licensure/types"
 require_relative "licensure/configuration"
 require_relative "licensure/dependency_resolver"
 require_relative "licensure/license_fetcher"
+require_relative "licensure/license_matcher"
 require_relative "licensure/license_checker"
 require_relative "licensure/formatters/base"
 require_relative "licensure/formatters/table"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: licensure
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.1
 platform: ruby
 authors:
 - Yudai Takada
@@ -63,6 +63,7 @@ files:
 - lib/licensure/formatters/table.rb
 - lib/licensure/license_checker.rb
 - lib/licensure/license_fetcher.rb
+- lib/licensure/license_matcher.rb
 - lib/licensure/types.rb
 - lib/licensure/version.rb
 homepage: https://github.com/ydah/licensure