spandx 0.15.1 → 0.18.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 120ae97e54f2a138b7d1053d9e71c8b702174cf70fbac0fc861b8971f4aec0bd
-  data.tar.gz: c89d3ffe76d00d0a6fb18e91b5cdd3ef1487a826047213dd264be3d59796d188
+  metadata.gz: bb37d5c085e6c24f08f563a34abe6395448e63a0f8a7571cd16ee7353fcf0e86
+  data.tar.gz: 8cb0c804cf63410200d1a8d7b28e7ba7ec1cf57e180d1e66e63664f3daf2e4b8
 SHA512:
-  metadata.gz: ab85f497f8ce4fe46a03b31d25ffa07816975dcbcb91a1438cf09bcd38f857ed652a1003569e2a8cbb091c5fb5b5b88a52043f4a61eec71337eff58107c75737
-  data.tar.gz: e73a923228358065c7d67bdfa8aaea328657269758f2c2d664621b5e6dd6da449b1d585655ae351e0edd99dbd155ef2efa24f0e37c95cd24c75f85da517503af
+  metadata.gz: '0815ee42c9a013e2d4979d662166ca44d898d513b64250635ab36e8c65ab55d2eb1d7683b7cd1dcf4c2d8bc365d55433aba88713b3d4e2613c47dc62a7b53ba7'
+  data.tar.gz: 1dd8fa583d48f9007162b2eda18e07b0e58e906791c06491dd1d43dece6304c6831b279a4840761e8a370c6aaf6d7304e16eb2baa2a9f80b627bdffbf0ae2632

data/CHANGELOG.md

@@ -1,4 +1,4 @@
-Version 0.15.1
+Version 0.18.1
 
 # Changelog
 
@@ -9,6 +9,27 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.18.1] - 2021-06-02
+### Fixed
+- Parse `.terraform.lock.hcl` files with multiple providers.
+
+## [0.18.0] - 2021-05-10
+### Added
+- Add support for parsing `.terraform.lock.hcl` files.
+
+## [0.17.0] - 2020-12-28
+### Added
+- Allow indexing gems from index.rubygems.org.
+
+## [0.16.1] - 2020-11-19
+### Fixed
+- Start spinner for table printer only
+
+## [0.16.0] - 2020-11-19
+### Changed
+- Pull smaller license cache.
+- Print index files after building them.
+
 ## [0.15.1] - 2020-11-18
 ### Fixed
 - Rebuild index after pulling latest cache.
@@ -211,7 +232,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Provide ruby API to the latest SPDX catalogue.
 
-[Unreleased]: https://github.com/spandx/spandx/compare/v0.15.1...HEAD
+[Unreleased]: https://github.com/spandx/spandx/compare/v0.18.1...HEAD
+[0.18.1]: https://github.com/spandx/spandx/compare/v0.18.0...v0.18.1
+[0.18.0]: https://github.com/spandx/spandx/compare/v0.17.0...v0.18.0
+[0.17.0]: https://github.com/spandx/spandx/compare/v0.16.1...v0.17.0
+[0.16.1]: https://github.com/spandx/spandx/compare/v0.16.0...v0.16.1
+[0.16.0]: https://github.com/spandx/spandx/compare/v0.15.1...v0.16.0
 [0.15.1]: https://github.com/spandx/spandx/compare/v0.15.0...v0.15.1
 [0.15.0]: https://github.com/spandx/spandx/compare/v0.14.0...v0.15.0
 [0.14.0]: https://github.com/spandx/spandx/compare/v0.13.5...v0.14.0

data/README.md

@@ -4,7 +4,7 @@
 
 # Spandx ![badge](https://github.com/spandx/spandx/workflows/ci/badge.svg)
 
-A ruby API for interacting with the https://spdx.org software license catalogue.
+A Ruby API for interacting with the https://spdx.org software license catalogue.
 This gem includes a command line interface to scan a software project for the
 software licenses that are associated with each dependency in the project.
 `spandx` leverages an offline cache of software licenses for known dependencies.
@@ -104,7 +104,7 @@ end
 
 ## Development
 
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `bin/cibuild` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `bin/test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
 
 To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 

data/lib/spandx.rb

@@ -11,6 +11,7 @@ require 'nokogiri'
 require 'oj'
 require 'parslet'
 require 'pathname'
+require 'sorted_set'
 require 'yaml'
 require 'zeitwerk'
 require 'spandx/spandx'
@@ -45,7 +46,7 @@ module Spandx
       @git ||= {
         cache: ::Spandx::Core::Git.new(url: 'https://github.com/spandx/cache.git'),
         rubygems: ::Spandx::Core::Git.new(url: 'https://github.com/spandx/rubygems-cache.git'),
-        spdx: ::Spandx::Core::Git.new(url: 'https://github.com/spdx/license-list-data.git'),
+        spdx: ::Spandx::Core::Git.new(url: 'https://github.com/spdx/license-list-data.git', default_branch: 'master'),
       }
     end
   end

data/lib/spandx/cli/commands/build.rb

@@ -5,10 +5,11 @@ module Spandx
     module Commands
       class Build
         INDEXES = {
+          dotnet: Spandx::Dotnet::Index,
           maven: Spandx::Java::Index,
           nuget: Spandx::Dotnet::Index,
-          dotnet: Spandx::Dotnet::Index,
           pypi: Spandx::Python::Index,
+          rubygems: Spandx::Ruby::Index,
         }.freeze
 
         def initialize(options)

data/lib/spandx/cli/commands/pull.rb

@@ -4,13 +4,20 @@ module Spandx
   module Cli
     module Commands
       class Pull
+        attr_reader :cache_dir, :rubygems_cache_dir
+
         def initialize(options)
           @options = options
+          @cache_dir = Spandx.git[:cache].root.join('.index')
+          @rubygems_cache_dir = Spandx.git[:rubygems].root.join('.index')
         end
 
         def execute(output: $stderr)
           sync(output)
           build(output, ::Spandx::Core::Dependency::PACKAGE_MANAGERS.values.uniq)
+          index_files_in(cache_dir, rubygems_cache_dir).each do |item|
+            output.puts item.to_s.gsub(Dir.home, '~')
+          end
           output.puts 'OK'
         end
 
@@ -25,14 +32,11 @@ module Spandx
         end
 
         def build(output, sources)
-          index_path = Spandx.git[:cache].root.join('.index')
-
-          with_spinner('Rebuilding index...', output: output) do
+          with_spinner('Building index...', output: output) do
             sources.each do |source|
-              Spandx::Core::Cache
-                .new(source, root: index_path)
-                .rebuild_index
+              Spandx::Core::Cache.new(source, root: cache_dir).rebuild_index
             end
+            Spandx::Core::Cache.new(:rubygems, root: rubygems_cache_dir).rebuild_index
           end
         end
 
@@ -41,9 +45,15 @@ module Spandx
           spinner.auto_spin
           yield
           spinner.success('(done)')
+        rescue StandardError => error
+          spinner.error("(#{error.message})")
         ensure
           spinner.stop
         end
+
+        def index_files_in(*dirs)
+          dirs.map { |x| x.glob('**/*.idx') }.flatten.sort
+        end
       end
     end
   end

data/lib/spandx/cli/main.rb

@@ -12,15 +12,11 @@ module Spandx
       method_option :pull, aliases: '-p', type: :boolean, desc: 'Pull the latest cache before the scan', default: false
       method_option :require, aliases: '-r', type: :string, desc: 'Causes spandx to load the library using require.', default: nil
       def scan(lockfile = Pathname.pwd)
-        if options[:help]
-          invoke :help, ['scan']
-        else
-          Oj.default_options = { mode: :strict }
-          Spandx.airgap = options[:airgap]
-          Spandx.logger = Logger.new(options[:logfile])
-          pull if options[:pull]
-          Spandx::Cli::Commands::Scan.new(lockfile, options).execute
-        end
+        return invoke :help, ['scan'] if options[:help]
+
+        prepare(options)
+        pull if options[:pull]
+        Spandx::Cli::Commands::Scan.new(lockfile, options).execute
       end
 
       desc 'pull', 'Pull the latest offline cache'
@@ -52,6 +48,14 @@ module Spandx
         puts "v#{Spandx::VERSION}"
       end
       map %w[--version -v] => :version
+
+      private
+
+      def prepare(options)
+        Oj.default_options = { mode: :strict }
+        Spandx.airgap = options[:airgap]
+        Spandx.logger = Logger.new(options[:logfile])
+      end
     end
   end
 end

data/lib/spandx/cli/printers/table.rb

@@ -8,7 +8,6 @@ module Spandx
 
         def initialize(output: $stderr)
           @spinner = TTY::Spinner.new('[:spinner] Scanning...', output: output, clear: true, format: :dots)
-          @spinner.auto_spin
         end
 
         def match?(format)
@@ -16,6 +15,7 @@ module Spandx
         end
 
         def print_header(_io)
+          @spinner.auto_spin
           @dependencies = SortedSet.new
         end
 

data/lib/spandx/core/data_file.rb

@@ -56,6 +56,10 @@ module Spandx
         @index ||= IndexFile.new(self)
       end
 
+      def to_s
+        absolute_path.to_s
+      end
+
       private
 
       def to_csv(array)

data/lib/spandx/core/git.rb

@@ -3,10 +3,11 @@
 module Spandx
   module Core
     class Git
-      attr_reader :root, :url
+      attr_reader :root, :url, :default_branch
 
-      def initialize(url:)
+      def initialize(url:, default_branch: 'main')
         @url = url
+        @default_branch = default_branch
         @root = path_for(url)
       end
 
@@ -31,14 +32,15 @@ module Spandx
         root.join('.git').directory?
       end
 
-      def clone!
+      def clone!(branch: default_branch)
         system('rm', '-rf', root.to_s) if root.exist?
-        system('git', 'clone', '--quiet', '--depth=1', '--single-branch', '--branch', 'master', url, root.to_s)
+        system('git', 'clone', '--quiet', '--depth=1', '--single-branch', '--branch', branch, url, root.to_s)
       end
 
-      def pull!
+      def pull!(remote: 'origin', branch: default_branch)
         Dir.chdir(root) do
-          system('git', 'pull', '--no-rebase', '--quiet', 'origin', 'master')
+          system('git', 'fetch', '--quiet', '--depth=1', '--prune', '--no-tags', remote)
+          system('git', 'checkout', '--quiet', branch)
         end
       end
     end

data/lib/spandx/ruby/gateway.rb

@@ -8,8 +8,21 @@ module Spandx
         @http = http
       end
 
+      def each
+        response = http.get('https://index.rubygems.org/versions')
+        return unless http.ok?(response)
+
+        parse_each_from(StringIO.new(response.body)) do |item|
+          yield item
+        end
+      end
+
       def licenses_for(dependency)
-        details_on(dependency.name, dependency.version)['licenses'] || []
+        licenses(dependency.name, dependency.version)
+      end
+
+      def licenses(name, version)
+        details_on(name, version)['licenses'] || []
       end
 
       def matches?(dependency)
@@ -20,6 +33,17 @@ module Spandx
 
       attr_reader :http
 
+      def parse_each_from(io)
+        _created_at = io.readline
+        _triple_dash = io.readline
+        until io.eof?
+          name, versions, _digest = io.readline.split(' ')
+          versions.split(',').each do |version|
+            yield({ name: name, version: version })
+          end
+        end
+      end
+
       def details_on(name, version)
         url = "https://rubygems.org/api/v2/rubygems/#{name}/versions/#{version}.json"
         response = http.get(url, default: {})

data/lib/spandx/ruby/index.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module Spandx
+  module Ruby
+    class Index
+      include Enumerable
+
+      attr_reader :directory, :name, :rubygems
+
+      def initialize(directory:)
+        @directory = directory
+        @name = 'rubygems'
+        @cache = ::Spandx::Core::Cache.new(@name, root: directory)
+        @rubygems = ::Spandx::Ruby::Gateway.new
+      end
+
+      def update!(*)
+        queue = Queue.new
+        [fetch(queue), save(queue)].each(&:join)
+        cache.rebuild_index
+      end
+
+      private
+
+      attr_reader :cache
+
+      def fetch(queue)
+        Thread.new do
+          rubygems.each do |item|
+            queue.enq(
+              item.merge(
+                licenses: rubygems.licenses(item[:name], item[:version])
+              )
+            )
+          end
+          queue.enq(:stop)
+        end
+      end
+
+      def save(queue)
+        Thread.new do
+          loop do
+            item = queue.deq
+            break if item == :stop
+
+            cache.insert(item[:name], item[:version], item[:licenses])
+          end
+        end
+      end
+    end
+  end
+end

data/lib/spandx/terraform/parsers/hcl.rb

@@ -0,0 +1,108 @@
+# frozen_string_literal: true
+
+module Spandx
+  module Terraform
+    module Parsers
+      class Hcl < Parslet::Parser
+        rule(:alpha) { match['a-zA-Z'] }
+        rule(:assign) { str('=') }
+        rule(:colon) { str(':') }
+        rule(:comma) { str(',') }
+        rule(:comment) { (str('#') | str('//')) >> ((str("\n") >> str("\r").maybe).absent? >> any).repeat >> eol }
+        rule(:crlf) { match('[\r\n]') }
+        rule(:digit) { match('\d') }
+        rule(:dot) { str('.') }
+        rule(:eol) { whitespace? >> crlf.repeat }
+        rule(:greater_than_or_equal_to) { str('>=') }
+        rule(:hyphen) { str('-') }
+        rule(:lbracket) { str('[') }
+        rule(:lcurly) { str('{') }
+        rule(:major) { number }
+        rule(:major_minor) { (number >> dot >> number) }
+        rule(:major_minor_patch) { number >> dot >> number >> dot >> number }
+        rule(:multiline_comment) { str('/*') >> (str('*/').absent? >> any).repeat >> str('*/') }
+        rule(:number) { digit.repeat }
+        rule(:plus) { str('+') }
+        rule(:pre_release) { hyphen >> (alpha | digit).repeat }
+        rule(:pre_release?) { pre_release.maybe }
+        rule(:quote) { str('"') }
+        rule(:rbracket) { str(']') }
+        rule(:rcurly) { str('}') }
+        rule(:slash) { str('/') }
+        rule(:space) { match('\s') }
+        rule(:tilda_wacka) { str('~>') }
+        rule(:version) { number >> dot >> number >> dot >> number >> pre_release? }
+        rule(:whitespace) { (multiline_comment | comment | space).repeat }
+        rule(:whitespace?) { whitespace.maybe }
+
+        rule(:pessimistic_version_constraint) do
+          tilda_wacka >> whitespace >> (
+            major_minor_patch |
+            major_minor |
+            major
+          )
+        end
+
+        rule(:greater_than_or_equal_to_version) do
+          greater_than_or_equal_to >> whitespace >> (
+            major_minor_patch |
+            major_minor |
+            major
+          )
+        end
+
+        rule(:version_constraint) do
+          pessimistic_version_constraint | greater_than_or_equal_to_version
+        end
+
+        rule :version_assignment do
+          str('version') >> whitespace >> assign >> whitespace >> quote >> version.as(:version) >> quote
+        end
+
+        rule :constraint_assignment do
+          str('constraints') >> whitespace >> assign >> whitespace >> quote >> version_constraint.as(:constraints) >> quote
+        end
+
+        rule :string do
+          quote >> (
+            digit | dot | alpha | str('~> ') | slash | colon | assign | plus
+          ).repeat(1).as(:value) >> quote
+        end
+
+        rule :array_item do
+          whitespace? >> string >> comma.maybe >> eol
+        end
+
+        rule :array do
+          lbracket >> eol >> array_item.repeat >> whitespace >> rbracket
+        end
+
+        rule :argument_value do
+          (array.as(:values) | string) >> eol
+        end
+
+        rule :argument do
+          whitespace >> alpha.repeat(1).as(:name) >> whitespace >> assign >> whitespace >> argument_value
+        end
+
+        rule :block_body do
+          lcurly >> crlf >> argument.repeat.as(:arguments) >> rcurly
+        end
+
+        rule :identifier do
+          whitespace >> quote >> (alpha | dot | slash).repeat(1).as(:name) >> quote >> whitespace
+        end
+
+        rule :block do
+          alpha.repeat(1).as(:type) >> identifier >> block_body
+        end
+
+        rule :blocks do
+          whitespace? >> (block >> eol.maybe).repeat(1).as(:blocks)
+        end
+
+        root(:blocks)
+      end
+    end
+  end
+end

data/lib/spandx/terraform/parsers/lock_file.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module Spandx
+  module Terraform
+    module Parsers
+      class LockFile < ::Spandx::Core::Parser
+        def initialize
+          @parser = Spandx::Terraform::Parsers::Hcl.new
+        end
+
+        def match?(pathname)
+          basename = pathname.basename
+          basename.fnmatch?('.terraform.lock.hcl')
+        end
+
+        def parse(path)
+          tree = @parser.parse(path.read)
+          tree[:blocks].map do |block|
+            version_arg = version_arg_from(block)
+            ::Spandx::Core::Dependency.new(
+              name: block[:name].to_s,
+              version: version_arg[:value]&.to_s,
+              path: path
+            )
+          end
+        end
+
+        private
+
+        def version_arg_from(block)
+          block[:arguments].find do |x|
+            x[:name] == 'version'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/spandx/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Spandx
-  VERSION = '0.15.1'
+  VERSION = '0.18.1'
 end

data/spandx.gemspec

@@ -18,7 +18,7 @@ Gem::Specification.new do |spec|
 
   spec.metadata['homepage_uri'] = spec.homepage
   spec.metadata['source_code_uri'] = 'https://github.com/spandx/spandx'
-  spec.metadata['changelog_uri'] = 'https://github.com/spandx/spandx/blob/master/CHANGELOG.md'
+  spec.metadata['changelog_uri'] = 'https://github.com/spandx/spandx/blob/main/CHANGELOG.md'
 
   spec.files = Dir.chdir(File.expand_path(__dir__)) do
     Dir.glob('exe/*') +
@@ -38,6 +38,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'nokogiri', '~> 1.10'
   spec.add_dependency 'oj', '~> 3.10'
   spec.add_dependency 'parslet', '~> 2.0'
+  spec.add_dependency 'sorted_set', '~> 1.0'
   spec.add_dependency 'terminal-table', '~> 1.8'
   spec.add_dependency 'thor'
   spec.add_dependency 'tty-spinner', '~> 0.9'

metadata

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: spandx
 version: !ruby/object:Gem::Version
-  version: 0.15.1
+  version: 0.18.1
 platform: ruby
 authors:
 - Can Eldem
 - mo khan
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-11-19 00:00:00.000000000 Z
+date: 2021-06-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable
@@ -101,6 +101,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: sorted_set
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: terminal-table
   requirement: !ruby/object:Gem::Requirement
@@ -413,12 +427,15 @@ files:
 - lib/spandx/python/pypi.rb
 - lib/spandx/python/source.rb
 - lib/spandx/ruby/gateway.rb
+- lib/spandx/ruby/index.rb
 - lib/spandx/ruby/parsers/gemfile_lock.rb
 - lib/spandx/spdx/catalogue.rb
 - lib/spandx/spdx/composite_license.rb
 - lib/spandx/spdx/expression.rb
 - lib/spandx/spdx/gateway.rb
 - lib/spandx/spdx/license.rb
+- lib/spandx/terraform/parsers/hcl.rb
+- lib/spandx/terraform/parsers/lock_file.rb
 - lib/spandx/version.rb
 - spandx.gemspec
 homepage: https://spandx.github.io/
@@ -427,8 +444,8 @@ licenses:
 metadata:
   homepage_uri: https://spandx.github.io/
   source_code_uri: https://github.com/spandx/spandx
-  changelog_uri: https://github.com/spandx/spandx/blob/master/CHANGELOG.md
-post_install_message: 
+  changelog_uri: https://github.com/spandx/spandx/blob/main/CHANGELOG.md
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -443,8 +460,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
-signing_key: 
+rubygems_version: 3.2.19
+signing_key:
 specification_version: 4
 summary: A ruby interface to the SPDX catalogue.
 test_files: []