spandx 0.16.0 → 0.18.2
- checksums.yaml +4 -4
- data/CHANGELOG.md +28 -2
- data/README.md +2 -2
- data/lib/spandx.rb +2 -0
- data/lib/spandx/cli/commands/build.rb +2 -1
- data/lib/spandx/cli/commands/scan.rb +0 -4
- data/lib/spandx/cli/main.rb +13 -9
- data/lib/spandx/cli/printers/table.rb +1 -1
- data/lib/spandx/core/dependency.rb +2 -0
- data/lib/spandx/ruby/gateway.rb +25 -1
- data/lib/spandx/ruby/index.rb +52 -0
- data/lib/spandx/terraform/parsers/lock_file.rb +38 -0
- data/lib/spandx/version.rb +1 -1
- data/spandx.gemspec +3 -1
- metadata +37 -7
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 28d95986ecfe3d8616d52256ecf28003eb4cc6c28e30a6733e9e4e1012cf5375
|
4
|
+
data.tar.gz: bd8f7c53dbfa43e13a2f1a4f54c7a2517e70f3e529b1792b18ce6ef9cc208091
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: b97733866a711008bebc338ff77e452696d5ae1f7c8b486fb13b08adc20c8fd2483cc288766920525057967889b3e42632abb0f6dd5cf03f273965ae27b0d1c8
|
7
|
+
data.tar.gz: fa296185eacf57b16c7f9b54cd9d1b19c8bfa524ce3de6b256b007a1c9d9cf41c51eb7c99e10331265d48b415c94119c1e2097f10764c2d4f420eb91762cf1f9
|
data/CHANGELOG.md
CHANGED
@@ -1,4 +1,4 @@
|
|
1
|
-
Version 0.
|
1
|
+
Version 0.18.2
|
2
2
|
|
3
3
|
# Changelog
|
4
4
|
|
@@ -9,6 +9,27 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
9
9
|
|
10
10
|
## [Unreleased]
|
11
11
|
|
12
|
+
## [0.18.2] - 2021-06-05
|
13
|
+
### Fixed
|
14
|
+
- fix(dpkg): detect package manager for related dependencies
|
15
|
+
- fix(terraform): detect package manager for related dependencies
|
16
|
+
|
17
|
+
## [0.18.1] - 2021-06-02
|
18
|
+
### Fixed
|
19
|
+
- Parse `.terraform.lock.hcl` files with multiple providers.
|
20
|
+
|
21
|
+
## [0.18.0] - 2021-05-10
|
22
|
+
### Added
|
23
|
+
- Add support for parsing `.terraform.lock.hcl` files.
|
24
|
+
|
25
|
+
## [0.17.0] - 2020-12-28
|
26
|
+
### Added
|
27
|
+
- Allow indexing gems from index.rubygems.org.
|
28
|
+
|
29
|
+
## [0.16.1] - 2020-11-19
|
30
|
+
### Fixed
|
31
|
+
- Start spinner for table printer only
|
32
|
+
|
12
33
|
## [0.16.0] - 2020-11-19
|
13
34
|
### Changed
|
14
35
|
- Pull smaller license cache.
|
@@ -216,7 +237,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
216
237
|
### Added
|
217
238
|
- Provide ruby API to the latest SPDX catalogue.
|
218
239
|
|
219
|
-
[Unreleased]: https://github.com/spandx/spandx/compare/v0.
|
240
|
+
[Unreleased]: https://github.com/spandx/spandx/compare/v0.18.2...HEAD
|
241
|
+
[0.18.2]: https://github.com/spandx/spandx/compare/v0.18.1...v0.18.2
|
242
|
+
[0.18.1]: https://github.com/spandx/spandx/compare/v0.18.0...v0.18.1
|
243
|
+
[0.18.0]: https://github.com/spandx/spandx/compare/v0.17.0...v0.18.0
|
244
|
+
[0.17.0]: https://github.com/spandx/spandx/compare/v0.16.1...v0.17.0
|
245
|
+
[0.16.1]: https://github.com/spandx/spandx/compare/v0.16.0...v0.16.1
|
220
246
|
[0.16.0]: https://github.com/spandx/spandx/compare/v0.15.1...v0.16.0
|
221
247
|
[0.15.1]: https://github.com/spandx/spandx/compare/v0.15.0...v0.15.1
|
222
248
|
[0.15.0]: https://github.com/spandx/spandx/compare/v0.14.0...v0.15.0
|
data/README.md
CHANGED
@@ -4,7 +4,7 @@
|
|
4
4
|
|
5
5
|
# Spandx ![badge](https://github.com/spandx/spandx/workflows/ci/badge.svg)
|
6
6
|
|
7
|
-
A
|
7
|
+
A Ruby API for interacting with the https://spdx.org software license catalogue.
|
8
8
|
This gem includes a command line interface to scan a software project for the
|
9
9
|
software licenses that are associated with each dependency in the project.
|
10
10
|
`spandx` leverages an offline cache of software licenses for known dependencies.
|
@@ -104,7 +104,7 @@ end
|
|
104
104
|
|
105
105
|
## Development
|
106
106
|
|
107
|
-
After checking out the repo, run `bin/setup` to install dependencies. Then, run `bin/
|
107
|
+
After checking out the repo, run `bin/setup` to install dependencies. Then, run `bin/test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
|
108
108
|
|
109
109
|
To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
|
110
110
|
|
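--- a/data/lib/spandx.rb
+++ b/data/lib/spandx.rb
@@ -4,6 +4,7 @@ require 'addressable/uri'
 require 'bundler'
 require 'csv'
 require 'forwardable'
+require 'hcl2'
 require 'json'
 require 'logger'
 require 'net/hippie'
@@ -11,6 +12,7 @@ require 'nokogiri'
 require 'oj'
 require 'parslet'
 require 'pathname'
+require 'sorted_set'
 require 'yaml'
 require 'zeitwerk'
 require 'spandx/spandx'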
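--- a/data/lib/spandx/cli/commands/build.rb
+++ b/data/lib/spandx/cli/commands/build.rb
@@ -5,10 +5,11 @@ module Spandx
     module Commands
       class Build
         INDEXES = {
+          dotnet: Spandx::Dotnet::Index,
           maven: Spandx::Java::Index,
           nuget: Spandx::Dotnet::Index,
-          dotnet: Spandx::Dotnet::Index,
           pypi: Spandx::Python::Index,
+          rubygems: Spandx::Ruby::Index,
         }.freeze
 
         def initialize(options)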
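--- a/data/lib/spandx/cli/main.rb
+++ b/data/lib/spandx/cli/main.rb
@@ -12,15 +12,11 @@ module Spandx
       method_option :pull, aliases: '-p', type: :boolean, desc: 'Pull the latest cache before the scan', default: false
       method_option :require, aliases: '-r', type: :string, desc: 'Causes spandx to load the library using require.', default: nil
       def scan(lockfile = Pathname.pwd)
-        if options[:help]
-
-
-
-
-        Spandx.logger = Logger.new(options[:logfile])
-        pull if options[:pull]
-        Spandx::Cli::Commands::Scan.new(lockfile, options).execute
-        end
+        return invoke :help, ['scan'] if options[:help]
+
+        prepare(options)
+        pull if options[:pull]
+        Spandx::Cli::Commands::Scan.new(lockfile, options).execute
       end
 
       desc 'pull', 'Pull the latest offline cache'
@@ -52,6 +48,14 @@ module Spandx
         puts "v#{Spandx::VERSION}"
       end
       map %w[--version -v] => :version
+
+      private
+
+      def prepare(options)
+        Oj.default_options = { mode: :strict }
+        Spandx.airgap = options[:airgap]
+        Spandx.logger = Logger.new(options[:logfile])
+      end
     end
   end
 end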
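Review bot: `prepare` mutates process-wide state — `Oj.default_options = { mode: :strict }` changes JSON decoding for every Oj caller in the host process, not only spandx — yet in this hunk it is invoked only from `scan`; `pull` is declared just below with its body outside the hunk, so whether it also gets the logger and airgap setup cannot be confirmed here. A comment above the method recording that intent would help, e.g. `# Process-wide setup run before a command: strict JSON decoding, airgap flag, logger.`. `options[:airgap]` has no `method_option` among the visible lines; if it is not declared elsewhere in the class the assignment is always nil, which is worth checking.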
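--- a/data/lib/spandx/cli/printers/table.rb
+++ b/data/lib/spandx/cli/printers/table.rb
@@ -8,7 +8,6 @@ module Spandx
 
       def initialize(output: $stderr)
         @spinner = TTY::Spinner.new('[:spinner] Scanning...', output: output, clear: true, format: :dots)
-        @spinner.auto_spin
       end
 
       def match?(format)
@@ -16,6 +15,7 @@ module Spandx
       end
 
       def print_header(_io)
+        @spinner.auto_spin
         @dependencies = SortedSet.new
       end
 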
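--- a/data/lib/spandx/core/dependency.rb
+++ b/data/lib/spandx/core/dependency.rb
@@ -14,6 +14,8 @@ module Spandx
         Spandx::Python::Parsers::PipfileLock => :pypi,
         Spandx::Ruby::Parsers::GemfileLock => :rubygems,
         Spandx::Os::Parsers::Apk => :apk,
+        Spandx::Os::Parsers::Dpkg => :dpkg,
+        Spandx::Terraform::Parsers::LockFile => :terraform,
       }.freeze
       attr_reader :path, :name, :version, :licenses, :meta
 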
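--- a/data/lib/spandx/ruby/gateway.rb
+++ b/data/lib/spandx/ruby/gateway.rb
@@ -8,8 +8,21 @@ module Spandx
         @http = http
       end
 
+      def each
+        response = http.get('https://index.rubygems.org/versions')
+        return unless http.ok?(response)
+
+        parse_each_from(StringIO.new(response.body)) do |item|
+          yield item
+        end
+      end
+
       def licenses_for(dependency)
-
+        licenses(dependency.name, dependency.version)
+      end
+
+      def licenses(name, version)
+        details_on(name, version)['licenses'] || []
       end
 
       def matches?(dependency)
@@ -20,6 +33,17 @@ module Spandx
 
       attr_reader :http
 
+      def parse_each_from(io)
+        _created_at = io.readline
+        _triple_dash = io.readline
+        until io.eof?
+          name, versions, _digest = io.readline.split(' ')
+          versions.split(',').each do |version|
+            yield({ name: name, version: version })
+          end
+        end
+      end
+
       def details_on(name, version)
         url = "https://rubygems.org/api/v2/rubygems/#{name}/versions/#{version}.json"
         response = http.get(url, default: {})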
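Review bot: `parse_each_from` assumes every line after the two header reads has a second whitespace-separated field; a blank or truncated line leaves `versions` nil and `versions.split` raises NoMethodError, aborting the whole index walk partway through the stream. A guard after the split, `next if versions.nil? || versions.empty?`, keeps one malformed line from taking down the rest. `each` calls `yield` unconditionally, so a caller without a block gets a LocalJumpError; `return enum_for(:each) unless block_given?` as its first line would follow the usual enumerator convention. It also reads the entire versions payload into memory via `StringIO.new(response.body)` before iterating, which is worth a one-line comment since the response is the complete rubygems version list.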
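--- a/data/lib/spandx/ruby/index.rb
+++ b/data/lib/spandx/ruby/index.rb
@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module Spandx
+  module Ruby
+    class Index
+      include Enumerable
+
+      attr_reader :directory, :name, :rubygems
+
+      def initialize(directory:)
+        @directory = directory
+        @name = 'rubygems'
+        @cache = ::Spandx::Core::Cache.new(@name, root: directory)
+        @rubygems = ::Spandx::Ruby::Gateway.new
+      end
+
+      def update!(*)
+        queue = Queue.new
+        [fetch(queue), save(queue)].each(&:join)
+        cache.rebuild_index
+      end
+
+      private
+
+      attr_reader :cache
+
+      def fetch(queue)
+        Thread.new do
+          rubygems.each do |item|
+            queue.enq(
+              item.merge(
+                licenses: rubygems.licenses(item[:name], item[:version])
+              )
+            )
+          end
+          queue.enq(:stop)
+        end
+      end
+
+      def save(queue)
+        Thread.new do
+          loop do
+            item = queue.deq
+            break if item == :stop
+
+            cache.insert(item[:name], item[:version], item[:licenses])
+          end
+        end
+      end
+    end
+  end
+end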
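Review bot: In `fetch` the `:stop` sentinel is enqueued only when the whole walk succeeds; if `rubygems.each` or `rubygems.licenses` raises, the producer thread dies without it, `save` blocks on `queue.deq` indefinitely, and `update!` either hangs or — because `fetch` is joined first and re-raises — propagates the error while leaving the consumer thread running. Moving the sentinel into an `ensure` on the thread block covers both paths: `rubygems.each do |item| … end` / `ensure` / `queue.enq(:stop)` inside `Thread.new do … end`, which is valid on the `>= 2.6.0` Ruby this release requires. `save` itself then stops cleanly on the sentinel as it does today. A short comment on `update!` noting that `licenses` issues one HTTP request per version (see the `details_on` call in gateway.rb) would set expectations for how long a full rebuild takes.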
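--- a/data/lib/spandx/terraform/parsers/lock_file.rb
+++ b/data/lib/spandx/terraform/parsers/lock_file.rb
@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module Spandx
+  module Terraform
+    module Parsers
+      class LockFile < ::Spandx::Core::Parser
+        def initialize
+          @parser = Hcl2::Parser.new
+        end
+
+        def match?(pathname)
+          basename = pathname.basename
+          basename.fnmatch?('.terraform.lock.hcl')
+        end
+
+        def parse(path)
+          tree = @parser.parse(path.read)
+          tree[:blocks].map do |block|
+            version_arg = version_arg_from(block)
+            ::Spandx::Core::Dependency.new(
+              name: block[:name].to_s,
+              version: version_arg[:value]&.to_s,
+              path: path
+            )
+          end
+        end
+
+        private
+
+        def version_arg_from(block)
+          block[:arguments].find do |x|
+            x[:name] == 'version'
+          end
+        end
+      end
+    end
+  end
+end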
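Review bot: `parse` dereferences `version_arg[:value]` without guarding `version_arg`, so a block that carries no `version` argument (which `version_arg_from` returns as nil) raises NoMethodError and aborts parsing of the whole lock file; `version_arg = version_arg_from(block) || {}` keeps the existing `&.to_s` working and yields a nil version for such blocks. Whether `tree[:blocks]` or `block[:arguments]` can also be nil depends on the hcl2 gem's output shape, which is not visible here; if they can, the same `|| []` treatment applies. The method maps every block the parser returns, so it relies on the lock file containing only provider blocks — worth stating in a comment above `parse`. Any error `@parser.parse` raises on a malformed file propagates out of `parse` unhandled; whether a caller of `Core::Parser` rescues it is outside this hunk.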
data/lib/spandx/version.rb
CHANGED
data/spandx.gemspec
CHANGED
@@ -14,7 +14,7 @@ Gem::Specification.new do |spec|
|
|
14
14
|
spec.description = 'Spanx is a ruby API for interacting with the spdx.org software license catalogue. This gem includes a command line interface to scan a software project for the software licenses that are associated with each dependency in the project. Spandx also allows you to hook additional information for each dependency found. For instance, you can add plugin to Spandx to find and report vulnerabilities for the dependencies it found.'
|
15
15
|
spec.homepage = 'https://spandx.github.io/'
|
16
16
|
spec.license = 'MIT'
|
17
|
-
spec.required_ruby_version = Gem::Requirement.new('>= 2.
|
17
|
+
spec.required_ruby_version = Gem::Requirement.new('>= 2.6.0')
|
18
18
|
|
19
19
|
spec.metadata['homepage_uri'] = spec.homepage
|
20
20
|
spec.metadata['source_code_uri'] = 'https://github.com/spandx/spandx'
|
@@ -34,10 +34,12 @@ Gem::Specification.new do |spec|
|
|
34
34
|
|
35
35
|
spec.add_dependency 'addressable', '~> 2.7'
|
36
36
|
spec.add_dependency 'bundler', '>= 1.16', '< 3.0.0'
|
37
|
+
spec.add_dependency 'hcl2', '~> 0.1'
|
37
38
|
spec.add_dependency 'net-hippie', '~> 1.0'
|
38
39
|
spec.add_dependency 'nokogiri', '~> 1.10'
|
39
40
|
spec.add_dependency 'oj', '~> 3.10'
|
40
41
|
spec.add_dependency 'parslet', '~> 2.0'
|
42
|
+
spec.add_dependency 'sorted_set', '~> 1.0'
|
41
43
|
spec.add_dependency 'terminal-table', '~> 1.8'
|
42
44
|
spec.add_dependency 'thor'
|
43
45
|
spec.add_dependency 'tty-spinner', '~> 0.9'
|
metadata
CHANGED
@@ -1,15 +1,15 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: spandx
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.18.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Can Eldem
|
8
8
|
- mo khan
|
9
|
-
autorequire:
|
9
|
+
autorequire:
|
10
10
|
bindir: exe
|
11
11
|
cert_chain: []
|
12
|
-
date:
|
12
|
+
date: 2021-06-05 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: addressable
|
@@ -45,6 +45,20 @@ dependencies:
|
|
45
45
|
- - "<"
|
46
46
|
- !ruby/object:Gem::Version
|
47
47
|
version: 3.0.0
|
48
|
+
- !ruby/object:Gem::Dependency
|
49
|
+
name: hcl2
|
50
|
+
requirement: !ruby/object:Gem::Requirement
|
51
|
+
requirements:
|
52
|
+
- - "~>"
|
53
|
+
- !ruby/object:Gem::Version
|
54
|
+
version: '0.1'
|
55
|
+
type: :runtime
|
56
|
+
prerelease: false
|
57
|
+
version_requirements: !ruby/object:Gem::Requirement
|
58
|
+
requirements:
|
59
|
+
- - "~>"
|
60
|
+
- !ruby/object:Gem::Version
|
61
|
+
version: '0.1'
|
48
62
|
- !ruby/object:Gem::Dependency
|
49
63
|
name: net-hippie
|
50
64
|
requirement: !ruby/object:Gem::Requirement
|
@@ -101,6 +115,20 @@ dependencies:
|
|
101
115
|
- - "~>"
|
102
116
|
- !ruby/object:Gem::Version
|
103
117
|
version: '2.0'
|
118
|
+
- !ruby/object:Gem::Dependency
|
119
|
+
name: sorted_set
|
120
|
+
requirement: !ruby/object:Gem::Requirement
|
121
|
+
requirements:
|
122
|
+
- - "~>"
|
123
|
+
- !ruby/object:Gem::Version
|
124
|
+
version: '1.0'
|
125
|
+
type: :runtime
|
126
|
+
prerelease: false
|
127
|
+
version_requirements: !ruby/object:Gem::Requirement
|
128
|
+
requirements:
|
129
|
+
- - "~>"
|
130
|
+
- !ruby/object:Gem::Version
|
131
|
+
version: '1.0'
|
104
132
|
- !ruby/object:Gem::Dependency
|
105
133
|
name: terminal-table
|
106
134
|
requirement: !ruby/object:Gem::Requirement
|
@@ -413,12 +441,14 @@ files:
|
|
413
441
|
- lib/spandx/python/pypi.rb
|
414
442
|
- lib/spandx/python/source.rb
|
415
443
|
- lib/spandx/ruby/gateway.rb
|
444
|
+
- lib/spandx/ruby/index.rb
|
416
445
|
- lib/spandx/ruby/parsers/gemfile_lock.rb
|
417
446
|
- lib/spandx/spdx/catalogue.rb
|
418
447
|
- lib/spandx/spdx/composite_license.rb
|
419
448
|
- lib/spandx/spdx/expression.rb
|
420
449
|
- lib/spandx/spdx/gateway.rb
|
421
450
|
- lib/spandx/spdx/license.rb
|
451
|
+
- lib/spandx/terraform/parsers/lock_file.rb
|
422
452
|
- lib/spandx/version.rb
|
423
453
|
- spandx.gemspec
|
424
454
|
homepage: https://spandx.github.io/
|
@@ -428,7 +458,7 @@ metadata:
|
|
428
458
|
homepage_uri: https://spandx.github.io/
|
429
459
|
source_code_uri: https://github.com/spandx/spandx
|
430
460
|
changelog_uri: https://github.com/spandx/spandx/blob/main/CHANGELOG.md
|
431
|
-
post_install_message:
|
461
|
+
post_install_message:
|
432
462
|
rdoc_options: []
|
433
463
|
require_paths:
|
434
464
|
- lib
|
@@ -436,15 +466,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
436
466
|
requirements:
|
437
467
|
- - ">="
|
438
468
|
- !ruby/object:Gem::Version
|
439
|
-
version: 2.
|
469
|
+
version: 2.6.0
|
440
470
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
441
471
|
requirements:
|
442
472
|
- - ">="
|
443
473
|
- !ruby/object:Gem::Version
|
444
474
|
version: '0'
|
445
475
|
requirements: []
|
446
|
-
rubygems_version: 3.
|
447
|
-
signing_key:
|
476
|
+
rubygems_version: 3.2.19
|
477
|
+
signing_key:
|
448
478
|
specification_version: 4
|
449
479
|
summary: A ruby interface to the SPDX catalogue.
|
450
480
|
test_files: []
|