spandx 0.16.0 → 0.18.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 252cdcff5bb25e6699751e6f842159e46a1a19485e889dca067d2120063bd11b
-  data.tar.gz: 4a1c66430fd54d64d8fa18a4a015dbe49d94454bd2800369d384b09e1c5fc984
+  metadata.gz: 28d95986ecfe3d8616d52256ecf28003eb4cc6c28e30a6733e9e4e1012cf5375
+  data.tar.gz: bd8f7c53dbfa43e13a2f1a4f54c7a2517e70f3e529b1792b18ce6ef9cc208091
 SHA512:
-  metadata.gz: 3699f961272816332c5c1ec0ab97fc5f769cfeafc80d8058bb03671f8f3eaee89a3ac831ba8c40304e5d63a59c37436ca30472da4eec8bf69496f3875fb793ee
-  data.tar.gz: 8b06322b0d3103eadd726a77cf8dfd43759c94d67c628710e50247946112dba479bd0f317c45639f2bf99aed083c665edde36f0c06e2860dc97c6afe1f08cb1d
+  metadata.gz: b97733866a711008bebc338ff77e452696d5ae1f7c8b486fb13b08adc20c8fd2483cc288766920525057967889b3e42632abb0f6dd5cf03f273965ae27b0d1c8
+  data.tar.gz: fa296185eacf57b16c7f9b54cd9d1b19c8bfa524ce3de6b256b007a1c9d9cf41c51eb7c99e10331265d48b415c94119c1e2097f10764c2d4f420eb91762cf1f9

data/CHANGELOG.md

@@ -1,4 +1,4 @@
-Version 0.16.0
+Version 0.18.2
 
 # Changelog
 
@@ -9,6 +9,27 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.18.2] - 2021-06-05
+### Fixed
+- fix(dpkg): detect package manager for related dependencies
+- fix(terraform): detect package manager for related dependencies
+
+## [0.18.1] - 2021-06-02
+### Fixed
+- Parse `.terraform.lock.hcl` files with multiple providers.
+
+## [0.18.0] - 2021-05-10
+### Added
+- Add support for parsing `.terraform.lock.hcl` files.
+
+## [0.17.0] - 2020-12-28
+### Added
+- Allow indexing gems from index.rubygems.org.
+
+## [0.16.1] - 2020-11-19
+### Fixed
+- Start spinner for table printer only
+
 ## [0.16.0] - 2020-11-19
 ### Changed
 - Pull smaller license cache.
@@ -216,7 +237,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Provide ruby API to the latest SPDX catalogue.
 
-[Unreleased]: https://github.com/spandx/spandx/compare/v0.16.0...HEAD
+[Unreleased]: https://github.com/spandx/spandx/compare/v0.18.2...HEAD
+[0.18.2]: https://github.com/spandx/spandx/compare/v0.18.1...v0.18.2
+[0.18.1]: https://github.com/spandx/spandx/compare/v0.18.0...v0.18.1
+[0.18.0]: https://github.com/spandx/spandx/compare/v0.17.0...v0.18.0
+[0.17.0]: https://github.com/spandx/spandx/compare/v0.16.1...v0.17.0
+[0.16.1]: https://github.com/spandx/spandx/compare/v0.16.0...v0.16.1
 [0.16.0]: https://github.com/spandx/spandx/compare/v0.15.1...v0.16.0
 [0.15.1]: https://github.com/spandx/spandx/compare/v0.15.0...v0.15.1
 [0.15.0]: https://github.com/spandx/spandx/compare/v0.14.0...v0.15.0

data/README.md

@@ -4,7 +4,7 @@
 
 # Spandx ![badge](https://github.com/spandx/spandx/workflows/ci/badge.svg)
 
-A ruby API for interacting with the https://spdx.org software license catalogue.
+A Ruby API for interacting with the https://spdx.org software license catalogue.
 This gem includes a command line interface to scan a software project for the
 software licenses that are associated with each dependency in the project.
 `spandx` leverages an offline cache of software licenses for known dependencies.
@@ -104,7 +104,7 @@ end
 
 ## Development
 
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `bin/cibuild` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `bin/test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
 
 To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 

data/lib/spandx.rb

@@ -4,6 +4,7 @@ require 'addressable/uri'
 require 'bundler'
 require 'csv'
 require 'forwardable'
+require 'hcl2'
 require 'json'
 require 'logger'
 require 'net/hippie'
@@ -11,6 +12,7 @@ require 'nokogiri'
 require 'oj'
 require 'parslet'
 require 'pathname'
+require 'sorted_set'
 require 'yaml'
 require 'zeitwerk'
 require 'spandx/spandx'

data/lib/spandx/cli/commands/build.rb

@@ -5,10 +5,11 @@ module Spandx
     module Commands
       class Build
         INDEXES = {
+          dotnet: Spandx::Dotnet::Index,
           maven: Spandx::Java::Index,
           nuget: Spandx::Dotnet::Index,
-          dotnet: Spandx::Dotnet::Index,
           pypi: Spandx::Python::Index,
+          rubygems: Spandx::Ruby::Index,
         }.freeze
 
         def initialize(options)

data/lib/spandx/cli/commands/scan.rb

@@ -37,10 +37,6 @@ module Spandx
           end
         end
 
-        def format(output)
-          Array(output).map(&:to_s)
-        end
-
         def with_printer(output)
           printer = ::Spandx::Cli::Printer.for(@options[:format])
           printer.print_header(output)

data/lib/spandx/cli/main.rb

@@ -12,15 +12,11 @@ module Spandx
       method_option :pull, aliases: '-p', type: :boolean, desc: 'Pull the latest cache before the scan', default: false
       method_option :require, aliases: '-r', type: :string, desc: 'Causes spandx to load the library using require.', default: nil
       def scan(lockfile = Pathname.pwd)
-        if options[:help]
-          invoke :help, ['scan']
-        else
-          Oj.default_options = { mode: :strict }
-          Spandx.airgap = options[:airgap]
-          Spandx.logger = Logger.new(options[:logfile])
-          pull if options[:pull]
-          Spandx::Cli::Commands::Scan.new(lockfile, options).execute
-        end
+        return invoke :help, ['scan'] if options[:help]
+
+        prepare(options)
+        pull if options[:pull]
+        Spandx::Cli::Commands::Scan.new(lockfile, options).execute
       end
 
       desc 'pull', 'Pull the latest offline cache'
@@ -52,6 +48,14 @@ module Spandx
         puts "v#{Spandx::VERSION}"
       end
       map %w[--version -v] => :version
+
+      private
+
+      def prepare(options)
+        Oj.default_options = { mode: :strict }
+        Spandx.airgap = options[:airgap]
+        Spandx.logger = Logger.new(options[:logfile])
+      end
     end
   end
 end

data/lib/spandx/cli/printers/table.rb

@@ -8,7 +8,6 @@ module Spandx
 
         def initialize(output: $stderr)
           @spinner = TTY::Spinner.new('[:spinner] Scanning...', output: output, clear: true, format: :dots)
-          @spinner.auto_spin
         end
 
         def match?(format)
@@ -16,6 +15,7 @@ module Spandx
         end
 
         def print_header(_io)
+          @spinner.auto_spin
           @dependencies = SortedSet.new
         end
 

data/lib/spandx/core/dependency.rb

@@ -14,6 +14,8 @@ module Spandx
         Spandx::Python::Parsers::PipfileLock => :pypi,
         Spandx::Ruby::Parsers::GemfileLock => :rubygems,
         Spandx::Os::Parsers::Apk => :apk,
+        Spandx::Os::Parsers::Dpkg => :dpkg,
+        Spandx::Terraform::Parsers::LockFile => :terraform,
       }.freeze
       attr_reader :path, :name, :version, :licenses, :meta
 

data/lib/spandx/ruby/gateway.rb

@@ -8,8 +8,21 @@ module Spandx
         @http = http
       end
 
+      def each
+        response = http.get('https://index.rubygems.org/versions')
+        return unless http.ok?(response)
+
+        parse_each_from(StringIO.new(response.body)) do |item|
+          yield item
+        end
+      end
+
       def licenses_for(dependency)
-        details_on(dependency.name, dependency.version)['licenses'] || []
+        licenses(dependency.name, dependency.version)
+      end
+
+      def licenses(name, version)
+        details_on(name, version)['licenses'] || []
       end
 
       def matches?(dependency)
@@ -20,6 +33,17 @@ module Spandx
 
       attr_reader :http
 
+      def parse_each_from(io)
+        _created_at = io.readline
+        _triple_dash = io.readline
+        until io.eof?
+          name, versions, _digest = io.readline.split(' ')
+          versions.split(',').each do |version|
+            yield({ name: name, version: version })
+          end
+        end
+      end
+
       def details_on(name, version)
         url = "https://rubygems.org/api/v2/rubygems/#{name}/versions/#{version}.json"
         response = http.get(url, default: {})

data/lib/spandx/ruby/index.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module Spandx
+  module Ruby
+    class Index
+      include Enumerable
+
+      attr_reader :directory, :name, :rubygems
+
+      def initialize(directory:)
+        @directory = directory
+        @name = 'rubygems'
+        @cache = ::Spandx::Core::Cache.new(@name, root: directory)
+        @rubygems = ::Spandx::Ruby::Gateway.new
+      end
+
+      def update!(*)
+        queue = Queue.new
+        [fetch(queue), save(queue)].each(&:join)
+        cache.rebuild_index
+      end
+
+      private
+
+      attr_reader :cache
+
+      def fetch(queue)
+        Thread.new do
+          rubygems.each do |item|
+            queue.enq(
+              item.merge(
+                licenses: rubygems.licenses(item[:name], item[:version])
+              )
+            )
+          end
+          queue.enq(:stop)
+        end
+      end
+
+      def save(queue)
+        Thread.new do
+          loop do
+            item = queue.deq
+            break if item == :stop
+
+            cache.insert(item[:name], item[:version], item[:licenses])
+          end
+        end
+      end
+    end
+  end
+end

data/lib/spandx/terraform/parsers/lock_file.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module Spandx
+  module Terraform
+    module Parsers
+      class LockFile < ::Spandx::Core::Parser
+        def initialize
+          @parser = Hcl2::Parser.new
+        end
+
+        def match?(pathname)
+          basename = pathname.basename
+          basename.fnmatch?('.terraform.lock.hcl')
+        end
+
+        def parse(path)
+          tree = @parser.parse(path.read)
+          tree[:blocks].map do |block|
+            version_arg = version_arg_from(block)
+            ::Spandx::Core::Dependency.new(
+              name: block[:name].to_s,
+              version: version_arg[:value]&.to_s,
+              path: path
+            )
+          end
+        end
+
+        private
+
+        def version_arg_from(block)
+          block[:arguments].find do |x|
+            x[:name] == 'version'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/spandx/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Spandx
-  VERSION = '0.16.0'
+  VERSION = '0.18.2'
 end

data/spandx.gemspec

@@ -14,7 +14,7 @@ Gem::Specification.new do |spec|
   spec.description   = 'Spanx is a ruby API for interacting with the spdx.org software license catalogue. This gem includes a command line interface to scan a software project for the software licenses that are associated with each dependency in the project. Spandx also allows you to hook additional information for each dependency found. For instance, you can add plugin to Spandx to find and report vulnerabilities for the dependencies it found.'
   spec.homepage      = 'https://spandx.github.io/'
   spec.license       = 'MIT'
-  spec.required_ruby_version = Gem::Requirement.new('>= 2.5.0')
+  spec.required_ruby_version = Gem::Requirement.new('>= 2.6.0')
 
   spec.metadata['homepage_uri'] = spec.homepage
   spec.metadata['source_code_uri'] = 'https://github.com/spandx/spandx'
@@ -34,10 +34,12 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency 'addressable', '~> 2.7'
   spec.add_dependency 'bundler', '>= 1.16', '< 3.0.0'
+  spec.add_dependency 'hcl2', '~> 0.1'
   spec.add_dependency 'net-hippie', '~> 1.0'
   spec.add_dependency 'nokogiri', '~> 1.10'
   spec.add_dependency 'oj', '~> 3.10'
   spec.add_dependency 'parslet', '~> 2.0'
+  spec.add_dependency 'sorted_set', '~> 1.0'
   spec.add_dependency 'terminal-table', '~> 1.8'
   spec.add_dependency 'thor'
   spec.add_dependency 'tty-spinner', '~> 0.9'

metadata

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: spandx
 version: !ruby/object:Gem::Version
-  version: 0.16.0
+  version: 0.18.2
 platform: ruby
 authors:
 - Can Eldem
 - mo khan
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-11-19 00:00:00.000000000 Z
+date: 2021-06-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable
@@ -45,6 +45,20 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: 3.0.0
+- !ruby/object:Gem::Dependency
+  name: hcl2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
 - !ruby/object:Gem::Dependency
   name: net-hippie
   requirement: !ruby/object:Gem::Requirement
@@ -101,6 +115,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: sorted_set
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: terminal-table
   requirement: !ruby/object:Gem::Requirement
@@ -413,12 +441,14 @@ files:
 - lib/spandx/python/pypi.rb
 - lib/spandx/python/source.rb
 - lib/spandx/ruby/gateway.rb
+- lib/spandx/ruby/index.rb
 - lib/spandx/ruby/parsers/gemfile_lock.rb
 - lib/spandx/spdx/catalogue.rb
 - lib/spandx/spdx/composite_license.rb
 - lib/spandx/spdx/expression.rb
 - lib/spandx/spdx/gateway.rb
 - lib/spandx/spdx/license.rb
+- lib/spandx/terraform/parsers/lock_file.rb
 - lib/spandx/version.rb
 - spandx.gemspec
 homepage: https://spandx.github.io/
@@ -428,7 +458,7 @@ metadata:
   homepage_uri: https://spandx.github.io/
   source_code_uri: https://github.com/spandx/spandx
   changelog_uri: https://github.com/spandx/spandx/blob/main/CHANGELOG.md
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -436,15 +466,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.5.0
+      version: 2.6.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
-signing_key: 
+rubygems_version: 3.2.19
+signing_key:
 specification_version: 4
 summary: A ruby interface to the SPDX catalogue.
 test_files: []