spandx 0.17.0 → 0.18.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +23 -2
- data/README.md +2 -2
- data/lib/spandx/cli/commands/scan.rb +0 -4
- data/lib/spandx/core/dependency.rb +2 -0
- data/lib/spandx/spdx/catalogue.rb +2 -1
- data/lib/spandx/terraform/parsers/lock_file.rb +38 -0
- data/lib/spandx/version.rb +1 -1
- data/lib/spandx.rb +1 -0
- data/spandx.gemspec +3 -2
- metadata +23 -8
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 81626f66bcff1fbe9a38a489f72e0f00bbd355f91ed43582e563a04089016e83
|
|
4
|
+
data.tar.gz: b5ed156f7c0b5f9972d2e8e564dd37666f1fa8acf5c26ae4192db2a4d6d68c2e
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: e81245600853fa6677deedd50ece29463a50736c44cb4503391e8777b31f3493c4d9405cc33bde47538d2f991befea153abdefe0b9cfe04954f0c73277c70005
|
|
7
|
+
data.tar.gz: 190c97f3ab8e9431a5ca52ffd4dfb524f6438997a8912288c8abd821e220dfbda149fe1107f0f63b6e8e5bff6258a312800654764073e1c929182175bc89a27c
|
data/CHANGELOG.md
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
Version 0.
|
|
1
|
+
Version 0.18.3
|
|
2
2
|
|
|
3
3
|
# Changelog
|
|
4
4
|
|
|
@@ -8,6 +8,23 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
|
|
8
8
|
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
9
9
|
|
|
10
10
|
## [Unreleased]
|
|
11
|
+
|
|
12
|
+
## [0.18.3] - 2021-12-15
|
|
13
|
+
- fix(spdx): fallback to online catalogue when local catalogue is not available.
|
|
14
|
+
|
|
15
|
+
## [0.18.2] - 2021-06-05
|
|
16
|
+
### Fixed
|
|
17
|
+
- fix(dpkg): detect package manager for related dependencies
|
|
18
|
+
- fix(terraform): detect package manager for related dependencies
|
|
19
|
+
|
|
20
|
+
## [0.18.1] - 2021-06-02
|
|
21
|
+
### Fixed
|
|
22
|
+
- Parse `.terraform.lock.hcl` files with multiple providers.
|
|
23
|
+
|
|
24
|
+
## [0.18.0] - 2021-05-10
|
|
25
|
+
### Added
|
|
26
|
+
- Add support for parsing `.terraform.lock.hcl` files.
|
|
27
|
+
|
|
11
28
|
## [0.17.0] - 2020-12-28
|
|
12
29
|
### Added
|
|
13
30
|
- Allow indexing gems from index.rubygems.org.
|
|
@@ -223,7 +240,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
223
240
|
### Added
|
|
224
241
|
- Provide ruby API to the latest SPDX catalogue.
|
|
225
242
|
|
|
226
|
-
[Unreleased]: https://github.com/spandx/spandx/compare/v0.
|
|
243
|
+
[Unreleased]: https://github.com/spandx/spandx/compare/v0.18.3...HEAD
|
|
244
|
+
[0.18.3]: https://github.com/spandx/spandx/compare/v0.18.2...v0.18.3
|
|
245
|
+
[0.18.2]: https://github.com/spandx/spandx/compare/v0.18.1...v0.18.2
|
|
246
|
+
[0.18.1]: https://github.com/spandx/spandx/compare/v0.18.0...v0.18.1
|
|
247
|
+
[0.18.0]: https://github.com/spandx/spandx/compare/v0.17.0...v0.18.0
|
|
227
248
|
[0.17.0]: https://github.com/spandx/spandx/compare/v0.16.1...v0.17.0
|
|
228
249
|
[0.16.1]: https://github.com/spandx/spandx/compare/v0.16.0...v0.16.1
|
|
229
250
|
[0.16.0]: https://github.com/spandx/spandx/compare/v0.15.1...v0.16.0
|
data/README.md
CHANGED
|
@@ -4,7 +4,7 @@
|
|
|
4
4
|
|
|
5
5
|
# Spandx 
|
|
6
6
|
|
|
7
|
-
A
|
|
7
|
+
A Ruby API for interacting with the https://spdx.org software license catalogue.
|
|
8
8
|
This gem includes a command line interface to scan a software project for the
|
|
9
9
|
software licenses that are associated with each dependency in the project.
|
|
10
10
|
`spandx` leverages an offline cache of software licenses for known dependencies.
|
|
@@ -104,7 +104,7 @@ end
|
|
|
104
104
|
|
|
105
105
|
## Development
|
|
106
106
|
|
|
107
|
-
After checking out the repo, run `bin/setup` to install dependencies. Then, run `bin/
|
|
107
|
+
After checking out the repo, run `bin/setup` to install dependencies. Then, run `bin/test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
|
|
108
108
|
|
|
109
109
|
To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
|
|
110
110
|
|
|
@@ -14,6 +14,8 @@ module Spandx
|
|
|
14
14
|
Spandx::Python::Parsers::PipfileLock => :pypi,
|
|
15
15
|
Spandx::Ruby::Parsers::GemfileLock => :rubygems,
|
|
16
16
|
Spandx::Os::Parsers::Apk => :apk,
|
|
17
|
+
Spandx::Os::Parsers::Dpkg => :dpkg,
|
|
18
|
+
Spandx::Terraform::Parsers::LockFile => :terraform,
|
|
17
19
|
}.freeze
|
|
18
20
|
attr_reader :path, :name, :version, :licenses, :meta
|
|
19
21
|
|
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module Spandx
|
|
4
|
+
module Terraform
|
|
5
|
+
module Parsers
|
|
6
|
+
class LockFile < ::Spandx::Core::Parser
|
|
7
|
+
def initialize
|
|
8
|
+
@parser = Hcl2::Parser.new
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
def match?(pathname)
|
|
12
|
+
basename = pathname.basename
|
|
13
|
+
basename.fnmatch?('.terraform.lock.hcl')
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
def parse(path)
|
|
17
|
+
tree = @parser.parse(path.read)
|
|
18
|
+
tree[:blocks].map do |block|
|
|
19
|
+
version_arg = version_arg_from(block)
|
|
20
|
+
::Spandx::Core::Dependency.new(
|
|
21
|
+
name: block[:name].to_s,
|
|
22
|
+
version: version_arg[:value]&.to_s,
|
|
23
|
+
path: path
|
|
24
|
+
)
|
|
25
|
+
end
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
private
|
|
29
|
+
|
|
30
|
+
def version_arg_from(block)
|
|
31
|
+
block[:arguments].find do |x|
|
|
32
|
+
x[:name] == 'version'
|
|
33
|
+
end
|
|
34
|
+
end
|
|
35
|
+
end
|
|
36
|
+
end
|
|
37
|
+
end
|
|
38
|
+
end
|
data/lib/spandx/version.rb
CHANGED
data/lib/spandx.rb
CHANGED
data/spandx.gemspec
CHANGED
|
@@ -11,10 +11,10 @@ Gem::Specification.new do |spec|
|
|
|
11
11
|
spec.email = ['eldemcan@gmail.com', 'mo@mokhan.ca']
|
|
12
12
|
|
|
13
13
|
spec.summary = 'A ruby interface to the SPDX catalogue.'
|
|
14
|
-
spec.description = '
|
|
14
|
+
spec.description = 'Spandx is a ruby API for interacting with the spdx.org software license catalogue. This gem includes a command line interface to scan a software project for the software licenses that are associated with each dependency in the project. Spandx also allows you to hook additional information for each dependency found. For instance, you can add plugin to Spandx to find and report vulnerabilities for the dependencies it found.'
|
|
15
15
|
spec.homepage = 'https://spandx.github.io/'
|
|
16
16
|
spec.license = 'MIT'
|
|
17
|
-
spec.required_ruby_version = Gem::Requirement.new('>= 2.
|
|
17
|
+
spec.required_ruby_version = Gem::Requirement.new('>= 2.6.0')
|
|
18
18
|
|
|
19
19
|
spec.metadata['homepage_uri'] = spec.homepage
|
|
20
20
|
spec.metadata['source_code_uri'] = 'https://github.com/spandx/spandx'
|
|
@@ -34,6 +34,7 @@ Gem::Specification.new do |spec|
|
|
|
34
34
|
|
|
35
35
|
spec.add_dependency 'addressable', '~> 2.7'
|
|
36
36
|
spec.add_dependency 'bundler', '>= 1.16', '< 3.0.0'
|
|
37
|
+
spec.add_dependency 'hcl2', '~> 0.1'
|
|
37
38
|
spec.add_dependency 'net-hippie', '~> 1.0'
|
|
38
39
|
spec.add_dependency 'nokogiri', '~> 1.10'
|
|
39
40
|
spec.add_dependency 'oj', '~> 3.10'
|
metadata
CHANGED
|
@@ -1,15 +1,15 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: spandx
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.18.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Can Eldem
|
|
8
8
|
- mo khan
|
|
9
|
-
autorequire:
|
|
9
|
+
autorequire:
|
|
10
10
|
bindir: exe
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date:
|
|
12
|
+
date: 2021-12-16 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: addressable
|
|
@@ -45,6 +45,20 @@ dependencies:
|
|
|
45
45
|
- - "<"
|
|
46
46
|
- !ruby/object:Gem::Version
|
|
47
47
|
version: 3.0.0
|
|
48
|
+
- !ruby/object:Gem::Dependency
|
|
49
|
+
name: hcl2
|
|
50
|
+
requirement: !ruby/object:Gem::Requirement
|
|
51
|
+
requirements:
|
|
52
|
+
- - "~>"
|
|
53
|
+
- !ruby/object:Gem::Version
|
|
54
|
+
version: '0.1'
|
|
55
|
+
type: :runtime
|
|
56
|
+
prerelease: false
|
|
57
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
58
|
+
requirements:
|
|
59
|
+
- - "~>"
|
|
60
|
+
- !ruby/object:Gem::Version
|
|
61
|
+
version: '0.1'
|
|
48
62
|
- !ruby/object:Gem::Dependency
|
|
49
63
|
name: net-hippie
|
|
50
64
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -353,7 +367,7 @@ dependencies:
|
|
|
353
367
|
- - "~>"
|
|
354
368
|
- !ruby/object:Gem::Version
|
|
355
369
|
version: '3.7'
|
|
356
|
-
description:
|
|
370
|
+
description: Spandx is a ruby API for interacting with the spdx.org software license
|
|
357
371
|
catalogue. This gem includes a command line interface to scan a software project
|
|
358
372
|
for the software licenses that are associated with each dependency in the project.
|
|
359
373
|
Spandx also allows you to hook additional information for each dependency found.
|
|
@@ -434,6 +448,7 @@ files:
|
|
|
434
448
|
- lib/spandx/spdx/expression.rb
|
|
435
449
|
- lib/spandx/spdx/gateway.rb
|
|
436
450
|
- lib/spandx/spdx/license.rb
|
|
451
|
+
- lib/spandx/terraform/parsers/lock_file.rb
|
|
437
452
|
- lib/spandx/version.rb
|
|
438
453
|
- spandx.gemspec
|
|
439
454
|
homepage: https://spandx.github.io/
|
|
@@ -443,7 +458,7 @@ metadata:
|
|
|
443
458
|
homepage_uri: https://spandx.github.io/
|
|
444
459
|
source_code_uri: https://github.com/spandx/spandx
|
|
445
460
|
changelog_uri: https://github.com/spandx/spandx/blob/main/CHANGELOG.md
|
|
446
|
-
post_install_message:
|
|
461
|
+
post_install_message:
|
|
447
462
|
rdoc_options: []
|
|
448
463
|
require_paths:
|
|
449
464
|
- lib
|
|
@@ -451,15 +466,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
451
466
|
requirements:
|
|
452
467
|
- - ">="
|
|
453
468
|
- !ruby/object:Gem::Version
|
|
454
|
-
version: 2.
|
|
469
|
+
version: 2.6.0
|
|
455
470
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
456
471
|
requirements:
|
|
457
472
|
- - ">="
|
|
458
473
|
- !ruby/object:Gem::Version
|
|
459
474
|
version: '0'
|
|
460
475
|
requirements: []
|
|
461
|
-
rubygems_version: 3.2.
|
|
462
|
-
signing_key:
|
|
476
|
+
rubygems_version: 3.2.32
|
|
477
|
+
signing_key:
|
|
463
478
|
specification_version: 4
|
|
464
479
|
summary: A ruby interface to the SPDX catalogue.
|
|
465
480
|
test_files: []
|