licenseguard-cli 2.0.0 → 2.1.1

package/lib/scanner/license-normalizer.js

@@ -0,0 +1,357 @@
+/**
+ * License Normalizer
+ * Normalizes license identifiers to canonical SPDX form
+ * Handles ecosystem-specific variants (Python, Rust, C++, npm)
+ *
+ * This centralizes license normalization logic that was previously scattered
+ * across ecosystem plugins, making it reusable and consistent.
+ */
+
+/**
+ * Common license format variations → Canonical SPDX identifiers
+ * Covers Python, Rust, C++, and npm ecosystem quirks
+ *
+ * Sources:
+ * - Python: Trove Classifiers + pip show metadata
+ * - Rust: Cargo.toml license field patterns
+ * - C++: Conan license field + package.json variants
+ * - npm: package.json license field
+ */
+const LICENSE_NORMALIZATIONS = {
+  // ============================================
+  // Apache variants
+  // ============================================
+  'Apache 2.0': 'Apache-2.0',
+  'Apache License 2.0': 'Apache-2.0',
+  'Apache License, Version 2.0': 'Apache-2.0',
+  'Apache Software License': 'Apache-2.0',  // Python Trove Classifier
+  'ASL 2': 'Apache-2.0',
+  'Apache-2': 'Apache-2.0',  // Rust/C++ shorthand
+
+  // ============================================
+  // BSD variants (most common in Python/C++)
+  // ============================================
+  'BSD License': 'BSD-3-Clause',  // Default to 3-Clause (most common)
+  'BSD': 'BSD-3-Clause',
+  'BSD 3-Clause': 'BSD-3-Clause',
+  'BSD 3 Clause': 'BSD-3-Clause',
+  '3-Clause BSD License': 'BSD-3-Clause',
+  'New BSD': 'BSD-3-Clause',
+  'Modified BSD': 'BSD-3-Clause',
+  'BSD 2-Clause': 'BSD-2-Clause',
+  'Simplified BSD': 'BSD-2-Clause',
+  'FreeBSD': 'BSD-2-Clause',
+
+  // ============================================
+  // MIT variants
+  // ============================================
+  'MIT': 'MIT',
+  'MIT License': 'MIT',
+  'mit': 'MIT',
+  'Mit': 'MIT',
+
+  // ============================================
+  // GPL variants (SPDX 3.0 normalization)
+  // ============================================
+  // CRITICAL: GPL-3.0 is deprecated in SPDX 3.0 → GPL-3.0-only
+  'GPL-3.0': 'GPL-3.0-only',
+  'GPL 3.0': 'GPL-3.0-only',
+  'GPLv3': 'GPL-3.0-only',
+  'GPL-3.0.0': 'GPL-3.0-only',
+  'GNU General Public License v3.0': 'GPL-3.0-only',
+  'GNU General Public License (GPL)': 'GPL-3.0-only',  // Default to v3
+
+  'GPL-2.0': 'GPL-2.0-only',
+  'GPL 2.0': 'GPL-2.0-only',
+  'GPLv2': 'GPL-2.0-only',
+  'GPL-2.0.0': 'GPL-2.0-only',
+  'GNU General Public License v2.0': 'GPL-2.0-only',
+
+  // GPL "or-later" variants
+  'GPL-3.0+': 'GPL-3.0-or-later',
+  'GPL-3.0-or-later': 'GPL-3.0-or-later',
+  'GPLv3+': 'GPL-3.0-or-later',
+
+  'GPL-2.0+': 'GPL-2.0-or-later',
+  'GPL-2.0-or-later': 'GPL-2.0-or-later',
+  'GPLv2+': 'GPL-2.0-or-later',
+
+  // ============================================
+  // LGPL variants
+  // ============================================
+  'GNU Library or Lesser General Public License (LGPL)': 'LGPL-2.1-or-later',
+  'LGPL': 'LGPL-2.1-or-later',  // Default to 2.1-or-later (most permissive)
+  'LGPLv3': 'LGPL-3.0-only',
+  'LGPL-3.0': 'LGPL-3.0-only',
+  'LGPL-3.0-only': 'LGPL-3.0-only',
+  'LGPL-3.0-or-later': 'LGPL-3.0-or-later',
+  'LGPLv2': 'LGPL-2.1-only',
+  'LGPL-2.1': 'LGPL-2.1-only',
+  'LGPL-2.1-only': 'LGPL-2.1-only',
+  'LGPL-2.1-or-later': 'LGPL-2.1-or-later',
+  'LGPL-2.0-only': 'LGPL-2.0-only',
+  'LGPL-2.0-or-later': 'LGPL-2.0-or-later',
+
+  // ============================================
+  // ISC variants
+  // ============================================
+  'ISC': 'ISC',
+  'ISC License': 'ISC',
+  'ISC License (ISCL)': 'ISC',
+
+  // ============================================
+  // MPL variants
+  // ============================================
+  'MPL-2.0': 'MPL-2.0',
+  'Mozilla Public License 2.0': 'MPL-2.0',
+  'Mozilla Public License 2.0 (MPL 2.0)': 'MPL-2.0',
+  'MPL 2.0': 'MPL-2.0',
+
+  // ============================================
+  // Python Software Foundation
+  // ============================================
+  'Python Software Foundation License': 'PSF-2.0',
+  'PSF': 'PSF-2.0',
+
+  // ============================================
+  // Public Domain / Ultra-Permissive
+  // ============================================
+  'Unlicense': 'Unlicense',
+  'Public Domain': 'Unlicense',  // Map to Unlicense (closest SPDX)
+  'CC0-1.0': 'CC0-1.0',
+  'CC0': 'CC0-1.0',
+  'WTFPL': 'WTFPL',
+  '0BSD': '0BSD',
+
+  // ============================================
+  // Zlib / bzip2 (permissive)
+  // ============================================
+  'Zlib': 'Zlib',
+  'zlib License': 'Zlib',
+  'bzip2-1.0.6': 'bzip2-1.0.6',
+  'bzip2': 'bzip2-1.0.6',
+
+  // ============================================
+  // Boost Software License
+  // ============================================
+  'BSL-1.0': 'BSL-1.0',
+  'Boost Software License 1.0': 'BSL-1.0',
+  'Boost': 'BSL-1.0',
+
+  // ============================================
+  // Proprietary / Non-SPDX
+  // ============================================
+  'Other/Proprietary License': 'LicenseRef-Proprietary',
+  'NVIDIA Proprietary Software': 'LicenseRef-NVIDIA-Proprietary',
+  'Proprietary': 'LicenseRef-Proprietary',
+  'Commercial': 'LicenseRef-Commercial'
+}
+
+/**
+ * License family classifications
+ * Used for upgrade path detection (e.g., LGPL can upgrade to GPL)
+ */
+const LICENSE_FAMILIES = {
+  // GPL Family (Strong Copyleft)
+  'GPL-2.0-only': 'GPL2',
+  'GPL-2.0-or-later': 'GPL2-or-later',
+  'GPL-3.0-only': 'GPL3',
+  'GPL-3.0-or-later': 'GPL3-or-later',
+
+  // LGPL Family (Weak Copyleft - can upgrade to GPL)
+  'LGPL-2.1-only': 'LGPL',
+  'LGPL-2.1-or-later': 'LGPL-or-later',
+  'LGPL-3.0-only': 'LGPL3',
+  'LGPL-3.0-or-later': 'LGPL3-or-later',
+  'LGPL-2.0-only': 'LGPL',
+  'LGPL-2.0-or-later': 'LGPL-or-later',
+
+  // AGPL Family (Network Copyleft)
+  'AGPL-3.0-only': 'AGPL3',
+  'AGPL-3.0-or-later': 'AGPL3-or-later',
+
+  // MPL Family (Weak Copyleft - Section 3.3 allows GPL combination)
+  'MPL-2.0': 'MPL',
+  'MPL-1.1': 'MPL',
+
+  // Apache Family (Permissive with Patent Grant)
+  'Apache-2.0': 'Apache',
+  'Apache-1.1': 'Apache',
+
+  // MIT Family (Permissive)
+  'MIT': 'MIT',
+
+  // BSD Family (Permissive)
+  'BSD-3-Clause': 'BSD',
+  'BSD-2-Clause': 'BSD',
+  'BSD-1-Clause': 'BSD',
+  '0BSD': 'BSD',
+
+  // ISC Family (Permissive)
+  'ISC': 'ISC',
+
+  // Public Domain
+  'Unlicense': 'Public-Domain',
+  'CC0-1.0': 'Public-Domain',
+  'WTFPL': 'Public-Domain',
+
+  // Other Permissive
+  'Zlib': 'Permissive',
+  'bzip2-1.0.6': 'Permissive',
+  'BSL-1.0': 'Permissive',
+  'PSF-2.0': 'Permissive'
+}
+
+/**
+ * Normalize license identifier to canonical SPDX form
+ *
+ * Algorithm:
+ * 1. Handle UNKNOWN/empty cases
+ * 2. Clean whitespace
+ * 3. Exact match in normalization table
+ * 4. Case-insensitive match
+ * 5. Regex pattern matching (flexible)
+ * 6. Return as-is if already valid SPDX
+ *
+ * @param {string} license - License string from ecosystem metadata
+ * @returns {string} Canonical SPDX identifier or UNKNOWN
+ *
+ * @example
+ * normalize('GPL-3.0') // → 'GPL-3.0-only'
+ * normalize('mit') // → 'MIT'
+ * normalize('Apache 2.0') // → 'Apache-2.0'
+ * normalize('') // → 'UNKNOWN'
+ */
+function normalize(license) {
+  if (!license || license === '' || /^none$/i.test(license) || license === 'UNKNOWN') {
+    return 'UNKNOWN'
+  }
+
+  // Clean: trim, normalize whitespace
+  const cleaned = license.trim().replace(/\s+/g, ' ')
+
+  // Exact match (fast path)
+  if (LICENSE_NORMALIZATIONS[cleaned]) {
+    return LICENSE_NORMALIZATIONS[cleaned]
+  }
+
+  // Case-insensitive match
+  const lower = cleaned.toLowerCase()
+  for (const [key, value] of Object.entries(LICENSE_NORMALIZATIONS)) {
+    if (key.toLowerCase() === lower) {
+      return value
+    }
+  }
+
+  // ============================================
+  // Regex pattern matching (flexible normalization)
+  // ============================================
+  // CRITICAL: Order matters! Check more specific patterns first
+  // LGPL must be checked BEFORE GPL (LGPL contains "GPL" substring)
+
+  // Apache
+  if (/Apache.*2(\.0)?/i.test(cleaned)) return 'Apache-2.0'
+  if (/^ASL\s*2/i.test(cleaned)) return 'Apache-2.0'
+
+  // BSD (including full license text detection)
+  if (/BSD.*3.*Clause/i.test(cleaned)) return 'BSD-3-Clause'
+  if (/BSD.*2.*Clause/i.test(cleaned)) return 'BSD-2-Clause'
+  if (/^BSD$/i.test(cleaned)) return 'BSD-3-Clause'
+  // Detect full BSD license text (starts with "Redistribution and use")
+  if (/Redistribution and use in source and binary forms/i.test(cleaned)) {
+    return 'BSD-3-Clause'  // Assume 3-Clause if full text
+  }
+
+  // LGPL (CHECK BEFORE GPL - more specific pattern)
+  // CRITICAL: LGPL contains "GPL" substring, so must be checked first
+  if (/LGPL.*v?3/i.test(cleaned)) {
+    if (/\+|or.*later/i.test(cleaned)) return 'LGPL-3.0-or-later'
+    return 'LGPL-3.0-only'
+  }
+  if (/LGPL.*v?2/i.test(cleaned)) {
+    if (/\+|or.*later/i.test(cleaned)) return 'LGPL-2.1-or-later'
+    return 'LGPL-2.1-only'
+  }
+
+  // AGPL (CHECK BEFORE GPL - AGPL contains "GPL" substring)
+  // CRITICAL: AGPL-3.0-only matches /GPL.*v?3/ if not checked first
+  if (/AGPL.*v?3/i.test(cleaned)) {
+    if (/\+|or.*later/i.test(cleaned)) return 'AGPL-3.0-or-later'
+    return 'AGPL-3.0-only'
+  }
+
+  // GPL (CHECK AFTER LGPL AND AGPL - less specific pattern)
+  if (/GPL.*v?3/i.test(cleaned)) {
+    if (/\+|or.*later/i.test(cleaned)) return 'GPL-3.0-or-later'
+    return 'GPL-3.0-only'
+  }
+  if (/GPL.*v?2/i.test(cleaned)) {
+    if (/\+|or.*later/i.test(cleaned)) return 'GPL-2.0-or-later'
+    return 'GPL-2.0-only'
+  }
+
+  // PSF
+  if (/Python Software Foundation/i.test(cleaned)) return 'PSF-2.0'
+
+  // ISC
+  if (/ISC.*License/i.test(cleaned)) return 'ISC'
+
+  // MPL
+  if (/Mozilla Public License.*2/i.test(cleaned)) return 'MPL-2.0'
+
+  // Proprietary
+  if (/proprietary/i.test(cleaned)) return 'LicenseRef-Proprietary'
+  if (/NVIDIA.*Proprietary/i.test(cleaned)) return 'LicenseRef-NVIDIA-Proprietary'
+  if (/commercial/i.test(cleaned)) return 'LicenseRef-Commercial'
+
+  // Return as-is if no match (might be valid SPDX already)
+  return cleaned
+}
+
+/**
+ * Get license family for compatibility upgrade path detection
+ *
+ * @param {string} license - Normalized SPDX identifier
+ * @returns {string} License family (GPL3, LGPL, MIT, BSD, Apache, etc.) or 'Unknown'
+ *
+ * @example
+ * getLicenseFamily('GPL-3.0-only') // → 'GPL3'
+ * getLicenseFamily('LGPL-2.1-or-later') // → 'LGPL-or-later'
+ * getLicenseFamily('MIT') // → 'MIT'
+ */
+function getLicenseFamily(license) {
+  if (!license || license === 'UNKNOWN') {
+    return 'Unknown'
+  }
+
+  // Normalize first to ensure consistent lookup
+  const normalized = normalize(license)
+
+  return LICENSE_FAMILIES[normalized] || 'Unknown'
+}
+
+/**
+ * Check if two licenses are the same after normalization
+ * Handles SPDX deprecated identifiers (GPL-3.0 vs GPL-3.0-only)
+ *
+ * @param {string} license1 - First license identifier
+ * @param {string} license2 - Second license identifier
+ * @returns {boolean} True if same license after normalization
+ *
+ * @example
+ * areSameLicense('GPL-3.0', 'GPL-3.0-only') // → true
+ * areSameLicense('mit', 'MIT') // → true
+ * areSameLicense('MIT', 'Apache-2.0') // → false
+ */
+function areSameLicense(license1, license2) {
+  return normalize(license1) === normalize(license2)
+}
+
+module.exports = {
+  normalize,
+  getLicenseFamily,
+  areSameLicense,
+  // Export for testing
+  LICENSE_NORMALIZATIONS,
+  LICENSE_FAMILIES
+}

package/lib/scanner/plugins/cpp.js

@@ -0,0 +1,267 @@
+/**
+ * C/C++ Ecosystem Plugin (Conan)
+ * Scans Conan dependencies for license information
+ */
+
+const fs = require('fs')
+const path = require('path')
+const { execSync } = require('child_process')
+const { checkCompatibility } = require('../compat-checker')
+const { showProgress } = require('../progress')
+
+/**
+ * Detect if this is a C/C++ Conan project
+ * @returns {boolean} True if conanfile.txt or conanfile.py exists
+ */
+function detect() {
+  return fs.existsSync('conanfile.txt') || fs.existsSync('conanfile.py')
+}
+
+/**
+ * Parse conanfile.txt to get dependency list
+ * @returns {string[]} Array of dependency references (e.g., ['boost/1.81.0', 'openssl/3.0.7'])
+ */
+function parseConanfile() {
+  let content = ''
+
+  if (fs.existsSync('conanfile.txt')) {
+    content = fs.readFileSync('conanfile.txt', 'utf8')
+  } else if (fs.existsSync('conanfile.py')) {
+    // For conanfile.py, we rely on conan info command instead
+    // Return empty array - getConanPackages will get the actual deps
+    return []
+  }
+
+  const deps = []
+  const lines = content.split('\n')
+  let inRequires = false
+
+  for (const line of lines) {
+    const trimmed = line.trim()
+
+    // Check for [requires] section
+    if (trimmed === '[requires]') {
+      inRequires = true
+      continue
+    }
+
+    // Check for other sections (end of requires)
+    if (trimmed.startsWith('[') && trimmed.endsWith(']')) {
+      inRequires = false
+      continue
+    }
+
+    // Parse dependency in requires section
+    if (inRequires && trimmed && !trimmed.startsWith('#')) {
+      deps.push(trimmed)
+    }
+  }
+
+  return deps
+}
+
+/**
+ * Get installed Conan packages via CLI
+ * Supports both Conan 1.x and Conan 2.x
+ * @returns {Array} Array of package objects with name, version, license, path
+ */
+function getConanPackages() {
+  let output
+  let isConan2 = false
+
+  try {
+    // Try Conan 2.x command first
+    output = execSync('conan graph info . --format=json', {
+      encoding: 'utf8',
+      timeout: 30000, // 30 second timeout for graph operations
+      cwd: process.cwd(),
+      stdio: ['pipe', 'pipe', 'pipe']
+    })
+    isConan2 = true
+  } catch (error) {
+    // Check if it's a "command not found" for conan itself
+    if (error.message.includes('command not found') ||
+        error.message.includes('not recognized') ||
+        error.message.includes('ENOENT')) {
+      throw new Error(
+        'Conan not installed.\n\n' +
+        'Install Conan: pip install conan\n' +
+        'Or skip scanning: licenseguard init --noscan'
+      )
+    }
+
+    // If Conan 2.x command failed, try Conan 1.x
+    if (error.message.includes('Unknown command') ||
+        error.message.includes('not a Conan command')) {
+      try {
+        output = execSync('conan info . --only requires --json', {
+          encoding: 'utf8',
+          timeout: 10000,
+          cwd: process.cwd(),
+          stdio: ['pipe', 'pipe', 'pipe']
+        })
+        isConan2 = false
+      } catch (error2) {
+        // Check for project not installed
+        if (error2.message.includes('Unable to find') ||
+            error2.message.includes('not found in local cache')) {
+          throw new Error(
+            'Conan dependencies not installed.\n\n' +
+            'Run: conan install .\n' +
+            'Or skip scanning: licenseguard init --noscan'
+          )
+        }
+        throw new Error('Failed to get Conan package info: ' + error2.message)
+      }
+    } else {
+      // Check for project not installed (Conan 2.x errors)
+      if (error.message.includes('No such file') ||
+          error.message.includes('does not exist') ||
+          error.message.includes('ERROR: Package')) {
+        throw new Error(
+          'Conan dependencies not installed.\n\n' +
+          'Run: conan install . --build=missing\n' +
+          'Or skip scanning: licenseguard init --noscan'
+        )
+      }
+      throw new Error('Failed to get Conan package info: ' + error.message)
+    }
+  }
+
+  const data = JSON.parse(output)
+
+  if (isConan2) {
+    // Conan 2.x format: { "graph": { "nodes": { "0": {...}, "1": {...} } } }
+    const nodes = data.graph?.nodes || {}
+    return Object.values(nodes)
+      .filter(node => node.ref && node.ref !== 'conanfile') // Skip root node
+      .map(node => {
+        // Parse reference like "boost/1.81.0"
+        const ref = node.ref || ''
+        const match = ref.match(/^([^/]+)\/([^@#]+)/)
+
+        return {
+          name: match ? match[1] : ref,
+          version: match ? match[2] : 'unknown',
+          license: node.license || null,
+          path: node.package_folder || node.source_folder || 'conan-cache'
+        }
+      })
+  } else {
+    // Conan 1.x format: array of package objects
+    return data.map(pkg => {
+      const ref = pkg.reference || pkg
+      const match = ref.match(/^([^/]+)\/([^@]+)/)
+
+      return {
+        name: match ? match[1] : ref,
+        version: match ? match[2] : 'unknown',
+        license: pkg.license || null,
+        path: pkg.export_folder || pkg.package_folder || 'conan-cache'
+      }
+    })
+  }
+}
+
+/**
+ * Extract license from Conan package metadata
+ * @param {Object} pkg - Package object from getConanPackages
+ * @returns {string} License identifier or 'UNKNOWN'
+ */
+function extractConanLicense(pkg) {
+  // If license is already in package info, use it
+  if (pkg.license) {
+    // Conan license can be a string or array
+    if (Array.isArray(pkg.license)) {
+      return pkg.license[0] || 'UNKNOWN'
+    }
+    return pkg.license
+  }
+
+  // Try to read license from conanfile.py in cache
+  if (pkg.path && pkg.path !== 'conan-cache') {
+    const conanfilePath = path.join(pkg.path, 'conanfile.py')
+    if (fs.existsSync(conanfilePath)) {
+      try {
+        const content = fs.readFileSync(conanfilePath, 'utf8')
+        // Look for license = "..." or license = '...'
+        const match = content.match(/license\s*=\s*["']([^"']+)["']/)
+        if (match) {
+          return match[1]
+        }
+      } catch (error) {
+        // Ignore read errors
+      }
+    }
+
+    // Try LICENSE file
+    const licensePath = path.join(pkg.path, 'licenses', 'LICENSE')
+    if (fs.existsSync(licensePath)) {
+      // Could parse LICENSE file content, but for now mark as found
+      return 'UNKNOWN' // Would need license detection logic
+    }
+  }
+
+  return 'UNKNOWN'
+}
+
+/**
+ * Scan all Conan dependencies for license compatibility
+ * @param {string} projectLicense - The project's license (SPDX format)
+ * @returns {Promise<Object>} Scan results
+ */
+async function scanDependencies(projectLicense) {
+  // Get installed packages via Conan CLI
+  const packages = getConanPackages()
+
+  const results = {
+    timestamp: new Date().toISOString(),
+    totalDependencies: packages.length,
+    compatible: 0,
+    incompatible: 0,
+    unknown: 0,
+    issues: []
+  }
+
+  // Scan each dependency
+  for (let i = 0; i < packages.length; i++) {
+    showProgress(i + 1, packages.length)
+
+    const pkg = packages[i]
+    const license = extractConanLicense(pkg)
+
+    // Check compatibility using universal compat-checker
+    const compatResult = checkCompatibility(projectLicense, license)
+
+    if (!compatResult.compatible) {
+      const isUnknown = license === 'UNKNOWN'
+
+      if (isUnknown) {
+        results.unknown++
+      } else {
+        results.incompatible++
+      }
+
+      results.issues.push({
+        package: `${pkg.name}@${pkg.version}`,
+        license: license,
+        type: isUnknown ? 'warning' : 'conflict',
+        reason: compatResult.reason,
+        location: pkg.path
+      })
+    } else {
+      results.compatible++
+    }
+  }
+
+  return results
+}
+
+module.exports = {
+  detect,
+  scanDependencies,
+  // Export internal functions for testing
+  parseConanfile,
+  getConanPackages,
+  extractConanLicense
+}