licenseguard-cli 2.0.0 → 2.1.1

package/lib/scanner/plugins/python-license-scanner.py

@@ -0,0 +1,173 @@
+#!/usr/bin/env python3
+"""
+Python License Scanner - Native Python implementation
+Scans installed packages and extracts license information using importlib.metadata
+
+This script is called by Node.js and returns JSON output.
+Handles all worst-case scenarios:
+1. Python version compatibility (3.7+)
+2. Read-only filesystems (runs via python -c)
+3. Encoding issues (force UTF-8)
+4. Virtualenv detection
+"""
+
+import sys
+import json
+import os
+
+# MITIGATION #3: Force UTF-8 encoding (Windows CP1252 fix)
+if sys.version_info >= (3, 7):
+    sys.stdout.reconfigure(encoding='utf-8')
+
+# MITIGATION #1: Python version compatibility
+# Try importlib.metadata (Python 3.8+), fallback to pkg_resources (Python 3.7)
+try:
+    import importlib.metadata as metadata
+    USING_IMPORTLIB = True
+except ImportError:
+    try:
+        import pkg_resources
+        USING_IMPORTLIB = False
+    except ImportError:
+        print(json.dumps({"error": "Neither importlib.metadata nor pkg_resources available"}), file=sys.stderr)
+        sys.exit(1)
+
+
+def extract_license_from_classifier(classifier):
+    """
+    Extract license name from Trove Classifier
+    Example: "License :: OSI Approved :: MIT License" -> "MIT License"
+    """
+    parts = classifier.split(' :: ')
+    last = parts[-1].strip()
+    return last if last != 'OSI Approved' else None
+
+
+def get_license_via_importlib(package_name):
+    """
+    Get license using importlib.metadata (Python 3.8+)
+    Implements pip-licenses priority: License-Expression > Classifier > License
+    """
+    try:
+        dist = metadata.distribution(package_name)
+
+        # Priority 1: License-Expression (PEP 639 - modern packages)
+        license_expr = dist.metadata.get('License-Expression')
+        if license_expr and license_expr.strip() and license_expr.strip().lower() != 'none':
+            return license_expr.strip()
+
+        # Priority 2: Trove Classifiers
+        classifiers = dist.metadata.get_all('Classifier') or []
+        license_classifiers = [c for c in classifiers if c.startswith('License ::')]
+        if license_classifiers:
+            license_from_classifier = extract_license_from_classifier(license_classifiers[0])
+            if license_from_classifier:
+                return license_from_classifier
+
+        # Priority 3: License field (legacy)
+        license_field = dist.metadata.get('License')
+        if license_field and license_field.strip() and license_field.strip().lower() != 'none':
+            return license_field.strip()
+
+        return 'UNKNOWN'
+
+    except Exception:
+        return 'UNKNOWN'
+
+
+def get_license_via_pkg_resources(package_name):
+    """
+    Get license using pkg_resources (Python 3.7 fallback)
+    """
+    try:
+        dist = pkg_resources.get_distribution(package_name)
+
+        if dist.has_metadata('METADATA'):
+            metadata_content = dist.get_metadata('METADATA')
+            lines = metadata_content.split('\n')
+
+            license_expr = None
+            license_field = None
+            classifiers = []
+
+            for line in lines:
+                if line.startswith('License-Expression:'):
+                    license_expr = line.split(':', 1)[1].strip()
+                elif line.startswith('License:'):
+                    license_field = line.split(':', 1)[1].strip()
+                elif line.startswith('Classifier:') and 'License ::' in line:
+                    classifiers.append(line.split(':', 1)[1].strip())
+
+            # Priority: License-Expression > Classifier > License
+            if license_expr and license_expr.lower() != 'none':
+                return license_expr
+
+            if classifiers:
+                license_from_classifier = extract_license_from_classifier(classifiers[0])
+                if license_from_classifier:
+                    return license_from_classifier
+
+            if license_field and license_field.lower() != 'none':
+                return license_field
+
+        return 'UNKNOWN'
+
+    except Exception:
+        return 'UNKNOWN'
+
+
+def scan_packages(package_names):
+    """
+    Scan licenses for a list of packages
+    Returns: dict {package_name: license_string}
+    """
+    results = {}
+    get_license = get_license_via_importlib if USING_IMPORTLIB else get_license_via_pkg_resources
+
+    for pkg in package_names:
+        # Try exact name first
+        license_info = get_license(pkg)
+
+        # If UNKNOWN, try with normalized name (dashes to underscores)
+        if license_info == 'UNKNOWN' and '-' in pkg:
+            normalized = pkg.replace('-', '_')
+            license_info = get_license(normalized)
+
+        # If still UNKNOWN, try with underscores to dashes
+        if license_info == 'UNKNOWN' and '_' in pkg:
+            normalized = pkg.replace('_', '-')
+            license_info = get_license(normalized)
+
+        results[pkg.lower()] = license_info
+
+    return results
+
+
+def main():
+    """
+    Main entry point
+    Expects: JSON array of package names via stdin
+    Returns: JSON object {package: license} via stdout
+    """
+    try:
+        # Read package list from stdin
+        input_data = sys.stdin.read()
+        package_names = json.loads(input_data)
+
+        if not isinstance(package_names, list):
+            raise ValueError("Expected JSON array of package names")
+
+        # Scan licenses
+        results = scan_packages(package_names)
+
+        # Output JSON to stdout
+        print(json.dumps(results, ensure_ascii=False))
+
+    except Exception as e:
+        error_output = {"error": str(e)}
+        print(json.dumps(error_output), file=sys.stderr)
+        sys.exit(1)
+
+
+if __name__ == '__main__':
+    main()

package/lib/scanner/plugins/python.js

@@ -0,0 +1,336 @@
+/**
+ * Python Ecosystem Plugin (pip/pipenv/poetry)
+ * Scans Python dependencies for license information
+ * Supports three package managers with priority: poetry > pipenv > pip
+ */
+
+const fs = require('fs')
+const { execSync } = require('child_process')
+const { checkCompatibility } = require('../compat-checker')
+const { showProgress } = require('../progress')
+const { normalize } = require('../license-normalizer')
+
+/**
+ * Detect if this is a Python project and return package manager
+ * Priority order: poetry > pipenv > pip
+ * @returns {string|boolean} 'poetry' | 'pipenv' | 'pip' | false
+ */
+function detect() {
+  const hasPoetry = fs.existsSync('pyproject.toml')
+  const hasPipenv = fs.existsSync('Pipfile')
+  const hasPip = fs.existsSync('requirements.txt')
+
+  // Priority: poetry > pipenv > pip
+  if (hasPoetry) return 'poetry'
+  if (hasPipenv) return 'pipenv'
+  if (hasPip) return 'pip'
+
+  return false
+}
+
+/**
+ * Parse requirements.txt to get dependency list
+ * @returns {string[]} Array of package names
+ */
+function parseRequirementsTxt() {
+  if (!fs.existsSync('requirements.txt')) {
+    return []
+  }
+
+  const content = fs.readFileSync('requirements.txt', 'utf8')
+  const packages = []
+
+  for (const line of content.split('\n')) {
+    const trimmed = line.trim()
+
+    // Skip empty lines and comments
+    if (!trimmed || trimmed.startsWith('#')) {
+      continue
+    }
+
+    // Extract package name from various formats:
+    // requests==2.31.0
+    // numpy>=1.24.0
+    // pandas~=2.0.0
+    // flask[async]>=2.0.0
+    // git+https://... (skip)
+    // -r requirements-dev.txt (skip)
+    // -e . (skip editable installs)
+
+    if (trimmed.startsWith('-') || trimmed.startsWith('git+') || trimmed.startsWith('http')) {
+      continue
+    }
+
+    // Extract package name before version specifier or extras
+    const match = trimmed.match(/^([a-zA-Z0-9_-]+)/)
+    if (match) {
+      packages.push(match[1])
+    }
+  }
+
+  return packages
+}
+
+/**
+ * Parse Pipfile to get dependency list
+ * @returns {string[]} Array of package names
+ */
+function parsePipfile() {
+  if (!fs.existsSync('Pipfile')) {
+    return []
+  }
+
+  const content = fs.readFileSync('Pipfile', 'utf8')
+  const packages = []
+  let inPackages = false
+
+  for (const line of content.split('\n')) {
+    const trimmed = line.trim()
+
+    // Check for [packages] section
+    if (trimmed === '[packages]') {
+      inPackages = true
+      continue
+    }
+
+    // Check for other sections (end of packages)
+    if (trimmed.startsWith('[') && trimmed.endsWith(']')) {
+      inPackages = false
+      continue
+    }
+
+    // Parse package in packages section
+    // Format: package = "version" or package = {version = "1.0.0"}
+    if (inPackages && trimmed && !trimmed.startsWith('#')) {
+      const match = trimmed.match(/^([a-zA-Z0-9_-]+)\s*=/)
+      if (match) {
+        packages.push(match[1])
+      }
+    }
+  }
+
+  return packages
+}
+
+/**
+ * Parse pyproject.toml to get dependency list (Poetry format)
+ * @returns {string[]} Array of package names
+ */
+function parsePyprojectToml() {
+  if (!fs.existsSync('pyproject.toml')) {
+    return []
+  }
+
+  const content = fs.readFileSync('pyproject.toml', 'utf8')
+  const packages = []
+  let inDependencies = false
+
+  for (const line of content.split('\n')) {
+    const trimmed = line.trim()
+
+    // Check for [tool.poetry.dependencies] section
+    if (trimmed === '[tool.poetry.dependencies]') {
+      inDependencies = true
+      continue
+    }
+
+    // Check for other sections (end of dependencies)
+    if (trimmed.startsWith('[') && trimmed.endsWith(']')) {
+      inDependencies = false
+      continue
+    }
+
+    // Parse package in dependencies section
+    // Format: package = "^1.0.0" or package = {version = "^1.0.0"}
+    if (inDependencies && trimmed && !trimmed.startsWith('#')) {
+      // Skip python version specification
+      if (trimmed.startsWith('python =')) {
+        continue
+      }
+
+      const match = trimmed.match(/^([a-zA-Z0-9_-]+)\s*=/)
+      if (match) {
+        packages.push(match[1])
+      }
+    }
+  }
+
+  return packages
+}
+
+/**
+ * Batch fetch licenses using native Python script
+ * Uses importlib.metadata directly in Python for maximum reliability
+ * Handles: version compatibility, encoding, virtualenv detection
+ *
+ * @param {string[]} packageNames - Array of package names
+ * @param {string} manager - Package manager (for error messages)
+ * @returns {Object} Map of { packageName: licenseString }
+ */
+function getLicensesBatch(packageNames, _manager) {
+  if (packageNames.length === 0) return {}
+
+  const CHUNK_SIZE = 100  // Process in chunks to avoid stdin size limits
+  const licenseMap = {}
+  const totalChunks = Math.ceil(packageNames.length / CHUNK_SIZE)
+
+  // Path to Python scanner script
+  const scriptPath = `${__dirname}/python-license-scanner.py`
+
+  for (let i = 0; i < packageNames.length; i += CHUNK_SIZE) {
+    const currentChunk = Math.floor(i / CHUNK_SIZE) + 1
+    showProgress(currentChunk, totalChunks)
+
+    const chunk = packageNames.slice(i, i + CHUNK_SIZE)
+
+    try {
+      // Call Python scanner script with package list via stdin
+      const input = JSON.stringify(chunk)
+      const output = execSync(`python "${scriptPath}"`, {
+        input: input,
+        encoding: 'utf8',
+        timeout: 60000,  // 60 seconds for large chunks
+        stdio: ['pipe', 'pipe', 'pipe']
+      })
+
+      // Parse JSON response
+      const results = JSON.parse(output)
+
+      // Normalize licenses before adding to map (using shared normalizer)
+      for (const [pkg, license] of Object.entries(results)) {
+        const normalized = normalize(license)
+        licenseMap[pkg.toLowerCase()] = normalized
+      }
+
+    } catch (error) {
+      const stderr = error.stderr || ''
+      const message = error.message || ''
+
+      // 1. FATAL: Python not available
+      if (message.includes('command not found') ||
+          message.includes('not recognized') ||
+          message.includes('ENOENT')) {
+        throw new Error(
+          'Python not installed.\n\n' +
+          'Install Python 3.7+ from: https://www.python.org/downloads/\n' +
+          'Or skip scanning: licenseguard init --noscan'
+        )
+      }
+
+      // 2. Try to parse error output for diagnostics
+      try {
+        const errorData = JSON.parse(stderr)
+        if (errorData.error) {
+          throw new Error(`Python scanner error: ${errorData.error}`)
+        }
+      } catch (parseErr) {
+        // stderr is not JSON, show raw error
+      }
+
+      // 3. FATAL: System errors
+      const fatalErrors = [
+        'Permission denied',
+        'No space left on device',
+        'Disk quota exceeded',
+        'Read-only file system'
+      ]
+
+      const isFatal = fatalErrors.some(err =>
+        stderr.includes(err) || message.includes(err)
+      )
+
+      if (isFatal) {
+        throw new Error(
+          'Python scanner failed with system error:\n\n' +
+          (stderr || message)
+        )
+      }
+
+      // 4. UNKNOWN: Mark all packages in this chunk as UNKNOWN
+      for (const pkg of chunk) {
+        licenseMap[pkg.toLowerCase()] = 'UNKNOWN'
+      }
+    }
+  }
+
+  return licenseMap
+}
+
+/**
+ * Scan all Python dependencies for license compatibility
+ * Uses batch processing for 30x performance improvement on large projects
+ * @param {string} projectLicense - The project's license (SPDX format)
+ * @returns {Promise<Object>} Scan results
+ */
+async function scanDependencies(projectLicense) {
+  const manager = detect()
+
+  if (!manager) {
+    throw new Error('No Python package manager detected (requirements.txt, Pipfile, or pyproject.toml)')
+  }
+
+  // Get dependency list based on manager
+  let packages = []
+  if (manager === 'poetry') {
+    packages = parsePyprojectToml()
+  } else if (manager === 'pipenv') {
+    packages = parsePipfile()
+  } else {
+    packages = parseRequirementsTxt()
+  }
+
+  // Normalize package names to lowercase for consistent lookup
+  packages = packages.map(pkg => pkg.toLowerCase())
+
+  // Batch fetch licenses (O(n/50) instead of O(n) execSync calls)
+  const licenseMap = getLicensesBatch(packages, manager)
+
+  const results = {
+    timestamp: new Date().toISOString(),
+    totalDependencies: packages.length,
+    compatible: 0,
+    incompatible: 0,
+    unknown: 0,
+    issues: []
+  }
+
+  // Process results (fast in-memory loop)
+  for (const packageName of packages) {
+    const license = licenseMap[packageName] || 'UNKNOWN'
+
+    // Check compatibility using universal compat-checker
+    const compatResult = checkCompatibility(projectLicense, license)
+
+    if (!compatResult.compatible) {
+      const isUnknown = license === 'UNKNOWN'
+
+      if (isUnknown) {
+        results.unknown++
+      } else {
+        results.incompatible++
+      }
+
+      results.issues.push({
+        package: packageName,
+        license: license,
+        type: isUnknown ? 'warning' : 'conflict',
+        reason: compatResult.reason,
+        location: 'Python site-packages'
+      })
+    } else {
+      results.compatible++
+    }
+  }
+
+  return results
+}
+
+module.exports = {
+  detect,
+  scanDependencies,
+  // Export internal functions for testing
+  parseRequirementsTxt,
+  parsePipfile,
+  parsePyprojectToml,
+  getLicensesBatch
+}

package/lib/scanner/plugins/rust.js

@@ -0,0 +1,196 @@
+/**
+ * Rust Ecosystem Plugin (Cargo)
+ * Scans Cargo dependencies for license information
+ */
+
+const fs = require('fs')
+const { execSync } = require('child_process')
+const { checkCompatibility } = require('../compat-checker')
+const { showProgress } = require('../progress')
+
+/**
+ * Detect if this is a Rust Cargo project
+ * @returns {boolean} True if Cargo.toml exists
+ */
+function detect() {
+  return fs.existsSync('Cargo.toml')
+}
+
+/**
+ * Get Cargo metadata via CLI
+ * @returns {Object} Cargo metadata JSON
+ */
+function getCargoMetadata() {
+  try {
+    const output = execSync('cargo metadata --format-version 1', {
+      encoding: 'utf8',
+      timeout: 30000, // 30 second timeout for large projects
+      cwd: process.cwd(),
+      stdio: ['pipe', 'pipe', 'pipe']
+    })
+    return JSON.parse(output)
+  } catch (error) {
+    // Check if Cargo is not installed
+    if (error.message.includes('command not found') ||
+        error.message.includes('not recognized') ||
+        error.message.includes('ENOENT')) {
+      throw new Error(
+        'Cargo not installed.\n\n' +
+        'Install Rust/Cargo: https://rustup.rs\n' +
+        'Or skip scanning: licenseguard init --noscan'
+      )
+    }
+
+    // Check for project not found / no Cargo.toml
+    if (error.message.includes('could not find') ||
+        error.message.includes('no Cargo.toml')) {
+      throw new Error(
+        'No Cargo.toml found in current directory.\n\n' +
+        'Make sure you are in a Rust project directory.'
+      )
+    }
+
+    throw new Error('Failed to get Cargo metadata: ' + error.message)
+  }
+}
+
+/**
+ * Normalize license string from Rust ecosystem conventions to SPDX format
+ * Many older Rust crates use "/" instead of " OR " for dual-licensing
+ * e.g., "MIT/Apache-2.0" → "MIT OR Apache-2.0"
+ *
+ * @param {string} license - Raw license string from Cargo metadata
+ * @returns {string} Normalized SPDX-compliant license string
+ */
+function normalizeLicense(license) {
+  if (!license) return license
+
+  // Rust ecosystem convention: "/" means OR (dual-licensing)
+  // Convert "MIT/Apache-2.0" → "MIT OR Apache-2.0"
+  // Handle both "MIT/Apache-2.0" and "Apache-2.0 / MIT" (with spaces)
+  if (license.includes('/') && !license.includes(' OR ')) {
+    return license
+      .split('/')
+      .map(part => part.trim())
+      .join(' OR ')
+  }
+
+  return license
+}
+
+/**
+ * Extract license from Cargo package metadata
+ * @param {Object} pkg - Package object from cargo metadata
+ * @returns {string} License identifier or 'UNKNOWN'
+ */
+function extractCrateLicense(pkg) {
+  // Cargo metadata includes license field (SPDX format)
+  // e.g., "MIT", "Apache-2.0", "MIT OR Apache-2.0"
+  if (pkg.license) {
+    // Normalize legacy Rust license format to SPDX
+    return normalizeLicense(pkg.license)
+  }
+
+  // Some crates use license_file instead
+  if (pkg.license_file) {
+    return 'UNKNOWN' // Would need to parse license file content
+  }
+
+  return 'UNKNOWN'
+}
+
+/**
+ * Filter packages to only include actual dependencies (not root package)
+ * @param {Object} metadata - Cargo metadata object
+ * @returns {Array} Array of dependency packages
+ */
+function filterDependencies(metadata) {
+  const packages = metadata.packages || []
+  const rootPackageId = metadata.resolve?.root
+
+  // Filter out the root package (the project itself)
+  return packages.filter(pkg => {
+    // Skip if this is the root package
+    if (rootPackageId && pkg.id === rootPackageId) {
+      return false
+    }
+
+    // Skip packages that are path dependencies from the workspace root
+    // These are typically the project's own packages
+    if (pkg.source === null && pkg.manifest_path) {
+      const manifestPath = pkg.manifest_path
+      // If manifest is in the current directory or a subdirectory, it's part of the project
+      const cwd = process.cwd()
+      if (manifestPath.startsWith(cwd)) {
+        return false
+      }
+    }
+
+    return true
+  })
+}
+
+/**
+ * Scan all Cargo dependencies for license compatibility
+ * @param {string} projectLicense - The project's license (SPDX format)
+ * @returns {Promise<Object>} Scan results
+ */
+async function scanDependencies(projectLicense) {
+  // Get metadata via Cargo CLI
+  const metadata = getCargoMetadata()
+
+  // Filter to only actual dependencies
+  const packages = filterDependencies(metadata)
+
+  const results = {
+    timestamp: new Date().toISOString(),
+    totalDependencies: packages.length,
+    compatible: 0,
+    incompatible: 0,
+    unknown: 0,
+    issues: []
+  }
+
+  // Scan each dependency
+  for (let i = 0; i < packages.length; i++) {
+    showProgress(i + 1, packages.length)
+
+    const pkg = packages[i]
+    const license = extractCrateLicense(pkg)
+
+    // Check compatibility using universal compat-checker
+    const compatResult = checkCompatibility(projectLicense, license)
+
+    if (!compatResult.compatible) {
+      const isUnknown = license === 'UNKNOWN'
+
+      if (isUnknown) {
+        results.unknown++
+      } else {
+        results.incompatible++
+      }
+
+      results.issues.push({
+        package: `${pkg.name}@${pkg.version}`,
+        license: license,
+        type: isUnknown ? 'warning' : 'conflict',
+        reason: compatResult.reason,
+        location: pkg.manifest_path || 'crates.io'
+      })
+    } else {
+      results.compatible++
+    }
+  }
+
+  return results
+}
+
+module.exports = {
+  detect,
+  scanDependencies,
+  // Export internal functions for testing
+  getCargoMetadata,
+  extractCrateLicense,
+  filterDependencies,
+  normalizeLicense
+}