Merge branch 'pivotal:master' into upgrade-thor

.rubocop.yml

@@ -27,9 +27,9 @@ BlockLength:
 ClassLength:
   Enabled: false
 CyclomaticComplexity:
-  Max: 10
+  Max: 15
 PerceivedComplexity:
-  Max: 10
+  Max: 15
 LineLength:
   Max: 200
 MethodLength:

CHANGELOG.md

@@ -1,3 +1,38 @@
+# [6.14.2] / 2021-10-27
+
+### Added
+* Zlib License - [0f004b52](https://github.com/pivotal/LicenseFinder/commit/0f004b528d436b4d53db8bd373ede0594c07d9e8) - blooper05
+
+# [6.14.1] / 2021-06-25
+
+First two commit were supposed to show up in v6.14.0, but GPG bug prevented a correct build. Therefore, a follow up patch build was made to include the GPG fix.
+
+### Changed
+* Upgrade Docker image to use Ubuntu Bionic [#178471230] [1c12588c](https://github.com/pivotal/LicenseFinder/commit/1c12588cceecb8b7350d090c85b519b24bcc6682)
+* Update the default timezone to GMT [#178471230] - [9fcab84](https://github.com/pivotal/LicenseFinder/commit/9fcab84605cda81e7f276d3c567d14409e371333)
+* Use local copy of Swift puglic GPG keys [#178674224] - [4db4b3e](https://github.com/pivotal/LicenseFinder/commit/4db4b3e5980ca52019549d74da574a2342a7846e)
+
+### Added 
+* Added --npm_options option to customize npm behavior. [b8457a62](https://github.com/pivotal/LicenseFinder/commit/b8457a62e7b531294934364d1e5f72cd78a7686a) - Alexander-Malott 
+
+### Security
+* Fix issue where commands could be injected running on Cocoapods projects. [b0a61a2d](https://github.com/pivotal/LicenseFinder/commit/b0a61a2d833921c714cc39cdda8ba80af3f33d04)
+
+  Thanks to Joern SchneeweiszStaff Security Engineer, Security Research | GitLab for raising the issue
+
+
+# [6.13.0] / 2021-04-27
+
+### Fixed
+* Ignore packages with nil modules - [4eca0ec1](https://github.com/pivotal/LicenseFinder/commit/4eca0ec15dc6266afa48b74b3742278351246eb8) 
+
+# [6.12.2] / 2021-04-14
+
+### Changed
+* exit when go mod list command fails - [fcf1f707](https://github.com/pivotal/LicenseFinder/commit/fcf1f7076dee2ff730e3c8b608381aca22de0e92) - Jeff Jun
+
+# [6.12.1] / 2021-04-12
+
 # [6.12.0] / 2021-03-05
 
 ### Added
@@ -939,3 +974,8 @@ Bugfixes:
 [6.10.1]: https://github.com/pivotal/LicenseFinder/compare/v6.10.0...v6.10.1
 [6.11.0]: https://github.com/pivotal/LicenseFinder/compare/v6.10.1...v6.11.0
 [6.12.0]: https://github.com/pivotal/LicenseFinder/compare/v6.11.0...v6.12.0
+[6.12.1]: https://github.com/pivotal/LicenseFinder/compare/v6.12.0...v6.12.1
+[6.12.2]: https://github.com/pivotal/LicenseFinder/compare/v6.12.1...v6.12.2
+[6.13.0]: https://github.com/pivotal/LicenseFinder/compare/v6.12.2...v6.13.0
+[6.14.1]: https://github.com/pivotal/LicenseFinder/compare/v6.13.0...v6.14.1
+[6.14.2]: https://github.com/pivotal/LicenseFinder/compare/v6.14.1...v6.14.2

Dockerfile

@@ -1,4 +1,6 @@
-FROM ubuntu:xenial
+FROM ubuntu:bionic
+
+WORKDIR /tmp
 
 # Versioning
 ENV PIP_INSTALL_VERSION 19.0.2
@@ -18,7 +20,8 @@ RUN apt-get update && apt-get install -y \
   sudo \
   unzip \
   wget \
-  gnupg2 \ 
+  gnupg2 \
+  apt-utils \
   software-properties-common \
   bzr
 
@@ -76,7 +79,6 @@ RUN mkdir -p /usr/local/share/sbt-launcher-packaging && \
     rm -f "/tmp/sbt-${SBT_VERSION}.tgz"
 
 # install gradle
-WORKDIR /tmp
 RUN curl -L -o gradle.zip https://services.gradle.org/distributions/gradle-$GRADLE_VERSION-bin.zip && \
     unzip -q gradle.zip && \
     rm gradle.zip && \
@@ -102,18 +104,24 @@ RUN mkdir /gopath && \
   go get -u github.com/rancher/trash && \
   go clean -cache
 
+WORKDIR /tmp
 # Fix the locale
 RUN apt-get install -y locales
 RUN locale-gen en_US.UTF-8
 ENV LANG=en_US.UTF-8
 ENV LANGUAGE=en_US:en
 ENV LC_ALL=en_US.UTF-8
 
+# install Cargo
+RUN curl https://sh.rustup.rs -sSf | bash -ls -- -y --profile minimal
+
 #install rvm
 RUN apt-add-repository -y ppa:rael-gc/rvm && \
     apt update && apt install -y rvm && \
     /usr/share/rvm/bin/rvm install --default $RUBY_VERSION
-ENV PATH=/usr/share/rvm/bin:$PATH
+
+# install bundler
+RUN bash -lc "gem update --system && gem install bundler"
 
 #install mix
 RUN wget https://packages.erlang-solutions.com/erlang-solutions_${MIX_VERSION}_all.deb && \
@@ -123,41 +131,40 @@ RUN wget https://packages.erlang-solutions.com/erlang-solutions_${MIX_VERSION}_a
     sudo apt-get install -y esl-erlang && \
     sudo apt-get install -y elixir
 
-# install bundler
-RUN bash -lc "gem update --system && gem install bundler"
-
 # install conan
 RUN apt-get install -y python-dev && \
 	pip install --no-cache-dir --ignore-installed six --ignore-installed colorama \
 	    --ignore-installed requests --ignore-installed chardet \
 	    --ignore-installed urllib3 \
 	    --upgrade setuptools && \
-    pip install --no-cache-dir -Iv conan==1.11.2
+    pip install --no-cache-dir -Iv conan==1.11.2 && \
+    conan config install https://github.com/conan-io/conanclientcert.git
 
-# install Cargo
-RUN curl https://sh.rustup.rs -sSf | bash -s -- -y --profile minimal
 
 # install NuGet (w. mono)
 # https://docs.microsoft.com/en-us/nuget/install-nuget-client-tools#macoslinux
 RUN apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF &&\
-  echo "deb https://download.mono-project.com/repo/ubuntu stable-xenial main" | sudo tee /etc/apt/sources.list.d/mono-official-stable.list &&\
+  echo "deb https://download.mono-project.com/repo/ubuntu stable-bionic main" | sudo tee /etc/apt/sources.list.d/mono-official-stable.list &&\
   apt-get update &&\
   apt-get install -y mono-complete &&\
   curl -o "/usr/local/bin/nuget.exe" "https://dist.nuget.org/win-x86-commandline/latest/nuget.exe" &&\
   curl -o "/usr/local/bin/nugetv3.5.0.exe" "https://dist.nuget.org/win-x86-commandline/v3.5.0/nuget.exe"
 
 # install dotnet core
-WORKDIR /tmp
-RUN wget -q https://packages.microsoft.com/config/ubuntu/16.04/packages-microsoft-prod.deb &&\
+RUN wget -q https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb &&\
   sudo dpkg -i packages-microsoft-prod.deb &&\
   rm packages-microsoft-prod.deb &&\
   sudo apt-get update &&\
   sudo apt-get install -y dotnet-runtime-2.1 dotnet-sdk-2.1 dotnet-sdk-2.2 dotnet-sdk-3.0 dotnet-sdk-3.1
 
 # install Composer
+# The ARG and ENV are for installing tzdata which is part of this installaion.
+# https://serverfault.com/questions/949991/how-to-install-tzdata-on-a-ubuntu-docker-image
+ENV TZ=GMT
 RUN apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 4F4EA0AAE5267A6C &&\
-    echo "deb http://ppa.launchpad.net/ondrej/php/ubuntu xenial main" | sudo tee /etc/apt/sources.list.d/php.list &&\
+    echo "deb http://ppa.launchpad.net/ondrej/php/ubuntu bionic main" | sudo tee /etc/apt/sources.list.d/php.list &&\
     apt-get update &&\
+    export DEBIAN_FRONTEND=noninteractive &&\
     apt-get install -y php7.4-cli &&\
     EXPECTED_COMPOSER_INSTALLER_CHECKSUM="$(curl --silent https://composer.github.io/installer.sig)" &&\
     php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" &&\
@@ -170,7 +177,6 @@ RUN apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 4F4EA0AAE5
 # install miniconda
 # See https://docs.conda.io/en/latest/miniconda_hashes.html
 # for latest versions and SHAs.
-WORKDIR /tmp
 RUN  \
   conda_installer=Miniconda3-py38_4.9.2-Linux-x86_64.sh &&\
   ref='1314b90489f154602fd794accfc90446111514a5a72fe1f71ab83e07de9504a7' &&\
@@ -179,6 +185,61 @@ RUN  \
   ([ "$sha" = "${ref}" ] || (echo "Verification failed: ${sha} != ${ref}"; false)) &&\
   (echo; echo "yes") | sh "${conda_installer}"
 
+# install Swift Package Manager
+# Based on https://github.com/apple/swift-docker/blob/main/5.3/ubuntu/18.04/Dockerfile
+# The GPG download steps has been modified. Keys are now on LF repo and copied instaad of downloaded.
+# Refer to https://swift.org/download/#using-downloads in the Linux section on how to download the keys
+RUN apt-get -q install -y \
+    libatomic1 \
+    libcurl4 \
+    libxml2 \
+    libedit2 \
+    libsqlite3-0 \
+    libc6-dev \
+    binutils \
+    libgcc-5-dev \
+    libstdc++-5-dev \
+    zlib1g-dev \
+    libpython2.7 \
+    tzdata \
+    git \
+    pkg-config \
+    && rm -r /var/lib/apt/lists/*
+
+# pub   4096R/ED3D1561 2019-03-22 [SC] [expires: 2023-03-23]
+#       Key fingerprint = A62A E125 BBBF BB96 A6E0  42EC 925C C1CC ED3D 1561
+# uid                  Swift 5.x Release Signing Key <[email protected]
+ARG SWIFT_SIGNING_KEY=A62AE125BBBFBB96A6E042EC925CC1CCED3D1561
+ARG SWIFT_PLATFORM=ubuntu18.04
+ARG SWIFT_BRANCH=swift-5.3.3-release
+ARG SWIFT_VERSION=swift-5.3.3-RELEASE
+ARG SWIFT_WEBROOT=https://download.swift.org
+
+ENV SWIFT_SIGNING_KEY=$SWIFT_SIGNING_KEY \
+    SWIFT_PLATFORM=$SWIFT_PLATFORM \
+    SWIFT_BRANCH=$SWIFT_BRANCH \
+    SWIFT_VERSION=$SWIFT_VERSION \
+    SWIFT_WEBROOT=$SWIFT_WEBROOT
+
+COPY swift-all-keys.asc .
+RUN set -e; \
+    SWIFT_WEBDIR="$SWIFT_WEBROOT/$SWIFT_BRANCH/$(echo $SWIFT_PLATFORM | tr -d .)" \
+    && SWIFT_BIN_URL="$SWIFT_WEBDIR/$SWIFT_VERSION/$SWIFT_VERSION-$SWIFT_PLATFORM.tar.gz" \
+    && SWIFT_SIG_URL="$SWIFT_BIN_URL.sig" \
+    # - Grab curl here so we cache better up above
+    && export DEBIAN_FRONTEND=noninteractive \
+    && apt-get -q update && apt-get -q install -y curl && rm -rf /var/lib/apt/lists/* \
+    # - Download the GPG keys, Swift toolchain, and toolchain signature, and verify.
+    && export GNUPGHOME="$(mktemp -d)" \
+    && curl -fsSL "$SWIFT_BIN_URL" -o swift.tar.gz "$SWIFT_SIG_URL" -o swift.tar.gz.sig \
+    && gpg --import swift-all-keys.asc \
+    && gpg --batch --verify swift.tar.gz.sig swift.tar.gz \
+    # - Unpack the toolchain, set libs permissions, and clean up.
+    && tar -xzf swift.tar.gz --directory / --strip-components=1 \
+    && chmod -R o+r /usr/lib/swift \
+    && rm -rf "$GNUPGHOME" swift.tar.gz.sig swift.tar.gz \
+    set +e
+
 # install license_finder
 COPY . /LicenseFinder
 RUN bash -lc "cd /LicenseFinder && bundle config set no-cache 'true' && bundle install -j4 && rake install"

README.md

@@ -44,7 +44,7 @@ and give you an actionable exception report.
 ### Experimental project types
 
 * Erlang (via `rebar` and `Erlang.mk`)
-* Objective-C, Swift (via Carthage or CocoaPods \[0.39 and below. See [CocoaPods Specs Repo Sharding](http://blog.cocoapods.org/Sharding/)\])
+* Objective-C, Swift (via Carthage, CocoaPods \[0.39 and below. See [CocoaPods Specs Repo Sharding](http://blog.cocoapods.org/Sharding/)\]) and Swift Package Manager)
 * Objective-C (+ CocoaPods 0.39 and below. See [CocoaPods Specs Repo Sharding](http://blog.cocoapods.org/Sharding/))
 * Elixir (via `mix`)
 * Golang (via `gvt`, `glide`,`dep`, `trash` and `govendor`)
@@ -176,6 +176,7 @@ languages, as long as that language has a package definition in the project dire
 * `bower.json` (for `bower`)
 * `Podfile` (for `pod`)
 * `Cartfile` (for `carthage`)
+* `workspace-state.json` under build directory (provided as enviroment variable `SPM_DERIVED_DATA` for Xcode, or default `.build` for non-Xcode projects), (for `spm`)
 * `rebar.config` (for `rebar`)
 * `Erlang.mk` or `erlang.mk` file (for `Erlang.mk`)
 * `mix.exs` (for `mix`)

VERSION

@@ -1 +1 @@
-6.12.0
+6.14.2

bin/license_finder_pip.py

@@ -1,5 +1,4 @@
 #!/usr/bin/env python
-
 import json
 import sys
 
@@ -21,12 +20,16 @@
 from pip._vendor import pkg_resources
 from pip._vendor.six import print_
 
+
 reqs = []
 for req in parse_requirements(sys.argv[1], session=PipSession()):
-    if req.req == None or (req.markers != None and not req.markers.evaluate()): continue
-    reqs.append(req)
-
-requirements = [pkg_resources.Requirement.parse(str(req.req)) for req in reqs]
+    try:
+        if req.req is not None and (req.markers is None or req.markers.evaluate()):
+            reqs.append(pkg_resources.Requirement.parse(str(req.req)))
+    except AttributeError:
+        # Since pip 20.1 (pip now takes care of markers at the resolve step)
+        if req.requirement is not None:
+            reqs.append(pkg_resources.Requirement.parse(str(req.requirement)))
 
 transform = lambda dist: {
         'name': dist.project_name,
@@ -35,7 +38,6 @@
         'dependencies': list(map(lambda dependency: dependency.project_name, dist.requires())),
         }
 
-packages = [transform(dist) for dist
-            in pkg_resources.working_set.resolve(requirements)]
 
+packages = [transform(dist) for dist in pkg_resources.working_set.resolve(reqs)]
 print_(json.dumps(packages))

features/features/package_managers/conda_spec.rb

@@ -12,6 +12,6 @@
   specify 'are shown in reports' do
     LicenseFinder::TestingDSL::CondaProject.create
     conda_developer.run_license_finder
-    expect(conda_developer).to be_seeing_line 'zlib, 1.2.11, zlib'
+    expect(conda_developer).to be_seeing_line 'zlib, 1.2.11, "zlib/libpng license"'
   end
 end

features/features/package_managers/spm_spec.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require_relative '../../support/feature_helper'
+
+describe 'SPM Dependencies' do
+  # As a developer on Apple platforms
+  # I want to be able to manage Swift Package Manager dependencies
+
+  let(:apple_platform_developer) { LicenseFinder::TestingDSL::User.new }
+
+  specify 'are shown in reports' do
+    LicenseFinder::TestingDSL::SpmProject.create
+    apple_platform_developer.run_license_finder
+    expect(apple_platform_developer).to be_seeing_line 'URLSessionDecodable, 0.1.0, "Apache 2.0"'
+  end
+end

features/fixtures/Package.swift

@@ -0,0 +1,21 @@
+// swift-tools-version:5.1
+// The swift-tools-version declares the minimum version of Swift required to build this package.
+
+import PackageDescription
+
+let package = Package(
+    name: "example",
+    products: [
+        .executable(name: "Test", targets: ["Test"]),
+    ],
+    dependencies: [
+	   .package(url: "https://github.com/ViacomInc/URLSessionDecodable.git", .exact("0.1.0"))
+    ],
+    targets: [
+        // Targets are the basic building blocks of a package. A target can define a module or a test suite.
+        // Targets can depend on other targets in this package, and on products in packages which this package depends on.
+        .target(
+            name: "Test",
+            dependencies: ["URLSessionDecodable"]),
+    ]
+)

features/support/testing_dsl.rb

@@ -482,6 +482,16 @@ def install
       end
     end
 
+    class SpmProject < Project
+      def add_dep
+        install_fixture('Package.swift')
+      end
+
+      def install
+        shell_out('swift package resolve')
+      end
+    end
+
     class ConanProject < Project
       def add_dep
         install_fixture('conanfile.txt')

lib/license_finder/cli/base.rb

@@ -42,6 +42,7 @@ def license_finder_config
           :gradle_include_groups,
           :maven_include_groups,
           :maven_options,
+          :npm_options,
           :pip_requirements_path,
           :python_version,
           :rebar_command,

lib/license_finder/cli/main.rb

@@ -30,6 +30,7 @@ class Main < Base
                           Defaults to 'gradlew' / 'gradlew.bat' if the wrapper is present, otherwise to 'gradle'."
       class_option :maven_include_groups, desc: 'Whether dependency name should include group id. Only meaningful if used with a Java/maven project. Defaults to false.'
       class_option :maven_options, desc: 'Maven options to append to command. Defaults to empty.'
+      class_option :npm_options, desc: 'npm options to append to command. Defaults to empty.'
       class_option :pip_requirements_path, desc: 'Path to python requirements file. Defaults to requirements.txt.'
       class_option :python_version, desc: 'Python version to invoke pip with. Valid versions: 2 or 3. Default: 2'
       class_option :rebar_command, desc: "Command to use when fetching rebar packages. Only meaningful if used with a Erlang/rebar project. Defaults to 'rebar'."

lib/license_finder/configuration.rb

@@ -93,6 +93,10 @@ def maven_options
       get(:maven_options)
     end
 
+    def npm_options
+      get(:npm_options)
+    end
+
     def pip_requirements_path
       get(:pip_requirements_path)
     end

lib/license_finder/core.rb

@@ -99,6 +99,7 @@ def options # rubocop:disable Metrics/AbcSize
         gradle_include_groups: config.gradle_include_groups,
         maven_include_groups: config.maven_include_groups,
         maven_options: config.maven_options,
+        npm_options: config.npm_options,
         pip_requirements_path: config.pip_requirements_path,
         python_version: config.python_version,
         rebar_command: config.rebar_command,