Compare commits
7 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 310ae5f6ae | |||
| 4fabda986c | |||
| dfbe08e4d2 | |||
| 3fc792b939 | |||
| 748dfadbc3 | |||
| a97084db22 | |||
| e7ebeffdf9 |
@@ -1,13 +1,9 @@
|
||||
import {expect, test, beforeEach} from '@jest/globals'
|
||||
import {readConfig} from '../src/config'
|
||||
import {getRefs} from '../src/git-refs'
|
||||
import * as Utils from '../src/utils'
|
||||
import * as spdx from '../src/spdx'
|
||||
import {setInput, clearInputs} from './test-helpers'
|
||||
|
||||
beforeAll(() => {
|
||||
jest.spyOn(Utils, 'isSPDXValid').mockReturnValue(true)
|
||||
})
|
||||
|
||||
beforeEach(() => {
|
||||
clearInputs()
|
||||
})
|
||||
@@ -19,11 +15,11 @@ test('it defaults to low severity', async () => {
|
||||
|
||||
test('it reads custom configs', async () => {
|
||||
setInput('fail-on-severity', 'critical')
|
||||
setInput('allow-licenses', ' BSD, GPL 2')
|
||||
setInput('allow-licenses', 'ISC, GPL-2.0')
|
||||
|
||||
const config = await readConfig()
|
||||
expect(config.fail_on_severity).toEqual('critical')
|
||||
expect(config.allow_licenses).toEqual(['BSD', 'GPL 2'])
|
||||
expect(config.allow_licenses).toEqual(['ISC', 'GPL-2.0'])
|
||||
})
|
||||
|
||||
test('it defaults to false for warn-only', async () => {
|
||||
@@ -40,7 +36,7 @@ test('it defaults to empty allow/deny lists ', async () => {
|
||||
|
||||
test('it raises an error if both an allow and denylist are specified', async () => {
|
||||
setInput('allow-licenses', 'MIT')
|
||||
setInput('deny-licenses', 'BSD')
|
||||
setInput('deny-licenses', 'BSD-3-Clause')
|
||||
|
||||
await expect(readConfig()).rejects.toThrow(
|
||||
'You cannot specify both allow-licenses and deny-licenses'
|
||||
@@ -204,21 +200,17 @@ test('it is not possible to disable both checks', async () => {
|
||||
})
|
||||
|
||||
describe('licenses that are not valid SPDX licenses', () => {
|
||||
beforeAll(() => {
|
||||
jest.spyOn(Utils, 'isSPDXValid').mockReturnValue(false)
|
||||
})
|
||||
|
||||
test('it raises an error for invalid licenses in allow-licenses', async () => {
|
||||
setInput('allow-licenses', ' BSD, GPL 2')
|
||||
setInput('allow-licenses', ' BSD-YOLO, GPL-2.0')
|
||||
await expect(readConfig()).rejects.toThrow(
|
||||
'Invalid license(s) in allow-licenses: BSD,GPL 2'
|
||||
'Invalid license(s) in allow-licenses: BSD-YOLO'
|
||||
)
|
||||
})
|
||||
|
||||
test('it raises an error for invalid licenses in deny-licenses', async () => {
|
||||
setInput('deny-licenses', ' BSD, GPL 2')
|
||||
setInput('deny-licenses', ' GPL-2.0, BSD-YOLO, Apache-2.0, ToIll')
|
||||
await expect(readConfig()).rejects.toThrow(
|
||||
'Invalid license(s) in deny-licenses: BSD,GPL 2'
|
||||
'Invalid license(s) in deny-licenses: BSD-YOLO, ToIll'
|
||||
)
|
||||
})
|
||||
})
|
||||
|
||||
@@ -33,11 +33,6 @@ jest.mock('octokit', () => {
|
||||
|
||||
beforeEach(async () => {
|
||||
jest.resetModules()
|
||||
jest.doMock('spdx-satisfies', () => {
|
||||
// mock spdx-satisfies return value
|
||||
// true for BSD, false for all others
|
||||
return jest.fn((license: string, _: string): boolean => license === 'BSD')
|
||||
})
|
||||
|
||||
npmChange = createTestChange({ecosystem: 'npm'})
|
||||
rubyChange = createTestChange({ecosystem: 'rubygems'})
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
import {expect, test, beforeEach} from '@jest/globals'
|
||||
import {readConfig} from '../src/config'
|
||||
import * as Utils from '../src/utils'
|
||||
import * as spdx from '../src/spdx'
|
||||
import {setInput, clearInputs} from './test-helpers'
|
||||
|
||||
const externalConfig = `fail_on_severity: 'high'
|
||||
@@ -25,10 +25,6 @@ jest.mock('octokit', () => {
|
||||
}
|
||||
})
|
||||
|
||||
beforeAll(() => {
|
||||
jest.spyOn(Utils, 'isSPDXValid').mockReturnValue(true)
|
||||
})
|
||||
|
||||
beforeEach(() => {
|
||||
clearInputs()
|
||||
})
|
||||
@@ -38,7 +34,7 @@ test('it reads an external config file', async () => {
|
||||
|
||||
const config = await readConfig()
|
||||
expect(config.fail_on_severity).toEqual('critical')
|
||||
expect(config.allow_licenses).toEqual(['BSD', 'GPL 2'])
|
||||
expect(config.allow_licenses).toEqual(['BSD-3-Clause', 'GPL-2.0'])
|
||||
})
|
||||
|
||||
test('raises an error when the config file was not found', async () => {
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
fail_on_severity: critical
|
||||
allow_licenses:
|
||||
- 'BSD'
|
||||
- 'GPL 2'
|
||||
- 'BSD-3-Clause'
|
||||
- 'GPL-2.0'
|
||||
|
||||
+29
-30
@@ -1,7 +1,6 @@
|
||||
import {expect, jest, test} from '@jest/globals'
|
||||
import {Change, Changes} from '../src/schemas'
|
||||
|
||||
let getInvalidLicenseChanges: Function
|
||||
import {getInvalidLicenseChanges} from '../src/licenses'
|
||||
|
||||
const npmChange: Change = {
|
||||
manifest: 'package.json',
|
||||
@@ -30,7 +29,7 @@ const rubyChange: Change = {
|
||||
name: 'actionsomething',
|
||||
version: '3.2.0',
|
||||
package_url: 'pkg:gem/actionsomething@3.2.0',
|
||||
license: 'BSD',
|
||||
license: 'BSD-3-Clause',
|
||||
source_repository_url: 'github.com/some-repo',
|
||||
scope: 'runtime',
|
||||
vulnerabilities: [
|
||||
@@ -100,29 +99,32 @@ jest.mock('octokit', () => {
|
||||
|
||||
beforeEach(async () => {
|
||||
jest.resetModules()
|
||||
jest.doMock('spdx-satisfies', () => {
|
||||
// mock spdx-satisfies return value
|
||||
// true for BSD, false for all others
|
||||
return jest.fn((license: string, _: string): boolean => license === 'BSD')
|
||||
})
|
||||
// eslint-disable-next-line @typescript-eslint/no-require-imports
|
||||
;({getInvalidLicenseChanges} = require('../src/licenses'))
|
||||
})
|
||||
|
||||
test('it adds license outside the allow list to forbidden changes', async () => {
|
||||
const changes: Changes = [npmChange, rubyChange]
|
||||
const changes: Changes = [
|
||||
npmChange, // MIT license
|
||||
rubyChange // BSD license
|
||||
]
|
||||
|
||||
const {forbidden} = await getInvalidLicenseChanges(changes, {
|
||||
allow: ['BSD']
|
||||
allow: ['BSD-3-Clause']
|
||||
})
|
||||
|
||||
expect(forbidden[0]).toBe(npmChange)
|
||||
expect(forbidden.length).toEqual(1)
|
||||
})
|
||||
|
||||
test('it adds license inside the deny list to forbidden changes', async () => {
|
||||
const changes: Changes = [npmChange, rubyChange]
|
||||
const changes: Changes = [
|
||||
npmChange, // MIT license
|
||||
rubyChange // BSD license
|
||||
]
|
||||
|
||||
const {forbidden} = await getInvalidLicenseChanges(changes, {
|
||||
deny: ['BSD']
|
||||
deny: ['BSD-3-Clause']
|
||||
})
|
||||
|
||||
expect(forbidden[0]).toBe(rubyChange)
|
||||
expect(forbidden.length).toEqual(1)
|
||||
})
|
||||
@@ -133,7 +135,7 @@ test('it does not add license outside the allow list to forbidden changes if it
|
||||
{...rubyChange, change_type: 'removed'}
|
||||
]
|
||||
const {forbidden} = await getInvalidLicenseChanges(changes, {
|
||||
allow: ['BSD']
|
||||
allow: ['BSD-3-Clause']
|
||||
})
|
||||
expect(forbidden).toStrictEqual([])
|
||||
})
|
||||
@@ -144,7 +146,7 @@ test('it does not add license inside the deny list to forbidden changes if it is
|
||||
{...rubyChange, change_type: 'removed'}
|
||||
]
|
||||
const {forbidden} = await getInvalidLicenseChanges(changes, {
|
||||
deny: ['BSD']
|
||||
deny: ['BSD-3-Clause']
|
||||
})
|
||||
expect(forbidden).toStrictEqual([])
|
||||
})
|
||||
@@ -156,23 +158,18 @@ test('it adds license outside the allow list to forbidden changes if it is in bo
|
||||
{...rubyChange, change_type: 'removed'}
|
||||
]
|
||||
const {forbidden} = await getInvalidLicenseChanges(changes, {
|
||||
allow: ['BSD']
|
||||
allow: ['BSD-3-Clause']
|
||||
})
|
||||
expect(forbidden).toStrictEqual([npmChange])
|
||||
})
|
||||
|
||||
test('it adds all licenses to unresolved if it is unable to determine the validity', async () => {
|
||||
jest.resetModules() // reset module set in before
|
||||
jest.doMock('spdx-satisfies', () => {
|
||||
return jest.fn((_first: string, _second: string) => {
|
||||
throw new Error('Some Error')
|
||||
})
|
||||
})
|
||||
// eslint-disable-next-line @typescript-eslint/no-require-imports
|
||||
;({getInvalidLicenseChanges} = require('../src/licenses'))
|
||||
const changes: Changes = [npmChange, rubyChange]
|
||||
const changes: Changes = [
|
||||
{...npmChange, license: 'Foo'},
|
||||
{...rubyChange, license: 'Bar'}
|
||||
]
|
||||
const invalidLicenses = await getInvalidLicenseChanges(changes, {
|
||||
allow: ['BSD']
|
||||
allow: ['Apache-2.0']
|
||||
})
|
||||
expect(invalidLicenses.forbidden.length).toEqual(0)
|
||||
expect(invalidLicenses.unlicensed.length).toEqual(0)
|
||||
@@ -182,7 +179,7 @@ test('it adds all licenses to unresolved if it is unable to determine the validi
|
||||
test('it does not filter out changes that are on the exclusions list', async () => {
|
||||
const changes: Changes = [pipChange, npmChange, rubyChange]
|
||||
const licensesConfig = {
|
||||
allow: ['BSD'],
|
||||
allow: ['BSD-3-Clause'],
|
||||
licenseExclusions: ['pkg:pypi/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
|
||||
}
|
||||
const invalidLicenses = await getInvalidLicenseChanges(
|
||||
@@ -198,7 +195,7 @@ test('it does not fail when the packages dont have a valid PURL', async () => {
|
||||
|
||||
const changes: Changes = [emptyPurlChange, npmChange, rubyChange]
|
||||
const licensesConfig = {
|
||||
allow: ['BSD'],
|
||||
allow: ['BSD-3-Clause'],
|
||||
licenseExclusions: ['pkg:pypi/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
|
||||
}
|
||||
|
||||
@@ -212,16 +209,18 @@ test('it does not fail when the packages dont have a valid PURL', async () => {
|
||||
test('it does filters out changes if they are not on the exclusions list', async () => {
|
||||
const changes: Changes = [pipChange, npmChange, rubyChange]
|
||||
const licensesConfig = {
|
||||
allow: ['BSD'],
|
||||
allow: ['BSD-3-Clause'],
|
||||
licenseExclusions: [
|
||||
'pkg:pypi/notmypackage-1@1.1.1',
|
||||
'pkg:npm/alsonot@1.0.2'
|
||||
]
|
||||
}
|
||||
|
||||
const invalidLicenses = await getInvalidLicenseChanges(
|
||||
changes,
|
||||
licensesConfig
|
||||
)
|
||||
|
||||
expect(invalidLicenses.forbidden.length).toEqual(2)
|
||||
expect(invalidLicenses.forbidden[0]).toBe(pipChange)
|
||||
expect(invalidLicenses.forbidden[1]).toBe(npmChange)
|
||||
|
||||
@@ -0,0 +1,267 @@
|
||||
import {expect, test} from '@jest/globals'
|
||||
import * as spdx from '../src/spdx'
|
||||
|
||||
test('satisfiesAny', () => {
|
||||
const units = [
|
||||
{
|
||||
candidate: 'MIT',
|
||||
licenses: ['MIT'],
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR Apache-2.0',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: '(MIT AND ISC) OR Apache-2.0',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'MIT AND Apache-2.0',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT AND BSD-3-Clause',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
|
||||
// missing params, case sensitivity, syntax problems,
|
||||
// or unknown licenses will return 'false'
|
||||
{
|
||||
candidate: 'MIT OR',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: '',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR (Apache-2.0 AND ISC)',
|
||||
licenses: [],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT AND (ISC',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR ISC',
|
||||
licenses: ['MiT'],
|
||||
expected: false
|
||||
}
|
||||
]
|
||||
|
||||
for (const unit of units) {
|
||||
let got: boolean = spdx.satisfiesAny(unit.candidate, unit.licenses)
|
||||
if (got != unit.expected) {
|
||||
console.log(
|
||||
`failing unit test inputs: candidate(${unit.candidate}) licenses(${unit.licenses})`
|
||||
)
|
||||
}
|
||||
expect(got).toBe(unit.expected)
|
||||
}
|
||||
})
|
||||
|
||||
test('satisfiesAll', () => {
|
||||
const units = [
|
||||
{
|
||||
candidate: 'MIT',
|
||||
licenses: ['MIT'],
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'Apache-2.0',
|
||||
licenses: ['MIT', 'ISC', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT AND Apache-2.0',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: '(MIT OR ISC) AND Apache-2.0',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR BSD-3-Clause',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'BSD-3-Clause OR ISC',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: '(MIT AND ISC) OR Apache-2.0',
|
||||
licenses: ['MIT', 'ISC'],
|
||||
expected: true
|
||||
},
|
||||
|
||||
// missing params, case sensitivity, syntax problems,
|
||||
// or unknown licenses will return 'false'
|
||||
{
|
||||
candidate: 'MIT OR',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: '',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR (Apache-2.0 AND ISC)',
|
||||
licenses: [],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT AND (ISC',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR ISC',
|
||||
licenses: ['MiT'],
|
||||
expected: false
|
||||
}
|
||||
]
|
||||
|
||||
for (const unit of units) {
|
||||
let got: boolean = spdx.satisfiesAll(unit.candidate, unit.licenses)
|
||||
if (got != unit.expected) {
|
||||
console.log(
|
||||
`failing unit test inputs: candidate(${unit.candidate}) licenses(${unit.licenses})`
|
||||
)
|
||||
}
|
||||
expect(got).toBe(unit.expected)
|
||||
}
|
||||
})
|
||||
|
||||
test('satisfies', () => {
|
||||
const units = [
|
||||
{
|
||||
candidate: 'MIT',
|
||||
constraint: 'MIT',
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'Apache-2.0',
|
||||
constraint: 'MIT',
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR Apache-2.0',
|
||||
constraint: 'MIT',
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR Apache-2.0',
|
||||
constraint: 'Apache-2.0',
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR Apache-2.0',
|
||||
constraint: 'BSD-3-Clause',
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR Apache-2.0',
|
||||
constraint: 'Apache-2.0 OR BSD-3-Clause',
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'MIT AND Apache-2.0',
|
||||
constraint: 'MIT AND Apache-2.0',
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR Apache-2.0',
|
||||
constraint: 'MIT AND Apache-2.0',
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'ISC OR (MIT AND Apache-2.0)',
|
||||
constraint: 'MIT AND Apache-2.0',
|
||||
expected: true
|
||||
},
|
||||
|
||||
// missing params, case sensitivity, syntax problems,
|
||||
// or unknown licenses will return 'false'
|
||||
{
|
||||
candidate: 'MIT',
|
||||
constraint: 'MiT',
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT AND (ISC OR',
|
||||
constraint: 'MIT',
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR ISC OR Apache-2.0',
|
||||
constraint: '',
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: '',
|
||||
constraint: '(BSD-3-Clause AND ISC) OR MIT',
|
||||
expected: false
|
||||
}
|
||||
]
|
||||
|
||||
for (const unit of units) {
|
||||
let got: boolean = spdx.satisfies(unit.candidate, unit.constraint)
|
||||
if (got != unit.expected) {
|
||||
console.log(
|
||||
`failing unit test inputs: candidateExpr(${unit.candidate}) constraintExpr(${unit.constraint})`
|
||||
)
|
||||
}
|
||||
expect(got).toBe(unit.expected)
|
||||
}
|
||||
})
|
||||
|
||||
test('isValid', () => {
|
||||
const units = [
|
||||
{
|
||||
candidate: 'MIT',
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'MIT AND BSD-3-Clause',
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: '(MIT AND ISC) OR BSD-3-Clause',
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'NOASSERTION',
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'Foobar',
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: '',
|
||||
expected: false
|
||||
}
|
||||
]
|
||||
for (const unit of units) {
|
||||
let got: boolean = spdx.isValid(unit.candidate)
|
||||
if (got != unit.expected) {
|
||||
console.log(`failing unit test inputs: candidateExpr(${unit.candidate})`)
|
||||
}
|
||||
expect(got).toBe(unit.expected)
|
||||
}
|
||||
})
|
||||
+434
-185
@@ -350,6 +350,29 @@ exports.getRefs = getRefs;
|
||||
|
||||
"use strict";
|
||||
|
||||
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
||||
if (k2 === undefined) k2 = k;
|
||||
var desc = Object.getOwnPropertyDescriptor(m, k);
|
||||
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
||||
desc = { enumerable: true, get: function() { return m[k]; } };
|
||||
}
|
||||
Object.defineProperty(o, k2, desc);
|
||||
}) : (function(o, m, k, k2) {
|
||||
if (k2 === undefined) k2 = k;
|
||||
o[k2] = m[k];
|
||||
}));
|
||||
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
||||
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
||||
}) : function(o, v) {
|
||||
o["default"] = v;
|
||||
});
|
||||
var __importStar = (this && this.__importStar) || function (mod) {
|
||||
if (mod && mod.__esModule) return mod;
|
||||
var result = {};
|
||||
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
|
||||
__setModuleDefault(result, mod);
|
||||
return result;
|
||||
};
|
||||
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
|
||||
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
|
||||
return new (P || (P = Promise))(function (resolve, reject) {
|
||||
@@ -359,14 +382,11 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
|
||||
step((generator = generator.apply(thisArg, _arguments || [])).next());
|
||||
});
|
||||
};
|
||||
var __importDefault = (this && this.__importDefault) || function (mod) {
|
||||
return (mod && mod.__esModule) ? mod : { "default": mod };
|
||||
};
|
||||
Object.defineProperty(exports, "__esModule", ({ value: true }));
|
||||
exports.getInvalidLicenseChanges = void 0;
|
||||
const spdx_satisfies_1 = __importDefault(__nccwpck_require__(4424));
|
||||
const utils_1 = __nccwpck_require__(918);
|
||||
const purl_1 = __nccwpck_require__(3609);
|
||||
const spdx = __importStar(__nccwpck_require__(8590));
|
||||
function getInvalidLicenseChanges(changes, licenses) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
var _a;
|
||||
@@ -382,7 +402,7 @@ function getInvalidLicenseChanges(changes, licenses) {
|
||||
return true;
|
||||
}
|
||||
const changeAsPackageURL = (0, purl_1.parsePURL)(encodeURI(change.package_url));
|
||||
// We want to find if the licenseExclussion list contains the PackageURL of the Change
|
||||
// We want to find if the licenseExclusion list contains the PackageURL of the Change
|
||||
// If it does, we want to filter it out and therefore return false
|
||||
// If it doesn't, we want to keep it and therefore return true
|
||||
if (licenseExclusions !== null &&
|
||||
@@ -414,12 +434,22 @@ function getInvalidLicenseChanges(changes, licenses) {
|
||||
else if (validityCache.get(license) === undefined) {
|
||||
try {
|
||||
if (allow !== undefined) {
|
||||
const found = allow.find(spdxExpression => (0, spdx_satisfies_1.default)(license, spdxExpression));
|
||||
validityCache.set(license, found !== undefined);
|
||||
if (spdx.isValid(license)) {
|
||||
const found = spdx.satisfiesAny(license, allow);
|
||||
validityCache.set(license, found);
|
||||
}
|
||||
else {
|
||||
invalidLicenseChanges.unresolved.push(change);
|
||||
}
|
||||
}
|
||||
else if (deny !== undefined) {
|
||||
const found = deny.find(spdxExpression => (0, spdx_satisfies_1.default)(license, spdxExpression));
|
||||
validityCache.set(license, found === undefined);
|
||||
if (spdx.isValid(license)) {
|
||||
const found = spdx.satisfiesAny(license, deny);
|
||||
validityCache.set(license, !found);
|
||||
}
|
||||
else {
|
||||
invalidLicenseChanges.unresolved.push(change);
|
||||
}
|
||||
}
|
||||
}
|
||||
catch (err) {
|
||||
@@ -478,7 +508,7 @@ const setGHLicenses = (changes) => __awaiter(void 0, void 0, void 0, function* (
|
||||
});
|
||||
// Currently Dependency Graph licenses are truncated to 255 characters
|
||||
// This possibly makes them invalid spdx ids
|
||||
const truncatedDGLicense = (license) => license.length === 255 && !(0, utils_1.isSPDXValid)(license);
|
||||
const truncatedDGLicense = (license) => license.length === 255 && !spdx.isValid(license);
|
||||
function groupChanges(changes) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const result = {
|
||||
@@ -1282,6 +1312,93 @@ function getProjectUrl(ecosystem, packageName, version) {
|
||||
exports.getProjectUrl = getProjectUrl;
|
||||
|
||||
|
||||
/***/ }),
|
||||
|
||||
/***/ 8590:
|
||||
/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
|
||||
|
||||
"use strict";
|
||||
|
||||
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
||||
if (k2 === undefined) k2 = k;
|
||||
var desc = Object.getOwnPropertyDescriptor(m, k);
|
||||
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
||||
desc = { enumerable: true, get: function() { return m[k]; } };
|
||||
}
|
||||
Object.defineProperty(o, k2, desc);
|
||||
}) : (function(o, m, k, k2) {
|
||||
if (k2 === undefined) k2 = k;
|
||||
o[k2] = m[k];
|
||||
}));
|
||||
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
||||
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
||||
}) : function(o, v) {
|
||||
o["default"] = v;
|
||||
});
|
||||
var __importStar = (this && this.__importStar) || function (mod) {
|
||||
if (mod && mod.__esModule) return mod;
|
||||
var result = {};
|
||||
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
|
||||
__setModuleDefault(result, mod);
|
||||
return result;
|
||||
};
|
||||
var __importDefault = (this && this.__importDefault) || function (mod) {
|
||||
return (mod && mod.__esModule) ? mod : { "default": mod };
|
||||
};
|
||||
Object.defineProperty(exports, "__esModule", ({ value: true }));
|
||||
exports.isValid = exports.satisfiesAll = exports.satisfiesAny = exports.satisfies = void 0;
|
||||
const spdxlib = __importStar(__nccwpck_require__(9391));
|
||||
const spdx_expression_parse_1 = __importDefault(__nccwpck_require__(1620));
|
||||
/*
|
||||
* NOTE: spdx-license-satisfies methods depend on spdx-expression-parse
|
||||
* which throws errors in the presence of any syntax trouble, unknown
|
||||
* license tokens, case sensitivity problems etc. to simplify handling
|
||||
* you should pre-screen inputs to the satisfies* methods using isValid
|
||||
*/
|
||||
// accepts a pair of well-formed SPDX expressions. the
|
||||
// candidate is tested against the constraint
|
||||
function satisfies(candidateExpr, constraintExpr) {
|
||||
try {
|
||||
return spdxlib.satisfies(candidateExpr, constraintExpr);
|
||||
}
|
||||
catch (_) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
exports.satisfies = satisfies;
|
||||
// accepts an SPDX expression and a non-empty list of licenses (not expressions)
|
||||
function satisfiesAny(candidateExpr, licenses) {
|
||||
try {
|
||||
return spdxlib.satisfiesAny(candidateExpr, licenses);
|
||||
}
|
||||
catch (_) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
exports.satisfiesAny = satisfiesAny;
|
||||
// accepts an SPDX expression and a non-empty list of licenses (not expressions)
|
||||
function satisfiesAll(candidateExpr, licenses) {
|
||||
try {
|
||||
return spdxlib.satisfiesAll(candidateExpr, licenses);
|
||||
}
|
||||
catch (_) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
exports.satisfiesAll = satisfiesAll;
|
||||
// accepts any SPDX expression
|
||||
function isValid(spdxExpr) {
|
||||
try {
|
||||
(0, spdx_expression_parse_1.default)(spdxExpr);
|
||||
return true;
|
||||
}
|
||||
catch (_) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
exports.isValid = isValid;
|
||||
|
||||
|
||||
/***/ }),
|
||||
|
||||
/***/ 8608:
|
||||
@@ -1639,14 +1756,10 @@ var __importStar = (this && this.__importStar) || function (mod) {
|
||||
__setModuleDefault(result, mod);
|
||||
return result;
|
||||
};
|
||||
var __importDefault = (this && this.__importDefault) || function (mod) {
|
||||
return (mod && mod.__esModule) ? mod : { "default": mod };
|
||||
};
|
||||
Object.defineProperty(exports, "__esModule", ({ value: true }));
|
||||
exports.octokitClient = exports.isSPDXValid = exports.renderUrl = exports.getManifestsSet = exports.groupDependenciesByManifest = void 0;
|
||||
exports.octokitClient = exports.renderUrl = exports.getManifestsSet = exports.groupDependenciesByManifest = void 0;
|
||||
const core = __importStar(__nccwpck_require__(2186));
|
||||
const octokit_1 = __nccwpck_require__(7467);
|
||||
const spdx_expression_parse_1 = __importDefault(__nccwpck_require__(1620));
|
||||
function groupDependenciesByManifest(changes) {
|
||||
var _a;
|
||||
const dependencies = new Map();
|
||||
@@ -1675,16 +1788,6 @@ function renderUrl(url, text) {
|
||||
}
|
||||
}
|
||||
exports.renderUrl = renderUrl;
|
||||
function isSPDXValid(license) {
|
||||
try {
|
||||
(0, spdx_expression_parse_1.default)(license);
|
||||
return true;
|
||||
}
|
||||
catch (_) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
exports.isSPDXValid = isSPDXValid;
|
||||
function isEnterprise() {
|
||||
var _a;
|
||||
const serverUrl = new URL((_a = process.env['GITHUB_SERVER_URL']) !== null && _a !== void 0 ? _a : 'https://github.com');
|
||||
@@ -12984,6 +13087,223 @@ var Webhooks = class {
|
||||
0 && (0);
|
||||
|
||||
|
||||
/***/ }),
|
||||
|
||||
/***/ 9391:
|
||||
/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => {
|
||||
|
||||
var compare = __nccwpck_require__(8918)
|
||||
var parse = __nccwpck_require__(1620)
|
||||
var ranges = __nccwpck_require__(9797)
|
||||
|
||||
function rangesAreCompatible (first, second) {
|
||||
return (
|
||||
first.license === second.license ||
|
||||
ranges.some(function (range) {
|
||||
return (
|
||||
licenseInRange(first.license, range) &&
|
||||
licenseInRange(second.license, range)
|
||||
)
|
||||
})
|
||||
)
|
||||
}
|
||||
|
||||
function licenseInRange (license, range) {
|
||||
return (
|
||||
range.indexOf(license) !== -1 ||
|
||||
range.some(function (element) {
|
||||
return (
|
||||
Array.isArray(element) &&
|
||||
element.indexOf(license) !== -1
|
||||
)
|
||||
})
|
||||
)
|
||||
}
|
||||
|
||||
function identifierInRange (identifier, range) {
|
||||
return (
|
||||
identifier.license === range.license ||
|
||||
compare.gt(identifier.license, range.license) ||
|
||||
compare.eq(identifier.license, range.license)
|
||||
)
|
||||
}
|
||||
|
||||
function licensesAreCompatible (first, second) {
|
||||
if (first.exception !== second.exception) {
|
||||
return false
|
||||
} else if (second.hasOwnProperty('license')) {
|
||||
if (second.hasOwnProperty('plus')) {
|
||||
if (first.hasOwnProperty('plus')) {
|
||||
// first+, second+
|
||||
return rangesAreCompatible(first, second)
|
||||
} else {
|
||||
// first, second+
|
||||
return identifierInRange(first, second)
|
||||
}
|
||||
} else {
|
||||
if (first.hasOwnProperty('plus')) {
|
||||
// first+, second
|
||||
return identifierInRange(second, first)
|
||||
} else {
|
||||
// first, second
|
||||
return first.license === second.license
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function replaceGPLOnlyOrLaterWithRanges (argument) {
|
||||
var license = argument.license
|
||||
if (license) {
|
||||
if (endsWith(license, '-or-later')) {
|
||||
argument.license = license.replace('-or-later', '')
|
||||
argument.plus = true
|
||||
} else if (endsWith(license, '-only')) {
|
||||
argument.license = license.replace('-only', '')
|
||||
delete argument.plus
|
||||
}
|
||||
} else if (argument.left && argument.right) {
|
||||
argument.left = replaceGPLOnlyOrLaterWithRanges(argument.left)
|
||||
argument.right = replaceGPLOnlyOrLaterWithRanges(argument.right)
|
||||
}
|
||||
return argument
|
||||
}
|
||||
|
||||
function endsWith (string, substring) {
|
||||
return string.indexOf(substring) === string.length - substring.length
|
||||
}
|
||||
|
||||
function licenseString (e) {
|
||||
if (e.hasOwnProperty('noassertion')) return 'NOASSERTION'
|
||||
if (e.license) {
|
||||
return (
|
||||
e.license +
|
||||
(e.plus ? '+' : '') +
|
||||
(e.exception ? ('WITH ' + e.exception) : '')
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
// Expand the given expression into an equivalent array where each member is an array of licenses AND'd
|
||||
// together and the members are OR'd together. For example, `(MIT OR ISC) AND GPL-3.0` expands to
|
||||
// `[[GPL-3.0 AND MIT], [ISC AND MIT]]`. Note that within each array of licenses, the entries are
|
||||
// normalized (sorted) by license name.
|
||||
function expand (expression) {
|
||||
return sort(expandInner(expression))
|
||||
}
|
||||
|
||||
function expandInner (expression) {
|
||||
if (!expression.conjunction) return [{ [licenseString(expression)]: expression }]
|
||||
if (expression.conjunction === 'or') return expandInner(expression.left).concat(expandInner(expression.right))
|
||||
if (expression.conjunction === 'and') {
|
||||
var left = expandInner(expression.left)
|
||||
var right = expandInner(expression.right)
|
||||
return left.reduce(function (result, l) {
|
||||
right.forEach(function (r) { result.push(Object.assign({}, l, r)) })
|
||||
return result
|
||||
}, [])
|
||||
}
|
||||
}
|
||||
|
||||
function sort (licenseList) {
|
||||
var sortedLicenseLists = licenseList
|
||||
.filter(function (e) { return Object.keys(e).length })
|
||||
.map(function (e) { return Object.keys(e).sort() })
|
||||
return sortedLicenseLists.map(function (list, i) {
|
||||
return list.map(function (license) { return licenseList[i][license] })
|
||||
})
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if all the licenses on the first argument are satisfied by any license on the second argument.
|
||||
* @param {object[]} one - Source licenses.
|
||||
* @param {object[]} two - Target licenses.
|
||||
* @return {boolean} - Whether all the licenses on the first argument are satisfied by the target licenses.
|
||||
*/
|
||||
function isExpressionCompatible (one, two) {
|
||||
if (one.length !== two.length) return false
|
||||
return one.every(function (o) {
|
||||
return two.some(function (t) { return licensesAreCompatible(o, t) })
|
||||
})
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks whether any group of licenses satisfies any target group of licenses.
|
||||
* e.g. [[MIT], [GPL-1.0+, Apache-2.0]] checked against
|
||||
* [[ISC, GPL-2.0], [GPL-2.0, Apache-2.0]] will return true.
|
||||
* @param {(object[])[]} one - Groups of licenses to be checked.
|
||||
* @param {(object[])[]} two - Target groups of licenses.
|
||||
* @return {boolean} - Whether any group of licenses in "one" satisfies any group of licenses of the "two" (the target).
|
||||
*/
|
||||
function anyExpressionCompatible (one, two) {
|
||||
return one.some(function (o) {
|
||||
return two.some(function (t) {
|
||||
return isExpressionCompatible(o, t)
|
||||
})
|
||||
})
|
||||
}
|
||||
|
||||
function checkArguments (first, second) {
|
||||
if (first.type === 'string' && second.type === 'string') {
|
||||
if (typeof first.value !== 'string' || typeof second.value !== 'string') throw new Error('Both arguments must be string.')
|
||||
} else {
|
||||
if (typeof first.value !== 'string') throw new Error('First argument must be string.')
|
||||
if (!Array.isArray(second.value)) throw new Error('Second argument must be array.')
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if "first" satisfies "second".
|
||||
* @param {string} first - A valid SPDX expression to be tested.
|
||||
* @param {string} second - A valid SDPX expression to be tested against.
|
||||
* @return {boolean} - Whether "first" satisfies "second".
|
||||
*/
|
||||
function satisfies (first, second) {
|
||||
checkArguments({ value: first, type: 'string' }, { value: second, type: 'string' })
|
||||
var one = expand(replaceGPLOnlyOrLaterWithRanges(parse(first)))
|
||||
var two = expand(replaceGPLOnlyOrLaterWithRanges(parse(second)))
|
||||
return anyExpressionCompatible(one, two)
|
||||
}
|
||||
|
||||
function parseLicensesArray (licenses) {
|
||||
var parsed = licenses.map(l => replaceGPLOnlyOrLaterWithRanges(parse(l)))
|
||||
if (parsed.some(({ conjunction }) => !!conjunction)) throw new Error('AND and OR operators are not allowed.')
|
||||
return parsed
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if "first" satisfies any of the licenses in "second".
|
||||
* @param {string} first - A valid SPDX expression to be tested.
|
||||
* @param {string[]} second - A list of licenses. AND and OR operators are not allowed.
|
||||
* @return {boolean} - Whether "first" satisfies any license in "second".
|
||||
*/
|
||||
function satisfiesAny (first, second) {
|
||||
checkArguments({value: first, type: 'string'}, {value: second, type: 'array'})
|
||||
var one = expand(replaceGPLOnlyOrLaterWithRanges(parse(first)))
|
||||
var two = parseLicensesArray(second).map(l => expand(l).flat())
|
||||
return anyExpressionCompatible(one, two)
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if "first" satisfies all the license in "second".
|
||||
* @param {string} first - A valid SPDX expression to be tested.
|
||||
* @param {string[]} second - A list of licenses. AND and OR operators are not allowed.
|
||||
* @return {boolean} - Whether "first" satisfies all licenses in "second".
|
||||
*/
|
||||
function satisfiesAll (first, second) {
|
||||
checkArguments({value: first, type: 'string'}, {value: second, type: 'array'})
|
||||
var one = expand(replaceGPLOnlyOrLaterWithRanges(parse(first)))
|
||||
var two = [parseLicensesArray(second)]
|
||||
return anyExpressionCompatible(one, two)
|
||||
}
|
||||
|
||||
module.exports = {
|
||||
satisfies,
|
||||
satisfiesAny,
|
||||
satisfiesAll
|
||||
}
|
||||
|
||||
|
||||
/***/ }),
|
||||
|
||||
/***/ 1231:
|
||||
@@ -22285,151 +22605,6 @@ module.exports = function (source) {
|
||||
}
|
||||
|
||||
|
||||
/***/ }),
|
||||
|
||||
/***/ 4424:
|
||||
/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => {
|
||||
|
||||
var compare = __nccwpck_require__(8918)
|
||||
var parse = __nccwpck_require__(1620)
|
||||
var ranges = __nccwpck_require__(9797)
|
||||
|
||||
var rangesAreCompatible = function (first, second) {
|
||||
return (
|
||||
first.license === second.license ||
|
||||
ranges.some(function (range) {
|
||||
return (
|
||||
licenseInRange(first.license, range) &&
|
||||
licenseInRange(second.license, range)
|
||||
)
|
||||
})
|
||||
)
|
||||
}
|
||||
|
||||
function licenseInRange (license, range) {
|
||||
return (
|
||||
range.indexOf(license) !== -1 ||
|
||||
range.some(function (element) {
|
||||
return (
|
||||
Array.isArray(element) &&
|
||||
element.indexOf(license) !== -1
|
||||
)
|
||||
})
|
||||
)
|
||||
}
|
||||
|
||||
var identifierInRange = function (identifier, range) {
|
||||
return (
|
||||
identifier.license === range.license ||
|
||||
compare.gt(identifier.license, range.license) ||
|
||||
compare.eq(identifier.license, range.license)
|
||||
)
|
||||
}
|
||||
|
||||
var licensesAreCompatible = function (first, second) {
|
||||
if (first.exception !== second.exception) {
|
||||
return false
|
||||
} else if (second.hasOwnProperty('license')) {
|
||||
if (second.hasOwnProperty('plus')) {
|
||||
if (first.hasOwnProperty('plus')) {
|
||||
// first+, second+
|
||||
return rangesAreCompatible(first, second)
|
||||
} else {
|
||||
// first, second+
|
||||
return identifierInRange(first, second)
|
||||
}
|
||||
} else {
|
||||
if (first.hasOwnProperty('plus')) {
|
||||
// first+, second
|
||||
return identifierInRange(second, first)
|
||||
} else {
|
||||
// first, second
|
||||
return first.license === second.license
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function normalizeGPLIdentifiers (argument) {
|
||||
var license = argument.license
|
||||
if (license) {
|
||||
if (endsWith(license, '-or-later')) {
|
||||
argument.license = license.replace('-or-later', '')
|
||||
argument.plus = true
|
||||
} else if (endsWith(license, '-only')) {
|
||||
argument.license = license.replace('-or-later', '')
|
||||
delete argument.plus
|
||||
}
|
||||
} else if (argument.left && argument.right) {
|
||||
argument.left = normalizeGPLIdentifiers(argument.left)
|
||||
argument.right = normalizeGPLIdentifiers(argument.right)
|
||||
}
|
||||
return argument
|
||||
}
|
||||
|
||||
function endsWith (string, substring) {
|
||||
return string.indexOf(substring) === string.length - substring.length
|
||||
}
|
||||
|
||||
function licenseString (e) {
|
||||
if (e.hasOwnProperty('noassertion')) return 'NOASSERTION'
|
||||
if (e.license) return `${e.license}${e.plus ? '+' : ''}${e.exception ? ` WITH ${e.exception}` : ''}`
|
||||
}
|
||||
|
||||
// Expand the given expression into an equivalent array where each member is an array of licenses AND'd
|
||||
// together and the members are OR'd together. For example, `(MIT OR ISC) AND GPL-3.0` expands to
|
||||
// `[[GPL-3.0 AND MIT], [ISC AND MIT]]`. Note that within each array of licenses, the entries are
|
||||
// normalized (sorted) by license name.
|
||||
function expand (expression) {
|
||||
return sort(expandInner(expression))
|
||||
}
|
||||
|
||||
// Flatten the given expression into an array of all licenses mentioned in the expression.
|
||||
function flatten (expression) {
|
||||
var expanded = expandInner(expression)
|
||||
var flattened = expanded.reduce(function (result, clause) {
|
||||
return Object.assign(result, clause)
|
||||
}, {})
|
||||
return sort([flattened])[0]
|
||||
}
|
||||
|
||||
function expandInner (expression) {
|
||||
if (!expression.conjunction) return [{ [licenseString(expression)]: expression }]
|
||||
if (expression.conjunction === 'or') return expandInner(expression.left).concat(expandInner(expression.right))
|
||||
if (expression.conjunction === 'and') {
|
||||
var left = expandInner(expression.left)
|
||||
var right = expandInner(expression.right)
|
||||
return left.reduce(function (result, l) {
|
||||
right.forEach(function (r) { result.push(Object.assign({}, l, r)) })
|
||||
return result
|
||||
}, [])
|
||||
}
|
||||
}
|
||||
|
||||
function sort (licenseList) {
|
||||
var sortedLicenseLists = licenseList
|
||||
.filter(function (e) { return Object.keys(e).length })
|
||||
.map(function (e) { return Object.keys(e).sort() })
|
||||
return sortedLicenseLists.map(function (list, i) {
|
||||
return list.map(function (license) { return licenseList[i][license] })
|
||||
})
|
||||
}
|
||||
|
||||
function isANDCompatible (one, two) {
|
||||
return one.every(function (o) {
|
||||
return two.some(function (t) { return licensesAreCompatible(o, t) })
|
||||
})
|
||||
}
|
||||
|
||||
function satisfies (first, second) {
|
||||
var one = expand(normalizeGPLIdentifiers(parse(first)))
|
||||
var two = flatten(normalizeGPLIdentifiers(parse(second)))
|
||||
return one.some(function (o) { return isANDCompatible(o, two) })
|
||||
}
|
||||
|
||||
module.exports = satisfies
|
||||
|
||||
|
||||
/***/ }),
|
||||
|
||||
/***/ 4294:
|
||||
@@ -49639,6 +49814,7 @@ const core = __importStar(__nccwpck_require__(2186));
|
||||
const z = __importStar(__nccwpck_require__(3301));
|
||||
const schemas_1 = __nccwpck_require__(1129);
|
||||
const utils_1 = __nccwpck_require__(1314);
|
||||
const spdx_1 = __nccwpck_require__(5967);
|
||||
function readConfig() {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const inlineConfig = readInlineConfig();
|
||||
@@ -49719,9 +49895,9 @@ function validateLicenses(key, licenses) {
|
||||
if (licenses === undefined) {
|
||||
return;
|
||||
}
|
||||
const invalid_licenses = licenses.filter(license => !(0, utils_1.isSPDXValid)(license));
|
||||
const invalid_licenses = licenses.filter(license => !(0, spdx_1.isValid)(license));
|
||||
if (invalid_licenses.length > 0) {
|
||||
throw new Error(`Invalid license(s) in ${key}: ${invalid_licenses}`);
|
||||
throw new Error(`Invalid license(s) in ${key}: ${invalid_licenses.join(', ')}`);
|
||||
}
|
||||
}
|
||||
function readConfigFile(filePath) {
|
||||
@@ -50212,7 +50388,7 @@ exports.ScorecardSchema = z.object({
|
||||
|
||||
/***/ }),
|
||||
|
||||
/***/ 1314:
|
||||
/***/ 5967:
|
||||
/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
|
||||
|
||||
"use strict";
|
||||
@@ -50244,10 +50420,93 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
|
||||
return (mod && mod.__esModule) ? mod : { "default": mod };
|
||||
};
|
||||
Object.defineProperty(exports, "__esModule", ({ value: true }));
|
||||
exports.octokitClient = exports.isSPDXValid = exports.renderUrl = exports.getManifestsSet = exports.groupDependenciesByManifest = void 0;
|
||||
exports.isValid = exports.satisfiesAll = exports.satisfiesAny = exports.satisfies = void 0;
|
||||
const spdxlib = __importStar(__nccwpck_require__(9391));
|
||||
const spdx_expression_parse_1 = __importDefault(__nccwpck_require__(1620));
|
||||
/*
|
||||
* NOTE: spdx-license-satisfies methods depend on spdx-expression-parse
|
||||
* which throws errors in the presence of any syntax trouble, unknown
|
||||
* license tokens, case sensitivity problems etc. to simplify handling
|
||||
* you should pre-screen inputs to the satisfies* methods using isValid
|
||||
*/
|
||||
// accepts a pair of well-formed SPDX expressions. the
|
||||
// candidate is tested against the constraint
|
||||
function satisfies(candidateExpr, constraintExpr) {
|
||||
try {
|
||||
return spdxlib.satisfies(candidateExpr, constraintExpr);
|
||||
}
|
||||
catch (_) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
exports.satisfies = satisfies;
|
||||
// accepts an SPDX expression and a non-empty list of licenses (not expressions)
|
||||
function satisfiesAny(candidateExpr, licenses) {
|
||||
try {
|
||||
return spdxlib.satisfiesAny(candidateExpr, licenses);
|
||||
}
|
||||
catch (_) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
exports.satisfiesAny = satisfiesAny;
|
||||
// accepts an SPDX expression and a non-empty list of licenses (not expressions)
|
||||
function satisfiesAll(candidateExpr, licenses) {
|
||||
try {
|
||||
return spdxlib.satisfiesAll(candidateExpr, licenses);
|
||||
}
|
||||
catch (_) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
exports.satisfiesAll = satisfiesAll;
|
||||
// accepts any SPDX expression
|
||||
function isValid(spdxExpr) {
|
||||
try {
|
||||
(0, spdx_expression_parse_1.default)(spdxExpr);
|
||||
return true;
|
||||
}
|
||||
catch (_) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
exports.isValid = isValid;
|
||||
|
||||
|
||||
/***/ }),
|
||||
|
||||
/***/ 1314:
|
||||
/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
|
||||
|
||||
"use strict";
|
||||
|
||||
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
||||
if (k2 === undefined) k2 = k;
|
||||
var desc = Object.getOwnPropertyDescriptor(m, k);
|
||||
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
||||
desc = { enumerable: true, get: function() { return m[k]; } };
|
||||
}
|
||||
Object.defineProperty(o, k2, desc);
|
||||
}) : (function(o, m, k, k2) {
|
||||
if (k2 === undefined) k2 = k;
|
||||
o[k2] = m[k];
|
||||
}));
|
||||
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
||||
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
||||
}) : function(o, v) {
|
||||
o["default"] = v;
|
||||
});
|
||||
var __importStar = (this && this.__importStar) || function (mod) {
|
||||
if (mod && mod.__esModule) return mod;
|
||||
var result = {};
|
||||
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
|
||||
__setModuleDefault(result, mod);
|
||||
return result;
|
||||
};
|
||||
Object.defineProperty(exports, "__esModule", ({ value: true }));
|
||||
exports.octokitClient = exports.renderUrl = exports.getManifestsSet = exports.groupDependenciesByManifest = void 0;
|
||||
const core = __importStar(__nccwpck_require__(2186));
|
||||
const octokit_1 = __nccwpck_require__(7467);
|
||||
const spdx_expression_parse_1 = __importDefault(__nccwpck_require__(1620));
|
||||
function groupDependenciesByManifest(changes) {
|
||||
var _a;
|
||||
const dependencies = new Map();
|
||||
@@ -50276,16 +50535,6 @@ function renderUrl(url, text) {
|
||||
}
|
||||
}
|
||||
exports.renderUrl = renderUrl;
|
||||
function isSPDXValid(license) {
|
||||
try {
|
||||
(0, spdx_expression_parse_1.default)(license);
|
||||
return true;
|
||||
}
|
||||
catch (_) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
exports.isSPDXValid = isSPDXValid;
|
||||
function isEnterprise() {
|
||||
var _a;
|
||||
const serverUrl = new URL((_a = process.env['GITHUB_SERVER_URL']) !== null && _a !== void 0 ? _a : 'https://github.com');
|
||||
|
||||
+1
-1
File diff suppressed because one or more lines are too long
+25
-25
@@ -514,6 +514,31 @@ The above copyright notice and this permission notice shall be included in all c
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||
|
||||
|
||||
@onebeyond/spdx-license-satisfies
|
||||
MIT
|
||||
The MIT License
|
||||
|
||||
Copyright (c) spdx-satisfies.js contributors
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a
|
||||
copy of this software and associated documentation files (the "Software"),
|
||||
to deal in the Software without restriction, including without limitation
|
||||
the rights to use, copy, modify, merge, publish, distribute, sublicense,
|
||||
and/or sell copies of the Software, and to permit persons to whom the
|
||||
Software is furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included
|
||||
in all copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
|
||||
THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
|
||||
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
|
||||
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
|
||||
OTHER DEALINGS IN THE SOFTWARE.
|
||||
|
||||
|
||||
aggregate-error
|
||||
MIT
|
||||
MIT License
|
||||
@@ -1621,31 +1646,6 @@ The above copyright notice and this permission notice shall be included in all c
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||
|
||||
|
||||
spdx-satisfies
|
||||
MIT
|
||||
The MIT License
|
||||
|
||||
Copyright (c) spdx-satisfies.js contributors
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a
|
||||
copy of this software and associated documentation files (the "Software"),
|
||||
to deal in the Software without restriction, including without limitation
|
||||
the rights to use, copy, modify, merge, publish, distribute, sublicense,
|
||||
and/or sell copies of the Software, and to permit persons to whom the
|
||||
Software is furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included
|
||||
in all copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
|
||||
THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
|
||||
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
|
||||
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
|
||||
OTHER DEALINGS IN THE SOFTWARE.
|
||||
|
||||
|
||||
tunnel
|
||||
MIT
|
||||
The MIT License (MIT)
|
||||
|
||||
Generated
+13
-1
@@ -13,7 +13,7 @@
|
||||
"@actions/github": "^6.0.0",
|
||||
"@octokit/plugin-retry": "^6.0.1",
|
||||
"@octokit/request-error": "^5.0.1",
|
||||
"@types/jest": "^29.5.12",
|
||||
"@onebeyond/spdx-license-satisfies": "^1.0.1",
|
||||
"ansi-styles": "^6.2.1",
|
||||
"got": "^14.2.0",
|
||||
"jest": "^29.7.0",
|
||||
@@ -25,6 +25,7 @@
|
||||
"zod": "^3.22.3"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@types/jest": "^29.5.12",
|
||||
"@types/node": "^20",
|
||||
"@types/spdx-expression-parse": "^3.0.4",
|
||||
"@types/spdx-satisfies": "^0.1.1",
|
||||
@@ -1922,6 +1923,16 @@
|
||||
"resolved": "https://registry.npmjs.org/@octokit/webhooks-types/-/webhooks-types-7.1.0.tgz",
|
||||
"integrity": "sha512-y92CpG4kFFtBBjni8LHoV12IegJ+KFxLgKRengrVjKmGE5XMeCuGvlfRe75lTRrgXaG6XIWJlFpIDTlkoJsU8w=="
|
||||
},
|
||||
"node_modules/@onebeyond/spdx-license-satisfies": {
|
||||
"version": "1.0.1",
|
||||
"resolved": "https://registry.npmjs.org/@onebeyond/spdx-license-satisfies/-/spdx-license-satisfies-1.0.1.tgz",
|
||||
"integrity": "sha512-C91zRfMMoWsuFMbzFh95pv7nDtzmGD+4TKbCHJTMgCO8IWPN3LyBVnDDnJd2pM5dokIGamSEIvYlf6HKLBDDPg==",
|
||||
"dependencies": {
|
||||
"spdx-compare": "^1.0.0",
|
||||
"spdx-expression-parse": "^3.0.0",
|
||||
"spdx-ranges": "^2.0.0"
|
||||
}
|
||||
},
|
||||
"node_modules/@pkgr/core": {
|
||||
"version": "0.1.0",
|
||||
"resolved": "https://registry.npmjs.org/@pkgr/core/-/core-0.1.0.tgz",
|
||||
@@ -2062,6 +2073,7 @@
|
||||
"version": "29.5.12",
|
||||
"resolved": "https://registry.npmjs.org/@types/jest/-/jest-29.5.12.tgz",
|
||||
"integrity": "sha512-eDC8bTvT/QhYdxJAulQikueigY5AsdBRH2yDKW3yveW7svY3+DzN84/2NUgkw10RTiJbWqZrTtoGVdYlvFJdLw==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"expect": "^29.0.0",
|
||||
"pretty-format": "^29.0.0"
|
||||
|
||||
+2
-1
@@ -29,7 +29,7 @@
|
||||
"@actions/github": "^6.0.0",
|
||||
"@octokit/plugin-retry": "^6.0.1",
|
||||
"@octokit/request-error": "^5.0.1",
|
||||
"@types/jest": "^29.5.12",
|
||||
"@onebeyond/spdx-license-satisfies": "^1.0.1",
|
||||
"ansi-styles": "^6.2.1",
|
||||
"got": "^14.2.0",
|
||||
"jest": "^29.7.0",
|
||||
@@ -41,6 +41,7 @@
|
||||
"zod": "^3.22.3"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@types/jest": "^29.5.12",
|
||||
"@types/node": "^20",
|
||||
"@types/spdx-expression-parse": "^3.0.4",
|
||||
"@types/spdx-satisfies": "^0.1.1",
|
||||
|
||||
+6
-3
@@ -4,7 +4,8 @@ import YAML from 'yaml'
|
||||
import * as core from '@actions/core'
|
||||
import * as z from 'zod'
|
||||
import {ConfigurationOptions, ConfigurationOptionsSchema} from './schemas'
|
||||
import {isSPDXValid, octokitClient} from './utils'
|
||||
import {octokitClient} from './utils'
|
||||
import {isValid} from './spdx'
|
||||
|
||||
type ConfigurationOptionsPartial = Partial<ConfigurationOptions>
|
||||
|
||||
@@ -113,10 +114,12 @@ function validateLicenses(
|
||||
return
|
||||
}
|
||||
|
||||
const invalid_licenses = licenses.filter(license => !isSPDXValid(license))
|
||||
const invalid_licenses = licenses.filter(license => !isValid(license))
|
||||
|
||||
if (invalid_licenses.length > 0) {
|
||||
throw new Error(`Invalid license(s) in ${key}: ${invalid_licenses}`)
|
||||
throw new Error(
|
||||
`Invalid license(s) in ${key}: ${invalid_licenses.join(', ')}`
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
+17
-12
@@ -1,7 +1,7 @@
|
||||
import spdxSatisfies from 'spdx-satisfies'
|
||||
import {Change, Changes} from './schemas'
|
||||
import {isSPDXValid, octokitClient} from './utils'
|
||||
import {octokitClient} from './utils'
|
||||
import {parsePURL} from './purl'
|
||||
import * as spdx from './spdx'
|
||||
|
||||
/**
|
||||
* Loops through a list of changes, filtering and returning the
|
||||
@@ -47,7 +47,7 @@ export async function getInvalidLicenseChanges(
|
||||
|
||||
const changeAsPackageURL = parsePURL(encodeURI(change.package_url))
|
||||
|
||||
// We want to find if the licenseExclussion list contains the PackageURL of the Change
|
||||
// We want to find if the licenseExclusion list contains the PackageURL of the Change
|
||||
// If it does, we want to filter it out and therefore return false
|
||||
// If it doesn't, we want to keep it and therefore return true
|
||||
if (
|
||||
@@ -87,15 +87,19 @@ export async function getInvalidLicenseChanges(
|
||||
} else if (validityCache.get(license) === undefined) {
|
||||
try {
|
||||
if (allow !== undefined) {
|
||||
const found = allow.find(spdxExpression =>
|
||||
spdxSatisfies(license, spdxExpression)
|
||||
)
|
||||
validityCache.set(license, found !== undefined)
|
||||
if (spdx.isValid(license)) {
|
||||
const found = spdx.satisfiesAny(license, allow)
|
||||
validityCache.set(license, found)
|
||||
} else {
|
||||
invalidLicenseChanges.unresolved.push(change)
|
||||
}
|
||||
} else if (deny !== undefined) {
|
||||
const found = deny.find(spdxExpression =>
|
||||
spdxSatisfies(license, spdxExpression)
|
||||
)
|
||||
validityCache.set(license, found === undefined)
|
||||
if (spdx.isValid(license)) {
|
||||
const found = spdx.satisfiesAny(license, deny)
|
||||
validityCache.set(license, !found)
|
||||
} else {
|
||||
invalidLicenseChanges.unresolved.push(change)
|
||||
}
|
||||
}
|
||||
} catch (err) {
|
||||
invalidLicenseChanges.unresolved.push(change)
|
||||
@@ -161,10 +165,11 @@ const setGHLicenses = async (changes: Change[]): Promise<Change[]> => {
|
||||
|
||||
return Promise.all(updatedChanges)
|
||||
}
|
||||
|
||||
// Currently Dependency Graph licenses are truncated to 255 characters
|
||||
// This possibly makes them invalid spdx ids
|
||||
const truncatedDGLicense = (license: string): boolean =>
|
||||
license.length === 255 && !isSPDXValid(license)
|
||||
license.length === 255 && !spdx.isValid(license)
|
||||
|
||||
async function groupChanges(
|
||||
changes: Changes
|
||||
|
||||
+56
@@ -0,0 +1,56 @@
|
||||
import * as spdxlib from '@onebeyond/spdx-license-satisfies'
|
||||
import parse from 'spdx-expression-parse'
|
||||
|
||||
/*
|
||||
* NOTE: spdx-license-satisfies methods depend on spdx-expression-parse
|
||||
* which throws errors in the presence of any syntax trouble, unknown
|
||||
* license tokens, case sensitivity problems etc. to simplify handling
|
||||
* you should pre-screen inputs to the satisfies* methods using isValid
|
||||
*/
|
||||
|
||||
// accepts a pair of well-formed SPDX expressions. the
|
||||
// candidate is tested against the constraint
|
||||
export function satisfies(
|
||||
candidateExpr: string,
|
||||
constraintExpr: string
|
||||
): boolean {
|
||||
try {
|
||||
return spdxlib.satisfies(candidateExpr, constraintExpr)
|
||||
} catch (_) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
// accepts an SPDX expression and a non-empty list of licenses (not expressions)
|
||||
export function satisfiesAny(
|
||||
candidateExpr: string,
|
||||
licenses: string[]
|
||||
): boolean {
|
||||
try {
|
||||
return spdxlib.satisfiesAny(candidateExpr, licenses)
|
||||
} catch (_) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
// accepts an SPDX expression and a non-empty list of licenses (not expressions)
|
||||
export function satisfiesAll(
|
||||
candidateExpr: string,
|
||||
licenses: string[]
|
||||
): boolean {
|
||||
try {
|
||||
return spdxlib.satisfiesAll(candidateExpr, licenses)
|
||||
} catch (_) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
// accepts any SPDX expression
|
||||
export function isValid(spdxExpr: string): boolean {
|
||||
try {
|
||||
parse(spdxExpr)
|
||||
return true
|
||||
} catch (_) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
@@ -1,6 +1,5 @@
|
||||
import * as core from '@actions/core'
|
||||
import {Octokit} from 'octokit'
|
||||
import spdxParse from 'spdx-expression-parse'
|
||||
import {Changes} from './schemas'
|
||||
|
||||
export function groupDependenciesByManifest(
|
||||
@@ -34,15 +33,6 @@ export function renderUrl(url: string | null, text: string): string {
|
||||
}
|
||||
}
|
||||
|
||||
export function isSPDXValid(license: string): boolean {
|
||||
try {
|
||||
spdxParse(license)
|
||||
return true
|
||||
} catch (_) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
function isEnterprise(): boolean {
|
||||
const serverUrl = new URL(
|
||||
process.env['GITHUB_SERVER_URL'] ?? 'https://github.com'
|
||||
|
||||
+3
-1
@@ -5,7 +5,9 @@
|
||||
"outDir": "./lib" /* Redirect output structure to the directory. */,
|
||||
"strict": true /* Enable all strict type-checking options. */,
|
||||
"noImplicitAny": true /* Raise error on expressions and declarations with an implied 'any' type. */,
|
||||
"esModuleInterop": true /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */
|
||||
"esModuleInterop": true /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */,
|
||||
"typeRoots": [ "./node_modules/@types", "./types" ],
|
||||
"types": [ "node", "jest", "spdx-license-satisfies" ]
|
||||
},
|
||||
"exclude": ["node_modules"]
|
||||
}
|
||||
|
||||
Vendored
+18
@@ -0,0 +1,18 @@
|
||||
declare module '@onebeyond/spdx-license-satisfies' {
|
||||
export function satisfies(
|
||||
candidateExpr: string,
|
||||
constraintExpr: string
|
||||
): boolean
|
||||
|
||||
export function satisfiesAny(
|
||||
candidateExpr: string,
|
||||
licenses: string[]
|
||||
): boolean
|
||||
|
||||
export function satisfiesAll(
|
||||
candidateExpr: string,
|
||||
licenses: string[]
|
||||
): boolean
|
||||
|
||||
export function isValid(candidateExpr: string): boolean
|
||||
}
|
||||
Reference in New Issue
Block a user