authorCan Eldem <celdem@gitlab.com>2020-05-14 09:44:56 +0000
committerCan Eldem <celdem@gitlab.com>2020-05-14 09:44:56 +0000
commit005336379b28329c6a0432fb25bbfa704d1e3466 (patch)
tree9ff48295ce109f444127b035f9e1e15dbff21251 /lib
parentbc1d4265e81b7a578ab320a3c27727a8f3dfc844 (diff)
parentd2934252ee53aaef396cf706bf89769b4b81d617 (diff)
Merge branch '212922-yarn-offline' into 'master'v3.8.1
Exclude devDependencies from yarn scan. See merge request gitlab-org/security-products/license-management!147
Diffstat (limited to 'lib')
-rw-r--r--lib/license/finder/ext/pip.rb4
-rw-r--r--lib/license/finder/ext/pipenv.rb14
-rw-r--r--lib/license/finder/ext/yarn.rb89
-rw-r--r--lib/license/management.rb1
-rw-r--r--lib/license/management/version.rb2
5 files changed, 90 insertions, 20 deletions
diff --git a/lib/license/finder/ext/pip.rb b/lib/license/finder/ext/pip.rb
index 51e2039..596cd4c 100644
--- a/lib/license/finder/ext/pip.rb
+++ b/lib/license/finder/ext/pip.rb
@@ -56,10 +56,8 @@ module LicenseFinder
end
def legacy_results
- sources = [Spandx::Python::Source.new({ 'name' => 'pypi', 'url' => python.pip_index_url, 'verify_ssl' => true })]
- pypi = Spandx::Python::PyPI.new
pip_output.map do |name, version, _children, _location|
- spec = pypi.definition_for(name, version, sources: sources)
+ spec = PyPI.definition(name, version)
Package.new(
name,
version,
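Review bot: The replacement `spec = PyPI.definition(name, version)` drops the explicit source the old code built — the index URL from `python.pip_index_url` and `'verify_ssl' => true` — and nothing in the hunk shows where `PyPI` obtains them now. If `PyPI.definition` does not itself read the configured index and enforce certificate verification, lookups presumably fall back to a default index with whatever transport settings that helper uses, which is a behaviour change this commit does not describe. The same applies to the pipenv.rb hunk, where the per-source URLs and `verify_ssl` flags previously taken from `lockfile_hash` via `Source.sources_from` are no longer passed at all. A comment on the new line naming where the index URL and TLS setting are resolved, e.g. `# PyPI.definition resolves index URL and TLS verification from <LOCATION_PLACEHOLDER>`, would make this reviewable; the body of `legacy_results` continues past the hunk.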
diff --git a/lib/license/finder/ext/pipenv.rb b/lib/license/finder/ext/pipenv.rb
index ebe8cad..17b7391 100644
--- a/lib/license/finder/ext/pipenv.rb
+++ b/lib/license/finder/ext/pipenv.rb
@@ -30,25 +30,13 @@ module LicenseFinder
each_dependency(groups: allowed_groups) do |name, data, group|
version = canonicalize(data['version'])
package = packages.fetch(key_for(name, version)) do |key|
- packages[key] = build_package_for(name, version)
+ packages[key] = PipPackage.new(name, version, PyPI.definition(name, version))
end
package.groups << group
end
packages.values
end
- def build_package_for(name, version)
- PipPackage.new(name, version, pypi.definition_for(name, version, sources: sources))
- end
-
- def sources
- @sources ||= ::Spandx::Python::Source.sources_from(lockfile_hash)
- end
-
- def pypi
- @pypi ||= ::Spandx::Python::Pypi.new
- end
-
def lockfile_hash
@lockfile_hash ||= JSON.parse(IO.read(detected_package_path))
end
diff --git a/lib/license/finder/ext/yarn.rb b/lib/license/finder/ext/yarn.rb
index cc2c029..dba096b 100644
--- a/lib/license/finder/ext/yarn.rb
+++ b/lib/license/finder/ext/yarn.rb
@@ -2,8 +2,93 @@
module LicenseFinder
class Yarn
- def prepare_command
- 'yarn install --ignore-engines --ignore-scripts'
+ INCOMPATIBLE_PACKAGE_REGEX = /(?<name>[\w,\-]+)@(?<version>(\d+\.?)+)/.freeze
+ PHANTOM_PACKAGE_REGEX = /workspace-aggregator-[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}/.freeze
+
+ def possible_package_paths
+ [project_path.join('yarn.lock')]
+ end
+
+ def current_packages
+ stdout, _stderr, status = Dir.chdir(project_path) do
+ shell.execute(list_licenses_command)
+ end
+ return [] unless status.success?
+
+ stdout.each_line.flat_map do |line|
+ dependencies_from(JSON.parse(line))
+ end
+ end
+
+ def prepare
+ Dir.chdir(project_path) do
+ shell.execute([
+ :yarn, :install,
+ '--ignore-engines', '--ignore-scripts',
+ '--production'
+ ])
+ end
+ end
+
+ private
+
+ def list_licenses_command
+ [
+ :yarn,
+ :licenses,
+ :list,
+ '--no-progress',
+ '--json',
+ '--production',
+ '--cwd',
+ project_path || Pathname.pwd
+ ]
+ end
+
+ def install_path_for(name)
+ if project_path
+ project_path.join('node_modules', name)
+ else
+ Pathname.pwd.join('node_modules', name)
+ end
+ end
+
+ def map_from(hash)
+ name = hash['Name']
+
+ YarnPackage.new(
+ name,
+ hash['Version'],
+ spec_licenses: [hash['License']],
+ install_path: install_path_for(name).to_s,
+ homepage: hash['VendorUrl']
+ )
+ end
+
+ def dependencies_from(json)
+ case json['type']
+ when 'table'
+ from_json_table(json)
+ when 'info'
+ from_json_info(json)
+ else
+ []
+ end
+ end
+
+ def from_json_table(json)
+ head = json['data']['head']
+ json['data']['body'].map do |array|
+ hash = Hash[head.zip(array)]
+ map_from(hash) unless PHANTOM_PACKAGE_REGEX.match(hash['Name'])
+ end.compact
+ end
+
+ def from_json_info(json)
+ matches = json['data'].to_s.match(INCOMPATIBLE_PACKAGE_REGEX)
+ return [] unless matches
+
+ [YarnPackage.new(matches['name'], matches['version'], spec_licenses: ['unknown'])]
end
end
end
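Review bot: `current_packages` turns a failed `yarn licenses list` into an empty result — `return [] unless status.success?` discards `_stderr`, so the caller cannot tell "no dependencies" from "scan did not run", which for a license scan is a silent miss. At minimum surface the failure before returning, e.g. `warn("yarn licenses list failed: #{stderr}") unless status.success?` (renaming `_stderr` to `stderr`), or raise if callers are expected to fail the job on it. Separately, `list_licenses_command` and `install_path_for` both tolerate a nil `project_path` via `project_path || Pathname.pwd`, but `current_packages` and `prepare` call `Dir.chdir(project_path)` unconditionally, which raises on nil; either the nil fallbacks are dead or the `chdir` calls need the same default. A one-line comment on `PHANTOM_PACKAGE_REGEX` saying why workspace-aggregator entries are skipped would also help, since the pattern alone does not explain it.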
diff --git a/lib/license/management.rb b/lib/license/management.rb
index 4be002d..6306faf 100644
--- a/lib/license/management.rb
+++ b/lib/license/management.rb
@@ -3,7 +3,6 @@
require 'json'
require 'logger'
require 'pathname'
-require 'spandx'
require 'yaml'
require 'license_finder'
diff --git a/lib/license/management/version.rb b/lib/license/management/version.rb
index 881fa37..22818e9 100644
--- a/lib/license/management/version.rb
+++ b/lib/license/management/version.rb
@@ -2,6 +2,6 @@
module License
module Management
- VERSION = '3.8.0'
+ VERSION = '3.8.1'
end
end