authorCan Eldem <celdem@gitlab.com>2020-08-19 12:04:46 +0000
committerCan Eldem <celdem@gitlab.com>2020-08-19 12:04:46 +0000
commit99a89248b2e6c08bf7a5c6c7950793b1418b9555 (patch)
tree9f0ad8087db423cf57b1e96451a0c977422a50d7 /spec/integration
parent24695063d1ba9a73ba92a44fae0813d5492cf29c (diff)
parenta54789bcfe9e05ab42dfb6e03457279384e343fe (diff)
Merge branch 'upgrade-license-finder' into 'master'v3.23.0
Upgrade license finder to 6.8.1. See merge request gitlab-org/security-products/license-management!209
Diffstat (limited to 'spec/integration')
-rw-r--r--spec/integration/c/conan_spec.rb2
-rw-r--r--spec/integration/dotnet/examples_spec.rb2
-rw-r--r--spec/integration/dotnet/nuget_spec.rb2
-rw-r--r--spec/integration/go/modules_spec.rb19
-rw-r--r--spec/integration/java/gradle_spec.rb12
-rw-r--r--spec/integration/java/maven_spec.rb14
-rw-r--r--spec/integration/js/bower_spec.rb2
-rw-r--r--spec/integration/js/npm_spec.rb2
-rw-r--r--spec/integration/js/yarn_spec.rb2
-rw-r--r--spec/integration/php/composer_spec.rb2
-rw-r--r--spec/integration/python/pip_spec.rb14
-rw-r--r--spec/integration/python/pipenv_spec.rb87
-rw-r--r--spec/integration/ruby/bundler_spec.rb24
-rw-r--r--spec/integration/rust/cargo_spec.rb2
14 files changed, 135 insertions, 51 deletions
diff --git a/spec/integration/c/conan_spec.rb b/spec/integration/c/conan_spec.rb
index cdbf029..86025bd 100644
--- a/spec/integration/c/conan_spec.rb
+++ b/spec/integration/c/conan_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
require 'spec_helper'
RSpec.describe "conan" do
diff --git a/spec/integration/dotnet/examples_spec.rb b/spec/integration/dotnet/examples_spec.rb
index f9c63ea..909dd2c 100644
--- a/spec/integration/dotnet/examples_spec.rb
+++ b/spec/integration/dotnet/examples_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
require 'spec_helper'
RSpec.describe ".NET Core" do
diff --git a/spec/integration/dotnet/nuget_spec.rb b/spec/integration/dotnet/nuget_spec.rb
index 90a189b..5bda5db 100644
--- a/spec/integration/dotnet/nuget_spec.rb
+++ b/spec/integration/dotnet/nuget_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
require 'spec_helper'
RSpec.describe "nuget" do
diff --git a/spec/integration/go/modules_spec.rb b/spec/integration/go/modules_spec.rb
index fa2313c..3edef74 100644
--- a/spec/integration/go/modules_spec.rb
+++ b/spec/integration/go/modules_spec.rb
@@ -1,9 +1,11 @@
+# frozen_string_literal: true
+
require 'spec_helper'
RSpec.describe "modules" do
before do
# Delete go module cache
- system('rm -fr ~/.local/pkg')
+ system('rm -fr /opt/gitlab/.local/pkg')
system('rm -fr /opt/asdf/installs/golang/**/packages/pkg/')
end
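Review bot: The cache purge on the changed line still shells out to `rm -fr`, now with a hard-coded `/opt/gitlab/.local/pkg`, and discards `system`'s return value, so a failed purge (wrong path, permissions) is silent and the following examples run against a warm module cache without anyone noticing. `FileUtils.rm_rf('/opt/gitlab/.local/pkg')` does the same job without a shell; if the intent is "the runner user's home", `File.join(Dir.home, '.local', 'pkg')` keeps it from drifting when that user changes. I can't tell from the hunk whether `~` was replaced because `HOME` is not `/opt/gitlab` in the image, so confirm which of the two is meant. The `before` block is complete within the hunk.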
@@ -64,6 +66,21 @@ RSpec.describe "modules" do
end
end
+ context "when scanning the `gitlab-runner` project" do
+ subject { runner.scan }
+
+ before do
+ runner.clone('https://gitlab.com/gitlab-org/gitlab-runner.git')
+ end
+
+ specify do
+ expect(subject).to match_schema
+ expect(subject[:licenses]).not_to be_empty
+ expect(subject[:dependencies]).not_to be_empty
+ expect(subject.dependency_names).to include('gitlab.com/gitlab-org/gitlab-terminal')
+ end
+ end
+
context "when scanning a project with vendored modules" do
subject { runner.scan }
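Review bot: The new `gitlab-runner` example clones the live upstream repository with no ref pinned, so the expectation that `gitlab.com/gitlab-org/gitlab-terminal` appears in the dependencies tracks whatever upstream's `go.mod` contains at the moment the suite runs, and the suite now depends on network access and on a third party's default branch. If `runner.clone` accepts a revision (its signature is not visible here), pin a tag or commit SHA; otherwise a small committed fixture with the same module graph gives the same coverage deterministically. The `vendored modules` context that begins at the end of this hunk continues outside it.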
diff --git a/spec/integration/java/gradle_spec.rb b/spec/integration/java/gradle_spec.rb
index c2137b3..25d7e26 100644
--- a/spec/integration/java/gradle_spec.rb
+++ b/spec/integration/java/gradle_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
require 'spec_helper'
RSpec.describe "gradle" do
@@ -113,17 +115,17 @@ plugins {
end
context 'when using Java 8 with version 1.* of gradle' do
+ subject { runner.scan(env: { 'LM_JAVA_VERSION' => '8' }) }
+
before do
runner.mount(dir: fixture_file("java/gradle/java-8"))
runner.add_file('.tool-versions', "gradle 1.9")
end
it 'returns an empty report because the plugin we use does not work in this version of the gradle API' do
- report = runner.scan(env: { 'LM_JAVA_VERSION' => '8' })
-
- expect(report).to match_schema
- expect(report[:dependencies]).to be_empty
- expect(report[:licenses]).to be_empty
+ expect(subject).to match_schema
+ expect(subject[:dependencies]).to be_empty
+ expect(subject[:licenses]).to be_empty
end
end
diff --git a/spec/integration/java/maven_spec.rb b/spec/integration/java/maven_spec.rb
index aa2d1ff..c9a7026 100644
--- a/spec/integration/java/maven_spec.rb
+++ b/spec/integration/java/maven_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
require 'spec_helper'
RSpec.describe "maven" do
@@ -58,15 +60,15 @@ RSpec.describe "maven" do
end
describe "When scanning a project with multiple modules" do
+ subject { runner.scan }
+
before do
runner.mount(dir: fixture_file('java/maven/multimodule'))
end
it 'detects dependences from each module' do
- report = runner.scan
-
- expect(report).to match_schema
- expect(report[:dependencies]).not_to be_empty
+ expect(subject).to match_schema
+ expect(subject[:dependencies]).not_to be_empty
[
{ name: "asm", licenses: ["BSD-4-Clause"] },
@@ -81,10 +83,10 @@ RSpec.describe "maven" do
{ name: "netty-all", licenses: ["Apache-2.0"] },
{ name: "stax2-api", licenses: ["BSD-4-Clause"] }
].each do |dependency|
- expect(report.licenses_for(dependency[:name])).to match_array(dependency[:licenses])
+ expect(subject.licenses_for(dependency[:name])).to match_array(dependency[:licenses])
end
- expect(report.dependency_names).not_to include('junit')
+ expect(subject.dependency_names).not_to include('junit')
end
end
diff --git a/spec/integration/js/bower_spec.rb b/spec/integration/js/bower_spec.rb
index 227718e..1bb366e 100644
--- a/spec/integration/js/bower_spec.rb
+++ b/spec/integration/js/bower_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
require 'spec_helper'
RSpec.describe "bower" do
diff --git a/spec/integration/js/npm_spec.rb b/spec/integration/js/npm_spec.rb
index a8dd2d4..8ab5be6 100644
--- a/spec/integration/js/npm_spec.rb
+++ b/spec/integration/js/npm_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
require 'spec_helper'
RSpec.describe "npm" do
diff --git a/spec/integration/js/yarn_spec.rb b/spec/integration/js/yarn_spec.rb
index d81564c..5b1f9c5 100644
--- a/spec/integration/js/yarn_spec.rb
+++ b/spec/integration/js/yarn_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
require 'spec_helper'
RSpec.describe "yarn" do
diff --git a/spec/integration/php/composer_spec.rb b/spec/integration/php/composer_spec.rb
index 839f0b7..9f71541 100644
--- a/spec/integration/php/composer_spec.rb
+++ b/spec/integration/php/composer_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
require 'spec_helper'
RSpec.describe "composer" do
diff --git a/spec/integration/python/pip_spec.rb b/spec/integration/python/pip_spec.rb
index a52b992..9c2721d 100644
--- a/spec/integration/python/pip_spec.rb
+++ b/spec/integration/python/pip_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
require 'spec_helper'
RSpec.describe "pip" do
@@ -100,10 +102,20 @@ RSpec.describe "pip" do
context "when a project uses a custom `SETUP_CMD`" do
before do
runner.add_file('requirements.txt', 'six==1.14.0')
+ runner.add_file('.python-version', '3.8.4')
+ runner.add_file('custom.sh') do
+ <<~SCRIPT
+ #!/bin/bash -lx
+
+ asdf install python 3.8.4
+ asdf reshim
+ pip install -r requirements.txt
+ SCRIPT
+ end
end
it 'detects the software licenses' do
- report = runner.scan(env: { 'SETUP_CMD' => 'pip install -r requirements.txt' })
+ report = runner.scan(env: { 'SETUP_CMD' => 'bash custom.sh' })
expect(report).to match_schema(version: '2.0')
expect(report.licenses_for('six')).to match_array(["MIT"])
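Review bot: `custom.sh` runs under `#!/bin/bash -lx` with no `set -e`, so if `asdf install python 3.8.4` fails the script carries on, `pip install` succeeds against whichever interpreter is already on `PATH`, and the example passes while exercising a different setup than the `.python-version` file implies. `-x` also echoes every expanded command to stderr, which is harmless in this fixture but is the kind of `SETUP_CMD` users copy, and it would print any index URL or token passed on a command line into the job log. I'd use `#!/bin/bash -l` with `set -euo pipefail` as the first statement and leave tracing to whoever is debugging. The `it` block is cut off at the bottom of the hunk.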
diff --git a/spec/integration/python/pipenv_spec.rb b/spec/integration/python/pipenv_spec.rb
index 5cc9128..cd20522 100644
--- a/spec/integration/python/pipenv_spec.rb
+++ b/spec/integration/python/pipenv_spec.rb
@@ -1,6 +1,12 @@
+# frozen_string_literal: true
+
require 'spec_helper'
RSpec.describe "pipenv" do
+ subject { runner.scan(env: env) }
+
+ let(:env) { {} }
+
include_examples "each report version", "python", "pipenv", "pip-file-lock"
context "when a project depends on a version 6 Pipfile.lock" do
@@ -19,15 +25,15 @@ RSpec.describe "pipenv" do
})
end
- it 'produces a valid report' do
+ before do
runner.add_file('Pipfile.lock', pipfile_lock_content)
+ end
- report = runner.scan
-
- expect(report).to match_schema
- expect(report[:version]).not_to be_empty
- expect(report[:licenses]).not_to be_empty
- expect(report.dependency_names).to contain_exactly("six")
+ it 'produces a valid report' do
+ expect(subject).to match_schema
+ expect(subject[:version]).not_to be_empty
+ expect(subject[:licenses]).not_to be_empty
+ expect(subject.dependency_names).to contain_exactly("six")
end
end
@@ -64,15 +70,15 @@ RSpec.describe "pipenv" do
})
end
- it 'produces a valid report' do
+ before do
runner.add_file('Pipfile.lock', pipfile_lock_content)
+ end
- report = runner.scan
-
- expect(report).to match_schema
- expect(report[:version]).not_to be_empty
- expect(report[:licenses]).not_to be_empty
- expect(report.dependency_names).to match_array([
+ it 'produces a valid report' do
+ expect(subject).to match_schema
+ expect(subject[:version]).not_to be_empty
+ expect(subject[:licenses]).not_to be_empty
+ expect(subject.dependency_names).to match_array([
"backports.shutil_get_terminal_size",
"click",
"colorama",
@@ -124,15 +130,15 @@ RSpec.describe "pipenv" do
})
end
- it 'produces a valid report' do
+ before do
runner.add_file('Pipfile.lock', pipfile_lock_content)
+ end
- report = runner.scan
-
- expect(report).to match_schema
- expect(report[:version]).not_to be_empty
- expect(report[:licenses]).not_to be_empty
- expect(report.dependency_names).to match_array(%w[
+ it 'produces a valid report' do
+ expect(subject).to match_schema
+ expect(subject[:version]).not_to be_empty
+ expect(subject[:licenses]).not_to be_empty
+ expect(subject.dependency_names).to match_array(%w[
certifi
chardet
idna
@@ -163,22 +169,19 @@ RSpec.describe "pipenv" do
end
it 'produces a valid report' do
- report = runner.scan
-
- expect(report).to match_schema
- expect(report[:licenses]).not_to be_empty
- expect(report[:dependencies].count).to be(1)
- expect(report.find('six')).not_to be_nil
+ expect(subject).to match_schema
+ expect(subject[:licenses]).not_to be_empty
+ expect(subject[:dependencies].count).to be(1)
+ expect(subject.find('six')).not_to be_nil
end
end
context "when scanning a simple Pipfile project" do
- let(:lockfile_content) { fixture_file_content('python/simple-Pipfile.lock') }
+ let(:lockfile_content) { fixture_file_content('python/pipenv/simple/Pipfile.lock') }
let(:lockfile_hash) { JSON.parse(lockfile_content) }
before do
- runner.add_file('Pipfile', fixture_file_content('python/simple-Pipfile'))
- runner.add_file('Pipfile.lock', lockfile_content)
+ runner.mount(dir: fixture_file('python/pipenv/simple'))
end
[2, 3].each do |version|
@@ -204,6 +207,12 @@ RSpec.describe "pipenv" do
context "when connecting to a private package repository with self signed certificate" do
let(:index_url) { "https://pypi.test/simple" }
+ let(:env) do
+ {
+ 'ADDITIONAL_CA_CERT_BUNDLE' => x509_certificate('wildcard.test').read,
+ 'PIP_INDEX_URL' => index_url
+ }
+ end
before do
add_host('pypi.test', '127.0.0.1')
@@ -214,13 +223,19 @@ RSpec.describe "pipenv" do
end
it 'downloads the packages and trusts the certificate' do
- report = runner.scan(env: {
- 'ADDITIONAL_CA_CERT_BUNDLE' => x509_certificate('wildcard.test').read,
- 'PIP_INDEX_URL' => index_url
- })
+ expect(subject).to match_schema
+ expect(subject.dependency_names).to include('requests')
+ end
+ end
+
+ context "when scanning a project that declares a specific version of python in the lockfile" do
+ before do
+ runner.mount(dir: fixture_file('python/pipenv/specific-python-version'))
+ end
- expect(report).to match_schema
- expect(report.dependency_names).to include('requests')
+ specify do
+ expect(subject).to match_schema
+ expect(subject.dependency_names).to match_array(%w[Django docutils pytz requests])
end
end
end
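Review bot: The self-signed-certificate example only checks the positive path — with `ADDITIONAL_CA_CERT_BUNDLE` set, the scan reaches `pypi.test` and reports `requests` — so a regression that made the scanner stop verifying TLS altogether (a global trusted-host or verify-off setting) would still pass it. Add a sibling example in the same context that overrides `let(:env) { { 'PIP_INDEX_URL' => index_url } }` without the bundle and expects `requests` to be absent from the report (or however the runner surfaces a failed install — I can't see that from here), so the test pins that trust comes from the supplied bundle rather than from disabled verification. The new `specific-python-version` context hard-codes `%w[Django docutils pytz requests]`, which is fine as long as the fixture's lockfile is committed with it.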
diff --git a/spec/integration/ruby/bundler_spec.rb b/spec/integration/ruby/bundler_spec.rb
index 30cf776..6cb5543 100644
--- a/spec/integration/ruby/bundler_spec.rb
+++ b/spec/integration/ruby/bundler_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
require 'spec_helper'
RSpec.describe "bundler" do
@@ -82,8 +84,6 @@ RSpec.describe "bundler" do
specify do
expect(subject).to match_schema
- expect(subject[:licenses]).not_to be_empty
- expect(subject[:dependencies]).not_to be_empty
expect(subject.dependency_names).to include('rails')
expect(subject.dependency_names).to include('vue')
end
@@ -140,4 +140,24 @@ RSpec.describe "bundler" do
expect(subject.licenses_for('spandx')).to match_array(['MIT'])
end
end
+
+ context "when scanning a jruby project" do
+ before do
+ runner.mount(dir: fixture_file('ruby/bundler-jruby'))
+ end
+
+ pending do
+ expect(subject).to match_schema
+ expect(subject[:licenses]).not_to be_empty
+ expect(subject.dependency_names).not_to include('jruby-profiler-flame_graph_profile_printer')
+
+ expect(subject.dependency_names).to include('activerecord-jdbcpostgresql-adapter')
+ expect(subject.dependency_names).to include('protobuf_java_helpers')
+ expect(subject.dependency_names).to include('fast_blank_java')
+
+ expect(subject.licenses_for('activerecord-jdbcpostgresql-adapter')).to match_array(['MIT'])
+ expect(subject.licenses_for('protobuf_java_helpers')).to match_array(['MIT'])
+ expect(subject.licenses_for('fast_blank_java')).to match_array(['MIT'])
+ end
+ end
end
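Review bot: The jruby example is declared with a bare `pending do`, so its generated description is just the example's location and nothing records why it is expected to fail or what would allow promoting it to `specify`. Put the reason in the description, e.g. `pending "jruby-platform gems are not resolved from Gemfile.lock yet" do` — I'm inferring that from the platform-specific gem names being asserted, so confirm the actual failure. It is also worth a one-line comment above the block noting that RSpec reports a `pending` example that starts passing as a failure, which is the intended signal when license_finder gains support and not a reason to delete the example.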
diff --git a/spec/integration/rust/cargo_spec.rb b/spec/integration/rust/cargo_spec.rb
index 77ad447..3ab010d 100644
--- a/spec/integration/rust/cargo_spec.rb
+++ b/spec/integration/rust/cargo_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
require 'spec_helper'
RSpec.describe "cargo" do