diff --git a/nodejs-wrapper/.gitignore b/nodejs-wrapper/.gitignore new file mode 100644 index 00000000..0ec7084c --- /dev/null +++ b/nodejs-wrapper/.gitignore @@ -0,0 +1,2 @@ +download +dependency-check-summary.txt \ No newline at end of file diff --git a/nodejs-wrapper/LICENSE-EPL-2.0 b/nodejs-wrapper/LICENSE-EPL-2.0 new file mode 100644 index 00000000..e48e0963 --- /dev/null +++ b/nodejs-wrapper/LICENSE-EPL-2.0 @@ -0,0 +1,277 @@ +Eclipse Public License - v 2.0 + + THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE + PUBLIC LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION + OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT. + +1. DEFINITIONS + +"Contribution" means: + + a) in the case of the initial Contributor, the initial content + Distributed under this Agreement, and + + b) in the case of each subsequent Contributor: + i) changes to the Program, and + ii) additions to the Program; + where such changes and/or additions to the Program originate from + and are Distributed by that particular Contributor. A Contribution + "originates" from a Contributor if it was added to the Program by + such Contributor itself or anyone acting on such Contributor's behalf. + Contributions do not include changes or additions to the Program that + are not Modified Works. + +"Contributor" means any person or entity that Distributes the Program. + +"Licensed Patents" mean patent claims licensable by a Contributor which +are necessarily infringed by the use or sale of its Contribution alone +or when combined with the Program. + +"Program" means the Contributions Distributed in accordance with this +Agreement. + +"Recipient" means anyone who receives the Program under this Agreement +or any Secondary License (as applicable), including Contributors. + +"Derivative Works" shall mean any work, whether in Source Code or other +form, that is based on (or derived from) the Program and for which the +editorial revisions, annotations, elaborations, or other modifications +represent, as a whole, an original work of authorship. + +"Modified Works" shall mean any work in Source Code or other form that +results from an addition to, deletion from, or modification of the +contents of the Program, including, for purposes of clarity any new file +in Source Code form that contains any contents of the Program. Modified +Works shall not include works that contain only declarations, +interfaces, types, classes, structures, or files of the Program solely +in each case in order to link to, bind by name, or subclass the Program +or Modified Works thereof. + +"Distribute" means the acts of a) distributing or b) making available +in any manner that enables the transfer of a copy. + +"Source Code" means the form of a Program preferred for making +modifications, including but not limited to software source code, +documentation source, and configuration files. + +"Secondary License" means either the GNU General Public License, +Version 2.0, or any later versions of that license, including any +exceptions or additional permissions as identified by the initial +Contributor. + +2. GRANT OF RIGHTS + + a) Subject to the terms of this Agreement, each Contributor hereby + grants Recipient a non-exclusive, worldwide, royalty-free copyright + license to reproduce, prepare Derivative Works of, publicly display, + publicly perform, Distribute and sublicense the Contribution of such + Contributor, if any, and such Derivative Works. + + b) Subject to the terms of this Agreement, each Contributor hereby + grants Recipient a non-exclusive, worldwide, royalty-free patent + license under Licensed Patents to make, use, sell, offer to sell, + import and otherwise transfer the Contribution of such Contributor, + if any, in Source Code or other form. This patent license shall + apply to the combination of the Contribution and the Program if, at + the time the Contribution is added by the Contributor, such addition + of the Contribution causes such combination to be covered by the + Licensed Patents. The patent license shall not apply to any other + combinations which include the Contribution. No hardware per se is + licensed hereunder. + + c) Recipient understands that although each Contributor grants the + licenses to its Contributions set forth herein, no assurances are + provided by any Contributor that the Program does not infringe the + patent or other intellectual property rights of any other entity. + Each Contributor disclaims any liability to Recipient for claims + brought by any other entity based on infringement of intellectual + property rights or otherwise. As a condition to exercising the + rights and licenses granted hereunder, each Recipient hereby + assumes sole responsibility to secure any other intellectual + property rights needed, if any. For example, if a third party + patent license is required to allow Recipient to Distribute the + Program, it is Recipient's responsibility to acquire that license + before distributing the Program. + + d) Each Contributor represents that to its knowledge it has + sufficient copyright rights in its Contribution, if any, to grant + the copyright license set forth in this Agreement. + + e) Notwithstanding the terms of any Secondary License, no + Contributor makes additional grants to any Recipient (other than + those set forth in this Agreement) as a result of such Recipient's + receipt of the Program under the terms of a Secondary License + (if permitted under the terms of Section 3). + +3. REQUIREMENTS + +3.1 If a Contributor Distributes the Program in any form, then: + + a) the Program must also be made available as Source Code, in + accordance with section 3.2, and the Contributor must accompany + the Program with a statement that the Source Code for the Program + is available under this Agreement, and informs Recipients how to + obtain it in a reasonable manner on or through a medium customarily + used for software exchange; and + + b) the Contributor may Distribute the Program under a license + different than this Agreement, provided that such license: + i) effectively disclaims on behalf of all other Contributors all + warranties and conditions, express and implied, including + warranties or conditions of title and non-infringement, and + implied warranties or conditions of merchantability and fitness + for a particular purpose; + + ii) effectively excludes on behalf of all other Contributors all + liability for damages, including direct, indirect, special, + incidental and consequential damages, such as lost profits; + + iii) does not attempt to limit or alter the recipients' rights + in the Source Code under section 3.2; and + + iv) requires any subsequent distribution of the Program by any + party to be under a license that satisfies the requirements + of this section 3. + +3.2 When the Program is Distributed as Source Code: + + a) it must be made available under this Agreement, or if the + Program (i) is combined with other material in a separate file or + files made available under a Secondary License, and (ii) the initial + Contributor attached to the Source Code the notice described in + Exhibit A of this Agreement, then the Program may be made available + under the terms of such Secondary Licenses, and + + b) a copy of this Agreement must be included with each copy of + the Program. + +3.3 Contributors may not remove or alter any copyright, patent, +trademark, attribution notices, disclaimers of warranty, or limitations +of liability ("notices") contained within the Program from any copy of +the Program which they Distribute, provided that Contributors may add +their own appropriate notices. + +4. COMMERCIAL DISTRIBUTION + +Commercial distributors of software may accept certain responsibilities +with respect to end users, business partners and the like. While this +license is intended to facilitate the commercial use of the Program, +the Contributor who includes the Program in a commercial product +offering should do so in a manner which does not create potential +liability for other Contributors. Therefore, if a Contributor includes +the Program in a commercial product offering, such Contributor +("Commercial Contributor") hereby agrees to defend and indemnify every +other Contributor ("Indemnified Contributor") against any losses, +damages and costs (collectively "Losses") arising from claims, lawsuits +and other legal actions brought by a third party against the Indemnified +Contributor to the extent caused by the acts or omissions of such +Commercial Contributor in connection with its distribution of the Program +in a commercial product offering. The obligations in this section do not +apply to any claims or Losses relating to any actual or alleged +intellectual property infringement. In order to qualify, an Indemnified +Contributor must: a) promptly notify the Commercial Contributor in +writing of such claim, and b) allow the Commercial Contributor to control, +and cooperate with the Commercial Contributor in, the defense and any +related settlement negotiations. The Indemnified Contributor may +participate in any such claim at its own expense. + +For example, a Contributor might include the Program in a commercial +product offering, Product X. That Contributor is then a Commercial +Contributor. If that Commercial Contributor then makes performance +claims, or offers warranties related to Product X, those performance +claims and warranties are such Commercial Contributor's responsibility +alone. Under this section, the Commercial Contributor would have to +defend claims against the other Contributors related to those performance +claims and warranties, and if a court requires any other Contributor to +pay any damages as a result, the Commercial Contributor must pay +those damages. + +5. NO WARRANTY + +EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, AND TO THE EXTENT +PERMITTED BY APPLICABLE LAW, THE PROGRAM IS PROVIDED ON AN "AS IS" +BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR +IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF +TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR +PURPOSE. Each Recipient is solely responsible for determining the +appropriateness of using and distributing the Program and assumes all +risks associated with its exercise of rights under this Agreement, +including but not limited to the risks and costs of program errors, +compliance with applicable laws, damage to or loss of data, programs +or equipment, and unavailability or interruption of operations. + +6. DISCLAIMER OF LIABILITY + +EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, AND TO THE EXTENT +PERMITTED BY APPLICABLE LAW, NEITHER RECIPIENT NOR ANY CONTRIBUTORS +SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, +EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOST +PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE +EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + +7. GENERAL + +If any provision of this Agreement is invalid or unenforceable under +applicable law, it shall not affect the validity or enforceability of +the remainder of the terms of this Agreement, and without further +action by the parties hereto, such provision shall be reformed to the +minimum extent necessary to make such provision valid and enforceable. + +If Recipient institutes patent litigation against any entity +(including a cross-claim or counterclaim in a lawsuit) alleging that the +Program itself (excluding combinations of the Program with other software +or hardware) infringes such Recipient's patent(s), then such Recipient's +rights granted under Section 2(b) shall terminate as of the date such +litigation is filed. + +All Recipient's rights under this Agreement shall terminate if it +fails to comply with any of the material terms or conditions of this +Agreement and does not cure such failure in a reasonable period of +time after becoming aware of such noncompliance. If all Recipient's +rights under this Agreement terminate, Recipient agrees to cease use +and distribution of the Program as soon as reasonably practicable. +However, Recipient's obligations under this Agreement and any licenses +granted by Recipient relating to the Program shall continue and survive. + +Everyone is permitted to copy and distribute copies of this Agreement, +but in order to avoid inconsistency the Agreement is copyrighted and +may only be modified in the following manner. The Agreement Steward +reserves the right to publish new versions (including revisions) of +this Agreement from time to time. No one other than the Agreement +Steward has the right to modify this Agreement. The Eclipse Foundation +is the initial Agreement Steward. The Eclipse Foundation may assign the +responsibility to serve as the Agreement Steward to a suitable separate +entity. Each new version of the Agreement will be given a distinguishing +version number. The Program (including Contributions) may always be +Distributed subject to the version of the Agreement under which it was +received. In addition, after a new version of the Agreement is published, +Contributor may elect to Distribute the Program (including its +Contributions) under the new version. + +Except as expressly stated in Sections 2(a) and 2(b) above, Recipient +receives no rights or licenses to the intellectual property of any +Contributor under this Agreement, whether expressly, by implication, +estoppel or otherwise. All rights in the Program not expressly granted +under this Agreement are reserved. Nothing in this Agreement is intended +to be enforceable by any entity that is not a Contributor or Recipient. +No third-party beneficiary rights are created under this Agreement. + +Exhibit A - Form of Secondary Licenses Notice + +"This Source Code may also be made available under the following +Secondary Licenses when the conditions for such availability set forth +in the Eclipse Public License, v. 2.0 are satisfied: {name license(s), +version(s), and exceptions or additional permissions here}." + + Simply including a copy of this Agreement, including this Exhibit A + is not sufficient to license the Source Code under Secondary Licenses. + + If it is not possible or desirable to put the notice in a particular + file, then You may include the notice in a location (such as a LICENSE + file in a relevant directory) where a recipient would be likely to + look for such a notice. + + You may add additional accurate notices of copyright ownership. diff --git a/nodejs-wrapper/LICENSE-GPL-2.0-ONLY-CLASSPATH-EXCEPTION b/nodejs-wrapper/LICENSE-GPL-2.0-ONLY-CLASSPATH-EXCEPTION new file mode 100644 index 00000000..b8aa1bee --- /dev/null +++ b/nodejs-wrapper/LICENSE-GPL-2.0-ONLY-CLASSPATH-EXCEPTION @@ -0,0 +1,356 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + signature of Ty Coon, 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. + +Class Path Exception + +Linking this library statically or dynamically with other modules is making +a combined work based on this library. Thus, the terms and conditions of +the GNU General Public License cover the whole combination. + +As a special exception, the copyright holders of this library give you +permission to link this library with independent modules to produce an +executable, regardless of the license terms of these independent modules, +and to copy and distribute the resulting executable under terms of your +choice, provided that you also meet, for each linked independent module, +the terms and conditions of the license of that module. An independent +module is a module which is not derived from or based on this library. If +you modify this library, you may extend this exception to your version of +the library, but you are not obligated to do so. If you do not wish to do +so, delete this exception statement from your version. diff --git a/nodejs-wrapper/README.md b/nodejs-wrapper/README.md new file mode 100644 index 00000000..3e71397d --- /dev/null +++ b/nodejs-wrapper/README.md @@ -0,0 +1,136 @@ +# dash-licenses-wrapper + +This npm package makes it easy to integrate [dash-licenses](https://github.com/eclipse/dash-licenses) to Eclipse Foundation JavaScript/TypeScript projects, including running license checks during CI on GitHub, e.g. on pull requests. That's the best way to catch early, any 3PP components that has incompatible or have unclear licenses. Optionally, `dash-licenses` can run in `automatic review mode`, to automatically create IP Check tickets, on the Eclipse Foundation Gitlab instance, one for each 3PP component that fails the check, for further scrutiny. These tickets can often be approved automatically in minutes. + +## Runtime requirements + +- called using `bash` +- `node.js` (`node`) is available from the path +- on Linux, mac or Windows using Windows Subsystem for Linux (WSL) +- JDK or JRE is installed (`java` executable is in the path), to run `dash-licenses` +- to run in [automatic review mode](https://github.com/eclipse/dash-licenses#automatic-ip-team-review-requests) : + - an Eclipse Foundation Gitlab Personal Access Token (PAT), generated by an Eclipse project committer, is necessary + - local run: the PAT needs to be set in environment variable `DASH_TOKEN`. e.g. `export DASH_TOKEN=` + - GitHub workflow run: the PAT needs to be set as a GitHub Secret, and used in the workflow to define environment variable `DASH_TOKEN`. Note: GitHub [secrets are not be available for PRs that originate from a fork](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow), which means that "automatic review mode" can't be used for PRs from non-committers (that must open the PR from their fork vs from the main repo) or for PR from committers that open the PR from their fork. + +## How to install and use + +This npm package contains a `dash-licenses-wrapper.js` script that serves as frontend to `dash-licenses`, an example GitHub workflow that uses it and some example configuration files. + +To install this package as a "devDependency" in your project, use one of the following from the root, according to the project's npm client: + +```bash +# yarn: +# note: if prompted to do so, you may need to add option "--ignore-workspace-root-check" +yarn add dash-licenses-wrapper --dev + +# npm: +npm install dash-licenses-wrapper --save-dev +``` + +Once installed, you can run the license check, from the repo root, with the following command: + +```bash + # using yarn lock file as input (default) + npx dash-licenses-wrapper + + # using npm lock file as input + npx dash-licenses-wrapper --inputFile=./package-lock.json +``` + +To get help about using the wrapper, do: + +```bash + npx dash-licenses-wrapper --help +``` + +It's suggested to add one or more `scripts` entries in the project's root `package.json`, that call the wrapper, with the wanted arguments. For example: + +`npm` project: + +```json +"scripts": { + "license:check": "npm run dash-licenses-wrapper --inputFile=./package-lock.json", + "license:check:review": "npm run dash-licenses-wrapper --inputFile=./package-lock.json --review --project=ecd.cdt-cloud", +``` + +`yarn` project: + +```json +"scripts": { + "license:check": "yarn run dash-licenses-wrapper --inputFile=./yarn.lock", + "license:check:review": "yarn run dash-licenses-wrapper --inputFile=./yarn.lock --review --project=ecd.cdt-cloud", +``` + +It's possible to use a configuration file instead of adding all wanted options on the CLI. See section below for the details about configuration files. + +```bash +npx dash-licenses-wrapper --configFile=./configs/license-check-config.json +``` + +## configuration file + +A configuration file can be used. Values defined therein will override wrapper defaults, and can themselves be overridden by CLI. + +`dashLicensesConfig.json`: + +```json +{ + "project": "ecd.theia", + "review": true, + "inputFile": "./package-lock.json", + "batch": "50", + "timeout": "240", + "exclusionsFile": "configs/dashLicensesExclusions.json", + "summaryFile": "dash-licenses-summary.txt" +} +``` + +A configuration file can be used like so: + +```bash + npx dash-licenses-wrapper --configFile=configs/dashLicensesConfig.json +``` + +## Fine-tuning results: exclusions file + +`dash-licenses` is meant to help Eclipse Foundation projects manage the license aspect of their 3PPs, rather than being the absolute "arbitror of truth". As such, a project may want some dependencies, reported as requiring more scrutiny, to be momentarily "ignored". This means that `dash-licenses` will still process these but the wrapper will not count them as having failed the check. If only excluded 3PPs are reported by `dash-licenses` as requiring further scrutiny, the wrapper will return a success status code. + +The `exclusions file` contains one dependency per line, with an optional comment, that can be used to track the justification for excluding the dependency, from failing the license check. This can be useful for example with dependencies that are under review but believed to have a compatible license. + +```json +{ + "<3PP as reported by dash-licenses>": "", + "": "" +} +``` + +Example scenario: an important Pull Request (PR) adds a 3PP dependency, whose license is believed by the project to be compatible, but for which `dash-licenses` disagrees (e.g. because of a low score). The dependency is submitted the IP team for further analysis but can't be automatically approved, quickly. In the meantime, to avoid delaying merging the important PR or merging and having the "License Check" CI job fail until the dependency is officially approved, it may be added to the `exclusions file`: + +Let's say the project's exclusion file is `configs/dashLicensesExclusions.json` + +The following entry is added: the first field is the 3PP as reported by `dash-licenses` and the second field is an optional comment, that can be used to track the reason for excluding the dependency from failing the license check. e.g.: + +```json +"npm/npmjs/-//1.2.3": "We believe this dependency is license-compatible. Under review by the IP team to confirm: https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/555555", +``` + +And then the wrapper can be called with CLI parameter `--exclusions` pointing to the `exclusions` file, like so: + +```bash +npx dash-licenses-wrapper --inputFile=./package-lock.json --exclusions=configs/dashLicensesExclusions.json +``` + +Exclusion file: `/dependency-check-baseline.json` + +## GitHub workflow + +An example workflow, that runs the license check, is provided in directory `examples` (by default under `node_modules/dash-licenses-wrapper/examples/license-check-workflow.yml`). It can be copied to a GitHub project's directory `/.github/workflows` and adapted for the given project. + +If the project has added a `scripts` entry in the root `package.json` to run the license check, that may be used instead of `npx dash-licenses-wrapper [...]`. E.g. `yarn license:check [...]`. + +It can be very efficient to run `dash-licenses` in `review` mode during CI, to automatically create IP Check tickets, one for each 3PP component that fails the check. To do this, a committer (user with write access to the repo) needs to set a GitHub secret that contains an Eclipse Foundation Gitlab PAT, and use it in the workflow so that environment variable `DASH_TOKEN` is set with it. Note that for security reasons, GitHub only permits the secret to be used when the PR author is a committer. When that's not the case, the wrapper will fall-back to not using `review` mode, and IP tickets should be open manually, as needed. + +## Acknowledgements + +This work is based on work contributed to the [Eclipse Theia main git repository](https://github.com/eclipse-theia/theia), by Ericsson and others. Mainly script [check_3pp_licenses](https://github.com/eclipse-theia/theia/blob/master/scripts/check_3pp_licenses.js). diff --git a/nodejs-wrapper/examples/dashLicensesConfig.json b/nodejs-wrapper/examples/dashLicensesConfig.json new file mode 100644 index 00000000..dca13ae6 --- /dev/null +++ b/nodejs-wrapper/examples/dashLicensesConfig.json @@ -0,0 +1,9 @@ +{ + "project": "ecd.cdt-cloud", + "review": false, + "inputFile": "package-lock.json", + "batch": 51, + "timeout": 241, + "exclusions": "dashLicensesExclusions.json", + "summary": "dependency-check-summary.txt" +} diff --git a/nodejs-wrapper/examples/dashLicensesExclusions.json b/nodejs-wrapper/examples/dashLicensesExclusions.json new file mode 100644 index 00000000..582164b8 --- /dev/null +++ b/nodejs-wrapper/examples/dashLicensesExclusions.json @@ -0,0 +1,4 @@ +{ + "npm/npmjs/-/allure-commandline/2.23.0": "Approved https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/9379", + "npm/npmjs/-/eslint-plugin-deprecation/1.2.1": "Approved as 'works-with': https://dev.eclipse.org/ipzilla/show_bug.cgi?id=22573" +} \ No newline at end of file diff --git a/nodejs-wrapper/examples/license-check-workflow.yml b/nodejs-wrapper/examples/license-check-workflow.yml new file mode 100644 index 00000000..d0f86ab0 --- /dev/null +++ b/nodejs-wrapper/examples/license-check-workflow.yml @@ -0,0 +1,53 @@ +name: 3PP License Check + +on: + push: + branches: + - master + workflow_dispatch: + pull_request: + branches: + - master + schedule: + - cron: '0 4 * * *' # Runs every day at 4am: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#scheduled-events-schedule + +jobs: + + License-check: + name: 3PP License Check using dash-licenses + + strategy: + fail-fast: false + matrix: + os: [ubuntu-latest] + node: ['18.x'] + java: ['11'] + + runs-on: ${{ matrix.os }} + timeout-minutes: 60 + + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + fetch-depth: 2 + + - name: Use Node.js ${{ matrix.node }} + uses: actions/setup-node@v3 + with: + node-version: ${{ matrix.node }} + registry-url: 'https://registry.npmjs.org' + + - name: Use Java ${{ matrix.java }} + uses: actions/setup-java@v3 + with: + distribution: 'adopt' + java-version: ${{ matrix.java }} + + - name: Run dash-licenses + if: matrix.tests != 'skip' + shell: bash + run: | + npx dash-licenses-wrapper --inputFile=./yarn.lock --project= --review" + env: + DASH_TOKEN: ${{ secrets.DASH_LICENSES_PAT }} diff --git a/nodejs-wrapper/package.json b/nodejs-wrapper/package.json new file mode 100644 index 00000000..ece415a4 --- /dev/null +++ b/nodejs-wrapper/package.json @@ -0,0 +1,31 @@ +{ + "name": "dash-licenses-wrapper", + "version": "1.0.0", + "description": "Node.js wrapper for dash-licenses, that makes it easier to perform license checks for JS/TS Eclipse Foundation projects", + "publishConfig": { + "access": "public" + }, + "bin": { + "dash-licenses-wrapper": "src/dash-licenses-wrapper.js" + }, + "scripts": { + "test": "test" + }, + "repository": { + "type": "git", + "url": "git+https://github.com/eclipse/dash-licenses.git" + }, + "keywords": [ + "dash-licenses", + "wrapper", + "license check", + "GitHub workflow", + "Eclipse Foundation" + ], + "author": "Ericsson and others", + "license": "EPL-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0", + "bugs": { + "url": "https://github.com/eclipse/dash-licenses/issues" + }, + "homepage": "https://github.com/eclipse/dash-licenses/nodejs-wrapper#readme" +} diff --git a/nodejs-wrapper/publishing.md b/nodejs-wrapper/publishing.md new file mode 100644 index 00000000..1e8e8d60 --- /dev/null +++ b/nodejs-wrapper/publishing.md @@ -0,0 +1,11 @@ +# Publishing `dash-licenses-wrapper` + +```bash +# Setup npm token. e.g. +npm adduser + +cd nodejs-wrapper +# step package version in `package.json` +# publish package +npm publish +``` diff --git a/nodejs-wrapper/src/dash-licenses-wrapper.js b/nodejs-wrapper/src/dash-licenses-wrapper.js new file mode 100755 index 00000000..316b6302 --- /dev/null +++ b/nodejs-wrapper/src/dash-licenses-wrapper.js @@ -0,0 +1,542 @@ +#!/usr/bin/env node +// ***************************************************************************** +// Copyright (C) 2021-2023 Ericsson and others +// +// This program and the accompanying materials are made available under the +// terms of the Eclipse Public License v. 2.0 which is available at +// http://www.eclipse.org/legal/epl-2.0. +// +// This Source Code may also be made available under the following Secondary +// Licenses when the conditions for such availability set forth in the Eclipse +// Public License v. 2.0 are satisfied: GNU General Public License, version 2 +// with the GNU Classpath Exception which is available at +// https://www.gnu.org/software/classpath/license.html. +// +// SPDX-License-Identifier: EPL-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0 +// ***************************************************************************** +// @ts-check + +const cp = require('child_process'); +const fs = require('fs'); +const path = require('path'); +const readline = require('readline'); + +let noColor = Boolean(process.env['NO_COLOR']); +const execName = path.basename(process.argv[1]); + +/** JSON.Stringify() "replacer", used to print objects in this script in human-friendly form */ +const regExpReplacer = (key, value) => { + if (value instanceof RegExp) { + return value.toString(); + } + return value; +}; +const dashLicensesJar = path.resolve(__dirname, 'download/dash-licenses.jar'); +const dashLicensesDownloadUrl = 'https://repo.eclipse.org/service/local/artifact/maven/redirect?r=dash-licenses&g=org.eclipse.dash&a=org.eclipse.dash.licenses&v=LATEST'; +const dashLicensesInternalError = 127; + +const unsupportedCLIDefault = "Unsupported CLI arg"; +/** CLI parameters parsed but not currently supported, so they will not be passed to dash-licenses */ +const dashUnsupportedCLI = { + "cd": unsupportedCLIDefault, + "clearly-defined-api": unsupportedCLIDefault, + "confidence": unsupportedCLIDefault, + "ef": unsupportedCLIDefault, + "foundation-api": unsupportedCLIDefault, + "lic": unsupportedCLIDefault, + "license": unsupportedCLIDefault, + "token": unsupportedCLIDefault + "- for security reasons, use an environment variable or GitHub secret instead" +}; + +// CLI parameters processed by this script, and corresponding +// Regexps to parse them and their values +const wrapperCLIRegexps = { + // supported, wrapper-specific + "configFile": /--(configFile)=(\S+).*/, + "debug": /--(debug)/, + "dryRun": /--(dryRun)/, + "exclusions": /--(exclusions)=(\S+).*/, + "help": /--(help)/, + "inputFile": /--(inputFile)=(\S+).*/, + "noColor": /--(noColor)/, + + // supported, passed to dash-licenses + "batch": /--(batch)=(\d+).*/, + "project": /--(project)=(\S+).*/, + "review": /--(review)/, + "summary": /--(summary)=(\S+).*/, + "timeout": /--(timeout)=(\d+).*/, + + // parsed but unsupported, from here down, + // not passed to dash-licenses + "cd": /--(cd)=(\S+).*/, + "clearly-defined-api": /--(clearly-defined-api)=(\S+).*/, + "confidence": /--(confidence)=(\d+)/, + "ef": /--(ef)=(\S+).*/, + "foundation-api": /--(foundation-api)=(\S+).*/, + "lic": /--(lic)=(\S).*/, + "license": /--(license)=(\S).*/, + "token": /--(token)=(\S).*/ +}; + +/** Effective configuration, after resolving defaults, config file and CLI */ +const dashLicensesConfig = {}; + +/** + * Supported Configurable parameters and their default values + * Note: We do not handle the Gitlab token. Instead, an environment variable + * should be used + */ +const dashLicensesConfigDefaults = { + /** batch size. Passed as-is to dash-licenses */ + "batch": 100, + /** default config file, to fine-tune dash-licenses options */ + "configFile": "dashLicensesConfig.json", + /** run this script in debug mode, printing-out more information */ + "debug": false, + /** run in dry run mode - do not create IP tickets */ + "dryRun": false, + /** + * file where exclusions are defined. Excluded 3PPs will be ignored, if + * reported by dash-licenses, and so will not cause this script to exit with + * an error status + */ + "exclusions": "license-check-exclusions.json", + /** display help and exit */ + "help": false, + /** file where dependencies are defined. Passed as-is to dash-licenses */ + "inputFile": "yarn.lock", + /** disable usage of color in this script's output */ + "noColor": false, + /** eclipse Foundation short project name. e.g. "ecd.theia", "ecd.cdt-cloud" */ + "project": "", + /** use dash-license "review" mode, to automatically create IP tickets for any suspicious dependencies? */ + "review": false, + /** summary file, in which dash-licenses will save its findings */ + "summary": "license-check-summary.txt", + /** timeout. Passed as-is to dash-licenses */ + "timeout": 30 +}; + +resolveConfig(); + +// review mode has further requirements (PAT) that may force us to turn it off, even if +// requested +let autoReviewMode = dashLicensesConfig.review; +const batch = dashLicensesConfig.batch; +const depsInputFile = dashLicensesConfig.inputFile; +const dryRun = dashLicensesConfig.dryRun; +const exclusionsFile = dashLicensesConfig.exclusions; +const projectName = dashLicensesConfig.project; +const summaryFile = path.resolve(dashLicensesConfig.summary); +const timeout = dashLicensesConfig.timeout; + +// A Eclipse Foundation Gitlab Personal Access Token, generated by an Eclipse committer, +// is required to use dash-licenses in "review" mode. For more information see: +// https://github.com/eclipse/dash-licenses#automatic-ip-team-review-requests +// +// Reminder: Do NOT share or expose your token! +// +// e.g. Set the token locally like so (bash shell): +// $> export DASH_TOKEN= +// +// Since dash-licenses can consume the PAT directly from the environment, let's just +// confirm whether it seems to be set +const isPersonalAccessTokenSet = "DASH_TOKEN" in process.env; + +main().catch(error => { + console.error(error); + process.exit(1); +}); + +async function main() { + if (!fs.existsSync(depsInputFile)) { + error(`Input file not found: ${depsInputFile}. Please provide it using "--inputFile=" CLI option`); + process.exit(1); + } + info(`Using input file: ${depsInputFile} - found`); + if (autoReviewMode && !isPersonalAccessTokenSet) { + warn('Please setup an Eclipse Foundation Gitlab Personal Access Token to run the license check in "review" mode'); + warn('It should be set in an environment variable named "DASH_TOKEN"'); + warn('Proceeding without auto review since the PAT is not currently set'); + autoReviewMode = false; + } + if (autoReviewMode && !projectName) { + warn('Please provide a valid Eclipse Foundation project name to run the license check in "review" mode'); + warn('You can pass it using the "--project=" CLI parameter'); + warn('Proceeding without auto review, since the project is not currently set'); + autoReviewMode = false; + } + if (!fs.existsSync(dashLicensesJar)) { + info('Fetching dash-licenses...'); + fs.mkdirSync(path.dirname(dashLicensesJar), { recursive: true }); + const curlError = getErrorFromStatus(spawn( + 'curl', ['-L', dashLicensesDownloadUrl, '-o', dashLicensesJar], + )); + if (curlError) { + error(curlError); + process.exit(1); + } + } + if (fs.existsSync(summaryFile)) { + info('Backing up previous summary...'); + fs.renameSync(summaryFile, `${summaryFile}.old`); + } + const args = ['-jar', dashLicensesJar, depsInputFile, '-batch', batch, '-timeout', timeout, '-summary', summaryFile]; + // use project name if defined - it makes results more precise. e.g. it lets + // dash-licenses take into account project-specific "works with" approvals + if (projectName) { + args.push('-project', projectName); + if (autoReviewMode && isPersonalAccessTokenSet) { + info(`Using "review" mode for project: ${projectName}`); + args.push('-review'); + } + } + if (dryRun) { + info('Dry-run mode enabled - exiting before launching dash-licenses'); + process.exit(0); + } + info('Running dash-licenses...'); + const dashStatus = spawn('java', args, { + stdio: ['ignore', 'inherit', 'inherit'] + }); + + const dashError = getErrorFromStatus(dashStatus); + + if (dashError) { + if (dashStatus.status == dashLicensesInternalError) { + error(dashError); + error('Detected an internal error in dash-licenses - run inconclusive'); + process.exit(dashLicensesInternalError); + } + warn(dashError); + } + + const restricted = await getRestrictedDependenciesFromSummary(summaryFile); + // filter-out restricted dependencies that are in the exclusion file + if (restricted.length > 0) { + if (fs.existsSync(exclusionsFile)) { + info('Checking results against the exclusions...'); + const exclusions = readExclusions(exclusionsFile); + const unmatched = new Set(exclusions.keys()); + const unhandled = restricted.filter(entry => { + unmatched.delete(entry.dependency); + return !exclusions.has(entry.dependency); + }); + if (unmatched.size > 0) { + warn('Some entries in the exclusions did not match anything from dash-licenses output:'); + warn("(perhaps these entries are no longer required?)"); + for (const dependency of unmatched) { + console.log(magenta(`> ${dependency}`)); + const data = exclusions.get(dependency); + if (data) { + console.warn(`${dependency}:`, data); + } + } + } + if (unhandled.length > 0) { + error(`Found results that aren't part of the exclusions!`); + logRestrictedDashSummaryEntries(unhandled); + process.exit(1); + } + } else { + error(`Found unhandled restricted dependencies!`); + logRestrictedDashSummaryEntries(restricted); + process.exit(1); + } + } + info('Done.'); + process.exit(0); +} + +function printHelp() { + help(`Usage: ${execName} [options]`); + help('Options:'); + help(' --batch= Batch size. Passed as-is to dash-licenses'); + help(' --configFile= Config file, to fine-tune dash-licenses options'); + help(' --debug Run this script in debug mode, printing-out more information'); + help(' --dryRun Run in dry run mode - do not create IP tickets'); + help(' --exclusions= File where exclusions are defined. Excluded 3PPs will be ignored,'); + help(' if reported by dash-licenses, and so will not cause this script to exit'); + help(' with an error status'); + help(' --help Display this help message and exit'); + help(' --inputFile= File where dependencies are defined. Passed as-is to dash-licenses'); + help(' e.g. a project\'s "yarn.lock" or "package-lock.json". Default: "yarn.lock"'); + help(' --noColor Disable color output'); + help(' --project= Eclipse Foundation short project name. e.g. "ecd.theia", "technology.dash"'); + help(' --review Use dash-license "review" mode, to automatically create IP tickets for'); + help(' dependencies whose license require more scrutiny'); + help(' --summary= Summary file, in which dash-licenses will save its findings'); + help(' --timeout= Timeout. Passed as-is to dash-licenses'); + help(''); + help('Examples:'); + help(' npx dash-licenses-wrapper --dry-run --configFile=configs/dashLicensesConfig.json'); + help(' npx dash-licenses-wrapper --inputFile=package-lock.json --summary=/tmp/license-check-summary.txt --review'); + help(' npx dash-licenses-wrapper --summary=license-check-summary.txt --review --project=ecd.theia'); + help(' npx dash-licenses-wrapper --summary=license-check-summary.txt --review --project=ecd.theia --exclusions=license-check-exclusions.json'); +} + +function getPrintableConfig(configObj) { + return JSON.stringify(configObj, regExpReplacer, 2); +} + +/** + * Figure-out the effective value to use for each parameter, taking into + * account the defaults, and, as needed, what was provided in a config file + * and/or the CLI. + */ +function resolveConfig() { + let configFile = dashLicensesConfigDefaults.configFile; + // Parse optional configuration provided from the CLI, skipping + // the first 2 entries that are not the arguments we are looking for + const configFromCLI = parseCLI(process.argv.slice(2)); + + // before resolving the config, check if a config file was provided + // on CLI that overrides defaults + if ("configFile" in configFromCLI) { + configFile = path.resolve(String(configFromCLI.configFile)); + } + + // optional configuration provided from a config file + const configFromFile = parseConfigFile(configFile); + + // Resolve configuration: In order of priority (highest to lowest): + // CLI, config file, defaults + Object.keys(dashLicensesConfigDefaults).map(k => { + const defaultValue = dashLicensesConfigDefaults[k]; + const configFileValue = configFromFile[k]; + const CLIValue = configFromCLI[k]; + + dashLicensesConfig[k] = (CLIValue || configFileValue || defaultValue); + }); + + // "no color" can also be configured in an environment variable: + // see: https://no-color.org/ + if (dashLicensesConfig.noColor || Boolean(process.env['NO_COLOR'])) { + noColor = true; + } + + if (dashLicensesConfig.help) { + printHelp() + process.exit(0); + } + + debug("Parsed config file: "); + debug(`(From file: ${configFile})`); + debug("-------------------------------------"); + debug(getPrintableConfig(configFromFile)); + debug("-------------------------------------\n"); + debug("Parsed CLI:"); + debug("-------------------------------------"); + debug(getPrintableConfig(configFromCLI)); + debug("-------------------------------------\n"); + info("Effective configuration: "); + info("-------------------------------------"); + info(getPrintableConfig(dashLicensesConfig)); + info("-------------------------------------\n"); +} + +/** + * If it exists, read config file and parse the parameters/values defined therein + * @param {string} file + * @returns {Object} config file parameters/values + */ +function parseConfigFile(file) { + const configFromFile = {}; + const dashLicensesConfigFile = path.resolve(file); + if (fs.existsSync(dashLicensesConfigFile)) { + const wsConfig = JSON.parse(fs.readFileSync(dashLicensesConfigFile, 'utf8')); + // prefer config file entries vs defaults + Object.keys(wsConfig).map(k => { + const value = wsConfig[k]; + // only consider known parameters + if (k in dashLicensesConfigDefaults) { + // exclude undefined values and also empty or white-space strings + if (value !== undefined && (typeof value != 'string' || value.trim() != "")) { + configFromFile[k] = wsConfig[k]; + } else { + warn(`(${path.basename(dashLicensesConfigFile)}) - config file entry "${k}" is undefined - ignoring it`); + } + } else { + warn(`Unknown config file entry: \"${k}\" - ignoring it"`); + } + }); + } else { + warn(`Config file not found: ${dashLicensesConfigFile} - ignoring it"`); + } + return configFromFile; +} + +/** + * Parse CLI arguments that are recognized as valid configuration parameters + * @param {*} CLIArgs + * @returns {Object} CLI config parameters/values + */ +function parseCLI(CLIArgs) { + const configFromCLI = {}; + let argParseIssue = false; + // Go through all CLI arguments + CLIArgs.forEach(CLIArg => { + // look for regexp match to parse this arg + const found = Object.values(wrapperCLIRegexps).find( rx => { + const RegexpResult = rx.exec(CLIArg); + if(RegexpResult) { + // parse arg - some have no "value" part + const [arg, val] = CLIArg.replace(rx, (_, group1, group2) => group2 ? `${group1} ${group2}` : group1).split(' '); + // Do not handle unsupported CLI args: + if (arg in dashUnsupportedCLI) { + warn(dashUnsupportedCLI[arg] + ": \n\t-> " + red(arg)); + } else { + configFromCLI[arg] = val || true; + } + // found matching regexp - find() should stop looking + return RegexpResult; + } + }) ? true : false; + if (!found) { + argParseIssue = true; + warn(`The following CLI argument was not parsed successfully: "${CLIArg}"`); + } + }); + + if (argParseIssue) { + warn(`Here are the supported CLI configurations and the Regular Expressions used to parse them:`); + warn(getPrintableConfig(wrapperCLIRegexps)); + } + + return configFromCLI; +} +/** + * @param {Iterable} entries + * @return {void} + */ +function logRestrictedDashSummaryEntries(entries) { + for (const { dependency: entry, license } of entries) { + console.log(red(`X ${entry}, ${license}`)); + } +} + +/** + * @param {string} summary path to the summary file. + * @returns {Promise} list of restricted dependencies. + */ +async function getRestrictedDependenciesFromSummary(summary) { + const restricted = []; + for await (const entry of readSummaryLines(summary)) { + if (entry.status.toLocaleLowerCase() === 'restricted') { + restricted.push(entry); + } + } + return restricted.sort( + (a, b) => a.dependency.localeCompare(b.dependency) + ); +} + +/** + * Read each entry from dash's summary file and collect each entry. + * This is essentially a cheap CSV parser. + * @param {string} summary path to the summary file. + * @returns {AsyncIterableIterator} reading completed. + */ +async function* readSummaryLines(summary) { + for await (const line of readline.createInterface(fs.createReadStream(summary))) { + const [dependency, license, status, source] = line.split(', '); + yield { dependency, license, status, source }; + } +} + +/** + * Handle both list and object format for the exclusions json file. + * @param {string} exclusions path to the exclusions json file. + * @returns {Map} map of dependencies to ignore if restricted, value is an optional data field. + */ +function readExclusions(exclusions) { + const json = JSON.parse(fs.readFileSync(exclusions, 'utf8')); + if (Array.isArray(json)) { + return new Map(json.map(element => [element, null])); + } else if (typeof json === 'object' && json !== null) { + return new Map(Object.entries(json)); + } + console.error(`ERROR: Invalid format for "${exclusions}"`); + process.exit(1); +} + +/** + * Spawn a process. Exits with code 1 on spawn error (e.g. file not found). + * @param {string} bin + * @param {(string | object)[]} args + * @param {import('child_process').SpawnSyncOptions} [opts] + * @returns {import('child_process').SpawnSyncReturns} + */ +function spawn(bin, args, opts = {}) { + opts = { stdio: 'inherit', ...opts }; + function abort(spawnError, spawnBin, spawnArgs) { + if (spawnBin && spawnArgs) { + error(`Command: ${prettyCommand({ bin: spawnBin, args: spawnArgs })}`); + } + error(spawnError.stack ?? spawnError.message); + process.exit(1); + } + /** @type {any} */ + let status; + try { + status = cp.spawnSync(bin, args, opts); + } catch (spawnError) { + abort(spawnError, bin, args); + } + // Add useful fields to the returned status object: + status.bin = bin; + status.args = args; + status.opts = opts; + // Abort on spawn error: + if (status.error) { + abort(status.error, status.bin, status.args); + } + return status; +} + +/** + * @param {import('child_process').SpawnSyncReturns} status + * @returns {string | undefined} Error message if the process errored, `undefined` otherwise. + */ +function getErrorFromStatus(status) { + if (typeof status.signal === 'string') { + return `Command ${prettyCommand(status)} exited with signal: ${status.signal}`; + } else if (status.status !== 0) { + if (status.status == dashLicensesInternalError) { + return `Command ${prettyCommand(status)} exit code (${status.status}) means dash-licenses has encountered an internal error`; + } + return `Command ${prettyCommand(status)} exited with code: ${status.status}`; + } +} + +/** + * @param {any} status + * @param {number} [indent] + * @returns {string} Pretty command with both bin and args as stringified JSON. + */ +function prettyCommand(status, indent = 2) { + return JSON.stringify([status.bin, ...status.args], undefined, indent); +} + +function info(text) { console.warn(cyan(`INFO: ${text}`)); } +function warn(text) { console.warn(yellow(`WARN: ${text}`)); } +function error(text) { console.error(red(`ERROR: ${text}`)); } +function debug(text) { if (dashLicensesConfig.debug) { console.warn(gray(`DEBUG: ${text}`)); } } +function help(text) { console.warn(green(`${text}`)); } + +function style(code, text) { return noColor ? text : `\x1b[${code}m${text}\x1b[0m`; } +function cyan(text) { return style(96, text); } +function magenta(text) { return style(95, text); } +function yellow(text) { return style(93, text); } +function red(text) { return style(91, text); } +function gray(text) { return style(90, text); } +function green(text) { return style(92, text); } + +/** + * @typedef {object} DashSummaryEntry + * @property {string} dependency + * @property {string} license + * @property {string} status + * @property {string} source + */