Fix non-conforming licenses on devDependencies and add the ability to whitelisting devOnly licenses (#23859)

* chore(19834): upgraded yargs dependency to 4.8.1 in order to remove pkg-conf dependency license conflict. * chore(19834): override xmldom to one of the allowed licenses (MIT). * chore(19834): added some overrides and whitelistenig for Apache2. * chore(19834): correct overides for some apache2 licenses. * chore(NA): updated specific dependency needs. * chore(19834): added some more info on updated licenses. * chore(19834): small note on dependencies use versions. * feat(NA): add the ability to white list licenses only valid for dev only dependencies. * chore(NA): update yarn lock files to include integrity check. * fix(NA): yarn lock file for kbn ui framework. * docs(NA): fix uncompleted comment left on the code.
2018-11-09 02:11:17 +00:00 · 2018-11-09 02:11:17 +00:00 · dc956a0a79
parent 830c195b0d
commit dc956a0a79
15 changed files with 801 additions and 345 deletions
--- a/packages/kbn-pm/package.json
+++ b/packages/kbn-pm/package.json
@ -57,7 +57,7 @@
    "spawn-sync": "^1.0.15",
    "string-replace-loader": "^1.3.0",
    "strip-ansi": "^4.0.0",
-    "strong-log-transformer": "^1.0.6",
+    "strong-log-transformer": "^2.0.0",
    "tempy": "^0.2.1",
    "ts-loader": "^3.5.0",
    "typescript": "^3.0.3",
--- a/packages/kbn-pm/yarn.lock
+++ b/packages/kbn-pm/yarn.lock
@ -2938,11 +2938,6 @@ minimist@0.0.8:
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-0.0.8.tgz#857fcabfc3397d2625b8228262e86aa7a011b05d"
  integrity sha1-hX/Kv8M5fSYluCKCYuhqp6ARsF0=

-minimist@^0.1.0:
-  version "0.1.0"
-  resolved "https://registry.yarnpkg.com/minimist/-/minimist-0.1.0.tgz#99df657a52574c21c9057497df742790b2b4c0de"
-  integrity sha1-md9lelJXTCHJBXSX33QnkLK0wN4=
-
 minimist@^1.2.0:
  version "1.2.0"
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.0.tgz#a35008b20f41383eec1fb914f4cd5df79a264284"
@ -2963,11 +2958,6 @@ mixin-deep@^1.2.0:
  dependencies:
    minimist "0.0.8"

-moment@^2.6.0:
-  version "2.20.1"
-  resolved "https://registry.yarnpkg.com/moment/-/moment-2.20.1.tgz#d6eb1a46cbcc14a2b2f9434112c1ff8907f313fd"
-  integrity sha512-Yh9y73JRljxW5QxN08Fner68eFLxM5ynNOAw2LbIB1YAGeQzZT8QFSUvkAz609Zf+IHhhaUxqZK8dG3W/+HEvg==
-
 ms@2.0.0:
  version "2.0.0"
  resolved "https://registry.yarnpkg.com/ms/-/ms-2.0.0.tgz#5608aeadfc00be6c2901df5f9861788de0d597c8"
@ -4000,15 +3990,14 @@ strip-json-comments@~2.0.1:
  resolved "https://registry.yarnpkg.com/strip-json-comments/-/strip-json-comments-2.0.1.tgz#3c531942e908c2697c0ec344858c286c7ca0a60a"
  integrity sha1-PFMZQukIwml8DsNEhYwobHygpgo=

-strong-log-transformer@^1.0.6:
-  version "1.0.6"
-  resolved "https://registry.yarnpkg.com/strong-log-transformer/-/strong-log-transformer-1.0.6.tgz#f7fb93758a69a571140181277eea0c2eb1301fa3"
-  integrity sha1-9/uTdYpppXEUAYEnfuoMLrEwH6M=
+strong-log-transformer@^2.0.0:
+  version "2.0.0"
+  resolved "https://registry.yarnpkg.com/strong-log-transformer/-/strong-log-transformer-2.0.0.tgz#fa6d8e0a9e62b3c168c3cad5ae5d00dc97ba26cc"
+  integrity sha512-FQmNqAXJgOX8ygOcvPLlGWBNT41mvNJ9ALoYf0GTwVt9t30mGTqpmp/oJx5gLcu52DXK10kS7dVWhx8aPXDTlg==
  dependencies:
    byline "^5.0.0"
    duplexer "^0.1.1"
-    minimist "^0.1.0"
-    moment "^2.6.0"
+    minimist "^1.2.0"
    through "^2.3.4"

 supports-color@^2.0.0:
--- a/packages/kbn-ui-framework/package.json
+++ b/packages/kbn-ui-framework/package.json
@ -70,6 +70,6 @@
    "webpack": "3.6.0",
    "webpack-dev-server": "2.9.1",
    "yeoman-generator": "1.1.1",
-    "yo": "2.0.0"
+    "yo": "2.0.3"
  }
 }
--- a/packages/kbn-ui-framework/yarn.lock
+++ b/packages/kbn-ui-framework/yarn.lock
--- a/src/dev/license_checker/config.js
+++ b/src/dev/license_checker/config.js
@ -17,6 +17,8 @@
 * under the License.
 */

+// The following list applies to packages both
+// used as dependencies or dev dependencies
 export const LICENSE_WHITELIST = [
  'Elastic-License',
  '(BSD-2-Clause OR MIT OR Apache-2.0)',
@ -42,12 +44,14 @@ export const LICENSE_WHITELIST = [
  'BSD-3-Clause AND MIT',
  'BSD-3-Clause OR MIT',
  'BSD-3-Clause',
+  '(BSD-3-Clause OR GPL-2.0)',
  'BSD-like',
  'CC0-1.0',
  'CC-BY',
  'CC-BY-3.0',
  'CC-BY-4.0',
  'ISC',
+  'ISC*',
  'MIT OR GPL-2.0',
  'MIT',
  'MIT*',
@ -60,6 +64,13 @@ export const LICENSE_WHITELIST = [
  'WTFPL',
 ];

+// The following list only applies to licenses that
+// we wanna allow in packages only used as dev dependencies
+export const DEV_ONLY_LICENSE_WHITELIST = [
+  'MPL-2.0'
+];
+
+// Globally overrides a license for a given package@version
 export const LICENSE_OVERRIDES = {
  'scriptjs@2.5.8': ['MIT'], // license header appended in the dist
  'react-lib-adler32@1.0.1': ['BSD'], // adler32 extracted from react source
@ -72,7 +83,23 @@ export const LICENSE_OVERRIDES = {

  // TODO can be removed once we upgrade past map-stream@0.5.0
  'map-stream@0.1.0': ['MIT'],
+
  'uglify-js@2.2.5': ['BSD'],
  'png-js@0.1.1': ['MIT'],
  'sha.js@2.4.11': ['BSD-3-Clause AND MIT'],
+
+  // TODO can be removed if the ISSUE#239 is accepted on the source
+  'xmldom@0.1.19': ['MIT'],
+
+  // TODO can be removed if the PR#9 is accepted on the source
+  'pause-stream@0.0.11': ['MIT'],
+
+  // TODO can be removed once we upgrade past or equal pdf-image@2.0.1
+  'pdf-image@1.1.0': ['MIT'],
+
+  // TODO can be removed once we upgrade the use of walk dependency past or equal to v2.3.14
+  'walk@2.3.9': ['MIT'],
+
+  // TODO remove this once we upgrade past or equal to v1.0.2
+  'babel-plugin-mock-imports@0.0.5': ['MIT']
 };
--- a/src/dev/license_checker/index.js
+++ b/src/dev/license_checker/index.js
@ -17,5 +17,5 @@
 * under the License.
 */

-export { LICENSE_WHITELIST, LICENSE_OVERRIDES } from './config';
+export { LICENSE_WHITELIST, DEV_ONLY_LICENSE_WHITELIST, LICENSE_OVERRIDES } from './config';
 export { assertLicensesValid } from './valid';
--- a/src/dev/npm/tests/fixtures/fixture1/node_modules/dep2/index.js
+++ b/src/dev/npm/tests/fixtures/fixture1/node_modules/dep2/index.js
@ -0,0 +1 @@
+console.log('I am dep 2');
--- a/src/dev/npm/tests/fixtures/fixture1/node_modules/dep2/package.json
+++ b/src/dev/npm/tests/fixtures/fixture1/node_modules/dep2/package.json
@ -0,0 +1,9 @@
+{
+  "name": "dep2",
+  "version": "0.0.2",
+  "license": "Apache-2.0",
+  "repository": {
+    "type": "git",
+    "url": "http://github.com/mycorp/dep2.git"
+  }
+}
--- a/src/dev/npm/tests/fixtures/fixture1/package.json
+++ b/src/dev/npm/tests/fixtures/fixture1/package.json
@ -5,5 +5,8 @@
  "dependencies": {
    "dep1": "0.0.2",
    "privatedep": "0.0.2"
+  },
+  "devDependencies": {
+    "dep2": "0.0.2"
  }
 }
--- a/src/dev/npm/tests/installed_packages.js
+++ b/src/dev/npm/tests/installed_packages.js
@ -39,7 +39,8 @@ describe('src/dev/npm/installed_packages', () => {
          directory: KIBANA_ROOT
        }),
        getInstalledPackages({
-          directory: FIXTURE1_ROOT
+          directory: FIXTURE1_ROOT,
+          dev: true
        }),
      ]);
    });
@ -62,6 +63,7 @@ describe('src/dev/npm/installed_packages', () => {
          repository: 'https://github.com/mycorp/dep1',
          directory: resolve(FIXTURE1_ROOT, 'node_modules/dep1'),
          relative: ['node_modules', 'dep1'].join(sep),
+          isDevOnly: false,
        },
        {
          name: 'privatedep',
@ -69,7 +71,17 @@ describe('src/dev/npm/installed_packages', () => {
          repository: 'https://github.com/mycorp/privatedep',
          licenses: [ 'Apache-2.0' ],
          directory: resolve(FIXTURE1_ROOT, 'node_modules/privatedep'),
-          relative: ['node_modules', 'privatedep'].join(sep)
+          relative: ['node_modules', 'privatedep'].join(sep),
+          isDevOnly: false,
+        },
+        {
+          name: 'dep2',
+          version: '0.0.2',
+          licenses: [ 'Apache-2.0' ],
+          repository: 'https://github.com/mycorp/dep2',
+          directory: resolve(FIXTURE1_ROOT, 'node_modules/dep2'),
+          relative: ['node_modules', 'dep2'].join(sep),
+          isDevOnly: true,
        }
      ]);
    });
--- a/src/dev/npm/installed_packages.js
+++ b/src/dev/npm/installed_packages.js
@ -78,7 +78,7 @@ export async function getInstalledPackages(options = {}) {
  return Object
    .keys(licenseInfo)
    .map(key => {
-      const { realPath, repository } = licenseInfo[key];
+      const { realPath, repository, isDevOnly } = licenseInfo[key];
      if (realPath === directory) return;

      const keyParts = key.split('@');
@ -93,7 +93,8 @@ export async function getInstalledPackages(options = {}) {
        repository,
        licenses,
        directory: realPath,
-        relative: relative(directory, realPath)
+        relative: relative(directory, realPath),
+        isDevOnly
      };
    })
    .filter(Boolean);
--- a/src/dev/npm/license_checker.js
+++ b/src/dev/npm/license_checker.js
@ -19,19 +19,11 @@

 import licenseChecker from 'license-checker';

-export function callLicenseChecker(options = {}) {
-  const {
-    directory,
-    dev = false
-  } = options;
-
-  if (!directory) {
-    throw new Error('You must specify the directory where license checker should start');
-  }
-
+async function runLicenseChecker(directory, dev) {
  return new Promise((resolve, reject) => {
    licenseChecker.init({
      start: directory,
+      development: dev,
      production: !dev,
      json: true,
      customFormat: {
@ -41,7 +33,49 @@ export function callLicenseChecker(options = {}) {
      }
    }, (err, licenseInfo) => {
      if (err) reject(err);
-      else resolve(licenseInfo);
+      else {
+        resolve(
+          // Extend original licenseInfo object with a new attribute
+          // stating whether a license was found in a package used
+          // only as a dev dependency or not
+          Object.keys(licenseInfo).reduce(function (result, key) {
+            result[key] = Object.assign(licenseInfo[key], { isDevOnly: dev });
+            return result;
+          }, {})
+        );
+      }
    });
  });
 }
+
+export async function callLicenseChecker(options = {}) {
+  const {
+    directory,
+    dev = false
+  } = options;
+
+  if (!directory) {
+    throw new Error('You must specify the directory where license checker should start');
+  }
+
+  return new Promise(async (resolve, reject) => {
+    try {
+      // Run license checker for prod only packages
+      const prodOnlyLicenses = await runLicenseChecker(directory, false);
+
+      if (!dev) {
+        resolve(prodOnlyLicenses);
+        return;
+      }
+
+      // In case we have the dev option
+      // also run the license checker for the
+      // dev only packages and build a final object
+      // merging the previous results too
+      const devOnlyLicenses = await runLicenseChecker(directory, true);
+      resolve(Object.assign(prodOnlyLicenses, devOnlyLicenses));
+    } catch (e) {
+      reject(e);
+    }
+  });
+}
--- a/tasks/licenses.js
+++ b/tasks/licenses.js
@ -21,6 +21,7 @@ import { getInstalledPackages } from '../src/dev/npm';
 import {
  assertLicensesValid,
  LICENSE_WHITELIST,
+  DEV_ONLY_LICENSE_WHITELIST,
  LICENSE_OVERRIDES,
 } from '../src/dev/license_checker';

@ -31,14 +32,33 @@ export default function licenses(grunt) {
    try {
      const dev = Boolean(grunt.option('dev'));

+      // Get full packages list according dev flag
+      const packages = await getInstalledPackages({
+        directory: grunt.config.get('root'),
+        licenseOverrides: LICENSE_OVERRIDES,
+        dev
+      });
+      // Filter the packages only used in production
+      const prodPackages = packages.filter(pkg => !pkg.isDevOnly);
+
+      // Assert if the found licenses in the production
+      // packages are valid
      assertLicensesValid({
-        packages: await getInstalledPackages({
-          directory: grunt.config.get('root'),
-          licenseOverrides: LICENSE_OVERRIDES,
-          dev
-        }),
+        packages: prodPackages,
        validLicenses: LICENSE_WHITELIST
      });
+
+      // Do the same as above for the packages only used in development
+      // if the dev flag is found
+      if (dev) {
+        const devPackages = packages.filter(pkg => pkg.isDevOnly);
+
+        assertLicensesValid({
+          packages: devPackages,
+          validLicenses: LICENSE_WHITELIST.concat(DEV_ONLY_LICENSE_WHITELIST)
+        });
+      }
+
      done();
    } catch (err) {
      grunt.fail.fatal(err);
--- a/x-pack/package.json
+++ b/x-pack/package.json
@ -115,7 +115,7 @@
    "vinyl-fs": "^3.0.2",
    "xml-crypto": "^0.10.1",
    "xml2js": "^0.4.19",
-    "yargs": "4.7.1"
+    "yargs": "4.8.1"
  },
  "dependencies": {
    "@elastic/datemath": "^4.0.2",
--- a/x-pack/yarn.lock
+++ b/x-pack/yarn.lock
@ -6868,7 +6868,7 @@ linkify-it@^2.0.0:
  dependencies:
    uc.micro "^1.0.1"

-load-json-file@^1.0.0, load-json-file@^1.1.0:
+load-json-file@^1.0.0:
  version "1.1.0"
  resolved "https://registry.yarnpkg.com/load-json-file/-/load-json-file-1.1.0.tgz#956905708d58b4bab4c2261b04f59f31c99374c0"
  integrity sha1-lWkFcI1YtLq0wiYbBPWfMcmTdMA=
@ -8718,16 +8718,6 @@ pixelmatch@4.0.2:
  dependencies:
    pngjs "^3.0.0"

-pkg-conf@^1.1.2:
-  version "1.1.3"
-  resolved "https://registry.yarnpkg.com/pkg-conf/-/pkg-conf-1.1.3.tgz#378e56d6fd13e88bfb6f4a25df7a83faabddba5b"
-  integrity sha1-N45W1v0T6Iv7b0ol33qD+qvduls=
-  dependencies:
-    find-up "^1.0.0"
-    load-json-file "^1.1.0"
-    object-assign "^4.0.1"
-    symbol "^0.2.1"
-
 pkg-dir@^2.0.0:
  version "2.0.0"
  resolved "https://registry.yarnpkg.com/pkg-dir/-/pkg-dir-2.0.0.tgz#f6d5d1109e19d63edf428e0bd57e12777615334b"
@ -10277,11 +10267,6 @@ serialize-javascript@^1.4.0:
  resolved "https://registry.yarnpkg.com/serialize-javascript/-/serialize-javascript-1.5.0.tgz#1aa336162c88a890ddad5384baebc93a655161fe"
  integrity sha512-Ga8c8NjAAp46Br4+0oZ2WxJCwIzwP60Gq1YPgU+39PiTVxyed/iKE/zyZI6+UlVYH5Q4PaQdHhcegIFPZTUfoQ==

-set-blocking@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/set-blocking/-/set-blocking-1.0.0.tgz#cd5e5d938048df1ac92dfe92e1f16add656f5ec5"
-  integrity sha1-zV5dk4BI3xrJLf6S4fFq3WVvXsU=
-
 set-blocking@^2.0.0, set-blocking@~2.0.0:
  version "2.0.0"
  resolved "https://registry.yarnpkg.com/set-blocking/-/set-blocking-2.0.0.tgz#045f9782d011ae9a6803ddd382b24392b3d890f7"
@ -10989,11 +10974,6 @@ symbol-tree@^3.2.1, symbol-tree@^3.2.2:
  resolved "https://registry.yarnpkg.com/symbol-tree/-/symbol-tree-3.2.2.tgz#ae27db38f660a7ae2e1c3b7d1bc290819b8519e6"
  integrity sha1-rifbOPZgp64uHDt9G8KQgZuFGeY=

-symbol@^0.2.1:
-  version "0.2.3"
-  resolved "https://registry.yarnpkg.com/symbol/-/symbol-0.2.3.tgz#3b9873b8a901e47c6efe21526a3ac372ef28bbc7"
-  integrity sha1-O5hzuKkB5Hxu/iFSajrDcu8ou8c=
-
 tabbable@1.1.0:
  version "1.1.0"
  resolved "https://registry.yarnpkg.com/tabbable/-/tabbable-1.1.0.tgz#2c9a9c9f09db5bb0659f587d532548dd6ef2067b"
@ -12124,7 +12104,7 @@ yallist@^2.1.2:
  resolved "https://registry.yarnpkg.com/yallist/-/yallist-2.1.2.tgz#1c11f9218f076089a47dd512f93c6699a6a81d52"
  integrity sha1-HBH5IY8HYImkfdUS+TxmmaaoHVI=

-yargs-parser@^2.4.0:
+yargs-parser@^2.4.1:
  version "2.4.1"
  resolved "https://registry.yarnpkg.com/yargs-parser/-/yargs-parser-2.4.1.tgz#85568de3cf150ff49fa51825f03a8c880ddcc5c4"
  integrity sha1-hVaN488VD/SfpRgl8DqMiA3cxcQ=
@ -12146,24 +12126,25 @@ yargs-parser@^9.0.2:
  dependencies:
    camelcase "^4.1.0"

-yargs@4.7.1:
-  version "4.7.1"
-  resolved "https://registry.yarnpkg.com/yargs/-/yargs-4.7.1.tgz#e60432658a3387ff269c028eacde4a512e438dff"
-  integrity sha1-5gQyZYozh/8mnAKOrN5KUS5Djf8=
+yargs@4.8.1:
+  version "4.8.1"
+  resolved "https://registry.yarnpkg.com/yargs/-/yargs-4.8.1.tgz#c0c42924ca4aaa6b0e6da1739dfb216439f9ddc0"
+  integrity sha1-wMQpJMpKqmsObaFznfshZDn53cA=
  dependencies:
-    camelcase "^3.0.0"
    cliui "^3.2.0"
    decamelize "^1.1.1"
+    get-caller-file "^1.0.1"
    lodash.assign "^4.0.3"
    os-locale "^1.4.0"
-    pkg-conf "^1.1.2"
    read-pkg-up "^1.0.1"
+    require-directory "^2.1.1"
    require-main-filename "^1.0.1"
-    set-blocking "^1.0.0"
+    set-blocking "^2.0.0"
    string-width "^1.0.1"
+    which-module "^1.0.0"
    window-size "^0.2.0"
    y18n "^3.2.1"
-    yargs-parser "^2.4.0"
+    yargs-parser "^2.4.1"

 yargs@^11.0.0:
  version "11.1.0"