Class: LogStash::DependencyReport
- Inherits:
-
Clamp::Command
- Object
- Clamp::Command
- LogStash::DependencyReport
- Defined in:
- lib/logstash/dependency_report.rb
Defined Under Namespace
Modules: SPDX
Instance Method Summary collapse
Instance Method Details
#execute ⇒ Object
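# File 'lib/logstash/dependency_report.rb', line 15
# Writes the dependency license report to +output_path+ as CSV.
#
# The file is created (or truncated) with a header row, then one row is written
# for every entry returned by #gems followed by every entry returned by #jars.
# Finally the contents of the hand-maintained COPYING.csv are appended as-is.
#
# @return [nil]
def execute
  require "csv"

  columns = ["name", "version", "url", "license"]

  # NOTE(review): the rows hold metadata taken from installed gemspecs and jar
  # manifests, i.e. text supplied by third-party packages. If this report is
  # opened in a spreadsheet, consider neutralising cells that begin with
  # "=", "+", "-" or "@" before writing them — confirm how the file is consumed.
  CSV.open(output_path, "wb", :headers => columns, :write_headers => true) do |csv|
    puts "Finding gem dependencies"
    gems.each { |row| csv << row }
    puts "Finding java/jar dependencies"
    jars.each { |row| csv << row }
  end

  # Copy in COPYING.csv which is a best-effort, hand-maintained file of dependency license information.
  extra = File.join(File.dirname(__FILE__), "..", "..", "..", "COPYING.csv")
  File.open(output_path, "a+") do |file|
    # File.read always treats its argument as a file path; IO.read can interpret a
    # specially prefixed argument as a command on some Ruby versions, so File.read
    # is the safer habit even though this path is built from fixed components.
    file.write(File.read(extra))
  end

  nil
end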
#gems ⇒ Object
# File 'lib/logstash/dependency_report.rb', line 32
# Builds one report row per installed gem, leaving out gems whose name matches
# the logstash- prefix pattern.
#
# @return [Array<Array>] rows of [name, version, homepage, licenses]. The licenses
#   field is "UNKNOWN" when the gemspec declares no license, otherwise the
#   SPDX.map result for each declared license joined with "|".
def gems
  # @mgreau requested `logstash-*` dependencies be removed from this list:
  # https://github.com/elastic/logstash/pull/8837#issuecomment-351859433
  reportable = Gem::Specification.reject { |spec| spec.name =~ /^logstash-/ }

  reportable.map do |spec|
    declared = spec.licenses
    license_field = declared.empty? ? "UNKNOWN" : declared.map { |l| SPDX.map(l) }.join("|")
    [spec.name, spec.version.to_s, spec.homepage, license_field]
  end
end
#jars ⇒ Object
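# File 'lib/logstash/dependency_report.rb', line 41
# Builds one report row per jar file shipped inside gems that declare a
# "jar ..." requirement.
#
# Every *.jar under such a gem's install path is opened and its main manifest
# attributes are read. When the jar has exactly one META-INF/maven/**/pom.properties
# entry, the groupId/artifactId from it are preferred over the manifest values.
# Jars without a manifest, or missing any of the manifest fields fetched below,
# are skipped.
#
# Each JarFile (and the pom.properties stream) is closed once it has been read,
# so scanning many jars does not accumulate open file handles.
#
# @return [Array<Array>] unique, sorted rows of
#   ["group:artifact", Bundle-Version, Bundle-DocURL, SPDX.map(Bundle-License)]
def jars
  rows = []

  # For any gems with jar dependencies,
  # Look at META-INF/MANIFEST.MF for any jars in each gem
  # Note any important details.
  jar_gems = Gem::Specification.select { |g| g.requirements && g.requirements.any? { |r| r =~ /^jar / } }

  jar_gems.each do |gem|
    # Where is the gem installed
    root = gem.full_gem_path

    Dir.glob(File.join(root, "**", "*.jar")).each do |path|
      jar = java.util.jar.JarFile.new(path)
      begin
        manifest = jar.getManifest

        pom_entries = jar.entries.select { |t| t.getName.start_with?("META-INF/maven/") && t.getName.end_with?("/pom.properties") }

        # Some jar files have multiple maven pom.properties files. It is unclear how to know what is correct?
        # TODO(sissel): Maybe we should use all pom.properties files? None of the pom.properties/pom.xml files have license information, though.
        # TODO(sissel): In some cases, there are META-INF/COPYING and
        #   META-INF/NOTICE.txt files? Can we use these somehow? There is no
        #   common syntax for parsing these files, though...
        pom_map = if pom_entries.count == 1
          pom_in = jar.getInputStream(pom_entries.first)
          begin
            # Read until end-of-stream (-1) instead of trusting available(),
            # which is only an estimate of the bytes that can be read.
            bytes = []
            while (byte = pom_in.read) != -1
              bytes << byte
            end
            pom_content = bytes.pack("C*")
          ensure
            pom_in.close
          end

          # Split non-comment lines by `key=val` into a map { key => val }.
          # Lines without "=" yield a single element and are dropped, so a
          # malformed line in a third-party jar cannot break Hash construction.
          pairs = pom_content.split(/\r?\n/).grep(/^[^#]/).map { |line| line.split("=", 2) }
          Hash[pairs.select { |pair| pair.size == 2 }]
        else
          {}
        end

        next if manifest.nil?

        # convert manifest attributes to a map w/ keys .to_s
        # without this, the attribute keys will be `Object#inspect` values
        # like #<Java::JavaUtilJar::Attributes::Name0xabcdef0>
        attributes = Hash[manifest.getMainAttributes.map { |k, v| [k.to_s, v] }]

        begin
          # Prefer the maven/pom groupId when it is available.
          artifact = pom_map.fetch("artifactId", attributes.fetch("Implementation-Title"))
          group = pom_map.fetch("groupId", attributes.fetch("Implementation-Vendor-Id"))
          rows << [
            group + ":" + artifact,
            attributes.fetch("Bundle-Version"),
            attributes.fetch("Bundle-DocURL"),
            SPDX.map(attributes.fetch("Bundle-License")),
          ]
        rescue KeyError
          # The jar is missing a required manifest field, it may not have any useful manifest data.
          # Ignore it and move on.
        end
      ensure
        # Runs on the `next` above as well, so every opened jar is released.
        jar.close
      end
    end
  end

  rows.uniq.sort
end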