feat: print license violations

google · Mar 28, 2024 · 92cf5a2 · 92cf5a2
1 parent a63fea3
commit 92cf5a2
Show file tree

Hide file tree

Showing 3 changed files with 685 additions and 15 deletions.
diff --git a/internal/output/__snapshots__/vertical_test.snap b/internal/output/__snapshots__/vertical_test.snap
@@ -1,5 +1,148 @@
 
-[TestPrintVerticalResults/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1]
+[TestPrintVerticalResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_no_license_violations - 1]
+path/to/my/first/lockfile: found 1 package
+  no known vulnerabilities found
+  no license violations found
+path/to/my/second/lockfile: found 2 packages
+  no known vulnerabilities found
+  no license violations found
+path/to/my/third/lockfile: found 2 packages
+  no known vulnerabilities found
+  no license violations found
+
+---
+
+[TestPrintVerticalResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations - 1]
+path/to/my/first/lockfile: found 1 package
+  no known vulnerabilities found
+  mine1@1.2.3 is using an incompatible license: MIT
+
+  1 license violation found in path/to/my/first/lockfile
+path/to/my/second/lockfile: found 2 packages
+  no known vulnerabilities found
+  mine2@3.2.5 is using an incompatible license: Apache-2.0
+
+  1 license violation found in path/to/my/second/lockfile
+path/to/my/third/lockfile: found 2 packages
+  no known vulnerabilities found
+  mine1@1.2.3 is using an incompatible license: MIT
+
+  1 license violation found in path/to/my/third/lockfile
+
+---
+
+[TestPrintVerticalResults_WithLicenseViolations/multiple_sources_with_no_packages - 1]
+path/to/my/first/lockfile: found 0 packages
+  no known vulnerabilities found
+  no license violations found
+path/to/my/second/lockfile: found 0 packages
+  no known vulnerabilities found
+  no license violations found
+path/to/my/third/lockfile: found 0 packages
+  no known vulnerabilities found
+  no license violations found
+
+---
+
+[TestPrintVerticalResults_WithLicenseViolations/no_sources - 1]
+
+---
+
+[TestPrintVerticalResults_WithLicenseViolations/one_source_with_no_packages - 1]
+path/to/my/first/lockfile: found 0 packages
+  no known vulnerabilities found
+  no license violations found
+
+---
+
+[TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package,_no_license_violations - 1]
+path/to/my/first/lockfile: found 1 package
+  no known vulnerabilities found
+  no license violations found
+
+---
+
+[TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package_and_one_license_violation - 1]
+path/to/my/first/lockfile: found 1 package
+  no known vulnerabilities found
+  mine1@1.2.3 is using an incompatible license: MIT
+
+  1 license violation found in path/to/my/first/lockfile
+
+---
+
+[TestPrintVerticalResults_WithLicenseViolations/two_sources_with_packages,_one_license_violation - 1]
+path/to/my/first/lockfile: found 1 package
+  no known vulnerabilities found
+  mine1@1.2.3 is using an incompatible license: MIT
+
+  1 license violation found in path/to/my/first/lockfile
+path/to/my/second/lockfile: found 1 package
+  no known vulnerabilities found
+  no license violations found
+
+---
+
+[TestPrintVerticalResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1]
+path/to/my/first/lockfile: found 1 package
+
+  mine1@1.2.3 is affected by the following vulnerabilities:
+    OSV-1: Something scary! (https://osv.dev/OSV-1)
+
+  1 known vulnerability found in path/to/my/first/lockfile
+  mine1@1.2.3 is using an incompatible license: MIT
+
+  1 license violation found in path/to/my/first/lockfile
+path/to/my/second/lockfile: found 2 packages
+
+  mine2@3.2.5 is affected by the following vulnerabilities:
+    OSV-2: Something scary! (https://osv.dev/OSV-2)
+
+  1 known vulnerability found in path/to/my/second/lockfile
+  no license violations found
+path/to/my/third/lockfile: found 2 packages
+
+  mine1@1.2.3 is affected by the following vulnerabilities:
+    OSV-1: Something scary! (https://osv.dev/OSV-1)
+
+  1 known vulnerability found in path/to/my/third/lockfile
+  mine1@1.3.5 is using an incompatible license: MIT
+  mine1@1.2.3 is using an incompatible license: Apache-2.0
+
+  2 license violations found in path/to/my/third/lockfile
+
+---
+
+[TestPrintVerticalResults_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1]
+path/to/my/first/lockfile: found 1 package
+
+  mine1@1.2.3 is affected by the following vulnerabilities:
+    OSV-1: Something scary! (https://osv.dev/OSV-1)
+
+  1 known vulnerability found in path/to/my/first/lockfile
+  mine1@1.2.3 is using an incompatible license: MIT
+
+  1 license violation found in path/to/my/first/lockfile
+
+---
+
+[TestPrintVerticalResults_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1]
+path/to/my/first/lockfile: found 1 package
+
+  mine1@1.2.3 is affected by the following vulnerabilities:
+    OSV-1: Something scary! (https://osv.dev/OSV-1)
+
+  1 known vulnerability found in path/to/my/first/lockfile
+  no license violations found
+path/to/my/second/lockfile: found 1 package
+  no known vulnerabilities found
+  mine2@5.9.0 is using an incompatible license: MIT
+
+  1 license violation found in path/to/my/second/lockfile
+
+---
+
+[TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1]
 path/to/my/first/lockfile: found 2 packages
 
   mine1@1.2.3 is affected by the following vulnerabilities:
@@ -21,7 +164,7 @@ path/to/my/second/lockfile: found 2 packages
 
 ---
 
-[TestPrintVerticalResults/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1]
+[TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1]
 path/to/my/first/lockfile: found 1 package
   no known vulnerabilities found
 path/to/my/second/lockfile: found 2 packages
@@ -31,7 +174,7 @@ path/to/my/third/lockfile: found 2 packages
 
 ---
 
-[TestPrintVerticalResults/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1]
+[TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1]
 path/to/my/first/lockfile: found 1 package
 
   mine1@1.2.3 is affected by the following vulnerabilities:
@@ -53,7 +196,7 @@ path/to/my/third/lockfile: found 2 packages
 
 ---
 
-[TestPrintVerticalResults/multiple_sources_with_no_packages - 1]
+[TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_no_packages - 1]
 path/to/my/first/lockfile: found 0 packages
   no known vulnerabilities found
 path/to/my/second/lockfile: found 0 packages
@@ -63,23 +206,23 @@ path/to/my/third/lockfile: found 0 packages
 
 ---
 
-[TestPrintVerticalResults/no_sources - 1]
+[TestPrintVerticalResults_WithVulnerabilities/no_sources - 1]
 
 ---
 
-[TestPrintVerticalResults/one_source_with_no_packages - 1]
+[TestPrintVerticalResults_WithVulnerabilities/one_source_with_no_packages - 1]
 path/to/my/first/lockfile: found 0 packages
   no known vulnerabilities found
 
 ---
 
-[TestPrintVerticalResults/one_source_with_one_package,_no_vulnerabilities - 1]
+[TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1]
 path/to/my/first/lockfile: found 1 package
   no known vulnerabilities found
 
 ---
 
-[TestPrintVerticalResults/one_source_with_one_package_and_one_vulnerability - 1]
+[TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1]
 path/to/my/first/lockfile: found 1 package
 
   mine1@1.2.3 is affected by the following vulnerabilities:
@@ -89,7 +232,7 @@ path/to/my/first/lockfile: found 1 package
 
 ---
 
-[TestPrintVerticalResults/one_source_with_vulnerabilities,_some_missing_content - 1]
+[TestPrintVerticalResults_WithVulnerabilities/one_source_with_vulnerabilities,_some_missing_content - 1]
 path/to/my/first/lockfile: found 2 packages
 
   mine1@1.2.3 is affected by the following vulnerabilities:
@@ -101,7 +244,7 @@ path/to/my/first/lockfile: found 2 packages
 
 ---
 
-[TestPrintVerticalResults/two_sources_with_packages,_one_vulnerability - 1]
+[TestPrintVerticalResults_WithVulnerabilities/two_sources_with_packages,_one_vulnerability - 1]
 path/to/my/first/lockfile: found 1 package
 
   mine1@1.2.3 is affected by the following vulnerabilities:

diff --git a/internal/output/vertical.go b/internal/output/vertical.go
@@ -11,20 +11,23 @@ import (
 
 func PrintVerticalResults(vulnResult *models.VulnerabilityResults, outputWriter io.Writer) {
 	for _, result := range vulnResult.Results {
-		printVerticalResult(result, outputWriter)
+		printVerticalHeader(result, outputWriter)
+		printVerticalVulnerabilities(result, outputWriter)
+
+		if len(vulnResult.ExperimentalAnalysisConfig.Licenses.Allowlist) > 0 {
+			printVerticalLicenseViolations(result, outputWriter)
+		}
 	}
 }
 
-func printVerticalResult(result models.PackageSource, out io.Writer) {
+func printVerticalHeader(result models.PackageSource, out io.Writer) {
 	fmt.Fprintf(
 		out,
 		"%s: found %s %s\n",
 		color.MagentaString("%s", result.Source.Path),
 		color.YellowString("%d", len(result.Packages)),
 		Form(len(result.Packages), "package", "packages"),
 	)
-
-	printVerticalVulnerabilities(result, out)
 }
 
 func printVerticalVulnerabilities(result models.PackageSource, out io.Writer) {
@@ -72,6 +75,43 @@ func printVerticalVulnerabilities(result models.PackageSource, out io.Writer) {
 	)
 }
 
+func printVerticalLicenseViolations(result models.PackageSource, out io.Writer) {
+	count := countLicenseViolations(result)
+
+	if count == 0 {
+		fmt.Fprintf(
+			out,
+			"  %s\n",
+			color.GreenString("no license violations found"),
+		)
+
+		return
+	}
+
+	for _, pkg := range result.Packages {
+		if len(pkg.LicenseViolations) == 0 {
+			continue
+		}
+
+		fmt.Fprintf(out,
+			"  %s %s %s\n",
+			color.YellowString("%s@%s", pkg.Package.Name, pkg.Package.Version),
+			color.RedString("is using an incompatible license:"),
+			// todo: handle multiple licenses
+			color.CyanString(string(pkg.LicenseViolations[0])),
+		)
+	}
+
+	fmt.Fprintf(out, "\n  %s\n",
+		color.RedString(
+			"%d license %s found in %s",
+			count,
+			Form(count, "violation", "violations"),
+			result.Source.Path,
+		),
+	)
+}
+
 func countVulnerabilities(result models.PackageSource) int {
 	count := 0
 
@@ -82,6 +122,16 @@ func countVulnerabilities(result models.PackageSource) int {
 	return count
 }
 
+func countLicenseViolations(result models.PackageSource) int {
+	count := 0
+
+	for _, pkg := range result.Packages {
+		count += len(pkg.LicenseViolations)
+	}
+
+	return count
+}
+
 // truncate ensures that the given string is shorter than the provided limit.
 //
 // If the string is longer than the limit, it's trimmed and suffixed with an ellipsis.