feat: add npm audit licenses

lib/audit.js

@@ -1,5 +1,7 @@
 const Arborist = require('@npmcli/arborist')
 const auditReport = require('npm-audit-report')
+const rpj = require('read-package-json-fast')
+const licensee = require('licensee')
 const reifyFinish = require('./utils/reify-finish.js')
 const auditError = require('./utils/audit-error.js')
 const ArboristWorkspaceCmd = require('./workspaces/arborist-cmd.js')
@@ -48,10 +50,18 @@ class Audit extends ArboristWorkspaceCmd {
   }
 
   exec (args, cb) {
-    this.audit(args).then(() => cb()).catch(cb)
+    const auditType = this.npm.config.get('audit-type')
+    if (auditType === 'license') {
+      this.auditLicenses(args).then(() => cb()).catch(cb)
+    } if (auditType === 'advisories') {
+      this.auditAdvisories(args).then(() => cb()).catch(cb)
+    } else {
+      // we should probably collect the JSON from auditAdvisories and auditLicenses and merge them into a single object/output?
+      this.auditAdvisories(args).then(() => cb()).catch(cb)
+    }
   }
 
-  async audit (args) {
+  async auditAdvisories (args) {
     const reporter = this.npm.config.get('json') ? 'json' : 'detail'
     const opts = {
       ...this.npm.flatOptions,
@@ -74,6 +84,80 @@ class Audit extends ArboristWorkspaceCmd {
       this.npm.output(result.report)
     }
   }
+
+  async auditLicenses (args) {
+    const reporter = this.npm.config.get('json') ? 'json' : 'detail'
+    const packagejson = await rpj(`${this.npm.prefix}/package.json`)
+
+    if (!packagejson.audit) throw new Error("No audit property specified in package.json")
+    if (!packagejson.audit.licenses) throw new Error("No license specified in the audit property in package.json")
+    if (Object.keys(packagejson.audit.licenses).length === 0) throw new Error("license property in package.json cannot be empty.")
+
+    const config = await buildLicenseConfig(packagejson)
+
+    await new Promise((resolve, reject) => {
+      const licensesPath = this.npm.prefix
+      licensee(config, licensesPath, (error, dependencies) => {
+        if (error) reject(error)
+        if (reporter === "detail") {
+          // figure out pretty printing of license data
+        }
+        if (reporter === "json") {
+          this.jsonStringifyOutput(dependencies)
+        }
+        resolve()
+      })
+    })
+  }
+
+  jsonStringifyOutput (dependencies) {
+    const loggableProperties = [
+      'name',
+      'version',
+      'approved',
+      'license',
+      'corrected',
+      'repository',
+      'homepage',
+      'author',
+      'contributors'
+    ]
+
+    const out = {}
+    for (const dep of dependencies) {
+      out[dep.name] = {}
+      for (const prop of loggableProperties) {
+        out[dep.name][prop] = dep[prop]
+      }
+    }
+    this.npm.output(JSON.stringify(out, null, 2))
+  }
+}
+
+async function buildLicenseConfig (packagejson) {
+  const licenses = packagejson.audit.licenses
+  const licenseConfig = {}
+
+  if (licenses.identifiers) {
+    licenseConfig.licenses = {}
+    licenseConfig.licenses.spdx = licenses.identifiers
+  }
+
+  if (licenses.packages) {
+    licenseConfig.packages = licenses.packages
+  }
+
+  if (licenses.corrections === "false") { // prioritize users choice
+    licenseConfig.corrections = "false"
+  } else { // default to true for DX
+    licenseConfig.corrections = "true"
+  }
+
+  if (licenses.ignore) {
+    licenseConfig.ignore = licenses.ignore
+  }
+
+  return licenseConfig
 }
 
 module.exports = Audit

package.json

@@ -88,6 +88,7 @@
     "libnpmsearch": "^3.1.1",
     "libnpmteam": "^2.0.3",
     "libnpmversion": "^1.2.1",
+    "licensee": "^8.2.0",
     "make-fetch-happen": "^9.1.0",
     "minipass": "^3.1.3",
     "minipass-pipeline": "^1.2.4",
@@ -235,5 +236,20 @@
   "license": "Artistic-2.0",
   "engines": {
     "node": ">=10"
+  },
+  "audit": {  
+    "licenses": {
+      "identifiers": [
+        "MIT",
+        "ISC",
+        "CC0-1.0",
+        "Artistic-2.0",
+        "BSD-3-Clause",
+        "Apache-2.0",
+        "BSD-2-Clause",
+        "CC-BY-3.0",
+        "CC-BY-4.0"
+      ]
+    }
   }
 }

test/lib/audit.js

@@ -168,6 +168,54 @@ t.test('report endpoint error', t => {
   t.end()
 })
 
+t.test('licenses', t => {
+  const Audit = require('../../lib/audit.js')
+  t.test('run audit with license type and output json', t => {
+    const prefix = t.testdir({
+      node_modules: {
+        a: {
+          'package.json': JSON.stringify({
+            name: 'a',
+            version: '1.0.0',
+            license: 'MIT',
+          }),
+        },
+        b: {
+          'package.json': JSON.stringify({
+            name: 'b',
+            version: '1.0.0',
+            license: 'ISC',
+          }),
+        },
+      },
+    })
+
+    const OUTPUT = []
+    const npm = mockNpm({
+      prefix: prefix,
+      command: 'audit',
+      config: {
+       "audit-type": "license",
+        json: true
+      },
+      output: (...msg) => {
+        OUTPUT.push(msg)
+      },
+    })
+
+    const audit = new Audit(npm)
+
+    audit.exec([], () => {
+      t.strictSame(JSON.parse(OUTPUT), {
+        a: { name: 'a', version: '1.0.0', approved: true, license: 'MIT' },
+        b: { name: 'b', version: '1.0.0', approved: false, license: 'ISC' }
+      })
+      t.end()
+    })
+  })
+  t.end()
+})
+
 t.test('completion', t => {
   const Audit = require('../../lib/audit.js')
   const audit = new Audit({})