Fix non-conforming licenses on devDependencies and add the ability to whitelisting devOnly licenses (#23859)

* chore(19834): upgraded yargs dependency to 4.8.1 in order to remove pkg-conf dependency license conflict.

* chore(19834): override xmldom to one of the allowed licenses (MIT).

* chore(19834): added some overrides and whitelistenig for Apache2.

* chore(19834): correct overides for some apache2 licenses.

* chore(NA): updated specific dependency needs.

* chore(19834): added some more info on updated licenses.

* chore(19834): small note on dependencies use versions.

* feat(NA): add the ability to white list licenses only valid for dev only dependencies.

* chore(NA): update yarn lock files to include integrity check.

* fix(NA): yarn lock file for kbn ui framework.

* docs(NA): fix uncompleted comment left on the code.

packages/kbn-pm/package.json

@@ -57,7 +57,7 @@
     "spawn-sync": "^1.0.15",
     "string-replace-loader": "^1.3.0",
     "strip-ansi": "^4.0.0",
-    "strong-log-transformer": "^1.0.6",
+    "strong-log-transformer": "^2.0.0",
     "tempy": "^0.2.1",
     "ts-loader": "^3.5.0",
     "typescript": "^3.0.3",

packages/kbn-pm/yarn.lock

@@ -2938,11 +2938,6 @@ minimist@0.0.8:
   resolved "https://registry.yarnpkg.com/minimist/-/minimist-0.0.8.tgz#857fcabfc3397d2625b8228262e86aa7a011b05d"
   integrity sha1-hX/Kv8M5fSYluCKCYuhqp6ARsF0=
 
-minimist@^0.1.0:
-  version "0.1.0"
-  resolved "https://registry.yarnpkg.com/minimist/-/minimist-0.1.0.tgz#99df657a52574c21c9057497df742790b2b4c0de"
-  integrity sha1-md9lelJXTCHJBXSX33QnkLK0wN4=
-
 minimist@^1.2.0:
   version "1.2.0"
   resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.0.tgz#a35008b20f41383eec1fb914f4cd5df79a264284"
@@ -2963,11 +2958,6 @@ mixin-deep@^1.2.0:
   dependencies:
     minimist "0.0.8"
 
-moment@^2.6.0:
-  version "2.20.1"
-  resolved "https://registry.yarnpkg.com/moment/-/moment-2.20.1.tgz#d6eb1a46cbcc14a2b2f9434112c1ff8907f313fd"
-  integrity sha512-Yh9y73JRljxW5QxN08Fner68eFLxM5ynNOAw2LbIB1YAGeQzZT8QFSUvkAz609Zf+IHhhaUxqZK8dG3W/+HEvg==
-
 ms@2.0.0:
   version "2.0.0"
   resolved "https://registry.yarnpkg.com/ms/-/ms-2.0.0.tgz#5608aeadfc00be6c2901df5f9861788de0d597c8"
@@ -4000,15 +3990,14 @@ strip-json-comments@~2.0.1:
   resolved "https://registry.yarnpkg.com/strip-json-comments/-/strip-json-comments-2.0.1.tgz#3c531942e908c2697c0ec344858c286c7ca0a60a"
   integrity sha1-PFMZQukIwml8DsNEhYwobHygpgo=
 
-strong-log-transformer@^1.0.6:
-  version "1.0.6"
-  resolved "https://registry.yarnpkg.com/strong-log-transformer/-/strong-log-transformer-1.0.6.tgz#f7fb93758a69a571140181277eea0c2eb1301fa3"
-  integrity sha1-9/uTdYpppXEUAYEnfuoMLrEwH6M=
+strong-log-transformer@^2.0.0:
+  version "2.0.0"
+  resolved "https://registry.yarnpkg.com/strong-log-transformer/-/strong-log-transformer-2.0.0.tgz#fa6d8e0a9e62b3c168c3cad5ae5d00dc97ba26cc"
+  integrity sha512-FQmNqAXJgOX8ygOcvPLlGWBNT41mvNJ9ALoYf0GTwVt9t30mGTqpmp/oJx5gLcu52DXK10kS7dVWhx8aPXDTlg==
   dependencies:
     byline "^5.0.0"
     duplexer "^0.1.1"
-    minimist "^0.1.0"
-    moment "^2.6.0"
+    minimist "^1.2.0"
     through "^2.3.4"
 
 supports-color@^2.0.0:

packages/kbn-ui-framework/package.json

@@ -70,6 +70,6 @@
     "webpack": "3.6.0",
     "webpack-dev-server": "2.9.1",
     "yeoman-generator": "1.1.1",
-    "yo": "2.0.0"
+    "yo": "2.0.3"
   }
 }

src/dev/license_checker/config.js

@@ -17,6 +17,8 @@
  * under the License.
  */
 
+// The following list applies to packages both
+// used as dependencies or dev dependencies
 export const LICENSE_WHITELIST = [
   'Elastic-License',
   '(BSD-2-Clause OR MIT OR Apache-2.0)',
@@ -42,12 +44,14 @@ export const LICENSE_WHITELIST = [
   'BSD-3-Clause AND MIT',
   'BSD-3-Clause OR MIT',
   'BSD-3-Clause',
+  '(BSD-3-Clause OR GPL-2.0)',
   'BSD-like',
   'CC0-1.0',
   'CC-BY',
   'CC-BY-3.0',
   'CC-BY-4.0',
   'ISC',
+  'ISC*',
   'MIT OR GPL-2.0',
   'MIT',
   'MIT*',
@@ -60,6 +64,13 @@ export const LICENSE_WHITELIST = [
   'WTFPL',
 ];
 
+// The following list only applies to licenses that
+// we wanna allow in packages only used as dev dependencies
+export const DEV_ONLY_LICENSE_WHITELIST = [
+  'MPL-2.0'
+];
+
+// Globally overrides a license for a given package@version
 export const LICENSE_OVERRIDES = {
   'scriptjs@2.5.8': ['MIT'], // license header appended in the dist
   'react-lib-adler32@1.0.1': ['BSD'], // adler32 extracted from react source
@@ -72,7 +83,23 @@ export const LICENSE_OVERRIDES = {
 
   // TODO can be removed once we upgrade past map-stream@0.5.0
   'map-stream@0.1.0': ['MIT'],
+
   'uglify-js@2.2.5': ['BSD'],
   'png-js@0.1.1': ['MIT'],
   'sha.js@2.4.11': ['BSD-3-Clause AND MIT'],
+
+  // TODO can be removed if the ISSUE#239 is accepted on the source
+  'xmldom@0.1.19': ['MIT'],
+
+  // TODO can be removed if the PR#9 is accepted on the source
+  'pause-stream@0.0.11': ['MIT'],
+
+  // TODO can be removed once we upgrade past or equal pdf-image@2.0.1
+  'pdf-image@1.1.0': ['MIT'],
+
+  // TODO can be removed once we upgrade the use of walk dependency past or equal to v2.3.14
+  'walk@2.3.9': ['MIT'],
+
+  // TODO remove this once we upgrade past or equal to v1.0.2
+  'babel-plugin-mock-imports@0.0.5': ['MIT']
 };

src/dev/license_checker/index.js

@@ -17,5 +17,5 @@
  * under the License.
  */
 
-export { LICENSE_WHITELIST, LICENSE_OVERRIDES } from './config';
+export { LICENSE_WHITELIST, DEV_ONLY_LICENSE_WHITELIST, LICENSE_OVERRIDES } from './config';
 export { assertLicensesValid } from './valid';

src/dev/npm/__tests__/fixtures/fixture1/node_modules/dep2/index.js

@@ -0,0 +1 @@
+console.log('I am dep 2');

src/dev/npm/__tests__/fixtures/fixture1/node_modules/dep2/package.json

@@ -0,0 +1,9 @@
+{
+  "name": "dep2",
+  "version": "0.0.2",
+  "license": "Apache-2.0",
+  "repository": {
+    "type": "git",
+    "url": "http://github.com/mycorp/dep2.git"
+  }
+}

src/dev/npm/__tests__/fixtures/fixture1/package.json

@@ -5,5 +5,8 @@
   "dependencies": {
     "dep1": "0.0.2",
     "privatedep": "0.0.2"
+  },
+  "devDependencies": {
+    "dep2": "0.0.2"
   }
 }

src/dev/npm/__tests__/installed_packages.js

@@ -39,7 +39,8 @@ describe('src/dev/npm/installed_packages', () => {
           directory: KIBANA_ROOT
         }),
         getInstalledPackages({
-          directory: FIXTURE1_ROOT
+          directory: FIXTURE1_ROOT,
+          dev: true
         }),
       ]);
     });
@@ -62,6 +63,7 @@ describe('src/dev/npm/installed_packages', () => {
           repository: 'https://github.com/mycorp/dep1',
           directory: resolve(FIXTURE1_ROOT, 'node_modules/dep1'),
           relative: ['node_modules', 'dep1'].join(sep),
+          isDevOnly: false,
         },
         {
           name: 'privatedep',
@@ -69,7 +71,17 @@ describe('src/dev/npm/installed_packages', () => {
           repository: 'https://github.com/mycorp/privatedep',
           licenses: [ 'Apache-2.0' ],
           directory: resolve(FIXTURE1_ROOT, 'node_modules/privatedep'),
-          relative: ['node_modules', 'privatedep'].join(sep)
+          relative: ['node_modules', 'privatedep'].join(sep),
+          isDevOnly: false,
+        },
+        {
+          name: 'dep2',
+          version: '0.0.2',
+          licenses: [ 'Apache-2.0' ],
+          repository: 'https://github.com/mycorp/dep2',
+          directory: resolve(FIXTURE1_ROOT, 'node_modules/dep2'),
+          relative: ['node_modules', 'dep2'].join(sep),
+          isDevOnly: true,
         }
       ]);
     });

src/dev/npm/installed_packages.js

@@ -78,7 +78,7 @@ export async function getInstalledPackages(options = {}) {
   return Object
     .keys(licenseInfo)
     .map(key => {
-      const { realPath, repository } = licenseInfo[key];
+      const { realPath, repository, isDevOnly } = licenseInfo[key];
       if (realPath === directory) return;
 
       const keyParts = key.split('@');
@@ -93,7 +93,8 @@ export async function getInstalledPackages(options = {}) {
         repository,
         licenses,
         directory: realPath,
-        relative: relative(directory, realPath)
+        relative: relative(directory, realPath),
+        isDevOnly
       };
     })
     .filter(Boolean);

src/dev/npm/license_checker.js

@@ -19,19 +19,11 @@
 
 import licenseChecker from 'license-checker';
 
-export function callLicenseChecker(options = {}) {
-  const {
-    directory,
-    dev = false
-  } = options;
-
-  if (!directory) {
-    throw new Error('You must specify the directory where license checker should start');
-  }
-
+async function runLicenseChecker(directory, dev) {
   return new Promise((resolve, reject) => {
     licenseChecker.init({
       start: directory,
+      development: dev,
       production: !dev,
       json: true,
       customFormat: {
@@ -41,7 +33,49 @@ export function callLicenseChecker(options = {}) {
       }
     }, (err, licenseInfo) => {
       if (err) reject(err);
-      else resolve(licenseInfo);
+      else {
+        resolve(
+          // Extend original licenseInfo object with a new attribute
+          // stating whether a license was found in a package used
+          // only as a dev dependency or not
+          Object.keys(licenseInfo).reduce(function (result, key) {
+            result[key] = Object.assign(licenseInfo[key], { isDevOnly: dev });
+            return result;
+          }, {})
+        );
+      }
     });
   });
 }
+
+export async function callLicenseChecker(options = {}) {
+  const {
+    directory,
+    dev = false
+  } = options;
+
+  if (!directory) {
+    throw new Error('You must specify the directory where license checker should start');
+  }
+
+  return new Promise(async (resolve, reject) => {
+    try {
+      // Run license checker for prod only packages
+      const prodOnlyLicenses = await runLicenseChecker(directory, false);
+
+      if (!dev) {
+        resolve(prodOnlyLicenses);
+        return;
+      }
+
+      // In case we have the dev option
+      // also run the license checker for the
+      // dev only packages and build a final object
+      // merging the previous results too
+      const devOnlyLicenses = await runLicenseChecker(directory, true);
+      resolve(Object.assign(prodOnlyLicenses, devOnlyLicenses));
+    } catch (e) {
+      reject(e);
+    }
+  });
+}

tasks/licenses.js

@@ -21,6 +21,7 @@ import { getInstalledPackages } from '../src/dev/npm';
 import {
   assertLicensesValid,
   LICENSE_WHITELIST,
+  DEV_ONLY_LICENSE_WHITELIST,
   LICENSE_OVERRIDES,
 } from '../src/dev/license_checker';
 
@@ -31,14 +32,33 @@ export default function licenses(grunt) {
     try {
       const dev = Boolean(grunt.option('dev'));
 
+      // Get full packages list according dev flag
+      const packages = await getInstalledPackages({
+        directory: grunt.config.get('root'),
+        licenseOverrides: LICENSE_OVERRIDES,
+        dev
+      });
+      // Filter the packages only used in production
+      const prodPackages = packages.filter(pkg => !pkg.isDevOnly);
+
+      // Assert if the found licenses in the production
+      // packages are valid
       assertLicensesValid({
-        packages: await getInstalledPackages({
-          directory: grunt.config.get('root'),
-          licenseOverrides: LICENSE_OVERRIDES,
-          dev
-        }),
+        packages: prodPackages,
         validLicenses: LICENSE_WHITELIST
       });
+
+      // Do the same as above for the packages only used in development
+      // if the dev flag is found
+      if (dev) {
+        const devPackages = packages.filter(pkg => pkg.isDevOnly);
+
+        assertLicensesValid({
+          packages: devPackages,
+          validLicenses: LICENSE_WHITELIST.concat(DEV_ONLY_LICENSE_WHITELIST)
+        });
+      }
+
       done();
     } catch (err) {
       grunt.fail.fatal(err);

x-pack/package.json

@@ -115,7 +115,7 @@
     "vinyl-fs": "^3.0.2",
     "xml-crypto": "^0.10.1",
     "xml2js": "^0.4.19",
-    "yargs": "4.7.1"
+    "yargs": "4.8.1"
   },
   "dependencies": {
     "@elastic/datemath": "^4.0.2",

x-pack/yarn.lock

@@ -6868,7 +6868,7 @@ linkify-it@^2.0.0:
   dependencies:
     uc.micro "^1.0.1"
 
-load-json-file@^1.0.0, load-json-file@^1.1.0:
+load-json-file@^1.0.0:
   version "1.1.0"
   resolved "https://registry.yarnpkg.com/load-json-file/-/load-json-file-1.1.0.tgz#956905708d58b4bab4c2261b04f59f31c99374c0"
   integrity sha1-lWkFcI1YtLq0wiYbBPWfMcmTdMA=
@@ -8718,16 +8718,6 @@ pixelmatch@4.0.2:
   dependencies:
     pngjs "^3.0.0"
 
-pkg-conf@^1.1.2:
-  version "1.1.3"
-  resolved "https://registry.yarnpkg.com/pkg-conf/-/pkg-conf-1.1.3.tgz#378e56d6fd13e88bfb6f4a25df7a83faabddba5b"
-  integrity sha1-N45W1v0T6Iv7b0ol33qD+qvduls=
-  dependencies:
-    find-up "^1.0.0"
-    load-json-file "^1.1.0"
-    object-assign "^4.0.1"
-    symbol "^0.2.1"
-
 pkg-dir@^2.0.0:
   version "2.0.0"
   resolved "https://registry.yarnpkg.com/pkg-dir/-/pkg-dir-2.0.0.tgz#f6d5d1109e19d63edf428e0bd57e12777615334b"
@@ -10277,11 +10267,6 @@ serialize-javascript@^1.4.0:
   resolved "https://registry.yarnpkg.com/serialize-javascript/-/serialize-javascript-1.5.0.tgz#1aa336162c88a890ddad5384baebc93a655161fe"
   integrity sha512-Ga8c8NjAAp46Br4+0oZ2WxJCwIzwP60Gq1YPgU+39PiTVxyed/iKE/zyZI6+UlVYH5Q4PaQdHhcegIFPZTUfoQ==
 
-set-blocking@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/set-blocking/-/set-blocking-1.0.0.tgz#cd5e5d938048df1ac92dfe92e1f16add656f5ec5"
-  integrity sha1-zV5dk4BI3xrJLf6S4fFq3WVvXsU=
-
 set-blocking@^2.0.0, set-blocking@~2.0.0:
   version "2.0.0"
   resolved "https://registry.yarnpkg.com/set-blocking/-/set-blocking-2.0.0.tgz#045f9782d011ae9a6803ddd382b24392b3d890f7"
@@ -10989,11 +10974,6 @@ symbol-tree@^3.2.1, symbol-tree@^3.2.2:
   resolved "https://registry.yarnpkg.com/symbol-tree/-/symbol-tree-3.2.2.tgz#ae27db38f660a7ae2e1c3b7d1bc290819b8519e6"
   integrity sha1-rifbOPZgp64uHDt9G8KQgZuFGeY=
 
-symbol@^0.2.1:
-  version "0.2.3"
-  resolved "https://registry.yarnpkg.com/symbol/-/symbol-0.2.3.tgz#3b9873b8a901e47c6efe21526a3ac372ef28bbc7"
-  integrity sha1-O5hzuKkB5Hxu/iFSajrDcu8ou8c=
-
 tabbable@1.1.0:
   version "1.1.0"
   resolved "https://registry.yarnpkg.com/tabbable/-/tabbable-1.1.0.tgz#2c9a9c9f09db5bb0659f587d532548dd6ef2067b"
@@ -12124,7 +12104,7 @@ yallist@^2.1.2:
   resolved "https://registry.yarnpkg.com/yallist/-/yallist-2.1.2.tgz#1c11f9218f076089a47dd512f93c6699a6a81d52"
   integrity sha1-HBH5IY8HYImkfdUS+TxmmaaoHVI=
 
-yargs-parser@^2.4.0:
+yargs-parser@^2.4.1:
   version "2.4.1"
   resolved "https://registry.yarnpkg.com/yargs-parser/-/yargs-parser-2.4.1.tgz#85568de3cf150ff49fa51825f03a8c880ddcc5c4"
   integrity sha1-hVaN488VD/SfpRgl8DqMiA3cxcQ=
@@ -12146,24 +12126,25 @@ yargs-parser@^9.0.2:
   dependencies:
     camelcase "^4.1.0"
 
-yargs@4.7.1:
-  version "4.7.1"
-  resolved "https://registry.yarnpkg.com/yargs/-/yargs-4.7.1.tgz#e60432658a3387ff269c028eacde4a512e438dff"
-  integrity sha1-5gQyZYozh/8mnAKOrN5KUS5Djf8=
+yargs@4.8.1:
+  version "4.8.1"
+  resolved "https://registry.yarnpkg.com/yargs/-/yargs-4.8.1.tgz#c0c42924ca4aaa6b0e6da1739dfb216439f9ddc0"
+  integrity sha1-wMQpJMpKqmsObaFznfshZDn53cA=
   dependencies:
-    camelcase "^3.0.0"
     cliui "^3.2.0"
     decamelize "^1.1.1"
+    get-caller-file "^1.0.1"
     lodash.assign "^4.0.3"
     os-locale "^1.4.0"
-    pkg-conf "^1.1.2"
     read-pkg-up "^1.0.1"
+    require-directory "^2.1.1"
     require-main-filename "^1.0.1"
-    set-blocking "^1.0.0"
+    set-blocking "^2.0.0"
     string-width "^1.0.1"
+    which-module "^1.0.0"
     window-size "^0.2.0"
     y18n "^3.2.1"
-    yargs-parser "^2.4.0"
+    yargs-parser "^2.4.1"
 
 yargs@^11.0.0:
   version "11.1.0"