Merge pull request #40 from pmonks/dev

Release 2.0.264

Author: pmonks

.github/workflows/ci.yml

@@ -24,10 +24,10 @@ jobs:
         with:
           distribution: 'temurin'
           java-version: ${{ matrix.java-version }}
-      - uses: DeLaGuardo/setup-clojure@12.1
+      - uses: DeLaGuardo/setup-clojure@12.5
         with:
           cli: latest
-      - uses: actions/cache@v3
+      - uses: actions/cache@v4
         with:
           path: |
             ~/.m2/repository

.github/workflows/deploy.yml

@@ -2,7 +2,7 @@ name: deploy
 on:
   push:
     branches:
-      - main
+      - release
 
 jobs:
   deploy:
@@ -17,10 +17,10 @@ jobs:
         with:
           distribution: 'temurin'
           java-version: 21
-      - uses: DeLaGuardo/setup-clojure@12.1
+      - uses: DeLaGuardo/setup-clojure@12.5
         with:
           cli: latest
-      - uses: actions/cache@v3
+      - uses: actions/cache@v4
         with:
           path: |
             ~/.m2/repository

.github/workflows/docs.yml

@@ -2,7 +2,7 @@ name: docs
 on:
   push:
     branches:
-      - main
+      - release
 
 jobs:
   docs:
@@ -14,10 +14,10 @@ jobs:
         with:
           distribution: 'temurin'
           java-version: 21
-      - uses: DeLaGuardo/setup-clojure@12.1
+      - uses: DeLaGuardo/setup-clojure@12.5
         with:
           cli: latest
-      - uses: actions/cache@v3
+      - uses: actions/cache@v4
         with:
           path: |
             ~/.m2/repository

.github/workflows/vulnerabilities.yml

@@ -28,10 +28,10 @@ jobs:
         with:
           distribution: 'temurin'
           java-version: 21
-      - uses: DeLaGuardo/setup-clojure@12.1
+      - uses: DeLaGuardo/setup-clojure@12.5
         with:
           cli: latest
-      - uses: actions/cache@v3
+      - uses: actions/cache@v4
         with:
           path: |
             ~/.m2/repository
@@ -43,8 +43,8 @@ jobs:
       - name: Run NVD vulnerabilities check
         run: clojure -Srepro -J-Dclojure.main.report=stderr -T:build nvd
 
-      - name: Deploy NVD vulnerability report (main branch only)
-        if: ${{ ( success() || failure() ) && github.ref == 'refs/heads/main' }}  # Only deploy report from main branch, and regardless of whether the job succeeded or failed
+      - name: Deploy NVD vulnerability report (release branch only)
+        if: ${{ ( success() || failure() ) && github.ref == 'refs/heads/release' }}  # Only deploy report from release branch, and regardless of whether the job succeeded or failed
         uses: peaceiris/actions-gh-pages@v3
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}

README.md

@@ -1,17 +1,17 @@
 | | | | |
 |---:|:---:|:---:|:---:|
-| [**main**](https://github.com/pmonks/lice-comb/tree/main) | [![CI](https://github.com/pmonks/lice-comb/workflows/CI/badge.svg?branch=main)](https://github.com/pmonks/lice-comb/actions?query=workflow%3ACI+branch%3Amain) | [![Dependencies](https://github.com/pmonks/lice-comb/workflows/dependencies/badge.svg?branch=main)](https://github.com/pmonks/lice-comb/actions?query=workflow%3Adependencies+branch%3Amain) | [![Vulnerabilities](https://github.com/pmonks/lice-comb/workflows/vulnerabilities/badge.svg?branch=main)](https://pmonks.github.io/lice-comb/nvd/dependency-check-report.html) |
-| [**dev**](https://github.com/pmonks/lice-comb/tree/dev) | [![CI](https://github.com/pmonks/lice-comb/workflows/CI/badge.svg?branch=dev)](https://github.com/pmonks/lice-comb/actions?query=workflow%3ACI+branch%3Adev) | [![Dependencies](https://github.com/pmonks/lice-comb/workflows/dependencies/badge.svg?branch=dev)](https://github.com/pmonks/lice-comb/actions?query=workflow%3Adependencies+branch%3Adev) | [![Vulnerabilities](https://github.com/pmonks/lice-comb/workflows/vulnerabilities/badge.svg?branch=dev)](https://github.com/pmonks/lice-comb/actions?query=workflow%3Avulnerabilities+branch%3Adev) |
+| [**release**](https://github.com/pmonks/lice-comb/tree/release) | [![CI](https://github.com/pmonks/lice-comb/actions/workflows/ci.yml/badge.svg?branch=release)](https://github.com/pmonks/lice-comb/actions?query=workflow%3ACI+branch%3Arelease) | [![Dependencies](https://github.com/pmonks/lice-comb/actions/workflows/dependencies.yml/badge.svg?branch=release)](https://github.com/pmonks/lice-comb/actions?query=workflow%3Adependencies+branch%3Arelease) | [![Vulnerabilities](https://github.com/pmonks/lice-comb/actions/workflows/vulnerabilities.yml/badge.svg?branch=release)](https://pmonks.github.io/lice-comb/nvd/dependency-check-report.html) |
+| [**dev**](https://github.com/pmonks/lice-comb/tree/dev) | [![CI](https://github.com/pmonks/lice-comb/workflows/CI/badge.svg?branch=dev)](https://github.com/pmonks/lice-comb/actions?query=workflow%3ACI+branch%3Adev) | [![Dependencies](https://github.com/pmonks/lice-comb/actions/workflows/dependencies.yml/badge.svg?branch=dev)](https://github.com/pmonks/lice-comb/actions?query=workflow%3Adependencies+branch%3Adev) | [![Vulnerabilities](https://github.com/pmonks/lice-comb/actions/workflows/vulnerabilities.yml/badge.svg?branch=dev)](https://github.com/pmonks/lice-comb/actions?query=workflow%3Avulnerabilities+branch%3Adev) |
 
-[![Latest Version](https://img.shields.io/clojars/v/com.github.pmonks/lice-comb)](https://clojars.org/com.github.pmonks/lice-comb/) [![Open Issues](https://img.shields.io/github/issues/pmonks/lice-comb.svg)](https://github.com/pmonks/lice-comb/issues) [![License](https://img.shields.io/github/license/pmonks/lice-comb.svg)](https://github.com/pmonks/lice-comb/blob/main/LICENSE)
+[![Latest Version](https://img.shields.io/clojars/v/com.github.pmonks/lice-comb)](https://clojars.org/com.github.pmonks/lice-comb/) [![Open Issues](https://img.shields.io/github/issues/pmonks/lice-comb.svg)](https://github.com/pmonks/lice-comb/issues) [![License](https://img.shields.io/github/license/pmonks/lice-comb.svg)](https://github.com/pmonks/lice-comb/blob/release/LICENSE)
 
-<img alt="lice-comb logo: a fine-toothed metal comb for removing headlice emblazoned with the OSI keyhole logo" align="right" width="25%" src="https://raw.githubusercontent.com/pmonks/lice-comb/main/lice-comb-logo.png">
+<img alt="lice-comb logo: a fine-toothed metal comb for removing headlice emblazoned with the OSI keyhole logo" align="right" width="25%" src="https://raw.githubusercontent.com/pmonks/lice-comb/release/lice-comb-logo.png">
 
 # lice-comb
 
-A Clojure library for software *lice*nse detection.  It does this by *comb*ing through tools.deps and Leiningen dependencies, directory structures, and JAR & ZIP files, attempting to detect what license(s) they contain, and then normalising them into [SPDX license expression(s)](https://spdx.github.io/spdx-spec/v2.3/SPDX-license-expressions/).
+A Clojure library for software *lice*nse detection.  It does this by *comb*ing through tools.deps and Leiningen dependencies, directory structures, and JAR & ZIP files, attempting to detect what license(s) they reference and/or contain, and then normalising them into [SPDX license expressions](https://spdx.github.io/spdx-spec/v2.3/SPDX-license-expressions/).
 
-This library leverages, and is inspired by, the *excellent* [SPDX project](https://spdx.dev/).  It's a great shame that it doesn't have greater traction in the Java & Clojure (and wider open source) communities.  If you're new to SPDX and would prefer to read a primer rather than dry specification documents, I can thoroughly recommend [David A. Wheeler's SPDX Tutorial](https://github.com/david-a-wheeler/spdx-tutorial#spdx-tutorial).
+This library leverages, and is inspired by, the *excellent* [SPDX project](https://spdx.dev/).  It's a great shame that it doesn't have greater traction in the Java & Clojure (and wider open source) communities.  If you're new to SPDX and would prefer to read a primer rather than dry specification documents, [David A. Wheeler's SPDX Tutorial](https://github.com/david-a-wheeler/spdx-tutorial#spdx-tutorial) is a good (albeit slightly outdated) intro.
 
 ## Disclaimer
 
@@ -87,7 +87,7 @@ $ deps-try com.github.pmonks/lice-comb
 (lcmvn/gav->expressions "javax.mail" "mail")
 ;=> #{"GPL-2.0-only WITH Classpath-exception-2.0" "CDDL-1.1"}
 
-(lcmvn/pom->expressions (str (System/getProperty "user.home") "/.m2/repository/org/clojure/clojure/1.11.1/clojure-1.11.1.pom"))
+(lcmvn/pom->expressions (str (System/getProperty "user.home") "/.m2/repository/org/clojure/clojure/1.11.2/clojure-1.11.2.pom"))
 ;=> #{"EPL-1.0"}
 
 (lcmvn/pom->expressions "https://repo1.maven.org/maven2/org/springframework/spring-core/6.0.11/spring-core-6.0.11.pom")
@@ -107,7 +107,7 @@ $ deps-try com.github.pmonks/lice-comb
 (lcl/dep->expressions ['aopalliance/aopalliance "1.0"])
 ;=> #{"LicenseRef-lice-comb-PUBLIC-DOMAIN"}
 ; Also shows how lice-comb handles "public domain" attestations (which are not supported directly
-; by SPDX, as they're not a licensing mechanism)
+; by SPDX, since "public domain" is not a license)
 
 
 ;; Information about matches (useful for better understanding how lice-comb arrived at a given set
@@ -170,17 +170,17 @@ The implementation of [issue #3](https://github.com/pmonks/lice-comb/issues/3) r
 
 [Contributor FAQ](https://github.com/pmonks/lice-comb/wiki/FAQ#contributor-faqs)
 
-[Contributing Guidelines](https://github.com/pmonks/lice-comb/blob/main/.github/CONTRIBUTING.md)
+[Contributing Guidelines](https://github.com/pmonks/lice-comb/blob/release/.github/CONTRIBUTING.md)
 
 [Bug Tracker](https://github.com/pmonks/lice-comb/issues)
 
-[Code of Conduct](https://github.com/pmonks/lice-comb/blob/main/.github/CODE_OF_CONDUCT.md)
+[Code of Conduct](https://github.com/pmonks/lice-comb/blob/release/.github/CODE_OF_CONDUCT.md)
 
 ### Developer Workflow
 
-This project uses the [git-flow branching strategy](https://nvie.com/posts/a-successful-git-branching-model/), with the caveat that the permanent branches are called `main` and `dev`, and any changes to the `main` branch are considered a release and auto-deployed (JARs to Clojars, API docs to GitHub Pages, etc.).
+This project uses the [git-flow branching strategy](https://nvie.com/posts/a-successful-git-branching-model/), and the permanent branches are called `release` and `dev`.  Any changes to the `release` branch are considered a release and auto-deployed (JARs to Clojars, API docs to GitHub Pages, etc.).
 
-For this reason, **all development must occur either in branch `dev`, or (preferably) in temporary branches off of `dev`.**  All PRs from forked repos must also be submitted against `dev`; the `main` branch is **only** updated from `dev` via PRs created by the core development team.  All other changes submitted to `main` will be rejected.
+For this reason, **all development must occur either in branch `dev`, or (preferably) in temporary branches off of `dev`.**  All PRs from forked repos must also be submitted against `dev`; the `release` branch is **only** updated from `dev` via PRs created by the core development team.  All other changes submitted to `release` will be rejected.
 
 ### Build Tasks
 

deps.edn

@@ -18,17 +18,17 @@
 
 {:paths ["src" "resources"]
  :deps
-   {org.clojure/tools.logging             {:mvn/version "1.2.4"}
+   {org.clojure/tools.logging             {:mvn/version "1.3.0"}
     commons-validator/commons-validator   {:mvn/version "1.8.0"}
-    org.clojure/data.xml                  {:mvn/version "0.2.0-alpha8"}
+    org.clojure/data.xml                  {:mvn/version "0.2.0-alpha9"}
     clj-xml-validation/clj-xml-validation {:mvn/version "1.0.2"}
     tolitius/xml-in                       {:mvn/version "0.1.1"}
     hato/hato                             {:mvn/version "0.9.0"}
     dev.weavejester/medley                {:mvn/version "1.7.0"}
     miikka/clj-base62                     {:mvn/version "0.1.1"}
-    com.github.pmonks/clj-spdx            {:mvn/version "1.0.126"}
-    com.github.pmonks/rencg               {:mvn/version "1.0.34"}
-    com.github.pmonks/embroidery          {:mvn/version "0.1.13"}}
+    com.github.pmonks/clj-spdx            {:mvn/version "1.0.145"}
+    com.github.pmonks/rencg               {:mvn/version "1.0.51"}
+    com.github.pmonks/embroidery          {:mvn/version "0.1.20"}}
  :aliases
    {:build {:deps       {com.github.pmonks/pbr {:mvn/version "RELEASE"}}
             :ns-default pbr.build}}}

pbr.clj

@@ -22,14 +22,13 @@
   (assoc opts
          :lib          'com.github.pmonks/lice-comb
          :version      (pbr/calculate-version 2 0)
-;         :version      (format "2.0.%s-RCx-SNAPSHOT" (b/git-count-revs nil))
+         :prod-branch  "release"
          :write-pom    true
          :validate-pom true
          :pom          {:description      "A Clojure library for software license detection."
                         :url              "https://github.com/pmonks/lice-comb"
-                        :licenses         [:license   {:name "Apache License 2.0" :url "http://www.apache.org/licenses/LICENSE-2.0.html"}]
+                        :licenses         [:license   {:name "Apache-2.0" :url "http://www.apache.org/licenses/LICENSE-2.0.html"}]
                         :developers       [:developer {:id "pmonks" :name "Peter Monks" :email "pmonks+lice-comb@gmail.com"}]
                         :scm              {:url "https://github.com/pmonks/lice-comb" :connection "scm:git:git://github.com/pmonks/lice-comb.git" :developer-connection "scm:git:ssh://git@github.com/pmonks/lice-comb.git"}
                         :issue-management {:system "github" :url "https://github.com/pmonks/lice-comb/issues"}}
-         :codox        {:namespaces ['lice-comb.deps 'lice-comb.files 'lice-comb.lein 'lice-comb.matching 'lice-comb.maven 'lice-comb.utils]}
-         :eastwood     {:exclude-linters [:unused-ret-vals-in-try :no-ns-form-found]}))
+         :codox        {:namespaces ['lice-comb.deps 'lice-comb.files 'lice-comb.lein 'lice-comb.matching 'lice-comb.maven 'lice-comb.utils]}))

src/lice_comb/impl/matching.clj

@@ -121,44 +121,47 @@
           fix-mpl-2
           fix-license-id-with-exception-id))
 
-(defmulti text->expressions
-  "Returns an expressions-map for the given license text, or nil if no matches
-  are found."
+(defmulti text->expressions-info
+  "Returns an expressions-info map for the given license text, or nil if no
+  matches are found."
   {:arglists '([text])}
   type)
 
-(defmethod text->expressions java.lang.String
+(defmethod text->expressions-info java.lang.String
   [s]
   ; clj-spdx's *-within-text APIs are *expensive* but support batching, so we check batches of ids in parallel
   (let [num-cpus             (.availableProcessors (Runtime/getRuntime))
         license-id-batches   (partition num-cpus @lcis/license-ids-d)
         exception-id-batches (partition num-cpus @lcis/exception-ids-d)
         license-ids-found    (apply set/union (e/pmap* #(sm/licenses-within-text   s %) license-id-batches))
         exception-ids-found  (apply set/union (e/pmap* #(sm/exceptions-within-text s %) exception-id-batches))
-        ids-found            (set/union license-ids-found exception-ids-found)]
-    (when ids-found
-      ; Note: we don't need to sexp/normalise the keys here, as we never detect an expression from a text
-      (manual-fixes (into {} (map #(hash-map % (list {:id % :type :concluded :confidence :high :strategy :spdx-text-matching})) ids-found))))))
-
-(defmethod text->expressions java.io.Reader
+        expressions-found    (if (and (= 1 (count license-ids-found))
+                                      (= 1 (count exception-ids-found)))
+                               #{(str (first license-ids-found) " WITH " (first exception-ids-found))}
+                               (set/union license-ids-found exception-ids-found))]
+    (when expressions-found
+      ; Note: we don't need to sexp/normalise the keys here, as the only expressions that can be returned are constructed correctly
+      (manual-fixes (into {} (map #(hash-map % (list {:id % :type :concluded :confidence :high :strategy :spdx-matching-guidelines})) expressions-found))))))
+
+(defmethod text->expressions-info java.io.Reader
   [r]
   (let [sw (java.io.StringWriter.)]
     (io/copy r sw)
-    (text->expressions (str sw))))
+    (text->expressions-info (str sw))))
 
-(defmethod text->expressions java.io.InputStream
+(defmethod text->expressions-info java.io.InputStream
   [is]
-  (text->expressions (io/reader is)))
+  (text->expressions-info (io/reader is)))
 
-(defmethod text->expressions :default
+(defmethod text->expressions-info :default
   [src]
   (when src
     (with-open [r (io/reader src)]
-      (text->expressions r))))
+      (text->expressions-info r))))
 
-(defn uri->expressions
-  "Returns an expressions-map for the given license uri, or nil if no matches
-  are found."
+(defn uri->expressions-info
+  "Returns an expressions-info map for the given license uri, or nil if no
+  matches are found."
   [uri]
   (when-not (s/blank? uri)
       ; We don't need to sexp/normalise the keys here, as we never detect an expression from a URI
@@ -171,8 +174,8 @@
 
                                 ; 2. attempt to retrieve the text/plain contents of the uri and perform license text matching on it
                                 (when-let [license-text (lcihttp/get-text uri)]
-                                  (when-let [ids (text->expressions license-text)]
-                                    ids))))))))
+                                  (when-let [expressions (text->expressions-info license-text)]
+                                    expressions))))))))
 
 (defn- string->ids-info
   "Converts the given string (a fragment of a license name) into a sequence of
@@ -196,7 +199,7 @@
                   (map #(hash-map % (list {:id % :type :concluded :confidence :high :strategy :spdx-listed-name :source (list s)})) ids))
 
                 ; 3. Might it be a URI?  (this is to handle some dumb corner cases that exist in pom.xml files hosted on Clojars & Maven Central)
-                (when-let [ids (uri->expressions s)]
+                (when-let [ids (uri->expressions-info s)]
                   (map #(hash-map (key %) (val %)) ids))
 
                 ; 4. Attempt regex name matching