Merge pull request #55 from pmonks/dev

Release 2.0.318

Author: pmonks

.github/workflows/vulnerabilities.yml

@@ -1,12 +1,25 @@
 name: vulnerabilities
 on:
 # Don't require this on push or pull_request, or it'll block releases even for minor vulnerabilities
-# Note: scheduled actions only run on the default branch - see https://github.com/orgs/community/discussions/38800
+#  push:
+#  pull_request:
   schedule:
     - cron: '0 2 * * 2'   # Every Tuesday at 2am
 
 jobs:
+  skip_check:
+    runs-on: ubuntu-latest
+    outputs:
+      should_skip: ${{ steps.skip_check.outputs.should_skip }}
+    steps:
+      - id: skip_check
+        uses: fkirc/skip-duplicate-actions@master
+
   vulnerabilities:
+    needs: skip_check
+    if: ${{ needs.skip_check.outputs.should_skip != 'true' }}
+    runs-on: ubuntu-latest
+
     steps:
       - uses: actions/checkout@v4
         with:
@@ -28,11 +41,12 @@ jobs:
           key: ${{ runner.os }}-${{ hashFiles('**/deps.edn') }}
 
       - name: Run NVD vulnerabilities check
+        env:
+          NVD_API_TOKEN: ${{ secrets.NVD_API_TOKEN }}
         run: clojure -Srepro -J-Dclojure.main.report=stderr -T:build nvd
 
-      - name: Deploy NVD vulnerability report
-#        if: ${{ ( success() || failure() ) && github.ref == 'refs/heads/release' }}  # Only deploy report from release branch, and regardless of whether the job succeeded or failed
-        if: ${{ ( success() || failure() ) }}
+      - name: Deploy NVD vulnerability report (dev branch only)                  # Because GitHub is idiotic and only supports timed jobs on the default branch (dev)
+        if: ${{ ( success() || failure() ) && github.ref == 'refs/heads/dev' }}  # Deploy report regardless of whether the job succeeded or failed
         uses: peaceiris/actions-gh-pages@v4
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}

README.md

@@ -1,7 +1,7 @@
 | | | |
 |---:|:---:|:---:|
 | [**release**](https://github.com/pmonks/lice-comb/tree/release) | [![CI](https://github.com/pmonks/lice-comb/actions/workflows/ci.yml/badge.svg?branch=release)](https://github.com/pmonks/lice-comb/actions?query=workflow%3ACI+branch%3Arelease) | [![Dependencies](https://github.com/pmonks/lice-comb/actions/workflows/dependencies.yml/badge.svg?branch=release)](https://github.com/pmonks/lice-comb/actions?query=workflow%3Adependencies+branch%3Arelease) |
-| [**dev**](https://github.com/pmonks/lice-comb/tree/dev) | [![CI](https://github.com/pmonks/lice-comb/workflows/CI/badge.svg?branch=dev)](https://github.com/pmonks/lice-comb/actions?query=workflow%3ACI+branch%3Adev) | [![Dependencies](https://github.com/pmonks/lice-comb/actions/workflows/dependencies.yml/badge.svg?branch=dev)](https://github.com/pmonks/lice-comb/actions?query=workflow%3Adependencies+branch%3Adev) |
+| [**dev**](https://github.com/pmonks/lice-comb/tree/dev) | [![CI](https://github.com/pmonks/lice-comb/actions/workflows/ci.yml/badge.svg?branch=dev)](https://github.com/pmonks/lice-comb/actions?query=workflow%3ACI+branch%3Adev) | [![Dependencies](https://github.com/pmonks/lice-comb/actions/workflows/dependencies.yml/badge.svg?branch=dev)](https://github.com/pmonks/lice-comb/actions?query=workflow%3Adependencies+branch%3Adev) |
 
 [![Latest Version](https://img.shields.io/clojars/v/com.github.pmonks/lice-comb)](https://clojars.org/com.github.pmonks/lice-comb/) [![License](https://img.shields.io/github/license/pmonks/lice-comb.svg)](https://github.com/pmonks/lice-comb/blob/release/LICENSE) [![Open Issues](https://img.shields.io/github/issues/pmonks/lice-comb.svg)](https://github.com/pmonks/lice-comb/issues) [![Vulnerabilities](https://github.com/pmonks/lice-comb/actions/workflows/vulnerabilities.yml/badge.svg)](https://pmonks.github.io/lice-comb/nvd/dependency-check-report.html)
 
@@ -83,9 +83,10 @@ $ deps-try com.github.pmonks/lice-comb
 (lcmvn/gav->expressions "commons-io" "commons-io" "2.15.0")
 ;=> #{"Apache-2.0"}
 
-; Note: this looks up and uses only the latest version of the given project
+; Note: this looks up and uses the latest version of the given project (1.5.0-b01 at the time of
+; writing), so the results you get may be different to what you see here
 (lcmvn/gav->expressions "javax.mail" "mail")
-;=> #{"GPL-2.0-only WITH Classpath-exception-2.0" "CDDL-1.1"}
+;=> #{"CDDL-1.1 OR GPL-2.0-only WITH Classpath-exception-2.0"}
 
 (lcmvn/pom->expressions (str (System/getProperty "user.home") "/.m2/repository/org/clojure/clojure/1.11.2/clojure-1.11.2.pom"))
 ;=> #{"EPL-1.0"}
@@ -125,7 +126,8 @@ $ deps-try com.github.pmonks/lice-comb
 ;      {:id "Classpath-exception-2.0", :type :concluded, :confidence :low, :strategy :regex-matching,
 ;       :source ("GNU Public License 2.0 or later w/ the GNU Classpath Exception"
 ;                "the GNU Classpath Exception"
-;                "Classpath Exception")})}
+;                "Classpath Exception"),
+;       :confidence-explanations #{:missing-version}})}
 
 (lcmvn/pom->expressions-info "https://repo.clojars.org/canvas/canvas/0.1.6/canvas-0.1.6.pom")
 ;=> {"EPL-2.0 OR GPL-2.0-or-later WITH Classpath-exception-2.0"
@@ -138,7 +140,7 @@ $ deps-try com.github.pmonks/lice-comb
 ;; Pretty print expressions-info
 (require '[lice-comb.utils :as lcu])
 
-(println (lcu/expressions-info->string (lcd/dep->expressions-info ['com.amazonaws/aws-java-sdk-s3 {:deps/manifest :mvn :mvn/version "1.12.129"}])))
+(println (lcu/expressions-info->string (lcmvn/gav->expressions-info "com.amazonaws" "aws-java-sdk-s3" "1.12.129")))
 ;=> Apache-2.0:
 ;     Concluded
 ;       Confidence: high

deps.edn

@@ -19,16 +19,16 @@
 {:paths ["src" "resources"]
  :deps
    {org.clojure/tools.logging             {:mvn/version "1.3.0"}
-    commons-validator/commons-validator   {:mvn/version "1.8.0"}
+    commons-validator/commons-validator   {:mvn/version "1.9.0"}
     org.clojure/data.xml                  {:mvn/version "0.2.0-alpha9"}
     clj-xml-validation/clj-xml-validation {:mvn/version "1.0.2"}
     tolitius/xml-in                       {:mvn/version "0.1.1"}
     hato/hato                             {:mvn/version "0.9.0"}
-    dev.weavejester/medley                {:mvn/version "1.7.0"}
+    dev.weavejester/medley                {:mvn/version "1.8.0"}
     miikka/clj-base62                     {:mvn/version "0.1.1"}
-    com.github.pmonks/clj-spdx            {:mvn/version "1.0.152"}
+    com.github.pmonks/clj-spdx            {:mvn/version "1.0.174"}
     com.github.pmonks/rencg               {:mvn/version "1.0.51"}
-    com.github.pmonks/embroidery          {:mvn/version "0.1.20"}}
+    com.github.pmonks/embroidery          {:mvn/version "1.0.41"}}
  :aliases
    {:build {:deps       {com.github.pmonks/pbr {:mvn/version "RELEASE"}}
             :ns-default pbr.build}}}

doc/overview.md

@@ -0,0 +1,74 @@
+# Overview
+
+Most of the namespaces in this library provide two variants of every license detection function:
+
+  1. A 'simple' version that returns a set of SPDX expressions (`String`s)
+  2. An 'info' version that returns an 'expressions-info map' containing metadata on how the determination was made (including confidence & source information)
+
+If all you're interested in are the license expressions themselves, the 'simple' variant is what you're after (e.g. [[lice-comb.matching/name->expressions]]).  However in choosing to use these 'simple' variants you're placing full faith & confidence that lice-comb has done the right thing.  Given that license matching is a messy business, you may wish to have better visibility into how lice-comb made a particular determination, and that can be done with the 'info' variants (e.g. [[lice-comb.matching/name->expressions-info]]).
+
+## expressions-info map
+
+The 'info' variants all return an 'expressions-info' map, which has this structure:
+  
+  * key:   an SPDX expression (`String`)
+  * value: a sequence of 'expression-info' maps
+
+## expression-info map
+
+Each expression-info map in the sequence of values has this structure:
+  
+  * `:id` (`String`, optional):
+    The portion of the SPDX expression that this info map refers to (usually, though not always, a single SPDX identifier).
+  * `:type` (either `:declared` or `:concluded`, mandatory):
+    Whether this identifier was unambiguously declared within the input or was instead concluded by lice-comb (see [the SPDX FAQ](https://wiki.spdx.org/view/SPDX_FAQ) for more detail on the definition of these two terms).
+  * `:confidence` (one of: `:high`, `:medium`, `:low`, only provided when `:type` = `:concluded`):
+    Indicates the approximate confidence lice-comb has in its conclusions for this particular SPDX identifier.
+  * `:strategy` (a keyword, mandatory):
+    The strategy lice-comb used to determine this particular SPDX identifier.  See [[lice-comb.utils/strategy->string]] for an up-to-date list of all possible values.
+  * `:source` (a sequence of `String`s):
+    The list of sources used to arrive at this portion of the SPDX expression, starting from the most general (the input) through to the most specific (the smallest subset of the input that was used to make this determination.  These may include dependencies expressed in Leiningen or tools.deps format, Maven GAVs, file paths, URIs, XML tags, text fragments, and other string data, and are intended for human, rather than programmatic, consumption.
+
+## Example
+
+For example, this code:
+
+```clojure
+(require '[lice-comb.maven :as lcmvn])
+(lcmvn/gav->expressions-info "javax.mail" "javax.mail-api" "1.6.2")
+```
+
+results in this expressions-info map (pretty printed for clarity):
+
+```clojure
+{"GPL-2.0-or-later"
+   ({:id         "GPL-2.0-or-later",
+     :type       :concluded,
+     :confidence :medium,
+     :strategy   :regex-matching,
+     :source     ("https://repo1.maven.org/maven2/javax/mail/javax.mail-api/1.6.2/javax.mail-api-1.6.2.pom"
+                  "https://repo1.maven.org/maven2/com/sun/mail/all/1.6.2/all-1.6.2.pom"
+                  "<licenses><license><name>"
+                  "CDDL/GPLv2+CE"
+                  "GPLv2+")}),
+ "CDDL-1.1"
+   ({:id         "CDDL-1.1",
+     :type       :concluded,
+     :confidence :low,
+     :strategy   :regex-matching,
+     :source     ("https://repo1.maven.org/maven2/javax/mail/javax.mail-api/1.6.2/javax.mail-api-1.6.2.pom"
+                  "https://repo1.maven.org/maven2/com/sun/mail/all/1.6.2/all-1.6.2.pom"
+                  "<licenses><license><name>"
+                  "CDDL/GPLv2+CE"
+                  "CDDL")})}
+```
+
+A key insight that the expressions-info map tells us in this case is that the `javax.mail/javax.mail-api@1.6.2` artifact doesn't declare which version of the CDDL it uses, and lice-comb has _inferred_ the latest (`CDDL-1.1`), and in doing so reduced its confidence to "low".  This important insight is not apparent when the `simple` variant of the function is used instead:
+
+```clojure
+(lcmvn/gav->expressions "javax.mail" "javax.mail-api" "1.6.2")
+
+#{"CDDL-1.1" "GPL-2.0-or-later"}
+```
+
+[Back to GitHub](https://github.com/pmonks/lice-comb)

pbr.clj

@@ -31,4 +31,6 @@
                         :developers       [:developer {:id "pmonks" :name "Peter Monks" :email "pmonks+lice-comb@gmail.com"}]
                         :scm              {:url "https://github.com/pmonks/lice-comb" :connection "scm:git:git://github.com/pmonks/lice-comb.git" :developer-connection "scm:git:ssh://git@github.com/pmonks/lice-comb.git"}
                         :issue-management {:system "github" :url "https://github.com/pmonks/lice-comb/issues"}}
-         :codox        {:namespaces ['lice-comb.deps 'lice-comb.files 'lice-comb.lein 'lice-comb.matching 'lice-comb.maven 'lice-comb.utils]}))
+         :codox        {:namespaces ['lice-comb.deps 'lice-comb.files 'lice-comb.lein 'lice-comb.matching 'lice-comb.maven 'lice-comb.utils]
+                        :metadata   {:doc/format :markdown}
+                        :doc-files  ["doc/overview.md"]}))

src/lice_comb/deps.clj

@@ -71,9 +71,8 @@
                                            (:paths info))))))))
 
 (defmulti dep->expressions-info
-  "Returns an expressions-info map for the given tools.dep dep (a MapEntry or
-  two-element vector of `['group-id/artifact-id dep-info]`), or nil if no
-  expressions were found."
+  "Returns an expressions-info map for `dep` (a `MapEntry` or two-element vector
+  of `['group-id/artifact-id dep-info]`), or `nil` if no expressions were found."
   {:arglists '([[ga info :as dep]])}
   (fn [[_ info]] (:deps/manifest info)))
 
@@ -106,9 +105,8 @@
                   {:dep dep})))
 
 (defn dep->expressions
-  "Returns a set of SPDX expressions (Strings) for the given tools.dep dep (a
-  MapEntry or two-element vector of `['group-id/artifact-id dep-info-map]`), or
-  nil if no expressions were found."
+  "Returns a set of SPDX expressions (`String`s) for `dep`. See
+  [[dep->expressions-info]] for details."
   [dep]
   (some-> (dep->expressions-info dep)
           keys
@@ -129,12 +127,12 @@
                    deps))))
 
 (defn dep->pom-uri
-  "Returns a java.net.URI that points to the pom for the given tools.dep dep (a
-  MapEntry or two-element vector of `['group-id/artifact-id dep-info]`), or nil if
-  the dep is not a Maven dep, or a POM could not be found.  The returned URI is
-  guaranteed to be resolvable - either to a file that exists in the local Maven
-  cache, or to an HTTP-accessible resource on a remote Maven repository (i.e.
-  Maven Central or Clojars) that resolves."
+  "Returns a `URI` that points to the pom for `dep` (a `MapEntry` or two-element
+  vector of `['group-id/artifact-id dep-info]`), or `nil` if `dep` is not a
+  Maven dep, or a POM could not be found for it.  When non-`nil`, the returned
+  URI is guaranteed to be resolvable - either to a file that exists in the local
+  Maven cache, or to an HTTP-accessible resource on a remote Maven artifact
+  repository (e.g. Maven Central or Clojars)."
   [dep]
   (when (and dep
              (= :mvn (:deps/manifest (second dep))))
@@ -144,10 +142,9 @@
       (lcmvn/gav->pom-uri group-id artifact-id version))))
 
 (defmulti dep->locations
-  "Returns a sequence of Strings representing locations that may be searched
-  for license information for the given tools.dep dep (a MapEntry or two-element
-  vector of `['group-id/artifact-id dep-info]`),or nil if no locations were
-  found."
+  "Returns a sequence of `String`s representing locations that may be searched
+  for license information for `dep` (a `MapEntry` or two-element vector of
+  `['group-id/artifact-id dep-info]`), or `nil` if no locations were found."
   {:arglists '([[ga info :as dep]])}
   (fn [[_ info]] (:deps/manifest info)))
 
@@ -172,9 +169,9 @@
                   {:dep dep})))
 
 (defmulti dep->version
-  "Returns the version (as a String) for the given tools.dep dep (a MapEntry or
-  two-element vector of `['group-id/artifact-id dep-info]`),or nil if no version
-  was found."
+  "Returns the Maven version (as a `String`) for `dep` (a `MapEntry` or
+  two-element vector of `['group-id/artifact-id dep-info]`), or `nil` if no
+  version was found."
   {:arglists '([[ga info :as dep]])}
   (fn [[_ info]] (:deps/manifest info)))
 
@@ -198,9 +195,11 @@
 
 (defn init!
   "Initialises this namespace upon first call (and does nothing on subsequent
-  calls), returning nil. Consumers of this namespace are not required to call
+  calls), returning `nil`. Consumers of this namespace are not required to call
   this fn, as initialisation will occur implicitly anyway; it is provided to
-  allow explicit control of the cost of initialisation to callers who need it."
+  allow explicit control of the cost of initialisation to callers who need it.
+
+  Note: this method may have a substantial performance cost."
   []
   (lcmvn/init!)
   (lcf/init!)