pmonks / lice-comb

A Clojure library for software license detection.
Apache License 2.0

Fix for #54 doesn't handle ambiguous poms correctly #61

Open pmonks opened 2 weeks ago

pmonks commented 2 weeks ago

The fix for issue #54 unconditionally places an OR operator between all detected licenses from a pom.xml file; however, there are cases where there is indeed ambiguity and the Maven conjunction rule cannot be applied. For example:

  <licenses>
    <license>
      <name>MIT/Apache</name>
    </license>
  </licenses>

should result in:

#{"Apache-2.0" "MIT"}

Furthermore, there are complications in (probably exceptionally rare) cases where there might be multiple such ambiguous <license> blocks in the same pom.xml file - does that result in a combinatorial explosion in SPDX expressions? For example:

  <licenses>
    <license>
      <name>MIT/Apache</name>
    </license>
    <license>
      <name>BSD/GPL</name>
    </license>
  </licenses>

Should the result for this be:

#{"BSD-4-Clause OR MIT" "Apache-2.0 OR BSD-4-Clause" "GPL-3.0-only OR MIT" "Apache-2.0 OR GPL-3.0-only"}

?
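The expansion asked about in the comment above, worked through as an added example (this is not lice-comb code and not from the issue author). It assumes each `<license>` block has already been resolved to the set of SPDX identifiers it might mean, using the candidate identifiers that appear in the issue's own expected results; the namespace and function names are hypothetical.

```clojure
(ns example.ambiguous-poms
  (:require [clojure.string :as s]))

;; Constructed input: one set of candidate SPDX ids per <license> block.
;; A one-element set would model an unambiguous block.
(def one-ambiguous-block
  [#{"MIT" "Apache-2.0"}])             ; <name>MIT/Apache</name>

(def two-ambiguous-blocks
  [#{"MIT" "Apache-2.0"}               ; <name>MIT/Apache</name>
   #{"BSD-4-Clause" "GPL-3.0-only"}])  ; <name>BSD/GPL</name>

(defn candidate-combinations
  "Cartesian product over the blocks: every way of picking exactly one
  candidate id from each block."
  [blocks]
  (reduce (fn [acc block]
            (for [combo acc
                  id    (sort block)]
              (conj combo id)))
          [[]]
          blocks))

(defn candidate-expressions
  "Set of alternative SPDX expressions, one per combination. Ids chosen
  from different blocks are joined with OR (the Maven rule from #54);
  operands are sorted and de-duplicated so equivalent picks collapse."
  [blocks]
  (if (empty? blocks)
    #{}
    (into #{}
          (map #(s/join " OR " (sort (distinct %))))
          (candidate-combinations blocks))))

(defn candidate-count
  "Upper bound on the number of alternatives: the product of the number
  of candidates in each block."
  [blocks]
  (reduce * (map count blocks)))

;; Print the alternatives for both poms quoted in the issue, plus the bound.
(doseq [blocks [one-ambiguous-block two-ambiguous-blocks]]
  (println (candidate-count blocks) "alternative(s):"
           (sort (candidate-expressions blocks))))
```

The number of alternatives is bounded by the product of the per-block candidate counts, so each additional two-way ambiguous block doubles the size of the result set.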

pmonks commented 2 weeks ago

To be clear, I've only seen a few examples of the first case, and no examples of the second case, but right now lice-comb does the wrong thing in both cases.

Some examples of the first case: