#869: exclude jcabi-log from jcabi-xml #904

Open
akmhatey-ai wants to merge 2 commits into objectionary:master from akmhatey-ai:869

@akmhatey-ai

Closes #869.

This excludes com.jcabi:jcabi-log from the direct jcabi-xml dependency. The project already declares jcabi-log:0.24.3 directly, so the classpath keeps jcabi-log, while ORT no longer receives the extra jcabi-xml -> jcabi-log dependency relationship that the SPDX reporter cannot map.

Validation:

  • mvn -version -> Apache Maven 3.9.16, Java 21.0.11.
  • mvn -DskipTests dependency:tree '-Dincludes=com.jcabi' -> jcabi-xml and jcabi-log are separate direct compile dependencies.
  • mvn -q -DskipITs package.
  • mvn clean verify -PskipTests -Pqulice --errors --batch-mode.
  • git diff --check.
  • git diff -- pom.xml | gitleaks stdin --no-banner --redact --exit-code 1 - -> no leaks found.

Limitation: I did not run ORT locally. The repository ort workflow is currently gated by vars.RUN_WORKFLOW == 'true', and the latest public ort runs are skipped.

github-actions bot added the core label (Changes are made to core parts of the code base) on May 28, 2026

@GHX5T-SOL GHX5T-SOL left a comment

Checked head 349db3820839aed6e40a12c2162d5ed5f3d7aa53.

The patch is limited to pom.xml and only excludes transitive com.jcabi:jcabi-log from jcabi-xml. Since jcabi-log:0.24.3 remains declared directly by the project, the runtime classpath keeps jcabi-log while removing the extra jcabi-xml -> jcabi-log dependency edge that was causing the SPDX relationship problem described in #869.

Validation I ran:

  • git diff --check origin/master...HEAD
  • diff-only gitleaks stdin --no-banner --redact --exit-code 1
  • mvn --errors --batch-mode -DskipTests dependency:tree '-Dincludes=com.jcabi' confirmed jcabi-xml, jcabi-log, jcabi-manifests, and test-only jcabi-matchers as separate project dependencies, with no nested jcabi-xml -> jcabi-log edge in the filtered tree
  • JAVA_HOME=/opt/homebrew/Cellar/openjdk/25.0.2/libexec/openjdk.jdk/Contents/Home mvn --errors --batch-mode -q -DskipITs package completed successfully locally

Hosted check readback is also clean for the relevant jobs: actionlint, bashate, copyrights, deep, labeler, markdown-lint, mvn (ubuntu-24.04, 23), mvn (macos-15, 23), mvn (windows-2022, 23), pdd, qulice, reserved, reuse, shellcheck, typos, vale, xcop, and yamllint are successful. ort, hone, and jmh are skipped by the workflow gating, so I did not treat them as validation evidence.

@0crat

0crat commented May 29, 2026

@GHX5T-SOL Thanks for the review! You've earned +4 points following our bonus policy: started with +12 base points, then -8 for no comments (as per policy for zero feedback), -4 for having only 6 hits-of-code (below the 32 minimum), but we added +4 to ensure you meet the minimum reward threshold. Your running score is +31 - don't forget to check your Zerocracy account too! 🚀

@akmhatey-ai

Author

Merged current master into this branch in c59fedd8 to clear the dirty merge state.

Resolution:

Validation:

  • XML parse of pom.xml passed.
  • Static dependency check confirmed jcabi-xml=0.37.0, the nested jcabi-log exclusion, and direct jcabi-log=0.24.3.
  • git diff --check origin/master...HEAD -> clean
  • git merge-tree --write-tree origin/master HEAD -> f5f66bf76eedbba2ee9d4ac333bb181137feda72
  • diff-scoped gitleaks stdin --no-banner --redact -> no leaks
  • Hosted mvn passed on Ubuntu, macOS, and Windows after the push.

Limitation: I could not run local Maven because this shell has no java or mvn on PATH. Hosted reserved is still red from a download-maven-plugin:wget (download-home) Read timed out before reserved validation; I tried to rerun the failed job, but GitHub requires repository admin rights for that rerun.
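
Added example, not part of the pull request or the project's code: one way to run the kind of static dependency check mentioned in this thread, confirming that every artifact excluded from a dependency is still declared directly, so the exclusion removes only the nested edge and not the library. The POM fragment is constructed from the coordinates and versions quoted above; the function name `check_exclusions` is hypothetical, and the check assumes literal coordinates in the top-level `<dependencies>` section (no wildcard exclusions, profiles or `dependencyManagement`).

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM; coordinates and versions are the ones quoted in the thread.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.jcabi</groupId>
      <artifactId>jcabi-xml</artifactId>
      <version>0.37.0</version>
      <exclusions>
        <exclusion>
          <groupId>com.jcabi</groupId>
          <artifactId>jcabi-log</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>com.jcabi</groupId>
      <artifactId>jcabi-log</artifactId>
      <version>0.24.3</version>
    </dependency>
  </dependencies>
</project>"""


def _text(node, tag):
    """Text of a namespaced child element, or '' when it is absent."""
    return (node.findtext(f"m:{tag}", default="", namespaces=NS) or "").strip()


def check_exclusions(pom_xml):
    """Return (direct, uncovered): direct deps as {(group, artifact): version} and
    (owner, excluded) pairs whose excluded artifact has no direct declaration."""
    root = ET.fromstring(pom_xml)  # parse only POMs from a trusted checkout
    deps = root.findall("m:dependencies/m:dependency", NS)
    direct = {(_text(d, "groupId"), _text(d, "artifactId")): _text(d, "version")
              for d in deps}
    uncovered = []
    for d in deps:
        owner = (_text(d, "groupId"), _text(d, "artifactId"))
        for e in d.findall("m:exclusions/m:exclusion", NS):
            excluded = (_text(e, "groupId"), _text(e, "artifactId"))
            if excluded not in direct:  # exclusion would drop the library entirely
                uncovered.append((owner, excluded))
    return direct, uncovered


if __name__ == "__main__":
    print(check_exclusions(SAMPLE_POM))
```

An empty `uncovered` list means each exclusion is backed by a direct declaration; it does not prove that the resolved tree or the generated SPDX report is correct, which still requires `dependency:tree` and an ORT run.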


Development

Successfully merging this pull request may close these issues.

addDependencyRelationships function crashes on missing transitive Maven dependency in SPDX report generation