Adding an aggregateSpdx goal

Signed-off-by: Christopher Josey <[email protected]>
spdx · Jan 25, 2025 · bd154bf · bd154bf
1 parent 5bfa29f
commit bd154bf
Show file tree

Hide file tree

Showing 8 changed files with 194 additions and 11 deletions.
diff --git a/src/it/advanced/pom.xml b/src/it/advanced/pom.xml
@@ -144,7 +144,7 @@
         <dependency>
             <groupId>junit</groupId>
             <artifactId>junit</artifactId>
-            <version>4.13.1</version>
+            <version>4.13.2</version>
             <scope>test</scope>
         </dependency>
         <dependency>

diff --git a/src/it/simple-aggregate-it/pom.xml b/src/it/simple-aggregate-it/pom.xml
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>org.spdx.it</groupId>
+  <artifactId>simple-aggregate-it</artifactId>
+  <version>1.0-SNAPSHOT</version>
+
+  <description>A simple IT verifying the basic use case.</description>
+  <packaging>pom</packaging>
+
+  <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <maven.compiler.release>11</maven.compiler.release>
+  </properties>
+
+  <dependencies>
+    <dependency>
+      <groupId>commons-collections</groupId>
+      <artifactId>commons-collections</artifactId>
+      <version>3.2.2</version>
+    </dependency>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <version>4.13.2</version>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+  <modules>
+    <module>../advanced</module>
+  </modules>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>@project.groupId@</groupId>
+        <artifactId>@project.artifactId@</artifactId>
+        <version>@project.version@</version>
+        <executions>
+          <execution>
+            <id>build-spdx</id>
+            <goals>
+              <goal>aggregateSPDX</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <version>3.11.0</version>
+      </plugin>
+    </plugins>
+  </build>
+</project>
diff --git a/src/it/simple-aggregate-it/src/main/java/simple/Simple.java b/src/it/simple-aggregate-it/src/main/java/simple/Simple.java
@@ -0,0 +1,24 @@
+/*
+ * Copyright 2014 Source Auditor Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package simple;
+
+public class Simple
+{
+    public static void main(String[] args)
+    {
+        System.out.println( "Hello World!");
+    }
+}
diff --git a/src/it/simple-aggregate-it/src/test/java/SimpleTest.java b/src/it/simple-aggregate-it/src/test/java/SimpleTest.java
@@ -0,0 +1,27 @@
+/*
+ * Copyright 2014 Source Auditor Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package simple;
+
+import org.junit.Test;
+
+public class SimpleTest
+{
+    @Test
+    public void test()
+    {
+
+    }
+}
diff --git a/src/it/simple-aggregate-it/verify.groovy b/src/it/simple-aggregate-it/verify.groovy
@@ -0,0 +1,3 @@
+File spdxFile = new File( basedir, "target/site/org.spdx.it_simple-aggregate-it-1.0-SNAPSHOT.spdx.json" );
+
+assert spdxFile.isFile()
diff --git a/src/main/java/org/spdx/maven/AggregateSpdxMojo.java b/src/main/java/org/spdx/maven/AggregateSpdxMojo.java
@@ -0,0 +1,61 @@
+package org.spdx.maven;
+
+import org.apache.maven.plugins.annotations.LifecyclePhase;
+import org.apache.maven.plugins.annotations.Mojo;
+import org.apache.maven.project.DefaultProjectBuildingRequest;
+import org.apache.maven.project.MavenProject;
+import org.apache.maven.project.ProjectBuildingRequest;
+import org.apache.maven.shared.dependency.graph.DependencyGraphBuilderException;
+import org.apache.maven.shared.dependency.graph.DependencyNode;
+
+import org.spdx.core.InvalidSPDXAnalysisException;
+import org.spdx.maven.utils.AbstractDependencyBuilder;
+import org.spdx.maven.utils.AbstractDocumentBuilder;
+import org.spdx.maven.utils.LicenseMapperException;
+import org.spdx.maven.utils.SpdxV2DependencyBuilder;
+import org.spdx.maven.utils.SpdxV2DocumentBuilder;
+import org.spdx.maven.utils.SpdxV3DependencyBuilder;
+import org.spdx.maven.utils.SpdxV3DocumentBuilder;
+
+
+import java.util.List;
+import java.util.Arrays;
+
+@Mojo( name = "aggregateSPDX",
+        defaultPhase = LifecyclePhase.VERIFY,
+        requiresOnline = true,
+        threadSafe = true )
+public class AggregateSpdxMojo extends CreateSpdxMojo {
+
+    @Override
+    protected void buildSpdxDependencyInformation( AbstractDocumentBuilder builder, OutputFormat outputFormatEnum )
+            throws DependencyGraphBuilderException, LicenseMapperException, InvalidSPDXAnalysisException {
+        AbstractDependencyBuilder dependencyBuilder;
+        if ( builder instanceof SpdxV3DocumentBuilder)
+        {
+            dependencyBuilder = new SpdxV3DependencyBuilder( ( SpdxV3DocumentBuilder ) builder, createExternalRefs,
+                    generatePurls, useArtifactID, includeTransitiveDependencies );
+        }
+        else
+        {
+            dependencyBuilder = new SpdxV2DependencyBuilder( ( SpdxV2DocumentBuilder ) builder, createExternalRefs,
+                    generatePurls, useArtifactID, includeTransitiveDependencies );
+        }
+        if ( session != null )
+        {
+            List<MavenProject> projects = session.getAllProjects(); //includes the current project
+            if ( !projects.isEmpty() )
+            {
+                getLog().info( "List of projects that will be aggregated into one file: "
+                        + Arrays.toString( projects.toArray() ) );
+                for ( MavenProject project : projects )
+                {
+                    ProjectBuildingRequest request = new DefaultProjectBuildingRequest( session.getProjectBuildingRequest() );
+                    request.setProject( project );
+                    DependencyNode parentNode = dependencyGraphBuilder.buildDependencyGraph( request, null );
+                    dependencyBuilder.addMavenDependencies( mavenProjectBuilder, session, project, parentNode, builder.getProjectPackage() );
+                }
+            }
+        }
+    }
+}
diff --git a/src/main/java/org/spdx/maven/CreateSpdxMojo.java b/src/main/java/org/spdx/maven/CreateSpdxMojo.java
@@ -117,13 +117,13 @@ public class CreateSpdxMojo extends AbstractMojo
     private MavenProjectHelper projectHelper;
 
     @Component
-    private ProjectBuilder mavenProjectBuilder;
+    protected ProjectBuilder mavenProjectBuilder;
 
     @Component
-    private MavenSession session;
+    protected MavenSession session;
 
     @Component(hint = "default")
-    private DependencyGraphBuilder dependencyGraphBuilder;
+    protected DependencyGraphBuilder dependencyGraphBuilder;
 
     // Parameters for the plugin
     /**
@@ -460,7 +460,7 @@ public class CreateSpdxMojo extends AbstractMojo
      * @since 0.6.3
      */
     @Parameter( defaultValue = "true" )
-    private boolean createExternalRefs;
+    protected boolean createExternalRefs;
 
     /**
      * If true, all transitive dependencies will be included in the SPDX document.  If false,
@@ -469,7 +469,7 @@ public class CreateSpdxMojo extends AbstractMojo
      * @since 0.6.3
      */
     @Parameter( defaultValue = "true" )
-    private boolean includeTransitiveDependencies;
+    protected boolean includeTransitiveDependencies;
 
      /**
       * Skip goal execution.
@@ -484,14 +484,14 @@ public class CreateSpdxMojo extends AbstractMojo
      * Otherwise, ${project.name} will be used
      */
     @Parameter( property = "spdx.useArtifactID" )
-    private boolean useArtifactID;
+    protected boolean useArtifactID;
 
     /**
      * If true, adds an external reference to every package with category "PACKAGE-MANAGER", type "purl"
      * and locator "pkg:maven/${project.groupId}/${project.artifactId}@${project.version}".
      */
     @Parameter( property = "spdx.generatePurls" )
-    private boolean generatePurls = true;
+    protected boolean generatePurls = true;
 
     public void execute() throws MojoExecutionException
     {
@@ -662,7 +662,7 @@ private AbstractDocumentBuilder initSpdxDocumentBuilder( OutputFormat outputForm
      * @throws LicenseMapperException on errors related to mapping Maven licenses to SPDX licenses
      * @throws InvalidSPDXAnalysisException on SPDX parsing errors
      */
-    private void buildSpdxDependencyInformation( AbstractDocumentBuilder builder, OutputFormat outputFormatEnum )
+    protected void buildSpdxDependencyInformation( AbstractDocumentBuilder builder, OutputFormat outputFormatEnum )
         throws LicenseMapperException, InvalidSPDXAnalysisException, DependencyGraphBuilderException
     {
         AbstractDependencyBuilder dependencyBuilder;

diff --git a/src/main/java/org/spdx/maven/utils/AbstractDependencyBuilder.java b/src/main/java/org/spdx/maven/utils/AbstractDependencyBuilder.java
@@ -7,6 +7,7 @@
 import java.io.File;
 import java.text.DateFormat;
 import java.text.SimpleDateFormat;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Objects;
 
@@ -41,6 +42,7 @@ public abstract class AbstractDependencyBuilder
     protected boolean generatePurls;
     protected boolean useArtifactID;
     protected boolean includeTransitiveDependencies;
+    private final HashSet<String> usedDependencies = new HashSet<>();
     DateFormat format = new SimpleDateFormat( SpdxConstantsCompatV2.SPDX_DATE_FORMAT );
 
     /**
@@ -74,12 +76,22 @@ public void addMavenDependencies( ProjectBuilder mavenProjectBuilder, MavenSessi
                                                   CoreModelObject pkg ) throws LicenseMapperException, InvalidSPDXAnalysisException
     {
         List<DependencyNode> children = node.getChildren();
-
         logDependencies( children );
+        String name = "";
 
         for ( DependencyNode childNode : children )
         {
-            addMavenDependency( pkg, childNode, mavenProjectBuilder, session, mavenProject );
+            name = String.format( "%s:%s:%s", childNode.getArtifact().getGroupId(),
+                    childNode.getArtifact().getArtifactId(), childNode.getArtifact().getVersion() );
+            //To keep the repetition-check at O(1)
+            if ( usedDependencies.add( name ) )
+            {
+                addMavenDependency( pkg, childNode, mavenProjectBuilder, session, mavenProject );
+            }
+            else
+            {
+                LOG.info( "Duplicate dependency occurred for " + name );
+            }
         }
     }
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		File spdxFile = new File( basedir, "target/site/org.spdx.it_simple-aggregate-it-1.0-SNAPSHOT.spdx.json" );

		assert spdxFile.isFile()