Dependency graph

spdx · Jan 26, 2024 · d58e29f · d58e29f
1 parent ca7a58b
commit d58e29f
Show file tree

Hide file tree

Showing 7 changed files with 435 additions and 158 deletions.
diff --git a/.gitignore b/.gitignore
@@ -12,6 +12,7 @@ buildNumber.properties
 .settings/
 .vscode/
 src/test/resources/unit/spdx-maven-plugin-test/spdx maven plugin test.spdx.rdf.xml
+.idea/
 
 # Avoid ignoring Maven wrapper jar file (.jar files are usually ignored)
 !/.mvn/wrapper/maven-wrapper.jar
diff --git a/pom.xml b/pom.xml
@@ -89,6 +89,11 @@
       <artifactId>file-management</artifactId>
       <version>3.1.0</version>
     </dependency>
+    <dependency>
+      <groupId>org.apache.maven.shared</groupId>
+      <artifactId>maven-dependency-tree</artifactId>
+      <version>3.1.0</version>
+    </dependency>
 
     <dependency>
       <groupId>org.spdx</groupId>
@@ -118,12 +123,30 @@
       <version>${maven.version}</version>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.apache.maven.resolver</groupId>
+      <artifactId>maven-resolver-connector-basic</artifactId>
+      <version>1.6.3</version>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>org.apache.maven.plugin-testing</groupId>
       <artifactId>maven-plugin-testing-harness</artifactId>
       <version>3.3.0</version>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.eclipse.aether</groupId>
+      <artifactId>aether-transport-file</artifactId>
+      <version>1.1.0</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.eclipse.aether</groupId>
+      <artifactId>aether-transport-http</artifactId>
+      <version>1.1.0</version>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
 
   <build>

diff --git a/src/main/java/org/spdx/maven/CreateSpdxMojo.java b/src/main/java/org/spdx/maven/CreateSpdxMojo.java
@@ -29,9 +29,14 @@
 import org.apache.maven.plugins.annotations.Mojo;
 import org.apache.maven.plugins.annotations.Parameter;
 import org.apache.maven.plugins.annotations.ResolutionScope;
+import org.apache.maven.project.DefaultProjectBuildingRequest;
 import org.apache.maven.project.MavenProject;
 import org.apache.maven.project.MavenProjectHelper;
 import org.apache.maven.project.ProjectBuilder;
+import org.apache.maven.project.ProjectBuildingRequest;
+import org.apache.maven.shared.dependency.graph.DependencyGraphBuilder;
+import org.apache.maven.shared.dependency.graph.DependencyGraphBuilderException;
+import org.apache.maven.shared.dependency.graph.DependencyNode;
 import org.apache.maven.shared.model.fileset.FileSet;
 
 import org.spdx.library.InvalidSPDXAnalysisException;
@@ -120,12 +125,15 @@ public class CreateSpdxMojo extends AbstractMojo
     @Component
     private MavenSession session;
 
+    @Component(hint = "default")
+    private DependencyGraphBuilder dependencyGraphBuilder;
+
     // Parameters for the plugin
     /**
      * SPDX File name
      */
     @Parameter( defaultValue = "${project.reporting.outputDirectory}/${project.groupId}_${project.artifactId}-${project.version}.spdx",
-                property = "spdxFileName" )
+        property = "spdxFileName" )
     private File spdxFile;
 
     /**
@@ -536,12 +544,7 @@ public void execute() throws MojoExecutionException
         // add dependencies information
         try
         {
-            @SuppressWarnings("deprecation")
-            Set<Artifact> dependencies = includeTransitiveDependencies ? mavenProject.getArtifacts() : mavenProject.getDependencyArtifacts();
-
-            logDependencies( dependencies );
-
-            SpdxDependencyInformation dependencyInformation = getSpdxDependencyInformation( dependencies, builder, useArtifactID );
+            SpdxDependencyInformation dependencyInformation = getSpdxDependencyInformation( builder );
 
             builder.addDependencyInformation( dependencyInformation );
         }
@@ -553,6 +556,10 @@ public void execute() throws MojoExecutionException
         {
             throw new MojoExecutionException( "SPDX analysis error processing dependencies", e );
         }
+        catch ( DependencyGraphBuilderException e )
+        {
+            throw new MojoExecutionException( "SPDX analysis error getting the dependencies", e );
+        }
 
         // save result to SPDX file
         builder.saveSpdxDocumentToFile();
@@ -648,52 +655,27 @@ private SpdxDocumentBuilder initSpdxDocumentBuilder( OutputFormat outputFormatEn
     /**
      * Collect dependency information from Maven dependencies
      *
-     * @param dependencies Maven dependencies
      * @param builder SPDX document builder
-     * @param useArtifactID If true, use ${project.groupId}:${artifactId} as the SPDX package name, otherwise, ${project.name} will be used
-     * @return information collected from Maven dependencies
      * @throws LicenseMapperException
      * @throws InvalidSPDXAnalysisException 
      */
-    private SpdxDependencyInformation getSpdxDependencyInformation( Set<Artifact> dependencies, 
-                                                                    SpdxDocumentBuilder builder,
-                                                                    boolean useArtifactID ) throws LicenseMapperException, InvalidSPDXAnalysisException
+    private SpdxDependencyInformation getSpdxDependencyInformation( SpdxDocumentBuilder builder )
+        throws LicenseMapperException, InvalidSPDXAnalysisException, DependencyGraphBuilderException
     {
-        SpdxDependencyInformation retval = new SpdxDependencyInformation( builder.getLicenseManager(), builder.getSpdxDoc(), createExternalRefs, generatePurls );
-        if ( dependencies != null )
-        {
-            for ( Artifact dependency : dependencies )
-            {
-                retval.addMavenDependency( dependency, mavenProjectBuilder, session, mavenProject, useArtifactID );
-            }
-        }
-        return retval;
-    }
+        SpdxDependencyInformation retval = new SpdxDependencyInformation( builder.getLicenseManager(), builder.getSpdxDoc(),
+            createExternalRefs, generatePurls, useArtifactID,
+            includeTransitiveDependencies );
 
-    private void logDependencies( Set<Artifact> dependencies )
-    {
-        if ( !getLog().isDebugEnabled() )
+        if ( session != null )
         {
-            return;
-        }
-        getLog().debug( "Dependencies:" );
-        if ( dependencies == null )
-        {
-            getLog().debug( "\tNull dependencies" );
-            return;
-        }
-        if ( dependencies.isEmpty() )
-        {
-            getLog().debug( "\tZero dependencies" );
-            return;
-        }
-        for ( Artifact dependency : dependencies )
-        {
-            String filePath = dependency.getFile() != null ? dependency.getFile().getAbsolutePath() : "[NONE]";
-            String scope = dependency.getScope() != null ? dependency.getScope() : "[NONE]";
-            getLog().debug(
-                    "ArtifactId: " + dependency.getArtifactId() + ", file path: " + filePath + ", Scope: " + scope );
+            ProjectBuildingRequest request = new DefaultProjectBuildingRequest( session.getProjectBuildingRequest() );
+            request.setProject( mavenProject );
+            DependencyNode parentNode = dependencyGraphBuilder.buildDependencyGraph( request, null );
+
+            retval.addMavenDependencies( mavenProjectBuilder, session, mavenProject, parentNode, builder.getProjectPackage() );
         }
+
+        return retval;
     }
 
     private void logFileSpecificInfo( HashMap<String, SpdxDefaultFileInformation> fileSpecificInformation )