Merge pull request #298 from CycloneDX/parent-deps

add a test for Maven parent dependencies in reactor
CycloneDX · Feb 28, 2023 · 7df0a4f · 7df0a4f
2 parents bcc5f3f + 34291c3
commit 7df0a4f
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 17 deletions.
diff --git a/src/it/makeAggregateBom/verify.groovy b/src/it/makeAggregateBom/verify.groovy
@@ -55,3 +55,11 @@ assertBomEqualsNonAggregate("util/target/bom")
 assertBomEqualsNonAggregate("impls/target/bom")
 assertBomEqualsNonAggregate("impls/impl-A/target/bom")
 assertBomEqualsNonAggregate("impls/impl-B/target/bom")
+
+// dependencies for root component in makeAggregateBom is the list of modules
+String bom = new File(basedir, 'target/bom.xml').text
+String rootDependencies = bom.substring(bom.indexOf('<dependency ref="pkg:maven/org.cyclonedx.its/makeAggregateBom@1.0-SNAPSHOT?type=pom">'), bom.indexOf('</dependency>') + 13)
+assert rootDependencies.contains('<dependency ref="pkg:maven/org.cyclonedx.its/api@1.0-SNAPSHOT?type=jar"/>')
+assert rootDependencies.contains('<dependency ref="pkg:maven/org.cyclonedx.its/impls@1.0-SNAPSHOT?type=pom"/>')
+assert rootDependencies.contains('<dependency ref="pkg:maven/org.cyclonedx.its/util@1.0-SNAPSHOT?type=jar"/>')
+assert 4 == (rootDependencies =~ /<dependency ref="pkg:maven/).size()
diff --git a/src/main/java/org/cyclonedx/maven/CycloneDxAggregateMojo.java b/src/main/java/org/cyclonedx/maven/CycloneDxAggregateMojo.java
@@ -31,8 +31,10 @@
 
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.HashMap;
 import java.util.LinkedHashSet;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 
 /**
@@ -132,9 +134,6 @@ protected String extractComponentsAndDependencies(final Set<Component> component
                 continue;
             }
 
-            final Set<String> projectComponentRefs = new LinkedHashSet<>();
-            final Set<Dependency> projectDependencies = new LinkedHashSet<>();
-
             // Add reference to BOM metadata component.
             // Without this, direct dependencies of the Maven project cannot be determined.
             final Component projectBomComponent = convert(mavenProject.getArtifact());
@@ -154,29 +153,36 @@ protected String extractComponentsAndDependencies(final Set<Component> component
                 if (componentRefs.add(component.getBomRef())) {
                     component.setScope(inferComponentScope(artifact, projectsDependencyAnalysis));
                     components.add(component);
-
-                    projectComponentRefs.add(component.getBomRef());
                 }
             }
 
-            projectDependencies.addAll(buildBOMDependencies(mavenProject));
-            dependencies.addAll(projectDependencies);
+            dependencies.addAll(buildBOMDependencies(mavenProject));
         }
 
-        addMavenProjectsAsDependencies(reactorProjects, dependencies);
+        addMavenProjectsAsParentDependencies(reactorProjects, dependencies);
 
         return "makeAggregateBom";
     }
 
-    private void addMavenProjectsAsDependencies(List<MavenProject> reactorProjects, Set<Dependency> dependencies) {
-        for (final Dependency dependency: dependencies) {
-            for (final MavenProject project: reactorProjects) {
-                if (project.hasParent()) {
-                    final String parentRef = generatePackageUrl(project.getParentArtifact());
-                    if (dependency.getRef() != null && dependency.getRef().equals(parentRef)) {
-                        final Dependency child = new Dependency(generatePackageUrl(project.getArtifact()));
-                        dependency.addDependency(child);
-                    }
+    /**
+     * When a Maven project from the reactor has his Maven parent in the reactor, register it as a dependency of his parent.
+     * This completes the BOM dependency graph with references between projects in the reactor that don't have any
+     * code dependency, but only the build reactor.
+     *
+     * @param reactorProjects the Maven projects from the reactor
+     * @param dependencies all BOM dependencies found in reactor
+     */
+    private void addMavenProjectsAsParentDependencies(List<MavenProject> reactorProjects, Set<Dependency> dependencies) {
+        Map<String, Dependency> dependenciesByRef = new HashMap<>();
+        dependencies.forEach(d -> dependenciesByRef.put(d.getRef(), d));
+
+        for (final MavenProject project: reactorProjects) {
+            if (project.hasParent()) {
+                final String parentRef = generatePackageUrl(project.getParentArtifact());
+                Dependency parentDependency = dependenciesByRef.get(parentRef);
+                if (parentDependency != null) {
+                    final Dependency child = new Dependency(generatePackageUrl(project.getArtifact()));
+                    parentDependency.addDependency(child);
                 }
             }
         }