✨(draft) Resolve BOM POMs for dependencies

Adds a "bom" key to each dependency node in case it declares BOM POMs in
as part of its dependency management section of the "pom.xml" file.

The algorithm implemented is roughly:

- Traverse the dependency graph
- Resolve the POM artifact for a node
- Build a MavenProject for a node
- Check the original model's dependency management section
- Filter out BOM POMs from other dependencies
- For each BOM POM found:
  - Resolve the POM artifact
  - Build the MavenProject (so we can get the resolved URL)
  - Resolve the potential hierarchy of parent POMs
  - Add it to the "boms" section of the relative node

Signed-off-by: Bruno Pimentel <bpimente@redhat.com>

Author: brunoapimentel

maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/LockFileFacade.java

@@ -15,6 +15,7 @@
 import io.github.chains_project.maven_lockfile.data.VersionNumber;
 import io.github.chains_project.maven_lockfile.graph.DependencyGraph;
 import io.github.chains_project.maven_lockfile.reporting.PluginLogManager;
+import io.github.chains_project.maven_lockfile.resolvers.BomResolver;
 import io.github.chains_project.maven_lockfile.resolvers.ProjectBuilder;
 import java.nio.file.Path;
 import java.util.*;
@@ -109,6 +110,7 @@ public static LockFile generateLockFileFromProject(
                 .collect(Collectors.toCollection(() -> new TreeSet<>(Comparator.comparing(
                         io.github.chains_project.maven_lockfile.graph.DependencyNode::getComparatorString))));
         var pom = constructRecursivePom(project, checksumCalculator);
+        resolveBoms(graph, session, project, checksumCalculator);
         return new LockFile(
                 GroupId.of(project.getGroupId()),
                 ArtifactId.of(project.getArtifactId()),
@@ -369,4 +371,32 @@ private static Pom constructRecursivePom(
 
         return lastPom;
     }
+
+    private static void resolveBoms(
+            DependencyGraph graph,
+            MavenSession session,
+            MavenProject rootProject,
+            AbstractChecksumCalculator checksumCalculator) {
+        ProjectBuilder projectBuilder = new ProjectBuilder(session, rootProject.getPluginArtifactRepositories());
+        BomResolver bomResolver =
+                new BomResolver(session, rootProject.getRemoteArtifactRepositories(), checksumCalculator);
+
+        graph.getGraph().forEach(node -> {
+            var projectOptional = projectBuilder.buildFromGav(
+                    node.getGroupId().getValue(),
+                    node.getArtifactId().getValue(),
+                    node.getVersion().getValue());
+
+            if (projectOptional.isEmpty()) {
+                PluginLogManager.getLog().warn(String.format("Skipping BOM resolution for %s", node));
+                return;
+            }
+
+            Set<Pom> boms = bomResolver.resolveForProject(projectOptional.get());
+
+            if (boms.size() > 0) {
+                node.setBoms(boms);
+            }
+        });
+    }
 }

maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/graph/DependencyNode.java

@@ -6,6 +6,7 @@
 import io.github.chains_project.maven_lockfile.data.Classifier;
 import io.github.chains_project.maven_lockfile.data.GroupId;
 import io.github.chains_project.maven_lockfile.data.MavenScope;
+import io.github.chains_project.maven_lockfile.data.Pom;
 import io.github.chains_project.maven_lockfile.data.RepositoryId;
 import io.github.chains_project.maven_lockfile.data.ResolvedUrl;
 import io.github.chains_project.maven_lockfile.data.VersionNumber;
@@ -39,6 +40,8 @@ public class DependencyNode implements Comparable<DependencyNode> {
 
     private final Set<DependencyNode> children;
 
+    private Set<Pom> boms;
+
     DependencyNode(
             ArtifactId artifactId,
             GroupId groupId,
@@ -117,6 +120,12 @@ public ResolvedUrl getResolved() {
     public RepositoryId getRepositoryId() {
         return repositoryId;
     }
+    /**
+     * @return the BOM POMs.
+     */
+    public Set<Pom> getBoms() {
+        return boms;
+    }
 
     void addChild(DependencyNode child) {
         children.add(child);
@@ -130,6 +139,10 @@ void setParent(NodeId parent) {
         this.parent = parent;
     }
 
+    public void setBoms(Set<Pom> boms) {
+        this.boms = boms;
+    }
+
     /**
      * @return the children
      */
@@ -190,7 +203,8 @@ public int hashCode() {
                 selectedVersion,
                 id,
                 parent,
-                children);
+                children,
+                boms);
     }
 
     @Override
@@ -213,7 +227,8 @@ public boolean equals(Object obj) {
                 && Objects.equals(selectedVersion, other.selectedVersion)
                 && Objects.equals(id, other.id)
                 && Objects.equals(parent, other.parent)
-                && Objects.equals(children, other.children);
+                && Objects.equals(children, other.children)
+                && Objects.equals(boms, other.boms);
     }
 
     @Override
@@ -248,7 +263,7 @@ public String toString() {
                 + ", classifier=" + classifier + ", type=" + type + ", checksumAlgorithm=" + checksumAlgorithm
                 + ", checksum=" + checksum + ", scope=" + scope + ", resolved=" + resolved + ", repositoryId="
                 + repositoryId + ", selectedVersion=" + selectedVersion + ", id=" + id + ", parent=" + parent
-                + ", children=" + children + "]";
+                + ", children=" + children + ", boms=" + boms + "]";
     }
 
     public String getComparatorString() {

maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/resolvers/BomResolver.java

@@ -0,0 +1,128 @@
+package io.github.chains_project.maven_lockfile.resolvers;
+
+import io.github.chains_project.maven_lockfile.checksum.AbstractChecksumCalculator;
+import io.github.chains_project.maven_lockfile.data.ArtifactId;
+import io.github.chains_project.maven_lockfile.data.GroupId;
+import io.github.chains_project.maven_lockfile.data.Pom;
+import io.github.chains_project.maven_lockfile.data.VersionNumber;
+import io.github.chains_project.maven_lockfile.reporting.PluginLogManager;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.Set;
+import java.util.TreeSet;
+import org.apache.maven.artifact.repository.ArtifactRepository;
+import org.apache.maven.execution.MavenSession;
+import org.apache.maven.model.Dependency;
+import org.apache.maven.project.MavenProject;
+
+public class BomResolver {
+    private final MavenSession session;
+
+    @SuppressWarnings("deprecation")
+    private final List<ArtifactRepository> repositories;
+
+    private final AbstractChecksumCalculator checksumCalculator;
+
+    @SuppressWarnings("deprecation")
+    public BomResolver(
+            MavenSession session,
+            List<ArtifactRepository> repositories,
+            AbstractChecksumCalculator checksumCalculator) {
+        this.session = session;
+        this.repositories = repositories;
+        this.checksumCalculator = checksumCalculator;
+    }
+
+    public Set<Pom> resolveForProject(MavenProject project) {
+        var model = project.getOriginalModel();
+        var dependencyManagement = model.getDependencyManagement();
+        var projectBuilder = new ProjectBuilder(session, repositories);
+        var boms = new TreeSet<Pom>();
+
+        if (dependencyManagement == null
+                || dependencyManagement.getDependencies().isEmpty()) {
+            return Collections.emptySet();
+        }
+
+        for (Dependency dependency : dependencyManagement.getDependencies()) {
+            if ("pom".equals(dependency.getType()) && "import".equals(dependency.getScope())) {
+                var resolvedVersion = resolveVersionFromPlaceholder(dependency.getVersion(), project);
+                var bomProjectOptional = projectBuilder.buildFromGav(
+                        dependency.getGroupId(), dependency.getArtifactId(), resolvedVersion);
+
+                if (bomProjectOptional.isEmpty()) {
+                    PluginLogManager.getLog().warn(String.format("Could not resolve BOM for %s", dependency));
+                    continue;
+                }
+
+                var bomTree = resolveBomParents(bomProjectOptional.get());
+                boms.add(bomTree);
+            }
+        }
+
+        return boms;
+    }
+
+    private String resolveVersionFromPlaceholder(String version, MavenProject project) {
+        if (version != null && version.startsWith("${") && version.endsWith("}")) {
+            String propertyName = version.substring(2, version.length() - 1);
+
+            // Check project properties (interpolated model has all properties resolved)
+            var resolvedVersion = project.getModel().getProperties().getProperty(propertyName);
+
+            if (resolvedVersion != null) {
+                return resolvedVersion;
+            }
+        }
+
+        return version;
+    }
+
+    private Pom resolveBomParents(MavenProject start) {
+        List<MavenProject> projects = new ArrayList<>();
+        Pom current = null;
+
+        if (!start.hasParent()) {
+            return mavenProjectToBom(start, checksumCalculator, null);
+        }
+
+        while (start.hasParent()) {
+            projects.add(start);
+            start = start.getParent();
+        }
+
+        projects.add(start);
+
+        for (MavenProject project : projects.reversed()) {
+            if (current == null) {
+                current = mavenProjectToBom(project, checksumCalculator, null);
+            } else {
+                var bom = mavenProjectToBom(project, checksumCalculator, current);
+                current = bom;
+            }
+        }
+
+        return current;
+    }
+
+    private static Pom mavenProjectToBom(
+            MavenProject project, AbstractChecksumCalculator checksumCalculator, Pom parent) {
+        var dependency = project.getModel();
+
+        var repoInfo = checksumCalculator.getArtifactResolvedField(project.getArtifact());
+        var checksum = checksumCalculator.calculateArtifactChecksum(project.getArtifact());
+        var checksumAlgorithm = checksumCalculator.getChecksumAlgorithm();
+
+        return new Pom(
+                GroupId.of(dependency.getGroupId()),
+                ArtifactId.of(dependency.getArtifactId()),
+                VersionNumber.of(dependency.getVersion()),
+                null,
+                repoInfo.getResolvedUrl(),
+                repoInfo.getRepositoryId(),
+                checksumAlgorithm,
+                checksum,
+                parent);
+    }
+}

maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/resolvers/ProjectBuilder.java

@@ -111,7 +111,7 @@ private Optional<MavenProject> buildProjectFromPomFile(File pomFile) {
                     session.getContainer().lookup(org.apache.maven.project.ProjectBuilder.class);
             ProjectBuildingResult result = projectBuilder.build(pomFile, buildingRequest);
 
-            if (result.getProblems() != null && !result.getProblems().isEmpty()) {
+            if (result.getProject() == null) {
                 log.warn(String.format(
                         "Problems building plugin project for %s: %s",
                         pomFile.getAbsoluteFile(), result.getProblems()));