✨ feat: Include parent poms (recursively) in lockfile (#1444)

Co-authored-by: Adam Kaplan <adam.kaplan@redhat.com>

Author: LogFlames

maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/LockFileFacade.java

@@ -20,6 +20,7 @@
 import java.util.*;
 import java.util.stream.Collectors;
 import org.apache.maven.artifact.Artifact;
+import org.apache.maven.artifact.DefaultArtifact;
 import org.apache.maven.artifact.factory.ArtifactFactory;
 import org.apache.maven.execution.MavenSession;
 import org.apache.maven.project.DefaultProjectBuildingRequest;
@@ -108,7 +109,7 @@ public static LockFile generateLockFileFromProject(
                 .filter(v -> v.getParent() == null)
                 .collect(Collectors.toCollection(() -> new TreeSet<>(Comparator.comparing(
                         io.github.chains_project.maven_lockfile.graph.DependencyNode::getComparatorString))));
-        var pom = new Pom(project, checksumCalculator);
+        var pom = constructRecursivePom(project, checksumCalculator);
         return new LockFile(
                 GroupId.of(project.getGroupId()),
                 ArtifactId.of(project.getArtifactId()),
@@ -338,4 +339,58 @@ private static DependencyGraph graph(
             return DependencyGraph.of(GraphBuilder.directed().build(), checksumCalculator, reduced);
         }
     }
+
+    /**
+     * Construct a Pom object containing a full tree of its parent POM references. These parent
+     * POMs may be relative to the project being built, or are specified from an external POM.
+     */
+    private static Pom constructRecursivePom(
+            MavenProject initialProject, AbstractChecksumCalculator checksumCalculator) {
+        String checksumAlgorithm = checksumCalculator.getChecksumAlgorithm();
+
+        List<MavenProject> recursiveProjects = new ArrayList<>();
+        recursiveProjects.add(initialProject);
+        while (recursiveProjects.get(recursiveProjects.size() - 1).hasParent()) {
+            recursiveProjects.add(
+                    recursiveProjects.get(recursiveProjects.size() - 1).getParent());
+        }
+
+        Pom lastPom = null;
+        Collections.reverse(recursiveProjects);
+        for (MavenProject project : recursiveProjects) {
+            String relativePath = project.getFile() == null
+                    ? null
+                    : initialProject
+                            .getBasedir()
+                            .toPath()
+                            .relativize(project.getFile().toPath())
+                            .toString();
+            String checksum = null;
+            if (project.getFile() == null) {
+                Artifact artifact = project.getArtifact();
+                Artifact pomArtifact = new DefaultArtifact(
+                        artifact.getGroupId(),
+                        artifact.getArtifactId(),
+                        artifact.getVersion(),
+                        artifact.getScope(),
+                        "pom",
+                        artifact.getClassifier(),
+                        artifact.getArtifactHandler());
+                checksum = checksumCalculator.calculateArtifactChecksum(pomArtifact);
+            } else {
+                checksum = checksumCalculator.calculatePomChecksum(
+                        project.getFile().toPath());
+            }
+            lastPom = new Pom(
+                    GroupId.of(project.getGroupId()),
+                    ArtifactId.of(project.getArtifactId()),
+                    VersionNumber.of(project.getVersion()),
+                    relativePath,
+                    checksumAlgorithm,
+                    checksum,
+                    lastPom);
+        }
+
+        return lastPom;
+    }
 }

maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/ValidateChecksumMojo.java

@@ -64,11 +64,11 @@ public void execute() throws MojoExecutionException {
                 }
             }
             if (!Objects.equals(lockFileFromFile.getPom(), lockFileFromProject.getPom())) {
-                String sb = "Pom checksum mismatch. Differences:" + "\n" + "Your lockfile pom path and checksum:\n"
-                        + lockFileFromFile.getPom().getPath()
-                        + " " + lockFileFromFile.getPom().getChecksum() + "\n" + "Your project pom path and checksum:\n"
-                        + lockFileFromProject.getPom().getPath()
-                        + " " + lockFileFromProject.getPom().getChecksum() + "\n";
+                String sb = "Pom checksum mismatch. Differences:\nYour lockfile pom:\n"
+                        + JsonUtils.toJson(lockFileFromFile.getPom())
+                        + "\n" + "Your project pom:\n"
+                        + JsonUtils.toJson(lockFileFromProject.getPom())
+                        + "\n";
 
                 switch (config.getOnPomValidationFailure()) {
                     case Warn:

maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/data/Pom.java

@@ -1,32 +1,46 @@
 package io.github.chains_project.maven_lockfile.data;
 
-import io.github.chains_project.maven_lockfile.checksum.AbstractChecksumCalculator;
-import org.apache.maven.project.MavenProject;
-
 public class Pom implements Comparable<Pom> {
 
-    private final String path;
+    private final GroupId groupId;
+    private final ArtifactId artifactId;
+    private final VersionNumber version;
+    private final String relativePath;
     private final String checksumAlgorithm;
     private final String checksum;
+    private final Pom parent;
 
-    public Pom(MavenProject project, AbstractChecksumCalculator checksumCalculator) {
-        this.path = project.getBasedir()
-                .toPath()
-                .relativize(project.getFile().toPath())
-                .toString();
-        this.checksumAlgorithm = checksumCalculator.getChecksumAlgorithm();
-        this.checksum =
-                checksumCalculator.calculatePomChecksum(project.getFile().toPath());
-    }
-
-    public Pom(String path, String checksumAlgorithm, String checksum) {
-        this.path = path;
+    public Pom(
+            GroupId groupId,
+            ArtifactId artifactId,
+            VersionNumber version,
+            String relativePath,
+            String checksumAlgorithm,
+            String checksum,
+            Pom parent) {
+        this.groupId = groupId;
+        this.artifactId = artifactId;
+        this.version = version;
+        this.relativePath = relativePath;
         this.checksumAlgorithm = checksumAlgorithm;
         this.checksum = checksum;
+        this.parent = parent;
+    }
+
+    public GroupId getGroupId() {
+        return groupId;
+    }
+
+    public ArtifactId getArtifactId() {
+        return artifactId;
     }
 
-    public String getPath() {
-        return path;
+    public VersionNumber getVersion() {
+        return version;
+    }
+
+    public String getRelativePath() {
+        return relativePath;
     }
 
     public String getChecksumAlgorithm() {
@@ -37,10 +51,29 @@ public String getChecksum() {
         return checksum;
     }
 
+    public Pom getParent() {
+        return parent;
+    }
+
     @Override
     public int compareTo(Pom o) {
-        if (this.path.compareTo(o.path) != 0) {
-            return this.path.compareTo(o.path);
+        if (this.groupId.compareTo(o.groupId) != 0) {
+            return this.groupId.compareTo(o.groupId);
+        }
+
+        if (this.artifactId.compareTo(o.artifactId) != 0) {
+            return this.artifactId.compareTo(o.artifactId);
+        }
+
+        if (this.version.compareTo(o.version) != 0) {
+            return this.version.compareTo(o.version);
+        }
+
+        String pathCmp = this.relativePath == null ? "" : this.relativePath;
+        String oPathCmp = o.relativePath == null ? "" : o.relativePath;
+
+        if (pathCmp.compareTo(oPathCmp) != 0) {
+            return pathCmp.compareTo(oPathCmp);
         }
 
         if (this.checksumAlgorithm.compareTo(o.checksumAlgorithm) != 0) {
@@ -51,6 +84,18 @@ public int compareTo(Pom o) {
             return this.checksum.compareTo(o.checksum);
         }
 
+        if (this.parent == null && o.parent != null) {
+            return -1;
+        }
+
+        if (this.parent != null && o.parent == null) {
+            return 1;
+        }
+
+        if (this.parent != null && o.parent != null && this.parent.compareTo(o.parent) != 0) {
+            return this.parent.compareTo(o.parent);
+        }
+
         return 0;
     }
 
@@ -63,8 +108,18 @@ public boolean equals(Object obj) {
             return false;
         }
         Pom other = (Pom) obj;
-        return this.path.equals(other.path)
+        String pathCmp = this.relativePath == null ? "" : this.relativePath;
+        String otherPathCmp = other.relativePath == null ? "" : other.relativePath;
+
+        boolean parentEqual = (this.parent == null && other.parent == null)
+                || (this.parent != null && other.parent != null && this.parent.equals(other.parent));
+
+        return this.groupId.equals(other.groupId)
+                && this.artifactId.equals(other.artifactId)
+                && this.version.equals(other.version)
+                && pathCmp.equals(otherPathCmp)
                 && this.checksumAlgorithm.equals(other.checksumAlgorithm)
-                && this.checksum.equals(other.checksum);
+                && this.checksum.equals(other.checksum)
+                && parentEqual;
     }
 }

maven_plugin/src/test/java/io/github/chains_project/maven_lockfile/graph/LockfileTest.java

@@ -42,7 +42,7 @@ void shouldLockFilesEqualWhenOrderIsChanged() {
                 groupId,
                 artifactId,
                 version,
-                new Pom("pom.xml", "SHA-256", "POM-CHECKSUM"),
+                new Pom(groupId, artifactId, version, "pom.xml", "SHA-256", "POM-CHECKSUM", null),
                 Set.of(dependencyNodeA(dependencyNodeAChild1(), dependencyNodeAChild2()), dependencyNodeB()),
                 Set.of(pluginA(), pluginB()),
                 metadata);
@@ -51,7 +51,7 @@ void shouldLockFilesEqualWhenOrderIsChanged() {
                 groupId,
                 artifactId,
                 version,
-                new Pom("pom.xml", "SHA-256", "POM-CHECKSUM"),
+                new Pom(groupId, artifactId, version, "pom.xml", "SHA-256", "POM-CHECKSUM", null),
                 Set.of(dependencyNodeB(), dependencyNodeA(dependencyNodeAChild1(), dependencyNodeAChild2())),
                 Set.of(pluginB(), pluginA()),
                 metadata);

maven_plugin/src/test/java/it/IntegrationTestsIT.java

@@ -524,6 +524,16 @@ public void pomCheckShouldFail(MavenExecutionResult result) throws Exception {
         assertThat(stdout.contains("Pom checksum mismatch.")).isTrue();
     }
 
+    @MavenTest
+    public void pomParentCheckShouldFail(MavenExecutionResult result) throws Exception {
+        // contract: if the pom checksum of a parent of the pom does not match is should fail with reason being pom
+        // didn't match.
+        assertThat(result).isFailure();
+        String stdout = Files.readString(result.getMavenLog().getStdout());
+        assertThat(stdout.contains("42a499ef30a02d54a826cdc21f289cf1eabfe561a7f0c5ca9e0ab7d9a5bb1a10_TAMPER_ATTACK"))
+                .isTrue();
+    }
+
     @MavenTest
     public void environmentalCheckShouldFail(MavenExecutionResult result) throws Exception {
         // contract: if the pom checksum does not match is should fail with reason being pom didn't match.
@@ -532,4 +542,69 @@ public void environmentalCheckShouldFail(MavenExecutionResult result) throws Exc
         String stdout = Files.readString(result.getMavenLog().getStdout());
         assertThat(stdout.contains("Failed verifying environment.")).isTrue();
     }
+
+    @MavenTest
+    public void externalParentPom(MavenExecutionResult result) throws Exception {
+        // contract: a project with an external parent POM (e.g., Spring Boot) should generate
+        // a lockfile containing the full parent pom hierarchy with checksums
+        System.out.println("Running 'externalParentPom' integration test.");
+        assertThat(result).isSuccessful();
+        Path lockFilePath = findFile(result, "lockfile.json");
+        assertThat(lockFilePath).exists();
+        var lockFile = LockFile.readLockFile(lockFilePath);
+
+        // Verify pom is present
+        var pom = lockFile.getPom();
+        assertThat(pom).isNotNull();
+        assertThat(pom.getGroupId()).extracting(GroupId::getValue).isEqualTo("com.mycompany.app");
+        assertThat(pom.getArtifactId()).extracting(ArtifactId::getValue).isEqualTo("external-parent-pom");
+        assertThat(pom.getChecksum()).isNotBlank();
+
+        // Verify external parent pom is present (Spring Boot starter parent)
+        var parentPom = pom.getParent();
+        assertThat(parentPom).isNotNull();
+        assertThat(parentPom.getGroupId()).extracting(GroupId::getValue).isEqualTo("org.springframework.boot");
+        assertThat(parentPom.getArtifactId()).extracting(ArtifactId::getValue).isEqualTo("spring-boot-starter-parent");
+        assertThat(parentPom.getChecksum()).isNotBlank();
+        // External pom should not have a relativePath
+        assertThat(parentPom.getRelativePath()).isNull();
+
+        // Verify grandparent pom is present (Spring Boot dependencies)
+        var grandparentPom = parentPom.getParent();
+        assertThat(grandparentPom).isNotNull();
+        assertThat(grandparentPom.getGroupId()).extracting(GroupId::getValue).isEqualTo("org.springframework.boot");
+        assertThat(grandparentPom.getArtifactId())
+                .extracting(ArtifactId::getValue)
+                .isEqualTo("spring-boot-dependencies");
+        assertThat(grandparentPom.getChecksum()).isNotBlank();
+    }
+
+    @MavenTest
+    public void relativeParentPom(MavenExecutionResult result) throws Exception {
+        // contract: a project with a relative parent POM (multi-module project) should generate
+        // a lockfile containing the parent pom with relativePath and checksums
+        System.out.println("Running 'relativeParentPom' integration test.");
+        assertThat(result).isSuccessful();
+        Path lockFilePath = findFile(result, "lockfile.json");
+        assertThat(lockFilePath).exists();
+        var lockFile = LockFile.readLockFile(lockFilePath);
+
+        // Verify pom is present
+        var pom = lockFile.getPom();
+        assertThat(pom).isNotNull();
+        assertThat(pom.getGroupId()).extracting(GroupId::getValue).isEqualTo("com.mycompany.app");
+        assertThat(pom.getArtifactId()).extracting(ArtifactId::getValue).isEqualTo("relative-parent-pom-child-module");
+        assertThat(pom.getChecksum()).isNotBlank();
+        assertThat(pom.getRelativePath()).isEqualTo("pom.xml");
+
+        // Verify parent pom is present with relativePath
+        var parentPom = pom.getParent();
+        assertThat(parentPom).isNotNull();
+        assertThat(parentPom.getGroupId()).extracting(GroupId::getValue).isEqualTo("com.mycompany.app");
+        assertThat(parentPom.getArtifactId())
+                .extracting(ArtifactId::getValue)
+                .isEqualTo("relative-parent-pom-parent-project");
+        assertThat(parentPom.getChecksum()).isNotBlank();
+        assertThat(parentPom.getRelativePath()).isEqualTo("../pom.xml");
+    }
 }