Add the concept of an "attribute" to Dependency. (#5881)

Add the concept of an "attribute" to Dependency

We use maven Dependency to model Gradle dependencies, but Gradle and Maven allocate information differently. Maven has a separate dependency management section, whereas in Gradle BOMs are intermixed with regular dependencies and differentiated via the "category" attribute.

Being unable to reliably differentiate `platform()` and project dependencies from binary dependencies has limited how accurate our model updates can be. UpgradeDependencyVersion and UpgradeTransitiveDependencyVersion try their best but without some of this information inaccuracies add up over time.

For example right now dependency vulnerability check will tell you a gradle project that uses `platform()` has a vulnerability if the BOM references a vulnerable dependency, even if that dependency isn't actually used in the project. Because to our model a BOM currently just looks like any other dependency.

Author: sambsnyd

rewrite-core/src/main/java/org/openrewrite/RecipeSerializer.java

@@ -28,6 +28,7 @@
 import com.fasterxml.jackson.dataformat.smile.SmileGenerator;
 import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
 import com.fasterxml.jackson.module.paramnames.ParameterNamesModule;
+import lombok.Getter;
 
 import java.io.IOException;
 import java.io.InputStream;
@@ -37,6 +38,7 @@
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 
+@Getter
 public class RecipeSerializer {
     private final ObjectMapper mapper;
 

rewrite-gradle/src/main/java/org/openrewrite/gradle/AddDependency.java

@@ -29,6 +29,7 @@
 import org.openrewrite.java.search.UsesType;
 import org.openrewrite.java.tree.J;
 import org.openrewrite.java.tree.JavaSourceFile;
+import org.openrewrite.kotlin.tree.K;
 import org.openrewrite.maven.table.MavenMetadataFailures;
 import org.openrewrite.maven.tree.GroupArtifact;
 import org.openrewrite.semver.Semver;

rewrite-gradle/src/main/java/org/openrewrite/gradle/attributes/Bundling.java

@@ -0,0 +1,60 @@
+/*
+ * Copyright 2025 the original author or authors.
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * https://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.openrewrite.gradle.attributes;
+
+
+import org.jspecify.annotations.Nullable;
+import org.openrewrite.maven.attributes.Attribute;
+
+/**
+ * Attribute representing the <a href="https://docs.gradle.org/current/javadoc/org/gradle/api/attributes/Bundling.html">bundling</a> of a dependency variant.
+ */
+public enum Bundling implements Attribute {
+    /**
+     * Dependencies are provided externally at runtime (not bundled)
+     */
+    EXTERNAL,
+
+    /**
+     * Dependencies are embedded inside the artifact (fat jar)
+     */
+    EMBEDDED,
+
+    /**
+     * Dependencies are shadowed (relocated) inside the artifact
+     */
+    SHADOWED;
+
+    public static String key() {
+        return "org.gradle.dependency.bundling";
+    }
+
+    public static @Nullable Bundling from(@Nullable String bundling) {
+        if (bundling == null) {
+            return null;
+        }
+        switch (bundling) {
+            case "external":
+                return Bundling.EXTERNAL;
+            case "embedded":
+                return Bundling.EMBEDDED;
+            case "shadowed":
+                return Bundling.SHADOWED;
+            default:
+                return null;
+        }
+    }
+}

rewrite-gradle/src/main/java/org/openrewrite/gradle/attributes/Category.java

@@ -0,0 +1,74 @@
+/*
+ * Copyright 2025 the original author or authors.
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * https://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.openrewrite.gradle.attributes;
+
+import org.jspecify.annotations.Nullable;
+import org.openrewrite.maven.attributes.Attribute;
+
+/**
+ * See <a href="https://docs.gradle.org/current/javadoc/org/gradle/api/attributes/Category.html">category javadoc</a>
+ */
+public enum Category implements Attribute {
+    /**
+     * The documentation category
+     */
+    DOCUMENTATION,
+
+    /**
+     * The enforced platform, usually a synthetic variant derived from the platform
+     */
+    ENFORCED_PLATFORM,
+
+    /**
+     * The library category
+     */
+    LIBRARY,
+
+    /**
+     * Typically marks a dependency as <a href="https://docs.gradle.org/current/userguide/platforms.html">platform</a>.
+     * "platform" has very similar semantics to a Maven bill of materials (BOM) added to the "import" scope via dependencyManagement.
+     */
+    REGULAR_PLATFORM,
+
+    /**
+     * The verification category, for variants which contain the results of running verification tasks (e.g. Test, Jacoco).
+     */
+    VERIFICATION;
+
+    public static String key() {
+        return "org.gradle.category";
+    }
+
+    public static @Nullable Category from(@Nullable String category) {
+        if (category == null) {
+            return null;
+        }
+        switch (category) {
+            case "documentation":
+                return Category.DOCUMENTATION;
+            case "enforced-platform":
+                return Category.ENFORCED_PLATFORM;
+            case "library":
+                return Category.LIBRARY;
+            case "platform":
+                return Category.REGULAR_PLATFORM;
+            case "verification":
+                return Category.VERIFICATION;
+            default:
+                return null;
+        }
+    }
+}

rewrite-gradle/src/main/java/org/openrewrite/gradle/attributes/DocsType.java

@@ -0,0 +1,70 @@
+/*
+ * Copyright 2025 the original author or authors.
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * https://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.openrewrite.gradle.attributes;
+
+import org.jspecify.annotations.Nullable;
+import org.openrewrite.maven.attributes.Attribute;
+
+/**
+ * See Gradle javadocs for <a href="https://docs.gradle.org/current/javadoc/org/gradle/api/attributes/DocsType.html">org.gradle.api.attributes.DocsType</a>
+ */
+public enum DocsType implements Attribute {
+    /**
+     * The typical documentation for Java APIs
+     */
+    JAVADOC,
+
+    /**
+     * The source files of the module
+     */
+    SOURCES,
+    /**
+     * A user manual
+     */
+    USER_MANUAL,
+    /**
+     * Samples illustrating how to use the software module
+     */
+    SAMPLES,
+    /**
+     * The typical documentation for native APIs
+     */
+    DOXYGEN;
+
+    public static String key() {
+        return "org.gradle.docstype";
+    }
+
+    public static @Nullable DocsType from(@Nullable String docsType) {
+        if (docsType == null) {
+            return null;
+        }
+        switch (docsType) {
+            case "javadoc":
+                return DocsType.JAVADOC;
+            case "sources":
+                return DocsType.SOURCES;
+            case "user-manual":
+                return DocsType.USER_MANUAL;
+            case "samples":
+                return DocsType.SAMPLES;
+            case "doxygen":
+                return DocsType.DOXYGEN;
+            default:
+                return null;
+        }
+    }
+}

rewrite-gradle/src/main/java/org/openrewrite/gradle/attributes/LibraryElements.java

@@ -0,0 +1,93 @@
+/*
+ * Copyright 2025 the original author or authors.
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * https://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.openrewrite.gradle.attributes;
+
+import org.jspecify.annotations.Nullable;
+import org.openrewrite.maven.attributes.Attribute;
+
+/**
+ * Attribute representing the technical elements of a  <a href="https://docs.gradle.org/current/javadoc/org/gradle/api/attributes/LibraryElements.html">library variant</a>.
+ */
+public enum LibraryElements implements Attribute {
+    /**
+     * The JVM classes format
+     */
+    CLASSES,
+
+    /**
+     * The JVM class files and resources
+     */
+    CLASSES_AND_RESOURCES,
+
+    /**
+     * Dynamic libraries for native modules
+     */
+    DYNAMIC_LIB,
+
+    /**
+     * Header files for C++
+     */
+    HEADERS_CPLUSPLUS,
+
+    /**
+     * The JVM archive format
+     */
+    JAR,
+
+    /**
+     * Link archives for native modules
+     */
+    LINK_ARCHIVE,
+    /**
+     * Objects for native modules
+     */
+    OBJECTS,
+
+    /**
+     * JVM resources
+     */
+    RESOURCES;
+
+    public static String key() {
+        return "org.gradle.libraryelements";
+    }
+
+    public static @Nullable LibraryElements from(@Nullable String libraryElements) {
+        if (libraryElements == null) {
+            return null;
+        }
+        switch (libraryElements) {
+            case "classes":
+                return LibraryElements.CLASSES;
+            case "classes+resources":
+                return LibraryElements.CLASSES_AND_RESOURCES;
+            case "dynamic-lib":
+                return LibraryElements.DYNAMIC_LIB;
+            case "headers-cplusplus":
+                return LibraryElements.HEADERS_CPLUSPLUS;
+            case "jar":
+                return LibraryElements.JAR;
+            case "link-archive":
+                return LibraryElements.LINK_ARCHIVE;
+            case "objects":
+                return LibraryElements.OBJECTS;
+            case "resources":
+                return LibraryElements.RESOURCES;
+            default:
+                return null;
+        }
+    }
+}

rewrite-gradle/src/main/java/org/openrewrite/gradle/attributes/ProjectAttribute.java

@@ -0,0 +1,41 @@
+/*
+ * Copyright 2025 the original author or authors.
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * https://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.openrewrite.gradle.attributes;
+
+import lombok.Value;
+import org.openrewrite.maven.attributes.Attribute;
+
+/**
+ * Marks a dependency as representing another Gradle project within the same multi-project build
+ */
+@Value
+public class ProjectAttribute implements Attribute {
+    /**
+     * The path to the project within the gradle build.
+     * Note that this is not a filesystem path. Delimiters are ":"
+     * So the root project's path is ":"
+     * A subproject may have a path like ":someDir:projectName"
+     */
+    String path;
+
+    public static String key() {
+        return "org.gradle.api.artifacts.ProjectDependency";
+    }
+
+    public static ProjectAttribute from(String path) {
+        return new ProjectAttribute(path);
+    }
+}