Fix issue where BOMs/platforms defined in Gradle Module Metadata could end up erroneously listed as requested dependencies in our maven model (#6488)

* Fix issue where BOMs/platforms defined in Gradle Module Metadata could end up erroneously listed as requested dependencies in our maven model

Fixes #6487

* Fix javadoc failures due to not being able to find lombok generated class definition

* Maybe this will make the CI failure go away?

Author: sambsnyd

rewrite-gradle/src/test/java/org/openrewrite/gradle/RemoveRedundantSecurityResolutionRulesKotlinTest.java

@@ -45,7 +45,7 @@ void removeRedundantCveRule() {
           buildGradleKts(
             """
               plugins {
-                  java
+                  id("java")
               }
               repositories { mavenCentral() }
               configurations.all {
@@ -63,7 +63,7 @@ void removeRedundantCveRule() {
               """,
             """
               plugins {
-                  java
+                  id("java")
               }
               repositories { mavenCentral() }
               dependencies {
@@ -87,7 +87,7 @@ void keepRuleWhenManagedVersionIsLower() {
           buildGradleKts(
             """
               plugins {
-                  java
+                  id("java")
               }
               repositories { mavenCentral() }
               configurations.all {
@@ -113,7 +113,7 @@ void keepRuleWithoutSecurityReason() {
           buildGradleKts(
             """
               plugins {
-                  java
+                  id("java")
               }
               repositories { mavenCentral() }
               configurations.all {
@@ -140,7 +140,7 @@ void removeRuleWithCustomPattern() {
           buildGradleKts(
             """
               plugins {
-                  java
+                  id("java")
               }
               repositories { mavenCentral() }
               configurations.all {
@@ -158,7 +158,7 @@ void removeRuleWithCustomPattern() {
               """,
             """
               plugins {
-                  java
+                  id("java")
               }
               repositories { mavenCentral() }
               dependencies {
@@ -177,7 +177,7 @@ void removeMultipleRulesFromElseIfChain() {
           buildGradleKts(
             """
               plugins {
-                  java
+                  id("java")
               }
               repositories { mavenCentral() }
               configurations.all {
@@ -199,7 +199,7 @@ void removeMultipleRulesFromElseIfChain() {
               """,
             """
               plugins {
-                  java
+                  id("java")
               }
               repositories { mavenCentral() }
               dependencies {
@@ -229,7 +229,7 @@ void keepBuildscriptRuleWhenNoPlatformInBuildscript() {
                   }
               }
               plugins {
-                  java
+                  id("java")
               }
               repositories { mavenCentral() }
               dependencies {
@@ -268,7 +268,7 @@ void removeBuildscriptRuleWhenPlatformInBuildscript() {
                   }
               }
               plugins {
-                  java
+                  id("java")
               }
               repositories { mavenCentral() }
               dependencies {
@@ -284,7 +284,7 @@ void removeBuildscriptRuleWhenPlatformInBuildscript() {
                   }
               }
               plugins {
-                  java
+                  id("java")
               }
               repositories { mavenCentral() }
               dependencies {
@@ -301,7 +301,7 @@ void keepRuleWithoutBecauseClause() {
           buildGradleKts(
             """
               plugins {
-                  java
+                  id("java")
               }
               repositories { mavenCentral() }
               configurations.all {
@@ -332,7 +332,7 @@ void removeRuleWhenDirectDependencyProvidesNewerVersion() {
           buildGradleKts(
             """
               plugins {
-                  java
+                  id("java")
               }
               repositories { mavenCentral() }
               configurations.all {
@@ -349,7 +349,7 @@ void removeRuleWhenDirectDependencyProvidesNewerVersion() {
               """,
             """
               plugins {
-                  java
+                  id("java")
               }
               repositories { mavenCentral() }
               dependencies {
@@ -366,7 +366,7 @@ void removeRuleButKeepCustomConfiguration() {
           buildGradleKts(
             """
               plugins {
-                  java
+                  id("java")
               }
               repositories { mavenCentral() }
               configurations {
@@ -387,7 +387,7 @@ void removeRuleButKeepCustomConfiguration() {
               """,
             """
               plugins {
-                  java
+                  id("java")
               }
               repositories { mavenCentral() }
               configurations {
@@ -412,7 +412,7 @@ void keepConfigurationsBlockWithoutResolutionStrategy() {
           buildGradleKts(
             """
               plugins {
-                  java
+                  id("java")
               }
               repositories { mavenCentral() }
               configurations {
@@ -438,7 +438,7 @@ void removeRedundantRuleOnSpecificConfiguration() {
           buildGradleKts(
             """
               plugins {
-                  java
+                  id("java")
               }
               repositories { mavenCentral() }
               configurations.named("compileClasspath") {
@@ -456,7 +456,7 @@ void removeRedundantRuleOnSpecificConfiguration() {
               """,
             """
               plugins {
-                  java
+                  id("java")
               }
               repositories { mavenCentral() }
               dependencies {
@@ -474,7 +474,7 @@ void removeRedundantRuleOnNestedConfiguration() {
           buildGradleKts(
             """
               plugins {
-                  java
+                  id("java")
               }
               repositories { mavenCentral() }
               configurations {
@@ -496,7 +496,7 @@ void removeRedundantRuleOnNestedConfiguration() {
               """,
             """
               plugins {
-                  java
+                  id("java")
               }
               repositories { mavenCentral() }
               dependencies {

rewrite-maven/src/main/java/org/openrewrite/maven/internal/MavenPomDownloader.java

@@ -300,7 +300,7 @@ public MavenMetadata downloadMetadata(GroupArtifactVersion gav, @Nullable Resolv
                         if (derivedMeta != null) {
                             Counter.builder("rewrite.maven.derived.metadata")
                                     .tag("repositoryUri", repo.getUri())
-                                    .tag("group", gav.getGroupId())
+                                    .tag("group", gav.getGroupId() == null ? "" : gav.getGroupId())
                                     .tag("artifact", gav.getArtifactId())
                                     .register(Metrics.globalRegistry)
                                     .increment();
@@ -636,13 +636,23 @@ public Pom download(GroupArtifactVersion gav,
                                 String line;
                                 while ((line = reader.readLine()) != null) {
                                     if (line.contains("published-with-gradle-metadata")) {
-                                        // as some artifacts do not have the bom as dependency listed, we need to add it by fetching the gradle metadata module.
+                                        // Some artifacts do not have the bom as dependency listed, we need to add it by fetching the gradle metadata module.
+                                        // It isn't strictly correct to do this from a maven standpoint, but helps with emulating Gradle dependency resolution
                                         pomResponseBody = requestAsAuthenticatedOrAnonymous(repo, uri.toString().replaceFirst(".pom$", ".module"));
                                         RawGradleModule module = RawGradleModule.parse(new ByteArrayInputStream(pomResponseBody));
-                                        for (Dependency dependency : module.getDependencies("apiElements", "platform")) {
-                                            rawPom.getDependencies().getDependencies().add(
-                                                    new RawPom.Dependency(dependency.getGroupId(), dependency.getArtifactId(), dependency.getVersion(), null, "bom", null, null, null)
-                                            );
+                                        for (Dependency dependency : module.getDependencies("apiElements", "platform", "enforcedPlatform")) {
+                                            String category = dependency.getAttributes().get("org.gradle.category");
+                                            // Platform and enforcedPlatform dependencies are BOMs that should be in dependencyManagement,
+                                            // not regular dependencies - they only provide version constraints
+                                            if ("platform".equalsIgnoreCase(category) || "enforcedPlatform".equalsIgnoreCase(category)) {
+                                                if (rawPom.getDependencyManagement() == null) {
+                                                    rawPom.setDependencyManagement(new RawPom.DependencyManagement(new RawPom.Dependencies()));
+                                                }
+                                                assert rawPom.getDependencyManagement().getDependencies() != null;
+                                                rawPom.getDependencyManagement().getDependencies().getDependencies().add(
+                                                        new RawPom.Dependency(dependency.getGroupId() == null ? "" : dependency.getGroupId(), dependency.getArtifactId(), dependency.getVersion(), "import", "pom", null, null, null)
+                                                );
+                                            }
                                         }
                                         break;
                                     }
@@ -999,7 +1009,7 @@ public boolean isSuccess() {
     enum Reachability {
         SUCCESS,
         ERROR,
-        UNREACHABLE;
+        UNREACHABLE
     }
 
     private ReachabilityResult reachable(HttpSender.Request.Builder request) {

rewrite-maven/src/main/java/org/openrewrite/maven/internal/RawGradleModule.java

@@ -35,6 +35,7 @@
 import java.util.Objects;
 
 import static java.util.Collections.emptyList;
+import static java.util.Collections.singletonMap;
 import static java.util.stream.Collectors.toList;
 import static org.openrewrite.internal.ObjectMappers.propertyBasedMapper;
 
@@ -125,10 +126,14 @@ public List<org.openrewrite.maven.tree.Dependency> getDependencies(String varian
                 .filter(Objects::nonNull)
                 .flatMap(Collection::stream)
                 .filter(d -> categories.length == 0 || (d.getAttributes() != null && d.getAttributes().getCategory() != null && Arrays.stream(categories).anyMatch(cat -> d.getAttributes().getCategory().equalsIgnoreCase(cat))))
-                .map(Dependency::asGav)
-                .map(gav -> org.openrewrite.maven.tree.Dependency.builder()
-                        .gav(gav)
-                        .build())
+                .map(dep -> {
+                    org.openrewrite.maven.tree.Dependency.DependencyBuilder builder = org.openrewrite.maven.tree.Dependency.builder().gav(dep.asGav());
+                    if (dep.getAttributes() != null && dep.getAttributes().getCategory() != null) {
+                        //noinspection NullableProblems,ResultOfMethodCallIgnored
+                        builder.attributes(singletonMap("org.gradle.category", dep.getAttributes().getCategory()));
+                    }
+                    return builder.build();
+                })
                 .collect(toList());
     }
 }

rewrite-maven/src/main/java/org/openrewrite/maven/internal/RawPom.java

@@ -23,7 +23,6 @@
 import lombok.*;
 import lombok.experimental.FieldDefaults;
 import lombok.experimental.NonFinal;
-import org.jspecify.annotations.NonNull;
 import org.jspecify.annotations.Nullable;
 import org.openrewrite.internal.ListUtils;
 import org.openrewrite.internal.StringUtils;
@@ -101,6 +100,8 @@ public class RawPom {
     Dependencies dependencies;
 
     @Nullable
+    @NonFinal
+    @Setter(AccessLevel.PACKAGE)
     DependencyManagement dependencyManagement;
 
     @Nullable
@@ -498,7 +499,6 @@ private List<org.openrewrite.maven.tree.Profile> mapProfiles(@Nullable Profiles
         return profiles;
     }
 
-    @NonNull
     private List<MavenRepository> mapRepositories(@Nullable RawRepositories rawRepositories) {
         List<MavenRepository> pomRepositories = emptyList();
         if (rawRepositories != null) {
@@ -517,7 +517,6 @@ private List<MavenRepository> mapRepositories(@Nullable RawRepositories rawRepos
         return pomRepositories;
     }
 
-    @NonNull
     private List<MavenRepository> mapPluginRepositories(@Nullable RawPluginRepositories rawRepositories) {
         List<MavenRepository> pomRepositories = emptyList();
         if (rawRepositories != null) {

rewrite-maven/src/test/java/org/openrewrite/maven/MavenParserTest.java

@@ -39,7 +39,6 @@
 import org.openrewrite.maven.internal.MavenParsingException;
 import org.openrewrite.maven.tree.*;
 import org.openrewrite.test.RewriteTest;
-import org.openrewrite.test.SourceSpecs;
 import org.openrewrite.test.TypeValidation;
 import org.openrewrite.tree.ParseError;
 
@@ -1557,7 +1556,6 @@ void parseNotInProfileActivation() {
     @Issue("https://github.com/openrewrite/rewrite/issues/1427")
     @Test
     void parseEmptyActivationTag() {
-        //noinspection DataFlowIssue
         rewriteRun(
           pomXml(
             """
@@ -1613,7 +1611,6 @@ void parseEmptyValueActivationTag() {
                 assertThat(activation).isNotNull();
                 assertThat(activation.getActiveByDefault()).isNull();
                 assertThat(activation.getJdk()).isNull();
-                //noinspection DataFlowIssue
                 assertThat(activation.getProperty()).isNull();
             })
           )
@@ -3118,7 +3115,7 @@ void mergePluginConfigListAppendOverride() {
     @Test
     void escapedA() {
         rewriteRun(
-          spec -> spec.recipe(new AddManagedDependency("ch.qos.logback", "logback-classic", "1.4.14", null, null, null, null, null, null, null)),
+          spec -> spec.recipe(new AddManagedDependency("ch.qos.logback", "logback-classic", "1.4.14", null, null, null, null, null, null, null, null)),
           //language=xml
           pomXml(
             """
@@ -3631,7 +3628,7 @@ void systemPropertyTakesPrecedence() {
                 <version>1.0-SNAPSHOT</version>
                 <packaging>pom</packaging>
                 <name>parent</name>
-                <url>http://www.example.com</url>
+                <url>https://www.example.com</url>
                 <properties>
                   <hatversion>SYSTEM_PROPERTY_SHOULD_OVERRIDE_THIS</hatversion>
                 </properties>
@@ -4893,4 +4890,41 @@ void groupIdAndArtifactIdAsProperties() {
           )
         );
     }
+
+    @Issue("https://github.com/openrewrite/rewrite/issues/6487")
+    @Test
+    void bomsShouldNotAppearInRuntimeDependencies() {
+        // jackson-core takes no direct dependencies
+        // Its parent pom is com.fasterxml.jackson:jackson-base
+        // jackson-base's parent pom is jackson-bom
+        // Like most boms/parents jackson-bom contains only dependencyManagement entries
+        rewriteRun(
+          pomXml(
+            """
+              <project>
+                <modelVersion>4.0.0</modelVersion>
+                <groupId>com.example</groupId>
+                <artifactId>test-app</artifactId>
+                <version>1.0.0</version>
+
+                <dependencies>
+                  <dependency>
+                    <groupId>com.fasterxml.jackson.core</groupId>
+                    <artifactId>jackson-core</artifactId>
+                    <version>2.17.2</version>
+                  </dependency>
+                </dependencies>
+              </project>
+              """,
+            spec -> spec.afterRecipe(pom -> {
+                MavenResolutionResult mrr = pom.getMarkers().findFirst(MavenResolutionResult.class).orElseThrow();
+                List<ResolvedDependency> runtimeDeps = mrr.getDependencies().get(Scope.Runtime);
+                assertThat(runtimeDeps)
+                  .filteredOn(dep -> "jackson-bom".equals(dep.getArtifactId()))
+                  .as("jackson-bom is jackson-core's parent pom, it is not a runtime dependency")
+                  .isEmpty();
+            })
+          )
+        );
+    }
 }