feat(Maven): Obtain package metadata for Tycho OSGi artifacts

The normal mechanism to resolve package metadata does not work for
Tycho OSGi artifacts. Such artifacts do not have a POM, but may
contain metadata in their manifest. Therefore, try to locate these
artifacts in the local Maven repository (where they should have been
downloaded during the Tycho build) and read their manifests.

Signed-off-by: Oliver Heger <[email protected]>

Author: oheger-bosch

plugins/package-managers/maven/src/main/kotlin/Tycho.kt

@@ -22,39 +22,51 @@ package org.ossreviewtoolkit.plugins.packagemanagers.maven
 import java.io.File
 import java.nio.file.Path
 import java.util.concurrent.atomic.AtomicReference
+import java.util.jar.JarInputStream
+import java.util.jar.Manifest
 
 import kotlin.io.path.invariantSeparatorsPathString
 
 import org.apache.logging.log4j.kotlin.logger
+import org.apache.logging.log4j.kotlin.loggerOf
 import org.apache.maven.AbstractMavenLifecycleParticipant
 import org.apache.maven.cli.MavenCli
 import org.apache.maven.execution.MavenSession
+import org.apache.maven.model.Scm
 import org.apache.maven.project.MavenProject
+import org.apache.maven.repository.RepositorySystem
 
 import org.codehaus.plexus.PlexusContainer
 import org.codehaus.plexus.classworlds.ClassWorld
 
+import org.eclipse.aether.artifact.Artifact
 import org.eclipse.aether.graph.DependencyNode
 
 import org.ossreviewtoolkit.analyzer.AbstractPackageManagerFactory
 import org.ossreviewtoolkit.analyzer.PackageManager
 import org.ossreviewtoolkit.analyzer.PackageManagerResult
 import org.ossreviewtoolkit.analyzer.ProjectResults
 import org.ossreviewtoolkit.model.DependencyGraph
+import org.ossreviewtoolkit.model.Identifier
 import org.ossreviewtoolkit.model.Issue
+import org.ossreviewtoolkit.model.Package
 import org.ossreviewtoolkit.model.ProjectAnalyzerResult
+import org.ossreviewtoolkit.model.RemoteArtifact
 import org.ossreviewtoolkit.model.config.AnalyzerConfiguration
 import org.ossreviewtoolkit.model.config.RepositoryConfiguration
 import org.ossreviewtoolkit.model.createAndLogIssue
 import org.ossreviewtoolkit.model.utils.DependencyGraphBuilder
 import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.LocalProjectWorkspaceReader
 import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.MavenDependencyHandler
 import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.MavenSupport
+import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.PackageResolverFun
 import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.createIssuesForAutoGeneratedPoms
 import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.identifier
 import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.internalId
 import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.isTychoProject
 import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.parseDependencyTree
+import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.parseScm
+import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.processDeclaredLicenses
 import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.toOrtProject
 import org.ossreviewtoolkit.utils.ort.createOrtTempFile
 
@@ -151,8 +163,8 @@ class Tycho(
         mavenSupport: MavenSupport,
         mavenProjects: Map<String, MavenProject>
     ): DependencyGraphBuilder<DependencyNode> {
-        val dependencyHandler =
-            MavenDependencyHandler(managerName, projectType, mavenProjects, mavenSupport.defaultPackageResolverFun())
+        val resolverFun = tychoPackageResolverFun(mavenSupport.defaultPackageResolverFun())
+        val dependencyHandler = MavenDependencyHandler(managerName, projectType, mavenProjects, resolverFun)
         return DependencyGraphBuilder(dependencyHandler)
     }
 
@@ -329,3 +341,104 @@ internal class TychoProjectsCollector : AbstractMavenLifecycleParticipant() {
         logger.info { "Found ${builtProjects.size} projects during build." }
     }
 }
+
+private val tychoLogger = loggerOf(Tycho::class.java)
+
+/**
+ * Return a [PackageResolverFun] that can handle special OSGi artifacts detected during a Tycho analysis.
+ * OSGi bundles retrieved from a P2 repository cannot be handled by the default resolver function, which is not aware
+ * of the special repository layout. Also, they do not have a POM with metadata, but may contain some metadata in
+ * their OSGi manifest.
+ * This function first delegates to the given [delegate] function to handle normal packages in the usual way. If this
+ * fails, it checks whether the dependency can be found in the p2 cache of the local Maven repository pointed to by
+ * [localRepositoryRoot]. (Since the Tycho project has been built, the cache should be populated.) If this is the case,
+ * it tries to obtain metadata from the OSGi manifest of the bundle. This approach is partly inspired by
+ * https://github.com/OpenNTF/p2-layout-provider.
+ */
+internal fun tychoPackageResolverFun(
+    delegate: PackageResolverFun,
+    localRepositoryRoot: File = RepositorySystem.defaultUserLocalRepository
+): PackageResolverFun =
+    { dependency ->
+        runCatching {
+            delegate(dependency)
+        }.recoverCatching { exception ->
+            createPackageFromLocalArtifact(dependency.artifact, localRepositoryRoot)
+                ?: throw exception
+        }.getOrThrow()
+    }
+
+/**
+ * Create a [Package] for the given [artifact] obtaining metadata from the given [manifest]. This function is used for
+ * OSGi artifacts for which no POM is available.
+ */
+internal fun createPackageFromManifest(artifact: Artifact, manifest: Manifest): Package =
+    with(manifest.mainAttributes) {
+        val declaredLicenses = setOfNotNull(getValue("Bundle-License"))
+        val declaredLicensesProcessed = processDeclaredLicenses(declaredLicenses)
+        val authors = setOfNotNull(getValue("Bundle-Vendor"))
+
+        val vcs = parseScm(getValue("Eclipse-SourceReferences").toScm(), artifact.identifier())
+
+        Package(
+            id = Identifier(
+                type = "Maven",
+                namespace = artifact.groupId,
+                name = artifact.artifactId,
+                version = artifact.version
+            ),
+            authors = authors,
+            declaredLicenses = declaredLicenses,
+            declaredLicensesProcessed = declaredLicensesProcessed,
+            description = getValue("Bundle-Description").orEmpty(),
+            homepageUrl = "",
+            binaryArtifact = RemoteArtifact.EMPTY,
+            sourceArtifact = RemoteArtifact.EMPTY,
+            vcs = vcs,
+            vcsProcessed = vcs
+        )
+    }
+
+/**
+ * Try to find an OSGi artifact in the local Maven repository at [localRepositoryRoot] that matches the given
+ * [artifact]. If found, create a [Package] from the artifact's OSGi manifest.
+ */
+private fun createPackageFromLocalArtifact(artifact: Artifact, localRepositoryRoot: File): Package? {
+    val artifactFile = localRepositoryRoot.resolve("p2/osgi/bundle")
+        .resolve(artifact.artifactId)
+        .resolve(artifact.version)
+        .resolve("${artifact.artifactId}-${artifact.version}.jar")
+
+    tychoLogger.debug {
+        "Looking up package metadata for '${artifact.identifier()}' in local repository '$artifactFile'."
+    }
+
+    if (!artifactFile.isFile) return null
+
+    tychoLogger.info {
+        "Reading metadata for '${artifact.identifier()}' from local repository '$artifactFile'."
+    }
+
+    return JarInputStream(artifactFile.inputStream()).use { jar ->
+        createPackageFromManifest(artifact, jar.manifest ?: Manifest())
+    }
+}
+
+/**
+ * Parse this string with a source references manifest header to a [Scm] structure.
+ * See https://wiki.eclipse.org/PDE/UI/SourceReferences.
+ */
+private fun String?.toScm(): Scm? =
+    this?.split(',')?.firstOrNull()
+        ?.let { scmInfo ->
+            val fields = scmInfo.split(';')
+            val properties = fields.drop(1).filter { "=" in it }.associate { field ->
+                val (key, value) = field.split('=')
+                key to value.removeSurrounding("\"")
+            }
+
+            Scm().apply {
+                connection = fields[0]
+                tag = properties["tag"]
+            }
+        }

plugins/package-managers/maven/src/main/kotlin/utils/MavenParsers.kt

@@ -157,8 +157,10 @@ internal fun parseLicenses(mavenProject: MavenProject): Set<String> =
         listOfNotNull(license.name, license.url, license.comments).firstOrNull { it.isNotBlank() }
     }
 
-internal fun parseVcsInfo(project: MavenProject): VcsInfo {
-    val scm = getOriginalScm(project)
+internal fun parseVcsInfo(project: MavenProject): VcsInfo =
+    parseScm(getOriginalScm(project), project.artifact?.toString().orEmpty())
+
+internal fun parseScm(scm: Scm?, artifactId: String): VcsInfo {
     val connection = scm?.connection
     if (connection.isNullOrEmpty()) return VcsInfo.EMPTY
 
@@ -183,14 +185,14 @@ internal fun parseVcsInfo(project: MavenProject): VcsInfo {
                 // It is a common mistake to omit the "scm:[provider]:" prefix. Add fall-backs for nevertheless
                 // clear cases.
                 logger.info {
-                    "Maven SCM connection '$connection' of project ${project.artifact} lacks the required " +
+                    "Maven SCM connection '$connection' of project $artifactId lacks the required " +
                         "'scm' prefix."
                 }
 
                 VcsInfo(type = VcsType.GIT, url = connection, revision = tag)
             } else {
                 logger.info {
-                    "Ignoring Maven SCM connection '$connection' of project ${project.artifact} due to an " +
+                    "Ignoring Maven SCM connection '$connection' of project $artifactId due to an " +
                         "unexpected format."
                 }