(feat) Add Apache Ivy package manager support

- New Ivy plugin with direct parsing (default) and transitive
  resolution (opt-in) modes
- Requires Ivy CLI only for transitive resolution
- Pre-installed Apache Ivy 2.5.2 in Docker images
- Enhanced Gradle plugin to handle Ivy dependencies
- Includes functional tests and example configuration

Signed-off-by: Alexandru Zănogeanu <[email protected]>

Author: alexandruz

.env.versions

@@ -10,6 +10,7 @@ DART_VERSION=2.18.4
 DOTNET_VERSION=6.0
 GO_VERSION=1.25.0
 HASKELL_STACK_VERSION=2.13.1
+IVY_VERSION=2.5.3
 JAVA_VERSION=21
 LICENSEE_VERSION=9.18.0
 NODEJS_VERSION=24.10.0

Dockerfile

@@ -363,6 +363,23 @@ RUN curl -L https://github.com/sbt/sbt/releases/download/v$SBT_VERSION/sbt-$SBT_
 FROM scratch AS scala
 COPY --from=scalabuild /opt/sbt /opt/sbt
 
+#------------------------------------------------------------------------
+# APACHE IVY
+FROM base AS ivybuild
+
+ARG IVY_VERSION
+
+ENV IVY_HOME=/opt/ivy
+ENV PATH=$PATH:$IVY_HOME/bin
+
+RUN mkdir -p $IVY_HOME \
+    && curl -L https://archive.apache.org/dist/ant/ivy/$IVY_VERSION/apache-ivy-$IVY_VERSION-bin.tar.gz \
+    | tar -xz -C $IVY_HOME --strip-components=1 \
+    && chmod a+x $IVY_HOME/bin/ivy
+
+FROM scratch AS ivy
+COPY --from=ivybuild /opt/ivy /opt/ivy
+
 #------------------------------------------------------------------------
 # SWIFT
 FROM base AS swiftbuild
@@ -540,6 +557,11 @@ ENV SBT_HOME=/opt/sbt
 ENV PATH=$PATH:$SBT_HOME/bin
 COPY --from=scala --chown=$USER:$USER $SBT_HOME $SBT_HOME
 
+# Apache Ivy
+ENV IVY_HOME=/opt/ivy
+ENV PATH=$PATH:$IVY_HOME/bin
+COPY --from=ivy --chown=$USER:$USER $IVY_HOME $IVY_HOME
+
 # Dart
 ENV DART_SDK=/opt/dart-sdk
 ENV PATH=$PATH:$DART_SDK/bin

examples/ivy.ort.yml

@@ -0,0 +1,50 @@
+# SPDX-FileCopyrightText: 2025 The ORT Project Authors <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Example ORT configuration for Apache Ivy projects
+
+# Analyzer configuration
+analyzer:
+  # Enable Ivy package manager
+  enabled_package_managers:
+    - Ivy
+
+  # Package manager specific configuration
+  package_managers:
+    Ivy:
+      # Enable transitive dependency resolution using Ivy CLI
+      # Requires Apache Ivy to be installed and available in PATH
+      # Default: false
+      resolveTransitive: true
+
+  # Skip excluded paths and scopes during analysis
+  skip_excluded: true
+
+# Path excludes
+excludes:
+  paths:
+    # Exclude test resources
+    - pattern: "**/test/**"
+      reason: "TEST_OF"
+      comment: "Test code and resources"
+
+  # Scope excludes (Ivy configurations)
+  scopes:
+    - pattern: "test"
+      reason: "TEST_DEPENDENCY_OF"
+      comment: "Test dependencies are not distributed"
+    
+    - pattern: "provided"
+      reason: "PROVIDED_DEPENDENCY_OF"
+      comment: "Provided dependencies are supplied by runtime environment"
+
+# Curations for common issues
+curations:
+  packages:
+    # Example: Fix incorrect license for a package
+    - id: "Maven:commons-lang:commons-lang:2.6"
+      curations:
+        declared_licenses:
+          - "Apache-2.0"
+

integrations/schemas/package-managers-schema.json

@@ -15,6 +15,7 @@
         "GoMod",
         "Gradle",
         "GradleInspector",
+        "Ivy",
         "Maven",
         "NPM",
         "NuGet",

model/src/main/kotlin/config/AnalyzerConfiguration.kt

@@ -57,6 +57,7 @@ data class AnalyzerConfiguration(
         "Conan",
         "GoMod",
         "GradleInspector",
+        "Ivy",
         "Maven",
         "NPM",
         "NuGet",

plugins/package-managers/gradle-inspector/src/main/kotlin/GradleDependencyHandler.kt

@@ -72,12 +72,29 @@ internal class GradleDependencyHandler(
 
         val id = identifierFor(dependency)
         val model = dependency.mavenModel ?: run {
-            issues += createAndLogIssue(
-                source = GradleInspectorFactory.descriptor.displayName,
-                message = "No Maven model available for '${id.toCoordinates()}'."
-            )
+            // If no Maven model is available, this might be an Ivy dependency or artifact without metadata
+            // Only warn for non-Ivy dependencies, as Ivy dependencies are expected to not have Maven POMs
+            if (id.type != "Ivy") {
+                issues += createAndLogIssue(
+                    source = GradleInspectorFactory.descriptor.displayName,
+                    message = "No POM found for component '${id.toCoordinates()}'.",
+                    severity = org.ossreviewtoolkit.model.Severity.WARNING
+                )
+            }
 
-            return null
+            // Create a basic package with minimal information
+            return Package(
+                id = id,
+                authors = emptySet(),
+                declaredLicenses = emptySet(),
+                declaredLicensesProcessed = DeclaredLicenseProcessor.process(emptySet()),
+                description = "",
+                homepageUrl = "",
+                binaryArtifact = RemoteArtifact.EMPTY,
+                sourceArtifact = RemoteArtifact.EMPTY,
+                vcs = VcsInfo.EMPTY,
+                vcsProcessed = VcsInfo.EMPTY
+            )
         }
 
         val isSpringMetadataProject = with(id) {
@@ -241,7 +258,23 @@ private fun createRemoteArtifact(
     extension: String? = null
 ): RemoteArtifact {
     val algorithm = "sha1"
-    val artifactBaseUrl = pomUrl?.removeSuffix(".pom") ?: return RemoteArtifact.EMPTY
+
+    // Handle both Maven POM files (.pom) and Ivy descriptor files (ivy-*.xml)
+    val artifactBaseUrl = when {
+        pomUrl == null -> return RemoteArtifact.EMPTY
+        pomUrl.endsWith(".pom") -> pomUrl.removeSuffix(".pom")
+        pomUrl.contains("/ivy-") && pomUrl.endsWith(".xml") -> {
+            // For Ivy descriptors like .../ivy-4.9.2.4.xml, extract the artifact name and version
+            // Pattern: .../[module]/[version]/ivy-[version].xml -> .../[module]/[version]/[module]-[version]
+            val pathParts = pomUrl.split("/")
+            val version = pathParts[pathParts.size - 2]
+            val module = pathParts[pathParts.size - 3]
+            val basePath = pathParts.dropLast(1).joinToString("/")
+            "$basePath/$module-$version"
+        }
+
+        else -> pomUrl.removeSuffix(".xml")
+    }
 
     val artifactUrl = buildString {
         append(artifactBaseUrl)

plugins/package-managers/gradle-inspector/src/main/resources/template.init.gradle

@@ -27,4 +27,42 @@ initscript {
 
 allprojects {
     apply plugin: OrtModelPlugin
+    
+    // Force Gradle to use Ivy descriptors and disable Gradle metadata for Ivy repositories
+    // This allows legacy targetConfiguration to work
+    repositories.configureEach { repo ->
+        if (repo instanceof org.gradle.api.artifacts.repositories.IvyArtifactRepository) {
+            repo.metadataSources {
+                ivyDescriptor()
+                artifact()
+                // Explicitly disable Gradle metadata which causes variant resolution issues
+                // with targetConfiguration
+            }
+            
+            // Check if repository should preserve its custom pattern layout
+            // Set repo.name = "customIvyLayout" in your build.gradle to skip ORT pattern configuration
+            def skipPatternConfig = repo.name?.contains("customIvyLayout") || 
+                                   System.getProperty("ort.ivy.preservePatterns") == "true"
+            
+            if (!skipPatternConfig) {
+                // Support multiple Ivy layout patterns for different Artifactory configurations
+                // Gradle will try each pattern in order until it finds the artifact
+                // m2compatible = false keeps dots in organization (e.g., com.artifactory stays as com.artifactory)
+                repo.patternLayout {
+                    // Artifactory Ivy layout with 'ivys' subdirectory (e.g., com.artifactory/module/version/ivys/ivy-version.xml)
+                    ivy '[organisation]/[module]/[revision]/ivys/ivy-[revision].xml'
+                    artifact '[organisation]/[module]/[revision]/jars/[artifact]-[revision](-[classifier])(.[ext])'
+                    artifact '[organisation]/[module]/[revision]/[type]s/[artifact]-[revision](-[classifier])(.[ext])'
+                    
+                    // Standard Ivy layout (e.g., com.artifactory/module/version/ivy-version.xml)
+                    ivy '[organisation]/[module]/[revision]/ivy-[revision].xml'
+                    artifact '[organisation]/[module]/[revision]/[artifact]-[revision](-[classifier])(.[ext])'
+                    
+                    // Keep m2compatible = false to preserve dots in organization names
+                    // If you need Maven-style paths (com/artifactory), repositories should use Maven layout instead
+                    m2compatible = false
+                }
+            }
+        }
+    }
 }

plugins/package-managers/gradle-model/src/main/kotlin/Extensions.kt

@@ -22,12 +22,13 @@ package org.ossreviewtoolkit.plugins.packagemanagers.gradlemodel
 import OrtDependency
 
 /**
- * The type of this Gradle dependency. In case of a project, it is [projectType]. Otherwise it is "Maven" unless there
- * is no POM, then it is "Unknown".
+ * The type of this Gradle dependency. In case of a project, it is [projectType]. Otherwise it is "Maven" if a POM
+ * file exists, "Ivy" if an ivy.xml exists, or "Unknown" if there is no metadata.
  */
 fun OrtDependency.getIdentifierType(projectType: String) =
     when {
         isProjectDependency -> projectType
+        pomFile?.contains("/ivy-") == true && pomFile?.endsWith(".xml") == true -> "Ivy"
         pomFile != null -> "Maven"
         else -> "Unknown"
     }