feat(Maven): Generate hints about auto-generated POMs for Tycho

oheger-bosch · oheger-bosch · commit 17f979ef08f7 · 2025-02-27T08:22:25.000+01:00
To make the required functionality available to the Tycho
implementation, extract it as an extension function.

Signed-off-by: Oliver Heger &lt;oliver.heger@bosch.io&gt;
diff --git a/plugins/package-managers/maven/src/main/kotlin/Maven.kt b/plugins/package-managers/maven/src/main/kotlin/Maven.kt
@@ -30,14 +30,13 @@ import org.ossreviewtoolkit.analyzer.PackageManager
 import org.ossreviewtoolkit.analyzer.PackageManagerResult
 import org.ossreviewtoolkit.model.DependencyGraph
 import org.ossreviewtoolkit.model.ProjectAnalyzerResult
-import org.ossreviewtoolkit.model.Severity
 import org.ossreviewtoolkit.model.config.AnalyzerConfiguration
 import org.ossreviewtoolkit.model.config.RepositoryConfiguration
-import org.ossreviewtoolkit.model.createAndLogIssue
 import org.ossreviewtoolkit.model.utils.DependencyGraphBuilder
 import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.LocalProjectWorkspaceReader
 import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.MavenDependencyHandler
 import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.MavenSupport
+import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.createIssuesForAutoGeneratedPoms
 import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.identifier
 import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.isTychoProject
 import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.toOrtProject
@@ -130,18 +129,7 @@ class Maven(
             graphBuilder.scopesFor(projectId)
         )
 
-        val issues = (graphBuilder.packages() - knownPackages).mapNotNull { pkg ->
-            if (pkg.description == "POM was created by Sonatype Nexus") {
-                createAndLogIssue(
-                    managerName,
-                    "Package '${pkg.id.toCoordinates()}' seems to use an auto-generated POM which might lack metadata.",
-                    Severity.HINT
-                )
-            } else {
-                null
-            }
-        }
-
+        val issues = (graphBuilder.packages() - knownPackages).createIssuesForAutoGeneratedPoms(managerName)
         return listOf(ProjectAnalyzerResult(project, emptySet(), issues))
     }
 
diff --git a/plugins/package-managers/maven/src/main/kotlin/Tycho.kt b/plugins/package-managers/maven/src/main/kotlin/Tycho.kt
@@ -41,6 +41,7 @@ import org.ossreviewtoolkit.analyzer.PackageManager
 import org.ossreviewtoolkit.analyzer.PackageManagerResult
 import org.ossreviewtoolkit.analyzer.ProjectResults
 import org.ossreviewtoolkit.model.DependencyGraph
+import org.ossreviewtoolkit.model.Issue
 import org.ossreviewtoolkit.model.ProjectAnalyzerResult
 import org.ossreviewtoolkit.model.config.AnalyzerConfiguration
 import org.ossreviewtoolkit.model.config.RepositoryConfiguration
@@ -50,6 +51,7 @@ import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.LocalProjectWork
 import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.MavenDependencyHandler
 import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.MavenLogger
 import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.MavenSupport
+import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.createIssuesForAutoGeneratedPoms
 import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.identifier
 import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.internalId
 import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.isTychoProject
@@ -92,10 +94,7 @@ class Tycho(
         // TODO: Create issues for a failed build and projects for which dependencies could not be resolved.
 
         val resolvedProjects = createMavenSupport(collector).use { mavenSupport ->
-            val dependencyHandler =
-                MavenDependencyHandler(managerName, projectType, mavenSupport, collector.mavenProjects, false)
-
-            graphBuilder = DependencyGraphBuilder(dependencyHandler)
+            graphBuilder = createGraphBuilder(mavenSupport, collector.mavenProjects)
 
             buildLog.inputStream().use { stream ->
                 parseDependencyTree(stream, collector.mavenProjects.values).map { projectNode ->
@@ -108,6 +107,10 @@ class Tycho(
 
         buildLog.delete()
 
+        // Assign issues that are global to the build to the root project.
+        val rootIssues = mutableListOf<Issue>()
+        graphBuilder.packages().createIssuesForAutoGeneratedPoms(managerName, rootIssues)
+
         return resolvedProjects.map { mavenProject ->
             val projectId = mavenProject.identifier(projectType)
             val project = mavenProject.toOrtProject(
@@ -116,7 +119,8 @@ class Tycho(
                 mavenProject.file.parentFile,
                 graphBuilder.scopesFor(projectId)
             )
-            ProjectAnalyzerResult(project, emptySet())
+            val issues = rootIssues.takeIf { mavenProject.file == definitionFile } ?: emptyList()
+            ProjectAnalyzerResult(project, emptySet(), issues)
         }
     }
 
@@ -128,7 +132,7 @@ class Tycho(
      * that it is invoked during the build. Also install a specific logger that forwards the output of the dependency
      * tree plugin to the given [outputStream].
      */
-    private fun createMavenCli(collector: TychoProjectsCollector, outputStream: PrintStream): MavenCli =
+    internal fun createMavenCli(collector: TychoProjectsCollector, outputStream: PrintStream): MavenCli =
         object : MavenCli(ClassWorld("plexus.core", javaClass.classLoader)) {
             override fun customizeContainer(container: PlexusContainer) {
                 container.addComponent(
@@ -148,6 +152,18 @@ class Tycho(
             }
         }
 
+    /**
+     * Create the [DependencyGraphBuilder] for constructing the dependency graph of the analyzed Tycho project using
+     * the given [mavenSupport] and the encountered [mavenProjects].
+     */
+    internal fun createGraphBuilder(
+        mavenSupport: MavenSupport,
+        mavenProjects: Map<String, MavenProject>
+    ): DependencyGraphBuilder<DependencyNode> {
+        val dependencyHandler = MavenDependencyHandler(managerName, projectType, mavenSupport, mavenProjects, false)
+        return DependencyGraphBuilder(dependencyHandler)
+    }
+
     /**
      * Run a Maven build on the Tycho project in [projectRoot] utilizing the given [collector]. Return a pair with
      * the exit code of the Maven project and a [File] that contains the output generated during the build.
diff --git a/plugins/package-managers/maven/src/main/kotlin/utils/Extensions.kt b/plugins/package-managers/maven/src/main/kotlin/utils/Extensions.kt
@@ -34,7 +34,11 @@ import org.eclipse.aether.repository.RemoteRepository
 import org.ossreviewtoolkit.analyzer.PackageManager.Companion.processProjectVcs
 import org.ossreviewtoolkit.downloader.VersionControlSystem
 import org.ossreviewtoolkit.model.Identifier
+import org.ossreviewtoolkit.model.Issue
+import org.ossreviewtoolkit.model.Package
 import org.ossreviewtoolkit.model.Project
+import org.ossreviewtoolkit.model.Severity
+import org.ossreviewtoolkit.model.createAndLogIssue
 
 fun Artifact.identifier() = "$groupId:$artifactId:$version"
 
@@ -55,6 +59,27 @@ internal fun MavenProject.identifier(projectType: String): Identifier =
 internal val MavenProject.internalId: String
     get() = "$groupId:$artifactId:$version"
 
+/**
+ * Check whether this collection of [Package]s contains elements that stem from auto-generated POM files. If so,
+ * create an [Issue] for each such [Package] using the given [managerName] as source. Optionally, the [targetIssues]
+ * list can be provided.
+ */
+internal fun Collection<Package>.createIssuesForAutoGeneratedPoms(
+    managerName: String,
+    targetIssues: MutableList<Issue> = mutableListOf()
+): List<Issue> =
+    mapNotNullTo(targetIssues) { pkg ->
+        if (pkg.description == "POM was created by Sonatype Nexus") {
+            createAndLogIssue(
+                managerName,
+                "Package '${pkg.id.toCoordinates()}' seems to use an auto-generated POM which might lack metadata.",
+                Severity.HINT
+            )
+        } else {
+            null
+        }
+    }
+
 /**
  * Convert this [MavenProject] to an ORT [Project] using the given [identifier], the path to the [definitionFile],
  * the [projectDir], and the set of [scopeNames].
diff --git a/plugins/package-managers/maven/src/test/kotlin/TychoTest.kt b/plugins/package-managers/maven/src/test/kotlin/TychoTest.kt
@@ -19,11 +19,35 @@
 
 package org.ossreviewtoolkit.plugins.packagemanagers.maven
 
+import io.kotest.core.TestConfiguration
 import io.kotest.core.spec.style.WordSpec
 import io.kotest.engine.spec.tempdir
+import io.kotest.engine.spec.tempfile
+import io.kotest.matchers.collections.beEmpty
 import io.kotest.matchers.collections.shouldContainExactlyInAnyOrder
+import io.kotest.matchers.should
+import io.kotest.matchers.shouldBe
+import io.kotest.matchers.string.shouldContain
 
+import io.mockk.every
 import io.mockk.mockk
+import io.mockk.spyk
+
+import java.io.File
+import java.io.PrintStream
+
+import org.apache.maven.cli.MavenCli
+import org.apache.maven.execution.MavenSession
+import org.apache.maven.project.MavenProject
+
+import org.eclipse.aether.graph.DependencyNode
+
+import org.ossreviewtoolkit.model.Identifier
+import org.ossreviewtoolkit.model.Package
+import org.ossreviewtoolkit.model.Severity
+import org.ossreviewtoolkit.model.utils.DependencyGraphBuilder
+import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.DependencyTreeMojoNode
+import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.JSON
 
 class TychoTest : WordSpec({
     "mapDefinitionFiles()" should {
@@ -56,4 +80,98 @@ class TychoTest : WordSpec({
             mappedDefinitionFiles shouldContainExactlyInAnyOrder listOf(tychoDefinitionFile1, tychoDefinitionFile2)
         }
     }
+
+    "resolveDependencies()" should {
+        "generate warnings about auto-generated pom files" {
+            val definitionFile = tempfile()
+            val rootProject = createMavenProject("root", definitionFile)
+            val subProject = createMavenProject("sub")
+            val projectsList = listOf(rootProject, subProject)
+
+            val tycho = spyk(Tycho("Tycho", tempdir(), mockk(relaxed = true), mockk(relaxed = true)))
+            injectCliMock(tycho, projectsList.toJson(), projectsList)
+
+            val pkg1 = mockk<Package>(relaxed = true)
+            val pkg2 = mockk<Package> {
+                every { id } returns Identifier("Tycho:org.ossreviewtoolkit:sub-dependency:1.0.0")
+                every { description } returns "POM was created by Sonatype Nexus"
+            }
+
+            val graphBuilder = mockk<DependencyGraphBuilder<DependencyNode>>(relaxed = true) {
+                every { packages() } returns setOf(pkg1, pkg2)
+            }
+
+            every { tycho.createGraphBuilder(any(), any()) } returns graphBuilder
+
+            val results = tycho.resolveDependencies(definitionFile, emptyMap())
+
+            val (rootResults, subResults) = results.partition { it.project.id.name == "root" }
+
+            with(rootResults.single().issues.single()) {
+                severity shouldBe Severity.HINT
+                message shouldContain pkg2.id.toCoordinates()
+                message shouldContain "auto-generated POM"
+                source shouldBe "Tycho"
+            }
+
+            subResults.single().issues should beEmpty()
+        }
+    }
 })
+
+/**
+ * Create a mock [MavenProject] with default coordinates and the given [name] and optional [definitionFile].
+ */
+private fun TestConfiguration.createMavenProject(name: String, definitionFile: File = tempfile()): MavenProject =
+    mockk(relaxed = true) {
+        every { groupId } returns "org.ossreviewtoolkit"
+        every { artifactId } returns name
+        every { version } returns "1.0.0"
+        every { file } returns definitionFile
+        every { id } returns "org.ossreviewtoolkit:$name:jar:1.0.0"
+        every { parent } returns null
+    }
+
+/**
+ * Return a [DependencyTreeMojoNode] with the properties of this [MavenProject].
+ */
+private fun MavenProject.toDependencyTreeMojoNode(): DependencyTreeMojoNode =
+    DependencyTreeMojoNode(groupId, artifactId, version, "jar", "compile", "")
+
+/**
+ * Generate JSON output analogously to the Maven Dependency Plugin for this list of [MavenProject]s. Here only the
+ * root project nodes are relevant; dependencies are not included.
+ */
+private fun Collection<MavenProject>.toJson(): String =
+    joinToString("\n") { JSON.encodeToString(it.toDependencyTreeMojoNode()) }
+
+/**
+ * Create a mock for a [MavenCli] object and configure the given [tycho] spi to use it. The mock CLI simulates a
+ * Maven build that produces the given [buildOutput] and detects the given [projectsList]. It returns the given
+ * [exitCode].
+ */
+private fun injectCliMock(
+    tycho: Tycho,
+    buildOutput: String,
+    projectsList: List<MavenProject>,
+    exitCode: Int = 0
+): MavenCli {
+    val cli = mockk<MavenCli> {
+        every { doMain(any(), any(), any(), any()) } returns exitCode
+    }
+
+    val session = mockk<MavenSession> {
+        every { projects } returns projectsList
+    }
+
+    every { tycho.createMavenCli(any(), any()) } answers {
+        val collector = firstArg<TychoProjectsCollector>()
+        collector.afterSessionEnd(session)
+
+        val out = secondArg<PrintStream>()
+        out.println(buildOutput)
+        cli
+    }
+
+    return cli
+}
