feat(Maven): Add functionality to parse JSON-based dependency trees

The Tycho implementation is going to invoke the `dependency:tree` goal
of Maven. The newly introduced functions are able to parse the output
format of this goal and to collect the corresponding dependency
information.

In addition, add a `DependencyTreeLogger` class to make sure that the
output generated by the dependency plugin is separated from the other
output produced by the Maven build.

Signed-off-by: Oliver Heger <oliver.heger@bosch.io>

Author: oheger-bosch

plugins/package-managers/maven/build.gradle.kts

@@ -20,6 +20,9 @@
 plugins {
     // Apply precompiled plugins.
     id("ort-library-conventions")
+
+    // Apply third-party plugins.
+    alias(libs.plugins.kotlinSerialization)
 }
 
 dependencies {
@@ -32,6 +35,9 @@ dependencies {
     implementation(projects.downloader)
     implementation(projects.utils.commonUtils)
 
+    implementation(libs.kotlinx.serialization.core)
+    implementation(libs.kotlinx.serialization.json)
+
     // The classes from the maven-resolver dependencies are not used directly but initialized by the Plexus IoC
     // container automatically. They are required on the classpath for Maven dependency resolution to work.
     runtimeOnly(libs.bundles.mavenResolver)

plugins/package-managers/maven/src/main/kotlin/utils/DependencyTreeLogger.kt

@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2025 The ORT Project Authors (see <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.ossreviewtoolkit.plugins.packagemanagers.maven.utils
+
+import java.io.PrintStream
+
+import org.apache.logging.log4j.kotlin.logger
+
+import org.codehaus.plexus.logging.AbstractLogger
+
+/**
+ * A special logger implementation that can redirect the output of the Maven dependency tree plugin to a separate file.
+ *
+ * When running a Maven build programmatically, the format of the generated log output is determined by the logging
+ * configuration of the client application. This also affects the log level and the log format. Because of this, it can
+ * be problematic to detect the output of the Maven dependency tree plugin in the log output. This logger
+ * implementation solves this problem by printing the log messages verbatim into a configured output stream.
+ */
+internal class DependencyTreeLogger(
+    /** The stream where to direct log output to. */
+    private val outputStream: PrintStream
+) : AbstractLogger(LEVEL_DEBUG, "DependencyTreeLogger") {
+    override fun getChildLogger(name: String?) = this
+
+    override fun debug(message: String, throwable: Throwable?) = log(message, throwable)
+
+    override fun error(message: String, throwable: Throwable?) = log(message, throwable)
+
+    override fun fatalError(message: String, throwable: Throwable?) = log(message, throwable)
+
+    override fun info(message: String, throwable: Throwable?) = log(message, throwable)
+
+    override fun warn(message: String, throwable: Throwable?) = log(message, throwable)
+
+    /**
+     * Log the given [message] and optional [throwable] in the standard format defined by this logger.
+     */
+    private fun log(message: String, throwable: Throwable?) {
+        outputStream.println(message)
+
+        logger.info { "[DEPENDENCY TREE] $message" }
+        throwable?.also {
+            logger.error("[DEPENDENCY TREE ERROR]", it)
+        }
+    }
+}

plugins/package-managers/maven/src/main/kotlin/utils/DependencyTreeParser.kt

@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2025 The ORT Project Authors (see <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.ossreviewtoolkit.plugins.packagemanagers.maven.utils
+
+import java.io.InputStream
+
+import kotlinx.serialization.Serializable
+import kotlinx.serialization.json.Json
+import kotlinx.serialization.json.decodeToSequence
+
+import org.apache.maven.project.MavenProject
+
+import org.eclipse.aether.artifact.DefaultArtifact
+import org.eclipse.aether.graph.DefaultDependencyNode
+import org.eclipse.aether.graph.Dependency
+import org.eclipse.aether.graph.DependencyNode
+import org.eclipse.aether.repository.RemoteRepository
+
+/** The [Json] instance to use for parsing of dependency trees in JSON format. */
+internal val JSON = Json { ignoreUnknownKeys = true }
+
+/**
+ * A data class to represent a node in the JSON output generated by the Maven Dependency Plugin.
+ */
+@Serializable
+internal data class DependencyTreeMojoNode(
+    val groupId: String,
+    val artifactId: String,
+    val version: String,
+    val type: String,
+    val scope: String,
+    val classifier: String,
+    val children: List<DependencyTreeMojoNode> = emptyList()
+) {
+    /** An ID that matches the internal IDs generated for Maven projects. */
+    val projectId: String = "$groupId:$artifactId:$type:$version"
+}
+
+/**
+ * Parse the file with the aggregated output of the Maven Dependency Plugin from the given [inputStream] to a sequence
+ * of [DependencyNode]s for all the projects encountered during the build. Use the given [projects] that were
+ * encountered during the build to enrich the dependencies with further information.
+ */
+internal fun parseDependencyTree(
+    inputStream: InputStream,
+    projects: Collection<MavenProject>
+): Sequence<DependencyNode> {
+    val projectsById = projects.associateBy(MavenProject::getId)
+
+    return JSON.decodeToSequence<DependencyTreeMojoNode>(inputStream)
+        .mapNotNull { node ->
+            projectsById[node.projectId]?.let { project ->
+                node.toDependencyNode(project.remoteProjectRepositories.orEmpty())
+            }
+        }
+}
+
+/**
+ * Convert this [DependencyTreeMojoNode] and all its children to a [DependencyNode]. Set the given [repositories] for
+ * all created [DependencyNode]s.
+ */
+private fun DependencyTreeMojoNode.toDependencyNode(repositories: List<RemoteRepository>): DependencyNode {
+    val artifact = DefaultArtifact(groupId, artifactId, classifier, type, version)
+    val dependency = Dependency(artifact, scope)
+    val childNodes = children.map { it.toDependencyNode(repositories) }
+
+    return DefaultDependencyNode(dependency).apply {
+        children = childNodes
+        setRepositories(repositories)
+    }
+}

plugins/package-managers/maven/src/test/kotlin/utils/DependencyTreeParserTest.kt

@@ -0,0 +1,384 @@
+/*
+ * Copyright (C) 2025 The ORT Project Authors (see <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.ossreviewtoolkit.plugins.packagemanagers.maven.utils
+
+import io.kotest.core.spec.style.WordSpec
+import io.kotest.inspectors.forAll
+import io.kotest.matchers.collections.shouldBeSingleton
+import io.kotest.matchers.collections.shouldContainExactly
+import io.kotest.matchers.collections.shouldContainExactlyInAnyOrder
+import io.kotest.matchers.collections.shouldHaveSize
+import io.kotest.matchers.shouldBe
+
+import io.mockk.every
+import io.mockk.mockk
+import io.mockk.spyk
+
+import java.io.InputStream
+
+import org.apache.maven.project.MavenProject
+
+import org.eclipse.aether.graph.DependencyNode
+import org.eclipse.aether.repository.RemoteRepository
+
+private const val DEPENDENCY_TREE_JSON = """
+{
+   "groupId": "org.ossreviewtoolkit",
+   "artifactId": "tycho-test-bundle",
+   "version": "1.0.0-SNAPSHOT",
+   "type": "pom",
+   "scope": "",
+   "classifier": "",
+   "optional": "false",
+   "children": [
+     {
+       "groupId": "org.apache.commons",
+       "artifactId": "commons-configuration2",
+       "version": "2.11.0",
+       "type": "jar",
+       "scope": "compile",
+       "classifier": "",
+       "optional": "false",
+       "children": [
+         {
+           "groupId": "org.apache.commons",
+           "artifactId": "commons-lang3",
+           "version": "3.14.0",
+           "type": "jar",
+           "scope": "compile",
+           "classifier": "",
+           "optional": "false"
+         },
+         {
+           "groupId": "org.apache.commons",
+           "artifactId": "commons-text",
+           "version": "1.12.0",
+           "type": "bundle",
+           "scope": "test",
+           "classifier": "foo",
+           "optional": "false"
+         },
+         {
+           "groupId": "commons-logging",
+           "artifactId": "commons-logging",
+           "version": "1.3.2",
+           "type": "jar",
+           "scope": "compile",
+           "classifier": "",
+           "optional": "false"
+         }
+         ]
+     }
+     ]
+ }
+            """
+
+class DependencyTreeParserTest : WordSpec({
+    "JSON serialization" should {
+        "deserialize a hierarchical structure" {
+            val node = JSON.decodeFromString<DependencyTreeMojoNode>(DEPENDENCY_TREE_JSON)
+
+            with(node) {
+                groupId shouldBe "org.ossreviewtoolkit"
+                artifactId shouldBe "tycho-test-bundle"
+                version shouldBe "1.0.0-SNAPSHOT"
+                type shouldBe "pom"
+                scope shouldBe ""
+                classifier shouldBe ""
+
+                with(children.single()) {
+                    groupId shouldBe "org.apache.commons"
+                    artifactId shouldBe "commons-configuration2"
+                    version shouldBe "2.11.0"
+                    type shouldBe "jar"
+                    scope shouldBe "compile"
+                    classifier shouldBe ""
+
+                    children shouldContainExactlyInAnyOrder listOf(
+                        DependencyTreeMojoNode(
+                            "org.apache.commons",
+                            "commons-lang3",
+                            "3.14.0",
+                            "jar",
+                            "compile",
+                            ""
+                        ),
+                        DependencyTreeMojoNode(
+                            "org.apache.commons",
+                            "commons-text",
+                            "1.12.0",
+                            "bundle",
+                            "test",
+                            "foo"
+                        ),
+                        DependencyTreeMojoNode(
+                            "commons-logging",
+                            "commons-logging",
+                            "1.3.2",
+                            "jar",
+                            "compile",
+                            ""
+                        )
+                    )
+                }
+            }
+        }
+    }
+
+    "parseDependencyTree()" should {
+        "parse the dependency tree of a single project" {
+            val projectNode = DependencyTreeMojoNode(
+                "org.ossreviewtoolkit",
+                "ort",
+                "1.2.3-SNAPSHOT",
+                "pom",
+                "",
+                "",
+                listOf(
+                    DependencyTreeMojoNode(
+                        "org.apache.commons",
+                        "commons-configuration2",
+                        "2.11.0",
+                        "jar",
+                        "compile",
+                        "",
+                        listOf(
+                            DependencyTreeMojoNode(
+                                "org.apache.commons",
+                                "commons-lang3",
+                                "3.14.0",
+                                "jar",
+                                "compile",
+                                ""
+                            ),
+                            DependencyTreeMojoNode(
+                                "org.apache.commons",
+                                "commons-text",
+                                "1.12.0",
+                                "bundle",
+                                "test",
+                                "foo"
+                            ),
+                            DependencyTreeMojoNode(
+                                "commons-logging",
+                                "commons-logging",
+                                "1.3.2",
+                                "jar",
+                                "compile",
+                                ""
+                            )
+                        )
+                    )
+                )
+            )
+
+            val projectDependencies = parseDependencyTree(
+                inputStreamFor(projectNode),
+                listOf(createProject("ort"))
+            ).toList()
+
+            projectDependencies.shouldBeSingleton {
+                compareNodes(projectNode, it)
+            }
+        }
+
+        "parse the dependency trees of multiple projects" {
+            val projectNode1 = DependencyTreeMojoNode(
+                "org.ossreviewtoolkit",
+                "module1",
+                "1.2.3-SNAPSHOT",
+                "pom",
+                "",
+                "",
+                listOf(
+                    DependencyTreeMojoNode(
+                        "org.apache.commons",
+                        "commons-configuration2",
+                        "2.11.0",
+                        "jar",
+                        "compile",
+                        ""
+                    )
+                )
+            )
+            val projectNode2 = DependencyTreeMojoNode(
+                "org.ossreviewtoolkit",
+                "module2",
+                "1.2.3-SNAPSHOT",
+                "eclipse-plugin",
+                "",
+                "",
+                listOf(
+                    DependencyTreeMojoNode(
+                        "org.apache.commons",
+                        "commons-lang3",
+                        "3.14.0",
+                        "jar",
+                        "compile",
+                        ""
+                    )
+                )
+            )
+
+            val projectDependencies = parseDependencyTree(
+                inputStreamFor(projectNode1, projectNode2),
+                listOf(createProject("module1"), createProject("module2", "eclipse-plugin"))
+            ).toList()
+
+            projectDependencies shouldHaveSize 2
+            compareNodes(projectNode1, projectDependencies.first())
+            compareNodes(projectNode2, projectDependencies.last())
+        }
+
+        "use the available repositories" {
+            val remoteRepo1 = mockk<RemoteRepository>()
+            val remoteRepo2 = mockk<RemoteRepository>()
+            val remoteRepositories = listOf(remoteRepo1, remoteRepo2)
+            val project = spyk(createProject("module1", "eclipse-plugin")) {
+                every { remoteProjectRepositories } returns remoteRepositories
+            }
+
+            val projectNode = DependencyTreeMojoNode(
+                "org.ossreviewtoolkit",
+                "module1",
+                "1.2.3-SNAPSHOT",
+                "eclipse-plugin",
+                "",
+                "",
+                listOf(
+                    DependencyTreeMojoNode(
+                        "org.apache.commons",
+                        "commons-configuration2",
+                        "2.11.0",
+                        "jar",
+                        "compile",
+                        ""
+                    ),
+                    DependencyTreeMojoNode(
+                        "org.apache.commons",
+                        "commons-lang3",
+                        "3.14.0",
+                        "jar",
+                        "compile",
+                        ""
+                    )
+                )
+            )
+
+            val dependencies = parseDependencyTree(
+                inputStreamFor(projectNode),
+                listOf(project)
+            ).single()
+
+            dependencies.children.forAll { node ->
+                node.repositories shouldContainExactly remoteRepositories
+            }
+        }
+
+        "skip unknown projects" {
+            val projectNode1 = DependencyTreeMojoNode(
+                "org.ossreviewtoolkit",
+                "module1",
+                "1.2.3-SNAPSHOT",
+                "pom",
+                "",
+                "",
+                listOf(
+                    DependencyTreeMojoNode(
+                        "org.apache.commons",
+                        "commons-configuration2",
+                        "2.11.0",
+                        "jar",
+                        "compile",
+                        ""
+                    )
+                )
+            )
+            val projectNode2 = DependencyTreeMojoNode(
+                "org.ossreviewtoolkit",
+                "module2",
+                "1.2.3-SNAPSHOT",
+                "eclipse-plugin",
+                "",
+                "",
+                listOf(
+                    DependencyTreeMojoNode(
+                        "org.apache.commons",
+                        "commons-lang3",
+                        "3.14.0",
+                        "jar",
+                        "compile",
+                        ""
+                    )
+                )
+            )
+
+            val projectDependencies = parseDependencyTree(
+                inputStreamFor(projectNode1, projectNode2),
+                listOf(createProject("module1"))
+            ).toList()
+
+            projectDependencies.shouldBeSingleton {
+                compareNodes(projectNode1, it)
+            }
+        }
+    }
+})
+
+/**
+ * Return an [InputStream] with the JSON representation of the given [projects] in the same way as this would be done
+ * by the dependency tree plugin.
+ */
+private fun inputStreamFor(vararg projects: DependencyTreeMojoNode): InputStream =
+    projects.joinToString("\n") { JSON.encodeToString(it) }.byteInputStream()
+
+/**
+ * Compare a hierarchy of [DependencyTreeMojoNode]s with a hierarchy of [DependencyNode]s given the root nodes
+ * [mojoNode] and [dependencyNode].
+ */
+private fun compareNodes(mojoNode: DependencyTreeMojoNode, dependencyNode: DependencyNode) {
+    with(dependencyNode) {
+        with(artifact) {
+            groupId shouldBe mojoNode.groupId
+            artifactId shouldBe mojoNode.artifactId
+            version shouldBe mojoNode.version
+            extension shouldBe mojoNode.type
+            classifier shouldBe mojoNode.classifier
+        }
+
+        dependency.scope shouldBe mojoNode.scope
+
+        mojoNode.children.size shouldBe children.orEmpty().size
+        mojoNode.children.zip(children.orEmpty()).forAll { (mojoChild, child) ->
+            compareNodes(mojoChild, child)
+        }
+    }
+}
+
+/**
+ * Create a [MavenProject] with the given [name] and optional [packaging].
+ */
+private fun createProject(name: String, packaging: String = "pom"): MavenProject =
+    MavenProject().apply {
+        artifactId = name
+        groupId = "org.ossreviewtoolkit"
+        version = "1.2.3-SNAPSHOT"
+        this.packaging = packaging
+    }