feat(Maven): Add an initial Tycho package manager implementation

This is an MVP implementation that can already handle real projects.
Upcoming commits will add more robustness and missing features.

Since this implementation uses a different approach to collect
dependency information (based on parsing the dependency tree generated
by the Maven Dependency Plugin [1]), it is placed in a dedicated
class. Shared logic used by both the Maven and the Tycho
implementations is provided by the `MavenSupport` class.

[1]: https://maven.apache.org/plugins/maven-dependency-plugin/

Signed-off-by: Oliver Heger <oliver.heger@bosch.io>

Author: oheger-bosch

gradle/libs.versions.toml

@@ -156,6 +156,7 @@ log4j-api-slf4j = { module = "org.apache.logging.log4j:log4j-to-slf4j", version.
 logbackClassic = { module = "ch.qos.logback:logback-classic", version.ref = "logback" }
 maven-compat = { module = "org.apache.maven:maven-compat", version.ref = "maven" }
 maven-core = { module = "org.apache.maven:maven-core", version.ref = "maven" }
+maven-embedder = { module = "org.apache.maven:maven-embedder", version.ref = "maven" }
 maven-model = { module = "org.apache.maven:maven-model", version.ref = "maven" }
 maven-model-builder = { module = "org.apache.maven:maven-model-builder", version.ref = "maven" }
 maven-resolver-api = { module = "org.apache.maven.resolver:maven-resolver-api", version.ref = "mavenResolver" }

plugins/package-managers/maven/build.gradle.kts

@@ -35,6 +35,7 @@ dependencies {
     implementation(projects.downloader)
     implementation(projects.utils.commonUtils)
 
+    implementation(libs.maven.embedder)
     implementation(libs.kotlinx.serialization.core)
     implementation(libs.kotlinx.serialization.json)
 

plugins/package-managers/maven/src/funTest/assets/projects/synthetic/tycho-expected-output.yml

@@ -0,0 +1,292 @@
+---
+projects:
+- id: "Tycho:org.ossreviewtoolkit:tycho-test-aggregator:1.0.0-SNAPSHOT"
+  definition_file_path: "plugins/package-managers/maven/src/funTest/assets/projects/synthetic/tycho/pom.xml"
+  authors:
+  - "ACME"
+  - "Sirius Cybernetics Corporation"
+  declared_licenses:
+  - "Apache License, Version 2.0"
+  declared_licenses_processed:
+    spdx_expression: "Apache-2.0"
+    mapped:
+      Apache License, Version 2.0: "Apache-2.0"
+  vcs:
+    type: "Git"
+    url: "https://example.com/git/repository.git"
+    revision: ""
+    path: ""
+  vcs_processed:
+    type: "Git"
+    url: "<REPLACE_URL_PROCESSED>"
+    revision: "<REPLACE_REVISION>"
+    path: "plugins/package-managers/maven/src/funTest/assets/projects/synthetic/tycho"
+  homepage_url: "http://maven.apache.org"
+  scopes: []
+- id: "Tycho:org.ossreviewtoolkit:tycho-test-bundle:1.0.0-SNAPSHOT"
+  definition_file_path: "plugins/package-managers/maven/src/funTest/assets/projects/synthetic/tycho/org.ossreviewtoolkit.tycho.bundle/pom.xml"
+  declared_licenses: []
+  declared_licenses_processed: {}
+  vcs:
+    type: ""
+    url: ""
+    revision: ""
+    path: ""
+  vcs_processed:
+    type: "Git"
+    url: "<REPLACE_URL_PROCESSED>"
+    revision: "<REPLACE_REVISION>"
+    path: "plugins/package-managers/maven/src/funTest/assets/projects/synthetic/tycho/org.ossreviewtoolkit.tycho.bundle"
+  homepage_url: ""
+  scopes:
+  - name: "compile"
+    dependencies:
+    - id: "Maven:org.apache.commons:commons-configuration2:2.11.0"
+      dependencies:
+      - id: "Maven:commons-logging:commons-logging:1.3.2"
+      - id: "Maven:org.apache.commons:commons-lang3:3.14.0"
+      - id: "Maven:org.apache.commons:commons-text:1.12.0"
+  - name: "test"
+    dependencies:
+    - id: "Maven:junit:junit:4.13.2"
+      dependencies:
+      - id: "Maven:org.hamcrest:hamcrest-core:1.3"
+packages:
+- id: "Maven:commons-logging:commons-logging:1.3.2"
+  purl: "pkg:maven/commons-logging/commons-logging@1.3.2"
+  authors:
+  - "Apache"
+  - "Brian Stansberry"
+  - "Juozas Baliuka"
+  - "Peter Donald"
+  - "The Apache Software Foundation"
+  declared_licenses:
+  - "Apache-2.0"
+  declared_licenses_processed:
+    spdx_expression: "Apache-2.0"
+  description: "Apache Commons Logging is a thin adapter allowing configurable bridging\
+    \ to other,\n    well-known logging systems."
+  homepage_url: "https://commons.apache.org/proper/commons-logging/"
+  binary_artifact:
+    url: "https://repo.maven.apache.org/maven2/commons-logging/commons-logging/1.3.2/commons-logging-1.3.2.jar"
+    hash:
+      value: "3dc966156ef19d23c839715165435e582fafa753"
+      algorithm: "SHA-1"
+  source_artifact:
+    url: "https://repo.maven.apache.org/maven2/commons-logging/commons-logging/1.3.2/commons-logging-1.3.2-sources.jar"
+    hash:
+      value: "3bf2b5ce48a273d1d37bac9df0ab9f73b4ef92cb"
+      algorithm: "SHA-1"
+  vcs:
+    type: "Git"
+    url: "https://gitbox.apache.org/repos/asf/commons-logging"
+    revision: ""
+    path: ""
+  vcs_processed:
+    type: "Git"
+    url: "https://gitbox.apache.org/repos/asf/commons-logging"
+    revision: ""
+    path: ""
+- id: "Maven:junit:junit:4.13.2"
+  purl: "pkg:maven/junit/junit@4.13.2"
+  authors:
+  - "David Saff"
+  - "JUnit"
+  - "Kevin Cooney"
+  - "Marc Philipp"
+  - "Stefan Birkner"
+  declared_licenses:
+  - "Eclipse Public License 1.0"
+  declared_licenses_processed:
+    spdx_expression: "EPL-1.0"
+    mapped:
+      Eclipse Public License 1.0: "EPL-1.0"
+  description: "JUnit is a unit testing framework for Java, created by Erich Gamma\
+    \ and Kent Beck."
+  homepage_url: "http://junit.org"
+  binary_artifact:
+    url: "https://repo.maven.apache.org/maven2/junit/junit/4.13.2/junit-4.13.2.jar"
+    hash:
+      value: "8ac9e16d933b6fb43bc7f576336b8f4d7eb5ba12"
+      algorithm: "SHA-1"
+  source_artifact:
+    url: "https://repo.maven.apache.org/maven2/junit/junit/4.13.2/junit-4.13.2-sources.jar"
+    hash:
+      value: "33987872a811fe4d4001ed494b07854822257f42"
+      algorithm: "SHA-1"
+  vcs:
+    type: "Git"
+    url: "git://github.com/junit-team/junit4.git"
+    revision: "r4.13.2"
+    path: ""
+  vcs_processed:
+    type: "Git"
+    url: "https://github.com/junit-team/junit4.git"
+    revision: "r4.13.2"
+    path: ""
+- id: "Maven:org.apache.commons:commons-configuration2:2.11.0"
+  purl: "pkg:maven/org.apache.commons/commons-configuration2@2.11.0"
+  authors:
+  - "Ariane Software"
+  - "Bosch Software Innovations"
+  - "Claude Warren"
+  - "CollabNet, Inc."
+  - "INTERMETA - Gesellschaft fuer Mehrwertdienste mbH"
+  - "Intuit"
+  - "Jörg Schaible"
+  - "Multitask Consulting"
+  - "Rob Tompkins"
+  - "The Apache Software Foundation"
+  - "Zenplex"
+  - "dunbarconsulting.org"
+  - "tucana.at"
+  - "upstate.com"
+  declared_licenses:
+  - "Apache-2.0"
+  declared_licenses_processed:
+    spdx_expression: "Apache-2.0"
+  description: "Tools to assist in the reading of configuration/preferences files\
+    \ in various formats; requires Java 8."
+  homepage_url: "https://commons.apache.org/proper/commons-configuration/"
+  binary_artifact:
+    url: "https://repo.maven.apache.org/maven2/org/apache/commons/commons-configuration2/2.11.0/commons-configuration2-2.11.0.jar"
+    hash:
+      value: "af5a2c6abe587074c0be1107fcb27fa2fad91304"
+      algorithm: "SHA-1"
+  source_artifact:
+    url: "https://repo.maven.apache.org/maven2/org/apache/commons/commons-configuration2/2.11.0/commons-configuration2-2.11.0-sources.jar"
+    hash:
+      value: "613216569295c3594984d97225ae255c6082ad4c"
+      algorithm: "SHA-1"
+  vcs:
+    type: "Git"
+    url: "https://gitbox.apache.org/repos/asf/commons-configuration.git"
+    revision: ""
+    path: ""
+  vcs_processed:
+    type: "Git"
+    url: "https://gitbox.apache.org/repos/asf/commons-configuration.git"
+    revision: ""
+    path: ""
+- id: "Maven:org.apache.commons:commons-lang3:3.14.0"
+  purl: "pkg:maven/org.apache.commons/commons-lang3@3.14.0"
+  authors:
+  - "Benedikt Ritter"
+  - "Carman Consulting, Inc."
+  - "CollabNet, Inc."
+  - "Duncan Jones"
+  - "Fredrik Westermarck"
+  - "Henri Yandell"
+  - "Joerg Schaible"
+  - "Loic Guibert"
+  - "Matt Benson"
+  - "Niall Pemberton"
+  - "Oliver Heger"
+  - "Paul Benedict"
+  - "Rob Tompkins"
+  - "Robert Burrell Donkin"
+  - "SITA ATS Ltd"
+  - "Steven Caswell"
+  - "The Apache Software Foundation"
+  declared_licenses:
+  - "Apache-2.0"
+  declared_licenses_processed:
+    spdx_expression: "Apache-2.0"
+  description: "Apache Commons Lang, a package of Java utility classes for the\n \
+    \ classes that are in java.lang's hierarchy, or are considered to be so\n  standard\
+    \ as to justify existence in java.lang."
+  homepage_url: "https://commons.apache.org/proper/commons-lang/"
+  binary_artifact:
+    url: "https://repo.maven.apache.org/maven2/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar"
+    hash:
+      value: "1ed471194b02f2c6cb734a0cd6f6f107c673afae"
+      algorithm: "SHA-1"
+  source_artifact:
+    url: "https://repo.maven.apache.org/maven2/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0-sources.jar"
+    hash:
+      value: "9ef3e18356f4ac30b15bfa48c02a7f54b51af382"
+      algorithm: "SHA-1"
+  vcs:
+    type: "Git"
+    url: "http://gitbox.apache.org/repos/asf/commons-lang.git"
+    revision: "rel/commons-lang-3.13.0"
+    path: ""
+  vcs_processed:
+    type: "Git"
+    url: "http://gitbox.apache.org/repos/asf/commons-lang.git"
+    revision: "rel/commons-lang-3.13.0"
+    path: ""
+- id: "Maven:org.apache.commons:commons-text:1.12.0"
+  purl: "pkg:maven/org.apache.commons/commons-text@1.12.0"
+  authors:
+  - "Benedikt Ritter"
+  - "Bruno P. Kinoshita"
+  - "Duncan Jones"
+  - "Rob Tompkins"
+  - "The Apache Software Foundation"
+  declared_licenses:
+  - "Apache-2.0"
+  declared_licenses_processed:
+    spdx_expression: "Apache-2.0"
+  description: "Apache Commons Text is a set of utility functions and reusable components\
+    \ for the purpose of processing\n    and manipulating text that should be of use\
+    \ in a Java environment."
+  homepage_url: "https://commons.apache.org/proper/commons-text"
+  binary_artifact:
+    url: "https://repo.maven.apache.org/maven2/org/apache/commons/commons-text/1.12.0/commons-text-1.12.0.jar"
+    hash:
+      value: "66aa90dc099701c4d3b14bd256c328f592ccf0d6"
+      algorithm: "SHA-1"
+  source_artifact:
+    url: "https://repo.maven.apache.org/maven2/org/apache/commons/commons-text/1.12.0/commons-text-1.12.0-sources.jar"
+    hash:
+      value: "9ff4f979b84635ca1b57a3298dd905b61e7fd0ca"
+      algorithm: "SHA-1"
+  vcs:
+    type: "Git"
+    url: "https://gitbox.apache.org/repos/asf/commons-text"
+    revision: ""
+    path: ""
+  vcs_processed:
+    type: "Git"
+    url: "https://gitbox.apache.org/repos/asf/commons-text"
+    revision: ""
+    path: ""
+- id: "Maven:org.hamcrest:hamcrest-core:1.3"
+  purl: "pkg:maven/org.hamcrest/hamcrest-core@1.3"
+  authors:
+  - "Joe Walnes"
+  - "Nat Pryce"
+  - "Neil Dunn"
+  - "Steve Freeman"
+  - "Tom Denley"
+  declared_licenses:
+  - "New BSD License"
+  declared_licenses_processed:
+    spdx_expression: "BSD-3-Clause"
+    mapped:
+      New BSD License: "BSD-3-Clause"
+  description: "This is the core API of hamcrest matcher framework to be used by third-party\
+    \ framework providers. This includes the a foundation set of matcher implementations\
+    \ for common operations."
+  homepage_url: "https://github.com/hamcrest/JavaHamcrest/hamcrest-core"
+  binary_artifact:
+    url: "https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar"
+    hash:
+      value: "42a25dc3219429f0e5d060061f71acb49bf010a0"
+      algorithm: "SHA-1"
+  source_artifact:
+    url: "https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3-sources.jar"
+    hash:
+      value: "1dc37250fbc78e23a65a67fbbaf71d2e9cbc3c0b"
+      algorithm: "SHA-1"
+  vcs:
+    type: "Git"
+    url: "git@github.com:hamcrest/JavaHamcrest.git"
+    revision: ""
+    path: ""
+  vcs_processed:
+    type: "Git"
+    url: "ssh://git@github.com/hamcrest/JavaHamcrest.git"
+    revision: ""
+    path: ""

plugins/package-managers/maven/src/funTest/assets/projects/synthetic/tycho/.mvn/extensions.xml

@@ -0,0 +1,7 @@
+<extensions>
+  <extension>
+    <groupId>org.eclipse.tycho</groupId>
+    <artifactId>tycho-build</artifactId>
+    <version>4.0.8</version>
+  </extension>
+</extensions>

plugins/package-managers/maven/src/funTest/assets/projects/synthetic/tycho/org.ossreviewtoolkit.tycho.bundle/pom.xml

@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>tycho-test-bundle</artifactId>
+    <version>1.0.0-SNAPSHOT</version>
+
+    <name>[bundle] Bundle</name>
+    <packaging>pom</packaging>
+
+    <parent>
+        <groupId>org.ossreviewtoolkit</groupId>
+        <artifactId>tycho-test-parent</artifactId>
+        <version>1.0.0-SNAPSHOT</version>
+        <relativePath>../org.ossreviewtoolkit.tycho.parent/pom.xml</relativePath>
+    </parent>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-configuration2</artifactId>
+            <version>2.11.0</version>
+        </dependency>
+
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <version>4.13.2</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.eclipse.tycho</groupId>
+                <artifactId>tycho-compiler-plugin</artifactId>
+                <configuration>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+</project>

plugins/package-managers/maven/src/funTest/assets/projects/synthetic/tycho/org.ossreviewtoolkit.tycho.parent/pom.xml

@@ -0,0 +1,102 @@
+<project>
+ <modelVersion>4.0.0</modelVersion>
+ <groupId>org.ossreviewtoolkit</groupId>
+ <artifactId>tycho-test-parent</artifactId>
+ <version>1.0.0-SNAPSHOT</version>
+ <packaging>pom</packaging>
+
+ <properties>
+  <tycho.version>4.0.8</tycho.version>
+  <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ </properties>
+
+ <build>
+   <pluginManagement>
+     <plugins>
+       <plugin>
+         <groupId>org.eclipse.tycho</groupId>
+         <artifactId>tycho-p2-director-plugin</artifactId>
+         <version>${tycho.version}</version>
+       </plugin>
+   <plugin>
+    <groupId>org.eclipse.tycho</groupId>
+    <artifactId>tycho-maven-plugin</artifactId>
+    <version>${tycho.version}</version>
+    <extensions>true</extensions>
+   </plugin>
+   <plugin>
+        <groupId>org.eclipse.tycho</groupId>
+            <artifactId>tycho-packaging-plugin</artifactId>
+             <version>${tycho.version}</version>
+             <executions>
+              <execution>
+                <phase>package</phase>
+                <id>package-feature</id>
+                    <configuration>
+                        <finalName>${project.artifactId}_${unqualifiedVersion}.${buildQualifier}</finalName>
+                    </configuration>
+            </execution>
+        </executions>
+    </plugin>
+    <plugin>
+    <groupId>org.eclipse.tycho</groupId>
+    <artifactId>target-platform-configuration</artifactId>
+    <version>${tycho.version}</version>
+    <configuration>
+     <environments>
+      <environment>
+       <os>linux</os>
+       <ws>gtk</ws>
+       <arch>x86_64</arch>
+      </environment>
+      <environment>
+       <os>win32</os>
+       <ws>win32</ws>
+       <arch>x86_64</arch>
+      </environment>
+      <environment>
+       <os>macosx</os>
+       <ws>cocoa</ws>
+       <arch>x86_64</arch>
+      </environment>
+     </environments>
+     <target>
+       <file>../org.ossreviewtoolkit.tycho.target/org.ossreviewtoolkit.tycho.target.target</file>
+     </target>   
+    </configuration>
+   </plugin>
+        <plugin>
+          <groupId>org.eclipse.tycho</groupId>
+          <artifactId>tycho-compiler-plugin</artifactId>
+          <version>${tycho.version}</version>
+          <configuration>
+            <compilerArgument>-enableJavadoc</compilerArgument>
+            <compilerArgument>-warn:-warningToken</compilerArgument>
+            <encoding>${project.build.sourceEncoding}</encoding>
+            <optimize>true</optimize>
+            <showDeprecation>true</showDeprecation>
+            <showWarnings>true</showWarnings>
+            <source>17.0</source>
+            <target>17.0</target>
+            <useProjectSettings>true</useProjectSettings>
+          </configuration>
+        </plugin>
+     </plugins>
+   </pluginManagement>
+  <plugins>
+      <plugin>
+        <artifactId>target-platform-configuration</artifactId>
+        <groupId>org.eclipse.tycho</groupId>
+      </plugin>
+      <plugin>
+        <artifactId>tycho-compiler-plugin</artifactId>
+        <groupId>org.eclipse.tycho</groupId>
+      </plugin>
+      <plugin>
+        <artifactId>tycho-maven-plugin</artifactId>
+        <extensions>true</extensions>
+        <groupId>org.eclipse.tycho</groupId>
+      </plugin>
+  </plugins>
+ </build>
+</project>

plugins/package-managers/maven/src/funTest/assets/projects/synthetic/tycho/org.ossreviewtoolkit.tycho.target/org.ossreviewtoolkit.tycho.target.target

@@ -0,0 +1,9 @@
+<?pde version="3.8"?>
+<target name="MyTarget" sequenceNumber="1">
+ <locations>
+ <location includeAllPlatforms="false" includeMode="planner" includeSource="true" type="InstallableUnit">
+ <unit id="org.apache.commons:commons-lang3" version="3.12.0"/>
+ <repository location="https://repo1.maven.org/maven2/"/>
+ </location>
+ </locations>
+</target>

plugins/package-managers/maven/src/funTest/assets/projects/synthetic/tycho/pom.xml

@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>org.ossreviewtoolkit</groupId>
+    <artifactId>tycho-test-aggregator</artifactId>
+    <version>1.0.0-SNAPSHOT</version>
+
+    <name>[pom] Aggregator</name>
+    <packaging>pom</packaging>
+    <description>
+        This is a test project for the ORT Tycho package manager.
+    </description>
+    <url>http://maven.apache.org</url>
+    <scm>
+        <connection>scm:git:https://example.com/git/repository.git</connection>
+        <developerConnection>scm:git:https://example.com/git/repository.git</developerConnection>
+        <url>https://example.com/git/repository</url>
+    </scm>
+    <organization>
+        <name>ACME</name>
+    </organization>
+    <developers>
+        <developer>
+            <organization>ACME</organization>
+            <name>Dev A</name>
+        </developer>
+        <developer>
+            <organization>Sirius Cybernetics Corporation</organization>
+            <name>Dev B</name>
+        </developer>
+    </developers>
+    <licenses>
+        <license>
+            <name>Apache License, Version 2.0</name>
+            <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
+            <distribution>repo</distribution>
+        </license>
+    </licenses>
+
+    <parent>
+        <groupId>org.ossreviewtoolkit</groupId>
+        <artifactId>tycho-test-parent</artifactId>
+        <version>1.0.0-SNAPSHOT</version>
+        <relativePath>org.ossreviewtoolkit.tycho.parent/pom.xml</relativePath>
+    </parent>
+
+    <modules>
+        <module>org.ossreviewtoolkit.tycho.bundle</module>
+    </modules>
+
+</project>

plugins/package-managers/maven/src/funTest/kotlin/TychoFunTest.kt

@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2025 The ORT Project Authors (see <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.ossreviewtoolkit.plugins.packagemanagers.maven
+
+import io.kotest.core.spec.style.StringSpec
+import io.kotest.matchers.should
+
+import org.ossreviewtoolkit.analyzer.collateMultipleProjects
+import org.ossreviewtoolkit.analyzer.create
+import org.ossreviewtoolkit.model.toYaml
+import org.ossreviewtoolkit.utils.test.getAssetFile
+import org.ossreviewtoolkit.utils.test.matchExpectedResult
+
+class TychoFunTest : StringSpec({
+    "Project dependencies are detected correctly" {
+        val definitionFile = getAssetFile("projects/synthetic/tycho/pom.xml")
+        val expectedResultFile = getAssetFile("projects/synthetic/tycho-expected-output.yml")
+
+        val result = create("Tycho").collateMultipleProjects(definitionFile).withResolvedScopes()
+
+        result.toYaml() should matchExpectedResult(expectedResultFile, definitionFile)
+    }
+})

plugins/package-managers/maven/src/main/kotlin/Tycho.kt

@@ -0,0 +1,238 @@
+/*
+ * Copyright (C) 2025 The ORT Project Authors (see <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.ossreviewtoolkit.plugins.packagemanagers.maven
+
+import java.io.File
+import java.io.PrintStream
+import java.util.concurrent.atomic.AtomicReference
+
+import org.apache.logging.log4j.kotlin.logger
+import org.apache.maven.AbstractMavenLifecycleParticipant
+import org.apache.maven.cli.MavenCli
+import org.apache.maven.execution.MavenSession
+import org.apache.maven.project.MavenProject
+
+import org.codehaus.plexus.DefaultPlexusContainer
+import org.codehaus.plexus.PlexusContainer
+import org.codehaus.plexus.classworlds.ClassWorld
+import org.codehaus.plexus.logging.BaseLoggerManager
+
+import org.eclipse.aether.graph.DependencyNode
+
+import org.ossreviewtoolkit.analyzer.AbstractPackageManagerFactory
+import org.ossreviewtoolkit.analyzer.PackageManager
+import org.ossreviewtoolkit.analyzer.PackageManagerResult
+import org.ossreviewtoolkit.analyzer.ProjectResults
+import org.ossreviewtoolkit.model.DependencyGraph
+import org.ossreviewtoolkit.model.ProjectAnalyzerResult
+import org.ossreviewtoolkit.model.config.AnalyzerConfiguration
+import org.ossreviewtoolkit.model.config.RepositoryConfiguration
+import org.ossreviewtoolkit.model.utils.DependencyGraphBuilder
+import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.DependencyTreeLogger
+import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.LocalProjectWorkspaceReader
+import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.MavenDependencyHandler
+import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.MavenLogger
+import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.MavenSupport
+import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.identifier
+import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.internalId
+import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.isTychoProject
+import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.parseDependencyTree
+import org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.toOrtProject
+import org.ossreviewtoolkit.utils.ort.createOrtTempFile
+
+/**
+ * A package manager implementation supporting Maven projects using [Tycho](https://github.com/eclipse-tycho/tycho).
+ */
+class Tycho(
+    name: String,
+    analysisRoot: File,
+    analyzerConfig: AnalyzerConfiguration,
+    repoConfig: RepositoryConfiguration
+) : PackageManager(name, "Tycho", analysisRoot, analyzerConfig, repoConfig) {
+    class Factory : AbstractPackageManagerFactory<Tycho>("Tycho") {
+        override val globsForDefinitionFiles = listOf("pom.xml")
+
+        override fun create(
+            analysisRoot: File,
+            analyzerConfig: AnalyzerConfiguration,
+            repoConfig: RepositoryConfiguration
+        ) = Tycho(type, analysisRoot, analyzerConfig, repoConfig)
+    }
+
+    /**
+     * The builder to generate the dependency graph. This could actually be a local variable, but it is also needed
+     * to construct the final [PackageManagerResult].
+     */
+    private lateinit var graphBuilder: DependencyGraphBuilder<DependencyNode>
+
+    override fun mapDefinitionFiles(definitionFiles: List<File>): List<File> = definitionFiles.filter(::isTychoProject)
+
+    override fun resolveDependencies(definitionFile: File, labels: Map<String, String>): List<ProjectAnalyzerResult> {
+        logger.info { "Resolving Tycho dependencies for $definitionFile." }
+
+        val collector = TychoProjectsCollector()
+        val (_, buildLog) = runBuild(collector, definitionFile.parentFile)
+        // TODO: Create issues for a failed build and projects for which dependencies could not be resolved.
+
+        val resolvedProjects = createMavenSupport(collector).use { mavenSupport ->
+            val dependencyHandler =
+                MavenDependencyHandler(managerName, projectType, mavenSupport, collector.mavenProjects, false)
+
+            graphBuilder = DependencyGraphBuilder(dependencyHandler)
+
+            buildLog.inputStream().use { stream ->
+                parseDependencyTree(stream, collector.mavenProjects.values).map { projectNode ->
+                    val project = collector.mavenProjects.getValue(projectNode.artifact.identifier())
+                    processProjectDependencies(graphBuilder, project, projectNode.children)
+                    project
+                }.toList()
+            }
+        }
+
+        buildLog.delete()
+
+        return resolvedProjects.map { mavenProject ->
+            val projectId = mavenProject.identifier(projectType)
+            val project = mavenProject.toOrtProject(
+                projectId,
+                mavenProject.file,
+                mavenProject.file.parentFile,
+                graphBuilder.scopesFor(projectId)
+            )
+            ProjectAnalyzerResult(project, emptySet())
+        }
+    }
+
+    override fun createPackageManagerResult(projectResults: ProjectResults): PackageManagerResult =
+        PackageManagerResult(projectResults, graphBuilder.build(), graphBuilder.packages())
+
+    /**
+     * Create the [MavenCli] instance to trigger a build on the analyzed project. Register the given [collector], so
+     * that it is invoked during the build. Also install a specific logger that forwards the output of the dependency
+     * tree plugin to the given [outputStream].
+     */
+    private fun createMavenCli(collector: TychoProjectsCollector, outputStream: PrintStream): MavenCli =
+        object : MavenCli(ClassWorld("plexus.core", javaClass.classLoader)) {
+            override fun customizeContainer(container: PlexusContainer) {
+                container.addComponent(
+                    collector,
+                    AbstractMavenLifecycleParticipant::class.java,
+                    "TychoProjectsCollector"
+                )
+
+                (container as? DefaultPlexusContainer)?.loggerManager = object : BaseLoggerManager() {
+                    override fun createLogger(name: String): org.codehaus.plexus.logging.Logger =
+                        if (DEPENDENCY_TREE_LOGGER == name) {
+                            DependencyTreeLogger(outputStream)
+                        } else {
+                            MavenLogger(logger.delegate.level)
+                        }
+                }
+            }
+        }
+
+    /**
+     * Run a Maven build on the Tycho project in [projectRoot] utilizing the given [collector]. Return a pair with
+     * the exit code of the Maven project and a [File] that contains the output generated during the build.
+     */
+    private fun runBuild(collector: TychoProjectsCollector, projectRoot: File): Pair<Int, File> {
+        // The Maven CLI seems to change the context class loader. This has side effects on ORT's plugin mechanism.
+        // To prevent this, store the class loader and restore it at the end of this function.
+        val tccl = Thread.currentThread().contextClassLoader
+
+        try {
+            val buildLog = createOrtTempFile()
+
+            val exitCode = PrintStream(buildLog.outputStream()).use { out ->
+                val cli = createMavenCli(collector, out)
+
+                // With the current CLI API, there does not seem to be another way to set the build root folder than
+                // using a system property.
+                System.setProperty(MavenCli.MULTIMODULE_PROJECT_DIRECTORY, projectRoot.absolutePath)
+
+                cli.doMain(
+                    // The "package" goal is required; otherwise the Tycho extension is not activated.
+                    arrayOf("package", "dependency:tree", "-DoutputType=json"),
+                    projectRoot.path,
+                    null,
+                    null
+                ).also { logger.info { "Tycho analysis completed. Exit code: $it." } }
+            }
+
+            return exitCode to buildLog
+        } finally {
+            Thread.currentThread().contextClassLoader = tccl
+        }
+    }
+
+    /**
+     * Create a [MavenSupport] instance to be used for resolving the packages found during the Maven build. Obtain
+     * the local projects from the given [collector]
+     */
+    private fun createMavenSupport(collector: TychoProjectsCollector): MavenSupport {
+        val localProjects = collector.mavenProjects
+        val resolveFunc: (String) -> File? = { projectId -> localProjects[projectId]?.file }
+
+        return MavenSupport(LocalProjectWorkspaceReader(resolveFunc))
+    }
+
+    /**
+     * Process the [dependencies] of the given [project] by adding them to the [graphBuilder].
+     */
+    private fun processProjectDependencies(
+        graphBuilder: DependencyGraphBuilder<DependencyNode>,
+        project: MavenProject,
+        dependencies: Collection<DependencyNode>
+    ) {
+        val projectId = project.identifier(projectType)
+
+        dependencies.forEach { node ->
+            graphBuilder.addDependency(DependencyGraph.qualifyScope(projectId, node.dependency.scope), node)
+        }
+    }
+}
+
+/** The name of the logger used by the Maven dependency tree plugin. */
+private const val DEPENDENCY_TREE_LOGGER = "org.apache.maven.plugins.dependency.tree.TreeMojo"
+
+/**
+ * An internal helper class that gets registered as a Maven lifecycle participant to obtain all [MavenProject]s
+ * encountered during the build.
+ */
+internal class TychoProjectsCollector : AbstractMavenLifecycleParticipant() {
+    /**
+     * Stores the projects that have been found during the Maven build. To be on the safe side with regard to
+     * possible threading issues, use an [AtomicReference] to ensure safe publication.
+     */
+    private val projects = AtomicReference<Map<String, MavenProject>>(emptyMap())
+
+    /**
+     * Return the projects that have been found during the Maven build.
+     */
+    val mavenProjects: Map<String, MavenProject>
+        get() = projects.get()
+
+    override fun afterSessionEnd(session: MavenSession) {
+        val builtProjects = session.projects.associateBy(MavenProject::internalId)
+        projects.set(builtProjects)
+
+        logger.info { "Found ${builtProjects.size} projects during build." }
+    }
+}

plugins/package-managers/maven/src/main/kotlin/utils/Extensions.kt

@@ -49,6 +49,12 @@ internal fun MavenProject.identifier(projectType: String): Identifier =
         version = version
     )
 
+/**
+ * Return an internal ID string to uniquely identify this [MavenProject] during the currently ongoing analysis.
+ */
+internal val MavenProject.internalId: String
+    get() = "$groupId:$artifactId:$version"
+
 /**
  * Convert this [MavenProject] to an ORT [Project] using the given [identifier], the path to the [definitionFile],
  * the [projectDir], and the set of [scopeNames].

plugins/package-managers/maven/src/main/kotlin/utils/MavenSupport.kt

@@ -219,9 +219,8 @@ class MavenSupport(private val workspaceReader: WorkspaceReader) : Closeable {
                 }
             } else {
                 val project = projectBuildingResult.project
-                val identifier = "${project.groupId}:${project.artifactId}:${project.version}"
 
-                result[identifier] = projectBuildingResult
+                result[project.internalId] = projectBuildingResult
             }
         }
 

plugins/package-managers/maven/src/main/resources/META-INF/services/org.ossreviewtoolkit.analyzer.PackageManagerFactory

@@ -1 +1,2 @@
 org.ossreviewtoolkit.plugins.packagemanagers.maven.Maven$Factory
+org.ossreviewtoolkit.plugins.packagemanagers.maven.Tycho$Factory

plugins/package-managers/maven/src/test/kotlin/TychoTest.kt

@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2025 The ORT Project Authors (see <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.ossreviewtoolkit.plugins.packagemanagers.maven
+
+import io.kotest.core.spec.style.WordSpec
+import io.kotest.engine.spec.tempdir
+import io.kotest.matchers.collections.shouldContainExactlyInAnyOrder
+
+import io.mockk.mockk
+
+class TychoTest : WordSpec({
+    "mapDefinitionFiles()" should {
+        "select only Tycho root projects" {
+            val tychoProjectDir1 = tempdir()
+            tychoProjectDir1.addTychoExtension()
+            val tychoDefinitionFile1 = tychoProjectDir1.resolve("pom.xml").also { it.writeText("pom-tycho1") }
+            val tychoSubProjectDir = tychoProjectDir1.resolve("subproject")
+            val tychoSubModule = tychoSubProjectDir.resolve("pom.xml")
+            val tychoProjectDir2 = tempdir()
+            tychoProjectDir2.addTychoExtension()
+            val tychoDefinitionFile2 = tychoProjectDir2.resolve("pom.xml").also { it.writeText("pom-tycho2") }
+
+            val mavenProjectDir = tempdir()
+            val mavenDefinitionFile = mavenProjectDir.resolve("pom.xml").also { it.writeText("pom-maven") }
+            val mavenSubProjectDir = mavenProjectDir.resolve("subproject")
+            val mavenSubModule = mavenSubProjectDir.resolve("pom.xml")
+
+            val definitionFiles = listOf(
+                tychoDefinitionFile1,
+                mavenDefinitionFile,
+                tychoDefinitionFile2,
+                mavenSubModule,
+                tychoSubModule
+            )
+
+            val tycho = Tycho("Tycho", tempdir(), mockk(relaxed = true), mockk(relaxed = true))
+            val mappedDefinitionFiles = tycho.mapDefinitionFiles(definitionFiles)
+
+            mappedDefinitionFiles shouldContainExactlyInAnyOrder listOf(tychoDefinitionFile1, tychoDefinitionFile2)
+        }
+    }
+})