Merge pull request #44 from RHEcosystemAppEng/ignore-test-deps

fix: dependencies with Test/Dev scope not ignored https://issues.redhat.com/browse/TC-540
RHEcosystemAppEng · Sep 10, 2023 · 9beb2cc · 9beb2cc
2 parents afd9786 + 497da1b
commit 9beb2cc
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 431 deletions.
diff --git a/src/main/java/com/redhat/exhort/providers/JavaMavenProvider.java b/src/main/java/com/redhat/exhort/providers/JavaMavenProvider.java
@@ -71,6 +71,8 @@ public Content provideStack(final Path manifestPath) throws IOException {
       add("-q");
       add("dependency:tree");
       add("-DoutputType=dot");
+      add("-Dscope=compile");
+      add("-Dscope=runtime");
       add(String.format("-DoutputFile=%s", tmpFile.toString()));
       add("-f");
       add(manifestPath.toString());
@@ -148,10 +150,13 @@ public Content provideComponent(byte[] manifestContent) throws IOException {
     Operations.runProcess(mvnEffPomCmd);
     // if we have dependencies marked as ignored grab ignored dependencies from the original pom
     // the effective-pom goal doesn't carry comments
-    var ignored = getDependencies(originPom).stream().filter(d -> d.ignored).map(DependencyAggregator::toPurl).collect(Collectors.toSet());
+    List<DependencyAggregator> dependencies = getDependencies(originPom);
+    var ignored = dependencies.stream().filter(d -> d.ignored).map(DependencyAggregator::toPurl).collect(Collectors.toSet());
+    var testsDeps = dependencies.stream().filter(DependencyAggregator::isTestDependency).collect(Collectors.toSet());
     var deps = getDependencies(tmpEffPom);
     var sbom = SbomFactory.newInstance().addRoot(getRoot(tmpEffPom));
     deps.stream()
+      .filter(dep -> !testsDeps.contains(dep))
       .map(DependencyAggregator::toPurl)
       .filter(dep -> !ignored.contains(dep))
       .forEach(d -> sbom.addDependency(sbom.getRoot(), d));
@@ -251,6 +256,11 @@ private List<DependencyAggregator> getDependencies(final Path manifestPath) thro
                 reader.next();
                 dependencyAggregator.artifactId = reader.getText();
                 break;
+
+              case "scope":
+                reader.next();
+                dependencyAggregator.scope = reader.getText() != null ? reader.getText() : "*";
+                break;
               case "version": // starting "version" tag, get next event and set to aggregator
                 reader.next();
                 dependencyAggregator.version = reader.getText();
@@ -284,6 +294,7 @@ private List<DependencyAggregator> getDependencies(final Path manifestPath) thro
   // add property here and a case in the start-element-switch in the getIgnored method
   /** Aggregator class for aggregating Dependency data over stream iterations, **/
   private final static class DependencyAggregator {
+    private String scope="*";
     private String groupId;
     private String artifactId;
     private String version;
@@ -296,13 +307,18 @@ private final static class DependencyAggregator {
     @Override
     public String toString() {
       // NOTE if you add scope, don't forget to replace the * with its value
-      return String.format("%s:%s:*:%s", groupId, artifactId, version);
+      return String.format("%s:%s:%s:%s", groupId, artifactId,scope, version);
     }
 
     public boolean isValid() {
       return Objects.nonNull(groupId) && Objects.nonNull(artifactId) && Objects.nonNull(version);
     }
 
+    public boolean isTestDependency()
+    {
+      return scope.trim().equals("test");
+    }
+
     /**
      * Convert the {@link DependencyAggregator} object to a {@link PackageAggregator}
      * @return a new instance of {@link PackageAggregator}

diff --git a/...st/resources/tst_manifests/maven/deps_no_trivial_with_ignore/expected_component_sbom.json b/...st/resources/tst_manifests/maven/deps_no_trivial_with_ignore/expected_component_sbom.json
@@ -30,14 +30,6 @@
       "type" : "library",
       "bom-ref" : "pkg:maven/org.springframework.boot/spring-boot-starter-web@3.1.3"
     },
-    {
-      "group" : "org.springframework.boot",
-      "name" : "spring-boot-starter-test",
-      "version" : "3.1.3",
-      "purl" : "pkg:maven/org.springframework.boot/spring-boot-starter-test@3.1.3",
-      "type" : "library",
-      "bom-ref" : "pkg:maven/org.springframework.boot/spring-boot-starter-test@3.1.3"
-    },
     {
       "group" : "io.quarkus",
       "name" : "quarkus-resteasy",
@@ -68,7 +60,6 @@
       "ref" : "pkg:maven/pom-no-trivial-with-deps-and-ignore/demo@0.0.1",
       "dependsOn" : [
         "pkg:maven/org.springframework.boot/spring-boot-starter-web@3.1.3",
-        "pkg:maven/org.springframework.boot/spring-boot-starter-test@3.1.3",
         "pkg:maven/io.quarkus/quarkus-resteasy@2.7.7.Final",
         "pkg:maven/org.keycloak/keycloak-saml-core@1.8.1.Final",
         "pkg:maven/io.quarkus/quarkus-vertx-http@2.13.5.Final"
@@ -78,10 +69,6 @@
       "ref" : "pkg:maven/org.springframework.boot/spring-boot-starter-web@3.1.3",
       "dependsOn" : [ ]
     },
-    {
-      "ref" : "pkg:maven/org.springframework.boot/spring-boot-starter-test@3.1.3",
-      "dependsOn" : [ ]
-    },
     {
       "ref" : "pkg:maven/io.quarkus/quarkus-resteasy@2.7.7.Final",
       "dependsOn" : [ ]