Merge pull request #355 from knrc/remove_dependency_collection

Remove extra dependency collection through Mojo annotation, fixes #354

src/main/java/org/cyclonedx/maven/CycloneDxAggregateMojo.java

@@ -43,9 +43,7 @@
         defaultPhase = LifecyclePhase.PACKAGE,
         threadSafe = true,
         aggregator = true,
-        requiresOnline = true,
-        requiresDependencyCollection = ResolutionScope.TEST,
-        requiresDependencyResolution = ResolutionScope.TEST
+        requiresOnline = true
 )
 public class CycloneDxAggregateMojo extends CycloneDxMojo {
     @Parameter(property = "reactorProjects", readonly = true, required = true)
@@ -129,7 +127,7 @@ protected String extractComponentsAndDependencies(final Set<String> topLevelComp
             components.put(projectBomComponent.getPurl(), projectBomComponent);
             topLevelComponents.add(projectBomComponent.getPurl());
 
-            populateComponents(topLevelComponents, components, bomDependencies.getArtifacts(), doProjectDependencyAnalysis(mavenProject));
+            populateComponents(topLevelComponents, components, bomDependencies.getArtifacts(), doProjectDependencyAnalysis(mavenProject, bomDependencies));
 
             projectDependencies.forEach(dependencies::putIfAbsent);
         }

src/main/java/org/cyclonedx/maven/CycloneDxMojo.java

@@ -18,6 +18,7 @@
  */
 package org.cyclonedx.maven;
 
+import org.apache.maven.artifact.Artifact;
 import org.apache.maven.plugin.MojoExecutionException;
 import org.apache.maven.plugins.annotations.LifecyclePhase;
 import org.apache.maven.plugins.annotations.Mojo;
@@ -33,6 +34,7 @@
 import org.cyclonedx.model.Component;
 import org.cyclonedx.model.Dependency;
 
+import java.util.LinkedHashSet;
 import java.util.Map;
 import java.util.Set;
 
@@ -43,9 +45,7 @@
         name = "makeBom",
         defaultPhase = LifecyclePhase.PACKAGE,
         threadSafe = true,
-        requiresOnline = true,
-        requiresDependencyCollection = ResolutionScope.TEST,
-        requiresDependencyResolution = ResolutionScope.TEST
+        requiresOnline = true
 )
 public class CycloneDxMojo extends BaseCycloneDxMojo {
 
@@ -82,9 +82,12 @@ private ProjectDependencyAnalyzer getProjectDependencyAnalyzer() throws MojoExec
         return dependencyAnalyzer;
     }
 
-    protected ProjectDependencyAnalysis doProjectDependencyAnalysis(MavenProject mavenProject) throws MojoExecutionException {
+    protected ProjectDependencyAnalysis doProjectDependencyAnalysis(final MavenProject mavenProject, final BomDependencies bomDependencies) throws MojoExecutionException {
+        final MavenProject localMavenProject = new MavenProject(mavenProject);
+        localMavenProject.setArtifacts(new LinkedHashSet<>(bomDependencies.getArtifacts().values()));
+        localMavenProject.setDependencyArtifacts(new LinkedHashSet<>(bomDependencies.getDependencyArtifacts().values()));
         try {
-            return getProjectDependencyAnalyzer().analyze(mavenProject);
+            return getProjectDependencyAnalyzer().analyze(localMavenProject);
         } catch (ProjectDependencyAnalyzerException pdae) {
             getLog().debug("Could not analyze " + mavenProject.getId(), pdae); // TODO should warn...
         }
@@ -101,7 +104,7 @@ protected String extractComponentsAndDependencies(final Set<String> topLevelComp
         components.put(projectBomComponent.getPurl(), projectBomComponent);
         topLevelComponents.add(projectBomComponent.getPurl());
 
-        populateComponents(topLevelComponents, components, bomDependencies.getArtifacts(), doProjectDependencyAnalysis(getProject()));
+        populateComponents(topLevelComponents, components, bomDependencies.getArtifacts(), doProjectDependencyAnalysis(getProject(), bomDependencies));
 
         projectDependencies.forEach(dependencies::putIfAbsent);
 

src/main/java/org/cyclonedx/maven/CycloneDxPackageMojo.java

@@ -43,9 +43,7 @@
         defaultPhase = LifecyclePhase.PACKAGE,
         threadSafe = true,
         aggregator = true,
-        requiresOnline = true,
-        requiresDependencyCollection = ResolutionScope.TEST,
-        requiresDependencyResolution = ResolutionScope.TEST
+        requiresOnline = true
 )
 public class CycloneDxPackageMojo extends BaseCycloneDxMojo {
     @Parameter(property = "reactorProjects", readonly = true, required = true)

src/main/java/org/cyclonedx/maven/DefaultProjectDependenciesConverter.java

@@ -26,6 +26,7 @@
 import org.apache.maven.project.ProjectBuildingRequest;
 import org.apache.maven.shared.dependency.graph.DependencyCollectorBuilder;
 import org.apache.maven.shared.dependency.graph.DependencyCollectorBuilderException;
+import org.apache.maven.shared.dependency.graph.internal.ConflictData;
 import org.apache.maven.shared.dependency.graph.internal.DefaultDependencyCollectorBuilder;
 import org.cyclonedx.model.Component;
 import org.cyclonedx.model.Dependency;
@@ -38,6 +39,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.lang.reflect.Field;
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.Iterator;
@@ -73,12 +75,13 @@ public BomDependencies extractBOMDependencies(MavenProject mavenProject, MavenDe
 
         final Map<String, Dependency> dependencies = new LinkedHashMap<>();
         final Map<String, Artifact> mavenArtifacts = new LinkedHashMap<>();
+        final Map<String, Artifact> mavenDependencyArtifacts = new LinkedHashMap<>();
         try {
             final DelegatingRepositorySystem delegateRepositorySystem = new DelegatingRepositorySystem(aetherRepositorySystem);
             final DependencyCollectorBuilder dependencyCollectorBuilder = new DefaultDependencyCollectorBuilder(delegateRepositorySystem);
 
             final org.apache.maven.shared.dependency.graph.DependencyNode mavenRoot = dependencyCollectorBuilder.collectDependencyGraph(buildingRequest, null);
-            populateArtifactMap(mavenArtifacts, mavenRoot, false);
+            populateArtifactMap(mavenArtifacts, mavenDependencyArtifacts, mavenRoot, 0);
 
             final CollectResult collectResult = delegateRepositorySystem.getCollectResult();
             if (collectResult == null) {
@@ -95,16 +98,45 @@ public BomDependencies extractBOMDependencies(MavenProject mavenProject, MavenDe
             // rather than throwing an exception https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/55
             logger.warn("An error occurred building dependency graph: " + e.getMessage());
         }
-        return new BomDependencies(dependencies, mavenArtifacts);
+        return new BomDependencies(dependencies, mavenArtifacts, mavenDependencyArtifacts);
     }
 
-    private void populateArtifactMap(final Map<String, Artifact> artifactMap, final org.apache.maven.shared.dependency.graph.DependencyNode node, final boolean resolve) {
+    private void populateArtifactMap(final Map<String, Artifact> artifactMap, final Map<String, Artifact> dependencyArtifactMap, final org.apache.maven.shared.dependency.graph.DependencyNode node, final int level) {
+        final ConflictData conflictData = getConflictData(node);
+        if ((conflictData != null) && (conflictData.getWinnerVersion() != null)) {
+            return;
+        }
+
         final Artifact artifact = node.getArtifact();
         final String purl = modelConverter.generatePackageUrl(artifact);
-        artifactMap.putIfAbsent(purl, artifact);
+        if (level > 0) {
+            artifactMap.putIfAbsent(purl, artifact);
+        }
+        if (level == 1) {
+            dependencyArtifactMap.putIfAbsent(purl, artifact);
+        }
 
+        final int childLevel = level + 1;
         for (org.apache.maven.shared.dependency.graph.DependencyNode child: node.getChildren()) {
-            populateArtifactMap(artifactMap, child, true);
+            populateArtifactMap(artifactMap, dependencyArtifactMap, child, childLevel);
+        }
+    }
+
+    private ConflictData getConflictData(final org.apache.maven.shared.dependency.graph.DependencyNode node) {
+        if (!node.getChildren().isEmpty()) {
+            return null;
+        }
+        final Field field ;
+        try {
+            field = node.getClass().getDeclaredField("data");
+        } catch (final NoSuchFieldException nsfe) {
+            return null;
+        }
+        field.setAccessible(true);
+        try {
+            return (ConflictData)field.get(node);
+        } catch (final IllegalAccessException iae) {
+            return null;
         }
     }
 

src/main/java/org/cyclonedx/maven/ProjectDependenciesConverter.java

@@ -60,16 +60,22 @@ public MavenDependencyScopes(boolean compile, boolean provided, boolean runtime,
     public static class BomDependencies {
         private final Map<String, Dependency> dependencies;
         private final Map<String, Artifact> artifacts;
+        private final Map<String, Artifact> dependencyArtifacts;
 
-        public BomDependencies(final Map<String, Dependency> dependencies, final Map<String, Artifact> artifacts) {
+        public BomDependencies(final Map<String, Dependency> dependencies, final Map<String, Artifact> artifacts, final Map<String, Artifact> dependencyArtifacts) {
             this.dependencies = dependencies;
             this.artifacts = artifacts;
+            this.dependencyArtifacts = dependencyArtifacts;
         }
 
         public final Map<String, Dependency> getDependencies() {
             return dependencies;
         }
 
+        public final Map<String, Artifact> getDependencyArtifacts() {
+            return dependencyArtifacts;
+        }
+
         public final Map<String, Artifact> getArtifacts() {
             return artifacts;
         }