spdx · eygraber · Nov 8, 2023 · eygraber · Jun 13, 2023 · loosebazooka
diff --git a/src/main/java/org/spdx/sbom/gradle/SpdxSbomPlugin.java b/src/main/java/org/spdx/sbom/gradle/SpdxSbomPlugin.java
@@ -15,31 +15,18 @@
  */
 package org.spdx.sbom.gradle;
 
-import java.io.File;
-import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
-import java.util.Map;
 import java.util.Map.Entry;
-import java.util.Set;
 import java.util.stream.Collectors;
 import org.gradle.api.Plugin;
 import org.gradle.api.Project;
 import org.gradle.api.Task;
-import org.gradle.api.Transformer;
-import org.gradle.api.artifacts.Configuration;
-import org.gradle.api.artifacts.Dependency;
-import org.gradle.api.artifacts.component.ComponentArtifactIdentifier;
-import org.gradle.api.artifacts.component.ModuleComponentIdentifier;
 import org.gradle.api.artifacts.repositories.MavenArtifactRepository;
-import org.gradle.api.artifacts.result.ArtifactResult;
-import org.gradle.api.artifacts.result.ResolvedArtifactResult;
 import org.gradle.api.artifacts.result.ResolvedComponentResult;
 import org.gradle.api.provider.Provider;
 import org.gradle.api.tasks.TaskProvider;
-import org.gradle.internal.component.local.model.OpaqueComponentIdentifier;
 import org.spdx.sbom.gradle.SpdxSbomExtension.Target;
-import org.spdx.sbom.gradle.maven.PomResolver;
 import org.spdx.sbom.gradle.project.DocumentInfo;
 import org.spdx.sbom.gradle.project.ProjectInfo;
 import org.spdx.sbom.gradle.project.ScmInfo;
@@ -111,15 +98,6 @@ private void createTaskForTarget(
 
                   List<String> configurationNames = target.getConfigurations().get();
                   for (var configurationName : configurationNames) {
-                    Provider<Set<ResolvedArtifactResult>> artifacts =
-                        project
-                            .getConfigurations()
-                            .getByName(configurationName)
-                            .getIncoming()
-                            .getArtifacts()
-                            .getResolvedArtifacts();
-                    t.getResolvedArtifacts().putAll(artifacts.map(new ArtifactTransformer()));
-
                     Provider<ResolvedComponentResult> rootComponent =
                         project
                             .getConfigurations()
@@ -128,24 +106,6 @@ private void createTaskForTarget(
                             .getResolutionResult()
                             .getRootComponent();
 
-                    Configuration pomsConfig =
-                        project
-                            .getConfigurations()
-                            .detachedConfiguration(
-                                project
-                                    .getConfigurations()
-                                    .getByName(configurationName)
-                                    .getIncoming()
-                                    .getResolutionResult()
-                                    .getAllComponents()
-                                    .stream()
-                                    .filter(rcr -> rcr.getId() instanceof ModuleComponentIdentifier)
-                                    .map(rcr -> rcr.getId().getDisplayName() + "@pom")
-                                    .map(pom -> project.getDependencies().create(pom))
-                                    .toArray(Dependency[]::new));
-                    t.getPoms()
-                        .putAll(PomResolver.newPomResolver(project).effectivePoms(pomsConfig));
-
                     t.getRootComponents().add(rootComponent);
                   }
                   t.getMavenRepositories()
@@ -160,23 +120,9 @@ private void createTaskForTarget(
                                               e -> e,
                                               e ->
                                                   ((MavenArtifactRepository)
-                                                          project.getRepositories().getByName(e))
+                                                      project.getRepositories().getByName(e))
                                                       .getUrl()))));
                 });
     aggregate.configure(t -> t.dependsOn(task));
   }
-
-  private static class ArtifactTransformer
-      implements Transformer<
-          Map<ComponentArtifactIdentifier, File>, Collection<ResolvedArtifactResult>> {
-
-    @Override
-    public Map<ComponentArtifactIdentifier, File> transform(
-        Collection<ResolvedArtifactResult> resolvedArtifactResults) {
-      return resolvedArtifactResults.stream()
-          // ignore gradle API components as they cannot be serialized
-          .filter(x -> !(x.getId().getComponentIdentifier() instanceof OpaqueComponentIdentifier))
-          .collect(Collectors.toMap(ArtifactResult::getId, ResolvedArtifactResult::getFile));
-    }
-  }
 }
diff --git a/src/main/java/org/spdx/sbom/gradle/SpdxSbomTask.java b/src/main/java/org/spdx/sbom/gradle/SpdxSbomTask.java
@@ -18,10 +18,22 @@
 import java.io.File;
 import java.io.FileOutputStream;
 import java.net.URI;
+import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.stream.Collectors;
+import javax.inject.Inject;
 import org.gradle.api.DefaultTask;
+import org.gradle.api.artifacts.ConfigurationContainer;
 import org.gradle.api.artifacts.component.ComponentArtifactIdentifier;
+import org.gradle.api.artifacts.component.ComponentIdentifier;
+import org.gradle.api.artifacts.dsl.DependencyHandler;
+import org.gradle.api.artifacts.result.DependencyResult;
+import org.gradle.api.artifacts.result.ResolvedArtifactResult;
 import org.gradle.api.artifacts.result.ResolvedComponentResult;
+import org.gradle.api.artifacts.result.ResolvedDependencyResult;
 import org.gradle.api.file.DirectoryProperty;
 import org.gradle.api.provider.ListProperty;
 import org.gradle.api.provider.MapProperty;
@@ -31,11 +43,13 @@
 import org.gradle.api.tasks.Internal;
 import org.gradle.api.tasks.OutputDirectory;
 import org.gradle.api.tasks.TaskAction;
+import org.gradle.maven.MavenModule;
+import org.gradle.maven.MavenPomArtifact;
 import org.spdx.jacksonstore.MultiFormatStore;
 import org.spdx.jacksonstore.MultiFormatStore.Format;
 import org.spdx.library.model.SpdxDocument;
 import org.spdx.sbom.gradle.extensions.SpdxSbomTaskExtension;
-import org.spdx.sbom.gradle.maven.PomInfo;
+import org.spdx.sbom.gradle.maven.PomResolver;
 import org.spdx.sbom.gradle.project.DocumentInfo;
 import org.spdx.sbom.gradle.project.ProjectInfo;
 import org.spdx.sbom.gradle.project.ScmInfo;
@@ -45,16 +59,18 @@
 import org.spdx.storage.simple.InMemSpdxStore;
 
 public abstract class SpdxSbomTask extends DefaultTask {
+  @Inject
+  protected abstract DependencyHandler getDependencyHandler();
+
+  @Inject
+  protected abstract ConfigurationContainer getConfigurations();
 
   @Internal
   abstract Property<SpdxKnownLicensesService> getSpdxKnownLicensesService();
 
   @Input
   abstract ListProperty<ResolvedComponentResult> getRootComponents();
 
-  @Input
-  abstract MapProperty<ComponentArtifactIdentifier, File> getResolvedArtifacts();
-
   @OutputDirectory
   public abstract DirectoryProperty getOutputDirectory();
 
@@ -64,9 +80,6 @@ public abstract class SpdxSbomTask extends DefaultTask {
   @Input
   abstract MapProperty<String, URI> getMavenRepositories();
 
-  @Input
-  abstract MapProperty<String, PomInfo> getPoms();
-
   @Input
   abstract Property<String> getFilename();
 
@@ -84,6 +97,37 @@ public abstract class SpdxSbomTask extends DefaultTask {
 
   @TaskAction
   public void generateSbom() throws Exception {
+    Set<ComponentIdentifier> componentIds = new HashSet<>();
+    for (var rootComponent : getRootComponents().get()) {
+      componentIds.addAll(
+          gatherSelectedDependencies(rootComponent, new HashSet<>(), new HashSet<>()));
+    }
+
+    Map<ComponentArtifactIdentifier, File> resolvedArtifactsById = new HashMap<>();
+
+    @SuppressWarnings("unchecked")
+    List<ResolvedArtifactResult> resolvedArtifactResults =
+        getDependencyHandler()
+            .createArtifactResolutionQuery()
+            .forComponents(componentIds)
+            .withArtifacts(MavenModule.class, MavenPomArtifact.class)
+            .execute()
+            .getResolvedComponents()
+            .stream()
+            .flatMap(
+                componentArtifactsResult ->
+                    componentArtifactsResult.getArtifacts(MavenPomArtifact.class).stream())
+            .filter(artifactResult -> artifactResult instanceof ResolvedArtifactResult)
+            .map(artifactResult -> (ResolvedArtifactResult) artifactResult)
+            .peek(
+                resolvedArtifactResult ->
+                    resolvedArtifactsById.put(
+                        resolvedArtifactResult.getId(), resolvedArtifactResult.getFile()))
+            .collect(Collectors.toList());
+
+    PomResolver pomResolver =
+        PomResolver.newPomResolver(getDependencyHandler(), getConfigurations(), getLogger());
+
     ISerializableModelStore modelStore =
         new MultiFormatStore(new InMemSpdxStore(), Format.JSON_PRETTY);
     SpdxDocumentBuilder documentBuilder =
@@ -92,9 +136,9 @@ public void generateSbom() throws Exception {
             getAllProjects().get(),
             getLogger(),
             modelStore,
-            getResolvedArtifacts().get(),
+            resolvedArtifactsById,
             getMavenRepositories().get(),
-            getPoms().get(),
+            pomResolver.effectivePoms(resolvedArtifactResults),
             getTaskExtension().getOrNull(),
             getDocumentInfo().get(),
             getScmInfo().get(),
@@ -114,4 +158,21 @@ public void generateSbom() throws Exception {
         new FileOutputStream(getOutputDirectory().file(getFilename()).get().getAsFile());
     modelStore.serialize(doc.getDocumentUri(), out);
   }
+
+  private Set<ComponentIdentifier> gatherSelectedDependencies(
+      ResolvedComponentResult component,
+      Set<ResolvedComponentResult> seenComponents,
+      Set<ComponentIdentifier> componentIds) {
+    if (seenComponents.add(component)) {
+      for (DependencyResult dep : component.getDependencies()) {
+        if (dep instanceof ResolvedDependencyResult) {
+          ResolvedDependencyResult resolvedDep = (ResolvedDependencyResult) dep;
+          componentIds.add(resolvedDep.getSelected().getId());
+          gatherSelectedDependencies(resolvedDep.getSelected(), seenComponents, componentIds);
+        }
+      }
+    }
+
+    return componentIds;
+  }
 }
diff --git a/src/main/java/org/spdx/sbom/gradle/maven/GradleMavenResolver.java b/src/main/java/org/spdx/sbom/gradle/maven/GradleMavenResolver.java
@@ -21,20 +21,24 @@
 import org.apache.maven.model.building.FileModelSource;
 import org.apache.maven.model.building.ModelSource2;
 import org.apache.maven.model.resolution.ModelResolver;
-import org.gradle.api.Project;
+import org.gradle.api.artifacts.ConfigurationContainer;
+import org.gradle.api.artifacts.dsl.DependencyHandler;
 
 public class GradleMavenResolver implements ModelResolver {
-  private final Project project;
+  private final DependencyHandler dependencies;
+  private final ConfigurationContainer configurations;
 
-  public GradleMavenResolver(Project project) {
-    this.project = project;
+  public GradleMavenResolver(
+      DependencyHandler dependencies, ConfigurationContainer configurations) {
+    this.dependencies = dependencies;
+    this.configurations = configurations;
   }
 
   @Override
   public ModelSource2 resolveModel(String groupId, String artifactId, String version) {
     var dep = groupId + ":" + artifactId + ":" + version + "@pom";
-    var dependency = project.getDependencies().create(dep);
-    var config = project.getConfigurations().detachedConfiguration(dependency);
+    var dependency = dependencies.create(dep);
+    var config = configurations.detachedConfiguration(dependency);
 
     var pomXml = config.getSingleFile();
     return new FileModelSource(pomXml);

diff --git a/src/main/java/org/spdx/sbom/gradle/maven/PomResolver.java b/src/main/java/org/spdx/sbom/gradle/maven/PomResolver.java
@@ -19,6 +19,7 @@
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.stream.Collectors;
@@ -29,9 +30,10 @@
 import org.apache.maven.model.building.ModelBuildingException;
 import org.apache.maven.model.building.ModelBuildingRequest;
 import org.gradle.api.GradleException;
-import org.gradle.api.Project;
-import org.gradle.api.artifacts.Configuration;
+import org.gradle.api.artifacts.ConfigurationContainer;
 import org.gradle.api.artifacts.component.ComponentIdentifier;
+import org.gradle.api.artifacts.dsl.DependencyHandler;
+import org.gradle.api.artifacts.result.ResolvedArtifactResult;
 import org.gradle.api.logging.Logger;
 
 /** This needs to be run *before* while configuring the task, so use it in the Plugin. */
@@ -40,9 +42,12 @@ public class PomResolver {
   private final GradleMavenResolver gradleMavenResolver;
   private final Logger logger;
 
-  public static PomResolver newPomResolver(Project project) {
+  public static PomResolver newPomResolver(
+      DependencyHandler dependencies, ConfigurationContainer configurations, Logger logger) {
     return new PomResolver(
-        new GradleMavenResolver(project), new DefaultModelBuilderFactory(), project.getLogger());
+        new GradleMavenResolver(dependencies, configurations),
+        new DefaultModelBuilderFactory(),
+        logger);
   }
 
   PomResolver(
@@ -54,9 +59,9 @@ public static PomResolver newPomResolver(Project project) {
     this.logger = logger;
   }
 
-  public Map<String, PomInfo> effectivePoms(Configuration pomsConfig) {
+  public Map<String, PomInfo> effectivePoms(List<ResolvedArtifactResult> resolvedArtifactResults) {
     Map<String, PomInfo> effectivePoms = new HashMap<>();
-    for (var ra : pomsConfig.getIncoming().getArtifacts().getResolvedArtifacts().get()) {
+    for (var ra : resolvedArtifactResults) {
       var pomFile = ra.getFile();
       Model model = resolveEffectivePom(pomFile);
       effectivePoms.put(