Add support for maven optionality, fixes CycloneDX#314

Signed-off-by: Kevin Conner <kev.conner@gmail.com>

src/main/java/org/cyclonedx/maven/BaseCycloneDxMojo.java

@@ -167,6 +167,16 @@ public abstract class BaseCycloneDxMojo extends AbstractMojo {
     @Parameter(property = "excludeTypes", required = false)
     private String[] excludeTypes;
 
+    /**
+     * Define component scope (REQUIRED/OPTIONAL) using the maven artifact optionality, determined during dependency analysis.
+     *
+     * Note: The default mechanism uses bytecode analysis to determine component scope.
+     *
+     * @since 2.7.6
+     */
+    @Parameter(property = "useMavenOptionality", defaultValue = "false")
+    protected boolean useMavenOptionality;
+
     @org.apache.maven.plugins.annotations.Component(hint = "default")
     private RepositorySystem aetherRepositorySystem;
 
@@ -270,6 +280,8 @@ public void execute() throws MojoExecutionException {
                 if (includeSystemScope) scopes.add("system");
                 if (includeTestScope) scopes.add("test");
                 metadata.addProperty(newProperty("maven.scopes", String.join(",", scopes)));
+
+                metadata.addProperty(newProperty("maven.optionality", Boolean.toString(useMavenOptionality)));
             }
 
             final Component rootComponent = metadata.getComponent();
@@ -407,7 +419,7 @@ protected void populateComponents(final Set<String> topLevelComponents, final Ma
         for (Map.Entry<String, Artifact> entry: artifacts.entrySet()) {
             final String purl = entry.getKey();
             final Artifact artifact = entry.getValue();
-            final Component.Scope artifactScope = (dependencyAnalysis != null ? inferComponentScope(artifact, dependencyAnalysis) : null);
+            final Component.Scope artifactScope = getComponentScope(artifact, dependencyAnalysis);
             final Component component = components.get(purl);
             if (component == null) {
                 final Component newComponent = convert(artifact);
@@ -419,6 +431,25 @@ protected void populateComponents(final Set<String> topLevelComponents, final Ma
         }
     }
 
+    /**
+     * Get the BOM component scope (required/optional/excluded).  The scope can either be determined through bytecode
+     * analysis or through maven dependency resolution.
+     *
+     * @param artifact Artifact from maven project
+     * @param projectDependencyAnalysis Maven Project Dependency Analysis data
+     *
+     * @return Component.Scope - REQUIRED, OPTIONAL or null if it cannot be determined
+     *
+     * @see useMavenOptionality
+     */
+    private Component.Scope getComponentScope(Artifact artifact, ProjectDependencyAnalysis projectDependencyAnalysis) {
+        if (useMavenOptionality) {
+            return (artifact.isOptional() ? Component.Scope.OPTIONAL : Component.Scope.REQUIRED);
+        } else {
+            return inferComponentScope(artifact, projectDependencyAnalysis);
+        }
+    }
+
     /**
      * Infer BOM component scope (required/optional/excluded) based on Maven project dependency analysis.
      *
@@ -427,7 +458,7 @@ protected void populateComponents(final Set<String> topLevelComponents, final Ma
      *
      * @return Component.Scope - REQUIRED: If the component is used (as detected by project dependency analysis). OPTIONAL: If it is unused
      */
-    protected Component.Scope inferComponentScope(Artifact artifact, ProjectDependencyAnalysis projectDependencyAnalysis) {
+    private Component.Scope inferComponentScope(Artifact artifact, ProjectDependencyAnalysis projectDependencyAnalysis) {
         if (projectDependencyAnalysis == null) {
             return null;
         }

src/main/java/org/cyclonedx/maven/CycloneDxMojo.java

@@ -83,6 +83,9 @@ private ProjectDependencyAnalyzer getProjectDependencyAnalyzer() throws MojoExec
     }
 
     protected ProjectDependencyAnalysis doProjectDependencyAnalysis(MavenProject mavenProject) throws MojoExecutionException {
+        if (useMavenOptionality) {
+            return null;
+        }
         try {
             return getProjectDependencyAnalyzer().analyze(mavenProject);
         } catch (ProjectDependencyAnalyzerException pdae) {

src/test/java/org/cyclonedx/maven/BaseMavenVerifier.java

@@ -10,6 +10,7 @@
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStreamReader;
+import java.util.Map;
 import java.util.Properties;
 import org.junit.Rule;
 
@@ -55,10 +56,14 @@ protected File cleanAndBuild(final String project, final String[] excludeTypes)
     }
 
     protected File cleanAndBuild(final String project, final String[] excludeTypes, final String[] profiles) throws Exception {
-        return mvnBuild(project, null, excludeTypes, null);
+        return mvnBuild(project, null, excludeTypes, profiles, null);
     }
 
-    protected File mvnBuild(final String project, final String[] goals, final String[] excludeTypes, final String[] profiles) throws Exception {
+    protected File cleanAndBuild(final String project, final Map<String, String> properties, final String[] excludeTypes) throws Exception {
+        return mvnBuild(project, null, excludeTypes, null, properties);
+    }
+
+    protected File mvnBuild(final String project, final String[] goals, final String[] excludeTypes, final String[] profiles, final Map<String, String> properties) throws Exception {
         File projDir = resources.getBasedir(project);
 
         MavenExecution execution = verifier
@@ -70,7 +75,12 @@ protected File mvnBuild(final String project, final String[] goals, final String
             execution = execution.withCliOption("-DexcludeTypes=" + String.join(",", excludeTypes));
         }
         if ((profiles != null) && (profiles.length > 0)) {
-            execution = execution.withCliOption("-P" + String.join(",", profiles));
+            execution.withCliOption("-P" + String.join(",", profiles));
+        }
+        if (properties != null) {
+            for (Map.Entry<String, String> entry: properties.entrySet()) {
+                execution.withCliOption("-D" + entry.getKey() + "=" + entry.getValue());
+            }
         }
         if (goals != null && goals.length > 0) {
             execution.execute(goals).assertErrorFreeLog();

src/test/java/org/cyclonedx/maven/CyclicTest.java

@@ -43,7 +43,7 @@ public void testCyclicDependency() throws Exception {
         cleanAndBuild("cyclic", null);
         File projDir = null;
         try {
-            projDir = mvnBuild("cyclic", new String[]{"package"}, null, new String[] {"profile"});
+            projDir = mvnBuild("cyclic", new String[]{"package"}, null, new String[] {"profile"}, null);
         } catch (final Exception ex) {
             fail("Failed to generate SBOM", ex);
         }

src/test/java/org/cyclonedx/maven/Issue311Test.java

@@ -39,7 +39,7 @@ public Issue311Test(MavenRuntimeBuilder runtimeBuilder) throws Exception {
 
     @Test
     public void testLatestAndRelease() throws Exception {
-        final File projDir = mvnBuild("issue-311", new String[]{"clean", "install"}, null, null);
+        final File projDir = mvnBuild("issue-311", new String[]{"clean", "install"}, null, null, null);
 
         checkLatest(projDir);
         checkRelease(projDir);

src/test/java/org/cyclonedx/maven/Issue314Test.java

@@ -0,0 +1,112 @@
+package org.cyclonedx.maven;
+
+import java.io.File;
+import java.util.HashMap;
+import java.util.Map;
+
+import static org.cyclonedx.maven.TestUtils.getComponentNode;
+import static org.cyclonedx.maven.TestUtils.getElement;
+import static org.cyclonedx.maven.TestUtils.readXML;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+
+import org.cyclonedx.model.Component;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.NodeList;
+
+import io.takari.maven.testing.executor.MavenRuntime.MavenRuntimeBuilder;
+import io.takari.maven.testing.executor.MavenVersions;
+import io.takari.maven.testing.executor.junit.MavenJUnitTestRunner;
+
+/**
+ * Fix BOM handling of conflicting dependency tree graphs
+ */
+@RunWith(MavenJUnitTestRunner.class)
+@MavenVersions({"3.6.3"})
+public class Issue314Test extends BaseMavenVerifier {
+
+    private static final String ISSUE_314_DEPENDENCY_B = "pkg:maven/com.example.issue_314/dependency_B@1.0.0?type=jar";
+    private static final String ISSUE_314_DEPENDENCY_C = "pkg:maven/com.example.issue_314/dependency_C@1.0.0?type=jar";
+    private static final String ISSUE_314_DEPENDENCY_D = "pkg:maven/com.example.issue_314/dependency_D@1.0.0?type=jar";
+
+    public Issue314Test(MavenRuntimeBuilder runtimeBuilder) throws Exception {
+        super(runtimeBuilder);
+    }
+
+    /**
+     * Validate the bytecode analysis components.
+     * - No component should be marked as optional
+     */
+    @Test
+    public void testBytecodeDependencyTree() throws Exception {
+      final Map<String, String> properties = new HashMap<>();
+      properties.put("useMavenOptionality", "false");
+      final File projDir = mvnBuild("issue-314", null, null, null, properties);
+
+      final String requiredName = Component.Scope.REQUIRED.getScopeName();
+
+      final Document bom = readXML(new File(projDir, "dependency_A/target/bom.xml"));
+
+      final NodeList componentsList = bom.getElementsByTagName("components");
+      assertEquals("Expected a single components element", 1, componentsList.getLength());
+      final Element components = (Element)componentsList.item(0);
+
+      final Element componentBNode = getComponentNode(components, ISSUE_314_DEPENDENCY_B);
+      final Element componentBScope = getElement(componentBNode, "scope");
+      if (componentBScope != null) {
+        assertEquals("dependency_B scope should be " + requiredName, requiredName, componentBScope.getTextContent());
+      }
+
+      final Element componentCNode = getComponentNode(components, ISSUE_314_DEPENDENCY_C);
+      final Element componentCScope = getElement(componentCNode, "scope");
+      if (componentCScope != null) {
+        assertEquals("dependency_C scope should be " + requiredName, requiredName, componentCScope.getTextContent());
+      }
+
+      final Element componentDNode = getComponentNode(components, ISSUE_314_DEPENDENCY_D);
+      final Element componentDScope = getElement(componentDNode, "scope");
+      if (componentDScope != null) {
+        assertEquals("dependency_D scope should be " + requiredName, requiredName, componentDScope.getTextContent());
+      }
+  }
+
+    /**
+     * Validate the bytecode analysis components.
+     * - com.example.issue_314:dependency_C:1.0.0 and com.example.issue_314:dependency_D:1.0.0 *should* be marked as optional
+     */
+    @Test
+    public void testMavenOptionalityDependencyTree() throws Exception {
+      final Map<String, String> properties = new HashMap<>();
+      properties.put("useMavenOptionality", "true");
+      final File projDir = mvnBuild("issue-314", null, null, null, properties);
+
+      final String requiredName = Component.Scope.REQUIRED.getScopeName();
+      final String optionalName = Component.Scope.OPTIONAL.getScopeName();
+
+      final Document bom = readXML(new File(projDir, "dependency_A/target/bom.xml"));
+
+      final NodeList componentsList = bom.getElementsByTagName("components");
+      assertEquals("Expected a single components element", 1, componentsList.getLength());
+      final Element components = (Element)componentsList.item(0);
+
+      final Element componentBNode = getComponentNode(components, ISSUE_314_DEPENDENCY_B);
+      final Element componentBScope = getElement(componentBNode, "scope");
+      if (componentBScope != null) {
+        assertEquals("dependency_B scope should be " + requiredName, requiredName, componentBScope.getTextContent());
+      }
+
+      final Element componentCNode = getComponentNode(components, ISSUE_314_DEPENDENCY_C);
+      final Element componentCScope = getElement(componentCNode, "scope");
+      assertNotNull("dependency_C is missing its scope", componentCScope);
+      assertEquals("dependency_C scope should be " + optionalName, optionalName, componentCScope.getTextContent());
+
+      final Element componentDNode = getComponentNode(components, ISSUE_314_DEPENDENCY_D);
+      final Element componentDScope = getElement(componentDNode, "scope");
+      assertNotNull("dependency_D is missing its scope", componentDScope);
+      assertEquals("dependency_D scope should be " + optionalName, optionalName, componentDScope.getTextContent());
+  }
+}

src/test/java/org/cyclonedx/maven/TestUtils.java

@@ -10,28 +10,46 @@
 import javax.xml.parsers.ParserConfigurationException;
 
 import org.w3c.dom.Document;
+import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 import org.xml.sax.SAXException;
 
 class TestUtils {
-    static Node getDependencyNode(final Node dependencies, final String ref) {
+    static Element getElement(final Element parent, final String elementName) throws Exception {
+        Element element = null;
+        Node child = parent.getFirstChild();
+        while (child != null) {
+            if (Node.ELEMENT_NODE == child.getNodeType()) {
+                if (child.getNodeName().equals(elementName)) {
+                    if (element != null) {
+                        throw new Exception("Second instance of element " + elementName + " discovered in " + parent.getNodeName());
+                    }
+                    element = (Element)child;
+                }
+            }
+            child = child.getNextSibling();
+        }
+        return element;
+    }
+
+    static Element getDependencyNode(final Node dependencies, final String ref) {
         return getChildElement(dependencies, ref, "dependency", "ref");
     }
 
-    static Node getComponentNode(final Node components, final String ref) {
+    static Element getComponentNode(final Node components, final String ref) {
         return getChildElement(components, ref, "component", "bom-ref");
     }
 
-    private static Node getChildElement(final Node parent, final String ref, final String elementName, final String attrName) {
+    private static Element getChildElement(final Node parent, final String ref, final String elementName, final String attrName) {
         final NodeList children = parent.getChildNodes();
         final int numChildNodes = children.getLength();
         for (int index = 0 ; index < numChildNodes ; index++) {
             final Node child = children.item(index);
             if ((child.getNodeType() == Node.ELEMENT_NODE) && elementName.equals(child.getNodeName())) {
                 final Node refNode = child.getAttributes().getNamedItem(attrName);
                 if (ref.equals(refNode.getNodeValue())) {
-                    return child;
+                    return (Element)child;
                 }
             }
         }

src/test/resources/issue-314/dependency_A/pom.xml

@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>com.example.issue_314</groupId>
+        <artifactId>issue_314_parent</artifactId>
+        <version>1.0.0</version>
+    </parent>
+
+    <artifactId>dependency_A</artifactId>
+
+    <name>Dependency A</name>
+
+    <properties>
+        <maven.compiler.target>1.8</maven.compiler.target>
+        <maven.compiler.source>1.8</maven.compiler.source>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>com.example.issue_314</groupId>
+            <artifactId>dependency_B</artifactId>
+            <version>1.0.0</version>
+            <scope>compile</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.example.issue_314</groupId>
+            <artifactId>dependency_C</artifactId>
+            <version>1.0.0</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.cyclonedx</groupId>
+                <artifactId>cyclonedx-maven-plugin</artifactId>
+                <version>${current.version}</version>
+                <executions>
+                    <execution>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>makeBom</goal>
+                        </goals>
+                    </execution>
+                </executions>
+                <configuration>
+                    <projectType>library</projectType>
+                    <schemaVersion>1.4</schemaVersion>
+                    <includeBomSerialNumber>true</includeBomSerialNumber>
+                    <includeCompileScope>true</includeCompileScope>
+                    <includeProvidedScope>true</includeProvidedScope>
+                    <includeRuntimeScope>false</includeRuntimeScope>
+                    <includeSystemScope>false</includeSystemScope>
+                    <includeTestScope>false</includeTestScope>
+                    <includeLicenseText>false</includeLicenseText>
+                    <outputFormat>xml</outputFormat>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+</project>

src/test/resources/issue-314/dependency_A/src/main/java/com/example/issue_314/liba/LibA.java

@@ -0,0 +1,18 @@
+package com.example.issue_314.liba;
+
+import com.example.issue_314.libb.LibB;
+import com.example.issue_314.libc.LibC;
+
+public class LibA {
+    private LibA() {}
+
+    public static void main(final String[] args) {
+        System.out.println("In libA");
+        LibB.libBMethod();
+        try {
+            LibC.libCMethod();
+        } catch (final NoClassDefFoundError ncdfe) {
+            System.out.println("Optional library libC not present on classpath");
+        }
+    }
+}