Check imported boms for unwanted dependency management

Closes gh-42523

Author: wilkinsona

buildSrc/src/main/java/org/springframework/boot/build/bom/BomExtension.java

@@ -40,9 +40,11 @@
 
 import org.springframework.boot.build.bom.Library.Exclusion;
 import org.springframework.boot.build.bom.Library.Group;
+import org.springframework.boot.build.bom.Library.ImportedBom;
 import org.springframework.boot.build.bom.Library.LibraryVersion;
 import org.springframework.boot.build.bom.Library.Link;
 import org.springframework.boot.build.bom.Library.Module;
+import org.springframework.boot.build.bom.Library.PermittedDependency;
 import org.springframework.boot.build.bom.Library.ProhibitedVersion;
 import org.springframework.boot.build.bom.Library.VersionAlignment;
 import org.springframework.boot.build.bom.bomr.version.DependencyVersion;
@@ -152,8 +154,8 @@ private void addLibrary(Library library) {
 			for (Module module : group.getModules()) {
 				addModule(library, dependencies, versionProperty, group, module);
 			}
-			for (String bomImport : group.getBoms()) {
-				addBomImport(library, dependencies, versionProperty, group, bomImport);
+			for (ImportedBom bomImport : group.getBoms()) {
+				addBomImport(library, dependencies, versionProperty, group, bomImport.name());
 			}
 		}
 	}
@@ -176,6 +178,8 @@ private void addBomImport(Library library, DependencyHandler dependencies, Strin
 
 	public static class LibraryHandler {
 
+		private final Project project;
+
 		private final List<Group> groups = new ArrayList<>();
 
 		private final List<ProhibitedVersion> prohibitedVersions = new ArrayList<>();
@@ -194,6 +198,7 @@ public static class LibraryHandler {
 
 		@Inject
 		public LibraryHandler(Project project, String version) {
+			this.project = project;
 			this.version = version;
 			this.alignWith = project.getObjects().newInstance(AlignWithHandler.class);
 		}
@@ -211,7 +216,7 @@ public void setCalendarName(String calendarName) {
 		}
 
 		public void group(String id, Action<GroupHandler> action) {
-			GroupHandler groupHandler = new GroupHandler(id);
+			GroupHandler groupHandler = this.project.getObjects().newInstance(GroupHandler.class, id);
 			action.execute(groupHandler);
 			this.groups
 				.add(new Group(groupHandler.id, groupHandler.modules, groupHandler.plugins, groupHandler.imports));
@@ -290,16 +295,17 @@ public void because(String because) {
 
 		}
 
-		public class GroupHandler extends GroovyObjectSupport {
+		public static class GroupHandler extends GroovyObjectSupport {
 
 			private final String id;
 
 			private List<Module> modules = new ArrayList<>();
 
-			private List<String> imports = new ArrayList<>();
+			private List<ImportedBom> imports = new ArrayList<>();
 
 			private List<String> plugins = new ArrayList<>();
 
+			@Inject
 			public GroupHandler(String id) {
 				this.id = id;
 			}
@@ -310,8 +316,14 @@ public void setModules(List<Object> modules) {
 					.toList();
 			}
 
-			public void setImports(List<String> imports) {
-				this.imports = imports;
+			public void bom(String bom) {
+				this.imports.add(new ImportedBom(bom));
+			}
+
+			public void bom(String bom, Action<ImportBomHandler> action) {
+				ImportBomHandler handler = new ImportBomHandler();
+				action.execute(handler);
+				this.imports.add(new ImportedBom(bom, handler.permittedDependencies));
 			}
 
 			public void setPlugins(List<String> plugins) {
@@ -354,6 +366,17 @@ public void setClassifier(String classifier) {
 
 			}
 
+			public class ImportBomHandler {
+
+				private final List<PermittedDependency> permittedDependencies = new ArrayList<>();
+
+				public void permit(String allowed) {
+					String[] components = allowed.split(":");
+					this.permittedDependencies.add(new PermittedDependency(components[0], components[1]));
+				}
+
+			}
+
 		}
 
 		public static class AlignWithHandler {

buildSrc/src/main/java/org/springframework/boot/build/bom/BomResolver.java

@@ -42,6 +42,7 @@
 import org.w3c.dom.NodeList;
 
 import org.springframework.boot.build.bom.Library.Group;
+import org.springframework.boot.build.bom.Library.ImportedBom;
 import org.springframework.boot.build.bom.Library.Link;
 import org.springframework.boot.build.bom.Library.Module;
 import org.springframework.boot.build.bom.ResolvedBom.Bom;
@@ -84,9 +85,9 @@ ResolvedBom resolve(BomExtension bomExtension) {
 					Id id = new Id(group.getId(), module.getName(), library.getVersion().getVersion().toString());
 					managedDependencies.add(id);
 				}
-				for (String imported : group.getBoms()) {
+				for (ImportedBom imported : group.getBoms()) {
 					Bom bom = bomFrom(resolveBom(
-							"%s:%s:%s".formatted(group.getId(), imported, library.getVersion().getVersion())));
+							"%s:%s:%s".formatted(group.getId(), imported.name(), library.getVersion().getVersion())));
 					imports.add(bom);
 				}
 			}

buildSrc/src/main/java/org/springframework/boot/build/bom/CheckBom.java

@@ -17,7 +17,11 @@
 package org.springframework.boot.build.bom;
 
 import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.LinkedHashMap;
 import java.util.List;
+import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import java.util.TreeSet;
@@ -42,7 +46,9 @@
 import org.gradle.api.tasks.TaskAction;
 
 import org.springframework.boot.build.bom.Library.Group;
+import org.springframework.boot.build.bom.Library.ImportedBom;
 import org.springframework.boot.build.bom.Library.Module;
+import org.springframework.boot.build.bom.Library.PermittedDependency;
 import org.springframework.boot.build.bom.Library.ProhibitedVersion;
 import org.springframework.boot.build.bom.Library.VersionAlignment;
 import org.springframework.boot.build.bom.ResolvedBom.Bom;
@@ -69,7 +75,8 @@ public CheckBom(BomExtension bom) {
 		Provider<ResolvedBom> resolvedBom = getResolvedBomFile().map(RegularFile::getAsFile).map(ResolvedBom::readFrom);
 		this.checks = List.of(new CheckExclusions(configurations, dependencies), new CheckProhibitedVersions(),
 				new CheckVersionAlignment(),
-				new CheckDependencyManagementAlignment(resolvedBom, configurations, dependencies));
+				new CheckDependencyManagementAlignment(resolvedBom, configurations, dependencies),
+				new CheckForUnwantedDependencyManagement(resolvedBom));
 		this.bom = bom;
 	}
 
@@ -241,31 +248,22 @@ private void check(VersionAlignment versionAlignment, Library library, List<Stri
 
 	}
 
-	private static final class CheckDependencyManagementAlignment implements LibraryCheck {
+	private abstract static class ResolvedLibraryCheck implements LibraryCheck {
 
 		private final Provider<ResolvedBom> resolvedBom;
 
-		private final BomResolver bomResolver;
-
-		private CheckDependencyManagementAlignment(Provider<ResolvedBom> resolvedBom,
-				ConfigurationContainer configurations, DependencyHandler dependencies) {
+		private ResolvedLibraryCheck(Provider<ResolvedBom> resolvedBom) {
 			this.resolvedBom = resolvedBom;
-			this.bomResolver = new BomResolver(configurations, dependencies);
 		}
 
 		@Override
 		public List<String> check(Library library) {
-			List<String> errors = new ArrayList<>();
-			String alignsWithBom = library.getAlignsWithBom();
-			if (alignsWithBom != null) {
-				Bom mavenBom = this.bomResolver
-					.resolveMavenBom(alignsWithBom + ":" + library.getVersion().getVersion());
-				ResolvedLibrary resolvedLibrary = getResolvedLibrary(library);
-				checkDependencyManagementAlignment(resolvedLibrary, mavenBom, errors);
-			}
-			return errors;
+			ResolvedLibrary resolvedLibrary = getResolvedLibrary(library);
+			return check(library, resolvedLibrary);
 		}
 
+		protected abstract List<String> check(Library library, ResolvedLibrary resolvedLibrary);
+
 		private ResolvedLibrary getResolvedLibrary(Library library) {
 			ResolvedBom resolvedBom = this.resolvedBom.get();
 			Optional<ResolvedLibrary> resolvedLibrary = resolvedBom.libraries()
@@ -278,6 +276,30 @@ private ResolvedLibrary getResolvedLibrary(Library library) {
 			return resolvedLibrary.get();
 		}
 
+	}
+
+	private static final class CheckDependencyManagementAlignment extends ResolvedLibraryCheck {
+
+		private final BomResolver bomResolver;
+
+		private CheckDependencyManagementAlignment(Provider<ResolvedBom> resolvedBom,
+				ConfigurationContainer configurations, DependencyHandler dependencies) {
+			super(resolvedBom);
+			this.bomResolver = new BomResolver(configurations, dependencies);
+		}
+
+		@Override
+		public List<String> check(Library library, ResolvedLibrary resolvedLibrary) {
+			List<String> errors = new ArrayList<>();
+			String alignsWithBom = library.getAlignsWithBom();
+			if (alignsWithBom != null) {
+				Bom mavenBom = this.bomResolver
+					.resolveMavenBom(alignsWithBom + ":" + library.getVersion().getVersion());
+				checkDependencyManagementAlignment(resolvedLibrary, mavenBom, errors);
+			}
+			return errors;
+		}
+
 		private void checkDependencyManagementAlignment(ResolvedLibrary library, Bom mavenBom, List<String> errors) {
 			List<Id> managedByLibrary = library.managedDependencies();
 			List<Id> managedByBom = managedDependenciesOf(mavenBom);
@@ -316,4 +338,108 @@ private List<Id> managedDependenciesOf(Bom mavenBom) {
 
 	}
 
+	private static final class CheckForUnwantedDependencyManagement extends ResolvedLibraryCheck {
+
+		private CheckForUnwantedDependencyManagement(Provider<ResolvedBom> resolvedBom) {
+			super(resolvedBom);
+		}
+
+		@Override
+		public List<String> check(Library library, ResolvedLibrary resolvedLibrary) {
+			Map<String, Set<String>> unwanted = findUnwantedDependencyManagement(library, resolvedLibrary);
+			List<String> errors = new ArrayList<>();
+			if (!unwanted.isEmpty()) {
+				StringBuilder error = new StringBuilder("Unwanted dependency management:");
+				unwanted.forEach((bom, dependencies) -> {
+					error.append("%n        - %s:".formatted(bom));
+					error.append("%n            - %s".formatted(String.join("\n            - ", dependencies)));
+				});
+				errors.add(error.toString());
+			}
+			Map<String, Set<String>> unnecessary = findUnnecessaryPermittedDependencies(library, resolvedLibrary);
+			if (!unnecessary.isEmpty()) {
+				StringBuilder error = new StringBuilder("Dependencies permitted unnecessarily:");
+				unnecessary.forEach((bom, dependencies) -> {
+					error.append("%n        - %s:".formatted(bom));
+					error.append("%n            - %s".formatted(String.join("\n            - ", dependencies)));
+				});
+				errors.add(error.toString());
+			}
+			return errors;
+		}
+
+		private Map<String, Set<String>> findUnwantedDependencyManagement(Library library,
+				ResolvedLibrary resolvedLibrary) {
+			Map<String, Set<String>> unwanted = new LinkedHashMap<>();
+			for (Bom bom : resolvedLibrary.importedBoms()) {
+				Set<String> notPermitted = new TreeSet<>();
+				Set<Id> managedDependencies = managedDependenciesOf(bom);
+				managedDependencies.stream()
+					.filter((dependency) -> unwanted(bom, dependency, findPermittedDependencies(library, bom)))
+					.map(Id::toString)
+					.forEach(notPermitted::add);
+				if (!notPermitted.isEmpty()) {
+					unwanted.put(bom.id().artifactId(), notPermitted);
+				}
+			}
+			return unwanted;
+		}
+
+		private List<PermittedDependency> findPermittedDependencies(Library library, Bom bom) {
+			for (Group group : library.getGroups()) {
+				for (ImportedBom importedBom : group.getBoms()) {
+					if (importedBom.name().equals(bom.id().artifactId()) && group.getId().equals(bom.id().groupId())) {
+						return importedBom.permittedDependencies();
+					}
+				}
+			}
+			return Collections.emptyList();
+		}
+
+		private Set<Id> managedDependenciesOf(Bom bom) {
+			Set<Id> managedDependencies = new TreeSet<>();
+			if (bom != null) {
+				managedDependencies.addAll(bom.managedDependencies());
+				managedDependencies.addAll(managedDependenciesOf(bom.parent()));
+				for (Bom importedBom : bom.importedBoms()) {
+					managedDependencies.addAll(managedDependenciesOf(importedBom));
+				}
+			}
+			return managedDependencies;
+		}
+
+		private boolean unwanted(Bom bom, Id managedDependency, List<PermittedDependency> permittedDependencies) {
+			if (bom.id().groupId().equals(managedDependency.groupId())
+					|| managedDependency.groupId().startsWith(bom.id().groupId() + ".")) {
+				return false;
+			}
+			for (PermittedDependency permittedDependency : permittedDependencies) {
+				if (permittedDependency.artifactId().equals(managedDependency.artifactId())
+						&& permittedDependency.groupId().equals(managedDependency.groupId())) {
+					return false;
+				}
+			}
+			return true;
+		}
+
+		private Map<String, Set<String>> findUnnecessaryPermittedDependencies(Library library,
+				ResolvedLibrary resolvedLibrary) {
+			Map<String, Set<String>> unnecessary = new HashMap<>();
+			for (Bom bom : resolvedLibrary.importedBoms()) {
+				Set<String> permittedDependencies = findPermittedDependencies(library, bom).stream()
+					.map((dependency) -> dependency.groupId() + ":" + dependency.artifactId())
+					.collect(Collectors.toCollection(TreeSet::new));
+				Set<String> dependencies = managedDependenciesOf(bom).stream()
+					.map((dependency) -> dependency.groupId() + ":" + dependency.artifactId())
+					.collect(Collectors.toCollection(TreeSet::new));
+				permittedDependencies.removeAll(dependencies);
+				if (!permittedDependencies.isEmpty()) {
+					unnecessary.put(bom.id().artifactId(), permittedDependencies);
+				}
+			}
+			return unnecessary;
+		}
+
+	}
+
 }