Merge branch 'main' into snyk-upgrade-cea59a264e1327dc7a9f03a4a4d11781

Author: soul2zimate

README.md

@@ -104,7 +104,7 @@ repositories {
 <dependency>
     <groupId>com.redhat.exhort</groupId>
     <artifactId>exhort-java-api</artifactId>
-    <version>0.0.8-SNAPSHOT</version>
+    <version>0.0.9-SNAPSHOT</version>
 </dependency>
 ```
 </li>
@@ -188,7 +188,7 @@ Excluding a package from any analysis can be achieved by marking the package for
 <dependency> <!--exhortignore-->
   <groupId>...</groupId>
   <artifactId>...</artifactId>
-  <version>0.0.8-SNAPSHOT</version>
+  <version>0.0.9-SNAPSHOT</version>
 </dependency>
 ```
 </li>

pom.xml

@@ -5,7 +5,7 @@
 
   <groupId>com.redhat.exhort</groupId>
   <artifactId>exhort-java-api</artifactId>
-  <version>0.0.8-SNAPSHOT</version>
+  <version>0.0.9-SNAPSHOT</version>
   <name>Exhort Java API</name>
   <description>Exhort Java API</description>
   <url>https://github.com/trustification/exhort-java-api#readme</url>
@@ -19,7 +19,7 @@
     <maven.compiler.release>17</maven.compiler.release>
     <!-- Dependencies -->
     <exhort-api.version>1.0.6</exhort-api.version>
-    <jackson.version>2.19.1</jackson.version>
+    <jackson.version>2.19.2</jackson.version>
     <jakarta.annotation-api.version>2.1.1</jakarta.annotation-api.version>
     <jakarta.mail.version>2.0.4</jakarta.mail.version>
     <cyclonedx.version>10.2.1</cyclonedx.version>
@@ -679,7 +679,7 @@ limitations under the License.]]>
             <configuration>
               <shadedArtifactAttached>true</shadedArtifactAttached>
               <shadedClassifierName>cli</shadedClassifierName>
-              
+
               <!-- Filters to exclude problematic files -->
               <filters>
                 <filter>
@@ -697,17 +697,17 @@ limitations under the License.]]>
                   </excludes>
                 </filter>
               </filters>
-              
+
               <!-- Transformers to handle overlapping resources -->
               <transformers>
                 <!-- Main class transformer -->
                 <transformer implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
                   <mainClass>com.redhat.exhort.cli.App</mainClass>
                 </transformer>
-                
+
                 <!-- Service files transformer for Jackson and other services -->
                 <transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer"/>
-                
+
                 <!-- Append NOTICE files -->
                 <transformer implementation="org.apache.maven.plugins.shade.resource.AppendingTransformer">
                   <resource>META-INF/NOTICE</resource>
@@ -718,7 +718,7 @@ limitations under the License.]]>
                 <transformer implementation="org.apache.maven.plugins.shade.resource.AppendingTransformer">
                   <resource>META-INF/NOTICE.md</resource>
                 </transformer>
-                
+
                 <!-- Append LICENSE files -->
                 <transformer implementation="org.apache.maven.plugins.shade.resource.AppendingTransformer">
                   <resource>META-INF/LICENSE</resource>
@@ -731,7 +731,7 @@ limitations under the License.]]>
                 </transformer>
 
               </transformers>
-              
+
               <!-- Create non-verbose output -->
               <createDependencyReducedPom>false</createDependencyReducedPom>
             </configuration>

src/main/java/com/redhat/exhort/providers/JavaMavenProvider.java

@@ -238,11 +238,41 @@ private List<DependencyAggregator> getDependencies(final Path manifestPath) thro
       // when a "dependency" tag starts, it will be initiated,
       // when a "dependency" tag ends, it will be parsed, act upon, and reset
       DependencyAggregator dependencyAggregator = null;
+      boolean insideDependencyManagement = false;
+      boolean insideExclusions = false;
+      boolean insidePlugins = false;
       while (reader.hasNext()) {
         reader.next(); // get the next event
+        if (reader.isStartElement() && "dependencyManagement".equals(reader.getLocalName())) {
+          insideDependencyManagement = true;
+          continue;
+        }
+        if (reader.isEndElement() && "dependencyManagement".equals(reader.getLocalName())) {
+          insideDependencyManagement = false;
+          continue;
+        }
+        if (reader.isStartElement() && "plugins".equals(reader.getLocalName())) {
+          insidePlugins = true;
+          continue;
+        }
+        if (reader.isEndElement() && "plugins".equals(reader.getLocalName())) {
+          insidePlugins = false;
+          continue;
+        }
+        if (reader.isStartElement() && "exclusions".equals(reader.getLocalName())) {
+          insideExclusions = true;
+          continue;
+        }
+        if (reader.isEndElement() && "exclusions".equals(reader.getLocalName())) {
+          insideExclusions = false;
+          continue;
+        }
         if (reader.isStartElement() && "dependency".equals(reader.getLocalName())) {
-          // starting "dependency" tag, initiate aggregator
-          dependencyAggregator = new DependencyAggregator();
+          // starting "dependency" tag, initiate aggregator only if not inside dependencyManagement
+          // or plugins
+          if (!insideDependencyManagement && !insidePlugins) {
+            dependencyAggregator = new DependencyAggregator();
+          }
           continue;
         }
 
@@ -256,9 +286,10 @@ private List<DependencyAggregator> getDependencies(final Path manifestPath) thro
             continue;
           }
 
-          if (reader.isStartElement()) {
+          if (reader.isStartElement() && !insideExclusions) {
             // NOTE if we want to include "scope" tags in ignore,
             // add a case here and a property in DependencyIgnore
+            // Only process these elements if we're not inside exclusions
             switch (reader.getLocalName()) {
               case "groupId": // starting "groupId" tag, get next event and set to aggregator
                 reader.next();
@@ -282,8 +313,11 @@ private List<DependencyAggregator> getDependencies(final Path manifestPath) thro
           }
 
           if (reader.isEndElement() && "dependency".equals(reader.getLocalName())) {
-            // add object to list and reset dependency aggregator
-            deps.add(dependencyAggregator);
+            // add object to list and reset dependency aggregator only if not inside
+            // dependencyManagement or plugins
+            if (!insideDependencyManagement && !insidePlugins && dependencyAggregator != null) {
+              deps.add(dependencyAggregator);
+            }
             dependencyAggregator = null;
           }
         }
@@ -383,7 +417,9 @@ private String selectMvnRuntime(final Path manifestPath) {
         try {
           // verify maven wrapper is accessible
           Operations.runProcess(manifest.getParent(), mvnw, ARG_VERSION);
-          log.fine(String.format("using maven wrapper from : %s", mvnw));
+          if (debugLoggingIsNeeded()) {
+            log.info(String.format("using maven wrapper from : %s", mvnw));
+          }
           return mvnw;
         } catch (Exception e) {
           log.warning(
@@ -393,7 +429,9 @@ private String selectMvnRuntime(final Path manifestPath) {
     }
     // If maven wrapper is not requested or not accessible, fall back to use mvn
     String mvn = Operations.getExecutable(MVN, ARG_VERSION);
-    log.fine(String.format("using mvn executable from : %s", mvn));
+    if (debugLoggingIsNeeded()) {
+      log.info(String.format("using mvn executable from : %s", mvn));
+    }
     return mvn;
   }