Allow to set attributes to match a variant after a conflict (sonatype-nexus-community#136)

Author: guillermo-varela

.gitignore

@@ -6,6 +6,7 @@ target/
 .classpath
 .project
 .idea
+.DS_Store
 
 # ci config for local ci build
 .circleci/local-config.yml

README.md

@@ -57,14 +57,14 @@ Gradle can be used to build projects developed in various programming languages.
 
 ```
 plugins {
-  id 'org.sonatype.gradle.plugins.scan' version '2.5.4' // Update the version as needed
+  id 'org.sonatype.gradle.plugins.scan' version '2.5.5' // Update the version as needed
 }
 ```
 
 - Or `build.gradle.kts`:
 ```
 plugins {
-    id ("org.sonatype.gradle.plugins.scan") version "2.5.4" // Update the version as needed
+    id ("org.sonatype.gradle.plugins.scan") version "2.5.5" // Update the version as needed
 }
 ```
 
@@ -96,6 +96,9 @@ ossIndexAudit {
     modulesIncluded = ['module-1', 'module-2'] // Optional. For multi-module projects, the names of the sub-modules to include for auditing. If not specified all modules are included.
     modulesExcluded = ['module-1', 'module-2'] // Optional. For multi-module projects, the names of the sub-modules to exclude from auditing. If not specified no modules are excluded. This value is processed after 'modulesIncluded' if both are specified.
 
+    // For projects using multiple custom variants for the release distribution, a Map can be set with the attributes names and values to match the specific variant. See more at the section "How to Deal with Multiple Release Variants" below in this doc.
+    variantAttributes = ['com.android.build.api.attributes.ProductFlavor:version': 'prod', 'other.attribute': 'other value'] // Optional, use it only when the plugin can't match a variant on its own
+
     // ossIndexAudit can be configured to exclude vulnerabilities from matching
     excludeVulnerabilityIds = ['39d74cc8-457a-4e57-89ef-a258420138c5'] // list containing ids of vulnerabilities to be ignored
     excludeCoordinates = ['commons-fileupload:commons-fileupload:1.3'] // list containing coordinate of components which if vulnerable should be ignored
@@ -130,6 +133,9 @@ ossIndexAudit {
     modulesIncluded = listOf("module-1", "module-2") // Optional. For multi-module projects, the names of the sub-modules to include for auditing. If not specified all modules are included.
     modulesExcluded = listOf("module-1", "module-2") // Optional. For multi-module projects, the names of the sub-modules to exclude from auditing. If not specified no modules are excluded. This value is processed after 'modulesIncluded' if both are specified.
 
+    // For projects using multiple custom variants for the release distribution, a Map can be set with the attributes names and values to match the specific variant. See more at the section "How to Deal with Multiple Release Variants" below in this doc.
+    variantAttributes = mapOf("com.android.build.api.attributes.ProductFlavor:version" to "prod", "other.attribute" to "other value") // Optional, use it only when the plugin can't match a variant on its own
+
     // ossIndexAudit can be configured to exclude vulnerabilities from matching
     excludeVulnerabilityIds =
         listOf("39d74cc8-457a-4e57-89ef-a258420138c5") // list containing ids of vulnerabilities to be ignored
@@ -166,6 +172,9 @@ nexusIQScan {
     modulesExcluded = ['module-1', 'module-2'] // Optional. For multi-module projects, the names of the sub-modules to exclude from scanning and evaluation.
     dirExcludes = 'some-ant-pattern' // Optional. Comma separated ant-like glob patterns to select directories/archives that should be excluded. For Android projects we suggest using '**/classes.jar,**/annotations.zip,**/lint.jar,**/internal_impl-*.jar'
     dirIncludes = 'some-ant-pattern' // Optional. Comma separated ant-like glob patterns to select directories/archives that should be examined
+
+    // For projects using multiple custom variants for the release distribution, a Map can be set with the attributes names and values to match the specific variant. See more at the section "How to Deal with Multiple Release Variants" below in this doc.
+    variantAttributes = ['com.android.build.api.attributes.ProductFlavor:version': 'prod', 'other.attribute': 'other value'] // Optional, use it only when the plugin can't match a variant on its own
 }
 ```
 
@@ -183,6 +192,9 @@ nexusIQScan {
     modulesExcluded = listOf("module-1", "module-2") // Optional. For multi-module projects, the names of the sub-modules to exclude from scanning and evaluation.
     dirExcludes = "some-ant-pattern" // Optional. Comma separated ant-like glob patterns to select directories/archives that should be excluded. For Android projects we suggest using "**/classes.jar,**/annotations.zip,**/lint.jar,**/internal_impl-*.jar"
     dirIncludes = "some-ant-pattern" // Optional. Comma separated ant-like glob patterns to select directories/archives that should be examined
+
+    // For projects using multiple custom variants for the release distribution, a Map can be set with the attributes names and values to match the specific variant. See more at the section "How to Deal with Multiple Release Variants" below in this doc.
+    variantAttributes = mapOf("com.android.build.api.attributes.ProductFlavor:version" to "prod", "other.attribute" to "other value") // Optional, use it only when the plugin can't match a variant on its own
 }
 ```
 
@@ -306,6 +318,66 @@ ossIndexAudit {
 Just apply the plugin on the root project and all sub-modules will be processed and the output will be a single report
 with all components found in each module. This includes Android projects.
 
+## How to Deal with Multiple Release Variants
+This plugin makes its best effort to find the release (production) configuration and variant to get the dependencies to analyze.
+
+However, a Gradle project can have multiple custom release variants and the plugin might not be able to tell Gradle which one to pick, resulting in an error like this:
+
+```
+> Could not resolve all dependencies for configuration 'sonatypeCopyConfiguration0'.
+   > Could not resolve project :common-lib.
+     Required by:
+         project :app
+      > The consumer was configured to find a runtime of a component, as well as attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'release'. However we cannot choose between the following variants of project :baseapp:
+          - ciReleaseRuntimeElements
+          - prodReleaseRuntimeElements
+        All of them match the consumer attributes:
+          - Variant 'ciReleaseRuntimeElements' capability common-lib:1.0.0 declares a runtime of a component, as well as attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'release':
+              - Unmatched attributes:
+                  - Provides attribute 'com.android.build.api.attributes.AgpVersionAttr' with value '7.2.2' but the consumer didn't ask for it
+                  - Provides attribute 'com.android.build.api.attributes.ProductFlavor:version' with value 'ci' but the consumer didn't ask for it
+                  - Provides attribute 'com.android.build.gradle.internal.attributes.VariantAttr' with value 'ciRelease' but the consumer didn't ask for it
+                  - Provides a library but the consumer didn't ask for it
+                  - Provides attribute 'org.gradle.jvm.environment' with value 'android' but the consumer didn't ask for it
+          - Variant 'prodReleaseRuntimeElements' capability common-lib:1.0.0 declares a runtime of a component, as well as attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'release':
+              - Unmatched attributes:
+                  - Provides attribute 'com.android.build.api.attributes.AgpVersionAttr' with value '7.2.2' but the consumer didn't ask for it
+                  - Provides attribute 'com.android.build.api.attributes.ProductFlavor:version' with value 'prod' but the consumer didn't ask for it
+                  - Provides attribute 'com.android.build.gradle.internal.attributes.VariantAttr' with value 'prodRelease' but the consumer didn't ask for it
+                  - Provides a library but the consumer didn't ask for it
+                  - Provides attribute 'org.gradle.jvm.environment' with value 'android' but the consumer didn't ask for it
+```
+
+From that output we can see the value of the attribute `com.android.build.api.attributes.ProductFlavor:version` can be used to distinguish between the available variants.
+
+Since attribute names and values can be customized on each project, this plugin allows to set the attributes needed to match the right variant using the property `variantAttributes`.
+
+In the example above, the following configuration would allow the plugin to choose the `prodReleaseRuntimeElements` variant:
+
+*Groovy*
+```
+nexusIQScan {
+    variantAttributes = ['com.android.build.api.attributes.ProductFlavor:version': 'prod']
+}
+
+ossIndexAudit {
+    variantAttributes = ['com.android.build.api.attributes.ProductFlavor:version': 'prod']
+}
+```
+
+*Kotlin*
+```
+nexusIQScan {
+    variantAttributes = mapOf("com.android.build.api.attributes.ProductFlavor:version" to "prod")
+}
+
+ossIndexAudit {
+    variantAttributes = mapOf("com.android.build.api.attributes.ProductFlavor:version" to "prod")
+}
+```
+
+See more information about attributes matching for variant selection see https://docs.gradle.org/current/userguide/variant_model.html#sec:variant-select-errors
+
 ## Contributing
 
 We care a lot about making the world a safer place, and that's why we created this `scan-gradle-plugin`. If you as well want to speed up the pace of software development by working on this project, jump on in! Before you start work, create a new issue, or comment on an existing issue, to let others know you are!

src/main/java/org/sonatype/gradle/plugins/scan/common/AndroidAttributeDisambiguationRule.java src/main/java/org/sonatype/gradle/plugins/scan/common/AndroidArtifactTypeAttributeDisambiguationRule.java

@@ -20,7 +20,7 @@
 
 import static org.gradle.api.artifacts.type.ArtifactTypeDefinition.JAR_TYPE;
 
-public class AndroidAttributeDisambiguationRule
+public class AndroidArtifactTypeAttributeDisambiguationRule
     implements AttributeDisambiguationRule<String>
 {
   private static final String AAR_TYPE = "aar";

src/main/java/org/sonatype/gradle/plugins/scan/common/DependenciesFinder.java

@@ -21,6 +21,7 @@
 import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Locale;
+import java.util.Map;
 import java.util.Set;
 import java.util.function.Function;
 import java.util.stream.Collector;
@@ -83,30 +84,31 @@ public class DependenciesFinder
 
   private static final String ATTRIBUTES_SUPPORTED_GRADLE_VERSION = "4.0";
 
-  public Set<ResolvedDependency> findResolvedDependencies(Project project, boolean allConfigurations) {
+  public Set<ResolvedDependency> findResolvedDependencies(
+      Project project,
+      boolean allConfigurations,
+      Map<String, String> variantAttributes)
+  {
     return new LinkedHashSet<>(new LinkedHashSet<>(project.getConfigurations()).stream()
         .filter(configuration -> isAcceptableConfiguration(configuration, allConfigurations))
-        .flatMap(configuration -> getDependencies(project, configuration,
+        .flatMap(configuration -> getDependencies(project, configuration, variantAttributes,
             resolvedConfiguration -> resolvedConfiguration.getFirstLevelModuleDependencies().stream()))
         .collect(collectResolvedDependencies()).values());
   }
 
-  public Set<ResolvedArtifact> findResolvedArtifacts(Project project, boolean allConfigurations) {
-    return new LinkedHashSet<>(project.getConfigurations()).stream()
-        .filter(configuration -> isAcceptableConfiguration(configuration, allConfigurations))
-        .flatMap(configuration -> getDependencies(project, configuration,
-            resolvedConfiguration -> resolvedConfiguration.getResolvedArtifacts().stream()))
-        .collect(Collectors.toSet());
-  }
-
-  public List<Module> findModules(Project rootProject, boolean allConfigurations, Set<String> modulesExcluded) {
+  public List<Module> findModules(
+      Project rootProject,
+      boolean allConfigurations,
+      Set<String> modulesExcluded,
+      Map<String, String> variantAttributes)
+  {
     List<Module> modules = new ArrayList<>();
 
     rootProject.allprojects(project -> {
       if (!modulesExcluded.contains(project.getName())) {
         Module module = buildModule(project);
 
-        findResolvedArtifacts(project, allConfigurations).forEach(resolvedArtifact -> {
+        findResolvedArtifacts(project, allConfigurations, variantAttributes).forEach(resolvedArtifact -> {
           ModuleVersionIdentifier artifactId = resolvedArtifact.getModuleVersion().getId();
 
           Artifact artifact = new Artifact()
@@ -117,8 +119,8 @@ public List<Module> findModules(Project rootProject, boolean allConfigurations,
           module.addConsumedArtifact(artifact);
         });
 
-        findResolvedDependencies(project, allConfigurations).forEach(resolvedDependency ->
-          module.addDependency(processDependency(resolvedDependency, true, new HashSet<>()))
+        findResolvedDependencies(project, allConfigurations, variantAttributes).forEach(
+            resolvedDependency -> module.addDependency(processDependency(resolvedDependency, true, new HashSet<>()))
         );
 
         modules.add(module);
@@ -128,6 +130,19 @@ public List<Module> findModules(Project rootProject, boolean allConfigurations,
     return modules;
   }
 
+  @VisibleForTesting
+  Set<ResolvedArtifact> findResolvedArtifacts(
+      Project project,
+      boolean allConfigurations,
+      Map<String, String> variantAttributes)
+  {
+    return new LinkedHashSet<>(project.getConfigurations()).stream()
+        .filter(configuration -> isAcceptableConfiguration(configuration, allConfigurations))
+        .flatMap(configuration -> getDependencies(project, configuration, variantAttributes,
+            resolvedConfiguration -> resolvedConfiguration.getResolvedArtifacts().stream()))
+        .collect(Collectors.toSet());
+  }
+
   @VisibleForTesting
   Module buildModule(Project project) {
     Module module = new Module()
@@ -158,7 +173,7 @@ String getId(Project project) {
   }
 
   @VisibleForTesting
-  Configuration createCopyConfiguration(Project project) {
+  Configuration createCopyConfiguration(Project project, Map<String, String> variantAttributes) {
     String configurationName = COPY_CONFIGURATION_NAME;
     for (int i = 0; project.getConfigurations().findByName(configurationName) != null; i++) {
       configurationName += i;
@@ -171,13 +186,17 @@ Configuration createCopyConfiguration(Project project) {
       if (isAndroidProject) {
         AttributeMatchingStrategy<String> artifactTypeMatchingStrategy =
             project.getDependencies().getAttributesSchema().attribute(Attribute.of("artifactType", String.class));
-        artifactTypeMatchingStrategy.getDisambiguationRules().add(AndroidAttributeDisambiguationRule.class);
+        artifactTypeMatchingStrategy.getDisambiguationRules().add(AndroidArtifactTypeAttributeDisambiguationRule.class);
       }
 
       copyConfiguration.attributes(attributeContainer -> {
         ObjectFactory factory = project.getObjects();
         attributeContainer.attribute(Usage.USAGE_ATTRIBUTE, factory.named(Usage.class, Usage.JAVA_RUNTIME));
 
+        variantAttributes.forEach((attributeName, value) -> {
+          attributeContainer.attribute(Attribute.of(attributeName, String.class), value);
+        });
+
         if (isAndroidProject) {
           addReleaseBuildTypeAttribute(project, attributeContainer);
         }
@@ -233,19 +252,20 @@ boolean isAndroidProject(Project project) {
   <T> Stream<T> getDependencies(
       Project project,
       Configuration originalConfiguration,
+      Map<String, String> variantAttributes,
       Function<ResolvedConfiguration, Stream<T>> function)
   {
     try {
       return function.apply(originalConfiguration.getResolvedConfiguration());
     }
     catch (ResolveException e) {
-      Configuration copyConfiguration = copyDependencies(project, originalConfiguration, false);
+      Configuration copyConfiguration = copyDependencies(project, originalConfiguration, false, variantAttributes);
 
       try {
         return function.apply(copyConfiguration.getResolvedConfiguration());
       }
       catch (ResolveException lastResortException) {
-        copyConfiguration = copyDependencies(project, originalConfiguration, true);
+        copyConfiguration = copyDependencies(project, originalConfiguration, true, variantAttributes);
         return function.apply(copyConfiguration.getResolvedConfiguration());
       }
     }
@@ -254,9 +274,10 @@ <T> Stream<T> getDependencies(
   private Configuration copyDependencies(
       Project project,
       Configuration originalConfiguration,
-      boolean skipUnresolvableDependencies)
+      boolean skipUnresolvableDependencies,
+      Map<String, String> variantAttributes)
   {
-    Configuration copyConfiguration = createCopyConfiguration(project);
+    Configuration copyConfiguration = createCopyConfiguration(project, variantAttributes);
 
     originalConfiguration.getAllDependencies().all(dependency -> {
       copyConfiguration.getDependencies().add(dependency);

src/main/java/org/sonatype/gradle/plugins/scan/nexus/iq/index/NexusIqIndexTask.java

@@ -59,8 +59,8 @@ public NexusIqIndexTask() {
   @TaskAction
   public void saveModule() {
     try {
-      List<Module> modules =
-          dependenciesFinder.findModules(getProject(), extension.isAllConfigurations(), extension.getModulesExcluded());
+      List<Module> modules = dependenciesFinder.findModules(getProject(), extension.isAllConfigurations(),
+          extension.getModulesExcluded(), extension.getVariantAttributes());
       List<File> files = new ArrayList<>(modules.size());
 
       for (Module module : modules) {

src/main/java/org/sonatype/gradle/plugins/scan/nexus/iq/index/NexusIqPluginIndexExtension.java

@@ -16,6 +16,7 @@
 package org.sonatype.gradle.plugins.scan.nexus.iq.index;
 
 import java.util.Collections;
+import java.util.Map;
 import java.util.Set;
 
 import org.gradle.api.Project;
@@ -26,8 +27,11 @@ public class NexusIqPluginIndexExtension
 
   private Set<String> modulesExcluded;
 
+  private Map<String, String> variantAttributes;
+
   public NexusIqPluginIndexExtension(Project project) {
     modulesExcluded = Collections.emptySet();
+    variantAttributes = Collections.emptyMap();
   }
 
   public boolean isAllConfigurations() {
@@ -45,4 +49,12 @@ public Set<String> getModulesExcluded() {
   public void setModulesExcluded(Set<String> modulesExcluded) {
     this.modulesExcluded = modulesExcluded;
   }
+
+  public Map<String, String> getVariantAttributes() {
+    return variantAttributes;
+  }
+
+  public void setVariantAttributes(Map<String, String> variantAttributes) {
+    this.variantAttributes = variantAttributes;
+  }
 }

src/main/java/org/sonatype/gradle/plugins/scan/nexus/iq/scan/NexusIqPluginScanExtension.java

@@ -16,6 +16,7 @@
 package org.sonatype.gradle.plugins.scan.nexus.iq.scan;
 
 import java.util.Collections;
+import java.util.Map;
 import java.util.Set;
 
 import com.sonatype.clm.dto.model.policy.Stage;
@@ -55,6 +56,8 @@ public class NexusIqPluginScanExtension
 
   private String dirExcludes;
 
+  private Map<String, String> variantAttributes;
+
   public NexusIqPluginScanExtension(Project project) {
     stage = Stage.ID_BUILD;
     organizationId = "";
@@ -64,6 +67,7 @@ public NexusIqPluginScanExtension(Project project) {
     modulesExcluded = Collections.emptySet();
     dirIncludes = "";
     dirExcludes = "";
+    variantAttributes = Collections.emptyMap();
   }
 
   public String getUsername() {
@@ -178,4 +182,12 @@ public String getDirExcludes() {
   public void setDirExcludes(String dirExcludes) {
     this.dirExcludes = dirExcludes;
   }
+
+  public Map<String, String> getVariantAttributes() {
+    return variantAttributes;
+  }
+
+  public void setVariantAttributes(Map<String, String> variantAttributes) {
+    this.variantAttributes = variantAttributes;
+  }
 }