Trust resolved version over declared dep in dependency search (#181)

timtebeek · Jenson3210 · web-flow · commit a05505ce6c50 · 2026-05-29T11:38:56.000+02:00
* Trust resolved version over declared dep in dependency search PR #179 extended ModuleHasDependency / RepositoryHasDependency to also match against requested/declared dependencies so they still match when resolution fails. This introduced false positives whenever a version range is supplied: the declared version string could satisfy the comparator even when the resolved version did not (e.g. a Gradle resolutionStrategy.force or platform alignment overriding the declared coordinate). - When a coordinate is present in the resolved dependencies, trust the resolved check and skip the declared-dependency fallback for that group:artifact. Only fall back for declared deps not already resolved. - Tighten versionMatches so a null declared version no longer auto-matches when a version constraint is supplied (same treatment as a ${...} property reference). Adds regression tests covering both rules in ModuleHasDependencyTest and RepositoryHasDependencyTest. * Apply suggestions from code review Co-authored-by: Jente Sondervorst <jentesondervorst@gmail.com> * Add Maven regression tests for BOM-managed dependency version range --------- Co-authored-by: Jente Sondervorst <jentesondervorst@gmail.com>
diff --git a/src/main/java/org/openrewrite/java/dependencies/search/ModuleHasDependency.java b/src/main/java/org/openrewrite/java/dependencies/search/ModuleHasDependency.java
@@ -112,12 +112,17 @@ private boolean hasDependency(Tree tree) {
         if (mavenResult != null) {
             Scope requestedScope = scope == null ? null : Scope.fromName(scope);
             List<ResolvedDependency> dependencies = mavenResult.findDependencies(groupIdPattern, artifactIdPattern, requestedScope);
+            Set<String> resolvedGAs = new HashSet<>();
             for (ResolvedDependency dependency : dependencies) {
+                resolvedGAs.add(dependency.getGroupId() + ":" + dependency.getArtifactId());
                 if (versionComparator == null || versionComparator.isValid(null, dependency.getVersion())) {
                     return true;
                 }
             }
             for (Dependency requested : mavenResult.getPom().getRequestedDependencies()) {
+                if (resolvedGAs.contains(requested.getGroupId() + ":" + requested.getArtifactId())) {
+                    continue;
+                }
                 if (matchesRequested(requested, requestedScope, versionComparator)) {
                     return true;
                 }
@@ -127,16 +132,23 @@ private boolean hasDependency(Tree tree) {
 
         GradleProject gp = tree.getMarkers().findFirst(GradleProject.class).orElse(null);
         if (gp != null) {
+            Set<String> resolvedGAs = new HashSet<>();
             for (GradleDependencyConfiguration c : gp.getConfigurations()) {
                 for (ResolvedDependency resolvedDependency : c.getDirectResolved()) {
                     ResolvedDependency found = resolvedDependency.findDependency(groupIdPattern, artifactIdPattern);
-                    if (found != null && (versionComparator == null || versionComparator.isValid(null, found.getVersion()))) {
-                        return true;
+                    if (found != null) {
+                        resolvedGAs.add(found.getGroupId() + ":" + found.getArtifactId());
+                        if (versionComparator == null || versionComparator.isValid(null, found.getVersion())) {
+                            return true;
+                        }
                     }
                 }
             }
             for (GradleDependencyConfiguration c : gp.getConfigurations()) {
                 for (Dependency requested : c.getRequested()) {
+                    if (resolvedGAs.contains(requested.getGroupId() + ":" + requested.getArtifactId())) {
+                        continue;
+                    }
                     if (matchesRequested(requested, null, versionComparator)) {
                         return true;
                     }
@@ -166,10 +178,10 @@ private boolean matchesRequested(Dependency dep, @Nullable Scope requestedScope,
     }
 
     private static boolean versionMatches(@Nullable String version, @Nullable VersionComparator cmp) {
-        if (cmp == null || version == null) {
+        if (cmp == null) {
             return true;
         }
-        if (version.startsWith("${")) {
+        if (version == null || version.startsWith("${")) {
             return false;
         }
         return cmp.isValid(null, version);
diff --git a/src/main/java/org/openrewrite/java/dependencies/search/RepositoryHasDependency.java b/src/main/java/org/openrewrite/java/dependencies/search/RepositoryHasDependency.java
@@ -31,7 +31,9 @@
 import org.openrewrite.semver.Semver;
 import org.openrewrite.semver.VersionComparator;
 
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 import java.util.concurrent.atomic.AtomicBoolean;
 
 @EqualsAndHashCode(callSuper = false)
@@ -107,12 +109,17 @@ private boolean hasDependency(Tree tree) {
         if (mavenResult != null) {
             Scope requestedScope = scope == null ? null : Scope.fromName(scope);
             List<ResolvedDependency> dependencies = mavenResult.findDependencies(groupIdPattern, artifactIdPattern, requestedScope);
+            Set<String> resolvedGAs = new HashSet<>();
             for (ResolvedDependency dependency : dependencies) {
+                resolvedGAs.add(dependency.getGroupId() + ":" + dependency.getArtifactId());
                 if (versionComparator == null || versionComparator.isValid(null, dependency.getVersion())) {
                     return true;
                 }
             }
             for (Dependency requested : mavenResult.getPom().getRequestedDependencies()) {
+                if (resolvedGAs.contains(requested.getGroupId() + ":" + requested.getArtifactId())) {
+                    continue;
+                }
                 if (matchesRequested(requested, requestedScope, versionComparator)) {
                     return true;
                 }
@@ -122,16 +129,23 @@ private boolean hasDependency(Tree tree) {
 
         GradleProject gp = tree.getMarkers().findFirst(GradleProject.class).orElse(null);
         if (gp != null) {
+            Set<String> resolvedGAs = new HashSet<>();
             for (GradleDependencyConfiguration c : gp.getConfigurations()) {
                 for (ResolvedDependency resolvedDependency : c.getDirectResolved()) {
                     ResolvedDependency found = resolvedDependency.findDependency(groupIdPattern, artifactIdPattern);
-                    if (found != null && (versionComparator == null || versionComparator.isValid(null, found.getVersion()))) {
-                        return true;
+                    if (found != null) {
+                        resolvedGAs.add(found.getGroupId() + ":" + found.getArtifactId());
+                        if (versionComparator == null || versionComparator.isValid(null, found.getVersion())) {
+                            return true;
+                        }
                     }
                 }
             }
             for (GradleDependencyConfiguration c : gp.getConfigurations()) {
                 for (Dependency requested : c.getRequested()) {
+                    if (resolvedGAs.contains(requested.getGroupId() + ":" + requested.getArtifactId())) {
+                        continue;
+                    }
                     if (matchesRequested(requested, null, versionComparator)) {
                         return true;
                     }
@@ -161,10 +175,10 @@ private boolean matchesRequested(Dependency dep, @Nullable Scope requestedScope,
     }
 
     private static boolean versionMatches(@Nullable String version, @Nullable VersionComparator cmp) {
-        if (cmp == null || version == null) {
+        if (cmp == null) {
             return true;
         }
-        if (version.startsWith("${")) {
+        if (version == null || version.startsWith("${")) {
             return false;
         }
         return cmp.isValid(null, version);
diff --git a/src/test/java/org/openrewrite/java/dependencies/search/ModuleHasDependencyTest.java b/src/test/java/org/openrewrite/java/dependencies/search/ModuleHasDependencyTest.java
@@ -454,6 +454,100 @@ void gradleVersionRangeOnRequestedDoesNotMatchWhenOutOfRange() {
               )
             );
         }
+
+        @Language("groovy")
+        private final static String GradleNoRepositoriesNoVersion = """
+          plugins {
+            id 'java-library'
+          }
+          dependencies {
+            implementation 'org.springframework:spring-beans'
+          }
+          """;
+
+        @Test
+        void gradleRequestedWithoutVersionAndConstraintDoesNotMatch() {
+            // Force resolution failure (no repositories), so the requested fallback fires.
+            rewriteRun(
+              spec -> spec.recipe(new ModuleHasDependency(GroupId, ArtifactId, null, "[1.0,)", null)),
+              mavenProject("project-gradle",
+                buildGradle(GradleNoRepositoriesNoVersion),
+                java(GradleJava)
+              )
+            );
+        }
+    }
+
+    @Nested
+    class WhenResolvedVersionIsSourceOfTruth {
+
+        @Language("groovy")
+        private final static String GradleForcedOutOfRange = """
+          plugins {
+            id 'java-library'
+          }
+          repositories {
+            mavenCentral()
+          }
+          configurations.all {
+            resolutionStrategy {
+              force 'org.springframework:spring-beans:6.0.0'
+            }
+          }
+          dependencies {
+            implementation 'org.springframework:spring-beans:5.3.0'
+          }
+          """;
+
+        @Test
+        void gradleVersionRangeDoesNotMatchDeclaredWhenResolvedVersionIsOutOfRange() {
+            // The declared-dependency fallback must be skipped for an already-resolved coordinate (resolutionStrategy).
+            rewriteRun(
+              spec -> spec.recipe(new ModuleHasDependency(GroupId, ArtifactId, null, "[5.0,6.0)", null)),
+              mavenProject("project-gradle",
+                buildGradle(GradleForcedOutOfRange),
+                java(GradleJava)
+              )
+            );
+        }
+
+        @Language("xml")
+        private final static String MavenBomManagedOutOfRange = """
+          <project>
+            <groupId>com.example</groupId>
+            <artifactId>foo</artifactId>
+            <version>1.0.0</version>
+            <dependencyManagement>
+              <dependencies>
+                <dependency>
+                  <groupId>org.springframework.boot</groupId>
+                  <artifactId>spring-boot-dependencies</artifactId>
+                  <version>3.0.0</version>
+                  <type>pom</type>
+                  <scope>import</scope>
+                </dependency>
+              </dependencies>
+            </dependencyManagement>
+            <dependencies>
+              <dependency>
+                <groupId>org.springframework</groupId>
+                <artifactId>spring-beans</artifactId>
+              </dependency>
+            </dependencies>
+          </project>
+          """;
+
+        @Test
+        void mavenVersionRangeDoesNotMatchBomManagedDependencyWhenResolvedIsOutOfRange() {
+            // Regression for rewrite-third-party#76: BOM-managed version (null on requested) must not match the range.
+            rewriteRun(
+              spec -> spec.recipe(new ModuleHasDependency(GroupId, ArtifactId, null, "[5.0,6.0)", null)),
+              mavenProject("project-maven",
+                pomXml(MavenBomManagedOutOfRange),
+                java(MavenJava)
+              )
+            );
+        }
     }
 
 @Nested
diff --git a/src/test/java/org/openrewrite/java/dependencies/search/RepositoryHasDependencyTest.java b/src/test/java/org/openrewrite/java/dependencies/search/RepositoryHasDependencyTest.java
@@ -15,12 +15,15 @@
  */
 package org.openrewrite.java.dependencies.search;
 
+import org.intellij.lang.annotations.Language;
 import org.junit.jupiter.api.Test;
 import org.openrewrite.DocumentExample;
 import org.openrewrite.test.RecipeSpec;
 import org.openrewrite.test.RewriteTest;
 
+import static org.openrewrite.gradle.Assertions.buildGradle;
 import static org.openrewrite.gradle.toolingapi.Assertions.withToolingApi;
+import static org.openrewrite.java.Assertions.java;
 import static org.openrewrite.java.Assertions.mavenProject;
 import static org.openrewrite.maven.Assertions.pomXml;
 
@@ -84,4 +87,92 @@ void usedAsDeclarativePrecondition() {
           )
         );
     }
+
+    @Language("java")
+    private final static String GradleJava = """
+      public class AGradle {}
+      """;
+
+    @Test
+    void gradleVersionRangeDoesNotMatchDeclaredWhenResolvedVersionIsOutOfRange() {
+        // The declared-dependency fallback must be skipped for an already-resolved coordinate (resolutionStrategy).
+        rewriteRun(
+          spec -> spec.recipe(new RepositoryHasDependency("org.springframework", "spring-beans", null, "[5.0,6.0)")),
+          mavenProject("project-gradle",
+            //language=groovy
+            buildGradle("""
+              plugins {
+                id 'java-library'
+              }
+              repositories {
+                mavenCentral()
+              }
+              configurations.all {
+                resolutionStrategy {
+                  force 'org.springframework:spring-beans:6.0.0'
+                }
+              }
+              dependencies {
+                implementation 'org.springframework:spring-beans:5.3.0'
+              }
+              """),
+            java(GradleJava)
+          )
+        );
+    }
+
+    @Test
+    void mavenVersionRangeDoesNotMatchBomManagedDependencyWhenResolvedIsOutOfRange() {
+        // Regression for rewrite-third-party#76: BOM-managed version (null on requested) must not match the range.
+        rewriteRun(
+          spec -> spec.recipe(new RepositoryHasDependency("org.springframework", "spring-beans", null, "[5.0,6.0)")),
+          mavenProject("project-maven",
+            //language=xml
+            pomXml("""
+              <project>
+                <groupId>com.example</groupId>
+                <artifactId>foo</artifactId>
+                <version>1.0.0</version>
+                <dependencyManagement>
+                  <dependencies>
+                    <dependency>
+                      <groupId>org.springframework.boot</groupId>
+                      <artifactId>spring-boot-dependencies</artifactId>
+                      <version>3.0.0</version>
+                      <type>pom</type>
+                      <scope>import</scope>
+                    </dependency>
+                  </dependencies>
+                </dependencyManagement>
+                <dependencies>
+                  <dependency>
+                    <groupId>org.springframework</groupId>
+                    <artifactId>spring-beans</artifactId>
+                  </dependency>
+                </dependencies>
+              </project>
+              """)
+          )
+        );
+    }
+
+    @Test
+    void gradleRequestedWithoutVersionAndConstraintDoesNotMatch() {
+        // Force resolution failure (no repositories), so the requested fallback fires.
+        rewriteRun(
+          spec -> spec.recipe(new RepositoryHasDependency("org.springframework", "spring-beans", null, "[1.0,)")),
+          mavenProject("project-gradle",
+            //language=groovy
+            buildGradle("""
+              plugins {
+                id 'java-library'
+              }
+              dependencies {
+                implementation 'org.springframework:spring-beans'
+              }
+              """),
+            java(GradleJava)
+          )
+        );
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -112,12 +112,17 @@ private boolean hasDependency(Tree tree) {`
`112`	`112`	`if (mavenResult != null) {`
`113`	`113`	`Scope requestedScope = scope == null ? null : Scope.fromName(scope);`
`114`	`114`	`List<ResolvedDependency> dependencies = mavenResult.findDependencies(groupIdPattern, artifactIdPattern, requestedScope);`
	`115`	`+ Set<String> resolvedGAs = new HashSet<>();`
`115`	`116`	`for (ResolvedDependency dependency : dependencies) {`
	`117`	`+ resolvedGAs.add(dependency.getGroupId() + ":" + dependency.getArtifactId());`
`116`	`118`	`if (versionComparator == null \|\| versionComparator.isValid(null, dependency.getVersion())) {`
`117`	`119`	`return true;`
`118`	`120`	`}`
`119`	`121`	`}`
`120`	`122`	`for (Dependency requested : mavenResult.getPom().getRequestedDependencies()) {`
	`123`	`+ if (resolvedGAs.contains(requested.getGroupId() + ":" + requested.getArtifactId())) {`
	`124`	`+ continue;`
	`125`	`+ }`
`121`	`126`	`if (matchesRequested(requested, requestedScope, versionComparator)) {`
`122`	`127`	`return true;`
`123`	`128`	`}`
`@@ -127,16 +132,23 @@ private boolean hasDependency(Tree tree) {`
`127`	`132`
`128`	`133`	`GradleProject gp = tree.getMarkers().findFirst(GradleProject.class).orElse(null);`
`129`	`134`	`if (gp != null) {`
	`135`	`+ Set<String> resolvedGAs = new HashSet<>();`
`130`	`136`	`for (GradleDependencyConfiguration c : gp.getConfigurations()) {`
`131`	`137`	`for (ResolvedDependency resolvedDependency : c.getDirectResolved()) {`
`132`	`138`	`ResolvedDependency found = resolvedDependency.findDependency(groupIdPattern, artifactIdPattern);`
`133`		`- if (found != null && (versionComparator == null \|\| versionComparator.isValid(null, found.getVersion()))) {`
`134`		`- return true;`
	`139`	`+ if (found != null) {`
	`140`	`+ resolvedGAs.add(found.getGroupId() + ":" + found.getArtifactId());`
	`141`	`+ if (versionComparator == null \|\| versionComparator.isValid(null, found.getVersion())) {`
	`142`	`+ return true;`
	`143`	`+ }`
`135`	`144`	`}`
`136`	`145`	`}`
`137`	`146`	`}`
`138`	`147`	`for (GradleDependencyConfiguration c : gp.getConfigurations()) {`
`139`	`148`	`for (Dependency requested : c.getRequested()) {`
	`149`	`+ if (resolvedGAs.contains(requested.getGroupId() + ":" + requested.getArtifactId())) {`
	`150`	`+ continue;`
	`151`	`+ }`
`140`	`152`	`if (matchesRequested(requested, null, versionComparator)) {`
`141`	`153`	`return true;`
`142`	`154`	`}`
`@@ -166,10 +178,10 @@ private boolean matchesRequested(Dependency dep, @Nullable Scope requestedScope,`
`166`	`178`	`}`
`167`	`179`
`168`	`180`	`private static boolean versionMatches(@Nullable String version, @Nullable VersionComparator cmp) {`
`169`		`- if (cmp == null \|\| version == null) {`
	`181`	`+ if (cmp == null) {`
`170`	`182`	`return true;`
`171`	`183`	`}`
`172`		`- if (version.startsWith("${")) {`
	`184`	`+ if (version == null \|\| version.startsWith("${")) {`
`173`	`185`	`return false;`
`174`	`186`	`}`
`175`	`187`	`return cmp.isValid(null, version);`