fix(DependencyGraphBuilder): Skip deep comparison for Gradle projects

jjohannes · sschuberth · commit 30b1b0515d92 · 2025-04-17T15:10:08.000+02:00
This can be avoided as it leads to a long runtime (and possible an
infinite loop / recursion) for large dependency graphs. In order
to be able to skip the deep comparison, the selected variants
need to be tracked in the Identifier. In the DependencyGraphBuilder
all 'scopes' (runtimeClasspath, compileClasspath, ...) are thrown
together. Gradle may have selected different variants of the components
in different 'scopes'.

Signed-off-by: Jendrik Johannes &lt;jendrik.johannes@gmail.com&gt;
diff --git a/model/src/main/kotlin/Identifier.kt b/model/src/main/kotlin/Identifier.kt
@@ -49,7 +49,12 @@ data class Identifier(
     /**
      * The version of the component.
      */
-    val version: String
+    val version: String,
+
+    /**
+     * The selected variants of the component.
+     */
+    val variants: Set<String> = emptySet()
 ) : Comparable<Identifier> {
     companion object {
         /**
diff --git a/model/src/main/kotlin/utils/DependencyGraphBuilder.kt b/model/src/main/kotlin/utils/DependencyGraphBuilder.kt
@@ -328,7 +328,14 @@ class DependencyGraphBuilder<D>(
 
         val dependencies1 = ref.dependencies.mapTo(mutableSetOf()) { dependencyIds[it.pkg] }
         val dependencies2 = dependencies.associateBy { dependencyHandler.identifierFor(it) }
-        if (dependencies1 != dependencies2.keys) return false
+
+        if (dependencies1 == dependencies2.keys) {
+            if (!dependencyHandler.requiresDeepDependencyTreeComparison()) {
+                return true
+            }
+        } else {
+            return false
+        }
 
         return ref.dependencies.all { refDep ->
             dependencies2[dependencyIds[refDep.pkg]]?.let { dependencyTreeEquals(refDep, it) } == true
diff --git a/model/src/main/kotlin/utils/DependencyHandler.kt b/model/src/main/kotlin/utils/DependencyHandler.kt
@@ -65,4 +65,11 @@ interface DependencyHandler<D> {
      * implementation returns an empty collection.
      */
     fun issuesForDependency(dependency: D): List<Issue> = emptyList()
+
+    /**
+     * Does node comparison require a deep comparison of the whole dependency subtree or not? If the underlying
+     * dependency management system, gives the guarantee for the latter, a costly comparison can be avoided and
+     * speed up the analysis process.
+     */
+    fun requiresDeepDependencyTreeComparison() = true
 }
diff --git a/plugins/package-managers/gradle-inspector/src/main/kotlin/GradleDependencyHandler.kt b/plugins/package-managers/gradle-inspector/src/main/kotlin/GradleDependencyHandler.kt
@@ -125,6 +125,12 @@ internal class GradleDependencyHandler(
             isMetadataOnly = hasNoArtifacts
         )
     }
+
+    /*
+     * In case of Gradle, the costly deep comparison can be skipped, because if the direct dependencies are the same,
+     * their children are also the same.
+     */
+    override fun requiresDeepDependencyTreeComparison() = false
 }
 
 // See http://maven.apache.org/pom.html#SCM.
diff --git a/plugins/package-managers/gradle-model/src/main/kotlin/GradleModel.kt b/plugins/package-managers/gradle-model/src/main/kotlin/GradleModel.kt
@@ -41,6 +41,7 @@ interface OrtDependency {
     val groupId: String
     val artifactId: String
     val version: String
+    val variants: Set<String>
     val classifier: String
     val extension: String
     val dependencies: List<OrtDependency>
diff --git a/plugins/package-managers/gradle-plugin/src/main/kotlin/OrtModelBuilder.kt b/plugins/package-managers/gradle-plugin/src/main/kotlin/OrtModelBuilder.kt
@@ -223,6 +223,7 @@ internal class OrtModelBuilder : ToolingModelBuilder {
                                 groupId = id.group,
                                 artifactId = id.module,
                                 version = id.version,
+                                variants = selectedComponent.variants.map { it.displayName }.toSet(),
                                 classifier = "",
                                 extension = modelBuildingResult?.effectiveModel?.packaging.orEmpty(),
                                 dependencies = dependencies,
@@ -252,6 +253,7 @@ internal class OrtModelBuilder : ToolingModelBuilder {
                                 groupId = moduleId.group,
                                 artifactId = moduleId.name,
                                 version = moduleId.version.takeUnless { it == "unspecified" }.orEmpty(),
+                                variants = selectedComponent.variants.map { it.displayName }.toSet(),
                                 classifier = "",
                                 extension = "",
                                 dependencies = dependencies,
diff --git a/plugins/package-managers/gradle-plugin/src/main/kotlin/OrtModelImpl.kt b/plugins/package-managers/gradle-plugin/src/main/kotlin/OrtModelImpl.kt
@@ -50,6 +50,7 @@ internal class OrtDependencyImpl(
     override val artifactId: String,
     override val version: String,
     override val classifier: String,
+    override val variants: Set<String>,
     override val extension: String,
     override val dependencies: List<OrtDependency>,
     override val error: String?,
diff --git a/plugins/package-managers/gradle/src/main/resources/init.gradle b/plugins/package-managers/gradle/src/main/resources/init.gradle
@@ -71,6 +71,7 @@ interface OrtDependency {
     String getArtifactId()
     String getVersion()
     String getClassifier()
+    Set<String> getVariants()
     String getExtension()
     List<OrtDependency> getDependencies()
     String getError()
@@ -104,6 +105,7 @@ class OrtDependencyImpl implements OrtDependency, Serializable {
     String groupId = ''
     String artifactId = ''
     String version = ''
+    Set<String> variants = []
     String classifier = ''
     String extension = ''
     List<OrtDependency> dependencies = []
@@ -369,7 +371,7 @@ class AbstractOrtDependencyTreePlugin<T> implements Plugin<T> {
                     def classifier = artifact?.classifier ?: ''
                     def extension = artifact?.extension ?: ''
 
-                    return new OrtDependencyImpl(id.group, id.module, id.version, classifier, extension, dependencies,
+                    return new OrtDependencyImpl(id.group, id.module, id.version, [] as Set, classifier, extension, dependencies,
                             error, warning, pomFile, null)
                 } else if (id instanceof ProjectComponentIdentifier) {
                     if (id.build.isCurrentBuild() || !project.gradle.gradleVersion.isAtLeastVersion(7, 2)) {

Original file line number	Diff line number	Diff line change
`@@ -125,6 +125,12 @@ internal class GradleDependencyHandler(`
`125`	`125`	`isMetadataOnly = hasNoArtifacts`
`126`	`126`	`)`
`127`	`127`	`}`
	`128`	`+`
	`129`	`+ /*`
	`130`	`+ * In case of Gradle, the costly deep comparison can be skipped, because if the direct dependencies are the same,`
	`131`	`+ * their children are also the same.`
	`132`	`+ */`
	`133`	`+ override fun requiresDeepDependencyTreeComparison() = false`
`128`	`134`	`}`
`129`	`135`
`130`	`136`	`// See http://maven.apache.org/pom.html#SCM.`