From e5ca10d5d38561fabee7a9bafa459fdaeda3540e Mon Sep 17 00:00:00 2001
From: Frank Viernau
Date: Tue, 12 Sep 2023 11:33:11 +0200
Subject: [PATCH] fix(reporter): Fix the creation of first level dependency relationships

As of [1] the SPDX document was changed to have separate entries for all projects and sub-projects instead of a single artificial root project containing all dependencies. While excluded packages are not included in the package, the implementation [1] accidentally creates (dangling) relationships to such excluded packages, see [2]. Fix the issue visible in [2] by the code change further up and an analog issue not visible in the expected result diff with the code change some lines further down.
Fixes #7487.
[1] https://github.com/oss-review-toolkit/ort/commit/b47154482299b9b49c0e0c692e3f2dacdd53c395
[2] https://github.com/oss-review-toolkit/ort/commit/b47154482299b9b49c0e0c692e3f2dacdd53c395#diff-6de35dd2aff1f92b7f5ea558d3f77e02d0d596dd4ce2a8199056cfb31b47fcabR181-R184
Signed-off-by: Frank Viernau
---
 .../assets/spdx-document-reporter-expected-output.spdx.json | 4 ----
 .../assets/spdx-document-reporter-expected-output.spdx.yml | 3 ---
 .../spdx/src/main/kotlin/SpdxDocumentModelMapper.kt | 6 ++++--
 3 files changed, 4 insertions(+), 9 deletions(-)
diff --git a/plugins/reporters/spdx/src/funTest/assets/spdx-document-reporter-expected-output.spdx.json b/plugins/reporters/spdx/src/funTest/assets/spdx-document-reporter-expected-output.spdx.json
index ba9f4876ed8ec..9ddc9622e09ef 100644
--- a/plugins/reporters/spdx/src/funTest/assets/spdx-document-reporter-expected-output.spdx.json
+++ b/plugins/reporters/spdx/src/funTest/assets/spdx-document-reporter-expected-output.spdx.json
@@ -240,10 +240,6 @@
 "spdxElementId" : "SPDXRef-Package-Maven-seventh-package-group-seventh-package-0.0.1",
 "relationshipType" : "GENERATED_FROM",
 "relatedSpdxElement" : "SPDXRef-Package-Maven-seventh-package-group-seventh-package-0.0.1-source-artifact"
- }, {
- "spdxElementId" : "SPDXRef-Project-Maven-first-project-group-first-project-name-0.0.1",
- "relationshipType" : "DEPENDS_ON",
- "relatedSpdxElement" : "SPDXRef-Package-Maven-fifth-package-group-fifth-package-0.0.1"
 }, {
 "spdxElementId" : "SPDXRef-Project-Maven-first-project-group-first-project-name-0.0.1",
 "relationshipType" : "DEPENDS_ON",
diff --git a/plugins/reporters/spdx/src/funTest/assets/spdx-document-reporter-expected-output.spdx.yml b/plugins/reporters/spdx/src/funTest/assets/spdx-document-reporter-expected-output.spdx.yml
index e2ad5bdfedfc6..9eefa75bb61a2 100644
--- a/plugins/reporters/spdx/src/funTest/assets/spdx-document-reporter-expected-output.spdx.yml
+++ b/plugins/reporters/spdx/src/funTest/assets/spdx-document-reporter-expected-output.spdx.yml
@@ -241,9 +241,6 @@ relationships:
 - spdxElementId: "SPDXRef-Package-Maven-seventh-package-group-seventh-package-0.0.1"
 relationshipType: "GENERATED_FROM"
 relatedSpdxElement: "SPDXRef-Package-Maven-seventh-package-group-seventh-package-0.0.1-source-artifact"
-- spdxElementId: "SPDXRef-Project-Maven-first-project-group-first-project-name-0.0.1"
- relationshipType: "DEPENDS_ON"
- relatedSpdxElement: "SPDXRef-Package-Maven-fifth-package-group-fifth-package-0.0.1"
 - spdxElementId: "SPDXRef-Project-Maven-first-project-group-first-project-name-0.0.1"
 relationshipType: "DEPENDS_ON"
 relatedSpdxElement: "SPDXRef-Package-Maven-first-package-group-first-package-0.0.1"
diff --git a/plugins/reporters/spdx/src/main/kotlin/SpdxDocumentModelMapper.kt b/plugins/reporters/spdx/src/main/kotlin/SpdxDocumentModelMapper.kt
index 7213ecfad326a..219389650419f 100644
--- a/plugins/reporters/spdx/src/main/kotlin/SpdxDocumentModelMapper.kt
+++ b/plugins/reporters/spdx/src/main/kotlin/SpdxDocumentModelMapper.kt
@@ -72,7 +72,8 @@ internal object SpdxDocumentModelMapper : Logging {
 ortResult.getDependencies(
 id = project.id,
- maxLevel = 1
+ maxLevel = 1,
+ omitExcluded = true
 ).mapTo(relationships) { dependency ->
 SpdxRelationship(
 spdxElementId = spdxProjectPackage.spdxId,
@@ -96,7 +97,8 @@ internal object SpdxDocumentModelMapper : Logging {
 ortResult.getDependencies(
 id = pkg.id,
- maxLevel = 1
+ maxLevel = 1,
+ omitExcluded = true
 ).mapTo(relationships) { dependency ->
 SpdxRelationship(
 spdxElementId = binaryPackage.spdxId,
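Review bot: The reason for `omitExcluded = true` is not recorded at either call site, here in the `project.id` call and again in the `pkg.id` call of the next hunk, so a later cleanup could drop the argument and reintroduce relationships that point at packages the document does not declare. I would add a comment above each call such as `// Excluded packages are not written to the document; omit them here to avoid dangling relationships.` Both calls now pass the same `maxLevel = 1, omitExcluded = true` pair, which a small private helper could hold in one place. The enclosing function starts and ends outside the hunk.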
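Review bot: Nothing in this patch exercises the `pkg.id` call changed in this hunk: the two expected-output assets lose only the first-project to fifth-package `DEPENDS_ON` entry, and the commit message itself says this second case is not visible in the expected result. A regression here would again emit a `relatedSpdxElement` with no matching package entry, which consumers of the SBOM may reject or resolve incorrectly. Consider extending the fixture with a non-excluded package that depends on an excluded one, or asserting in the functional test that every relationship's `spdxElementId` and `relatedSpdxElement` is declared in the generated document. The enclosing block continues outside the hunk.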