Add option to filter scopes when creating SBOM

src/main/java/org/spdx/maven/CreateSpdxMojo.java

@@ -54,6 +54,9 @@
 import org.spdx.maven.utils.SpdxV3DependencyBuilder;
 import org.spdx.maven.utils.SpdxV3DocumentBuilder;
 
+import org.apache.maven.artifact.resolver.filter.ArtifactFilter;
+import org.apache.maven.artifact.resolver.filter.CumulativeScopeArtifactFilter;
+
 import java.io.File;
 import java.net.URI;
 import java.net.URISyntaxException;
@@ -493,6 +496,41 @@ public class CreateSpdxMojo extends AbstractMojo
     @Parameter( property = "spdx.generatePurls" )
     protected boolean generatePurls = true;
 
+    /**
+     * If true, include system scope in dependency graph
+     * @since 0.8.0
+     */
+    @Parameter( defaultValue = "true" )
+    private boolean includeSystemScope;
+
+    /**
+     * If true, include test scope in dependency graph
+     * @since 0.8.0
+     */
+    @Parameter( defaultValue = "true" )
+    private boolean includeTestScope;
+
+    /**
+     * If true, include runtime scope in dependency graph
+     * @since 0.8.0
+     */
+    @Parameter( defaultValue = "true" )
+    private boolean includeRuntimeScope;
+
+    /**
+     * If true, include provided scope in dependency graph
+     * @since 0.8.0
+     */
+    @Parameter( defaultValue = "true" )
+    private boolean includeProvidedScope;
+
+    /**
+     * If true, include compile scope in dependency graph
+     * @since 0.8.0
+     */
+    @Parameter( defaultValue = "true" )
+    private boolean includeCompileScope;
+
     public void execute() throws MojoExecutionException
     {
         if ( skip )
@@ -683,7 +721,8 @@ protected void buildSpdxDependencyInformation( AbstractDocumentBuilder builder,
         {
             ProjectBuildingRequest request = new DefaultProjectBuildingRequest( session.getProjectBuildingRequest() );
             request.setProject( mavenProject );
-            DependencyNode parentNode = dependencyGraphBuilder.buildDependencyGraph( request, null );
+            ArtifactFilter artifactFilter = getArtifactFilter();
+            DependencyNode parentNode = dependencyGraphBuilder.buildDependencyGraph( request, artifactFilter );
 
             dependencyBuilder.addMavenDependencies( mavenProjectBuilder, session, mavenProject, parentNode, builder.getProjectPackage() );
         }
@@ -1004,4 +1043,21 @@ private Set<String> getChecksumAlgorithms()
         }
         return algorithms;
     }
+
+    /**
+     * Create an ArtifactFilter based on the provided scopes
+     */
+    private ArtifactFilter getArtifactFilter()
+    {
+        getLog().debug( "Creating Artifact filter" );
+        List<String> scopes = new ArrayList<>();
+        if (includeCompileScope) scopes.add("compile");
+        if (includeProvidedScope) scopes.add("provided");
+        if (includeRuntimeScope) scopes.add("runtime");
+        if (includeSystemScope) scopes.add("system");
+        if (includeTestScope) scopes.add("test");
+
+        getLog().debug( scopes.toString() );
+        return new CumulativeScopeArtifactFilter(scopes);
+    }
 }

src/test/java/org/spdx/maven/TestWithSessionSpdxV2Mojo.java

@@ -98,6 +98,37 @@ public void testDependencies() throws Exception
     assertTrue( relationships.contains( "junit->hamcrest-core" ) || relationships.contains( "junit->org.hamcrest:hamcrest-core" ) );
   }
 
+  @Test
+  public void testDependenciesExclTestScope() throws Exception
+  {
+    File pom = new File( getBasedir(), UNIT_TEST_RESOURCE_DIR + "/json-pom-dependencies-excl-test.xml" );
+    SpdxDocument result = runMojoWithPom( pom );
+
+    Set<String> packages = new HashSet<>();
+    Set<String> relationships = new HashSet<>();
+    SpdxModelFactory.getElements( result.getModelStore(), result.getDocumentUri(), result.getCopyManager(), SpdxPackage.class )
+        .forEach( ( element ) -> {
+          SpdxPackage pkg = (SpdxPackage) element;
+          try
+          {
+            packages.add( pkg.getName().get() );
+
+            for ( Relationship rel : pkg.getRelationships() )
+            {
+              relationships.add( pkg.getName().get() + "->" + rel.getRelatedSpdxElement().get().getName().get() );
+            }
+          }
+          catch ( InvalidSPDXAnalysisException e )
+          {
+            throw new RuntimeException( e );
+          }
+        });
+
+    assertTrue( packages.contains( "org.spdx:spdx-maven-plugin-test" ) );
+    assertFalse( packages.contains( "junit" ) );
+    assertFalse( packages.contains( "hamcrest-core" ) || packages.contains( "org.hamcrest:hamcrest-core" ) );
+  }
+
   // -- Configure mojo loader
 
   private SpdxDocument runMojoWithPom( File pom ) throws Exception

src/test/resources/unit/spdx-maven-plugin-test/json-pom-dependencies-excl-test.xml

@@ -0,0 +1,108 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>org.spdx</groupId>
+    <artifactId>spdx-maven-plugin-test</artifactId>
+    <version>1.0-SNAPSHOT</version>
+    <packaging>jar</packaging>
+    <name>Test SPDX Plugin</name>
+    <licenses>
+        <license>
+            <name>The Apache Software License, Version 2.0</name>
+            <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
+            <distribution>repo</distribution>
+        </license>
+    </licenses>
+    <url>http://spdx.org/tools</url>
+    <organization>
+        <name>Linux Foundation</name>
+        <url>http://www.linuxfoundation.org</url>
+    </organization>
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <version>4.13.1</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <sourceDirectory>src</sourceDirectory>
+        <testSourceDirectory>Test</testSourceDirectory>
+        <resources>
+            <resource>
+                <targetPath>resources</targetPath>
+                <filtering>false</filtering>
+                <directory>resources</directory>
+                <includes>
+                    <include>**/*</include>
+                </includes>
+            </resource>
+            <resource>
+                <targetPath>META-INF</targetPath>
+                <filtering>false</filtering>
+                <directory>.</directory>
+                <includes>
+                    <include>NOTICE</include>
+                    <include>LICENSE</include>
+                    <include>README.txt</include>
+                    <include>changelog</include>
+                </includes>
+            </resource>
+            <resource>
+                <directory>src</directory>
+                <excludes>
+                    <exclude>**/*.java</exclude>
+                </excludes>
+            </resource>
+        </resources>
+        <testResources>
+            <testResource>
+                <directory>Test</directory>
+                <excludes>
+                    <exclude>**/*.java</exclude>
+                </excludes>
+            </testResource>
+            <testResource>
+                <filtering>false</filtering>
+                <directory>TestFiles</directory>
+                <includes>
+                    <include>**/*</include>
+                </includes>
+            </testResource>
+        </testResources>
+
+        <plugins>
+            <plugin>
+                <groupId>org.spdx</groupId>
+                <artifactId>spdx-maven-plugin</artifactId>
+                <version>1.0-SNAPSHOT</version>
+                <executions>
+                    <execution>
+                        <id>build-spdx</id>
+                        <phase>prepare-package</phase>
+                        <goals>
+                            <goal>createSPDX</goal>
+                        </goals>
+                    </execution>
+                </executions>
+                <configuration>
+                    <spdxFile>target/test-classes/unit/spdx-maven-plugin-test/test.spdx.json</spdxFile>
+                    <useArtifactID>true</useArtifactID>
+                    <outputFormat>JSON</outputFormat>
+                    <spdxDocumentNamespace>http://spdx.org/documents/spdx%20toolsv2.0%20rc1</spdxDocumentNamespace>
+                    <defaultFileConcludedLicense>Apache-2.0</defaultFileConcludedLicense>
+                    <generatePurls>true</generatePurls>
+                    <includeTestScope>false</includeTestScope>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+</project>