From 9fca5270e8a7ff92bee998ebe74f5dba8719aa11 Mon Sep 17 00:00:00 2001
From: Sam Snyder
Date: Wed, 11 Sep 2024 18:07:27 -0700
Subject: [PATCH] Don't get transitive dependencies of checkstyle. We don't need them to load checkstyle config and occasionally security scanners get mad about these unused transitive dependencies.
---
 plugin/build.gradle.kts | 2 ++
 .../org/openrewrite/gradle/RewritePlugin.java | 21 ++++++++++++++++++-
 2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/plugin/build.gradle.kts b/plugin/build.gradle.kts
index 413373f7f..c7cbfc559 100644
--- a/plugin/build.gradle.kts
+++ b/plugin/build.gradle.kts
@@ -117,6 +117,8 @@ dependencies {
 @Suppress("VulnerableLibrariesLocal", "RedundantSuppression")
 "rewriteDependencies"("com.puppycrawl.tools:checkstyle:9.3") {
 because("Latest version supporting gradle 4.x")
+ // We only use checkstyle to load its configuration files, and it turns out this alone is sufficient
+ isTransitive = false
 }
 "rewriteDependencies"("com.fasterxml.jackson.module:jackson-module-kotlin:2.17.2")
 "rewriteDependencies"("com.google.guava:guava:latest.release")
diff --git a/plugin/src/main/java/org/openrewrite/gradle/RewritePlugin.java b/plugin/src/main/java/org/openrewrite/gradle/RewritePlugin.java
index 5ea34f325..a0308ca51 100644
--- a/plugin/src/main/java/org/openrewrite/gradle/RewritePlugin.java
+++ b/plugin/src/main/java/org/openrewrite/gradle/RewritePlugin.java
@@ -15,11 +15,13 @@
 */
 package org.openrewrite.gradle;
+import groovy.lang.Closure;
 import org.gradle.api.Plugin;
 import org.gradle.api.Project;
 import org.gradle.api.Task;
 import org.gradle.api.artifacts.Configuration;
 import org.gradle.api.artifacts.Dependency;
+import org.gradle.api.artifacts.ExternalModuleDependency;
 import org.gradle.api.artifacts.dsl.DependencyHandler;
 import org.gradle.api.attributes.*;
 import org.gradle.api.attributes.java.TargetJvmEnvironment;
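Review bot: In plugin/build.gradle.kts, the new comment above `isTransitive = false` says that dropping checkstyle's transitive dependencies "turns out" to be sufficient, but nothing visible in this hunk pins that down, and a class checkstyle needs from an omitted transitive would only surface at runtime as a `NoClassDefFoundError`. The commit message gives scanner noise as the motivation, so note that this shrinks the resolved graph without changing the checkstyle 9.3 pin itself, which the `@Suppress("VulnerableLibrariesLocal", ...)` context line still covers. I would state the contract in the comment, for example `// Only checkstyle's own classes are used (configuration loading); revisit if more of checkstyle is ever called`, and back it with a test that loads a checkstyle configuration on the reduced classpath.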
@@ -32,6 +34,7 @@
 import org.gradle.api.provider.Provider;
 import org.gradle.api.tasks.SourceSetContainer;
 import org.gradle.api.tasks.TaskProvider;
+import org.jspecify.annotations.Nullable;
 import java.io.File;
 import java.util.Comparator;
@@ -52,6 +55,7 @@
 @SuppressWarnings("unused")
 public class RewritePlugin implements Plugin {
+ @Nullable
 private Set resolvedDependencies;
 @Override
@@ -210,7 +214,22 @@ private static Stream knownRewriteDependencies(RewriteExtension exte
 deps.create("org.openrewrite.gradle.tooling:model:" + extension.getRewriteGradleModelVersion()),
 // This is an optional dependency of rewrite-java needed when projects also apply the checkstyle plugin
- deps.create("com.puppycrawl.tools:checkstyle:" + extension.getCheckstyleToolsVersion()),
+ deps.create("com.puppycrawl.tools:checkstyle:" + extension.getCheckstyleToolsVersion(), new Closure(deps) {
+ @Override
+ public Dependency call(Object arguments) {
+ if (arguments instanceof ExternalModuleDependency) {
+ ExternalModuleDependency dep = (ExternalModuleDependency) arguments;
+ dep.setTransitive(false);
+ return dep;
+ }
+ return super.call(arguments);
+ }
+
+ @Override
+ public int getMaximumNumberOfParameters() {
+ return 1;
+ }
+ }),
 deps.create("com.fasterxml.jackson.module:jackson-module-kotlin:" + extension.getJacksonModuleKotlinVersion()),
 deps.create("com.fasterxml.jackson.datatype:jackson-datatype-jsr310:" + extension.getJacksonModuleKotlinVersion())
 );
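Review bot: In the last hunk of RewritePlugin.java, the fallback `return super.call(arguments);` inside the anonymous `Closure` looks unsafe: as far as I know `Closure.call` dispatches to a `doCall` method, which this subclass does not define, so a dependency that is not an `ExternalModuleDependency` would fail with an obscure Groovy error instead of passing through. That branch also means the transitives were not switched off, so I would make the failure explicit, e.g. `throw new IllegalStateException("Expected an ExternalModuleDependency for checkstyle but got " + arguments);`. The version comes from `extension.getCheckstyleToolsVersion()`, so the assumption that the checkstyle jar alone is enough has to hold for whatever version a user configures; a comment mirroring the one in build.gradle.kts would record that, e.g. `// Only checkstyle's own classes are needed to load its configuration, so skip its transitive dependencies`. `knownRewriteDependencies` begins and ends outside the hunk.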