Feat: Add id attribute (gav) support to Dependency, Exclusion, Mixin

[rbygrave]

Based on design discussion on Issue #11500, the proposal is to support a compact id attribute format for Dependency, Exclusion and Mixin elements.

Dependency id Format

The id attribute supports the following compact formats, using the standard Maven coordinate order (groupId:artifactId:type:classifier:version):

Format	Description
groupId:artifactId	version managed via <dependencyManagement>
groupId:artifactId:version	explicit version
groupId:artifactId:type:version	with explicit type
groupId:artifactId:type:classifier:version	with type and classifier

Full syntax: groupId:artifactId[[:type[:classifier]]:version][@scope][?]

A trailing : (empty version) indicates the version is managed (e.g. groupId:artifactId:type:).

Any segment may be left empty to skip setting that field, leaving it for later inference (e.g. from dependencyManagement). For example, :artifactId leaves groupId unset, and :artifactId:version leaves groupId unset with an explicit version.

An optional @scope suffix sets the dependency scope (test, provided, runtime, compile, system, import). A trailing ? marks the dependency as optional.

Examples

<!-- Basic GAV -->
<dependency id="org.slf4j:slf4j-api:2.0.17"/>

<!-- Managed version (from dependencyManagement) -->
<dependency id="org.slf4j:slf4j-api"/>

<!-- Inferred groupId (from dependencyManagement) -->
<dependency id=":slf4j-api"/>

<!-- Inferred groupId with explicit version -->
<dependency id=":slf4j-api:2.0.17"/>

<!-- With scope -->
<dependency id="org.junit.jupiter:junit-jupiter-api:5.14.1@test"/>

<!-- Inferred groupId with scope -->
<dependency id=":junit-jupiter-api@test"/>

<!-- With optional marker -->
<dependency id="commons-io:commons-io:2.11.0?"/>

<!-- Scope + optional combined -->
<dependency id="org.apache.maven:maven-core:3.9.0@provided?"/>

<!-- Import scope (for BOMs) -->
<dependency id="org.junit:junit-bom:5.12.0@import"/>

<!-- With type -->
<dependency id="org.example:lib-b:pom:1.0"/>

<!-- With type and classifier -->
<dependency id="org.example:lib-c:jar:sources:1.0"/>

<!-- Type with managed version -->
<dependency id="org.example:lib-b:pom:"/>

<!-- Exclusions with id attribute -->
<dependency id="org.postgresql:postgresql:42.7.3">
  <exclusions>
    <exclusion id="*:*"/>
  </exclusions>
</dependency>

<!-- Mixin with compact format -->
<mixin id="com.example.mixins:java-mixin:1.0.0"/>

Validation

• When id is used, child elements groupId, artifactId, and version must not be specified (even if the corresponding segment in the id is empty).
• type conflict is only checked when the id has 4+ parts (3+ colons, i.e. type is encoded).
• classifier conflict is only checked when the id has 5 parts (4 colons, i.e. classifier is encoded).
• When @scope is present in the id, a <scope> child element must not be specified.
• When ? is present, an <optional> child element must not be specified.
• Scope and optional can still be specified as child elements when not encoded in the id attribute.

Inference

Empty segments are skipped during normalization, leaving the corresponding field unset for later inference. This allows patterns like:

• :artifactId — groupId and version left unset for inference from dependencyManagement
• :artifactId:version — groupId left unset
• groupId:artifactId:type: — version left unset (managed), type explicit

Notes

• Mixin has the XML attribute id but uses gav underneath as the Java field, to work around a name clash with getId() from Parent.
• Normalization splits the id into component fields and clears the id attribute, so downstream code works with standard dependency fields.
• Existing child element values are not overridden — the id attribute only fills in fields that are currently null/empty.

---

Following this checklist to help us incorporate your
contribution quickly and easily:

• Your pull request should address just one issue, without pulling in other changes.
• Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
• Each commit in the pull request should have a meaningful subject line and body.
  Note that commits might be squashed by a maintainer on merge.
• Write unit tests that match behavioral changes, where the tests fail if the changes to the runtime are not applied.
  This may not always be possible but is a best-practice.
• Run mvn verify to make sure basic checks pass.
  A more thorough check will be performed on your pull request automatically.
• You have run the Core IT successfully.

If your pull request is about ~20 lines of code you don't need to sign an
Individual Contributor License Agreement if you are unsure
please ask on the developers list.

To make clear that you license your contribution under
the Apache License Version 2.0, January 2004
you have to acknowledge this by using the following check-box.

• I hereby declare this contribution to be licenced under the Apache License Version 2.0, January 2004
• In any other case, please file an Apache Individual Contributor License Agreement.

[rbygrave]

Using field name gav with attribute name id ... in order to avoid the conflict with the existing Parent.getId()

[gnodet]

Claude Code on behalf of Guillaume Nodet

Overall a clean implementation. The strict validation, test coverage, and the Mixin gav field workaround are well thought out. A few issues to address:

1. Dependency management dependencies are not expanded -- mergeDuplicates only expands id on model.getDependencies() but not on model.getDependencyManagement().getDependencies(), nor on profile-scoped dependencies/dependency-management. The validator correctly validates all of these (lines 536-596 of DefaultModelValidator), so managed deps with id will pass validation but never get expanded.

2. Normalization runs after raw validation -- validateRawModel runs in doReadRawModel() (line 1818) before mergeDuplicates (line 1362 in readInputModel). The validator's duplicate-detection key logic (using dependency.getId() directly when set) handles this correctly, but it means the validator sees the unexpanded state. This is fine for the conflict checks but worth keeping in mind.

3. Dependency.getId() naming clash -- The Dependency class now has a new id field with getId()/setId() via the model generator. But Parent (and therefore Mixin) has a computed getId() method in a codeSegment that returns groupId:artifactId:pom:version. Since Mixin extends Parent, the new field was wisely renamed to gav. However, does Dependency have a similar computed getId() method anywhere? If so, the new id field's generated getter could shadow or conflict with it. Worth verifying the generated code compiles cleanly.

4. isBlank does not trim -- The isBlank helper in the normalizer only checks for null/empty, not for whitespace-only strings. The name isBlank is misleading since String.isBlank() checks whitespace. Consider renaming to isNullOrEmpty or using String.isBlank() which handles whitespace in coordinates (e.g., " ").

[gnodet]

Nit: this method name is misleading -- String.isBlank() in Java checks for whitespace-only strings, but this only checks null/empty. Consider renaming to isNullOrEmpty to avoid confusion, or use s == null || s.isBlank() to also handle whitespace-only values in coordinates.

Suggested change

	private static boolean isNullOrEmpty(String s) {
	return s == null || s.isEmpty();
	}

[gnodet]

Good approach using dependency.getId() as the dedup key when set, since normalization hasn't run yet at this point. However, two dependencies with the same id attribute but different scopes/classifiers would collide here (since the key is just the raw id string, not the management key). After normalization, they'd have distinct management keys (which includes type and classifier). Is this the intended behavior?