From 5cd5675b9865c45e65c3cafc33cf8f437b13b140 Mon Sep 17 00:00:00 2001
From: Jente Sondervorst <jentesondervorst@gmail.com>
Date: Thu, 6 Jun 2024 21:43:22 +0200
Subject: [PATCH] Do not add constraints inside version J.MethodInvocations
 part of the constraint itself. (#4229)

* Added test to showcase issue

#4228

* Do not update version method in constraints with a new constraint

Closes #4228

---------

Co-authored-by: Jente Sondervorst <jente.sondervorst@colruytgroup.com>
---
 .../UpgradeTransitiveDependencyVersion.java   |  6 ++
 ...pgradeTransitiveDependencyVersionTest.java | 56 +++++++++++++++++++
 2 files changed, 62 insertions(+)

diff --git a/rewrite-gradle/src/main/java/org/openrewrite/gradle/UpgradeTransitiveDependencyVersion.java b/rewrite-gradle/src/main/java/org/openrewrite/gradle/UpgradeTransitiveDependencyVersion.java
index 720f80e5809..420b46f3241 100644
--- a/rewrite-gradle/src/main/java/org/openrewrite/gradle/UpgradeTransitiveDependencyVersion.java
+++ b/rewrite-gradle/src/main/java/org/openrewrite/gradle/UpgradeTransitiveDependencyVersion.java
@@ -366,6 +366,9 @@ private static class CreateConstraintVisitor extends GroovyIsoVisitor<ExecutionC
         String because;
         @Override
         public J.MethodInvocation visitMethodInvocation(J.MethodInvocation method, ExecutionContext ctx) {
+            if ("version".equals(method.getSimpleName())) {
+                return method;
+            }
             J.MethodInvocation m = super.visitMethodInvocation(method, ctx);
             Optional<G.CompilationUnit> withConstraint = GradleParser.builder().build().parse(String.format(
                     "plugins {\n" +
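Review bot: The new guard at the top of `visitMethodInvocation` matches on the simple name alone, so any call named `version` in the build script is returned unvisited together with its whole subtree, not only a `version { ... }` block inside `constraints` (presumably a `plugins { id 'x' version '1.0' }` entry is caught as well). That is probably harmless here, but it is undocumented; I would add a comment such as `// A version { } block belongs to an existing constraint; do not descend into it, or a new constraint gets nested inside (#4228)`. The identical guard is repeated in `UpdateConstraintVersionVisitor` in the next hunk, so a small private static helper, e.g. `isVersionBlock(J.MethodInvocation)`, would keep the two in step. The method body continues past the end of this hunk.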
@@ -419,6 +422,9 @@ private static class UpdateConstraintVersionVisitor extends GroovyIsoVisitor<Exe
 
         @Override
         public J.MethodInvocation visitMethodInvocation(J.MethodInvocation method, ExecutionContext ctx) {
+            if ("version".equals(method.getSimpleName())) {
+                return method;
+            }
             J.MethodInvocation m = super.visitMethodInvocation(method, ctx);
             if(existingConstraint.isScope(m)) {
                 AtomicBoolean updatedBecause = new AtomicBoolean(false);
diff --git a/rewrite-gradle/src/test/java/org/openrewrite/gradle/UpgradeTransitiveDependencyVersionTest.java b/rewrite-gradle/src/test/java/org/openrewrite/gradle/UpgradeTransitiveDependencyVersionTest.java
index 6567e3aecbe..7405c5bbb39 100644
--- a/rewrite-gradle/src/test/java/org/openrewrite/gradle/UpgradeTransitiveDependencyVersionTest.java
+++ b/rewrite-gradle/src/test/java/org/openrewrite/gradle/UpgradeTransitiveDependencyVersionTest.java
@@ -17,6 +17,7 @@
 
 import org.junit.jupiter.api.Test;
 import org.openrewrite.DocumentExample;
+import org.openrewrite.Issue;
 import org.openrewrite.test.RecipeSpec;
 import org.openrewrite.test.RewriteTest;
 
@@ -447,4 +448,59 @@ void constraintDoesNotGetAddedToNonTransitiveNonExtendingConfiguration() {
           )
         );
     }
+
+    @Test
+    @Issue("https://github.com/openrewrite/rewrite/issues/4228")
+    void constraintDoesNotGetAddedInsideConstraint() {
+        rewriteRun(
+          spec -> spec
+            .beforeRecipe(withToolingApi())
+            .recipe(new UpgradeTransitiveDependencyVersion("com.fasterxml.jackson.core", "jackson-core","2.12.5", null, "CVE-2024-BAD")),
+          //language=groovy
+          buildGradle(
+            """
+              plugins {
+                  id 'java'
+              }
+              repositories {
+                  mavenCentral()
+              }
+              dependencies {
+                  implementation 'org.openrewrite:rewrite-java:7.0.0'
+              
+                  constraints {
+                      implementation("org.apache.logging.log4j:log4j-core") {
+                          version {
+                              strictly("2.17.0")
+                          }
+                          because 'security'
+                      }
+                  }
+              }
+              """, """
+              plugins {
+                  id 'java'
+              }
+              repositories {
+                  mavenCentral()
+              }
+              dependencies {
+                  implementation 'org.openrewrite:rewrite-java:7.0.0'
+              
+                  constraints {
+                      implementation('com.fasterxml.jackson.core:jackson-core:2.12.5') {
+                          because 'CVE-2024-BAD'
+                      }
+                      implementation("org.apache.logging.log4j:log4j-core") {
+                          version {
+                              strictly("2.17.0")
+                          }
+                          because 'security'
+                      }
+                  }
+              }
+              """
+          )
+        );
+    }
 }
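Review bot: `constraintDoesNotGetAddedInsideConstraint` covers only the create path: the existing constraint is for log4j-core, a different module from the jackson-core constraint being added, so the guard added to `UpdateConstraintVersionVisitor` does not appear to be exercised. A second case is worth adding in which the build already holds a constraint for `com.fasterxml.jackson.core:jackson-core` written as `version { strictly(...) }`, asserting what the recipe is expected to produce. Since the recipe is typically run to remediate a vulnerable transitive dependency, a silent no-op on that form would leave the old version pinned while the run looks successful; whether that happens depends on code outside this diff.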