Add NoSystemScopeDependencies cleanup recipe (#7055)

timtebeek · web-flow · commit 03048dcc3e29 · 2026-03-22T13:00:47.000-04:00
* Add recipe to fix Sonar rule S3422: remove system scope from Maven dependencies

This recipe removes &lt;scope&gt;system&lt;/scope&gt; and &lt;systemPath&gt; from Maven
dependencies when the artifact is available in configured repositories.
System scope is deprecated, non-portable, and problematic because it
requires a machine-specific systemPath and is not packaged in artifacts.

The recipe only removes system scope if the dependency can be verified
to exist in a configured Maven repository by checking available versions.
Dependencies not found in any repository are left unchanged.

Fixes Sonar finding: 'Dependencies should not have "system" scope'

* Add NoSystemScopeDependencies to Maven best practices

Include the new recipe in the BestPractices composite recipe and
add its entry to recipes.csv.

* Remove unused import and add null safety for metadata versioning

* Revert unrelated package-lock.json changes

* Restore package-lock.json to match latest main

* Resolve property placeholders in version before checking metadata
diff --git a/rewrite-maven/src/main/java/org/openrewrite/maven/cleanup/NoSystemScopeDependencies.java b/rewrite-maven/src/main/java/org/openrewrite/maven/cleanup/NoSystemScopeDependencies.java
@@ -0,0 +1,78 @@
+/*
+ * Copyright 2026 the original author or authors.
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * https://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.openrewrite.maven.cleanup;
+
+import lombok.Getter;
+import org.openrewrite.ExecutionContext;
+import org.openrewrite.Recipe;
+import org.openrewrite.TreeVisitor;
+import org.openrewrite.maven.MavenDownloadingException;
+import org.openrewrite.maven.MavenIsoVisitor;
+import org.openrewrite.maven.tree.MavenMetadata;
+import org.openrewrite.xml.RemoveContentVisitor;
+import org.openrewrite.xml.tree.Xml;
+
+public class NoSystemScopeDependencies extends Recipe {
+
+    @Getter
+    final String displayName = "Dependencies should not have `system` scope";
+
+    @Getter
+    final String description = "Replaces `<scope>system</scope>` with the default compile scope and removes " +
+            "`<systemPath>` for dependencies that are available in configured repositories.";
+
+    @Override
+    public TreeVisitor<?, ExecutionContext> getVisitor() {
+        return new MavenIsoVisitor<ExecutionContext>() {
+            @Override
+            public Xml.Tag visitTag(Xml.Tag tag, ExecutionContext ctx) {
+                if ((isDependencyTag() || isManagedDependencyTag()) &&
+                        "system".equals(tag.getChildValue("scope").orElse(null))) {
+
+                    String groupId = tag.getChildValue("groupId").orElse(null);
+                    String artifactId = tag.getChildValue("artifactId").orElse(null);
+                    String version = tag.getChildValue("version").orElse(null);
+                    if (groupId == null || artifactId == null || version == null) {
+                        return super.visitTag(tag, ctx);
+                    }
+
+                    // Resolve property placeholders (e.g. ${some.version}) against the POM
+                    String resolvedVersion = getResolutionResult().getPom().getValue(version);
+                    if (resolvedVersion == null) {
+                        return super.visitTag(tag, ctx);
+                    }
+
+                    try {
+                        MavenMetadata metadata = downloadMetadata(groupId, artifactId, ctx);
+                        if (metadata.getVersioning() == null ||
+                                !metadata.getVersioning().getVersions().contains(resolvedVersion)) {
+                            return super.visitTag(tag, ctx);
+                        }
+                    } catch (MavenDownloadingException e) {
+                        return super.visitTag(tag, ctx);
+                    }
+
+                    tag.getChild("scope").ifPresent(
+                            scope -> doAfterVisit(new RemoveContentVisitor<>(scope, false, true)));
+                    tag.getChild("systemPath").ifPresent(
+                            systemPath -> doAfterVisit(new RemoveContentVisitor<>(systemPath, false, true)));
+                    maybeUpdateModel();
+                }
+                return super.visitTag(tag, ctx);
+            }
+        };
+    }
+}
diff --git a/rewrite-maven/src/main/resources/META-INF/rewrite/maven.yml b/rewrite-maven/src/main/resources/META-INF/rewrite/maven.yml
@@ -22,6 +22,7 @@ recipeList:
   - org.openrewrite.maven.cleanup.ExplicitDependencyVersion
   - org.openrewrite.maven.cleanup.ExplicitPluginGroupId
   - org.openrewrite.maven.cleanup.ExplicitPluginVersion
+  - org.openrewrite.maven.cleanup.NoSystemScopeDependencies
   - org.openrewrite.maven.cleanup.PrefixlessExpressions
   - org.openrewrite.maven.OrderPomElements
   - org.openrewrite.maven.RemoveDuplicateDependencies
diff --git a/rewrite-maven/src/main/resources/META-INF/rewrite/recipes.csv b/rewrite-maven/src/main/resources/META-INF/rewrite/recipes.csv
@@ -73,6 +73,7 @@ maven,org.openrewrite:rewrite-maven,org.openrewrite.maven.UpgradeToModelVersion4
 maven,org.openrewrite:rewrite-maven,org.openrewrite.maven.ReplaceModulesWithSubprojects,Replace modules with subprojects,Maven 4 model version 4.1.0 deprecates the `<modules>` element in favor of `<subprojects>` to eliminate confusion with Java's Platform Module System (JPMS). This recipe renames `<modules>` to `<subprojects>` and `<module>` children to `<subproject>`.,3,,Maven,,
 maven,org.openrewrite:rewrite-maven,org.openrewrite.maven.RemoveMavenWrapper,Remove Maven wrapper,"Remove Maven wrapper files from a project. This includes the `mvnw` and `mvnw.cmd` scripts, and the `.mvn/wrapper` directory.",4,,Maven,,
 maven,org.openrewrite:rewrite-maven,org.openrewrite.maven.cleanup.DependencyManagementDependencyRequiresVersion,Dependency management dependencies should have a version,"If they don't have a version, they can't possibly affect dependency resolution anywhere, and can be safely removed.",1,Cleanup,Maven,,
+maven,org.openrewrite:rewrite-maven,org.openrewrite.maven.cleanup.NoSystemScopeDependencies,Dependencies should not have `system` scope,"Replaces `<scope>system</scope>` with the default compile scope and removes `<systemPath>` for dependencies that are available in configured repositories.",1,Cleanup,Maven,,
 maven,org.openrewrite:rewrite-maven,org.openrewrite.maven.cleanup.ExplicitDependencyVersion,Add explicit dependency versions,"Add explicit dependency versions to POMs for reproducibility, as the `LATEST` and `RELEASE` version keywords are deprecated.",1,Cleanup,Maven,,"[{""name"":""org.openrewrite.maven.table.MavenMetadataFailures"",""displayName"":""Maven metadata failures"",""description"":""Attempts to resolve maven metadata that failed."",""columns"":[{""name"":""group"",""type"":""String"",""displayName"":""Group id"",""description"":""The groupId of the artifact for which the metadata download failed.""},{""name"":""artifactId"",""type"":""String"",""displayName"":""Artifact id"",""description"":""The artifactId of the artifact for which the metadata download failed.""},{""name"":""version"",""type"":""String"",""displayName"":""Version"",""description"":""The version of the artifact for which the metadata download failed.""},{""name"":""mavenRepositoryUri"",""type"":""String"",""displayName"":""Maven repository"",""description"":""The URL of the Maven repository that the metadata download failed on.""},{""name"":""snapshots"",""type"":""String"",""displayName"":""Snapshots"",""description"":""Does the repository support snapshots.""},{""name"":""releases"",""type"":""String"",""displayName"":""Releases"",""description"":""Does the repository support releases.""},{""name"":""failure"",""type"":""String"",""displayName"":""Failure"",""description"":""The reason the metadata download failed.""}]}]"
 maven,org.openrewrite:rewrite-maven,org.openrewrite.maven.cleanup.ExplicitPluginGroupId,Add explicit `groupId` to Maven plugins,Add the default `<groupId>org.apache.maven.plugins</groupId>` to plugins for clarity.,1,Cleanup,Maven,,
 maven,org.openrewrite:rewrite-maven,org.openrewrite.maven.cleanup.ExplicitPluginVersion,Add explicit plugin versions,"Add explicit plugin versions to POMs for reproducibility, as [MNG-4173](https://issues.apache.org/jira/browse/MNG-4173) removes automatic version resolution for POM plugins.",1,Cleanup,Maven,,
diff --git a/rewrite-maven/src/test/java/org/openrewrite/maven/cleanup/NoSystemScopeDependenciesTest.java b/rewrite-maven/src/test/java/org/openrewrite/maven/cleanup/NoSystemScopeDependenciesTest.java
@@ -0,0 +1,261 @@
+/*
+ * Copyright 2026 the original author or authors.
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * https://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.openrewrite.maven.cleanup;
+
+import org.junit.jupiter.api.Test;
+import org.openrewrite.test.RewriteTest;
+
+import static org.openrewrite.maven.Assertions.pomXml;
+
+class NoSystemScopeDependenciesTest implements RewriteTest {
+
+    @Test
+    void removesSystemScopeAndSystemPath() {
+        rewriteRun(
+          spec -> spec.recipe(new NoSystemScopeDependencies()),
+          pomXml(
+            """
+              <project>
+                <groupId>test</groupId>
+                <artifactId>test</artifactId>
+                <version>1.0-SNAPSHOT</version>
+                <dependencies>
+                  <dependency>
+                    <groupId>com.google.guava</groupId>
+                    <artifactId>guava</artifactId>
+                    <version>29.0-jre</version>
+                    <scope>system</scope>
+                    <systemPath>${project.basedir}/lib/guava-29.0-jre.jar</systemPath>
+                  </dependency>
+                </dependencies>
+              </project>
+              """,
+            """
+              <project>
+                <groupId>test</groupId>
+                <artifactId>test</artifactId>
+                <version>1.0-SNAPSHOT</version>
+                <dependencies>
+                  <dependency>
+                    <groupId>com.google.guava</groupId>
+                    <artifactId>guava</artifactId>
+                    <version>29.0-jre</version>
+                  </dependency>
+                </dependencies>
+              </project>
+              """
+          )
+        );
+    }
+
+    @Test
+    void removesSystemScopeWithoutSystemPath() {
+        rewriteRun(
+          spec -> spec.recipe(new NoSystemScopeDependencies()),
+          pomXml(
+            """
+              <project>
+                <groupId>test</groupId>
+                <artifactId>test</artifactId>
+                <version>1.0-SNAPSHOT</version>
+                <dependencies>
+                  <dependency>
+                    <groupId>com.google.guava</groupId>
+                    <artifactId>guava</artifactId>
+                    <version>29.0-jre</version>
+                    <scope>system</scope>
+                  </dependency>
+                </dependencies>
+              </project>
+              """,
+            """
+              <project>
+                <groupId>test</groupId>
+                <artifactId>test</artifactId>
+                <version>1.0-SNAPSHOT</version>
+                <dependencies>
+                  <dependency>
+                    <groupId>com.google.guava</groupId>
+                    <artifactId>guava</artifactId>
+                    <version>29.0-jre</version>
+                  </dependency>
+                </dependencies>
+              </project>
+              """
+          )
+        );
+    }
+
+    @Test
+    void removesSystemScopeInDependencyManagement() {
+        rewriteRun(
+          spec -> spec.recipe(new NoSystemScopeDependencies()),
+          pomXml(
+            """
+              <project>
+                <groupId>test</groupId>
+                <artifactId>test</artifactId>
+                <version>1.0-SNAPSHOT</version>
+                <dependencyManagement>
+                  <dependencies>
+                    <dependency>
+                      <groupId>com.google.guava</groupId>
+                      <artifactId>guava</artifactId>
+                      <version>29.0-jre</version>
+                      <scope>system</scope>
+                      <systemPath>${project.basedir}/lib/guava-29.0-jre.jar</systemPath>
+                    </dependency>
+                  </dependencies>
+                </dependencyManagement>
+              </project>
+              """,
+            """
+              <project>
+                <groupId>test</groupId>
+                <artifactId>test</artifactId>
+                <version>1.0-SNAPSHOT</version>
+                <dependencyManagement>
+                  <dependencies>
+                    <dependency>
+                      <groupId>com.google.guava</groupId>
+                      <artifactId>guava</artifactId>
+                      <version>29.0-jre</version>
+                    </dependency>
+                  </dependencies>
+                </dependencyManagement>
+              </project>
+              """
+          )
+        );
+    }
+
+    @Test
+    void removesSystemScopeWhenVersionIsProperty() {
+        rewriteRun(
+          spec -> spec.recipe(new NoSystemScopeDependencies()),
+          pomXml(
+            """
+              <project>
+                <groupId>test</groupId>
+                <artifactId>test</artifactId>
+                <version>1.0-SNAPSHOT</version>
+                <properties>
+                  <guava.version>29.0-jre</guava.version>
+                </properties>
+                <dependencies>
+                  <dependency>
+                    <groupId>com.google.guava</groupId>
+                    <artifactId>guava</artifactId>
+                    <version>${guava.version}</version>
+                    <scope>system</scope>
+                    <systemPath>${project.basedir}/lib/guava-29.0-jre.jar</systemPath>
+                  </dependency>
+                </dependencies>
+              </project>
+              """,
+            """
+              <project>
+                <groupId>test</groupId>
+                <artifactId>test</artifactId>
+                <version>1.0-SNAPSHOT</version>
+                <properties>
+                  <guava.version>29.0-jre</guava.version>
+                </properties>
+                <dependencies>
+                  <dependency>
+                    <groupId>com.google.guava</groupId>
+                    <artifactId>guava</artifactId>
+                    <version>${guava.version}</version>
+                  </dependency>
+                </dependencies>
+              </project>
+              """
+          )
+        );
+    }
+
+    @Test
+    void doesNotRemoveSystemScopeWhenNotInRepo() {
+        rewriteRun(
+          spec -> spec.recipe(new NoSystemScopeDependencies()),
+          pomXml(
+            """
+              <project>
+                <groupId>test</groupId>
+                <artifactId>test</artifactId>
+                <version>1.0-SNAPSHOT</version>
+                <dependencies>
+                  <dependency>
+                    <groupId>com.example.local</groupId>
+                    <artifactId>proprietary-lib</artifactId>
+                    <version>1.0</version>
+                    <scope>system</scope>
+                    <systemPath>${project.basedir}/lib/proprietary-lib-1.0.jar</systemPath>
+                  </dependency>
+                </dependencies>
+              </project>
+              """
+          )
+        );
+    }
+
+    @Test
+    void doesNotModifyNonSystemScope() {
+        rewriteRun(
+          spec -> spec.recipe(new NoSystemScopeDependencies()),
+          pomXml(
+            """
+              <project>
+                <groupId>test</groupId>
+                <artifactId>test</artifactId>
+                <version>1.0-SNAPSHOT</version>
+                <dependencies>
+                  <dependency>
+                    <groupId>com.google.guava</groupId>
+                    <artifactId>guava</artifactId>
+                    <version>29.0-jre</version>
+                    <scope>test</scope>
+                  </dependency>
+                </dependencies>
+              </project>
+              """
+          )
+        );
+    }
+
+    @Test
+    void doesNotModifyDependencyWithoutScope() {
+        rewriteRun(
+          spec -> spec.recipe(new NoSystemScopeDependencies()),
+          pomXml(
+            """
+              <project>
+                <groupId>test</groupId>
+                <artifactId>test</artifactId>
+                <version>1.0-SNAPSHOT</version>
+                <dependencies>
+                  <dependency>
+                    <groupId>com.google.guava</groupId>
+                    <artifactId>guava</artifactId>
+                    <version>29.0-jre</version>
+                  </dependency>
+                </dependencies>
+              </project>
+              """
+          )
+        );
+    }
+}
