Fix empty dependencies block left after constraint-to-rule conversion (#6754)

Jenson3210 · web-flow · commit 2ae43a8a8aa4 · 2026-02-18T11:09:26.000+01:00
* Add failing test for apply from: with Spring DM plugin

When dependencies are declared in a separate file loaded via
`apply from: 'dependencies.gradle'` and the Spring dependency
management plugin is active, UpgradeTransitiveDependencyVersion
incorrectly:
1. Adds configurations.all/resolutionStrategy to both build.gradle
   AND dependencies.gradle (should only be in build.gradle)
2. Adds an empty dependencies {} block to build.gradle
3. Creates syntax errors in dependencies.gradle

* Fix transitive dependency overrides duplicated in apply from: scripts

When a Gradle project uses `apply from: 'dependencies.gradle'` to
define dependencies in a separate file, UpgradeTransitiveDependencyVersion
was adding constraints (and resolutionStrategy rules for Spring DM) to
BOTH build.gradle and the applied script. This caused:
- Duplicate configurations.all blocks
- Syntax errors in the applied script
- Empty dependencies {} blocks left behind

Only add constraints to primary build files (build.gradle/build.gradle.kts),
not to applied scripts. Also fix DependencyConstraintToRule to properly
remove empty dependencies blocks with 0 statements.

* Remove redundant isPrimaryBuildFile check from UpgradeTransitiveDependencyVersion

Applied scripts like dependencies.gradle already don't get constraints
added due to the DEPENDENCIES_DSL_MATCHER not matching non-type-attributed
method invocations in applied scripts. The isPrimaryBuildFile guard was
redundant.

The actual fix is the DependencyConstraintToRule isEmptyDependenciesBlock
change (from the previous commit) which properly cleans up empty
dependencies {} blocks after constraints are converted to resolutionStrategy.
diff --git a/rewrite-gradle/src/main/java/org/openrewrite/gradle/DependencyConstraintToRule.java b/rewrite-gradle/src/main/java/org/openrewrite/gradle/DependencyConstraintToRule.java
@@ -460,6 +460,9 @@ private static boolean isEmptyDependenciesBlock(J.MethodInvocation m) {
         J.Lambda l = (J.Lambda) m.getArguments().get(0);
         if (l.getBody() instanceof J.Block) {
             J.Block b = (J.Block) l.getBody();
+            if (b.getStatements().isEmpty()) {
+                return true;
+            }
             if (b.getStatements().size() == 1) {
                 return b.getStatements().get(0) instanceof J.Return && ((J.Return) b.getStatements().get(0)).getExpression() == null;
             }
diff --git a/rewrite-gradle/src/test/java/org/openrewrite/gradle/UpgradeTransitiveDependencyVersionTest.java b/rewrite-gradle/src/test/java/org/openrewrite/gradle/UpgradeTransitiveDependencyVersionTest.java
@@ -81,6 +81,44 @@ void addConstraint() {
         );
     }
 
+    @Test
+    void addConstraintWithApplyFrom() {
+        rewriteRun(
+          buildGradle(
+            """
+              dependencies {
+                  implementation 'org.openrewrite:rewrite-java:7.0.0'
+              }
+              """,
+            spec -> spec.path("dependencies.gradle")
+          ),
+          buildGradle(
+            """
+              plugins {
+                  id 'java'
+              }
+              repositories { mavenCentral() }
+              apply from: 'dependencies.gradle'
+              """,
+            """
+              plugins {
+                  id 'java'
+              }
+              repositories { mavenCentral() }
+              apply from: 'dependencies.gradle'
+
+              dependencies {
+                  constraints {
+                      implementation('com.fasterxml.jackson.core:jackson-core:2.12.5') {
+                          because 'CVE-2024-BAD'
+                      }
+                  }
+              }
+              """
+          )
+        );
+    }
+
     @Test
     void addConstraintForDependenciesDeclaredInMultipleConfigurationsThatExtendFromDifferentResolvableConfigurations() {
         rewriteRun(
@@ -995,6 +1033,46 @@ void useResolutionStrategyWhenSpringDependencyManagementPluginIsPresent() {
         );
     }
 
+    @Test
+    void useResolutionStrategyWithApplyFromWhenSpringDependencyManagementPluginIsPresent() {
+        rewriteRun(
+          buildGradle(
+            """
+              dependencies {
+                  implementation 'org.openrewrite:rewrite-java:7.0.0'
+              }
+              """,
+            spec -> spec.path("dependencies.gradle")
+          ),
+          buildGradle(
+            """
+              plugins {
+                  id 'java'
+                  id 'io.spring.dependency-management' version '1.1.5'
+              }
+              repositories { mavenCentral() }
+              apply from: 'dependencies.gradle'
+              """,
+            """
+              plugins {
+                  id 'java'
+                  id 'io.spring.dependency-management' version '1.1.5'
+              }
+              repositories { mavenCentral() }
+              apply from: 'dependencies.gradle'
+              configurations.all {
+                  resolutionStrategy.eachDependency { details ->
+                      if (details.requested.group == 'com.fasterxml.jackson.core' && details.requested.name == 'jackson-core') {
+                          details.useVersion('2.12.5')
+                          details.because('CVE-2024-BAD')
+                      }
+                  }
+              }
+              """
+          )
+        );
+    }
+
     @Test
     void noChangesIfDependencyIsAlsoPresentOnProject() {
         rewriteRun(
