Preserve old exclusions and add sibling for new coordinates on dependency change (#6800)

* Add failing test for incorrect exclusion renaming

When ChangeDependencyGroupIdAndArtifactId renames commons-lang:commons-lang
to org.apache.commons:commons-lang3, it also incorrectly renames exclusions
for commons-lang:commons-lang in other dependencies. The exclusion should
remain unchanged because it blocks the old vulnerable transitive dependency.

* Do not auto-update exclusions when changing dependency coordinates

ChangeDependencyGroupIdAndArtifactId previously called ChangeExclusion to
rename all exclusions matching the old coordinates to the new ones. This is
incorrect because exclusions exist to block OLD transitive dependencies that
other libraries may still pull in. Changing the exclusion from the old to the
new coordinates means the old vulnerable artifact is no longer blocked.

A stale exclusion (excluding something no longer pulled in transitively) is
harmless, but an incorrect exclusion (no longer blocking a vulnerable
transitive dependency) causes real problems.

* Add sibling exclusion for new coordinates instead of replacing old ones

ChangeDependencyGroupIdAndArtifactId previously called ChangeExclusion to
rename exclusions matching the old coordinates to the new ones. This was
incorrect because the old exclusion exists to block the OLD vulnerable
transitive dependency that other libraries may still pull in.

Now, when changing dependency coordinates, existing exclusions for the old
coordinates are preserved and a sibling exclusion for the new coordinates
is added alongside them. This ensures both old and new transitive
dependencies are excluded.

* Use exclusion-scoped patterns in test assertions

Tighten pattern assertions to match within <exclusion> tags so they
don't accidentally match on direct dependency coordinates.

* Return early without checking second condition

---------

Co-authored-by: Tim te Beek <tim@moderne.io>

Author: Jenson3210

rewrite-maven/src/main/java/org/openrewrite/maven/ChangeDependencyGroupIdAndArtifactId.java

@@ -123,7 +123,7 @@ public String getInstanceNameSuffix() {
 
     String description = "Change a Maven dependency coordinates. The `newGroupId` or `newArtifactId` **MUST** be different from before. " +
                 "Matching `<dependencyManagement>` coordinates are also updated if a `newVersion` or `versionPattern` is provided. " +
-                "Exclusions that reference the old dependency coordinates will also be updated to match the new coordinates.";
+                "Exclusions that reference the old dependency coordinates are preserved, and a sibling exclusion for the new coordinates is added alongside them.";
 
     @Override
     public Validated<Object> validate() {
@@ -270,11 +270,38 @@ public Xml visitDocument(Xml.Document document, ExecutionContext ctx) {
                             newArtifactId,
                             newVersion, versionPattern).getVisitor());
                 }
-                // Update any exclusions that reference the old coordinates
+                // Add sibling exclusions for the new coordinates alongside existing old exclusions
                 if (newGroupId != null || newArtifactId != null) {
-                    doAfterVisit(new ChangeExclusion(
-                            oldGroupId, oldArtifactId,
-                            newGroupId, newArtifactId).getVisitor());
+                    String effectiveNewGroupId = newGroupId != null ? newGroupId : oldGroupId;
+                    String effectiveNewArtifactId = newArtifactId != null ? newArtifactId : oldArtifactId;
+                    doAfterVisit(new MavenVisitor<ExecutionContext>() {
+                        @Override
+                        public Xml visitTag(Xml.Tag tag, ExecutionContext ctx) {
+                            Xml.Tag t = (Xml.Tag) super.visitTag(tag, ctx);
+                            if (!"exclusions".equals(t.getName())) {
+                                return t;
+                            }
+                            boolean hasOldExclusion = t.getChildren("exclusion").stream()
+                                    .anyMatch(e -> matchesGlob(e.getChildValue("groupId").orElse(null), oldGroupId) &&
+                                                   matchesGlob(e.getChildValue("artifactId").orElse(null), oldArtifactId));
+                            if (!hasOldExclusion) {
+                                return t;
+                            }
+                            boolean hasNewExclusion = t.getChildren("exclusion").stream()
+                                    .anyMatch(e -> effectiveNewGroupId.equals(e.getChildValue("groupId").orElse(null)) &&
+                                                   effectiveNewArtifactId.equals(e.getChildValue("artifactId").orElse(null)));
+                            if (!hasNewExclusion) {
+                                t = (Xml.Tag) new AddToTagVisitor<>(t, Xml.Tag.build(
+                                        "<exclusion>\n" +
+                                                "<groupId>" + effectiveNewGroupId + "</groupId>\n" +
+                                                "<artifactId>" + effectiveNewArtifactId + "</artifactId>\n" +
+                                                "</exclusion>"))
+                                        .visitNonNull(t, ctx, getCursor().getParentOrThrow());
+                                maybeUpdateModel();
+                            }
+                            return t;
+                        }
+                    });
                 }
                 return super.visitDocument(document, ctx);
             }

rewrite-maven/src/test/java/org/openrewrite/maven/ChangeDependencyGroupIdAndArtifactIdTest.java

@@ -3489,16 +3489,17 @@ void versionNotDroppedWhenSwaggerMigratedFirst() {
 
     @Issue("https://github.com/moderneinc/customer-requests/issues/1330")
     @Test
-    void exclusionUpdatedWhenDependencyGroupIdChanges() {
-        // When changing a dependency's groupId/artifactId, any exclusions that match
-        // the old coordinates should be updated to match the new coordinates.
+    void exclusionPreservedAndSiblingAddedWhenDependencyGroupIdChanges() {
+        // When changing a dependency's groupId/artifactId, exclusions that match
+        // the old coordinates should be preserved, and a sibling exclusion for the
+        // new coordinates should be added alongside them.
         rewriteRun(
           spec -> spec.recipe(new ChangeDependencyGroupIdAndArtifactId(
             "com.fasterxml.jackson.jaxrs",
             "jackson-jaxrs-json-provider",
             "com.fasterxml.jackson.jakarta.rs",
             "jackson-jakarta-rs-json-provider",
-            "2.x",
+            "2.18.x",
             null
           )),
           pomXml(
@@ -3530,13 +3531,73 @@ void exclusionUpdatedWhenDependencyGroupIdChanges() {
               </project>
               """,
             spec -> spec.after(actual -> assertThat(actual)
+              // Old exclusion preserved
+              .containsPattern("<exclusion>\\s*<groupId>com\\.fasterxml\\.jackson\\.jaxrs</groupId>\\s*<artifactId>jackson-jaxrs-json-provider</artifactId>\\s*</exclusion>")
+              // Sibling exclusion added for new coordinates
+              .containsPattern("<exclusion>\\s*<groupId>com\\.fasterxml\\.jackson\\.jakarta\\.rs</groupId>\\s*<artifactId>jackson-jakarta-rs-json-provider</artifactId>\\s*</exclusion>")
+              // Version updated
               .containsPattern("<groupId>com\\.fasterxml\\.jackson\\.jakarta\\.rs</groupId>\\s*<artifactId>jackson-jakarta-rs-json-provider</artifactId>\\s*<version>2\\.\\d+\\.\\d+</version>")
               .doesNotContain("<version>2.9.7</version>")
               .actual())
           )
         );
     }
 
+    @Test
+    void exclusionPreservedAndSiblingAddedForNewCoordinates() {
+        // When changing commons-lang:commons-lang to org.apache.commons:commons-lang3,
+        // the old exclusion for commons-lang:commons-lang should be preserved (to block
+        // the vulnerable transitive dependency), and a sibling exclusion for the new
+        // coordinates should be added alongside it.
+        rewriteRun(
+          spec -> spec.recipe(new ChangeDependencyGroupIdAndArtifactId(
+            "commons-lang",
+            "commons-lang",
+            "org.apache.commons",
+            "commons-lang3",
+            "3.x",
+            null
+          )),
+          pomXml(
+            """
+              <project>
+                  <modelVersion>4.0.0</modelVersion>
+                  <groupId>com.mycompany.app</groupId>
+                  <artifactId>my-app</artifactId>
+                  <version>1</version>
+                  <dependencies>
+                      <dependency>
+                          <groupId>commons-lang</groupId>
+                          <artifactId>commons-lang</artifactId>
+                          <version>2.6</version>
+                      </dependency>
+                      <dependency>
+                          <groupId>org.apache.struts</groupId>
+                          <artifactId>struts2-core</artifactId>
+                          <version>2.5.30</version>
+                          <exclusions>
+                              <exclusion>
+                                  <groupId>commons-lang</groupId>
+                                  <artifactId>commons-lang</artifactId>
+                              </exclusion>
+                          </exclusions>
+                      </dependency>
+                  </dependencies>
+              </project>
+              """,
+            spec -> spec.after(actual -> assertThat(actual)
+              // Direct dependency changed to commons-lang3
+              .containsPattern("<groupId>org\\.apache\\.commons</groupId>\\s*<artifactId>commons-lang3</artifactId>\\s*<version>3\\.\\d+\\.\\d+</version>")
+              .doesNotContain("<version>2.6</version>")
+              // Old exclusion preserved
+              .containsPattern("<exclusion>\\s*<groupId>commons-lang</groupId>\\s*<artifactId>commons-lang</artifactId>\\s*</exclusion>")
+              // Sibling exclusion added for new coordinates
+              .containsPattern("<exclusion>\\s*<groupId>org\\.apache\\.commons</groupId>\\s*<artifactId>commons-lang3</artifactId>\\s*</exclusion>")
+              .actual())
+          )
+        );
+    }
+
     @Test
     void shouldNotChangeDependencyWithImplicitlyDefinedVersionProperty() {
         rewriteRun(