feat: Create simple BOM file format analyzer plugin

This commit creates new plugin to analyze ORT-specific BOM
file format.

Signed-off-by: Kamil Bielecki <kamil.bielecki@pl.bosch.com>

Author: Kamil Bielecki

analyzer/src/funTest/kotlin/PackageManagerFunTest.kt

@@ -73,7 +73,8 @@ class PackageManagerFunTest : WordSpec({
         "spdx-project/project.spdx.yml",
         "spm-app/Package.resolved",
         "spm-lib/Package.swift",
-        "stack/stack.yaml"
+        "stack/stack.yaml",
+        "ort-bon/ort-bom.yml"
     )
 
     val projectDir = tempdir()

model/src/main/kotlin/config/AnalyzerConfiguration.kt

@@ -60,6 +60,7 @@ data class AnalyzerConfiguration(
         "Maven",
         "NPM",
         "NuGet",
+        "OrtBomFile",
         "PIP",
         "Pipenv",
         "PNPM",

plugins/package-managers/ortbom/build.gradle.kts

@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2025 The ORT Project Authors (see <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+plugins {
+    // Apply precompiled plugins.
+    id("ort-plugin-conventions")
+
+    // Apply third-party plugins.
+    alias(libs.plugins.kotlinSerialization)
+}
+
+dependencies {
+    api(projects.analyzer)
+    api(projects.model)
+
+    implementation(projects.utils.ortUtils)
+
+    implementation(jacksonLibs.jacksonModuleKotlin)
+    implementation(libs.kotlinx.serialization.core)
+    implementation(libs.kotlinx.serialization.yaml)
+
+    ksp(projects.analyzer)
+
+    funTestImplementation(testFixtures(projects.analyzer))
+}

plugins/package-managers/ortbom/src/funTest/assets/multiproject/ort-bom.yml

@@ -0,0 +1,40 @@
+projectName: "Example ORT BOM project"
+description: "Project X description"
+vcs:
+  type: "GIT"
+  url: "https://git.example.com/project_x/"
+  revision: "master"
+  path: "/"
+homepageUrl: "https://project_x.example.com"
+declaredLicenses:
+  - "Apache-2.0"
+authors:
+  - "John Doe"
+  - "Foo Bar"
+dependencies:
+  - purl: "pkg:maven/com.example/full@1.1.0"
+    description: "Package with fully elaborated model."
+    vcs:
+      type: "Mercurial"
+      url: "https://git.example.com/full/"
+      revision: "master"
+      path: "/"
+    sourceArtifact:
+      url: "https://repo.example.com/m2/full-1.1.0-sources.jar"
+      hash: "da39a3ee5e6b4b0d3255bfef95601890afd80709"
+    declaredLicenses:
+      - "Apache-2.0"
+      - "MIT"
+    homepageUrl: "https://project_x.example.com/full"
+    labels:
+      label: "value"
+      label2: "value2"
+    authors:
+      - "John Doe"
+      - "Foo Bar"
+    scopes:
+      - "main"
+    isModified: false
+    metadataOnly: false
+
+  - purl: "pkg:maven/com.example/minimal@0.1.0"

plugins/package-managers/ortbom/src/funTest/assets/multiproject/subproject1/sub1.ort-bom.yml

@@ -0,0 +1,40 @@
+projectName: "Example ORT BOM project"
+description: "Project X description"
+vcs:
+  type: "GIT"
+  url: "https://git.example.com/project_x/"
+  revision: "master"
+  path: "/"
+homepageUrl: "https://project_x.example.com"
+declaredLicenses:
+  - "Apache-2.0"
+authors:
+  - "John Doe"
+  - "Foo Bar"
+dependencies:
+  - purl: "pkg:maven/com.example/full@1.1.0"
+    description: "Package with fully elaborated model."
+    vcs:
+      type: "Mercurial"
+      url: "https://git.example.com/full/"
+      revision: "master"
+      path: "/"
+    sourceArtifact:
+      url: "https://repo.example.com/m2/full-1.1.0-sources.jar"
+      hash: "da39a3ee5e6b4b0d3255bfef95601890afd80709"
+    declaredLicenses:
+      - "Apache-2.0"
+      - "MIT"
+    homepageUrl: "https://project_x.example.com/full"
+    labels:
+      label: "value"
+      label2: "value2"
+    authors:
+      - "John Doe"
+      - "Foo Bar"
+    scopes:
+      - "main"
+    isModified: false
+    metadataOnly: false
+
+  - purl: "pkg:maven/com.example/minimal@0.1.0"

plugins/package-managers/ortbom/src/funTest/assets/multiproject/subproject2/ort-bom.json

@@ -0,0 +1,55 @@
+{
+  "projectName": "Example ORT BOM project",
+  "description": "Project X description",
+  "vcs": {
+    "type": "GIT",
+    "url": "https://git.example.com/project_x/",
+    "revision": "master",
+    "path": "/"
+  },
+  "homepageUrl": "https://project_x.example.com",
+  "declaredLicenses": [
+    "Apache-2.0"
+  ],
+  "authors": [
+    "John Doe",
+    "Foo Bar"
+  ],
+  "dependencies": [
+    {
+      "purl": "pkg:maven/com.example/full@1.1.0",
+      "description": "Package with fully elaborated model.",
+      "vcs": {
+        "type": "Mercurial",
+        "url": "https://git.example.com/full/",
+        "revision": "master",
+        "path": "/"
+      },
+      "sourceArtifact": {
+        "url": "https://repo.example.com/m2/full-1.1.0-sources.jar",
+        "hash": "da39a3ee5e6b4b0d3255bfef95601890afd80709"
+      },
+      "declaredLicenses": [
+        "Apache-2.0",
+        "MIT"
+      ],
+      "homepageUrl": "https://project_x.example.com/full",
+      "labels": {
+        "label": "value",
+        "label2": "value2"
+      },
+      "authors": [
+        "John Doe",
+        "Foo Bar"
+      ],
+      "scopes": [
+        "main"
+      ],
+      "isModified": false,
+      "metadataOnly": false
+    },
+    {
+      "purl": "pkg:maven/com.example/minimal@0.1.0"
+    }
+  ]
+}

plugins/package-managers/ortbom/src/funTest/assets/projects/ort-bom-no-pkg-id-or-purl.yml

@@ -0,0 +1,37 @@
+projectName: "Example ORT BOM project"
+description: "Project X description"
+vcs:
+  type: "GIT"
+  url: "https://git.example.com/project_x/"
+  revision: "master"
+  path: "/"
+homepageUrl: "https://project_x.example.com"
+declaredLicenses:
+  - "Apache-2.0"
+authors:
+  - "John Doe"
+  - "Foo Bar"
+dependencies:
+  - description: "Package with fully elaborated model."
+    vcs:
+      type: "Mercurial"
+      url: "https://git.example.com/full/"
+      revision: "master"
+      path: "/"
+    sourceArtifact:
+      url: "https://repo.example.com/m2/full-1.1.0-sources.jar"
+      hash: "da39a3ee5e6b4b0d3255bfef95601890afd80709"
+    declaredLicenses:
+      - "Apache-2.0"
+      - "MIT"
+    homepageUrl: "https://project_x.example.com/full"
+    labels:
+      label: "value"
+      label2: "value2"
+    authors:
+      - "Doe John"
+      - "Bar Foo"
+    scopes:
+      - "main"
+    isModified: false
+    metadataOnly: false

plugins/package-managers/ortbom/src/funTest/assets/projects/ort-bom-purl-and-id-for-same-pkg.yml

@@ -0,0 +1,41 @@
+projectName: "Example ORT BOM project"
+description: "Project X description"
+vcs:
+  type: "GIT"
+  url: "https://git.example.com/project_x/"
+  revision: "master"
+  path: "/"
+homepageUrl: "https://project_x.example.com"
+declaredLicenses:
+  - "Apache-2.0"
+authors:
+  - "John Doe"
+  - "Foo Bar"
+dependencies:
+  - purl: "pkg:maven/com.example/full@1.1.0"
+    id: "Maven/com.example/full@1.1.0"
+    description: "Package with fully elaborated model."
+    vcs:
+      type: "Mercurial"
+      url: "https://git.example.com/full/"
+      revision: "master"
+      path: "/"
+    sourceArtifact:
+      url: "https://repo.example.com/m2/full-1.1.0-sources.jar"
+      hash: "da39a3ee5e6b4b0d3255bfef95601890afd80709"
+    declaredLicenses:
+      - "Apache-2.0"
+      - "MIT"
+    homepageUrl: "https://project_x.example.com/full"
+    labels:
+      label: "value"
+      label2: "value2"
+    authors:
+      - "Doe John"
+      - "Bar Foo"
+    scopes:
+      - "main"
+    isModified: false
+    metadataOnly: false
+
+  - purl: "pkg:maven/com.example/minimal@0.1.0"

plugins/package-managers/ortbom/src/funTest/assets/projects/ort-bom-wrong-format.json

@@ -0,0 +1,9 @@
+{
+  "projectName": "Example ORT BOM project with wrong format of file",
+  "dependencies": "OK",
+  "dependencies": [
+    {
+      "purl": "something:maven/com.example/full@1.1.0"
+    }
+  ]
+}

plugins/package-managers/ortbom/src/funTest/assets/projects/ort-bom-wrong-pkg-name.json

@@ -0,0 +1,8 @@
+{
+  "projectName": "Example ORT BOM project with wrong package name",
+  "dependencies": [
+    {
+      "purl": "something:maven/com.example/full@1.1.0"
+    }
+  ]
+}