microsoft · yezhu6 · Dec 26, 2025 · Dec 15, 2025 · Dec 19, 2025 · Dec 24, 2025
@@ -2,7 +2,7 @@
   "name": "vscode-java-dependency",
   "displayName": "Project Manager for Java",
   "description": "%description%",
-  "version": "0.26.5",
+  "version": "0.27.0",
   "publisher": "vscjava",
   "preview": false,
   "aiKey": "5c642b22-e845-4400-badb-3f8509a70777",

@@ -1,7 +1,13 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT license.
 
+import * as fs from 'fs';
 import * as semver from 'semver';
+import * as glob from 'glob';
+import { promisify } from 'util';
+
+const globAsync = promisify(glob);
-import * as glob from 'glob';
-import { promisify } from 'util';
-
-const globAsync = promisify(glob);
+import globby from 'globby';
+import { promisify } from 'util';
+
+const globAsync = globby;
-import * as glob from 'glob';
-import { promisify } from 'util';
-
-const globAsync = promisify(glob);
+import globby from 'globby';
+import { promisify } from 'util';
+
+const globAsync = globby;
+import { Uri } from 'vscode';
 import { Jdtls } from "../java/jdtls";
 import { NodeKind, type INodeData } from "../java/nodeData";
 import { type DependencyCheckItem, type UpgradeIssue, type PackageDescription, UpgradeReason } from "./type";
@@ -11,6 +17,7 @@ import { buildPackageId } from './utility';
 import metadataManager from './metadataManager';
 import { sendInfo } from 'vscode-extension-telemetry-wrapper';
 import { batchGetCVEIssues } from './cve';
+import { ContainerPath } from '../views/containerNode';
 
 function packageNodeToDescription(node: INodeData): PackageDescription | null {
     const version = node.metaData?.["maven.version"];
@@ -143,62 +150,235 @@ async function getDependencyIssues(dependencies: PackageDescription[]): Promise<
     return issues;
 }
 
-async function getProjectIssues(projectNode: INodeData): Promise<UpgradeIssue[]> {
-    const issues: UpgradeIssue[] = [];
-    const dependencies = await getAllDependencies(projectNode);
-    issues.push(...await getCVEIssues(dependencies));
-    issues.push(...getJavaIssues(projectNode));
-    issues.push(...await getDependencyIssues(dependencies));
+async function getWorkspaceIssues(projectDeps:{projectNode: INodeData, dependencies: PackageDescription[]}[]): Promise<UpgradeIssue[]> {
 
+    const issues: UpgradeIssue[] = [];
+    const dependenciesSet: Set<PackageDescription> = new Set();
+    for (const { projectNode, dependencies } of projectDeps) {
+        issues.push(...getJavaIssues(projectNode));
+        dependencies.forEach(dep => dependenciesSet.add(dep));
+    }
+    issues.push(...await getCVEIssues(Array.from(dependenciesSet)));
+    issues.push(...await getDependencyIssues(Array.from(dependenciesSet)));
-    const dependenciesSet: Set<PackageDescription> = new Set();
-    for (const { projectNode, dependencies } of projectDeps) {
-        issues.push(...getJavaIssues(projectNode));
-        dependencies.forEach(dep => dependenciesSet.add(dep));
-    }
-    issues.push(...await getCVEIssues(Array.from(dependenciesSet)));
-    issues.push(...await getDependencyIssues(Array.from(dependenciesSet)));
+    const dependencyMap: Map<string, PackageDescription> = new Map();
+    for (const { projectNode, dependencies } of projectDeps) {
+        issues.push(...getJavaIssues(projectNode));
+        for (const dep of dependencies) {
+            const key = `${dep.groupId}:${dep.artifactId}:${dep.version ?? ""}`;
+            if (!dependencyMap.has(key)) {
+                dependencyMap.set(key, dep);
+            }
+        }
+    }
+    const uniqueDependencies = Array.from(dependencyMap.values());
+    issues.push(...await getCVEIssues(uniqueDependencies));
+    issues.push(...await getDependencyIssues(uniqueDependencies));
-    const dependenciesSet: Set<PackageDescription> = new Set();
-    for (const { projectNode, dependencies } of projectDeps) {
-        issues.push(...getJavaIssues(projectNode));
-        dependencies.forEach(dep => dependenciesSet.add(dep));
-    }
-    issues.push(...await getCVEIssues(Array.from(dependenciesSet)));
-    issues.push(...await getDependencyIssues(Array.from(dependenciesSet)));
+    const dependencyMap: Map<string, PackageDescription> = new Map();
+    for (const { projectNode, dependencies } of projectDeps) {
+        issues.push(...getJavaIssues(projectNode));
+        for (const dep of dependencies) {
+            const key = `${dep.groupId}:${dep.artifactId}:${dep.version ?? ""}`;
+            if (!dependencyMap.has(key)) {
+                dependencyMap.set(key, dep);
+            }
+        }
+    }
+    const uniqueDependencies = Array.from(dependencyMap.values());
+    issues.push(...await getCVEIssues(uniqueDependencies));
+    issues.push(...await getDependencyIssues(uniqueDependencies));
     return issues;
+}
 
+/**
+ * Find all pom.xml files in a directory using glob
+ */
+async function findAllPomFiles(dir: string): Promise<string[]> {
+    try {
+        return await globAsync('**/pom.xml', {
+            cwd: dir,
+            absolute: true,
+            nodir: true,
+            ignore: ['**/node_modules/**', '**/target/**', '**/.git/**', '**/.idea/**', '**/.vscode/**']
+        });
+    } catch {
+        return [];
+    }
 }
 
-async function getWorkspaceIssues(workspaceFolderUri: string): Promise<UpgradeIssue[]> {
-    const projects = await Jdtls.getProjects(workspaceFolderUri);
-    const projectsIssues = await Promise.allSettled(projects.map(async (projectNode) => {
-        const issues = await getProjectIssues(projectNode);
-        return issues;
-    }));
+/**
+ * Parse dependencies from a single pom.xml file
+ */
+function parseDependenciesFromSinglePom(pomPath: string): Set<string> {
+    const directDeps = new Set<string>();
+    try {
+        const pomContent = fs.readFileSync(pomPath, 'utf-8');
+
+        // Extract dependencies from <dependencies> section (not inside <dependencyManagement>)
+        // First, remove dependencyManagement sections to avoid including managed deps
+        const withoutDepMgmt = pomContent.replace(/<dependencyManagement>[\s\S]*?<\/dependencyManagement>/g, '');
 
-    const workspaceIssues = projectsIssues.map(x => {
-        if (x.status === "fulfilled") {
-            return x.value;
+        // Match <dependency> blocks and extract groupId and artifactId
+        const dependencyRegex = /<dependency>\s*<groupId>([^<]+)<\/groupId>\s*<artifactId>([^<]+)<\/artifactId>/g;
+        let match = dependencyRegex.exec(withoutDepMgmt);
+        while (match !== null) {
+            const groupId = match[1].trim();
+            const artifactId = match[2].trim();
+            // Skip property references like ${project.groupId}
+            if (!groupId.includes('${') && !artifactId.includes('${')) {
+                directDeps.add(`${groupId}:${artifactId}`);
+            }
+            match = dependencyRegex.exec(withoutDepMgmt);
-        // Match <dependency> blocks and extract groupId and artifactId
-        const dependencyRegex = /<dependency>\s*<groupId>([^<]+)<\/groupId>\s*<artifactId>([^<]+)<\/artifactId>/g;
-        let match = dependencyRegex.exec(withoutDepMgmt);
-        while (match !== null) {
-            const groupId = match[1].trim();
-            const artifactId = match[2].trim();
-            // Skip property references like ${project.groupId}
-            if (!groupId.includes('${') && !artifactId.includes('${')) {
-                directDeps.add(`${groupId}:${artifactId}`);
-            }
-            match = dependencyRegex.exec(withoutDepMgmt);
+        // Match full <dependency> blocks so we can inspect scope as well as coordinates
+        const dependencyBlockRegex = /<dependency>([\s\S]*?)<\/dependency>/g;
+        let blockMatch = dependencyBlockRegex.exec(withoutDepMgmt);
+        while (blockMatch !== null) {
+            const dependencyBlock = blockMatch[1];
+
+            const groupIdMatch = /<groupId>\s*([^<]+?)\s*<\/groupId>/.exec(dependencyBlock);
+            const artifactIdMatch = /<artifactId>\s*([^<]+?)\s*<\/artifactId>/.exec(dependencyBlock);
+
+            if (groupIdMatch && artifactIdMatch) {
+                const groupId = groupIdMatch[1].trim();
+                const artifactId = artifactIdMatch[1].trim();
+
+                // Skip property references like ${project.groupId}
+                if (!groupId.includes('${') && !artifactId.includes('${')) {
+                    // Extract scope if present; default (no scope) is treated as compile/runtime
+                    const scopeMatch = /<scope>\s*([^<]+?)\s*<\/scope>/.exec(dependencyBlock);
+                    const scope = scopeMatch ? scopeMatch[1].trim() : undefined;
+                    const nonRuntimeScopes = new Set(['test', 'provided', 'system']);
+
+                    if (!scope || !nonRuntimeScopes.has(scope)) {
+                        directDeps.add(`${groupId}:${artifactId}`);
+                    }
+                }
+            }
+
+            blockMatch = dependencyBlockRegex.exec(withoutDepMgmt);
-        // Match <dependency> blocks and extract groupId and artifactId
-        const dependencyRegex = /<dependency>\s*<groupId>([^<]+)<\/groupId>\s*<artifactId>([^<]+)<\/artifactId>/g;
-        let match = dependencyRegex.exec(withoutDepMgmt);
-        while (match !== null) {
-            const groupId = match[1].trim();
-            const artifactId = match[2].trim();
-            // Skip property references like ${project.groupId}
-            if (!groupId.includes('${') && !artifactId.includes('${')) {
-                directDeps.add(`${groupId}:${artifactId}`);
-            }
-            match = dependencyRegex.exec(withoutDepMgmt);
+        // Match full <dependency> blocks so we can inspect scope as well as coordinates
+        const dependencyBlockRegex = /<dependency>([\s\S]*?)<\/dependency>/g;
+        let blockMatch = dependencyBlockRegex.exec(withoutDepMgmt);
+        while (blockMatch !== null) {
+            const dependencyBlock = blockMatch[1];
+
+            const groupIdMatch = /<groupId>\s*([^<]+?)\s*<\/groupId>/.exec(dependencyBlock);
+            const artifactIdMatch = /<artifactId>\s*([^<]+?)\s*<\/artifactId>/.exec(dependencyBlock);
+
+            if (groupIdMatch && artifactIdMatch) {
+                const groupId = groupIdMatch[1].trim();
+                const artifactId = artifactIdMatch[1].trim();
+
+                // Skip property references like ${project.groupId}
+                if (!groupId.includes('${') && !artifactId.includes('${')) {
+                    // Extract scope if present; default (no scope) is treated as compile/runtime
+                    const scopeMatch = /<scope>\s*([^<]+?)\s*<\/scope>/.exec(dependencyBlock);
+                    const scope = scopeMatch ? scopeMatch[1].trim() : undefined;
+                    const nonRuntimeScopes = new Set(['test', 'provided', 'system']);
+
+                    if (!scope || !nonRuntimeScopes.has(scope)) {
+                        directDeps.add(`${groupId}:${artifactId}`);
+                    }
+                }
+            }
+
+            blockMatch = dependencyBlockRegex.exec(withoutDepMgmt);
         }
+    } catch {
+        // If we can't read the pom, return empty set
+    }
+    return directDeps;
+}
 
-        sendInfo("", {
-            operationName: "java.dependency.assessmentManager.getWorkspaceIssues",
+/**
+ * Parse direct dependencies from all pom.xml files in the project.
+ * Finds all pom.xml files starting from the project root and parses them to collect dependencies.
+ */
+async function parseDirectDependenciesFromPom(projectPath: string): Promise<Set<string>> {
+    const directDeps = new Set<string>();
+
+    // Find all pom.xml files in the project starting from the project root
+    const allPomFiles = await findAllPomFiles(projectPath);
+
+    // Parse each pom.xml and collect dependencies
+    for (const pom of allPomFiles) {
+        const deps = parseDependenciesFromSinglePom(pom);
+        deps.forEach(dep => directDeps.add(dep));
+    }
+
+    return directDeps;
+}
+
+/**
+ * Find all Gradle build files in a directory using glob
+ */
+async function findAllGradleFiles(dir: string): Promise<string[]> {
+    try {
+        return await globAsync('**/{build.gradle,build.gradle.kts}', {
+            cwd: dir,
+            absolute: true,
+            nodir: true,
+            ignore: ['**/node_modules/**', '**/build/**', '**/.git/**', '**/.idea/**', '**/.vscode/**', '**/.gradle/**']
         });
+    } catch {
         return [];
-    }).flat();
+    }
+}
+
+/**
+ * Parse dependencies from a single Gradle build file
+ */
+function parseDependenciesFromSingleGradle(gradlePath: string): Set<string> {
+    const directDeps = new Set<string>();
+    try {
+        const gradleContent = fs.readFileSync(gradlePath, 'utf-8');
+
+        // Match common dependency configurations:
+        // implementation 'group:artifact:version'
+        // implementation "group:artifact:version"
+        // api 'group:artifact:version'
+        // compileOnly, runtimeOnly, testImplementation, etc.
+        const shortFormRegex = /(?:implementation|api|compile|compileOnly|runtimeOnly|testImplementation|testCompileOnly|testRuntimeOnly)\s*\(?['"]([^:'"]+):([^:'"]+)(?::[^'"]*)?['"]\)?/g;
+        let match = shortFormRegex.exec(gradleContent);
+        while (match !== null) {
+            const groupId = match[1].trim();
+            const artifactId = match[2].trim();
+            if (!groupId.includes('$') && !artifactId.includes('$')) {
+                directDeps.add(`${groupId}:${artifactId}`);
+            }
+            match = shortFormRegex.exec(gradleContent);
+        }
+
+        // Match map notation: implementation group: 'x', name: 'y', version: 'z'
+        const mapFormRegex = /(?:implementation|api|compile|compileOnly|runtimeOnly|testImplementation|testCompileOnly|testRuntimeOnly)\s*\(?group:\s*['"]([^'"]+)['"]\s*,\s*name:\s*['"]([^'"]+)['"]/g;
+        match = mapFormRegex.exec(gradleContent);
+        while (match !== null) {
+            const groupId = match[1].trim();
+            const artifactId = match[2].trim();
+            if (!groupId.includes('$') && !artifactId.includes('$')) {
+                directDeps.add(`${groupId}:${artifactId}`);
+            }
+            match = mapFormRegex.exec(gradleContent);
+        }
+    } catch {
+        // If we can't read the gradle file, return empty set
+    }
+    return directDeps;
+}
+
+/**
+ * Parse direct dependencies from all Gradle build files in the project.
+ * Finds all build.gradle and build.gradle.kts files and parses them to collect dependencies.
+ */
+async function parseDirectDependenciesFromGradle(projectPath: string): Promise<Set<string>> {
+    const directDeps = new Set<string>();
+
+    // Find all Gradle build files in the project
+    const allGradleFiles = await findAllGradleFiles(projectPath);
+
+    // Parse each gradle file and collect dependencies
+    for (const gradleFile of allGradleFiles) {
+        const deps = parseDependenciesFromSingleGradle(gradleFile);
+        deps.forEach(dep => directDeps.add(dep));
+    }
 
-    return workspaceIssues;
+    return directDeps;
 }
 
-async function getAllDependencies(projectNode: INodeData): Promise<PackageDescription[]> {
+export async function getDirectDependencies(projectNode: INodeData): Promise<PackageDescription[]> {
     const projectStructureData = await Jdtls.getPackageData({ kind: NodeKind.Project, projectUri: projectNode.uri });
-    const packageContainers = projectStructureData.filter(x => x.kind === NodeKind.Container);
+    // Only include Maven or Gradle containers (not JRE or other containers)
+    const dependencyContainers = projectStructureData.filter(x =>
+        x.kind === NodeKind.Container &&
+        (x.path?.startsWith(ContainerPath.Maven) || x.path?.startsWith(ContainerPath.Gradle))
+    );
+
+    if (dependencyContainers.length === 0) {
+        return [];
+    }
 
     const allPackages = await Promise.allSettled(
-        packageContainers.map(async (packageContainer) => {
+        dependencyContainers.map(async (packageContainer) => {
             const packageNodes = await Jdtls.getPackageData({
                 kind: NodeKind.Container,
                 projectUri: projectNode.uri,
                 path: packageContainer.path,
             });
-            return packageNodes.map(packageNodeToDescription).filter((x): x is PackageDescription => Boolean(x));
+            return packageNodes
+                .map(packageNodeToDescription)
+                .filter((x): x is PackageDescription => Boolean(x));
         })
     );
 
     const fulfilled = allPackages.filter((x): x is PromiseFulfilledResult<PackageDescription[]> => x.status === "fulfilled");
     const failedPackageCount = allPackages.length - fulfilled.length;
     if (failedPackageCount > 0) {
         sendInfo("", {
-            operationName: "java.dependency.assessmentManager.getAllDependencies.rejected",
+            operationName: "java.dependency.assessmentManager.getDirectDependencies.rejected",
             failedPackageCount: String(failedPackageCount),
         });
     }
-    return fulfilled.map(x => x.value).flat();
+
+    let dependencies = fulfilled.map(x => x.value).flat();
+
+    if (!dependencies) {
+        sendInfo("", {
+            operationName: "java.dependency.assessmentManager.getDirectDependencies.noDependencyInfo"
+        });
+        return [];
+    }
+
+    // Determine build type from dependency containers
+    const isMaven = dependencyContainers.some(x => x.path?.startsWith(ContainerPath.Maven));
+    // Get direct dependency identifiers from build files
+    let directDependencyIds: Set<string> | null = null;
+    if (projectNode.uri && dependencyContainers.length > 0) {
+        try {
+            const projectPath = Uri.parse(projectNode.uri).fsPath;
+            if (isMaven) {
+                directDependencyIds = await parseDirectDependenciesFromPom(projectPath);
+            } else {
+                directDependencyIds = await parseDirectDependenciesFromGradle(projectPath);
+            }
+        } catch {
+            // Ignore errors
-        } catch {
-            // Ignore errors
+        } catch (error) {
+            // Log parsing errors for diagnostics while preserving fallback behavior
+            let errorName: string | undefined;
+            let errorMessage: string | undefined;
+            let errorStack: string | undefined;
+            if (error instanceof Error) {
+                errorName = error.name;
+                errorMessage = error.message;
+                errorStack = error.stack;
+            } else if (error !== undefined && error !== null) {
+                errorMessage = String(error);
+            }
+            sendInfo("", {
+                operationName: "java.dependency.assessmentManager.getDirectDependencies.parseDirectDependencies.error",
+                buildTool: isMaven ? "maven" : "gradle",
+                projectUri: projectNode.uri,
+                errorName,
+                errorMessage,
+                // Truncate stack to avoid oversized telemetry; rely on default batching limits.
+                errorStack,
+            });
-        } catch {
-            // Ignore errors
+        } catch (error) {
+            // Log parsing errors for diagnostics while preserving fallback behavior
+            let errorName: string | undefined;
+            let errorMessage: string | undefined;
+            let errorStack: string | undefined;
+            if (error instanceof Error) {
+                errorName = error.name;
+                errorMessage = error.message;
+                errorStack = error.stack;
+            } else if (error !== undefined && error !== null) {
+                errorMessage = String(error);
+            }
+            sendInfo("", {
+                operationName: "java.dependency.assessmentManager.getDirectDependencies.parseDirectDependencies.error",
+                buildTool: isMaven ? "maven" : "gradle",
+                projectUri: projectNode.uri,
+                errorName,
+                errorMessage,
+                // Truncate stack to avoid oversized telemetry; rely on default batching limits.
+                errorStack,
+            });
+        }
+    }
+
+    if (!directDependencyIds) {
+        sendInfo("", {
+            operationName: "java.dependency.assessmentManager.getDirectDependencies.noDirectDependencyInfo"
+        });
+        //TODO: fallback to return all dependencies if we cannot parse direct dependencies or just return empty?
+        return dependencies;
-        //TODO: fallback to return all dependencies if we cannot parse direct dependencies or just return empty?
-        return dependencies;
+        // When we cannot parse direct dependencies, avoid returning transitive dependencies; return empty instead.
+        return [];
-        //TODO: fallback to return all dependencies if we cannot parse direct dependencies or just return empty?
-        return dependencies;
+        // When we cannot parse direct dependencies, avoid returning transitive dependencies; return empty instead.
+        return [];
+    }
+    // Filter to only direct dependencies if we have build file info
+    if (directDependencyIds && directDependencyIds.size > 0) {
+        dependencies = dependencies.filter(pkg =>
+            directDependencyIds!.has(`${pkg.groupId}:${pkg.artifactId}`)
+        );
+    }
+
-        //TODO: fallback to return all dependencies if we cannot parse direct dependencies or just return empty?
-        return dependencies;
-    }
-    // Filter to only direct dependencies if we have build file info
-    if (directDependencyIds && directDependencyIds.size > 0) {
-        dependencies = dependencies.filter(pkg =>
-            directDependencyIds!.has(`${pkg.groupId}:${pkg.artifactId}`)
-        );
-    }
+        // When we cannot parse direct dependencies, return an empty list instead of all dependencies.
+        return [];
+    }
+    // Filter to only direct dependencies if we have build file info
+    if (directDependencyIds.size === 0) {
+        sendInfo("", {
+            operationName: "java.dependency.assessmentManager.getDirectDependencies.emptyDirectDependencyList"
+        });
+        return [];
+    }
+
+    dependencies = dependencies.filter(pkg =>
+        directDependencyIds.has(`${pkg.groupId}:${pkg.artifactId}`)
+    );
-        //TODO: fallback to return all dependencies if we cannot parse direct dependencies or just return empty?
-        return dependencies;
-    }
-    // Filter to only direct dependencies if we have build file info
-    if (directDependencyIds && directDependencyIds.size > 0) {
-        dependencies = dependencies.filter(pkg =>
-            directDependencyIds!.has(`${pkg.groupId}:${pkg.artifactId}`)
-        );
-    }
+        // When we cannot parse direct dependencies, return an empty list instead of all dependencies.
+        return [];
+    }
+    // Filter to only direct dependencies if we have build file info
+    if (directDependencyIds.size === 0) {
+        sendInfo("", {
+            operationName: "java.dependency.assessmentManager.getDirectDependencies.emptyDirectDependencyList"
+        });
+        return [];
+    }
+
+    dependencies = dependencies.filter(pkg =>
+        directDependencyIds.has(`${pkg.groupId}:${pkg.artifactId}`)
+    );
+    return dependencies;
 }
 
 async function getCVEIssues(dependencies: PackageDescription[]): Promise<UpgradeIssue[]> {

@@ -41,7 +41,16 @@ class NotificationManager implements IUpgradeIssuesRenderer {
                 if (issues.length === 0) {
                     return;
                 }
-                const issue = issues[0];
+
+                // Filter to only CVE issues and cast to CveUpgradeIssue[]
+                const cveIssues = issues.filter(
+                        (i): i is CveUpgradeIssue => i.reason === UpgradeReason.CVE
+                    );
+                const nonCVEIssues = issues.filter(
+                        (i) => i.reason !== UpgradeReason.CVE
+                    );
+                const hasCVEIssue = cveIssues.length > 0;
+                const issue = hasCVEIssue ? cveIssues[0] : nonCVEIssues[0];
 
                 if (!this.shouldShow()) {
                     return;
@@ -56,12 +65,8 @@ class NotificationManager implements IUpgradeIssuesRenderer {
                 const prompt = buildFixPrompt(issue);
 
                 let notificationMessage = "";
-                let cveIssues: CveUpgradeIssue[] = [];
-                if (issue.reason === UpgradeReason.CVE) {
-                    // Filter to only CVE issues and cast to CveUpgradeIssue[]
-                    cveIssues = issues.filter(
-                        (i): i is CveUpgradeIssue => i.reason === UpgradeReason.CVE
-                    );
+
+                if (hasCVEIssue) {
                     notificationMessage = buildCVENotificationMessage(cveIssues, hasExtension);
                 } else {
                     notificationMessage = buildNotificationMessage(issue, hasExtension);
@@ -72,7 +77,7 @@ class NotificationManager implements IUpgradeIssuesRenderer {
                     operationName: "java.dependency.upgradeNotification.show",
                 });
 
-                const buttons = issue.reason === UpgradeReason.CVE
+                const buttons = hasCVEIssue
                     ? [fixCVEButtonText, BUTTON_TEXT_NOT_NOW]
                     : [upgradeButtonText, BUTTON_TEXT_NOT_NOW];