Improve SBT support

[sschuberth]

Currently, we support SBT by running sbt makePom and then using our Maven-backend on the generated POMs. While that works fairly well, there are edge-cases where the results are incomplete e.g. for some inter-module dependencies or dynamically generated projects. Ideas to improve this include using Coursier directly, or maybe yet better the Build Server Protocol for Scala.

[sschuberth]

One general problem with the POM generated by makePom is that this is a POM meant for distribution, not for building the project.

[sschuberth]

This StackOverflow comment proposes to run sbt update and inspect the .xml files generated by Ivy. Basically, that's a very nice approach, but unfortunately it does not associate dependencies to sub-projects but only contains a root-project level dependency tree.

[sschuberth]

Sbt 1.4 started to bundle the previously external sbt-dependency-graph plugin, so that seems to be the new way to go to query dependencies. Unfortunately, the plugin still seem to not support JSON or YAML, but maybe the required information could be parsed from GraphML, Dot, or Ivy report files.

[sschuberth]

Quick recap, Sbt by now uses Coursier instead of Ivy for dependency resolution, and Coursier can produce JSON output for dependencies.

[sschuberth]

As a test for a new / improved implementation, we should ensure that analyzing https://github.com/orbeon/orbeon-forms/tree/279b983234362e181be4d6c93eed90253d15045c as used by https://github.com/nordic-institute/misp2 works.

[sschuberth]

Quick recap, Sbt by now uses Coursier instead of Ivy for dependency resolution, and Coursier can produce JSON output for dependencies.

This also seems to be the approach that e.g. https://github.com/snyk/snyk-sbt-plugin is using.