Automatically downgrade/fallback bundled signatures to next lower version if missing (#274)

* Add a set with all bundled Signatures and also check against it instead of searching classpath

* Use NavigableSet to find closest matching version by using a custom comparator

* Change logic to also normalize the bundled-sig name (use canonic name) and cleanup api

* make compatible to java 7

* add test

* add antunit test for commons-io version downgrade or equivalence

* add documentation about bundled signatures

Author: uschindler

build.xml

@@ -316,6 +316,14 @@
         <path refid="path.main-build"/>
       </classpath>
     </groovyc>
+    <pathconvert property="bundled-signatures-list" pathsep="&#10;">
+      <fileset dir="${signatures.dir}" includes="*.txt" excludes="incr-*"/>
+      <chainedmapper>
+        <flattenmapper />
+        <globmapper from="*.txt" to="*"/>
+      </chainedmapper>
+    </pathconvert>
+    <echo file="build/main/de/thetaphi/forbiddenapis/signatures/list" encoding="${build.encoding}">${bundled-signatures-list}</echo>
   </target>
 
   <target name="compile-tools" depends="compile" description="Compile tools">

src/main/docs/bundled-signatures.html

@@ -43,7 +43,7 @@ <h1>Bundled Signatures Documentation</h1>
 <em>Internally this is implemented using heuristics:</em> Any reference to an API that is part of the Java runtime (<tt>rt.jar</tt>, extensions,
 Java 9+ <tt>java.*</tt> / <tt>jdk.*</tt> core modules) and is <strong>not</strong> part of the Java SE specification packages
 (mainly <tt>java</tt>, <tt>javax</tt>, but also <tt>org.ietf.jgss</tt>, <tt>org.omg</tt>, <tt>org.w3c.dom</tt>, and <tt>org.xml.sax</tt>) is forbidden
-(any java version, no specific JDK version, <em>since forbiddenapis v2.1).</li>
+(any java version, no specific JDK version, <em>since forbiddenapis v2.1</em>).</li>
 
 <li><strong><tt>jdk-system-out</tt>:</strong> On server-side applications or libraries used by other programs, printing to
 <tt>System.out</tt> or <tt>System.err</tt> is discouraged and should be avoided (any java version, no specific JDK version).</li>
@@ -53,9 +53,16 @@ <h1>Bundled Signatures Documentation</h1>
 
 <li><strong><tt>commons-io-unsafe-*</tt>:</strong> If your application uses the famous <i>Apache Common-IO</i> library,
 this adds signatures of all methods that depend on default charset
-(for versions <tt>*</tt> = 1.0, 1.1, 1.2, 1.3, 1.4, 2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8.0, 2.9.0, 2.10.0, 2.11.0, 2.12.0, 2.13.0, 2.14.0, 2.15.0, 2.15.1, 2.16.0, 2.16.1, 2.17.0, 2.18.0).</li>
+(for versions <tt>*</tt> = 1.0,..., 2.8.0,..., 2.20.0).</li>
 
 </ul>
 
+<p>You can specify newer JDK versions but this will lead to a warning that the signatures were downgraded. This may fail to detect all
+deprecated APIs with <tt>jdk-deprecated-*</tt>, but it should be OK till an update is available.
+Please do not open issues about adding new JDK versions! This will be done regularily due to maintenance releases. Only open new
+issues if the classfile format version is no longer supported by forbiddenapis and parsing class files leads to an error.</p>
+
+<p>The same applies to <tt>commons-io-unsafe-*</tt>.</p>
+
 </body>
 </html>

src/main/java/de/thetaphi/forbiddenapis/Constants.java

@@ -27,6 +27,7 @@ public interface Constants {
   final String BS_JDK_NONPORTABLE = "jdk-non-portable";
 
   final Pattern JDK_SIG_PATTERN = Pattern.compile("(jdk\\-.*?\\-)(\\d+)(\\.\\d+)?(\\.\\d+)*");
+  final Pattern ENDS_WITH_VERSION_PATTERN = Pattern.compile("(.*?)\\-(\\d+(\\.\\d+)*)");
 
   final String DEPRECATED_WARN_FAIL_ON_UNRESOLVABLE_SIGNATURES =
       "The setting 'failOnUnresolvableSignatures' was deprecated and will be removed in next version. Use 'ignoreSignaturesOfMissingClasses' instead.";

src/main/java/de/thetaphi/forbiddenapis/Signatures.java

@@ -25,6 +25,7 @@
 import java.io.InputStreamReader;
 import java.io.Reader;
 import java.io.StringReader;
+import java.net.URL;
 import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -35,6 +36,7 @@
 import java.util.LinkedHashSet;
 import java.util.Locale;
 import java.util.Map;
+import java.util.NavigableSet;
 import java.util.Set;
 import java.util.TreeSet;
 import java.util.regex.Matcher;
@@ -57,6 +59,22 @@ public final class Signatures implements Constants {
   private static final String WILDCARD_ARGS = "**";
   private static final Pattern PATTERN_WILDCARD_ARGS = Pattern.compile(String.format(Locale.ROOT, "%s\\s*%s\\s*%s",
       Pattern.quote("("), Pattern.quote(WILDCARD_ARGS), Pattern.quote(")")));
+  
+  // not public yet because its modifiable (Java 7 misses Collections#unmodifiableNavigableSet):
+  private static final NavigableSet<String> BUNDLED_SIGNATURES_NAMES;
+  static {
+    try (final InputStream in = Checker.class.getResourceAsStream("signatures/list");
+        final BufferedReader reader = new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8))) {
+      final NavigableSet<String> names = new TreeSet<String>(VersionCompare.BUNDLED_SIGNATURES_COMPARATOR);
+      String name;
+      while ((name = reader.readLine()) != null) {
+        names.add(name);
+      }
+      BUNDLED_SIGNATURES_NAMES = names;
+    } catch (IOException ioe) {
+      throw new RuntimeException(ioe);
+    }
+  }
 
   private static enum UnresolvableReporting {
     FAIL(true) {
@@ -272,30 +290,47 @@ private void reportMissingSignatureClasses(Set<String> missingClasses) {
     logger.warn(AsmUtils.formatClassesAbbreviated(missingClasses));
   }
 
-  private void addBundledSignatures(String name, String jdkTargetVersion, boolean logging, Set<String> missingClasses) throws IOException,ParseException {
+  private void addBundledSignatures(String name, String jdkTargetVersion, boolean readExternal, Set<String> missingClasses) throws IOException,ParseException {
     if (!name.matches("[A-Za-z0-9\\-\\.]+")) {
       throw new ParseException("Invalid bundled signature reference: " + name);
     }
     if (BS_JDK_NONPORTABLE.equals(name)) {
-      if (logging) logger.info("Reading bundled API signatures: " + name);
+      if (readExternal) logger.info("Reading bundled API signatures: " + name);
       numberOfFiles++;
       forbidNonPortableRuntime = true;
       return;
     }
-    name = fixTargetVersion(name);
-    // use Checker.class hardcoded (not getClass) so we have a fixed package name:
-    InputStream in = Checker.class.getResourceAsStream("signatures/" + name + ".txt");
-    // automatically expand the compiler version in here (for jdk-* signatures without version):
-    if (in == null && jdkTargetVersion != null && name.startsWith("jdk-") && !name.matches(".*?\\-\\d+(\\.\\d+)*")) {
-      name = name + "-" + jdkTargetVersion;
+    if (readExternal) {
       name = fixTargetVersion(name);
-      in = Checker.class.getResourceAsStream("signatures/" + name + ".txt");
+      // automatically expand the compiler version in here (for jdk-* signatures without version):
+      if (!BUNDLED_SIGNATURES_NAMES.contains(name) && jdkTargetVersion != null && name.startsWith("jdk-") && !ENDS_WITH_VERSION_PATTERN.matcher(name).matches()) {
+        name = name + "-" + jdkTargetVersion;
+        name = fixTargetVersion(name);
+      }
+      // downgrade the version number to next lower signatures file:
+      final Matcher m = ENDS_WITH_VERSION_PATTERN.matcher(name);
+      if (m.matches()) {
+        final String closest = BUNDLED_SIGNATURES_NAMES.floor(name);
+        if (closest != null && closest.startsWith(m.group(1)) && ENDS_WITH_VERSION_PATTERN.matcher(closest).matches()) {
+          if (VersionCompare.compareBundledSignatures(closest, name) != 0) {
+            logger.warn("Bundled signatures '" + name + "' not found, choosing next lower available signature: " + closest);
+          }
+          // Assign the found name (normalized, e.g. the "0" version components removed):
+          name = closest;
+        }
+      }
+      // check name again:
+      if (!BUNDLED_SIGNATURES_NAMES.contains(name)) {
+        throw new FileNotFoundException("Bundled signatures resource not found: " + name);
+      }
+      logger.info("Reading bundled API signatures: " + name);
     }
-    if (in == null) {
+    // use Checker.class hardcoded (not getClass) so we have a fixed package name:
+    final URL url = Checker.class.getResource("signatures/" + name + ".txt");
+    if (url == null) {
       throw new FileNotFoundException("Bundled signatures resource not found: " + name);
     }
-    if (logging) logger.info("Reading bundled API signatures: " + name);
-    parseSignaturesStream(in, true, missingClasses);
+    parseSignaturesStream(url.openStream(), true, missingClasses);
   }
 
   private void parseSignaturesStream(InputStream in, boolean isBundled, Set<String> missingClasses) throws IOException,ParseException {

src/main/java/de/thetaphi/forbiddenapis/VersionCompare.java

@@ -0,0 +1,74 @@
+/*
+ * (C) Copyright Uwe Schindler (Generics Policeman) and others.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.thetaphi.forbiddenapis;
+
+import java.util.Comparator;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/** Simple version comparator (to support downgrading versions in bundled-signatures names). */
+final class VersionCompare {
+  
+  private static final Pattern DOT_SPLITTER_PATTERN = Pattern.compile("\\.");
+
+  public static final Comparator<String> VERSION_COMPARATOR = new Comparator<String>() {
+    @Override
+    public int compare(String version1, String version2) {
+      return compareVersion(version1, version2);
+    }
+  };
+
+  public static final Comparator<String> BUNDLED_SIGNATURES_COMPARATOR = new Comparator<String>() {
+    @Override
+    public int compare(String bs1, String bs2) {
+      return compareBundledSignatures(bs1, bs2);
+    }
+  };
+
+  private VersionCompare() {}
+  
+  public static int compareVersion(String version1, String version2) {
+    final String[] version1Splits = DOT_SPLITTER_PATTERN.split(version1),
+        version2Splits = DOT_SPLITTER_PATTERN.split(version2);
+    final int maxLengthOfVersionSplits = Math.max(version1Splits.length, version2Splits.length);
+    
+    for (int i = 0; i < maxLengthOfVersionSplits; i++) {
+      final int v1 = i < version1Splits.length ? Integer.parseInt(version1Splits[i]) : 0;
+      final int v2 = i < version2Splits.length ? Integer.parseInt(version2Splits[i]) : 0;
+      final int compare = Integer.compare(v1, v2);
+      if (compare != 0) {
+        return compare;
+      }
+    }
+    return 0;
+  }
+  
+  public static int compareBundledSignatures(String bs1, String bs2) {
+    final Matcher m1 = Constants.ENDS_WITH_VERSION_PATTERN.matcher(bs1),
+        m2 = Constants.ENDS_WITH_VERSION_PATTERN.matcher(bs2);
+    if (m1.matches() && m2.matches()) {
+      final int prefixCmp = m1.group(1).compareTo(m2.group(1));
+      if (prefixCmp != 0) {
+        return prefixCmp;
+      }
+      return compareVersion(m1.group(2), m2.group(2));
+    } else {
+      return bs1.compareTo(bs2);
+    }
+  }
+
+}

src/test/antunit/TestCommonsIOSignatures.xml

@@ -36,4 +36,23 @@
     <forbiddenapis bundledSignatures="${commons-io-signature}" ignoreEmptyFileset="true" classpathref="commons-io.classpath" targetVersion="${jdk.version}"/>
   </target>
 
+  <target name="testVersionDowngradeAndEquivalence">
+    <ivy:cachepath organisation="commons-io" module="commons-io" revision="2.10.0"
+      inline="true" conf="master" type="jar" pathid="commons-io.classpath" log="${ivy.logging}"/> 
+    <ac:foreach param="commons-version" target="-check-version-equivalent" inheritall="true" inheritrefs="true" delimiter="/" list="2.10.00/2.10/2.010"/>
+    <ac:foreach param="commons-version" target="-check-version-downgrade" inheritall="true" inheritrefs="true" delimiter="/" list="2.10.1/2.010.1/2.10.02"/>
+  </target>
+  
+  <target name="-check-version-equivalent">
+    <forbiddenapis bundledSignatures="commons-io-unsafe-${commons-version}" ignoreEmptyFileset="true" classpathref="commons-io.classpath" targetVersion="${jdk.version}"/>
+    <au:assertLogContains level="info" text="Reading bundled API signatures: commons-io-unsafe-2.10.0"/> 
+    <au:assertLogDoesntContain level="warning" text="choosing next lower available signature"/> 
+  </target>
+  
+  <target name="-check-version-downgrade">
+    <forbiddenapis bundledSignatures="commons-io-unsafe-${commons-version}" ignoreEmptyFileset="true" classpathref="commons-io.classpath" targetVersion="${jdk.version}"/>
+    <au:assertLogContains level="info" text="Reading bundled API signatures: commons-io-unsafe-2.10.0"/> 
+    <au:assertLogContains level="warning" text="Bundled signatures 'commons-io-unsafe-${commons-version}' not found, choosing next lower available signature: commons-io-unsafe-2.10.0"/> 
+  </target>
+  
 </project>

src/test/java/de/thetaphi/forbiddenapis/VersionCompareTest.java

@@ -0,0 +1,114 @@
+/*
+ * (C) Copyright Uwe Schindler (Generics Policeman) and others.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.thetaphi.forbiddenapis;
+
+import static org.junit.Assert.assertTrue;
+
+import org.junit.Test;
+
+public final class VersionCompareTest {
+
+  @Test
+  public void testVersionCompare() throws Exception {
+    assertVersionEquals("1.0.0", "1.0.0");
+    assertVersionEquals("1.0.0", "1.00.0");
+    assertVersionEquals("1.0.0", "01.00.0");
+    assertVersionEquals("1.0.0", "1.0");
+    assertVersionEquals("1.0.0", "1");
+    
+    assertVersionLess("1.0.0", "2.0");
+    assertVersionLess("1.0.0", "1.1");
+    assertVersionLess("1", "1.1.0");
+    assertVersionLess("1.0", "1.1.0");
+    assertVersionLess("1.2", "1.10.0");
+    
+    assertVersionGreater("1.1.0", "1.0.0");
+    assertVersionGreater("1.1.0", "1.0");
+    assertVersionGreater("1.1.0", "1");
+    assertVersionGreater("2", "1");
+    assertVersionGreater("2.0", "1");
+    assertVersionGreater("2.1.1", "2.1");
+    assertVersionGreater("1.11", "1.2.0");
+    assertVersionGreater("1.11", "1.02.0");
+  }
+  
+  private void assertVersionEquals(String v1, String v2) {
+    assertTrue(v1 + " <> " + v2, VersionCompare.compareVersion(v1, v2) == 0);
+    assertTrue(v1 + " <> " + v2, VersionCompare.VERSION_COMPARATOR.compare(v1, v2) == 0);
+  }
+  
+  private void assertVersionLess(String v1, String v2) {
+    assertTrue(v1 + " <> " + v2, VersionCompare.compareVersion(v1, v2) < 0);
+    assertTrue(v1 + " <> " + v2, VersionCompare.VERSION_COMPARATOR.compare(v1, v2) < 0);
+  }
+  
+  private void assertVersionGreater(String v1, String v2) {
+    assertTrue(v1 + " <> " + v2, VersionCompare.compareVersion(v1, v2) > 0);
+    assertTrue(v1 + " <> " + v2, VersionCompare.VERSION_COMPARATOR.compare(v1, v2) > 0);
+  }
+  
+  @Test
+  public void testBundledSignaturesCompare() throws Exception {
+    assertBsEquals("foo-1.0.0", "foo-1.00.0");
+    assertBsEquals("foo-1.0.0", "foo-1.0");
+    assertBsEquals("foo-1.0.0", "foo-01");
+    
+    assertBsLess("foo-1.0.0", "foo-2.0");
+    assertBsLess("foo-1.2.0", "foo-10.1");
+    assertBsLess("foo-1", "foo-1.2.0");
+    assertBsLess("foo-1.2", "foo-1.010.0");
+    assertBsLess("foo-2", "foo-10");
+    
+    assertBsLess("bar-1.0", "foo-1.0");
+    assertBsLess("bar-1.0", "foo-1.1");
+    assertBsLess("bar-1", "foo-0");
+    assertBsLess("bar-1.0", "foo-0");
+    assertBsLess("bar-1.0", "foo");
+    assertBsLess("bar", "foo-1.0");
+    
+    assertBsGreater("foo-1.1.0", "foo-1.0.0");
+    assertBsGreater("foo-1.1.0", "foo-1.0");
+    assertBsGreater("foo-1.1.0", "foo-1");
+    assertBsGreater("foo-2", "foo-1");
+    assertBsGreater("foo-2.0", "foo-1");
+    assertBsGreater("foo-2.1.1", "foo-2.1");
+    assertBsGreater("foo-1.11", "foo-1.2.0");
+    assertBsGreater("foo-1.11", "foo-1.02.0");
+
+    assertBsGreater("foo-1", "bar-1");
+    assertBsGreater("foo-0", "bar-1");
+    assertBsGreater("foo", "bar");
+    assertBsGreater("foo-2.1", "bar");
+    assertBsGreater("foo", "bar-1.1");
+  }
+  
+  private void assertBsEquals(String v1, String v2) {
+    assertTrue(v1 + " <> " + v2, VersionCompare.compareBundledSignatures(v1, v2) == 0);
+    assertTrue(v1 + " <> " + v2, VersionCompare.BUNDLED_SIGNATURES_COMPARATOR.compare(v1, v2) == 0);
+  }
+  
+  private void assertBsLess(String v1, String v2) {
+    assertTrue(v1 + " <> " + v2, VersionCompare.compareBundledSignatures(v1, v2) < 0);
+    assertTrue(v1 + " <> " + v2, VersionCompare.BUNDLED_SIGNATURES_COMPARATOR.compare(v1, v2) < 0);
+  }
+  
+  private void assertBsGreater(String v1, String v2) {
+    assertTrue(v1 + " <> " + v2, VersionCompare.compareBundledSignatures(v1, v2) > 0);
+    assertTrue(v1 + " <> " + v2, VersionCompare.BUNDLED_SIGNATURES_COMPARATOR.compare(v1, v2) > 0);
+  }
+  
+}