Merge pull request #19329 Backports for release 6.9.2

gradle · Dec 17, 2021 · 1153f0a · 1153f0a
2 parents d7ffa28 + 9f71cb1
commit 1153f0a
Show file tree

Hide file tree

Showing 50 changed files with 452 additions and 49 deletions.
diff --git a/released-versions.json b/released-versions.json
@@ -8,6 +8,10 @@
     "buildTime": "20201126092543+0000"
   },
   "finalReleases": [
+    {
+      "version": "6.9.1",
+      "buildTime": "20210820111518+0000"
+    },
     {
       "version": "6.9",
       "buildTime": "20210507072853+0000"

diff --git a/...jects/core/src/main/java/org/gradle/api/internal/initialization/DefaultScriptHandler.java b/...jects/core/src/main/java/org/gradle/api/internal/initialization/DefaultScriptHandler.java
@@ -37,6 +37,7 @@
 import org.gradle.api.logging.Logging;
 import org.gradle.groovy.scripts.ScriptSource;
 import org.gradle.internal.classpath.ClassPath;
+import org.gradle.internal.logging.util.Log4jBannedVersion;
 import org.gradle.internal.metaobject.BeanDynamicObject;
 import org.gradle.internal.metaobject.DynamicObject;
 import org.gradle.internal.resource.ResourceLocation;
@@ -91,9 +92,6 @@ public ClassPath getScriptClassPath() {
     @Override
     public DependencyHandler getDependencies() {
         defineConfiguration();
-        if (dependencyHandler == null) {
-            dependencyHandler = dependencyResolutionServices.getDependencyHandler();
-        }
         return dependencyHandler;
     }
 
@@ -121,6 +119,9 @@ private void defineConfiguration() {
         if (configContainer == null) {
             configContainer = dependencyResolutionServices.getConfigurationContainer();
         }
+        if (dependencyHandler == null) {
+            dependencyHandler = dependencyResolutionServices.getDependencyHandler();
+        }
         if (classpathConfiguration == null) {
             classpathConfiguration = configContainer.create(CLASSPATH_CONFIGURATION);
             // should ideally reuse the `JvmEcosystemUtilities` but this code is too low level
@@ -130,7 +131,12 @@ private void defineConfiguration() {
             attributes.attribute(Category.CATEGORY_ATTRIBUTE, instantiator.named(Category.class, Category.LIBRARY));
             attributes.attribute(LibraryElements.LIBRARY_ELEMENTS_ATTRIBUTE, instantiator.named(LibraryElements.class, LibraryElements.JAR));
             attributes.attribute(Bundling.BUNDLING_ATTRIBUTE, instantiator.named(Bundling.class, Bundling.EXTERNAL));
-            attributes.attribute(TargetJvmVersion.TARGET_JVM_VERSION_ATTRIBUTE, Integer.valueOf(JavaVersion.current().getMajorVersion()));
+            attributes.attribute(TargetJvmVersion.TARGET_JVM_VERSION_ATTRIBUTE, Integer.parseInt(JavaVersion.current().getMajorVersion()));
+
+            classpathConfiguration.getDependencyConstraints().add(dependencyHandler.getConstraints().create(Log4jBannedVersion.LOG4J2_CORE_COORDINATES, constraint -> constraint.version(version -> {
+                version.require(Log4jBannedVersion.LOG4J2_CORE_REQUIRED_VERSION);
+                version.reject(Log4jBannedVersion.LOG4J2_CORE_VULNERABLE_VERSION_RANGE);
+            })));
         }
     }
 

diff --git a/...re/src/test/groovy/org/gradle/api/internal/initialization/DefaultScriptHandlerTest.groovy b/...re/src/test/groovy/org/gradle/api/internal/initialization/DefaultScriptHandlerTest.groovy
@@ -17,6 +17,8 @@ package org.gradle.api.internal.initialization
 
 import org.gradle.api.artifacts.Configuration
 import org.gradle.api.artifacts.ConfigurationContainer
+import org.gradle.api.artifacts.DependencyConstraintSet
+import org.gradle.api.artifacts.dsl.DependencyConstraintHandler
 import org.gradle.api.artifacts.dsl.DependencyHandler
 import org.gradle.api.artifacts.dsl.RepositoryHandler
 import org.gradle.api.attributes.Bundling
@@ -34,6 +36,8 @@ import spock.lang.Specification
 class DefaultScriptHandlerTest extends Specification {
     def repositoryHandler = Mock(RepositoryHandler)
     def dependencyHandler = Mock(DependencyHandler)
+    def dependencyConstraintHandler = Mock(DependencyConstraintHandler)
+    def dependencyConstraintSet = Mock(DependencyConstraintSet)
     def configurationContainer = Mock(ConfigurationContainer)
     def configuration = Mock(Configuration)
     def scriptSource = Stub(ScriptSource)
@@ -56,11 +60,16 @@ class DefaultScriptHandlerTest extends Specification {
 
         then:
         1 * depMgmtServices.configurationContainer >> configurationContainer
+        1 * depMgmtServices.dependencyHandler >> dependencyHandler
         1 * configurationContainer.create('classpath') >> configuration
         1 * configuration.attributes >> attributes
         1 * attributes.attribute(Usage.USAGE_ATTRIBUTE, _ as Usage)
         1 * attributes.attribute(Bundling.BUNDLING_ATTRIBUTE, _ as Bundling)
         1 * attributes.attribute(TargetJvmVersion.TARGET_JVM_VERSION_ATTRIBUTE, _)
+        1 * configuration.getDependencyConstraints() >> dependencyConstraintSet
+        1 * dependencyConstraintSet.add(_)
+        1 * dependencyHandler.getConstraints() >> dependencyConstraintHandler
+        1 * dependencyConstraintHandler.create(_, _)
         0 * configurationContainer._
         0 * depMgmtServices._
     }
@@ -72,12 +81,16 @@ class DefaultScriptHandlerTest extends Specification {
 
         then:
         1 * depMgmtServices.configurationContainer >> configurationContainer
+        1 * depMgmtServices.dependencyHandler >> dependencyHandler
         1 * configurationContainer.create('classpath') >> configuration
         1 * configuration.attributes >> attributes
         1 * attributes.attribute(Usage.USAGE_ATTRIBUTE, _ as Usage)
         1 * attributes.attribute(Bundling.BUNDLING_ATTRIBUTE, _ as Bundling)
         1 * attributes.attribute(TargetJvmVersion.TARGET_JVM_VERSION_ATTRIBUTE, _)
-        1 * depMgmtServices.dependencyHandler >> dependencyHandler
+        1 * configuration.getDependencyConstraints() >> dependencyConstraintSet
+        1 * dependencyConstraintSet.add(_)
+        1 * dependencyHandler.getConstraints() >> dependencyConstraintHandler
+        1 * dependencyConstraintHandler.create(_, _)
         0 * configurationContainer._
         0 * depMgmtServices._
     }
@@ -106,11 +119,16 @@ class DefaultScriptHandlerTest extends Specification {
 
         and:
         1 * depMgmtServices.configurationContainer >> configurationContainer
+        1 * depMgmtServices.dependencyHandler >> dependencyHandler
         1 * configurationContainer.create('classpath') >> configuration
         1 * configuration.attributes >> attributes
         1 * attributes.attribute(Usage.USAGE_ATTRIBUTE, _ as Usage)
         1 * attributes.attribute(TargetJvmVersion.TARGET_JVM_VERSION_ATTRIBUTE, _)
         1 * attributes.attribute(Bundling.BUNDLING_ATTRIBUTE, _ as Bundling)
+        1 * configuration.getDependencyConstraints() >> dependencyConstraintSet
+        1 * dependencyConstraintSet.add(_)
+        1 * dependencyHandler.getConstraints() >> dependencyConstraintHandler
+        1 * dependencyConstraintHandler.create(_, _)
         1 * classpathResolver.resolveClassPath(configuration) >> classpath
     }
 
@@ -142,6 +160,10 @@ class DefaultScriptHandlerTest extends Specification {
         1 * attributes.attribute(Usage.USAGE_ATTRIBUTE, _ as Usage)
         1 * attributes.attribute(Bundling.BUNDLING_ATTRIBUTE, _ as Bundling)
         1 * attributes.attribute(TargetJvmVersion.TARGET_JVM_VERSION_ATTRIBUTE, _)
+        1 * configuration.getDependencyConstraints() >> dependencyConstraintSet
+        1 * dependencyConstraintSet.add(_)
+        1 * dependencyHandler.getConstraints() >> dependencyConstraintHandler
+        1 * dependencyConstraintHandler.create(_, _)
         1 * dependencyHandler.add('config', 'dep')
     }
 }
diff --git a/...groovy/org/gradle/integtests/resolve/ModuleDependencyExcludeResolveIntegrationTest.groovy b/...groovy/org/gradle/integtests/resolve/ModuleDependencyExcludeResolveIntegrationTest.groovy
@@ -542,4 +542,73 @@ task check(type: Sync) {
             }
         }
     }
+
+
+    /**
+     * In the project, dependency `c` will be rewritten to dependency `b`.
+     * If we exclude dependency b, both the direct request dependency `b`
+     * and the dependency rewritten from `c` will be excluded
+     * with their transitive dependencies.
+     *
+     * Dependency graph:
+     * a -> b, c, f, g
+     * b -> d
+     * c -> e
+     *
+     * Exclude is applied to configuration conf
+     */
+    def "ensure renamed dependencies are exclude correctly"() {
+        given:
+        buildFile << """
+configurations {
+    conf {
+        exclude group: 'b', module: 'b'
+        resolutionStrategy {
+            dependencySubstitution {
+                all {
+                    if (it.requested instanceof ModuleComponentSelector) {
+                        if (it.requested.group == 'c' && it.requested.module == 'c') {
+                            it.useTarget group: 'b', name: 'b', version: '1.0'
+                        }
+                    }
+                }
+            }
+        }
+    }
+}
+"""
+
+        def expectResolved = ['a', 'f', 'g']
+        repository {
+            'a:a:1.0' {
+                dependsOn 'b:b:1.0'
+                dependsOn 'c:c:1.0'
+                dependsOn 'f:f:1.0'
+                dependsOn 'g:g:1.0'
+            }
+            'b:b:1.0' {
+                dependsOn 'd:d:1.0'
+            }
+            'c:c:1.0' {
+                dependsOn 'e:e:1.0'
+            }
+            'd:d:1.0'()
+            'e:e:1.0'()
+            'f:f:1.0'()
+            'g:g:1.0'()
+        }
+
+        repositoryInteractions {
+            expectResolved.each {
+                "${it}:${it}:1.0" { expectResolve() }
+            }
+        }
+
+        when:
+        succeedsDependencyResolution()
+
+        then:
+        def resolvedJars = expectResolved.collect { it + '-1.0.jar'}
+        assertResolvedFiles(resolvedJars)
+    }
 }
diff --git a/...egTest/groovy/org/gradle/integtests/resolve/ScriptDependencyResolveIntegrationTest.groovy b/...egTest/groovy/org/gradle/integtests/resolve/ScriptDependencyResolveIntegrationTest.groovy
@@ -17,7 +17,9 @@
 package org.gradle.integtests.resolve
 
 import org.gradle.integtests.fixtures.AbstractDependencyResolutionTest
+import org.gradle.integtests.fixtures.ToBeFixedForConfigurationCache
 import org.gradle.test.fixtures.file.LeaksFileHandles
+import spock.lang.Issue
 
 class ScriptDependencyResolveIntegrationTest extends AbstractDependencyResolutionTest {
     @LeaksFileHandles("Puts gradle user home in integration test dir")
@@ -60,4 +62,76 @@ task check {
         expect:
         succeeds "check"
     }
+
+    @ToBeFixedForConfigurationCache(because = ":buildEnvironment")
+    @Issue("gradle/gradle#19328")
+    def 'carries implicit constraint for log4j-core'() {
+        given:
+        mavenRepo().module('org.apache.logging.log4j', 'log4j-core', '2.16.0').publish()
+
+        and:
+        settingsFile << """
+            buildscript {
+                repositories { maven { url "${mavenRepo().uri}" } }
+                dependencies {
+                    classpath "org.apache.logging.log4j:log4j-core"
+                }
+            }
+
+            rootProject.name = 'testproject'
+        """
+
+        buildFile << """
+            buildscript {
+                repositories { maven { url "${mavenRepo().uri}" } }
+                dependencies {
+                    classpath "org.apache.logging.log4j:log4j-core"
+                }
+            }
+        """
+
+        expect:
+        succeeds 'buildEnvironment'
+        outputContains('org.apache.logging.log4j:log4j-core:{require 2.16.0; reject [2.0, 2.16)} -> 2.16.0 (c)')
+    }
+
+    @Issue("gradle/gradle#19328")
+    def 'fails if build attempts to force vulnerable log4j-core'() {
+        given:
+        settingsFile << """
+            rootProject.name = 'testproject'
+        """
+
+        buildFile << """
+            buildscript {
+                repositories { maven { url "${mavenRepo().uri}" } }
+                dependencies {
+                    classpath "org.apache.logging.log4j:log4j-core:2.14.1!!"
+                }
+            }
+        """
+
+        expect:
+        fails 'help'
+        failureCauseContains('Cannot find a version of \'org.apache.logging.log4j:log4j-core\' that satisfies the version constraints')
+    }
+
+    @ToBeFixedForConfigurationCache(because = ":buildEnvironment")
+    @Issue("gradle/gradle#19328")
+    def 'allows to upgrade log4j to 3.x one day'() {
+        given:
+        mavenRepo().module('org.apache.logging.log4j', 'log4j-core', '3.1.0').publish()
+        buildFile << """
+            buildscript {
+                repositories { maven { url "${mavenRepo().uri}" } }
+                dependencies {
+                    classpath "org.apache.logging.log4j:log4j-core:3.1.0"
+                }
+            }
+        """
+
+        expect:
+        succeeds 'buildEnvironment'
+        outputContains('org.apache.logging.log4j:log4j-core:{require 2.16.0; reject [2.0, 2.16)} -> 3.1.0 (c)')
+    }
 }