SONARJAVA-5383 Lookup Spring-web dependency version to filter out Spring specific rule (#5053)

Co-authored-by: Leonardo Pilastri <[email protected]>
Improves the SpringComposedRequestMappingCheck. 
Introduces DependencyVersionAware API.
Provides a simple example of the usage of the new API.

Author: romainbrenguier

.cirrus.yml

@@ -86,7 +86,7 @@ build_task:
   build_script:
     - *log_develocity_url_script
     - source cirrus-env BUILD
-    - regular_mvn_build_deploy_analyze -Dmaven.test.skip=true -Dsonar.skip=true -pl '!java-checks-test-sources/default,!java-checks-test-sources/aws'
+    - regular_mvn_build_deploy_analyze -Dmaven.test.skip=true -Dsonar.skip=true -pl '!java-checks-test-sources/default,!java-checks-test-sources/aws,!java-checks-test-sources/spring-web-4.0'
   cleanup_before_cache_script: cleanup_maven_repository
 
 test_analyze_task:
@@ -118,7 +118,7 @@ ws_scan_task:
   whitesource_script:
     - source cirrus-env QA
     - source set_maven_build_version $BUILD_NUMBER
-    - mvn clean install --batch-mode -Dmaven.test.skip=true -pl '!java-checks-test-sources,!java-checks-test-sources/default,!java-checks-test-sources/aws,!java-checks-test-sources/spring-3.2'
+    - mvn clean install --batch-mode -Dmaven.test.skip=true -pl '!java-checks-test-sources,!java-checks-test-sources/default,!java-checks-test-sources/aws,!java-checks-test-sources/spring-3.2,!java-checks-test-sources/spring-web-4.0'
     - source ws_scan.sh
   allow_failures: "true"
   always:

its/autoscan/src/test/java/org/sonar/java/it/AutoScanTest.java

@@ -120,7 +120,7 @@ public void javaCheckTestSources() throws Exception {
       .setProjectName(PROJECT_NAME)
       .setProjectVersion("0.1.0-SNAPSHOT")
       .setSourceEncoding("UTF-8")
-      .setSourceDirs("aws/src/main/java/,default/src/main/java/,java-17/src/main/java/,spring-3.2/src/main/java/")
+      .setSourceDirs("aws/src/main/java/,default/src/main/java/,java-17/src/main/java/,spring-3.2/src/main/java/,spring-web-4.0/src/main/java/")
       .setTestDirs("default/src/test/java/,test-classpath-reader/src/test/java")
       .setProperty("sonar.java.source", "22")
       // common properties

java-checks-test-sources/pom.xml

@@ -21,6 +21,7 @@
     <module>java-17</module>
     <module>test-classpath-reader</module>
     <module>spring-3.2</module>
+    <module>spring-web-4.0</module>
   </modules>
 
   <build>

java-checks-test-sources/spring-web-4.0/pom.xml

@@ -0,0 +1,121 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>org.sonarsource.java</groupId>
+    <artifactId>java-checks-test-sources</artifactId>
+    <version>8.13.0-SNAPSHOT</version>
+  </parent>
+
+  <artifactId>spring-web-4.0</artifactId>
+  <name>SonarQube Java :: Checks Test Sources :: Spring Web 4.0</name>
+
+  <properties>
+    <sonar.skip>true</sonar.skip>
+    <forbiddenapis.skip>true</forbiddenapis.skip>
+    <skipTests>true</skipTests>
+    <maven.deploy.skip>true</maven.deploy.skip>
+  </properties>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-web</artifactId>
+      <version>4.0.0.RELEASE</version>
+      <scope>provided</scope>
+    </dependency>
+  </dependencies>
+
+  <profiles>
+    <profile>
+      <id>analyze-tests</id>
+      <properties>
+        <sonar.skip>false</sonar.skip>
+      </properties>
+    </profile>
+  </profiles>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <configuration>
+          <release>22</release>
+          <source>22</source>
+          <target>22</target>
+        </configuration>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-surefire-plugin</artifactId>
+        <configuration>
+          <argLine>--enable-preview</argLine>
+        </configuration>
+      </plugin>
+      <plugin>
+        <groupId>org.simplify4u.plugins</groupId>
+        <artifactId>sign-maven-plugin</artifactId>
+        <executions>
+          <execution>
+            <id>sign-artifacts</id>
+            <phase>none</phase>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <artifactId>maven-jar-plugin</artifactId>
+        <executions>
+          <execution>
+            <id>default-jar</id>
+            <phase>none</phase>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <artifactId>maven-source-plugin</artifactId>
+        <executions>
+          <execution>
+            <id>attach-sources</id>
+            <phase>none</phase>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <artifactId>maven-javadoc-plugin</artifactId>
+        <executions>
+          <execution>
+            <id>attach-javadocs</id>
+            <phase>none</phase>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <artifactId>maven-install-plugin</artifactId>
+        <executions>
+          <execution>
+            <id>default-install</id>
+            <phase>none</phase>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <groupId>com.mycila</groupId>
+        <artifactId>license-maven-plugin</artifactId>
+        <configuration>
+          <licenseSets>
+            <licenseSet>
+              <excludes>
+                <exclude>src/main/java/**</exclude>
+                <exclude>src/test/java/**</exclude>
+              </excludes>
+            </licenseSet>
+          </licenseSets>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+
+</project>

java-checks-test-sources/spring-web-4.0/src/main/java/checks/SpringComposedRequestMappingCheckSample.java

@@ -0,0 +1,38 @@
+package checks;
+
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RestController;
+
+import static org.springframework.web.bind.annotation.RequestMethod.POST;
+
+
+/**
+ * This class serves as a sample for older spring-web version (4.0) where @GetMapping, @PostMapping and so on were not present
+ * hence no issues are expected to be reported here when using the generic @RequestMapping
+ */
+@RestController
+@RequestMapping("/home")
+public class SpringComposedRequestMappingCheckSample {
+
+  @RequestMapping(method = RequestMethod.GET)
+  String m2() {
+    return "";
+  }
+
+  @RequestMapping(method = {POST})
+  String m3() {
+    return "";
+  }
+
+  @RequestMapping(method = {RequestMethod.PUT})
+  String m4() {
+    return "";
+  }
+
+  @RequestMapping(method = RequestMethod.PATCH)
+  String m5() {
+    return "";
+  }
+
+}

java-checks-testkit/src/main/java/org/sonar/java/checks/Constants.java

@@ -23,4 +23,6 @@ private Constants() {
 
   public static final String SPRING_3_2 = "../java-checks-test-sources/spring-3.2";
   public static final String SPRING_3_2_CLASSPATH = SPRING_3_2 + "/target/test-classpath.txt";
+  public static final String SPRING_WEB_4_0_TEST_SOURCES = "../java-checks-test-sources/spring-web-4.0";
+  public static final String SPRING_WEB_4_0_CLASSPATH = SPRING_WEB_4_0_TEST_SOURCES + "/target/test-classpath.txt";
 }

java-checks/src/main/java/org/sonar/java/checks/spring/SpringComposedRequestMappingCheck.java

@@ -20,10 +20,14 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
+import java.util.function.Function;
 import java.util.stream.Stream;
 import org.sonar.check.Rule;
+import org.sonar.plugins.java.api.DependencyVersionAware;
 import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
 import org.sonar.plugins.java.api.JavaFileScannerContext;
+import org.sonar.plugins.java.api.Version;
 import org.sonar.plugins.java.api.semantic.Symbol;
 import org.sonar.plugins.java.api.tree.AnnotationTree;
 import org.sonar.plugins.java.api.tree.AssignmentExpressionTree;
@@ -34,7 +38,7 @@
 import org.sonar.plugins.java.api.tree.Tree;
 
 @Rule(key = "S4488")
-public class SpringComposedRequestMappingCheck extends IssuableSubscriptionVisitor {
+public class SpringComposedRequestMappingCheck extends IssuableSubscriptionVisitor implements DependencyVersionAware {
 
   private static final Map<String, String> PREFERRED_METHOD_MAP = buildPreferredMethodMap();
 
@@ -110,4 +114,11 @@ private static Stream<ExpressionTree> extractValues(ExpressionTree argument) {
     }
     return Stream.of(expression);
   }
+
+  @Override
+  public boolean isCompatibleWithDependencies(Function<String, Optional<Version>> dependencyFinder) {
+    return dependencyFinder.apply("spring-web")
+      .map(v -> v.isGreaterThanOrEqualTo("4.3"))
+      .orElse(false);
+  }
 }

java-checks/src/test/java/org/sonar/java/checks/spring/SpringComposedRequestMappingCheckTest.java

@@ -17,7 +17,11 @@
 package org.sonar.java.checks.spring;
 
 import org.junit.jupiter.api.Test;
+import org.sonar.java.checks.Constants;
 import org.sonar.java.checks.verifier.CheckVerifier;
+import org.sonar.java.test.classpath.TestClasspathUtils;
+
+import static org.sonar.java.checks.verifier.TestUtils.mainCodeSourcesPathInModule;
 
 class SpringComposedRequestMappingCheckTest {
 
@@ -34,4 +38,13 @@ void test() {
       .verifyNoIssues();
   }
 
+  @Test
+  void test_spring_web_4_0() {
+    CheckVerifier.newVerifier()
+      .onFile(mainCodeSourcesPathInModule(Constants.SPRING_WEB_4_0_TEST_SOURCES, "checks/SpringComposedRequestMappingCheckSample.java"))
+      .withCheck(new SpringComposedRequestMappingCheck())
+      .withClassPath(TestClasspathUtils.loadFromFile(Constants.SPRING_WEB_4_0_CLASSPATH))
+      .verifyNoIssues();
+  }
+
 }

java-frontend/src/main/java/org/sonar/java/classpath/DependencyVersionInference.java

@@ -0,0 +1,51 @@
+/*
+ * SonarQube Java
+ * Copyright (C) 2012-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.java.classpath;
+
+import java.io.File;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import org.sonar.plugins.java.api.Version;
+
+public class DependencyVersionInference {
+
+  /** Cache for dependency retrieval. Indexed by artifactId. */
+  private final Map<String, Optional<Version>> dependencyVersionsCache = new HashMap<>();
+
+  static Pattern makeJarPattern(String artifactId) {
+    return Pattern.compile(artifactId + "-" + VersionImpl.VERSION_REGEX + "\\.jar");
+  }
+
+  public Optional<Version> infer(String artifactId, List<File> classpath) {
+    return dependencyVersionsCache
+      .computeIfAbsent(artifactId, key -> infer(makeJarPattern(key), classpath));
+  }
+
+  private static Optional<Version> infer(Pattern jarPattern, List<File> classpath) {
+    for (File file : classpath) {
+      Matcher matcher = jarPattern.matcher(file.getName());
+      if (matcher.matches()) {
+        return Optional.of(VersionImpl.matcherToVersion(matcher));
+      }
+    }
+    return Optional.empty();
+  }
+}