Add dependency lock and constraint version alignment to Bomr

Closes gh-27044

Author: wilkinsona

buildSrc/build.gradle

@@ -29,6 +29,7 @@ dependencies {
 	testImplementation("org.assertj:assertj-core:3.11.1")
 	testImplementation("org.apache.logging.log4j:log4j-core:2.12.1")
 	testImplementation("org.junit.jupiter:junit-jupiter:5.6.0")
+	testRuntimeOnly("org.junit.platform:junit-platform-launcher:1.6.3")
 }
 
 checkstyle {

buildSrc/src/main/java/org/springframework/boot/build/bom/BomExtension.java

@@ -56,10 +56,15 @@
 import org.w3c.dom.NodeList;
 
 import org.springframework.boot.build.DeployedPlugin;
+import org.springframework.boot.build.bom.Library.DependencyConstraintsDependencyVersions;
+import org.springframework.boot.build.bom.Library.DependencyLockDependencyVersions;
+import org.springframework.boot.build.bom.Library.DependencyVersions;
 import org.springframework.boot.build.bom.Library.Exclusion;
 import org.springframework.boot.build.bom.Library.Group;
+import org.springframework.boot.build.bom.Library.LibraryVersion;
 import org.springframework.boot.build.bom.Library.Module;
 import org.springframework.boot.build.bom.Library.ProhibitedVersion;
+import org.springframework.boot.build.bom.Library.VersionAlignment;
 import org.springframework.boot.build.bom.bomr.version.DependencyVersion;
 import org.springframework.boot.build.mavenplugin.MavenExec;
 import org.springframework.util.FileCopyUtils;
@@ -101,11 +106,17 @@ public Upgrade getUpgrade() {
 				this.upgradeHandler.gitHub.repository, this.upgradeHandler.gitHub.issueLabels));
 	}
 
+	public void library(String name, Closure<?> closure) {
+		this.library(name, null, closure);
+	}
+
 	public void library(String name, String version, Closure<?> closure) {
-		LibraryHandler libraryHandler = new LibraryHandler();
+		LibraryHandler libraryHandler = new LibraryHandler(version);
 		ConfigureUtil.configure(closure, libraryHandler);
-		addLibrary(new Library(name, DependencyVersion.parse(version), libraryHandler.groups,
-				libraryHandler.prohibitedVersions));
+		LibraryVersion libraryVersion = new LibraryVersion(DependencyVersion.parse(libraryHandler.version),
+				libraryHandler.versionAlignment);
+		addLibrary(new Library(name, libraryVersion, libraryHandler.groups, libraryHandler.prohibitedVersions,
+				libraryHandler.dependencyVersions));
 	}
 
 	public void effectiveBomArtifact() {
@@ -171,17 +182,18 @@ private void addLibrary(Library library) {
 		this.libraries.add(library);
 		String versionProperty = library.getVersionProperty();
 		if (versionProperty != null) {
-			this.properties.put(versionProperty, library.getVersion());
+			this.properties.put(versionProperty, library.getVersion().getVersion());
 		}
 		for (Group group : library.getGroups()) {
 			for (Module module : group.getModules()) {
 				putArtifactVersionProperty(group.getId(), module.getName(), versionProperty);
 				this.dependencyHandler.getConstraints().add(JavaPlatformPlugin.API_CONFIGURATION_NAME,
-						createDependencyNotation(group.getId(), module.getName(), library.getVersion()));
+						createDependencyNotation(group.getId(), module.getName(), library.getVersion().getVersion()));
 			}
 			for (String bomImport : group.getBoms()) {
 				putArtifactVersionProperty(group.getId(), bomImport, versionProperty);
-				String bomDependency = createDependencyNotation(group.getId(), bomImport, library.getVersion());
+				String bomDependency = createDependencyNotation(group.getId(), bomImport,
+						library.getVersion().getVersion());
 				this.dependencyHandler.add(JavaPlatformPlugin.API_CONFIGURATION_NAME,
 						this.dependencyHandler.platform(bomDependency));
 				this.dependencyHandler.add(BomPlugin.API_ENFORCED_CONFIGURATION_NAME,
@@ -196,6 +208,23 @@ public static class LibraryHandler {
 
 		private final List<ProhibitedVersion> prohibitedVersions = new ArrayList<>();
 
+		private String version;
+
+		private VersionAlignment versionAlignment;
+
+		private DependencyVersions dependencyVersions;
+
+		public LibraryHandler(String version) {
+			this.version = version;
+		}
+
+		public void version(String version, Closure<?> closure) {
+			this.version = version;
+			VersionHandler versionHandler = new VersionHandler();
+			ConfigureUtil.configure(closure, versionHandler);
+			this.versionAlignment = new VersionAlignment(versionHandler.libraryName);
+		}
+
 		public void group(String id, Closure<?> closure) {
 			GroupHandler groupHandler = new GroupHandler(id);
 			ConfigureUtil.configure(closure, groupHandler);
@@ -215,6 +244,21 @@ public void prohibit(String range, Closure<?> closure) {
 			}
 		}
 
+		public void dependencyVersions(Closure<?> closure) {
+			DependencyVersionsHandler dependencyVersionsHandler = new DependencyVersionsHandler();
+			ConfigureUtil.configure(closure, dependencyVersionsHandler);
+		}
+
+		public static class VersionHandler {
+
+			private String libraryName;
+
+			public void shouldAlignWithVersionFrom(String libraryName) {
+				this.libraryName = libraryName;
+			}
+
+		}
+
 		public static class ProhibitedVersionHandler {
 
 			private String reason;
@@ -277,6 +321,29 @@ public void exclude(Map<String, String> exclusion) {
 
 		}
 
+		public class DependencyVersionsHandler {
+
+			public void extractFrom(Closure<?> closure) {
+				ExtractFromHandler extractFromHandler = new ExtractFromHandler();
+				ConfigureUtil.configure(closure, extractFromHandler);
+			}
+
+			public class ExtractFromHandler {
+
+				public void dependencyLock(String location) {
+					LibraryHandler.this.dependencyVersions = new DependencyLockDependencyVersions(location,
+							LibraryHandler.this.version);
+				}
+
+				public void dependencyConstraints(String location) {
+					LibraryHandler.this.dependencyVersions = new DependencyConstraintsDependencyVersions(location,
+							LibraryHandler.this.version);
+				}
+
+			}
+
+		}
+
 	}
 
 	public static class UpgradeHandler {

buildSrc/src/main/java/org/springframework/boot/build/bom/CheckBom.java

@@ -50,7 +50,7 @@ void checkBom() {
 			for (Group group : library.getGroups()) {
 				for (Module module : group.getModules()) {
 					if (!module.getExclusions().isEmpty()) {
-						checkExclusions(group.getId(), module, library.getVersion());
+						checkExclusions(group.getId(), module, library.getVersion().getVersion());
 					}
 				}
 			}

buildSrc/src/main/java/org/springframework/boot/build/bom/Library.java

@@ -16,11 +16,20 @@
 
 package org.springframework.boot.build.bom;
 
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.net.URI;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Locale;
+import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 import org.apache.maven.artifact.versioning.VersionRange;
+import org.gradle.api.GradleException;
 
 import org.springframework.boot.build.bom.bomr.version.DependencyVersion;
 
@@ -34,37 +43,41 @@ public class Library {
 
 	private final String name;
 
-	private final DependencyVersion version;
+	private final LibraryVersion version;
 
 	private final List<Group> groups;
 
 	private final String versionProperty;
 
 	private final List<ProhibitedVersion> prohibitedVersions;
 
+	private final DependencyVersions dependencyVersions;
+
 	/**
 	 * Create a new {@code Library} with the given {@code name}, {@code version}, and
 	 * {@code groups}.
 	 * @param name name of the library
 	 * @param version version of the library
 	 * @param groups groups in the library
 	 * @param prohibitedVersions version of the library that are prohibited
+	 * @param dependencyVersions the library's dependency versions
 	 */
-	public Library(String name, DependencyVersion version, List<Group> groups,
-			List<ProhibitedVersion> prohibitedVersions) {
+	public Library(String name, LibraryVersion version, List<Group> groups, List<ProhibitedVersion> prohibitedVersions,
+			DependencyVersions dependencyVersions) {
 		this.name = name;
 		this.version = version;
 		this.groups = groups;
 		this.versionProperty = "Spring Boot".equals(name) ? null
 				: name.toLowerCase(Locale.ENGLISH).replace(' ', '-') + ".version";
 		this.prohibitedVersions = prohibitedVersions;
+		this.dependencyVersions = dependencyVersions;
 	}
 
 	public String getName() {
 		return this.name;
 	}
 
-	public DependencyVersion getVersion() {
+	public LibraryVersion getVersion() {
 		return this.version;
 	}
 
@@ -80,6 +93,10 @@ public List<ProhibitedVersion> getProhibitedVersions() {
 		return this.prohibitedVersions;
 	}
 
+	public DependencyVersions getDependencyVersions() {
+		return this.dependencyVersions;
+	}
+
 	/**
 	 * A version or range of versions that are prohibited from being used in a bom.
 	 */
@@ -104,6 +121,27 @@ public String getReason() {
 
 	}
 
+	public static class LibraryVersion {
+
+		private final DependencyVersion version;
+
+		private final VersionAlignment versionAlignment;
+
+		public LibraryVersion(DependencyVersion version, VersionAlignment versionAlignment) {
+			this.version = version;
+			this.versionAlignment = versionAlignment;
+		}
+
+		public DependencyVersion getVersion() {
+			return this.version;
+		}
+
+		public VersionAlignment getVersionAlignment() {
+			return this.versionAlignment;
+		}
+
+	}
+
 	/**
 	 * A collection of modules, Maven plugins, and Maven boms with the same group ID.
 	 */
@@ -194,4 +232,128 @@ public String getArtifactId() {
 
 	}
 
+	public interface DependencyVersions {
+
+		String getVersion(String groupId, String artifactId);
+
+		default boolean available() {
+			return true;
+		}
+
+	}
+
+	public static class DependencyLockDependencyVersions implements DependencyVersions {
+
+		private final Map<String, Map<String, String>> dependencyVersions = new HashMap<>();
+
+		private final String sourceTemplate;
+
+		private final String libraryVersion;
+
+		public DependencyLockDependencyVersions(String sourceTemplate, String libraryVersion) {
+			this.sourceTemplate = sourceTemplate;
+			this.libraryVersion = libraryVersion;
+		}
+
+		@Override
+		public boolean available() {
+			return !this.libraryVersion.contains("-SNAPSHOT");
+		}
+
+		@Override
+		public String getVersion(String groupId, String artifactId) {
+			if (this.dependencyVersions.isEmpty()) {
+				loadVersions();
+			}
+			return this.dependencyVersions.computeIfAbsent(groupId, (key) -> Collections.emptyMap()).get(artifactId);
+		}
+
+		private void loadVersions() {
+			String source = this.sourceTemplate.replace("<libraryVersion>", this.libraryVersion);
+			try {
+				try (BufferedReader reader = new BufferedReader(
+						new InputStreamReader(URI.create(source).toURL().openStream()))) {
+					String line;
+					while ((line = reader.readLine()) != null) {
+						if (!line.startsWith("#")) {
+							String[] components = line.split(":");
+							Map<String, String> groupDependencies = this.dependencyVersions
+									.computeIfAbsent(components[0], (key) -> new HashMap<>());
+							groupDependencies.put(components[1], components[2]);
+						}
+					}
+				}
+			}
+			catch (IOException ex) {
+				throw new GradleException("Failed to load versions from dependency lock file '" + source + "'", ex);
+			}
+		}
+
+	}
+
+	public static class DependencyConstraintsDependencyVersions implements DependencyVersions {
+
+		private static final Pattern CONSTRAINT_PATTERN = Pattern.compile("api \"(.+):(.+):(.+)\"");
+
+		private final Map<String, Map<String, String>> dependencyVersions = new HashMap<>();
+
+		private final String sourceTemplate;
+
+		private final String libraryVersion;
+
+		public DependencyConstraintsDependencyVersions(String sourceTemplate, String libraryVersion) {
+			this.sourceTemplate = sourceTemplate;
+			this.libraryVersion = libraryVersion;
+		}
+
+		@Override
+		public String getVersion(String groupId, String artifactId) {
+			if (this.dependencyVersions.isEmpty()) {
+				loadVersions();
+			}
+			return this.dependencyVersions.computeIfAbsent(groupId, (key) -> Collections.emptyMap()).get(artifactId);
+		}
+
+		private void loadVersions() {
+			String version = this.libraryVersion;
+			if (version.endsWith("-SNAPSHOT")) {
+				version = version.substring(0, version.lastIndexOf('.')) + ".x";
+			}
+			String source = this.sourceTemplate.replace("<libraryVersion>", version);
+			try {
+				try (BufferedReader reader = new BufferedReader(
+						new InputStreamReader(URI.create(source).toURL().openStream()))) {
+					String line;
+					while ((line = reader.readLine()) != null) {
+						Matcher matcher = CONSTRAINT_PATTERN.matcher(line.trim());
+						if (matcher.matches()) {
+							Map<String, String> groupDependencies = this.dependencyVersions
+									.computeIfAbsent(matcher.group(1), (key) -> new HashMap<>());
+							groupDependencies.put(matcher.group(2), matcher.group(3));
+						}
+					}
+				}
+			}
+			catch (IOException ex) {
+				throw new GradleException(
+						"Failed to load versions from dependency constraints declared in '" + source + "'", ex);
+			}
+		}
+
+	}
+
+	public static class VersionAlignment {
+
+		private final String libraryName;
+
+		public VersionAlignment(String libraryName) {
+			this.libraryName = libraryName;
+		}
+
+		public String getLibraryName() {
+			return this.libraryName;
+		}
+
+	}
+
 }