Update guava to 32.1.3 in Javapackages-bootstrap (#8524)

Author: rikenm1

SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md

@@ -539,6 +539,7 @@
                 "js-jquery",
                 "jsoncpp",
                 "Judy",
+                "jurand",
                 "kata-containers",
                 "kde-filesystem",
                 "kde-settings",

SPECS/LICENSES-AND-NOTICES/data/licenses.json

@@ -0,0 +1,89 @@
+diff -urN a/javapackages-bootstrap-1.5.0/mbi/core/src/org/fedoraproject/mbi/tool/compiler/CompilerTool.java b/javapackages-bootstrap-1.5.0/mbi/core/src/org/fedoraproject/mbi/tool/compiler/CompilerTool.java
+--- a/javapackages-bootstrap-1.5.0/mbi/core/src/org/fedoraproject/mbi/tool/compiler/CompilerTool.java	2024-03-22 11:02:12.472882868 -0700
++++ b/javapackages-bootstrap-1.5.0/mbi/core/src/org/fedoraproject/mbi/tool/compiler/CompilerTool.java	2024-03-22 11:05:04.539120103 -0700
+@@ -49,6 +49,8 @@
+ 
+     private Predicate<Path> sourceFilter = source -> true;
+ 
++    private boolean accessInternalJavaAPI;
++
+     private int release = 8;
+ 
+     @Instruction
+@@ -58,6 +60,12 @@
+     }
+ 
+     @Instruction
++    public void accessInternalJavaAPI( String dummy )
++    {
++        this.accessInternalJavaAPI = true;
++    }
++
++    @Instruction
+     public void addSourceRoot( String sourceRoot )
+     {
+         sourceRoots.add( sourceRoot );
+@@ -101,7 +109,7 @@
+         }
+         List<Path> allIncluded = new ArrayList<>();
+         EclipseProjectGenerator eclipse =
+-            new EclipseProjectGenerator( getReactor(), getProject(), getModule(), release );
++            new EclipseProjectGenerator( getReactor(), getProject(), getModule(), release, accessInternalJavaAPI );
+         for ( Path sourceDir : sourceDirs )
+         {
+             List<Path> included = new ArrayList<>();
+@@ -116,8 +124,20 @@
+         List<String> options = new ArrayList<>();
+         options.add( "-d" );
+         options.add( getClassesDir().toString() );
+-        options.add( "--release" );
+-        options.add( release + "" );
++        // If internal Java APIs need to be visible then --release can't be used
++        // https://bugs.openjdk.org/browse/JDK-8206937
++        if ( accessInternalJavaAPI )
++        {
++            options.add( "-source" );
++            options.add( release + "" );
++            options.add( "-target" );
++            options.add( release + "" );
++        }
++        else
++        {
++            options.add( "--release" );
++            options.add( release + "" );
++        }
+         options.add( "-cp" );
+         options.add( getClassPath().stream().map( Path::toString ).collect( Collectors.joining( ":" ) ) );
+         StringWriter compilerOutput = new StringWriter();
+diff -urN a/javapackages-bootstrap-1.5.0/mbi/core/src/org/fedoraproject/mbi/tool/compiler/EclipseProjectGenerator.java b/javapackages-bootstrap-1.5.0/mbi/core/src/org/fedoraproject/mbi/tool/compiler/EclipseProjectGenerator.java
+--- a/javapackages-bootstrap-1.5.0/mbi/core/src/org/fedoraproject/mbi/tool/compiler/EclipseProjectGenerator.java	2024-03-22 11:02:12.480882972 -0700
++++ b/javapackages-bootstrap-1.5.0/mbi/core/src/org/fedoraproject/mbi/tool/compiler/EclipseProjectGenerator.java	2024-03-22 11:08:44.793998047 -0700
+@@ -39,12 +39,15 @@
+ 
+     private final int release;
+ 
+-    public EclipseProjectGenerator( Reactor reactor, ProjectDescriptor project, ModuleDescriptor module, int release )
++    private boolean accessInternalJavaAPI;
++
++    public EclipseProjectGenerator( Reactor reactor, ProjectDescriptor project, ModuleDescriptor module, int release,boolean accessInternalJavaAPI )
+     {
+         this.reactor = reactor;
+         this.project = project;
+         this.module = module;
+         this.release = release;
++        this.accessInternalJavaAPI = accessInternalJavaAPI;
+     }
+ 
+     private StringBuilder eclipseClasspath = new StringBuilder( "<classpath>" );
+@@ -99,7 +102,10 @@
+             bw.write( "org.eclipse.jdt.core.compiler.compliance=" + vm + "\n" );
+             bw.write( "org.eclipse.jdt.core.compiler.source=" + vm + "\n" );
+             bw.write( "org.eclipse.jdt.core.compiler.codegen.targetPlatform=" + vm + "\n" );
+-            bw.write( "org.eclipse.jdt.core.compiler.release=enabled\n" );
++            if ( !accessInternalJavaAPI )
++            {
++                bw.write( "org.eclipse.jdt.core.compiler.release=enabled\n" );
++            }
+             bw.write( "org.eclipse.jdt.core.compiler.problem.forbiddenReference=warning\n" );
+         }
+     }

SPECS/javapackages-bootstrap/Internal-Java-API.patch

@@ -0,0 +1,28 @@
+<project>
+  <licensing>
+    <tag>Apache-2.0 AND CC0-1.0</tag>
+  </licensing>
+  <module>
+    <dependency>jsr-305</dependency>
+    <build>
+      <ant>
+        <run>
+          [copy todir="${generatedSources}"]
+            [fileset dir="${basedir}/guava/src"/]
+          [/copy]
+          [exec executable="jurand" dir="${generatedSources}" failonerror="true" logerror="true"]
+            [arg line="-i -a ."/]
+            [arg line="-p ^org.checkerframework."/]
+            [arg line="-p ^com.google.common.annotations."/]
+            [arg line="-p ^com.google.errorprone.annotations."/]
+            [arg line="-p ^com.google.j2objc.annotations."/]
+          [/exec]
+        </run>
+      </ant>
+      <compiler>
+        <accessInternalJavaAPI/>
+        <addSourceRoot>futures/failureaccess/src</addSourceRoot>
+      </compiler>
+    </build>
+  </module>
+</project>

SPECS/javapackages-bootstrap/guava.xml

@@ -2,6 +2,7 @@
     "Signatures": {
         "javapackages-bootstrap-1.5.0.tar.xz": "37518e10d629f6d7115bd78bed85977c7294f871c2438a57f7857f2c0e065c7c",
         "javapackages-bootstrap-PACKAGE-LICENSING": "3f440662012f41be31be13fb764c1f6a21d51f2efdcabf85ed35e9eb8c3b5714",
+        "guava.xml":"4fba5a37ddeabeb21925f2bf71182380734c89ee0000895df59fb32ff8e8669c",
         "ignore.upstream.patch.txt": "441bb5697fc5fb4089b1d43479dd443a8ce4405bec4d6b92c4152d4320ad3a80",
         "apache-pom.tar.xz": "cedc788ca41b99d04a6b058b1689e6eda8f33b9afd642e526a0998d7741f7614",
         "ant.tar.xz": "230ad9d99c5adfffd14abc3e094e8b7331cef0c061282ce0f13245a02458b604",
@@ -29,7 +30,7 @@
         "felix-parent-pom.tar.xz": "968678162e287991bfd478ba9d673f77a5bb0f5d44262ec769e639d34ab9edcf",
         "felix-utils.tar.xz": "ac0c7eee70cf651749e200683db3daf715aea889e8c399cff1e4b494e9409181",
         "fusesource-pom.tar.xz": "1616d0dc4f66ad29e27ce329484a5fadf36efb2faea1702bfde3dede7f612a1d",
-        "guava.tar.xz": "8d147ba92ea1793004dfd9ee77d8450f01364ce306196e671480a5743a2697e1",
+        "guava-32.1.3b.tar.xz": "a07fe04da57a82383b2f9b0da4eb99344fdd527d1df97777f1fe13d5baa170e6",
         "guice.tar.xz": "f8bc5d4061aae98fb8aaa246cf9b1183d6700201cd0d216993f43d23fde6d421",
         "hamcrest.tar.xz": "ea0aa53fbc46c84726dd9499a71cd4a4d6b8111aa059a3afd84925cbc94cb40e",
         "httpcomponents-client.tar.xz": "2fbf3c7e0077ef4fe3fac1fa77c05a4a88609ef46d86fabf8908ff958abcced1",

SPECS/javapackages-bootstrap/javapackages-bootstrap.signatures.json

@@ -13,7 +13,7 @@
 
 Name:           javapackages-bootstrap
 Version:        1.5.0
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        A means of bootstrapping Java Packages Tools
 # For detailed info see the file javapackages-bootstrap-PACKAGE-LICENSING
 License:        ASL 2.0 and ASL 1.1 and (ASL 2.0 or EPL-2.0) and (EPL-2.0 or GPLv2 with exceptions) and MIT and (BSD with advertising) and BSD-3-Clause and EPL-1.0 and EPL-2.0 and CDDL-1.0 and xpp and CC0 and Public Domain
@@ -25,6 +25,7 @@ Source0:        https://github.com/fedora-java/javapackages-bootstrap/releases/d
 # License breakdown
 Source1:        javapackages-bootstrap-PACKAGE-LICENSING
 Source2:        ignore.upstream.patch.txt
+Source3:        guava.xml
 
 Source1002:     apache-pom.tar.xz
 Source1001:     ant.tar.xz
@@ -52,7 +53,7 @@ Source1023:     easymock.tar.xz
 Source1024:     felix-parent-pom.tar.xz
 Source1025:     felix-utils.tar.xz
 Source1026:     fusesource-pom.tar.xz
-Source1027:     guava.tar.xz
+Source1027:     guava-32.1.3b.tar.xz
 Source1028:     guice.tar.xz
 Source1029:     hamcrest.tar.xz
 Source1030:     httpcomponents-client.tar.xz
@@ -138,6 +139,7 @@ Source1108:     xz-java.tar.xz
 Patch0:         0001-Bind-to-OpenJDK-11-for-runtime.patch
 Patch1:         0001-Remove-usage-of-ArchiveStreamFactory.patch
 Patch2:         CVE-2023-37460.patch
+Patch3:         Internal-Java-API.patch
 
 Provides:       bundled(ant) = 1.10.9
 Provides:       bundled(apache-parent) = 23
@@ -165,7 +167,7 @@ Provides:       bundled(easymock) = 4.2
 Provides:       bundled(felix-parent) = 7
 Provides:       bundled(felix-utils) = 1.11.6
 Provides:       bundled(fusesource-pom) = 1.12
-Provides:       bundled(guava) = 30.1
+Provides:       bundled(guava) = 32.1.3
 Provides:       bundled(google-guice) = 4.2.3
 Provides:       bundled(hamcrest) = 2.2
 Provides:       bundled(httpcomponents-client) = 4.5.11
@@ -252,6 +254,7 @@ BuildRequires:  byaccj
 BuildRequires:  msopenjdk-11
 BuildRequires:  javapackages-generators
 BuildRequires:  java-devel
+BuildRequires:  jurand
 
 Requires:       bash
 Requires:       coreutils
@@ -277,11 +280,11 @@ XMvn, allowing JPT to be used before one builds XMvn package.
 
 %prep
 %setup -q
-
+%patch 3 -p2
 # leave out the first source as it has already been extracted
 # leave out licensing breakdown file
 # leave ignore patch text file
-other_sources=$(echo %{sources} | cut -d' ' -f4-)
+other_sources=$(echo %{sources} | cut -d' ' -f5-)
 
 for source in ${other_sources}
 do
@@ -297,11 +300,28 @@ pushd "downstream/plexus-archiver"
 %patch2 -p1 
 popd
 
+# remove guava.xml from javapackage-bootstrap 1.5.0
+# import guava.xml 32.1.3 from Fedora 40
+# edit version from guava.properties
+pushd "project"
+rm guava.xml
+cp %{SOURCE3} .
+sed -i 's|version=30.1|version=32.1.3|' guava.properties
+sed -i 's|ref=v@.@|ref=v@.@.@|' guava.properties
+popd
+
+
 for patch_path in patches/*/*
 do
   package_name="$(echo ${patch_path} | cut -f2 -d/)"
   patch_name="$(echo ${patch_path} | cut -f3 -d/)"
-  
+
+  # ignore the patch provided by upstream javapackages-bootstrap as guava version has changed
+  # and no longer compatible
+  if [[ "$patch_name" == "0001-Fix-compilation-error-with-ECJ.patch" || "$patch_name" == "0002-Remove-use-of-sun.misc.Unsafe.patch" ]]
+  then
+      continue
+  fi
   pushd "downstream/${package_name}"
   # not applying some patches provided by javapackages-bootstrap
   # some upstream patches become not applicable when upgrading any of the sources
@@ -364,6 +384,9 @@ sed -i 's|/usr/lib/jvm/java-11-openjdk|%{java_home}|' %{buildroot}%{launchersPat
 %doc AUTHORS
 
 %changelog
+* Fri Mar 22 2024 Riken Maharjan <rmaharjan@microsoft.com> - 1.5.0-5
+- Update Guava to fix CVE-2023-2976 using Fedora 40 (License: MIT).
+
 * Fri Aug 11 2023 Saul Paredes <saulparedes@microsoft.com> - 1.5.0-4
 - Patch plexus-archiver to fix CVE-2023-37460
 

SPECS/javapackages-bootstrap/javapackages-bootstrap.spec

@@ -0,0 +1,6 @@
+{
+    "Signatures": {
+      "jurand-1.3.2.tar.gz": "05c1fa356e2ad4247265ac77e6837faf24a6e291742b2c123f248b85a5edd1dc"
+    }
+  }
+  

SPECS/jurand/jurand.signatures.json

@@ -0,0 +1,83 @@
+Summary:        A tool for manipulating symbols present in Java source files.
+Name:           jurand
+Version:        1.3.2
+Release:        4%{?dist}
+License:        Apache-2.0
+Vendor:         Microsoft Corporation
+Distribution:   Mariner
+URL:            https://github.com/fedora-java/jurand
+Source0:        https://github.com/fedora-java/jurand/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz
+BuildRequires:  gcc-c++
+BuildRequires:  diffutils
+BuildRequires:  make
+BuildRequires:  rubygem-asciidoctor
+Obsoletes:      javapackages-extra < 6.2.0
+
+%description
+The tool can be used for patching .java sources in cases where using sed is
+insufficient due to Java language syntax. The tool follows Java language rules
+rather than applying simple regular expressions on the source code.
+
+%prep
+%setup -q
+
+%build
+%{make_build} test-compile manpages
+
+%install
+export buildroot=%{buildroot}
+export bindir=%{_bindir}
+export rpmmacrodir=%{_rpmmacrodir}
+export mandir=%{_mandir}/man7
+
+./install.sh
+
+%check
+make test
+
+%files -f target/installed_files
+%dir %{_rpmconfigdir}
+%dir %{_rpmmacrodir}
+%license LICENSE NOTICE
+%doc README.adoc
+
+%changelog
+* Thu Mar 21 2024 Riken Maharjan <rmaharjan@microsoft.com> - 1.3.2-4
+- Initial CBL-Mariner import from Fedora 40 (license: MIT).
+- License verified
+
+* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sat Jan 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Tue Nov 21 2023 Marian Koncek <mkoncek@redhat.com> - 1.3.2-1
+- Update to upstream version 1.3.2
+
+* Wed Aug 30 2023 Mikolaj Izdebski <mizdebsk@redhat.com> - 1.3.1-3
+- Obsolete javapackages-extra
+
+* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Thu Mar 23 2023 Marian Koncek <mkoncek@redhat.com> - 1.3.1-1
+- Update to upstream version 1.3.1
+
+* Wed Mar 15 2023 Marian Koncek <mkoncek@redhat.com> - 1.3.0-1
+- Update to upstream version 1.3.0
+
+* Wed Mar 08 2023 Mikolaj Izdebski <mizdebsk@redhat.com> - 1.2.0-2
+- Skip interface keyword as annotation in name matching only
+
+* Wed Mar 08 2023 Marian Koncek <mkoncek@redhat.com> - 1.2.0-1
+- Update to upstream version 1.2.0
+
+* Tue Mar 07 2023 Marian Koncek <mkoncek@redhat.com> - 1.1.0-1
+- Update to upstream version 1.1.0
+
+* Fri Mar 03 2023 Marian Koncek <mkoncek@redhat.com> - 1.0.2-1
+- Update to upstream version 1.0.2
+
+* Wed Mar 01 2023 Marian Koncek <mkoncek@redhat.com> - 1.0.0-1
+- Initial build

SPECS/jurand/jurand.spec

@@ -8016,6 +8016,16 @@
         }
       }
     },
+    {
+      "component": {
+        "type": "other",
+        "other": {
+          "name": "jurand",
+          "version": "1.3.2",
+          "downloadUrl": "https://github.com/fedora-java/jurand/archive/refs/tags/1.3.2.tar.gz"
+        }
+      }
+    },
     {
       "component": {
         "type": "other",