CN112965913B - Java software dependency conflict problem automatic repairing method - Google Patents
Java software dependency conflict problem automatic repairing method Download PDFInfo
- Publication number
- CN112965913B CN112965913B CN202110338522.2A CN202110338522A CN112965913B CN 112965913 B CN112965913 B CN 112965913B CN 202110338522 A CN202110338522 A CN 202110338522A CN 112965913 B CN112965913 B CN 112965913B
- Authority
- CN
- China
- Prior art keywords
- version
- dependency
- risk
- conflict
- project
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
- 
        - G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Prevention of errors by analysis, debugging or testing of software
- G06F11/3668—Testing of software
- G06F11/3672—Test management
- G06F11/3684—Test management for test design, e.g. generating new test cases
 
- 
        - G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Prevention of errors by analysis, debugging or testing of software
- G06F11/3668—Testing of software
- G06F11/3672—Test management
- G06F11/3688—Test management for test execution, e.g. scheduling of test suites
 
- 
        - G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/70—Software maintenance or management
- G06F8/71—Version control; Configuration management
 
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Quality & Reliability (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- Stored Programmes (AREA)
Abstract
Description
技术领域Technical field
本发明涉及软件可靠性技术领域,尤其涉及一种Java软件依赖冲突问题自动化修复的方法。The invention relates to the technical field of software reliability, and in particular to a method for automatically repairing Java software dependency conflict problems.
背景技术Background technique
Java软件在诸多开发者的努力下,形成了一个庞大的第三方开源依赖库。虽然第三方开源依赖库给开发者开发Java软件项目带来了极大的便利,但是也给开发者带来了困扰,即如何管理Java软件项目中所引入的诸多第三方依赖包。当一个Java软件项目引入了一个第三方依赖包,而该第三方依赖包的开发又引入了其他第三方依赖包,形成了一种传递情况,这样的情况阻碍了Java软件项目对第三方依赖包的管理。因此,Maven的出现给Java软件项目带来了一种良好的构建管理解决方案。Maven是Java项目主要的构建工具,也是Java项目所引入的第三方开源项目的主要管理工具。通过配置文件注入所需要的第三方依赖,Maven可以自动获取所有该项目所需要的依赖包。这样不仅解决了Java软件项目中第三方依赖包的管理问题,也为开发Java软件项目提供了极大的便利With the efforts of many developers, Java software has formed a huge third-party open source dependency library. Although third-party open source dependency libraries have brought great convenience to developers in developing Java software projects, they have also brought trouble to developers, that is, how to manage many third-party dependency packages introduced in Java software projects. When a Java software project introduces a third-party dependency package, and the development of the third-party dependency package introduces other third-party dependency packages, a transfer situation is formed. This situation prevents the Java software project from supporting the third-party dependency package. management. Therefore, the emergence of Maven brings a good build management solution to Java software projects. Maven is the main construction tool for Java projects and the main management tool for third-party open source projects introduced by Java projects. By injecting the required third-party dependencies through the configuration file, Maven can automatically obtain all the dependency packages required by the project. This not only solves the management problem of third-party dependent packages in Java software projects, but also provides great convenience for the development of Java software projects.
Maven作为Java构建管理的一种良好的解决方案,虽然能够有效的管理第三方依赖包,但也会带来问题。一个第三方依赖包往往会进行功能更新、问题修复等过程,在多次更新迭代后,会产生多个版本。由于在引入依赖包的同时会传递地引入该依赖所需的依赖包,所以一个Java软件项目往往会存在同一个依赖包的多个版本。依据Maven的依赖管理机制,只有其中一个版本会加载到项目中,而屏蔽其他版本,从而出现依赖冲突现象。一个第三方依赖包经过迭代更新后,会出现某个类或方法存在于一个版本中而不存在于另一个版本情况,当项目使用到了该方法而实际加载的是不包含该方法的依赖版本时,在运行时就会发生错误。当一个Java软件项目存在依赖冲突问题时,在集成测试不充分的情况下,依赖冲突问题可能会在项目运行的时候产生意想不到的运行时错误,比如java.lang.NoClassDefFoundError和java.lang.NoSuchMethodError。Maven本身虽然可以识别依赖冲突,但缺乏有效的机制帮助开发者修复依赖冲突。As a good solution for Java build management, Maven can effectively manage third-party dependency packages, but it can also cause problems. A third-party dependency package often undergoes function updates, problem fixes, etc. After multiple update iterations, multiple versions will be produced. Since the dependency packages required for the dependency are transitively introduced when the dependency package is introduced, a Java software project often has multiple versions of the same dependency package. According to Maven's dependency management mechanism, only one version will be loaded into the project, while other versions will be blocked, resulting in dependency conflicts. After a third-party dependency package is iteratively updated, it may happen that a certain class or method exists in one version but not in another version. When the project uses this method but actually loads a dependency version that does not contain this method. , an error will occur at runtime. When a Java software project has dependency conflicts and insufficient integration testing, the dependency conflicts may produce unexpected runtime errors when the project is running, such as java.lang.NoClassDefFoundError and java.lang.NoSuchMethodError. . Although Maven itself can identify dependency conflicts, it lacks an effective mechanism to help developers fix dependency conflicts.
对于Maven环境中依赖冲突导致的运行时错误的问题,Maven构建工具并未提供有效的解决方案。一旦遇到运行时错误,需要花费大量的时间寻找触发错误的类和方法,然后在寻找方法来修复错误。通过分析程序内部的类和方法的关系对依赖冲突进行修复可以更进一步地帮助软件开发者避免程序运行时崩溃。The Maven build tool does not provide an effective solution to the problem of runtime errors caused by dependency conflicts in the Maven environment. Once you encounter a runtime error, you need to spend a lot of time looking for the class and method that triggered the error, and then looking for ways to fix the error. Repairing dependency conflicts by analyzing the relationship between classes and methods within the program can further help software developers avoid program runtime crashes.
发明内容Contents of the invention
本发明要解决的技术问题是针对上述现有技术的不足,提供一种Java软件依赖冲突问题自动化修复的方法The technical problem to be solved by the present invention is to provide a method for automatically repairing Java software dependency conflict problems in view of the shortcomings of the above-mentioned existing technologies.
为解决上述技术问题,本发明所采取的技术方案是:一种Java软件依赖冲突问题自动化修复的方法,包括如下步骤:In order to solve the above technical problems, the technical solution adopted by the present invention is: a method for automatically repairing Java software dependency conflict problems, including the following steps:
步骤1:获取当前项目的项目代码和依赖关系;Step 1: Get the project code and dependencies of the current project;
步骤2:分析当前项目的依赖关系,得到风险依赖冲突和调用到的风险方法,并将风险依赖冲突划分为有直接依赖的冲突和无直接依赖的冲突,过程如下:Step 2: Analyze the dependencies of the current project, obtain the risk dependency conflicts and the risk methods called, and divide the risk dependency conflicts into conflicts with direct dependencies and conflicts without direct dependencies. The process is as follows:
步骤2.1:遍历当前项目的完全依赖树,分析得到在完全依赖树中存在多个版本的依赖关系,定义为依赖冲突;Step 2.1: Traverse the complete dependency tree of the current project, and analyze the dependencies that exist in multiple versions in the complete dependency tree, which are defined as dependency conflicts;
步骤2.2:对于分析得到的依赖冲突,对比分析加载版本和未加载版本jar包中的类和方法,如果一个未加载版本jar包中的方法在加载版本jar包中没有对应的限定名相同的方法,则为一个风险方法,获取这样的方法集合,判断集合中的方法在当前项目中是否有调用,若有调用,即为风险依赖冲突,获取被调用到的风险方法;Step 2.2: For the analyzed dependency conflicts, compare and analyze the classes and methods in the loaded version and the unloaded version jar package. If a method in the unloaded version jar package does not have a corresponding method with the same qualified name in the loaded version jar package , then it is a risk method. Obtain such a method collection and determine whether the method in the collection is called in the current project. If there is a call, it is a risk dependency conflict. Obtain the called risk method;
步骤2.3:对于风险依赖冲突,通过依赖关系图查看冲突的加载版本是否是当前项目直接声明的依赖,若为当前项目直接声明的依赖,则为有直接依赖的冲突;反之为无直接依赖的冲突。Step 2.3: For risky dependency conflicts, check whether the conflicting loaded version is a directly declared dependency of the current project through the dependency diagram. If it is a directly declared dependency of the current project, it is a conflict with direct dependency; otherwise, it is a conflict with no direct dependency. .
步骤3:分析风险依赖冲突,通过判断加载的依赖版本中的方法是否满足在当前项目中的所有调用,来寻找无风险的依赖版本,过程如下:Step 3: Analyze risky dependency conflicts and find risk-free dependency versions by judging whether the methods in the loaded dependency versions satisfy all calls in the current project. The process is as follows:
步骤3.1:对于风险依赖冲突,分析未加载的依赖版本的方法是否满足加载的依赖版本的方法在项目中的所有调用,若满足,则未加载版本为无风险版本,进入步骤3.5;若不满足,进入下一个步骤;Step 3.1: For risk dependency conflicts, analyze whether the method of the unloaded dependency version satisfies all calls of the method of the loaded dependency version in the project. If it is satisfied, the unloaded version is a risk-free version and enter step 3.5; if not , go to the next step;
步骤3.2:获取风险依赖的所有发行版本,删除风险冲突中所存在的版本,过滤比风险冲突中版本号低的版本,依次从过滤后的版本集中取出测试版本;Step 3.2: Obtain all releases that the risk depends on, delete the versions that exist in the risk conflict, filter versions with lower version numbers than those in the risk conflict, and remove the test version from the filtered version set in turn;
步骤3.3:获取测试版本的jar包,分析测试版本中的方法是否满足加载的依赖版本中的方法在项目中的所有调用,若满足,进入下一个步骤;若不满足,测试下一个版本;Step 3.3: Obtain the jar package of the test version, and analyze whether the methods in the test version satisfy all calls of the methods in the loaded dependent version in the project. If so, go to the next step; if not, test the next version;
步骤3.4:分析测试版本中的方法是否包含未加载的依赖版本中的被调用到的风险方法,若满足,即为一个无风险版本;Step 3.4: Analyze whether the method in the test version contains the risk method called in the unloaded dependency version. If so, it is a risk-free version;
步骤3.5:得到的未加载版本或者测试版本即为一个无风险版本。Step 3.5: The obtained unloaded version or test version is a risk-free version.
步骤4:设置修复策略,根据风险类型选择不同的策略将无风险的版本加载到当前项目中;Step 4: Set the repair strategy, select different strategies according to the risk type, and load the risk-free version into the current project;
所述修复策略包含如下4种:The repair strategies include the following four types:
1:替换当前项目的直接依赖:读取当前项目的依赖配置文件,定位目标直接依赖的声明位置,进行版本替换;1: Replace the direct dependencies of the current project: Read the dependency configuration file of the current project, locate the declaration location of the target's direct dependencies, and perform version replacement;
2:使用<dependencyManagement>标签统一到无风险的版本;2: Use the <dependencyManagement> tag to unify to a risk-free version;
3:使用<exclude>标签将当前使用的版本删除;3: Use the <exclude> tag to delete the currently used version;
4:直接声明无风险的版本:读取当前项目的依赖配置文件,直接添加对无风险版本依赖的声明。4: Directly declare the risk-free version: Read the dependency configuration file of the current project and directly add a declaration of dependence on the risk-free version.
所述根据风险类型选择不同的策略将无风险的版本加载到当前项目中的过程如下:The process of selecting different strategies according to the risk type to load the risk-free version into the current project is as follows:
步骤4.1:在得到无风险的版本后,判断风险依赖冲突的类型,若为有直接依赖的冲突,则使用修复策略中的策略1、2进行版本置换,生成临时修复补丁;若为无直接依赖的冲突,则使用策略2、3、4进行版本置换,生成临时修复补丁;Step 4.1: After obtaining the risk-free version, determine the type of risk dependency conflict. If it is a conflict with direct dependencies, use strategies 1 and 2 in the repair strategy to replace the version and generate a temporary repair patch; if it is a conflict with no direct dependencies, If there is a conflict, use strategies 2, 3, and 4 to perform version replacement and generate a temporary repair patch;
步骤4.2:对于不同置换策略对应的修复补丁,解析置换后的依赖关系,获取当前冲突置换后的加载版本,若无风险版本正确加载,则置换成功;若无风险版本没有正确加载,则置换失败,删除失败置换策略对应的临时修复补丁。Step 4.2: For repair patches corresponding to different replacement strategies, analyze the dependencies after replacement and obtain the loaded version after current conflict replacement. If the risk-free version is loaded correctly, the replacement is successful; if the risk-free version is not loaded correctly, the replacement fails. , delete the temporary repair patch corresponding to the failed replacement strategy.
步骤5:评估使用修复策略后的项目是否产生新的依赖冲突,过程如下:Step 5: Evaluate whether the project using the repair strategy generates new dependency conflicts. The process is as follows:
步骤5.1:依次遍历所有的临时修复补丁,获取由临时修复补丁生成的依赖关系;Step 5.1: Traverse all temporary repair patches in sequence and obtain the dependencies generated by the temporary repair patches;
步骤5.2:将由补丁生成的新的依赖关系与项目原来的依赖关系进行对比,查看是否出现不同于原项目的依赖冲突,若出现,进入下一个步骤;若未出现,进入步骤5.4;Step 5.2: Compare the new dependencies generated by the patch with the original dependencies of the project to see if there is a dependency conflict that is different from the original project. If so, go to the next step; if not, go to step 5.4;
步骤5.3:对比分析加载版本和未加载版本jar包中的类和方法,如果一个未加载版本jar包中的方法在加载版本jar包中没有对应的限定名相同的方法,则为一个风险方法,获取这样的方法集合,判断集合中的方法在当前项目中是否有调用,若有调用,则修复补丁无效;若无调用,则进入下一个步骤;Step 5.3: Comparatively analyze the classes and methods in the loaded version and the unloaded version jar package. If a method in the unloaded version jar package does not have a corresponding method with the same qualified name in the loaded version jar package, it is a risky method. Obtain such a method collection and determine whether the methods in the collection are called in the current project. If there are calls, the repair patch will be invalid; if there are no calls, go to the next step;
步骤5.4:将评估成功的临时修复补丁备份到用户指定的文件夹中。Step 5.4: Back up the successfully evaluated temporary repair patch to the user-specified folder.
步骤6:将修复建议和修复补丁推送给开发者。Step 6: Push fix suggestions and fix patches to developers.
采用上述技术方案所产生的有益效果在于:本发明提供的方法不仅可以标识出可能会产生运行时错误的依赖冲突,而且可以针对这些可能会产生运行时错误的依赖冲突给出合理的修复方案。只需要在目标Java项目中使用本发明的方法,就可以得到相应的修复建议以及修复补丁,减少了开发者在开发过程中遇到运行时错误的机率以及解决运行时错误的时间,节约了开发成本。The beneficial effect of adopting the above technical solution is that the method provided by the present invention can not only identify dependency conflicts that may produce runtime errors, but also provide reasonable repair solutions for these dependency conflicts that may produce runtime errors. Only by using the method of the present invention in the target Java project, corresponding repair suggestions and repair patches can be obtained, which reduces the probability of developers encountering runtime errors and the time to solve runtime errors during the development process, and saves development time cost.
附图说明Description of the drawings
图1为本发明实施例中Java软件依赖冲突问题自动化修复的方法的流程图;Figure 1 is a flow chart of a method for automatically repairing Java software dependency conflict problems in an embodiment of the present invention;
图2为本发明实施例中获取无风险依赖版本的流程图;Figure 2 is a flow chart for obtaining a risk-free dependency version in an embodiment of the present invention;
图3为本发明实施例中利用修复策略置换无风险版本的流程图;Figure 3 is a flow chart of using a repair strategy to replace a risk-free version in an embodiment of the present invention;
图4为本发明实施例中评估修复策略是否有效的流程图。Figure 4 is a flow chart for evaluating whether the repair strategy is effective in an embodiment of the present invention.
具体实施方式Detailed ways
下面结合附图和实施例,对本发明的具体实施方式作进一步详细描述。以下实施例用于说明本发明,但不用来限制本发明的范围。Specific implementations of the present invention will be described in further detail below with reference to the accompanying drawings and examples. The following examples are used to illustrate the invention but are not intended to limit the scope of the invention.
如图1所示,本实施例中Java软件依赖冲突问题自动化修复的方法如下所述:As shown in Figure 1, the method for automatically repairing Java software dependency conflict problems in this embodiment is as follows:
步骤1:获取当前项目的项目代码和依赖关系;Step 1: Get the project code and dependencies of the current project;
本实施例中,通过Maven对项目pom文件进行解析,获取项目的完全依赖树,因为Maven加载机制保证了每个依赖仅有一个版本被加载使用,所以一个完全依赖树包括项目加载的依赖和未被加载的依赖,遍历完全依赖树,将依赖树上的每个依赖看作是一个结点存储到程序的容器之中,每个节点存储包括groupId、artifavtId、version、isUsed、manage、parent等信息。In this embodiment, the project pom file is parsed through Maven to obtain the project's complete dependency tree. Because the Maven loading mechanism ensures that only one version of each dependency is loaded and used, a complete dependency tree includes the project's loaded dependencies and unused dependencies. The loaded dependency traverses the complete dependency tree, and each dependency on the dependency tree is regarded as a node and stored in the container of the program. Each node stores information including groupId, artifactavtId, version, isUsed, manage, parent, etc. .
步骤2:分析当前项目的依赖关系,得到风险依赖冲突和调用到的风险方法,并将风险依赖冲突划分为有直接依赖的冲突和无直接依赖的冲突,过程如下:Step 2: Analyze the dependencies of the current project, obtain the risk dependency conflicts and the risk methods called, and divide the risk dependency conflicts into conflicts with direct dependencies and conflicts without direct dependencies. The process is as follows:
步骤2.1:遍历当前项目的完全依赖树,分析得到在完全依赖树中存在多个版本的依赖关系,定义为依赖冲突;Step 2.1: Traverse the complete dependency tree of the current project, and analyze the dependencies that exist in multiple versions in the complete dependency tree, which are defined as dependency conflicts;
本实施例中,因为每个依赖都有唯一的groupId和ArtifactId,所以如果完全依赖树中出现具有相同的groupId和相同的artifactId的依赖,而依赖的version不相同,则产生了依赖的冲突。因为项目只会使用其中一个版本,所以查看依赖的isUsed值,若为true,则定义为加载版本依赖usedDepJar;若为false,则是未加载版本依赖unusedDepJar。将识别到的所有依赖冲突放入依赖冲突容器中。In this embodiment, because each dependency has a unique groupId and ArtifactId, if a dependency with the same groupId and the same artifactId appears in the complete dependency tree, but the versions of the dependencies are different, a dependency conflict will occur. Because the project will only use one of the versions, check the isUsed value of the dependency. If it is true, it is defined as the loaded version depends on usedDepJar; if it is false, the unloaded version depends on unusedDepJar. Place all dependency conflicts identified into a dependency conflict container.
步骤2.2:对于分析得到的依赖冲突,对比分析加载版本和未加载版本jar包中的类和方法,如果一个未加载版本jar包中的方法在加载版本jar包中没有对应的限定名相同的方法,则为一个风险方法,获取这样的方法集合,判断集合中的方法在当前项目中是否有调用,若有调用,即为风险依赖冲突,获取被调用到的风险方法;Step 2.2: For the analyzed dependency conflicts, compare and analyze the classes and methods in the loaded version and the unloaded version jar package. If a method in the unloaded version jar package does not have a corresponding method with the same qualified name in the loaded version jar package , then it is a risk method. Obtain such a method collection and determine whether the method in the collection is called in the current project. If there is a call, it is a risk dependency conflict. Obtain the called risk method;
本实施例中,遍历依赖冲突容器,对于每个依赖冲突,解析加载版本和未加载版本的jar包中的类和方法,对于解析到的方法,若该方法在加载版本中无实现而在未加载版本中有实现,则存入testMethods集中。利用soot生成项目的call graph,以项目中的方法作为起点,若能寻址到testMethods集中的方法,则是一个风险依赖冲突。将该方法加入riskMethods集中。In this embodiment, the dependency conflict container is traversed, and for each dependency conflict, the classes and methods in the jar package of the loaded version and the unloaded version are parsed. For the parsed method, if the method is not implemented in the loaded version and is not implemented in the unloaded version, If there is an implementation in the loaded version, it will be stored in the testMethods set. Use soot to generate the call graph of the project, using the methods in the project as the starting point. If you can address the methods in the testMethods set, it is a risky dependency conflict. Add this method to the riskMethods set.
步骤2.3:对于风险依赖冲突,通过依赖关系图查看冲突的加载版本是否是当前项目直接声明的依赖,若为当前项目直接声明的依赖,则为有直接依赖的冲突;反之为无直接依赖的冲突。Step 2.3: For risky dependency conflicts, check whether the conflicting loaded version is a directly declared dependency of the current project through the dependency diagram. If it is a directly declared dependency of the current project, it is a conflict with direct dependency; otherwise, it is a conflict with no direct dependency. .
本实施例中,对于每一个风险依赖冲突,获取加载版本usedDepJar的parent值,若该结点parent值不为空,则为一个无直接依赖的冲突Type A;反之为一个有直接依赖的冲突Type B。In this embodiment, for each risk dependency conflict, the parent value of the loaded version usedDepJar is obtained. If the parent value of the node is not empty, it is a conflict Type A with no direct dependency; otherwise, it is a conflict Type A with direct dependencies. B.
步骤3:分析风险依赖冲突,通过判断加载的依赖版本中的方法是否满足在当前项目中的所有调用,来寻找无风险的依赖版本,其流程如图2所示,过程如下:Step 3: Analyze risky dependency conflicts and find risk-free dependency versions by judging whether the methods in the loaded dependency versions satisfy all calls in the current project. The process is shown in Figure 2. The process is as follows:
步骤3.1:对于风险依赖冲突,分析未加载的依赖版本的方法是否满足加载的依赖版本的方法在项目中的所有调用,若满足,则未加载版本为无风险版本,进入步骤3.5;若不满足,进入下一个步骤;Step 3.1: For risk dependency conflicts, analyze whether the method of the unloaded dependency version satisfies all calls of the method of the loaded dependency version in the project. If it is satisfied, the unloaded version is a risk-free version and enter step 3.5; if not , go to the next step;
本实施例中,对于每个有风险的依赖冲突,解析加载版本jar包中的所有方法,通过soot生成项目的call graph调用路径图。以项目中的方法为起点,若能寻址到加载版本中的方法,则将该方法添加到usedMethods集中。分析未加载版本的方法是否包含usedMethods集中的所有方法,若包含,则未加载的版本为一个无风险的安全版本,进入步骤3.5,反之进入下一步骤。In this embodiment, for each risky dependency conflict, all methods in the loaded version jar package are parsed, and the call graph of the project is generated through soot. Taking the method in the project as a starting point, if the method in the loaded version can be addressed, the method is added to the usedMethods set. Analyze whether the method of the unloaded version contains all methods in the usedMethods set. If it does, the unloaded version is a risk-free and safe version. Go to step 3.5. Otherwise, go to the next step.
步骤3.2:获取风险依赖的所有发行版本,删除风险冲突中所存在的版本,过滤比风险冲突中版本号低的版本,依次从过滤后的版本集中取出测试版本;Step 3.2: Obtain all releases that the risk depends on, delete the versions that exist in the risk conflict, filter versions with lower version numbers than those in the risk conflict, and remove the test version from the filtered version set in turn;
本实施例中,从Maven仓库获取冲突依赖的所有发行版本,遍历这些版本,删除冲突依赖加载和未加载版本,并将剩余版本从高到低进行排序存入版本集versions中。从versions中依次取出版本,获取该版本的依赖jar包。In this embodiment, all released versions of conflicting dependencies are obtained from the Maven warehouse, these versions are traversed, the loaded and unloaded versions of conflicting dependencies are deleted, and the remaining versions are sorted from high to low and stored in the version set versions. Take out the versions from versions in sequence and obtain the dependent jar package of this version.
步骤3.3:获取测试版本的jar包,分析测试版本中的方法是否满足加载的依赖版本中的方法在项目中的所有调用,若满足,进入下一个步骤;若不满足,测试下一个版本;Step 3.3: Obtain the jar package of the test version, and analyze whether the methods in the test version satisfy all calls of the methods in the loaded dependent version in the project. If so, go to the next step; if not, test the next version;
本实施例中,解析测试版本jar包中的方法,获取步骤3.1中的usedMethods集,若测试版本jar包中的方法能够包括usedMethods集中的所有方法,进入下一个步骤;反之尝试其他版本。In this embodiment, the methods in the test version jar package are parsed to obtain the usedMethods set in step 3.1. If the methods in the test version jar package can include all methods in the usedMethods set, go to the next step; otherwise, try other versions.
步骤3.4:分析测试版本中的方法是否包含未加载的依赖版本中的被调用到的风险方法,若满足,即为一个无风险版本;Step 3.4: Analyze whether the method in the test version contains the risk method called in the unloaded dependency version. If so, it is a risk-free version;
本实施例中,获取步骤2.2中的riskMethods集合,若测试版本jar包中的方法包含riskMethods集合中的所有方法,则该测试版本为无风险的安全版本;反之尝试下一个版本。In this embodiment, the riskMethods collection in step 2.2 is obtained. If the methods in the test version jar package include all methods in the riskMethods collection, the test version is a risk-free safe version; otherwise, try the next version.
步骤3.5:得到的未加载版本或者测试版本即为一个无风险版本。Step 3.5: The obtained unloaded version or test version is a risk-free version.
步骤4:设置修复策略,根据风险类型选择不同的策略将无风险的版本加载到当前项目中;Step 4: Set the repair strategy, select different strategies according to the risk type, and load the risk-free version into the current project;
所述修复策略包含如下4种:The repair strategies include the following four types:
1:替换当前项目的直接依赖:读取当前项目的依赖配置文件,定位目标直接依赖的声明位置,进行版本替换;1: Replace the direct dependencies of the current project: Read the dependency configuration file of the current project, locate the declaration location of the target's direct dependencies, and perform version replacement;
2:使用<dependencyManagement>标签统一到无风险的版本;2: Use the <dependencyManagement> tag to unify to a risk-free version;
3:使用<exclude>标签将当前使用的版本删除;3: Use the <exclude> tag to delete the currently used version;
4:直接声明无风险的版本:读取当前项目的依赖配置文件,直接添加对无风险版本依赖的声明。4: Directly declare the risk-free version: Read the dependency configuration file of the current project and directly add a declaration of dependence on the risk-free version.
所述根据风险类型选择不同的策略将无风险的版本加载到当前项目中的流程如图3所示,包括过程如下:The process of selecting different strategies according to the risk type to load the risk-free version into the current project is shown in Figure 3, including the following process:
步骤4.1:在得到无风险的版本后,判断风险依赖冲突的类型,若为有直接依赖的冲突,则使用修复策略中的策略1、2进行版本置换,生成临时修复补丁;若为无直接依赖的冲突,则使用策略2、3、4进行版本置换,生成临时修复补丁;Step 4.1: After obtaining the risk-free version, determine the type of risk dependency conflict. If it is a conflict with direct dependencies, use strategies 1 and 2 in the repair strategy to replace the version and generate a temporary repair patch; if it is a conflict with no direct dependencies, If there is a conflict, use strategies 2, 3, and 4 to perform version replacement and generate a temporary repair patch;
本实施例中,读取项目pom.xml文件,定位到风险冲突的代码段,使用修复策略的代码段进行置换,将置换后的文件结合所使用的修复策略序号命名为pom-repair*.xml。In this embodiment, the project pom.xml file is read, the code segment with risk conflict is located, and the code segment of the repair strategy is used for replacement. The replaced file is named pom-repair*.xml in combination with the repair strategy serial number used. .
步骤4.2:对于不同置换策略对应的修复补丁,解析置换后的依赖关系,获取当前冲突置换后的加载版本,若无风险版本正确加载,则置换成功;若无风险版本没有正确加载,则置换失败,删除失败置换策略对应的临时修复补丁。Step 4.2: For repair patches corresponding to different replacement strategies, analyze the dependencies after replacement and obtain the loaded version after current conflict replacement. If the risk-free version is loaded correctly, the replacement is successful; if the risk-free version is not loaded correctly, the replacement fails. , delete the temporary repair patch corresponding to the failed replacement strategy.
本实施例中,:获取每个pom-repair*.xml的依赖关系,查看风险依赖冲突的加载版本是否为置换的版本,若置换版本被正确加载,则将pom-copy.xml文件复制到临时修复补丁temp文件夹中;若无风险版本没有正确加载,则置换失败。In this embodiment,: obtain the dependency relationship of each pom-repair*.xml, check whether the loaded version with risk dependency conflict is a replaced version, if the replaced version is loaded correctly, copy the pom-copy.xml file to a temporary The repair patch is in the temp folder; if the risk-free version is not loaded correctly, the replacement will fail.
步骤5:评估使用修复策略后的项目是否产生新的依赖冲突,其流程如图4所示,过程如下:Step 5: Evaluate whether the project using the repair strategy generates new dependency conflicts. The process is shown in Figure 4. The process is as follows:
步骤5.1:依次遍历所有的临时修复补丁pom-copy.xml,获取由临时修复补丁生成的依赖关系;Step 5.1: Traverse all temporary repair patch pom-copy.xml in sequence to obtain the dependencies generated by the temporary repair patch;
步骤5.2:将由补丁生成的新的依赖关系与项目原来的依赖关系进行对比,查看是否出现不同于原项目的依赖冲突,若出现,进入下一个步骤;若未出现,进入步骤5.4;Step 5.2: Compare the new dependencies generated by the patch with the original dependencies of the project to see if there is a dependency conflict that is different from the original project. If so, go to the next step; if not, go to step 5.4;
本实施例中,分析临时修复补丁的依赖关系,得到新的依赖冲突集newConflicts,通过限定groupId和artifactId值,查看newConflicts集中是否出现原依赖冲突集中所没有的依赖冲突,若出现,定义为新的依赖冲突,进入下一个步骤;若未出现呢,进入步骤5.4。In this embodiment, the dependency relationship of the temporary repair patch is analyzed to obtain a new dependency conflict set newConflicts. By limiting the groupId and artifactId values, it is checked whether a dependency conflict that does not exist in the original dependency conflict set appears in the newConflicts set. If it occurs, it is defined as a new one. If there is a dependency conflict, go to the next step; if it does not occur, go to step 5.4.
步骤5.3:对比分析加载版本和未加载版本jar包中的类和方法,如果一个未加载版本jar包中的方法在加载版本jar包中没有对应的限定名相同的方法,则为一个风险方法,获取这样的方法集合,判断集合中的方法在当前项目中是否有调用,若有调用,则修复补丁无效;若无调用,则进入下一个步骤;Step 5.3: Comparatively analyze the classes and methods in the loaded version and the unloaded version jar package. If a method in the unloaded version jar package does not have a corresponding method with the same qualified name in the loaded version jar package, it is a risky method. Obtain such a method collection and determine whether the methods in the collection are called in the current project. If there are calls, the repair patch will be invalid; if there are no calls, go to the next step;
本实施例中,对于新的依赖冲突,解析加载版本和未加载版本的jar包中的类和方法,对于解析到的方法,若该方法在加载版本中无实现而在未加载版本中有实现,则存入testMethod集中。利用soot生成项目的call graph,以项目中的方法作为起点,若能寻址到testMethod集中的方法,则修复补丁无效。In this embodiment, for new dependency conflicts, the classes and methods in the jar packages of the loaded version and the unloaded version are parsed. For the parsed method, if the method is not implemented in the loaded version but is implemented in the unloaded version , then it is stored in the testMethod set. Use soot to generate the call graph of the project, using the methods in the project as the starting point. If the method in the testMethod set can be addressed, the repair patch will be invalid.
步骤5.4:将评估成功的临时修复补丁备份到用户指定的文件夹中。Step 5.4: Back up the successfully evaluated temporary repair patch to the user-specified folder.
步骤6:将修复建议和修复补丁推送给开发者。Step 6: Push fix suggestions and fix patches to developers.
本实施例中,生成一个文本文件形式的修复建议报告,报告包括发生风险依赖冲突的详细信息(加载版本号和未加载版本号,依赖在依赖树中的结构,风险方法的调用路径等),针对风险依赖冲突提出的可用修复策略以及修复补丁的文件路径。In this embodiment, a repair suggestion report is generated in the form of a text file, and the report includes detailed information of risky dependency conflicts (loaded version number and unloaded version number, dependency structure in the dependency tree, calling path of risky methods, etc.), Available remediation strategies proposed for risky dependency conflicts and file paths to remediation patches.
Claims (5)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title | 
|---|---|---|---|
| CN202110338522.2A CN112965913B (en) | 2021-03-26 | 2021-03-26 | Java software dependency conflict problem automatic repairing method | 
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title | 
|---|---|---|---|
| CN202110338522.2A CN112965913B (en) | 2021-03-26 | 2021-03-26 | Java software dependency conflict problem automatic repairing method | 
Publications (2)
| Publication Number | Publication Date | 
|---|---|
| CN112965913A CN112965913A (en) | 2021-06-15 | 
| CN112965913B true CN112965913B (en) | 2023-09-26 | 
Family
ID=76279669
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date | 
|---|---|---|---|
| CN202110338522.2A Active CN112965913B (en) | 2021-03-26 | 2021-03-26 | Java software dependency conflict problem automatic repairing method | 
Country Status (1)
| Country | Link | 
|---|---|
| CN (1) | CN112965913B (en) | 
Families Citing this family (5)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| CN113434394B (en) * | 2021-06-22 | 2023-07-21 | 青岛海尔科技有限公司 | Software exception handling method and device, storage medium and electronic device | 
| CN113254055B (en) * | 2021-06-29 | 2021-09-28 | 中航信移动科技有限公司 | Deletion method, device, computer equipment and storage medium for invalid reliance | 
| CN114675839B (en) * | 2022-05-30 | 2022-08-30 | 炫彩互动网络科技有限公司 | A Directed Graph Based Code Repository Java Conflict File Sorting and Grouping Method | 
| CN115016840B (en) * | 2022-06-30 | 2024-08-02 | 厦门大学 | Dependency conflict repair method and device based on call graph | 
| CN118885233B (en) * | 2024-07-18 | 2025-03-18 | 北京科杰科技有限公司 | An update loading method based on dynamic isolation | 
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| WO2009082653A1 (en) * | 2007-12-20 | 2009-07-02 | Hsbc Technologies Inc. | Automated methods and systems for developing and deploying projects in parallel | 
| WO2017212496A2 (en) * | 2016-06-08 | 2017-12-14 | Veriversion Labs Ltd. | Methods and systems of software testing, distribution, installation and deployment | 
| CN108121590A (en) * | 2017-11-29 | 2018-06-05 | 杭州九略智能科技有限公司 | The method and device of ESXI virtual machine automatic deployment installation systems | 
| CN108984416A (en) * | 2018-08-07 | 2018-12-11 | 东北大学 | Conflict hazard class method for distinguishing is relied in a kind of assessment Maven environment | 
| CN109343841A (en) * | 2018-10-15 | 2019-02-15 | 上海理工大学 | Semantic conflict resolution method in real-time collaborative programming environment | 
| CN112181858A (en) * | 2020-11-09 | 2021-01-05 | 东北大学 | Automatic detection method for Java software project dependent conflict semantic consistency | 
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| US8464247B2 (en) * | 2007-06-21 | 2013-06-11 | Red Hat, Inc. | Methods and systems for dynamically generating installation configuration files for software | 
| US8898285B2 (en) * | 2010-11-01 | 2014-11-25 | Architecture Technology Corporation | Service oriented architecture version and dependency control | 
| US20150143355A1 (en) * | 2010-11-01 | 2015-05-21 | Architecture Technology Corporation | Service oriented architecture version and dependency control | 
| US11144311B2 (en) * | 2019-05-17 | 2021-10-12 | Sap Se | Static analysis of higher-order merge conflicts in large software development projects | 
- 
        2021
        - 2021-03-26 CN CN202110338522.2A patent/CN112965913B/en active Active
 
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| WO2009082653A1 (en) * | 2007-12-20 | 2009-07-02 | Hsbc Technologies Inc. | Automated methods and systems for developing and deploying projects in parallel | 
| WO2017212496A2 (en) * | 2016-06-08 | 2017-12-14 | Veriversion Labs Ltd. | Methods and systems of software testing, distribution, installation and deployment | 
| CN108121590A (en) * | 2017-11-29 | 2018-06-05 | 杭州九略智能科技有限公司 | The method and device of ESXI virtual machine automatic deployment installation systems | 
| CN108984416A (en) * | 2018-08-07 | 2018-12-11 | 东北大学 | Conflict hazard class method for distinguishing is relied in a kind of assessment Maven environment | 
| CN109343841A (en) * | 2018-10-15 | 2019-02-15 | 上海理工大学 | Semantic conflict resolution method in real-time collaborative programming environment | 
| CN112181858A (en) * | 2020-11-09 | 2021-01-05 | 东北大学 | Automatic detection method for Java software project dependent conflict semantic consistency | 
Non-Patent Citations (1)
| Title | 
|---|
| 基于依赖关系的软件需求建模与优先级评估方法研究;邵飞;《中国博士学位论文全文数据库信息科技辑》(第06期);I138-26 * | 
Also Published As
| Publication number | Publication date | 
|---|---|
| CN112965913A (en) | 2021-06-15 | 
Similar Documents
| Publication | Publication Date | Title | 
|---|---|---|
| CN112965913B (en) | Java software dependency conflict problem automatic repairing method | |
| US8434054B2 (en) | System and method for managing cross project dependencies at development time | |
| US7861226B1 (en) | Constraint solver to code based test data generation for improving software reliability and security | |
| US8954930B2 (en) | System and method for reducing test effort by object risk analysis | |
| US8001530B2 (en) | Method and framework for object code testing | |
| US10509693B2 (en) | Method for identifying a cause for a failure of a test | |
| US11748245B2 (en) | Object-oriented regression-candidate filter | |
| CN112181858B (en) | Automatic detection method for Java software project dependent conflict semantic consistency | |
| US9880832B2 (en) | Software patch evaluator | |
| US20070234316A1 (en) | Methods and systems for development of software for complex systems | |
| CN112799937B (en) | Method to automatically detect dependency conflicts in Maven projects based on GitHub | |
| US7765520B2 (en) | System and method for managing cross project dependencies at development time | |
| US10514898B2 (en) | Method and system to develop, deploy, test, and manage platform-independent software | |
| US20090138854A1 (en) | Software error detection method, software module, database and system | |
| CN114756456B (en) | A continuous integration method, device and computer-readable storage medium | |
| Dann et al. | UPCY: safely updating outdated dependencies | |
| Huang et al. | Characterizing and detecting configuration compatibility issues in android apps | |
| CN112860312A (en) | Method and device for detecting item dependency relationship change | |
| CN114168972A (en) | A detection and repair method for npm ecosystem security vulnerability chokepoints | |
| US20200257613A1 (en) | Automated software program repair | |
| JP7384054B2 (en) | automated software program repair | |
| CN119690471A (en) | Interface processing method, device, equipment and medium | |
| Cazzola et al. | Dodging unsafe update points in java dynamic software updating systems | |
| CN117472757A (en) | A file abnormality testing method, device, storage medium and computer equipment | |
| US11899569B2 (en) | Automated tracking of consistent software test failures | 
Legal Events
| Date | Code | Title | Description | 
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |