[MENFORCER-427] New rule to ban dynamic versions

[kwin]

Following this checklist to help us incorporate your
contribution quickly and easily:

• Make sure there is a JIRA issue filed
  for the change (usually before you start working on it). Trivial changes like typos do not
  require a JIRA issue. Your pull request should address just this issue, without
  pulling in other changes.
• Each commit in the pull request should have a meaningful subject line and body.
• Format the pull request title like [MENFORCER-XXX] - Fixes bug in ApproximateQuantiles,
  where you replace MENFORCER-XXX with the appropriate JIRA issue. Best practice
  is to use the JIRA issue title in the pull request title and in the first line of the
  commit message.
• Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
• Run mvn clean verify to make sure basic checks pass. A more thorough check will
  be performed on your pull request automatically.
• You have run the integration tests successfully (mvn -Prun-its clean verify).

If your pull request is about ~20 lines of code you don't need to sign an
Individual Contributor License Agreement if you are unsure
please ask on the developers list.

To make clear that you license your contribution under
the Apache License Version 2.0, January 2004
you have to acknowledge this by using the following check-box.

• I hereby declare this contribution to be licenced under the Apache License Version 2.0, January 2004

• In any other case, please file an Apache Individual Contributor License Agreement.

[michael-o]

Here are edge cases which I expect to work:

• [1.0.0] (hard 1.0.0)
• [1.0.0,1.0.0] (same as above), see https://issues.apache.org/jira/browse/MNG-7106

[kwin]

• [1.0.0,1.0.0] is currently invalid and leads to org.apache.maven.artifact.versioning.InvalidVersionSpecificationException: Range cannot have identical boundaries: [1.0,1.0].
• [1.0] leads to version resolving (although redundant) when used in a dependency and therefore always means overhead during build and dependency on metadata. I would rather ban this as well. This should be replaced by soft requirement 1.0 to speed up the build! Is there already an issue related to this? According to https://maven.apache.org/pom.html#Dependency_Version_Requirement_Specification the fixed hard requirement may make sense for some edge cases, but as long as this leads to version resolving I would recommend not to rely on it.

[kwin]

I opened https://issues.apache.org/jira/browse/MNG-7561 for same lower and upper bounds but it seems using a hard restriction always require resolving against metadata from local/remote repo, therefore at least optionally this pattern should be banned as well in this rule.

[michael-o]

• [1.0.0,1.0.0] is currently invalid and leads to org.apache.maven.artifact.versioning.InvalidVersionSpecificationException: Range cannot have identical boundaries: [1.0,1.0].

  • [1.0] leads to version resolving (although redundant) when used in a dependency and therefore always means overhead during build and dependency on metadata. I would rather ban this as well. This should be replaced by soft requirement 1.0 to speed up the build! Is there already an issue related to this? According to https://maven.apache.org/pom.html#Dependency_Version_Requirement_Specification the fixed hard requirement may make sense for some edge cases, but as long as this leads to version resolving I would recommend not to rely on it.

@cstamas @gnodet What is your opinion on this?

[michael-o]

• [1.0.0,1.0.0] is currently invalid and leads to org.apache.maven.artifact.versioning.InvalidVersionSpecificationException: Range cannot have identical boundaries: [1.0,1.0].

This is strange because 1.0 is resolved to this...I wonder why this range is logically invalid.

• [1.0] leads to version resolving (although redundant) when used in a dependency and therefore always means overhead during build and dependency on metadata. I would rather ban this as well. This should be replaced by soft requirement 1.0 to speed up the build! Is there already an issue related to this? According to https://maven.apache.org/pom.html#Dependency_Version_Requirement_Specification the fixed hard requirement may make sense for some edge cases, but as long as this leads to version resolving I would recommend not to rely on it.

Well, [1.0] exists for a reason. I think it is parsed to [1.0,1.0] then of course it incurs resolution. Hard for me to tell whether this should be blocked or not. If you want to block this, fine. Add a comment about the situation.

[kwin]

This is strange because 1.0 is resolved to this...I wonder why this range is logically invalid.

I proposed a fix for this attached to https://issues.apache.org/jira/browse/MNG-7106

[kwin]

I think it is parsed to [1.0,1.0] then of course it incurs resolution.

This is totally unexpected because 1.0 (soft requirement) is not resolved, see also my comment at apache/maven#823 (comment).
The only difference between [1.0] and 1.0 should be that one is a hard requirement the other one a soft one (https://maven.apache.org/pom.html#dependency-version-requirement-specification). The documentation doesn't say anything that hard requirements are resolved while soft ones aren't.

[michael-o]

I think it is parsed to [1.0,1.0] then of course it incurs resolution.

This is totally unexpected because 1.0 (soft requirement) is not resolved, see also my comment at apache/maven#823 (comment). The only difference between [1.0] and 1.0 should be that one is a hard requirement the other one a soft one (https://maven.apache.org/pom.html#dependency-version-requirement-specification). The documentation doesn't say anything that hard requirements are resolved while soft ones aren't.

My bad, I meant [1.0]