How we handle binary compatibility at Apache Commons

As a maintainer of the free and open source software project Apache Commons, I review pull requests on GitHub. Since the libraries we produce in components like Commons Lang, Commons IO, and Commons VFS are used directly and transitively in countless applications, open and closed source alike, we want to be careful when releasing new versions to cause the least headaches as possible. One way to enforce our least-headache policy is a recurring reason PRs are rejected: The PR breaks binary compatibility. I’ll outline here how we deal with this issue while still allowing our APIs to evolve.

What is binary compatibility?

Maintaining binary compatibility, in a nutshell, is the ability to drop a new version of a class file (in a jar for example) on top of your application and have it run without the Java Virtual Machine throwing an error trying to call the updated code.

At the JLS level, this means binary compatibility is preserved when a binary that previously linked without error continues to link without error.

Binary compatibility is… well, a binary quality: A release either is or isn’t binary compatible with its previous version.

If you remove a class or method and your app tries to call it, you break binary compatibility and your app blows up.

If you add or remove a parameter to a method, you break binary compatibility and, your app blows up.

This is all detailed in the Java Language Specification.

Note that this is different from source compatibility and behavioral compatibility.

Benefiting from binary compatibility

Why do this? To avoid Jar hell and needlessly breaking applications. See also DLL hell.

Defining guidelines at Apache Commons

Our guideline at Apache Commons on binary compatibility is:

Don’t break binary compatibility in a minor release (e.g. 2.0 to 2.1) or a maintenance release (e.g. 2.1.2 to 2.1.3).

For a major release (e.g. 2.2 to 3.0), you may break binary compatibility; and if you do, you must change the Java package name and Maven coordinate’s artifact ID.

For example, when Apache Commons Lang 3.0 was released, we updated the Java package from org.apache.commons.lang to org.apache.commons.lang3 and the Maven artifact ID from commons-lang to commons-lang3.

In the case of Apache Commons Lang, the 1.x and 2.x series of releases live in the same package and Maven coordinates.

This system allows, and this is key, for version 2 and 3 to co-exist in the same class loader. While the same is true for version 1 and 3, it is not for 1 and 2.

What am I allowed to change?

Almost everything, according to the Java Language Specification, you may:

• Rewrite the body of methods, constructors, and initializers (like static blocks).
• Rewrite code in the above that previously threw exceptions to no longer do so.
• Add fields, methods, and constructors.
• Delete items declared private.
• Reorder fields, methods, and constructors.
• Move a method higher in a class hierarchy.
• Reorder the list of direct super-interfaces in a class or interface.
• Insert new class or interface types in a type hierarchy.
• Add generics (since the compiler erases them).

In addition, our guidelines allow for updating package private element.

Checking for binary compatibility

When a release candidate is put up for a vote, it is proposed along with a web site generated by Maven which contains a report on binary compatibility. There are several tools you can use to do this, we usually use the JApiCmp Maven plugin. For example, this is the report for the current version of Apache Commons Lang.

A pattern I like using is providing a default Maven goal which includes JApiCmp which I invoke for builds on Travis-CI and GitHub Actions. For example:

<defaultGoal>clean verify apache-rat:check japicmp:cmp checkstyle:check spotbugs:check javadoc:javadoc</defaultGoal>

Wrapping up

All of this to say, as a library author:

• Don’t give your users headaches or put their apps in Jar hell by maintaining binary compatibility within a major release line.
• Use a build tool to fail a build that breaks binary compatibility.
• When you must break binary compatibility, change the Java package name and Maven coordinates (this works for Ivy, Gradle, and so on).

Explaining Terms at Apache

At Apache, the term project refers to a whole top level project (TLP).

Apache Commons is a TLP.

Apache Commons is made up of over 20 components.

Apache Commons components produce one or or more jar files. The components are listed on the Commons’ project main page.

Enabling Long Path Names on Windows

Here is how you enable long path names on Windows (I tested this on Window 10.0.16299.1268):

1. Run:

   regedit.exe

2. Open the key:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem

3. Set LongPathsEnabled to 1:
   
   
4. Reboot

Then, if you are a git user, you will need to run:

git config --system core.longpaths true

This usually requires admin rights.

That’s it.

 

 

Visualizing Code Vulnerabilities with the new ShilftLeft UI

This post is a follow up to Using ShiftLeft in Open Source, where I was looking to see if I could apply the principle of shift left testing to security. Now that ShiftLeft has a user interface, I want to come back to it and revisit looking at results from the UI instead of pouring through JSON reports. You’ll find that this write up parallels my original post so reading the original is not required to get up to speed.

Getting Rid of FUD and Panic

To get us started, allow me to go through the premise from my initial post: My long term goal is to formally insert security awareness into my development practices and eventually into my continuous integration-based builds.

After years of being involved in open-source development at Apache, we’ve seen security issues pop up in Apache Commons like arbitrary remote code execution, and denial of service attacks (CVE-2016-3092 and CVE-2014-0050). While some threats are real, other are just FUD. Even when they are real, it is important to consider context. There may be problems that end users never see because the “hole” is not reachable by users’ actions.

The idea behind ShiftLeft is to break old habits of building a product and then, later, figuring out how to fend off attacks and plug up security holes. Today, we take for granted that unit testing, integration testing, continuous integration, and continuous delivery are common place. ShiftLeft propose to make security analysis as ubiquitous.

By DonFiresmith (Own work) [CC BY-SA 4.0], via Wikimedia Commons

Getting Started

Since ShiftLeft is free for open source projects, I decided to look what it reports for Apache Commons IO, an Apache Commons Java component.

To get started, go to https://www.shiftleft.io/developers/ and enter a GitHub repository URL.

ShiftLeft then asks you for your name and email address:

And you are off to the races.

It’s important to note that  ShiftLeft has a 30 day disclosure policy so you have plenty of time to fix up your FOSS projects.

My previous post looked at the 2.5 release tag for Apache Commons IO; here I am working with my GitHub fork of the master branch, which I’ve kept up-to-date. While my initial experiment with ShiftLeft gave me a 150 KB JSON report to pour over, here, I have a nice web UI to explore:

What does it all mean? We have three areas in the UI that we will explore:

• The top-left shows a summary for the current state of the repository’s master branch: the latest commit details and a summary of conclusions (in white boxes.)
• The dark-colored list on the left shows what ShiftLeft calls conclusions. These are our potentially actionable items. As we’ll see, even if you find some conclusions non-actionable, these will do a great deal to raise your awareness of potential security issues for code that you’ll write tomorrow or need to maintain today. You can expand each item (dark box) to reveal more information.
• On the right-hand-side, you see a tree with paths of all public classes organized by package. On the left of that pane is a list of packages. You can expand each package to reveal of the public classes it contains. You can then expand each class to show its methods. We’ll see of this later. Leading away from tree item that have a conclusion, you’ll see light-colored path to its category. In other words, if you see a path leading away from an item, be it a package or class, that means one of its containing items carries with it a conclusion.

The first thing to notice of course is that I no longer have to consider the whole JSON report file. In the UI, the conclusions are presented in an expandable list without having to  filter out the graph data (and thank goodness for that.) There is also a heading called “Issues” you will use to track which conclusions you want to track for changes. Since we’ve not marked any conclusions as issues, the UI presents the expected “0” count and that “No conclusions marked as issues”.

The first UI elements to notice are the two summary boxes for “Sensitive Data” and “Untrusted Data”. ShiftLeft uses these two terms in conclusion descriptions to organize its findings.

The Trusted and Sensitive Kind

Lets describe “Sensitive Data” and “Untrusted Data”.

Conclusions described as dealing with Sensitive Data tell you: Lookout, if you have a password in this variable, it’s in plain text. Now, it’s up to me to make sure that this password does not end up in a clear text file or anywhere else that is not secure. This is where context matters, you are the SME of your code, you know how much trouble you can get yourself and your users into, ShiftLeft has no opinion, it offers ‘conclusions.’

Conclusions referring to Untrusted Data: This tells me I should take precautions before doing anything with that data. Should I just execute this script? Should I need to worry about JSON Hijacking? See Why does Google prepend while(1); to their JSON responses?

Looking for Trouble Again

Let’s start with a simple conclusion and get deeper in the weeds after that. When you click on “Sensitive Data” and “Untrusted Data”, you filter the list of conclusions. I choose “Untrusted Data” because I am looking for the first interesting conclusion I found while writing Using ShiftLeft in Open Source: The method IOUtils.buffer(Writer, int) does not support handling untrusted data to be passed as parameter size because it controls the size of a buffer, giving an attacker the chance to starve the system of memory. I find it quickly using a page search:

I can click on the link to open a page on exact line of code in GitHub:

While this example may seem trivial, ShiftLeft shows understanding of what the code does in this method: We are allowing call sites to control memory usage in an unbounded manner.

Let’s imagine an application that would allow an unbound value to be used, for example, to process a 2 GB file and that would care about this API and the conclusion rendered by ShiftLeft. To track this conclusion, we mark it as an issue to have it tracked in our Issues list:

Now, for the fun part. Let’s edit the code to guard against unbounded usage. Let’s institute an arbitrary 10 MB limit. We’ll change the code from:

    /**
     * Returns the given Writer if it is already a {@link BufferedWriter}, otherwise creates a BufferedWriter from the
     * given Writer.
     *
     * @param writer the Writer to wrap or return (not null)
     * @param size the buffer size, if a new BufferedWriter is created.
     * @return the given Writer or a new {@link BufferedWriter} for the given Writer
     * @throws NullPointerException if the input parameter is null
     * @since 2.5
     */
    public static BufferedWriter buffer(final Writer writer, int size) {
        return writer instanceof BufferedWriter ? (BufferedWriter) writer : new BufferedWriter(writer, size);
    }

to:

    private static final int MAX_BUFFER_SIZE = 10 * 1024 * 1024; // 10 MB

    /**
     * Returns the given Writer if it is already a {@link BufferedWriter}, otherwise creates a BufferedWriter from the
     * given Writer.
     *
     * @param writer the Writer to wrap or return (not null)
     * @param size the buffer size, if a new BufferedWriter is created.
     * @return the given Writer or a new {@link BufferedWriter} for the given Writer
     * @throws NullPointerException if the input parameter is null
     * @since 2.5
     */
    public static BufferedWriter buffer(final Writer writer, int size) {
    	if (size > MAX_BUFFER_SIZE) {
            throw new IllegalArgumentException("Request buffer cannot exceed " + MAX_BUFFER_SIZE);
    	}
        return writer instanceof BufferedWriter ? (BufferedWriter) writer : new BufferedWriter(writer, size);
    }

After pushing this change to GitHub, I do not see a change in my ShiftLeft report; ah, this is a beta still, should I chalk this up to work in progress or is there still potential trouble ahead?

I wonder if this method shouldn’t be always flagged anyway. Yes, I changed the code so that the memory allocation is no longer unbounded, but who is to decide if my MAX_BUFFER_SIZE is reasonable or not? It might be fine for a simple use case like a single threaded app does does it once. What if I have ten thousand concurrently tasks that want to do this? Is that still reasonable? I’m not so sure. So for now, I think I like being notified of this memory allocation.

Digging deeper

In my previous ShiftLeft post — based on Apache Commons IO 2.5, not master — I had found this conclusion (in raw form edited for brevity):

{
 "id": "org.apache.commons.io.FileUtils.copyFileToDirectory:void(java.io.File,java.io.File)/srcFile/2",
 "description": "The method `copyFileToDirectory` does not support handling **sensitive data** to be passed as parameter `srcFile` because it is leaked over I/O **File**.",
 "unsupportedDataType": "SENSITIVE",
 "interfaceId": "FILE/false",
 "methodId": "org.apache.commons.io.FileUtils.copyFileToDirectory:void(java.io.File,java.io.File)",
 "codeLocationUrl": "https://github.com/apache/commons-io/blob/commons-io-2.5/src/main/java/org/apache/commons/io/FileUtils.java#L1141",
 "state": "NEUTRAL",
 "externalIssueUrl": "https://todo"
 }

Looking at the methodId tells us to go look at FileUtils.copyFileToDirectory(File, File) where we find:

/**
 * Copies a file to a directory preserving the file date.
 *
 * This method copies the contents of the specified source file
 * to a file of the same name in the specified destination directory.
 * The destination directory is created if it does not exist.
 * If the destination file exists, then this method will overwrite it.
 *
 * <strong>Note:</strong> This method tries to preserve the file's last
 * modified date/times using {@link File#setLastModified(long)}, however
 * it is not guaranteed that the operation will succeed.
 * If the modification operation fails, no indication is provided.
 *
 * @param srcFile an existing file to copy, must not be {@code null}
 * @param destDir the directory to place the copy in, must not be {@code null}
 *
 * @throws NullPointerException if source or destination is null
 * @throws IOException if source or destination is invalid
 * @throws IOException if an IO error occurs during copying
 * @see #copyFile(File, File, boolean)
 */
 public static void copyFileToDirectory(final File srcFile, final File destDir) throws IOException {
  copyFileToDirectory(srcFile, destDir, true);
 }

This method just delegates to another copyFileToDirectory() with an added parameter, no big deal. What is interesting is that the codeLocationUrl points to code not in this method but to a private utility method:

https://github.com/apache/commons-io/blob/commons-io-2.5/src/main/java/org/apache/commons/io/FileUtils.java#L1141

FileUtils at line 1141 is in the guts of a private method called org.apache.commons.io.FileUtils.doCopyFile(File, File, boolean) which is where ShiftLeft flagged an issue where the method creates a new FileInputStream. Because ShiftLeft is working with a code graph, when I search the JSON conclusions for this URL, I find a total of 14 conclusions that use this URL. This tells me that this code fragment creates 14 possible vulnerabilities in the component; with a careful emphasis on possible since context is important.

If I search in the Conclusions list on the left f the page, I find several hits for “FileUtils.copyFileToDirectory”. Then, I can click to expand each one so see the exact location and hyperlink to GitHub. What I hope is coming is the ability to filter sort so I create a mental picture like I was able with the JSON report.

ShiftLeft also has a user friendly way to discover this information: the tree view:

In this view, the “” node is the topmost package in Apache Commons IO. You can see that it has a path that leads to all three different categories: Generic, File, and Child process. This means that the root package contains conclusions and that these conclusions are in the linked categories.

When I expand the root node, I find the FileUtils class (highlighted):

You can see that the class has a path leading away from it, so I know it contains conclusions. At that point, it’s a little harder to make sense of the categories as they’ve scrolled off the top of the screen. It would be nice if the categories floated down as you scroll. Version 2 I hope! You can also see that some classes like FilenameUtils and IOCase do not have paths leading away from them and therefore do not carry conclusions. A relief I suppose, but I’d like to ability to filter out items that are conclusion-free.

I now expand the FileUtils class:

Here, some methods have paths, some don’t; scrolling down, we get to copyFileToDirectory:

As expected, the method has a path leading away from it which indicates a conclusion but we do not know which kind or which one. We do get a description of its parameters though, a nice touch.

For now, clicking on the method does not do anything where I would expect to be able perform the same operations as in the list. This view lets you explore the whole library but I do not find it terribly useful beyond the path to categories. I’d like to see hyperlinks to code and also the use of color to distinguish which methods are flagged as Untrusted Data and Sensitive Data as well as an indication as to which categories are involved that does not scroll of the screen.

The nice thing though is that I have two paths of exploration in the UI: the conclusion list and the explorer tree.

There are two key technologies at work here and that I expect both to get better as the beta progresses: First, building a code graph to give us the power to see that once a problem has been identified on a line of code, that all (I assume public) call-sites can be flagged. Second, what constitutes a problem or a conclusion in ShiftLeft’s neutral parlance will improve and be configurable, filterable and sortable.

In this example, the conclusion description reads:

The method `copyFileToDirectory` does not support handling **sensitive data** to be passed as parameter `srcFile` because it is leaked over I/O **File**.

What goes through my head when I read that is: Yeah, I do not want just anybody to be able to copy any file anywhere like overwriting a password vault a la copyFileToDirectory(myFile, "/etc/shadow"). Granted, Apache Commons IO is a library, not an application, so there is no alarm bells to ring here, but you get the idea.

Stepping back, I think it is important to reiterate what happened here: ShiftLeft found an issue (less dramatic than a problem) on a line of code in a private methods, then, using its code graph, created conclusions (report items) for each public facing method that may eventually call this private method in its code path.

Working from a baseline

If you think that having a list over 200 hundred conclusions to sift through is daunting, I would agree with you. This is why I look forward to using some sorting and filtering in the UI!

What matters just as much is how to use ShiftLeft when your code evolves. I want to track differences from commit to commit and from build to build: Did I create or squash vulnerabilities? This I can tell by watching the Conclusions and Issues list in the UI. I am hoping that ShiftLeft will implement a similar feature to Coveralls where you get an email that tells how much your test code coverage has changed in a build.

As an experiment, let’s see what happens when I add some possibly malicious code, a method to delete all files and directories from a given directory:

package org.apache.commons.io;

import java.io.File;
import java.io.IOException;

public class ADangerousClass {

    public void deleteAll(File directory) throws IOException {
        FileUtils.deleteDirectory(directory);
    }

}

Note that all this method does is delegate to another method. I hit refresh in my browser and I see my commit:

My commit comment, date, and commit hash are there. ShiftLeft goes to work for about two minutes (the two counts are reset to 0 as ShiftLeft is analyzing.) Then the Sensitive Data and Untrusted Data conclusion counts have gone up. Scrolling down I see my new class:

I also see it in the tree of course:

Notice that the deleteAll method has a path to the File category on the right hand side, this makes sense based on my previous findings.

Now I really want to click on the categories on the right as filters! I am especially intrigued by the “Child process” category.

What is worth noting here is that my new class and method do not in themselves actually do anything dangerous. But since we are working with a code graph, and that graph leads to a dangerous place, the new code is flagged.

Now for a bit of fun, let’s change the method to make the dangerous bits unreachable:

    public void deleteAll(File directory) throws IOException {
        if (false) {
            FileUtils.deleteDirectory(directory);
        }
    }

The dangerous class is gone from the list but present in the tree since it is a public API. What if it’s something more tricky? Let’s make some code unreachable through a local variable, and we will make it final to make it obvious to the code graph that the value is immutable:

    public void deleteAll(File directory) throws IOException {
        final boolean test = 1 == 2;
        if (test) {
            FileUtils.deleteDirectory(directory);
        }
    }

The dangerous class is still gone from the list. Pretty clever it is. Let’s see about delegating the test to a method:

    public void deleteAll(File directory) throws IOException {
        final boolean test = test();
        if (test) {
            FileUtils.deleteDirectory(directory);
        }
    }

    private boolean test() {
        return 1 == 2;
    }

ShiftLeft now shows the deleteAll() method in both the Untrusted Data and Sensitive Data lists. So that’s a false positive. Let’s get away from using a method and use two local variables instead:

    public void deleteAll(File directory) throws IOException {
        final Object obj = null;
        boolean test = true;
        if (obj == null) {
            test = false;
        }
        if (test) {
            FileUtils.deleteDirectory(directory);
        }
    }

With this change, ShilfLeft still puts the method as Untrusted Data and Sensitive Data lists. OK, so this is a bit like Eclipse’s compiler warnings for null analysis, it flags what it can see without really evaluating, fair enough.

Linking to the root cause

Let’s go back to the conclusions list for a minute. My deleteAll experiment created two conclusions: one untrusted data, one senstive data. Let’s take a closer look at these.

Untrusted Data

.ADangerousClass.deleteAll

The method deleteAll does not support handling untrusted data to be passed as parameter directory because it controls access to I/O File in a manner that would allow an attacker to abuse it.

When I click on the GitHub link for Untrusted Data, I see:

https://github.com/garydgregory/commons-io/blob/4e21badfa902f4d7cb80b5db0abb287dd43963b7/src/main/java/org/apache/commons/io/FileUtils.java#L1749

Note that we are not in the deleteAll method here, rather we are where the ShiftLeft code graph flags as the root issue. In other words, if I wrote a public method that called deleteAll, I would get the same conclusion and link. Graph Power!

Why is calling directory.listFiles() labeled untrusted? Well, passing a sensitive file path should not be considered a problem, because the file path you are searching for would not end up written on the disk. It is however considered dangerous if attackers were to control the input path, because they could be able to list arbitrary directories on the system. That’s a breach.

Only considering the method verifiedListFiles(), ShiftLeft does not know that the method is used in an operation to delete files. That’s up next:

Sensitive Data

.ADangerousClass.deleteAll

The method deleteAll does not support handling sensitive data to be passed as parameter directory because it is leaked over I/O File.

When I click on the GitHub link for Sensitive Data, I see:

https://github.com/garydgregory/commons-io/blob/4e21badfa902f4d7cb80b5db0abb287dd43963b7/src/main/java/org/apache/commons/io/FileUtils.java#L1620

Clearly calling File.delete() can be trouble but using the sensitive data category may be a bit of a stretch. If any sensitive data is used in a file operation, (for example, as the path of the file, like “path/to/my-secrets”,) then that data will end up on disk. For a delete operation, you could say that that’s not the case because you’re doing the reverse, but actually just the fact that you are deleting a file with a sensitive name is interesting. It’s also possible that you already had previously written sensitive data unencrypted to the disk. That’s a roundabout way to get there but it feels justifiable.

Finding arbitrary code attacks

When I first ran ShiftLeft on Apache Commons 2.5, I found a few conclusions for arbitrary code attacks in the Java7Support class. Now that Apache Commons in Git master requires Java 7, the Java7Support class is gone. At the moment, I’ve not found a way to run ShiftLeft on anything but the master branch of a repository, so let’s make our own trouble with Method.invoke() to call BigInteger.intValueExact() on Java 8 and intValue() on older versions of Java:

package org.apache.commons.io;

import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.math.BigInteger;

public class BigIntHelper {

    private static Method intValueExactMethod;

    static {
        try {
            intValueExactMethod = BigInteger.class.getMethod("intValueExact");
        } catch (NoSuchMethodException | SecurityException e) {
            intValueExactMethod = null;
            e.printStackTrace();
        }
    }

    public static int getExactInt(BigInteger bigInt) {
        try {
            return (int) (intValueExactMethod != null
                ? intValueExactMethod.invoke(bigInt)
                : bigInt.intValue());
        } catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException e) {
            e.printStackTrace();
            return bigInt.intValue();
        }
    }

    public static void main(String[] args) {
        System.out.println(getExactInt(BigInteger.TEN));
    }
}

This code is OK by ShiftLeft even though our intValueExactMethod variable is private but not final:

Let’s open things up by making the variable by changing:

private static Method intValueExactMethod;

to:

public static Method intValueExactMethod;

For the Java7Support class in Apache Commons 2.5, ShiftLeft reports several arbitrary code attack vulnerabilities. Unfortunately, ShiftLeft does not report any such vulnerabilities for this example. Growing pains I suppose. Well, that’s all I have for now. A fun exploration in an area I’d like to get back to soon.

Fin

I’d like to wrap up this exploration of ShiftLeft with a quick summary of what we found: a tool we can add to our build pipelines to find potential security vulnerabilities.

There are a lot of data here, and this is just for Apache Commons IO! Another lesson is that context matters. This is low-level library as opposed to an application. Finding vulnerabilities in a low level library is good but this may not be vulnerabilities for your application. ShiftLeft conclusions can at least make you aware of how to use this library safely. ShiftLeft currently provides conclusions based on a code graph, this is powerful, as the examples show. We found conclusions about untrusted data (I’m not sure what’s in here so don’t go executing it) and sensitive data (don’t save passwords in plain text!)

I hope revisit this story and run ShiftLeft on other Apache Commons projects soon. This sure is fun!

Happy Coding,
Gary Gregory

Using ShiftLeft in Open Source

After years of being involved in open-source development at Apache, we’ve seen security issues pop up in Apache Commons like arbitrary remote code execution, and denial of service attacks (CVE-2016-3092 and CVE-2014-0050). While some threats are real, other are just FUD. Even when they are real, it is important to consider context. There may be problems that end users never see because the “hole” is not reachable by users’ actions.

I started to wonder how we can short-circuit FUD and proactively deal with security issues before we hear about them in the press and in panicked mailing list posts. Is there something we can do at build time? A FindBugs or PMD on steroids? Surely someone else must be thinking about this. Can we apply the principle of shift left testing to security?

It turns out there is a tool out there that does and it’s called, not coincidentally, ShiftLeft.io. The idea behind ShiftLeft is to break old habits of building a product and then, later, figuring out how to fend off attacks and plug up security holes. Today, we take for granted that unit testing, integration testing, continuous integration, and continuous delivery are common place. ShiftLeft propose to make security analysis as ubiquitous.

Getting started

Since ShiftLeft is free for open source projects, I decided to look what it reports for Apache Commons IO 2.5, an Apache Commons Java component. While I won’t divulge right now any real security issues, I’ll show what is safe to report about Commons IO. I’ll also show the cool stuff ShiftLeft points out to write more bullet-proof software. To use ShiftLeft, you go to their web site and submit the URL to your GitHub repository. ShiftLeft has a 30 day disclosure policy so you have plenty of time to fix up your FOSS project.

What I got is a JSON report file containing all sorts of data and what ShiftLeft calls conclusions. These are the potentially actionable items. As we’ll see, even if you find some conclusions non-actionable, these will do a great deal to raise your awareness of potential security issues for code that you’ll write tomorrow or need to maintain today.

Let’s start with a simple conclusion and get deeper in the weeds after that.

No memory for you!

The following example shows what “untrusted” data is and how it can affect your application.

I have a ShiftLeft conclusion that tells me the method IOUtils.buffer(Writer, int) does not support handling untrusted data to be passed as parameter size because it controls the size of a buffer, giving an attacker the chance to starve the system of memory:

/**
 * Returns the given Writer if it is already a {@link BufferedWriter}, otherwise creates a BufferedWriter from the
 * given Writer.
 *
 * @param writer the Writer to wrap or return (not null)
 * @param size the buffer size, if a new BufferedWriter is created.
 * @return the given Writer or a new {@link BufferedWriter} for the given Writer
 * @throws NullPointerException if the input parameter is null
 * @since 2.5
 */
 public static BufferedWriter buffer(final Writer writer, int size) {
  return writer instanceof BufferedWriter ? (BufferedWriter) writer : new BufferedWriter(writer, size);
 }

While this example may seem trivial, ShiftLeft shows understanding of what the code does in this method: We are allowing call sites to control memory usage in an unbounded manner. ShiftLeft gives us the exact method and line number:

• org.apache.commons.io.IOUtils.buffer:java.io.BufferedWriter(java.io.Writer,int)
• https://github.com/apache/commons-io/blob/commons-io-2.5/src/main/java/org/apache/commons/io/IOUtils.java#L628

While some ShiftLeft conclusions may not all be actionable, I must say that the report has made me more aware of what to potentially secure when writing new code or maintaining old an code base.

Tangent: What could you do in this case? You could hard-code an upper bound of say 10 MB. You could make the bound configurable with a static non-final variable (effectively creating a global variable, an anti-pattern for sure.) You could move all the static methods to the instance side, create a memory profile class to define this bound, and then build IOUtils instances with this profile in the constructor. In addition, you could also use a different buffer class internally to make sure the buffer does not grow beyond a given size. And so on. I am not proposing these changes in the context of the Apache Commons IO 2.x line since we take great care to maintain binary compatibility within a major release across all of Apache Commons. But I can definitively see proposing changes for 3.0!

ShiftLeft’s understanding of code is deeper than this example thanks to Enhanced Code Property Graphs so let’s look at a more complex example.

Digging deeper

Here is a conclusion in raw form (edited for brevity):

{
 "id": "org.apache.commons.io.FileUtils.copyFileToDirectory:void(java.io.File,java.io.File)/srcFile/2",
 "description": "The method `copyFileToDirectory` does not support handling **sensitive data** to be passed as parameter `srcFile` because it is leaked over I/O **File**.",
 "unsupportedDataType": "SENSITIVE",
 "interfaceId": "FILE/false",
 "methodId": "org.apache.commons.io.FileUtils.copyFileToDirectory:void(java.io.File,java.io.File)",
 "codeLocationUrl": "https://github.com/apache/commons-io/blob/commons-io-2.5/src/main/java/org/apache/commons/io/FileUtils.java#L1141",
 "state": "NEUTRAL",
 "externalIssueUrl": "https://todo"
 }

Looking at the methodId tells us to go look at FileUtils.copyFileToDirectory(File, File) where we find:

/**
 * Copies a file to a directory preserving the file date.
 *

 * This method copies the contents of the specified source file
 * to a file of the same name in the specified destination directory.
 * The destination directory is created if it does not exist.
 * If the destination file exists, then this method will overwrite it.
 *

 * <strong>Note:</strong> This method tries to preserve the file's last
 * modified date/times using {@link File#setLastModified(long)}, however
 * it is not guaranteed that the operation will succeed.
 * If the modification operation fails, no indication is provided.
 *
 * @param srcFile an existing file to copy, must not be {@code null}
 * @param destDir the directory to place the copy in, must not be {@code null}
 *
 * @throws NullPointerException if source or destination is null
 * @throws IOException if source or destination is invalid
 * @throws IOException if an IO error occurs during copying
 * @see #copyFile(File, File, boolean)
 */
 public static void copyFileToDirectory(final File srcFile, final File destDir) throws IOException {
  copyFileToDirectory(srcFile, destDir, true);
 }

This method just delegates to another copyFileToDirectory() with an added parameter, no big deal. What is interesting is that the codeLocationUrl points to code not in this method but to a private utility method:

https://github.com/apache/commons-io/blob/commons-io-2.5/src/main/java/org/apache/commons/io/FileUtils.java#L1141

FileUtils at line 1141 is in the guts of a private method called org.apache.commons.io.FileUtils.doCopyFile(File, File, boolean) which is where ShiftLeft flags an issue where the method creates a new FileInputStream. To be honest, this is a beta and I am not convinced that the line numbers are always dead on. What is important here is that ShiftLeft is working with a code graph. Therefore, when I search the JSON conclusions for this URL, I find a total of 14 conclusions that use this URL. This tells me that this code fragment creates 14 possible attack points in the component; with a careful emphasis on possible since context is important.

Another key point is to realize that there are two key technologies at work here and that I expect both to get better as the beta progresses: First, building a code graph to give us the power to see that once a problem has been identified on a line of code, that all (I assume public) call-sites can be flagged. Second, what constitutes a problem or a conclusion in ShiftLeft’s neutral parlance will improve and be configurable, filterable and sortable.

In this example, the conclusion description reads:

The method `copyFileToDirectory` does not support handling **sensitive data** to be passed as parameter `srcFile` because it is leaked over I/O **File**.

What goes through my head when I read that is: Yeah, I do not want just anybody to be able to copy any file anywhere like overwriting a password vault a la copyFileToDirectory(myFile, "/etc/shadow"). Granted, Commons IO is a library, not an application, so there is no alarm bell to ring here, but you get the idea.

Stepping back, I think it is important to reiterate what happened here: ShiftLeft found an issue (less dramatic than a problem) on a line of code in a private methods, then, using its code graph, created conclusions (report items) for each public facing method that may eventually call this private method in its code path.

Are you Trusted and Sensitive?

ShiftLeft uses two terms in conclusion descriptions that I want to review. Based on the limited subset of 255 (a very computer friendly number!) conclusions I saw for all of Commons IO, we can see two types of issues: trusted and sensitive.

Conclusions described as dealing with sensitive data: This says: Lookout, if you have a password in this variable, it’s in plain text. Now, it’s up to me to make sure that this password does not end up in a clear text file or anywhere else that is not secure. This is where context matters, you are the SME of your code, you know how much trouble you can get yourself and your users into, ShiftLeft has no opinion, it offers ‘conclusions.’

Conclusions referring to untrusted data: This tells me I should take precautions before doing anything with that data. Should I just execute this script? Should I need to worry about JSON Hijacking? See Why does Google prepend while(1); to their JSON responses?

Flipping it around on ShiftLeft

Let’s flip it around on ShiftLeft for a minute. I am now thinking about not writing sensitive data like passwords and financial reports to disk insecurely. I know we have many API in FileUtils that write strings to files. Will ShiftLeft tell me about, for example FileUtils.write(File, CharSequence, Charset)? Here is the method I should never use to write passwords or any sensitive data:

/**
 * Writes a CharSequence to a file creating the file if it does not exist.
 *
 * @param file the file to write
 * @param data the content to write to the file
 * @param encoding the encoding to use, {@code null} means platform default
 * @throws IOException in case of an I/O error
 * @since 2.3
 */
 public static void write(final File file, final CharSequence data, final Charset encoding) throws IOException {
  write(file, data, encoding, false);
 }

This in turn calls:

/**
 * Writes a CharSequence to a file creating the file if it does not exist.
 *
 * @param file the file to write
 * @param data the content to write to the file
 * @param encoding the encoding to use, {@code null} means platform default
 * @param append if {@code true}, then the data will be added to the
 * end of the file rather than overwriting
 * @throws IOException in case of an I/O error
 * @since 2.3
 */
 public static void write(final File file, final CharSequence data, final Charset encoding, final boolean append)
 throws IOException {
  final String str = data == null ? null : data.toString();
  writeStringToFile(file, str, encoding, append);
 }

Which calls:

/**
 * Writes a String to a file creating the file if it does not exist.
 *
 * @param file the file to write
 * @param data the content to write to the file
 * @param encoding the encoding to use, {@code null} means platform default
 * @param append if {@code true}, then the String will be added to the
 * end of the file rather than overwriting
 * @throws IOException in case of an I/O error
 * @since 2.3
 */
 public static void writeStringToFile(final File file, final String data, final Charset encoding, final boolean
 append) throws IOException {
   OutputStream out = null;
   try {
     out = openOutputStream(file, append);
     IOUtils.write(data, out, encoding);
     out.close(); // don't swallow close Exception if copy completes normally
   } finally {
     IOUtils.closeQuietly(out);
   }
 }

Which calls IOUtils‘:

/**
 * Writes chars from a <code>String</code> to bytes on an
 * <code>OutputStream</code> using the specified character encoding.
 *

 * This method uses {@link String#getBytes(String)}.
 *
 * @param data the <code>String</code> to write, null ignored
 * @param output the <code>OutputStream</code> to write to
 * @param encoding the encoding to use, null means platform default
 * @throws NullPointerException if output is null
 * @throws IOException if an I/O error occurs
 * @since 2.3
 */
 public static void write(final String data, final OutputStream output, final Charset encoding) throws IOException {
   if (data != null) {
     output.write(data.getBytes(Charsets.toCharset(encoding)));
   }
 }

Knowing what I know, I expect ShiftLeft to conclude that all these methods do not support sensitive data. Working back up the stack, I find:

• org.apache.commons.io.IOUtils.write(String, OutputStream, Charset)
  Nothing on that one; did I miss it due to the 255 conclusion limit?
• org.apache.commons.io.FileUtils.writeStringToFile(File, String, Charset, boolean)
  Got it:

   {
   "id": "org.apache.commons.io.FileUtils.writeStringToFile:void(java.io.File,java.lang.String,boolean)/file/1",
   "description": "The method `writeStringToFile` does not support handling **untrusted data** to be passed as parameter `file` because it controls access to I/O **File** in a manner that would allow an attacker to abuse it.",
   "unsupportedDataType": "ATTACKER_CONTROLLED",
   "interfaceId": "FILE/false",
   "methodId": "org.apache.commons.io.FileUtils.writeStringToFile:void(java.io.File,java.lang.String,boolean)",
   "codeLocation": {
     "file": "org/apache/commons/io/FileUtils.java",
     "lineNumber": 360,
     "symbol": "parent"
   },
   "codeLocationUrl": "https://github.com/apache/commons-io/blob/commons-io-2.5/src/main/java/org/apache/commons/io/FileUtils.java#L360",
   "state": "NEUTRAL",
   "externalIssueUrl": "https://todo"
   }
  

• org.apache.commons.io.FileUtils.write(File, CharSequence, Charset, boolean)
  Got it:

  {
   "id": "org.apache.commons.io.FileUtils.write:void(java.io.File,java.lang.CharSequence,java.nio.charset.Charset,boolean)/file/2",
   "description": "The method `write` does not support handling **sensitive data** to be passed as parameter `file` because it is leaked over I/O **File**.",
   "unsupportedDataType": "SENSITIVE",
   "interfaceId": "FILE/false",
   "methodId": "org.apache.commons.io.FileUtils.write:void(java.io.File,java.lang.CharSequence,java.nio.charset.Charset,boolean)",
   "codeLocation": {
     "file": "org/apache/commons/io/FileUtils.java",
     "lineNumber": 355,
     "symbol": "parent"
   },
   "codeLocationUrl": "https://github.com/apache/commons-io/blob/commons-io-2.5/src/main/java/org/apache/commons/io/FileUtils.java#L355",
   "state": "NEUTRAL",
   "externalIssueUrl": "https://todo"
   }
  

• org.apache.commons.io.FileUtils.write(File, CharSequence, Charset)
  Got it:

  {
   "id": "org.apache.commons.io.FileUtils.write:void(java.io.File,java.lang.CharSequence,java.nio.charset.Charset)/file/2",
   "description": "The method `write` does not support handling **sensitive data** to be passed as parameter `file` because it is leaked over I/O **File**.",
   "unsupportedDataType": "SENSITIVE",
   "interfaceId": "FILE/false",
   "methodId": "org.apache.commons.io.FileUtils.write:void(java.io.File,java.lang.CharSequence,java.nio.charset.Charset)",
   "codeLocation": {
     "file": "org/apache/commons/io/FileUtils.java",
     "lineNumber": 355,
     "symbol": "parent"
   },
   "codeLocationUrl": "https://github.com/apache/commons-io/blob/commons-io-2.5/src/main/java/org/apache/commons/io/FileUtils.java#L355",
   "state": "NEUTRAL",
   "externalIssueUrl": "https://todo"
   }
  

So yeah, that all hangs nicely together, thank you code graphs!

Finding arbitrary code attacks

Did I mention there 255 are conclusions in the JSON report file? It takes a while to go through these. I am hoping that ShiftLeft will have their UI in place soon so I can filter and sort all this information! Now that I am about 20% through the file, I see:

The method `createSymbolicLink` does not support handling **untrusted data** to be passed as parameter `symlink` because it could allow an attacker to run arbitrary code.

Yikes! let’s take a deeper look and see if this is for real or a false positive.

Here is the raw conclusion:

{
 "id": "org.apache.commons.io.Java7Support.createSymbolicLink:java.io.File(java.io.File,java.io.File)/symlink/1",
 "description": "The method `createSymbolicLink` does not support handling **untrusted data** to be passed as parameter `symlink` because it could allow an attacker to run arbitrary code.",
 "unsupportedDataType": "ATTACKER_CONTROLLED",
 "methodId": "org.apache.commons.io.Java7Support.createSymbolicLink:java.io.File(java.io.File,java.io.File)",
 "codeLocation": {
 "file": "org/apache/commons/io/Java7Support.java",
 "lineNumber": 128,
 "symbol": "file"
 },
 "codeLocationUrl": "https://github.com/apache/commons-io/blob/commons-io-2.5/src/main/java/org/apache/commons/io/Java7Support.java#L128",
 "state": "NEUTRAL",
 "externalIssueUrl": "https://todo"
 }

Our codeLocationUrl for this conclusion points us to the Java7Support class at line 128: where we find:

/**
 * Indicates if a symlunk target exists
 * @param file The symlink file
 * @return true if the target exists
 * @throws IOException upon error
 */
 private static boolean exists(File file)
 throws IOException {
   try {
     Object path = toPath.invoke(file);
     final Boolean result = (Boolean) exists.invoke(null, path, emptyLinkOpts);
     return result.booleanValue();
   } catch (IllegalAccessException e) {
     throw new RuntimeException(e);
   } catch (InvocationTargetException e) {
     throw (RuntimeException) e.getTargetException();
   }
}

ShiftLeft points to the line:

Object path = toPath.invoke(file);

The instance variable toPath is a java.lang.reflect.Method which can and does execute code as shown above. Looking narrowly at the code so far we can say that yes, this code run anything since toPath is a Method.

However, widening our view to the field declaration we see the following in the class static initialization block:

toPath = File.class.getMethod("toPath");

This makes sense in the context of the class: Java7Support is used to access Java 7 features while running on pre-Java 7 platforms. Here we are setting up toPath to run one method. I would expect toPath to be a static final but it is not:

private static Method toPath;

Why is it not static? Well, it’s just that the way the static initialize block is written does not allow you to just add final to the declaration. The static block needs to be rewritten to allow for toPath to be final which we will leave as ‘an exercise to the reader’ 😉 as it is out of scope for an already long blog post.

I would be curious to see how ShiftLeft responds to such a code change.

I am not sure if this is really a problem though. The variable is private now, but not final. Yes its type (Method) is all about executing code. Under normal circumstances, this value cannot be changed outside this class. I can use reflection of course to force a new value in toPath. Does that mean that anytime I use a Method instance variable I am going to get an arbitrary code execution conclusion? Another corner-case to examine.

What if I rewrote the static block and declared the variable final. Would ShiftLeft still reach the same conclusion? If yes, would that be because I could still use reflection to hammer any value in the field.

Concluding on this first arbitrary code attack

The more I explore these test results, the more I realize how tricky security is and how much context matters. I now know that the Java7Support class in Apache Commons IO 2.5 is open to an arbitrary code attack under the narrow use case of another piece of code using reflection. But if that code is allowed to use reflection, surely it could achieve its goal without going through the extra hoop of Java7Support hacking.

Stepping back, the realization is that I should think twice about using the Method class because I could open my application up to an attack unless that Method field is properly protected.

Looking for more arbitrary code attacks

Now that ShiftLeft has whetted my appetite, I wonder if there are more arbitrary code attacks lurking. A quick search through the file reveals to total of five. Not surprisingly, these are all in the Java7Support class and all follow the same pattern as above: calling the invoke method of a Method object where the Methodis initialized in the static block.

Flipping it around once more, let’s look at the Java7Support class variable declarations and see if all Method objects end up being accounted for by ShiftLeft:

/**
 * Java7 feature detection and reflection based feature access.
 * <p/>
 * Taken from maven-shared-utils, only for private usage until we go full java7
 */
class Java7Support {

  private static final boolean IS_JAVA7;

  private static Method isSymbolicLink;

  private static Method delete;

  private static Method toPath;

  private static Method exists;

  private static Method toFile;

  private static Method readSymlink;

  private static Method createSymlink;
  ...

We have seven static Method declarations which I see initialized in the static block:

static {
 boolean isJava7x = true;
 try {
   ClassLoader cl = Thread.currentThread().getContextClassLoader();
   Class<?> files = cl.loadClass("java.nio.file.Files");
   Class<?> path = cl.loadClass("java.nio.file.Path");
   Class<?> fa = cl.loadClass("java.nio.file.attribute.FileAttribute");
   Class<?> linkOption = cl.loadClass("java.nio.file.LinkOption");
   isSymbolicLink = files.getMethod("isSymbolicLink", path);
   delete = files.getMethod("delete", path);
   readSymlink = files.getMethod("readSymbolicLink", path);
   emptyFileAttributes = Array.newInstance(fa, 0);
   createSymlink = files.getMethod("createSymbolicLink", path, path, emptyFileAttributes.getClass());
   emptyLinkOpts = Array.newInstance(linkOption, 0);
   exists = files.getMethod("exists", path, emptyLinkOpts.getClass());
   toPath = File.class.getMethod("toPath");
   toFile = path.getMethod("toFile");
   } catch (ClassNotFoundException e) {
     isJava7x = false;
   } catch (NoSuchMethodException e) {
     isJava7x = false;
   }
   IS_JAVA7 = isJava7x;
 }

ShiftLeft gives me five conclusions:

The method `isSymLink` does not support handling **untrusted data** to be passed as parameter `file` because it could allow an attacker to run arbitrary code.
The method `createSymbolicLink` does not support handling **untrusted data** to be passed as parameter `symlink` because it could allow an attacker to run arbitrary code.
The method `delete` does not support handling **untrusted data** to be passed as parameter `file` because it could allow an attacker to run arbitrary code.
The method `createSymbolicLink` does not support handling **untrusted data** to be passed as parameter `target` because it could allow an attacker to run arbitrary code.
The method `readSymbolicLink` does not support handling **untrusted data** to be passed as parameter `symlink` because it could allow an attacker to run arbitrary code.

All of the Method declarations in this class are used by all of the methods listed above. Nice.

Fin

I’d like to wrap up this exploration of ShiftLeft with a quick summary of what we found: a tool we can add to our build pipelines to find potential security issues. There are a lot of data here, and this is just for Apache Commons IO 2.5, so another lesson is that context matters. ShiftLeft currently provides ‘conclusions’ based on a code graph. We found conclusions about untrusted data (I’m not sure what’s in here so don’t go executing it), sensitive data (don’t save passwords in plain text!) and arbitrary code attacks.

I hope revisit this story and run ShiftLeft on other Apache Commons projects soon. This sure is fun!

Happy Coding,
Gary Gregory

Understanding Java Generics’ super and extends

Do you know the difference in Java generics between <? super E> and <? extends E>? If you have any doubt, read on.

In Java, classes and interfaces can have type parameters, like a List of Numbers instead of just a List:

List list = new ArrayList();

With the diamond notation <>, the Java 7 compiler uses type inference to deduce the argument type so you can abbreviate instantiation to new ArrayList<>().

You can also type the variable that holds the reference to the ArrayList instance as a List, a Collection, or a Serializable.

Let’s now say you have a pair of methods that take a List of Numbers. The first method printNumbers() gets Numbers out of the List:

public void printNumbers(List list) {
    for (Number number : list) {
        System.out.print(number);
        System.out.print(", ");
    }
}

The second method, fillNumbers(), adds Numbers to the List:

public void fillNumbers(List list) {
    Number n = Integer.MAX_VALUE;
    list.add(n);
    list.add(3);
}

The method getting Numbers out of the List could just as easily work with a List of Integers or a List of Floats:

List floats = new ArrayList();
floats.add(Float.valueOf(1.2f));
printNumbers(floats);

What we really want though is a List, not a List:

List floats = new ArrayList();
floats.add(Float.valueOf(1.2f));
printNumbers(floats);

But that causes the compiler to fail with:

The method printNumbers(List) in the type Test is not applicable for the arguments (List)

To use a List, the method must be typed with List<? extends Number>.

public void printNumbers(List list)

The ? extends tells the compiler that we want to use some unknown (the ?) subtype of Number. We explicitly constrain the wildcard (the ?) to represent the unknown subtype of Number. We say the method is a covariant use of the List of Numbers; it works with any List of any subtype of Number.

On the other hand, you should be able to give the method adding Numbers to the List any old List of Objects:

List objects = new ArrayList();
fillNumbers(objects);

That does not compile:

The method fillNumbers(List) in the type GenericsSuperExtendsDemo is not applicable for the arguments (List)You get this to work with List<? super Number>:

public void fillNumbers(List list)

The ? super Number is an explicitly constrained wildcard that represents some unknown supertype of Number. We call that one a contravariant use of the List of Numbers and it works for any List of any supertype of Number.Here is the complete example:

package test;import java.util.ArrayList;import java.util.List;public class GenericsSuperExtendsDemo {    public static void main(String[] args) {        new GenericsSuperExtendsDemo().go();    }    public void go() {        System.out.println("Hello World!");        List numbers = new ArrayList();        fillNumbers(numbers);        printNumbers(numbers);        {            List floats = new ArrayList();            floats.add(Float.valueOf(1.2f));            printNumbers(floats);        }        {            List floats = new ArrayList();            floats.add(Float.valueOf(1.2f));            printNumbers(floats);        }        {            List integers = new ArrayList();            printNumbers(integers);        }        {            List objects = new ArrayList();            fillNumbers(objects);        }    }    public void printNumbers(List list) {        for (Number number : list) {            System.out.print(number);            System.out.print(", ");        }    }    public void fillNumbers(List list) {        Number n = Integer.MAX_VALUE;        list.add(n);        list.add(3);    }}

The inspiration for this article is a paper presented at OOPSLA 2016 titled “Java and Scala’s Type Systems are Unsound.”Happy Coding,Gary Gregory

Loading a Log4j Configuration for a specific EJB

You can load and unload a specific Log4j 2 configuration file for a given EJB. How? Use @PreDestroy and @PostConstruct. This gives you separately deployable EJBs with separate Log4j configurations. Ka-Pow!

For example:

public class MySessionEJB implements SessionBean {

    private static final String LOGGER_CONFIG = "/path/to/log4j2.xml";
    private static final String LOGGER_CONTEXT_NAME = "MySessionEJB";
    private static LoggerContext logctx;
    private static Logger logger;

    @PostConstruct
    @TransactionAttribute(value=TransactionAttributeType.NOT_SUPPORTED)
    private void postConstruct() {
        logctx = Configurator.initialize(LOGGER_CONTEXT_NAME, LOGGER_CONFIG);
        logger = logctx.getLogger("com.whatever.myejb");
    }

    @PreDestroy
    @TransactionAttribute(value=TransactionAttributeType.NOT_SUPPORTED)
    private void preDestroy() {
        Configurator.shutdown(logctx);
    }
}

Happy Coding,
Gary Gregory

How to catch up my git fork to master

TL;DR

git fetch upstream
git checkout master
git merge upstream/master

Here I am in one of my forked git repositories on GitHub. I have a patch to contribute, or a bug to fix but I want to make sure that my local copy of the repository is not stale. If I do not, the project I want to contribute to might not be able to apply my patch or merge my pull request cleanly. The first thing I need to do is to catch up my git repository to whatever the current code is in the master branch of the original repository. Some development workflows will use a different branch than master for day-to-day development but the same steps apply using whatever that branch name is. In this post, I’ll assume you are using master. You’ll also need a git command line tool.

There are two steps required. First, you must configure a git remote for a fork. Then you can catch up that fork to the current master.

Open a command line prompt and change the current directory to your project’s directory.

Configuring a git remote for a fork

You only need to do this once: Add a new remote upstream repository to sync with the fork where ORIGINAL_OWNER is the original GitHub account and ORIGINAL_REPOSITORY is the original repository name.

git remote add upstream https://github.com/ORIGINAL_OWNER/ORIGINAL_REPOSITORY.git

For example:

git remote add upstream https://github.com/apache/thrift.git

You can verify that all went well:

git remote -v
origin https://github.com/garydgregory/thrift.git (fetch)
origin https://github.com/garydgregory/thrift.git (push)
upstream https://github.com/apache/thrift.git (fetch)
upstream https://github.com/apache/thrift.git (push)

Catching up a git fork to master

Fetch project branches from the upstream repository to get all the commits. Your commits to master will be stored in the local branch upstream/master.

git fetch upstream

Check out the master branch from your local fork.

git checkout master

Now merge the changes from upstream/master into your local master branch. Your fork’s master branch will be in sync with the upstream repository. You will not lose your local changes.

git merge upstream/master

All done!

You can cut and paste this into a script:

git fetch upstream
git checkout master
git merge upstream/master

Happy Forking,
Gary

Of the demise of FindBugs and Monty Python

It turns out that FindBugs, the Java bug hunting tool used by legions of Java developers, after being proclaimed dead, has issued a Monty Python-like “I’m not dead yet” rejoinder on Hacker News.

What is going on here?

FindBugs is a development-time tool that finds bugs in Java programs using static analysis. It’s free and distributed under the Lesser GNU Public License out of The University of Maryland. Most developers use FindBugs through Maven and the Maven Findbugs Plugin. David Hovemeyer who did his Ph.D. thesis on FindBugs founded the project. Since then Bill Pugh has been the project lead and primary developer. The current developers listed for FindBugs are Bill Pugh and Andrey Loskutov.

Reviewing Andrey’s November 2nd post (edited in quotes for minor typos and clarity), here what seems to be the Good, the Bad and the Ugly, no not that one, but the film is a classic and the images below are all in good fun.

The Good

The Good is thin: FindBugs has two committers with push karma: Andrey Loskutov and Tagir Valeev. That’s not much for such a complex project but better than none. Tagir’s last commit (Google Code Archive) was on 2015-04-09 and Andrey does not consider him active. Andrey has stated that he himself “has no free time to work on the project”. (There is code on the Google Code Archive and then on GitHub.)

The Bad

Bill Pugh, the project lead, has not been active and is the bottleneck for access rights to critical parts of the project. According to Andrey:

“Only the project leader Bill Pugh has admin rights for the project web page and the GitHub project group and page. We cannot deploy any website update, we can’t add new project members, we can’t manage code access rights, we can’t publish releases to the well-known update sites without his help. Without him, we have no admin rights to anything; we can only push to the repository.”

This seems to be par for the course in many FOSS projects, the benevolent dictator acts as a gatekeeper to resources and once a bus or vacation enters the pictures, this locks out contributors. Bill Pugh, the project lead, has not been active or responsive it seems (until now, more on this later).

The Ugly

FindBugs has been around for a long time now (ten years) and has accrued a fair amount of technical debt.

Andrey states that the code is very complex, has “organically grown” over a decade. Not surprisingly and like many other FOSS projects, and authors have not done much in terms of documentation. Poor public interfaces apparently compound the hurt.

“Most of the code consists of the very low level bytecode related stuff, tightly coupled with the ancient BCEL library, which doesn’t scale and is not multi-thread safe.”

I hear you there. I help out over at Apache Commons, the current home of the Apache Commons BCEL component, where we released in July a long overdue version 6.0. Apache published the previous version 5.2; wait for it… in June 2006! Ouch, FindBugs, I feel your pain. It might be too late for FindBugs and Apache Commons BCEL developers to work together to salvage this dependency:

 “No one enjoys maintaining this code, at least not me. I see no future for FindBugs with the BCEL approach, and see no way to get rid of it without investing lot of effort, and without breaking every detector and possibly many third party tools. This is the biggest issue we have with FindBugs today, and most likely the root cause for all the evil. This code can’t be fixed, it must be rewritten.”

What are the alternatives?

Luckily, there are other byte code fiddling tools out there. We have (quoted with minor edits from their respective sites):

• ASM (INRIA, France Telecom license) from the OW2 consortium. ASM is an all-purpose Java bytecode manipulation and analysis framework. You can use ASM to modify existing classes or dynamically generate classes, directly in binary form. ASM provides common transformations and analysis algorithms allow you to assemble easily custom complex transformations and code analysis tools.
• Apache Commons Weaver (Apache 2.0 license) manipulates existing class files. It looks like FINDBUGS has started to work on some integration with ASM based on looking at a few commits.
• Javassist (Mozilla Public License 1.1, LGPL 2.1, Apache 2.0 licenses) is a class library for editing bytecodes in Java; it enables Java programs to define a new class at runtime and to modify a class file when the JVM loads it. Unlike other similar bytecode editors, Javassist provides two levels of API: source level and bytecode level. If the users use the source-level API, they can edit a class file without knowledge of the specifications of the Java bytecode. Javassist designed the whole API with only the vocabulary of the Java language. You can even specify inserted bytecode in the form of source text; Javassist compiles it on the fly. On the other hand, the bytecode-level API allows the users to edit directly a class file as other editors.
• Byte Buddy (Apache 2.0 license) is a code generation and manipulation library for creating and modifying Java classes during the runtime of a Java application and without the help of a compiler. Other than the code generation utilities that ship with the Java Class Library, Byte Buddy allows the creation of arbitrary classes and is not limited to implementing interfaces for the creation of runtime proxies. Furthermore, Byte Buddy offers a convenient API for changing classes either manually, using a Java agent or during a build.

From FindBugs to HuntBugs

Andrey thinks that because the code is as it is, there are not so many people willing to contribute. GitHub sees some pull requests, but most of them are smaller fixes or enhancements which are not reviewed or tested.

These conditions has led Tagir to start his own project called HuntBugs, a new Java bytecode static analyzer tool based on Procyon Compiler Tools aimed to supersede FindBugs. HuntBugs is currently in early development stage and published under the Apache 2.0 license. It also sports seven contributors on GitHub, an almost good sign, but all of these contributors only have a handful of commits each. Almost all commits are from Tagir, so the word “community” seems generous. The Procyon Compiler Tools are published on BitBucket also under the Apache 2.0 license.

The lack of community around FindBugs is what killed it’s momentum. This happens over and over in the FOSS world.

Like many FOSS projects and again to no one’s surprise, there is little support from any companies or organizations. The FindBugs sponsors page states that the most recent funding for FindBugs comes from a Google Faculty Research Awards. No code patches, no testing, no paid developers. Of course, Andrey remarks, some companies do use FindBugs in commercial products like SonarSource and Coverity, not to mention countless companies using FindBugs in their build processes.

As it is today, even without further development, FindBugs is still useful. Sadly it cannot find bugs that are specific to Java 8 or Java 9’s early releases.

What’s on the horizon?

There are two paths here: FindBugs will raise from its ashes or a fork will take over. There are a number of steps Andrey outlines in his post to allow the current contributors (himself really) to continue the project. These are mostly project governance and access rights issues. However, having stated that his time is limited, does this seem realistic? This assumes that Bill follows the steps to further open up FindBugs and that this will lead to a community forming around a more open FindBugs . Summarizing from Andrey’s post, the following needs to happen:

• Update the site to point to GitHub instead of SourceForge.
• Shut down the old SourceForge bug tracker and forums and point to GitHub instead.
• Allow to grant access rights to the GitHub project.
• Grant right to publish the new releases all known download sites.
• Configure automated build and test (hello Travis CI and Coveralls)
• Attract contributors

None of these seems difficult or insurmountable; it just needs Bill’s blessing and a new project governance model that allows other contributors to come in have proper access rights. Perhaps FindBugs could adopt some of Apache’s nomenclature: You can be a committer with push rights and above that a Project Management Committee (PMC) member, with full access to the project. Only votes from PMC members vote are binding on release votes. This would allow many committers to come in under the mentorship of a PMC.

Hello Bill!

Bill eating a bug.

Then after all this, Bill pops up on Hacker News:

“FindBugs isn’t dead (although my participation had been in hibernation for a while).

I’ve been juggling far too many projects, but I’m now working to move FindBugs back into the active rotation.

I also want announce I’ll be working with GrammaTech as part of the Swamp Project, and they will be helping with rebooting the FindBugs project. This has been in the works for a long time (almost a year), and although I’ve known that GrammaTech was likely to win an award, this hasn’t been official and something I could talk about until recently. Was hoping to have something a little more concrete to talk about as far as that goes; but I don’t yet have the information I wanted to share.

Thanks to all the FindBugs fans and supporters who lobbied for me to return to active maintenance of FindBugs. Give me a week to get up to speed on current project needs.”

So that sounds good…

Now what?

This is all fine and good and I hope that Bill can work with the current contributors, or the one contributor to rejuvenate FindBugs. What Andrey asks sounds reasonable, but that is not enough. I believe that better project governance would really help FindBugs move forward again.

What about bringing FindBugs under the auspices of an Apache top-level project? Bringing a project under the Apache umbrella is done through the Apache Incubator under a well-defined process. This would really deal with all project governance issues and infrastructure in one go. The project sources could still live in GitHub, but the Apache-way of doing things would address many if not all of Andey’s concerns.

What do you think?

Cheers and Happy Coding,
Gary

Apache Log4j 2.7 is out!

Apache Log4j 2.7 is heading out to Maven Central. Here’s are the highlights of what’s new since 2.6.2.

 

• The RoutingAppender can be configured with scripts.
• A new Appender, the ScriptAppenderSelector can create another Appender as specified by a Script.
• Users can now inject context data from other sources than ThreadContext. Values can be any Object, not just Strings.
• The SocketAppender now supports IO buffering.
• Added the ability to generate Log4j 2 XML configuration file from a ConfigurationBuilder.
• Hello Scala! We’ve added Logging APIs for Scala 2.10 and 2.11.
• Added options to exclude stack trace from JSON, XML and YAML layouts.
• Added Core API Configurator.shutdown(LoggerContext, long, TimeUnit).
• FileAppender and RollingFileAppender can create files on-demand.
• PatternLayout added a color ANSI option to %message and %xThrowable.
• org.apache.logging.log4j.core.LoggerContext now implements Closeable.
• Add ThreadContextMap2 interface supporting method putAll(Map<String, String>).
• Add JUnit Rule implementations to manage the thread context.
• The Core AbstractConfiguration and AbstractManager now track its LoggerContext; add Configuration.getLoggerContext().

Continuing the Asynchronous Epic

• We’ve added support for java.util.concurrent.LinkedTransferQueue to the AsyncAppender.
• Added optional support for the Conversant DisruptorBlockingQueue in AsyncAppender.
• Added optional support for JCTools MPSC bounded lock-free queue in AsyncAppender.

Continuing the GC-free Epic

• Continuing the GC-free epic, we’ve added support for garbage-free ThreadContext map. This is disabled by default, and users need to enable this explicitly.
• Also in GC-free-land, we changed LogEvent‘s internal data structure for context data to be garbage-free. We added the method LogEvent#getContextData() and deprecated getContextMap().

Continuing the Builder Epic

• Added Builders for the ConsoleAppender, FileAppender, RoutingAppender, SocketAppender, and ServletAppender (and deprecated factory methods).
• Builders can be generic.
• A Builder can subclass another Builder.

And bug fixes as well, for which you can just see the Log4j site.

Happy Log4j Logging!
Gary

 

Java Charsets here, there and everywhere

From time to time, I need to see if a Java Charset exists in this and that JRE. I’m going to start gathering them here.

1. Sun Microsystems Inc. Java 1.5.0_22 (154 charsets)
2. Sun Microsystems Inc. Java 1.6.0_45 (166 charsets)
3. Oracle Corporation Java 1.7.0_79 (168 charsets)
4. Oracle Corporation Java 1.8.0_77 (170 charsets)
5. IBM Corporation Java 1.8.0 (243 charsets)

Sun Microsystems Inc. Java 1.5.0_22 (154 charsets)
#	Name	Aliases
1	Big5	csBig5
2	Big5-HKSCS	big5-hkscs, big5hk, big5-hkscs:unicode3.0, big5hkscs, Big5_HKSCS
3	EUC-JP	eucjis, x-eucjp, csEUCPkdFmtjapanese, eucjp, Extended_UNIX_Code_Packed_Format_for_Japanese, x-euc-jp, euc_jp
4	EUC-KR	ksc5601, 5601, ksc5601_1987, ksc_5601, ksc5601-1987, euc_kr, ks_c_5601-1987, euckr, csEUCKR
5	GB18030	gb18030-2000
6	GB2312	gb2312-1980, gb2312, EUC_CN, gb2312-80, euc-cn, euccn, x-EUC-CN
7	GBK	windows-936, CP936
8	IBM-Thai	ibm-838, ibm838, 838, cp838
9	IBM00858	cp858, ccsid00858, cp00858, 858
10	IBM01140	1140, ccsid01140, cp01140, cp1140
11	IBM01141	cp01141, cp1141, ccsid01141, 1141
12	IBM01142	cp01142, cp1142, ccsid01142, 1142
13	IBM01143	1143, cp01143, cp1143, ccsid01143
14	IBM01144	cp01144, cp1144, 1144, ccsid01144
15	IBM01145	ccsid01145, cp01145, 1145, cp1145
16	IBM01146	ccsid01146, cp1146, 1146, cp01146
17	IBM01147	cp1147, 1147, ccsid01147, cp01147
18	IBM01148	cp01148, cp1148, ccsid01148, 1148
19	IBM01149	cp1149, ccsid01149, 1149, cp01149
20	IBM037	csIBM037, cpibm37, cp037, cs-ebcdic-cp-us, ibm-037, ibm-37, cs-ebcdic-cp-ca, cs-ebcdic-cp-wt, cs-ebcdic-cp-nl, ibm037, 037
21	IBM1026	1026, ibm1026, cp1026, ibm-1026
22	IBM1047	1047, ibm-1047, cp1047
23	IBM273	ibm273, 273, cp273, ibm-273
24	IBM277	ibm277, cp277, ibm-277, 277
25	IBM278	csIBM278, ibm278, cp278, ebcdic-cp-se, 278, ibm-278, ebcdic-sv
26	IBM280	ibm280, cp280, 280, ibm-280
27	IBM284	cpibm284, csIBM284, ibm-284, ibm284, 284, cp284
28	IBM285	285, ebcdic-cp-gb, ibm-285, csIBM285, cp285, ibm285, cpibm285, ebcdic-gb
29	IBM297	csIBM297, ebcdic-cp-fr, cp297, ibm297, ibm-297, 297, cpibm297
30	IBM420	ibm420, 420, ebcdic-cp-ar1, csIBM420, ibm-420, cp420
31	IBM424	cp424, 424, ebcdic-cp-he, ibm424, csIBM424, ibm-424
32	IBM437	windows-437, cspc8codepage437, ibm437, cp437, 437, ibm-437
33	IBM500	500, ebcdic-cp-ch, ebcdic-cp-bh, ibm-500, csIBM500, cp500, ibm500
34	IBM775	ibm775, cp775, ibm-775, 775
35	IBM850	ibm-850, 850, ibm850, cspc850multilingual, cp850
36	IBM852	852, ibm-852, csPCp852, cp852, ibm852
37	IBM855	855, ibm855, cp855, cspcp855, ibm-855
38	IBM857	cp857, ibm857, csIBM857, 857, ibm-857
39	IBM860	ibm860, ibm-860, csIBM860, cp860, 860
40	IBM861	csIBM861, ibm861, 861, cp861, ibm-861
41	IBM862	cp862, ibm862, 862, ibm-862, csIBM862
42	IBM863	cp863, csIBM863, ibm863, 863, ibm-863
43	IBM864	csIBM864, ibm-864, 864, ibm864, cp864
44	IBM865	ibm-865, csIBM865, 865, ibm865, cp865
45	IBM866	866, ibm-866, csIBM866, ibm866, cp866
46	IBM868	cp-ar, 868, ibm868, csIBM868, ibm-868, cp868
47	IBM869	ibm869, ibm-869, 869, cp869, csIBM869, cp-gr
48	IBM870	ebcdic-cp-yu, ibm870, ibm-870, 870, csIBM870, cp870, ebcdic-cp-roece
49	IBM871	csIBM871, ibm-871, cp871, ebcdic-cp-is, 871, ibm871
50	IBM918	ibm-918, 918, cp918, ebcdic-cp-ar2
51	ISO-2022-CN	csISO2022CN, ISO2022CN
52	ISO-2022-JP	jis, jis_encoding, csjisencoding, csISO2022JP, iso2022jp
53	ISO-2022-KR	ISO2022KR, csISO2022KR
54	ISO-8859-1	iso-ir-100, 8859_1, ISO_8859-1, ISO8859_1, 819, csISOLatin1, IBM-819, ISO_8859-1:1987, latin1, cp819, ISO8859-1, IBM819, ISO_8859_1, l1
55	ISO-8859-13	ISO8859-13, 8859_13, iso8859_13, iso_8859-13
56	ISO-8859-15	8859_15, csISOlatin9, IBM923, cp923, 923, L9, IBM-923, ISO8859-15, LATIN9, ISO_8859-15, LATIN0, csISOlatin0, ISO8859_15_FDIS, ISO-8859-15, ISO8859_15
57	ISO-8859-2	ibm912, l2, ibm-912, cp912, ISO_8859-2:1987, ISO_8859-2, latin2, csISOLatin2, iso8859_2, 912, 8859_2, ISO8859-2, iso-ir-101
58	ISO-8859-3	iso8859_3, cp913, csISOLatin3, ibm-913, ISO_8859-3, 913, ISO8859-3, 8859_3, ibm913, iso-ir-109, ISO_8859-3:1988, latin3, l3
59	ISO-8859-4	iso-ir-110, l4, 8859_4, ibm914, latin4, ibm-914, csISOLatin4, iso8859_4, iso8859-4, cp914, 914, ISO_8859-4:1988, ISO_8859-4
60	ISO-8859-5	915, ISO_8859-5:1988, iso8859_5, cp915, ibm915, ISO_8859-5, ISO8859-5, csISOLatinCyrillic, cyrillic, 8859_5, iso-ir-144, ibm-915
61	ISO-8859-6	8859_6, arabic, ibm-1089, iso8859_6, ISO_8859-6, iso-ir-127, ibm1089, ISO_8859-6:1987, ECMA-114, 1089, csISOLatinArabic, ISO8859-6, ASMO-708, cp1089
62	ISO-8859-7	sun_eu_greek, 8859_7, iso-ir-126, ISO_8859-7:1987, ibm-813, iso8859_7, ISO_8859-7, csISOLatinGreek, greek8, ECMA-118, ibm813, ELOT_928, iso8859-7, cp813, greek, 813
63	ISO-8859-8	iso-ir-138, ibm-916, iso8859_8, cp916, ISO8859-8, ISO_8859-8:1988, hebrew, 8859_8, csISOLatinHebrew, ibm916, 916, ISO_8859-8
64	ISO-8859-9	cp920, l5, ISO_8859-9, ibm-920, csISOLatin5, 8859_9, iso-ir-148, latin5, 920, ISO8859-9, ibm920, ISO_8859-9:1989, iso8859_9
65	JIS_X0201	JIS_X0201, X0201, JIS0201, csHalfWidthKatakana
66	JIS_X0212-1990	jis_x0212-1990, iso-ir-159, x0212, JIS0212, csISO159JISX02121990
67	KOI8-R	koi8, koi8_r, cskoi8r
68	Shift_JIS	shift-jis, shift_jis, x-sjis, ms_kanji, csShiftJIS, sjis
69	TIS-620	tis620.2533, tis620
70	US-ASCII	ISO646-US, IBM367, ASCII, cp367, default, ascii7, ANSI_X3.4-1986, iso-ir-6, us, 646, iso_646.irv:1983, csASCII, ANSI_X3.4-1968, ISO_646.irv:1991
71	UTF-16	utf16, UTF_16
72	UTF-16BE	X-UTF-16BE, UnicodeBigUnmarked, UTF_16BE, ISO-10646-UCS-2
73	UTF-16LE	UnicodeLittleUnmarked, X-UTF-16LE, UTF_16LE
74	UTF-8	UTF8, unicode-1-1-utf-8
75	windows-1250	cp1250, cp5346
76	windows-1251	ansi-1251, cp1251, cp5347
77	windows-1252	cp1252, cp5348
78	windows-1253	cp1253, cp5349
79	windows-1254	cp5350, cp1254
80	windows-1255	cp1255
81	windows-1256	cp1256
82	windows-1257	cp1257, cp5353
83	windows-1258	cp1258
84	windows-31j	csWindows31J, windows-932, MS932
85	x-Big5-Solaris	Big5_Solaris
86	x-euc-jp-linux	euc_jp_linux, euc-jp-linux
87	x-EUC-TW	cns11643, euc_tw, EUC-TW, euctw
88	x-eucJP-Open	EUC_JP_Solaris, eucJP-open
89	x-IBM1006	cp1006, ibm1006, 1006, ibm-1006
90	x-IBM1025	ibm1025, 1025, cp1025, ibm-1025
91	x-IBM1046	ibm1046, 1046, cp1046, ibm-1046
92	x-IBM1097	ibm1097, 1097, cp1097, ibm-1097
93	x-IBM1098	cp1098, ibm-1098, ibm1098, 1098
94	x-IBM1112	cp1112, 1112, ibm1112, ibm-1112
95	x-IBM1122	ibm-1122, 1122, cp1122, ibm1122
96	x-IBM1123	cp1123, ibm1123, ibm-1123, 1123
97	x-IBM1124	cp1124, ibm1124, ibm-1124, 1124
98	x-IBM1381	1381, cp1381, ibm1381, ibm-1381
99	x-IBM1383	ibm1383, ibm-1383, cp1383, 1383
100	x-IBM33722	ibm-33722, cp33722, ibm-33722_vascii_vpua, ibm-5050, ibm33722, 33722
101	x-IBM737	ibm-737, ibm737, cp737, 737
102	x-IBM834	cp834, ibm-834, ibm834
103	x-IBM856	ibm-856, 856, ibm856, cp856
104	x-IBM874	cp874, ibm874, ibm-874, 874
105	x-IBM875	ibm875, ibm-875, 875, cp875
106	x-IBM921	921, cp921, ibm921, ibm-921
107	x-IBM922	cp922, ibm922, ibm-922, 922
108	x-IBM930	cp930, 930, ibm930, ibm-930
109	x-IBM933	ibm933, cp933, 933, ibm-933
110	x-IBM935	935, cp935, ibm935, ibm-935
111	x-IBM937	cp937, ibm-937, ibm937, 937
112	x-IBM939	ibm-939, ibm939, cp939, 939
113	x-IBM942	cp942, ibm942, ibm-942, 942
114	x-IBM942C	ibm942C, cp942C, ibm-942C, 942C
115	x-IBM943	ibm943, ibm-943, cp943, 943
116	x-IBM943C	ibm-943C, ibm943C, 943C, cp943C
117	x-IBM948	948, ibm-948, cp948, ibm948
118	x-IBM949	ibm-949, cp949, 949, ibm949
119	x-IBM949C	cp949C, 949C, ibm949C, ibm-949C
120	x-IBM950	950, cp950, ibm-950, ibm950
121	x-IBM964	964, cp964, ibm-964, ibm964
122	x-IBM970	ibm970, 970, cp970, ibm-eucKR, ibm-970
123	x-ISCII91	iscii, ST_SEV_358-88, iso-ir-153, csISO153GOST1976874, ISCII91
124	x-ISO-2022-CN-CNS	ISO2022CN_CNS, ISO-2022-CN-CNS
125	x-ISO-2022-CN-GB	ISO-2022-CN-GB, ISO2022CN_GB
126	x-iso-8859-11	iso-8859-11, iso8859_11
127	x-JIS0208	JIS0208, csISO87JISX0208, x0208, JIS_C6226-1983, JIS_X0208-1983, iso-ir-87
128	x-JISAutoDetect	JISAutoDetect
129	x-Johab	johab, ms1361, ksc5601-1992, ksc5601_1992
130	x-MacArabic	MacArabic
131	x-MacCentralEurope	MacCentralEurope
132	x-MacCroatian	MacCroatian
133	x-MacCyrillic	MacCyrillic
134	x-MacDingbat	MacDingbat
135	x-MacGreek	MacGreek
136	x-MacHebrew	MacHebrew
137	x-MacIceland	MacIceland
138	x-MacRoman	MacRoman
139	x-MacRomania	MacRomania
140	x-MacSymbol	MacSymbol
141	x-MacThai	MacThai
142	x-MacTurkish	MacTurkish
143	x-MacUkraine	MacUkraine
144	x-MS932_0213
145	x-MS950-HKSCS	MS950_HKSCS
146	x-mswin-936	ms936, ms_936
147	x-PCK	pck
148	x-SJIS_0213
149	x-windows-50220	cp50220, ms50220
150	x-windows-50221	ms50221, cp50221
151	x-windows-874	windows-874, ms874, ms-874
152	x-windows-949	windows949, ms_949, ms949
153	x-windows-950	windows-950, ms950
154	x-windows-iso2022jp	windows-iso2022jp

Sun Microsystems Inc. Java 1.6.0_45 (166 charsets)
#	Name	Aliases
1	Big5	csBig5
2	Big5-HKSCS	Big5_HKSCS, big5-hkscs, big5hk, big5hkscs
3	EUC-JP	eucjis, Extended_UNIX_Code_Packed_Format_for_Japanese, x-eucjp, eucjp, csEUCPkdFmtjapanese, euc_jp, x-euc-jp
4	EUC-KR	5601, ksc5601-1987, ksc5601_1987, euckr, ksc5601, ksc_5601, ks_c_5601-1987, euc_kr, csEUCKR
5	GB18030	gb18030-2000
6	GB2312	euc-cn, x-EUC-CN, gb2312-1980, gb2312, gb2312-80, euccn, EUC_CN
7	GBK	CP936, windows-936
8	IBM-Thai	838, cp838, ibm838, ibm-838
9	IBM00858	cp858, ccsid00858, 858, cp00858
10	IBM01140	ccsid01140, cp01140, 1140, cp1140
11	IBM01141	cp1141, ccsid01141, cp01141, 1141
12	IBM01142	cp01142, cp1142, 1142, ccsid01142
13	IBM01143	cp01143, 1143, ccsid01143, cp1143
14	IBM01144	cp01144, cp1144, ccsid01144, 1144
15	IBM01145	cp1145, cp01145, ccsid01145, 1145
16	IBM01146	ccsid01146, cp01146, cp1146, 1146
17	IBM01147	ccsid01147, cp1147, 1147, cp01147
18	IBM01148	cp1148, ccsid01148, 1148, cp01148
19	IBM01149	cp1149, cp01149, ccsid01149, 1149
20	IBM037	cs-ebcdic-cp-nl, 037, cp037, ebcdic-cp-nl, ibm-37, ebcdic-cp-wt, cs-ebcdic-cp-us, ebcdic-cp-ca, cs-ebcdic-cp-wt, csIBM037, ibm-037, cs-ebcdic-cp-ca, cpibm37, ibm037, ebcdic-cp-us
21	IBM1026	cp1026, ibm-1026, 1026, ibm1026
22	IBM1047	cp1047, 1047, ibm-1047
23	IBM273	ibm-273, ibm273, cp273, 273
24	IBM277	cp277, 277, ibm-277, ibm277
25	IBM278	cp278, ebcdic-cp-se, 278, ibm278, ebcdic-sv, ibm-278, csIBM278
26	IBM280	280, ibm-280, cp280, ibm280
27	IBM284	cpibm284, csIBM284, ibm284, cp284, 284, ibm-284
28	IBM285	ibm285, ebcdic-cp-gb, cpibm285, cp285, csIBM285, ebcdic-gb, 285, ibm-285
29	IBM297	cp297, ibm297, 297, cpibm297, ebcdic-cp-fr, ibm-297, csIBM297
30	IBM420	ibm420, cp420, 420, ibm-420, csIBM420, ebcdic-cp-ar1
31	IBM424	csIBM424, ibm-424, ibm424, cp424, ebcdic-cp-he, 424
32	IBM437	ibm-437, windows-437, cspc8codepage437, 437, ibm437, cp437
33	IBM500	ibm-500, ebcdic-cp-bh, cp500, csIBM500, ibm500, ebcdic-cp-ch, 500
34	IBM775	ibm-775, cp775, ibm775, 775
35	IBM850	ibm-850, cp850, 850, cspc850multilingual, ibm850
36	IBM852	ibm852, csPCp852, 852, ibm-852, cp852
37	IBM855	cspcp855, 855, ibm855, ibm-855, cp855
38	IBM857	csIBM857, 857, ibm-857, cp857, ibm857
39	IBM860	860, cp860, ibm-860, csIBM860, ibm860
40	IBM861	861, cp-is, ibm-861, cp861, csIBM861, ibm861
41	IBM862	ibm-862, ibm862, csIBM862, cp862, cspc862latinhebrew, 862
42	IBM863	ibm863, csIBM863, cp863, 863, ibm-863
43	IBM864	csIBM864, ibm864, 864, cp864, ibm-864
44	IBM865	csIBM865, ibm865, 865, ibm-865, cp865
45	IBM866	866, ibm-866, ibm866, csIBM866, cp866
46	IBM868	868, ibm-868, cp868, csIBM868, cp-ar, ibm868
47	IBM869	869, ibm-869, cp869, csIBM869, cp-gr, ibm869
48	IBM870	ibm-870, ebcdic-cp-roece, ebcdic-cp-yu, ibm870, csIBM870, cp870, 870
49	IBM871	ibm-871, 871, ebcdic-cp-is, cp871, csIBM871, ibm871
50	IBM918	cp918, ebcdic-cp-ar2, ibm-918, 918
51	ISO-2022-CN	ISO2022CN, csISO2022CN
52	ISO-2022-JP	jis_encoding, csjisencoding, jis, iso2022jp, csISO2022JP
53	ISO-2022-JP-2	csISO2022JP2, iso2022jp2
54	ISO-2022-KR	csISO2022KR, ISO2022KR
55	ISO-8859-1	csISOLatin1, IBM-819, iso-ir-100, 8859_1, ISO_8859-1, l1, ISO8859-1, ISO_8859_1, cp819, ISO8859_1, latin1, ISO_8859-1:1987, 819, IBM819
56	ISO-8859-13	8859_13, iso8859_13, iso_8859-13, ISO8859-13
57	ISO-8859-15	IBM923, 8859_15, ISO_8859-15, ISO-8859-15, L9, ISO8859-15, ISO8859_15_FDIS, 923, LATIN0, csISOlatin9, LATIN9, csISOlatin0, IBM-923, ISO8859_15, cp923
58	ISO-8859-2	iso-ir-101, csISOLatin2, ibm-912, 8859_2, l2, ISO_8859-2, ibm912, 912, ISO8859-2, latin2, iso8859_2, ISO_8859-2:1987, cp912
59	ISO-8859-3	ibm-913, csISOLatin3, iso-ir-109, l3, 8859_3, ibm913, ISO_8859-3, ISO8859-3, 913, latin3, iso8859_3, ISO_8859-3:1988, cp913
60	ISO-8859-4	iso-ir-110, iso8859-4, ibm914, ibm-914, l4, csISOLatin4, 914, 8859_4, latin4, ISO_8859-4, ISO_8859-4:1988, iso8859_4, cp914
61	ISO-8859-5	cp915, ISO8859-5, ibm915, ISO_8859-5:1988, ibm-915, 8859_5, 915, cyrillic, iso8859_5, ISO_8859-5, iso-ir-144, csISOLatinCyrillic
62	ISO-8859-6	arabic, ibm1089, iso8859_6, iso-ir-127, 8859_6, cp1089, ECMA-114, ISO_8859-6, csISOLatinArabic, ibm-1089, 1089, ISO8859-6, ASMO-708, ISO_8859-6:1987
63	ISO-8859-7	iso8859-7, sun_eu_greek, csISOLatinGreek, 813, ISO_8859-7, ISO_8859-7:1987, ibm-813, greek, greek8, iso8859_7, ECMA-118, iso-ir-126, 8859_7, cp813, ibm813, ELOT_928
64	ISO-8859-8	ibm916, cp916, csISOLatinHebrew, ISO_8859-8, ISO8859-8, ibm-916, iso8859_8, hebrew, 916, iso-ir-138, ISO_8859-8:1988, 8859_8
65	ISO-8859-9	ISO_8859-9, 920, iso8859_9, csISOLatin5, l5, 8859_9, latin5, ibm920, iso-ir-148, ISO_8859-9:1989, ISO8859-9, cp920, ibm-920
66	JIS_X0201	JIS0201, JIS_X0201, X0201, csHalfWidthKatakana
67	JIS_X0212-1990	csISO159JISX02121990, x0212, jis_x0212-1990, iso-ir-159, JIS0212
68	KOI8-R	cskoi8r, koi8_r, koi8
69	KOI8-U	koi8_u
70	Shift_JIS	x-sjis, shift_jis, sjis, ms_kanji, shift-jis, csShiftJIS
71	TIS-620	tis620.2533, tis620
72	US-ASCII	cp367, ascii7, ISO646-US, 646, csASCII, us, iso_646.irv:1983, ISO_646.irv:1991, IBM367, ASCII, default, ANSI_X3.4-1986, ANSI_X3.4-1968, iso-ir-6
73	UTF-16	utf16, UTF_16, UnicodeBig, unicode
74	UTF-16BE	X-UTF-16BE, UTF_16BE, ISO-10646-UCS-2, UnicodeBigUnmarked
75	UTF-16LE	UnicodeLittleUnmarked, UTF_16LE, X-UTF-16LE
76	UTF-32	UTF_32, UTF32
77	UTF-32BE	X-UTF-32BE, UTF_32BE
78	UTF-32LE	X-UTF-32LE, UTF_32LE
79	UTF-8	UTF8, unicode-1-1-utf-8
80	windows-1250	cp1250, cp5346
81	windows-1251	ansi-1251, cp5347, cp1251
82	windows-1252	cp1252, cp5348
83	windows-1253	cp1253, cp5349
84	windows-1254	cp1254, cp5350
85	windows-1255	cp1255
86	windows-1256	cp1256
87	windows-1257	cp1257, cp5353
88	windows-1258	cp1258
89	windows-31j	csWindows31J, windows-932, MS932
90	x-Big5-HKSCS-2001	big5-hkscs:unicode3.0, big5-hkscs-2001, big5hk-2001, big5hkscs-2001, Big5_HKSCS_2001
91	x-Big5-Solaris	Big5_Solaris
92	x-euc-jp-linux	euc-jp-linux, euc_jp_linux
93	x-EUC-TW	euc_tw, EUC-TW, cns11643, euctw
94	x-eucJP-Open	EUC_JP_Solaris, eucJP-open
95	x-IBM1006	cp1006, ibm-1006, ibm1006, 1006
96	x-IBM1025	cp1025, ibm-1025, 1025, ibm1025
97	x-IBM1046	ibm-1046, cp1046, ibm1046, 1046
98	x-IBM1097	cp1097, 1097, ibm-1097, ibm1097
99	x-IBM1098	ibm-1098, cp1098, ibm1098, 1098
100	x-IBM1112	ibm-1112, 1112, ibm1112, cp1112
101	x-IBM1122	cp1122, ibm-1122, 1122, ibm1122
102	x-IBM1123	cp1123, ibm-1123, 1123, ibm1123
103	x-IBM1124	cp1124, ibm-1124, 1124, ibm1124
104	x-IBM1364	cp1364, 1364, ibm1364, ibm-1364
105	x-IBM1381	ibm1381, cp1381, ibm-1381, 1381
106	x-IBM1383	cp1383, 1383, ibm1383, ibm-1383
107	x-IBM33722	ibm33722, 33722, ibm-33722_vascii_vpua, ibm-5050, ibm-33722, cp33722
108	x-IBM737	cp737, ibm-737, 737, ibm737
109	x-IBM833	ibm-833, ibm833, cp833
110	x-IBM834	ibm834, ibm-834, cp834
111	x-IBM856	856, cp856, ibm-856, ibm856
112	x-IBM874	cp874, ibm874, 874, ibm-874
113	x-IBM875	ibm875, 875, cp875, ibm-875
114	x-IBM921	cp921, ibm921, ibm-921, 921
115	x-IBM922	ibm922, ibm-922, cp922, 922
116	x-IBM930	cp930, ibm930, ibm-930, 930
117	x-IBM933	cp933, 933, ibm933, ibm-933
118	x-IBM935	ibm935, cp935, 935, ibm-935
119	x-IBM937	ibm-937, cp937, 937, ibm937
120	x-IBM939	ibm-939, ibm939, cp939, 939
121	x-IBM942	ibm-942, ibm942, cp942, 942
122	x-IBM942C	942C, ibm942C, cp942C, ibm-942C
123	x-IBM943	943, ibm-943, cp943, ibm943
124	x-IBM943C	ibm-943C, 943C, cp943C, ibm943C
125	x-IBM948	ibm948, ibm-948, cp948, 948
126	x-IBM949	ibm949, ibm-949, 949, cp949
127	x-IBM949C	cp949C, 949C, ibm-949C, ibm949C
128	x-IBM950	950, ibm950, cp950, ibm-950
129	x-IBM964	964, cp964, ibm-964, ibm964
130	x-IBM970	970, ibm-970, ibm970, cp970, ibm-eucKR
131	x-ISCII91	iso-ir-153, ST_SEV_358-88, ISCII91, iscii, csISO153GOST1976874
132	x-ISO-2022-CN-CNS	ISO-2022-CN-CNS, ISO2022CN_CNS
133	x-ISO-2022-CN-GB	ISO-2022-CN-GB, ISO2022CN_GB
134	x-iso-8859-11	iso-8859-11, iso8859_11
135	x-JIS0208	JIS_X0208-1983, x0208, JIS0208, JIS_C6226-1983, iso-ir-87, csISO87JISX0208
136	x-JISAutoDetect	JISAutoDetect
137	x-Johab	ksc5601_1992, ms1361, ksc5601-1992, johab
138	x-MacArabic	MacArabic
139	x-MacCentralEurope	MacCentralEurope
140	x-MacCroatian	MacCroatian
141	x-MacCyrillic	MacCyrillic
142	x-MacDingbat	MacDingbat
143	x-MacGreek	MacGreek
144	x-MacHebrew	MacHebrew
145	x-MacIceland	MacIceland
146	x-MacRoman	MacRoman
147	x-MacRomania	MacRomania
148	x-MacSymbol	MacSymbol
149	x-MacThai	MacThai
150	x-MacTurkish	MacTurkish
151	x-MacUkraine	MacUkraine
152	x-MS932_0213
153	x-MS950-HKSCS	MS950_HKSCS
154	x-MS950-HKSCS-XP	MS950_HKSCS_XP
155	x-mswin-936	ms936, ms_936
156	x-PCK	pck
157	x-SJIS_0213
158	x-UTF-16LE-BOM	UnicodeLittle
159	X-UTF-32BE-BOM	UTF_32BE_BOM, UTF-32BE-BOM
160	X-UTF-32LE-BOM	UTF_32LE_BOM, UTF-32LE-BOM
161	x-windows-50220	cp50220, ms50220
162	x-windows-50221	ms50221, cp50221
163	x-windows-874	ms-874, ms874, windows-874
164	x-windows-949	windows-949, ms_949, windows949, ms949
165	x-windows-950	ms950, windows-950
166	x-windows-iso2022jp	windows-iso2022jp

Oracle Corporation Java 1.7.0_79 (168 charsets)
#	Name	Aliases
1	Big5	csBig5
2	Big5-HKSCS	Big5_HKSCS, big5-hkscs, big5hkscs, big5hk
3	EUC-JP	eucjis, Extended_UNIX_Code_Packed_Format_for_Japanese, x-eucjp, eucjp, csEUCPkdFmtjapanese, x-euc-jp, euc_jp
4	EUC-KR	5601, ksc5601-1987, ksc5601_1987, euckr, ksc5601, ksc_5601, ks_c_5601-1987, euc_kr, csEUCKR
5	GB18030	gb18030-2000
6	GB2312	euc-cn, x-EUC-CN, gb2312-1980, gb2312, gb2312-80, EUC_CN, euccn
7	GBK	windows-936, CP936
8	IBM-Thai	838, cp838, ibm838, ibm-838
9	IBM00858	cp858, 858, ccsid00858, PC-Multilingual-850+euro, cp00858
10	IBM01140	1140, cp01140, ccsid01140, cp1140, ebcdic-us-037+euro
11	IBM01141	cp1141, 1141, cp01141, ccsid01141, ebcdic-de-273+euro
12	IBM01142	cp01142, cp1142, ebcdic-no-277+euro, 1142, ebcdic-dk-277+euro, ccsid01142
13	IBM01143	ebcdic-se-278+euro, 1143, cp01143, ccsid01143, ebcdic-fi-278+euro, cp1143
14	IBM01144	cp01144, ebcdic-it-280+euro, 1144, ccsid01144, cp1144
15	IBM01145	ebcdic-es-284+euro, cp1145, cp01145, 1145, ccsid01145
16	IBM01146	ccsid01146, cp01146, ebcdic-gb-285+euro, 1146, cp1146
17	IBM01147	ccsid01147, ebcdic-fr-277+euro, cp1147, 1147, cp01147
18	IBM01148	cp1148, ebcdic-international-500+euro, 1148, ccsid01148, cp01148
19	IBM01149	ebcdic-s-871+euro, cp01149, cp1149, 1149, ccsid01149
20	IBM037	cs-ebcdic-cp-nl, cs-ebcdic-cp-us, ebcdic-cp-wt, 037, ebcdic-cp-ca, cs-ebcdic-cp-wt, ibm-037, csIBM037, cp037, cs-ebcdic-cp-ca, cpibm37, ibm037, ebcdic-cp-nl, ebcdic-cp-us, ibm-37
21	IBM1026	1026, cp1026, ibm-1026, ibm1026
22	IBM1047	cp1047, 1047, ibm-1047
23	IBM273	ibm-273, ibm273, cp273, 273
24	IBM277	277, cp277, ibm-277, ibm277
25	IBM278	csIBM278, ebcdic-cp-se, cp278, 278, ebcdic-sv, ibm278, ibm-278
26	IBM280	280, ibm-280, ibm280, cp280
27	IBM284	cpibm284, csIBM284, ibm284, cp284, 284, ibm-284
28	IBM285	ibm285, ebcdic-cp-gb, cpibm285, cp285, csIBM285, ebcdic-gb, 285, ibm-285
29	IBM290	cp290, ibm-290, ibm290, EBCDIC-JP-kana, 290, csIBM290
30	IBM297	cp297, cpibm297, ibm297, ebcdic-cp-fr, 297, ibm-297, csIBM297
31	IBM420	ibm420, cp420, 420, ibm-420, csIBM420, ebcdic-cp-ar1
32	IBM424	csIBM424, ibm-424, ibm424, cp424, ebcdic-cp-he, 424
33	IBM437	ibm-437, windows-437, cspc8codepage437, 437, ibm437, cp437
34	IBM500	ibm-500, ebcdic-cp-bh, cp500, csIBM500, ibm500, ebcdic-cp-ch, 500
35	IBM775	ibm-775, 775, cp775, ibm775
36	IBM850	ibm-850, cp850, 850, cspc850multilingual, ibm850
37	IBM852	ibm852, csPCp852, 852, ibm-852, cp852
38	IBM855	cspcp855, 855, ibm855, ibm-855, cp855
39	IBM857	csIBM857, 857, ibm-857, cp857, ibm857
40	IBM860	860, cp860, ibm-860, csIBM860, ibm860
41	IBM861	861, cp-is, ibm-861, cp861, csIBM861, ibm861
42	IBM862	ibm-862, ibm862, csIBM862, cp862, cspc862latinhebrew, 862
43	IBM863	ibm863, csIBM863, cp863, 863, ibm-863
44	IBM864	csIBM864, ibm864, 864, cp864, ibm-864
45	IBM865	csIBM865, ibm865, 865, ibm-865, cp865
46	IBM866	866, ibm-866, ibm866, csIBM866, cp866
47	IBM868	868, ibm-868, cp868, csIBM868, cp-ar, ibm868
48	IBM869	869, ibm-869, cp869, csIBM869, cp-gr, ibm869
49	IBM870	ibm-870, ebcdic-cp-roece, ebcdic-cp-yu, csIBM870, ibm870, cp870, 870
50	IBM871	ibm-871, 871, ebcdic-cp-is, cp871, csIBM871, ibm871
51	IBM918	ebcdic-cp-ar2, 918, ibm-918, cp918
52	ISO-2022-CN	csISO2022CN, ISO2022CN
53	ISO-2022-JP	jis_encoding, csjisencoding, jis, iso2022jp, csISO2022JP
54	ISO-2022-JP-2	csISO2022JP2, iso2022jp2
55	ISO-2022-KR	csISO2022KR, ISO2022KR
56	ISO-8859-1	csISOLatin1, latin1, IBM-819, iso-ir-100, 8859_1, ISO_8859-1:1987, ISO_8859-1, 819, l1, ISO8859-1, IBM819, ISO_8859_1, ISO8859_1, cp819
57	ISO-8859-13	8859_13, iso8859_13, iso_8859-13, ISO8859-13
58	ISO-8859-15	IBM923, 8859_15, ISO_8859-15, ISO-8859-15, L9, ISO8859-15, ISO8859_15_FDIS, 923, LATIN0, csISOlatin9, LATIN9, csISOlatin0, IBM-923, ISO8859_15, cp923
59	ISO-8859-2	csISOLatin2, iso-ir-101, ibm-912, 8859_2, l2, ISO_8859-2, ibm912, 912, ISO8859-2, latin2, iso8859_2, ISO_8859-2:1987, cp912
60	ISO-8859-3	ibm-913, latin3, csISOLatin3, iso-ir-109, l3, iso8859_3, ISO_8859-3:1988, 8859_3, ibm913, ISO8859-3, ISO_8859-3, 913, cp913
61	ISO-8859-4	iso-ir-110, iso8859-4, ibm914, ibm-914, csISOLatin4, l4, 914, 8859_4, latin4, ISO_8859-4, ISO_8859-4:1988, iso8859_4, cp914
62	ISO-8859-5	cp915, ISO8859-5, ibm915, ISO_8859-5:1988, ibm-915, 8859_5, 915, cyrillic, iso8859_5, ISO_8859-5, iso-ir-144, csISOLatinCyrillic
63	ISO-8859-6	arabic, ibm1089, iso8859_6, iso-ir-127, 8859_6, cp1089, ECMA-114, ISO_8859-6, csISOLatinArabic, 1089, ibm-1089, ISO8859-6, ASMO-708, ISO_8859-6:1987
64	ISO-8859-7	iso8859-7, sun_eu_greek, csISOLatinGreek, 813, ISO_8859-7, ibm-813, ISO_8859-7:1987, greek, greek8, iso8859_7, ECMA-118, iso-ir-126, 8859_7, cp813, ibm813, ELOT_928
65	ISO-8859-8	ibm916, cp916, csISOLatinHebrew, ISO_8859-8, ISO8859-8, ibm-916, iso8859_8, hebrew, 916, iso-ir-138, ISO_8859-8:1988, 8859_8
66	ISO-8859-9	ISO_8859-9, 920, iso8859_9, csISOLatin5, l5, 8859_9, latin5, ibm920, iso-ir-148, ISO_8859-9:1989, ISO8859-9, cp920, ibm-920
67	JIS_X0201	JIS0201, X0201, JIS_X0201, csHalfWidthKatakana
68	JIS_X0212-1990	csISO159JISX02121990, x0212, jis_x0212-1990, iso-ir-159, JIS0212
69	KOI8-R	cskoi8r, koi8_r, koi8
70	KOI8-U	koi8_u
71	Shift_JIS	x-sjis, shift_jis, sjis, ms_kanji, shift-jis, csShiftJIS
72	TIS-620	tis620.2533, tis620
73	US-ASCII	cp367, ascii7, ISO646-US, 646, csASCII, us, iso_646.irv:1983, ISO_646.irv:1991, IBM367, ASCII, default, ANSI_X3.4-1986, ANSI_X3.4-1968, iso-ir-6
74	UTF-16	utf16, UnicodeBig, UTF_16, unicode
75	UTF-16BE	X-UTF-16BE, UTF_16BE, ISO-10646-UCS-2, UnicodeBigUnmarked
76	UTF-16LE	UnicodeLittleUnmarked, UTF_16LE, X-UTF-16LE
77	UTF-32	UTF32, UTF_32
78	UTF-32BE	X-UTF-32BE, UTF_32BE
79	UTF-32LE	X-UTF-32LE, UTF_32LE
80	UTF-8	unicode-1-1-utf-8, UTF8
81	windows-1250	cp1250, cp5346
82	windows-1251	ansi-1251, cp5347, cp1251
83	windows-1252	cp1252, cp5348
84	windows-1253	cp5349, cp1253
85	windows-1254	cp5350, cp1254
86	windows-1255	cp1255
87	windows-1256	cp1256
88	windows-1257	cp1257, cp5353
89	windows-1258	cp1258
90	windows-31j	csWindows31J, windows-932, MS932
91	x-Big5-HKSCS-2001	big5-hkscs:unicode3.0, big5-hkscs-2001, big5hk-2001, big5hkscs-2001, Big5_HKSCS_2001
92	x-Big5-Solaris	Big5_Solaris
93	x-euc-jp-linux	euc_jp_linux, euc-jp-linux
94	x-EUC-TW	euctw, euc_tw, EUC-TW, cns11643
95	x-eucJP-Open	eucJP-open, EUC_JP_Solaris
96	x-IBM1006	ibm-1006, cp1006, ibm1006, 1006
97	x-IBM1025	ibm-1025, cp1025, 1025, ibm1025
98	x-IBM1046	ibm-1046, ibm1046, cp1046, 1046
99	x-IBM1097	1097, cp1097, ibm-1097, ibm1097
100	x-IBM1098	ibm-1098, ibm1098, cp1098, 1098
101	x-IBM1112	ibm-1112, 1112, ibm1112, cp1112
102	x-IBM1122	1122, cp1122, ibm-1122, ibm1122
103	x-IBM1123	ibm-1123, ibm1123, cp1123, 1123
104	x-IBM1124	1124, cp1124, ibm-1124, ibm1124
105	x-IBM1364	1364, cp1364, ibm1364, ibm-1364
106	x-IBM1381	ibm-1381, ibm1381, cp1381, 1381
107	x-IBM1383	cp1383, 1383, ibm-1383, ibm1383
108	x-IBM300	ibm300, 300, cp300, ibm-300
109	x-IBM33722	ibm33722, 33722, ibm-33722_vascii_vpua, ibm-5050, ibm-33722, cp33722
110	x-IBM737	cp737, ibm-737, 737, ibm737
111	x-IBM833	ibm-833, ibm833, cp833
112	x-IBM834	834, ibm834, ibm-834, cp834
113	x-IBM856	856, cp856, ibm-856, ibm856
114	x-IBM874	874, cp874, ibm874, ibm-874
115	x-IBM875	875, ibm875, cp875, ibm-875
116	x-IBM921	cp921, ibm921, 921, ibm-921
117	x-IBM922	ibm922, ibm-922, 922, cp922
118	x-IBM930	cp930, ibm930, 930, ibm-930
119	x-IBM933	933, cp933, ibm933, ibm-933
120	x-IBM935	ibm935, 935, cp935, ibm-935
121	x-IBM937	ibm-937, cp937, 937, ibm937
122	x-IBM939	ibm-939, ibm939, cp939, 939
123	x-IBM942	ibm-942, ibm942, 942, cp942
124	x-IBM942C	942C, ibm942C, ibm-942C, cp942C
125	x-IBM943	ibm943, cp943, 943, ibm-943
126	x-IBM943C	ibm-943C, 943C, cp943C, ibm943C
127	x-IBM948	ibm948, ibm-948, cp948, 948
128	x-IBM949	949, ibm-949, ibm949, cp949
129	x-IBM949C	ibm949C, cp949C, 949C, ibm-949C
130	x-IBM950	950, ibm950, cp950, ibm-950
131	x-IBM964	964, ibm-964, cp964, ibm964
132	x-IBM970	970, ibm-970, ibm970, cp970, ibm-eucKR
133	x-ISCII91	iso-ir-153, ST_SEV_358-88, ISCII91, iscii, csISO153GOST1976874
134	x-ISO-2022-CN-CNS	ISO-2022-CN-CNS, ISO2022CN_CNS
135	x-ISO-2022-CN-GB	ISO-2022-CN-GB, ISO2022CN_GB
136	x-iso-8859-11	iso-8859-11, iso8859_11
137	x-JIS0208	JIS_X0208-1983, x0208, JIS0208, JIS_C6226-1983, iso-ir-87, csISO87JISX0208
138	x-JISAutoDetect	JISAutoDetect
139	x-Johab	ksc5601_1992, ms1361, johab, ksc5601-1992
140	x-MacArabic	MacArabic
141	x-MacCentralEurope	MacCentralEurope
142	x-MacCroatian	MacCroatian
143	x-MacCyrillic	MacCyrillic
144	x-MacDingbat	MacDingbat
145	x-MacGreek	MacGreek
146	x-MacHebrew	MacHebrew
147	x-MacIceland	MacIceland
148	x-MacRoman	MacRoman
149	x-MacRomania	MacRomania
150	x-MacSymbol	MacSymbol
151	x-MacThai	MacThai
152	x-MacTurkish	MacTurkish
153	x-MacUkraine	MacUkraine
154	x-MS932_0213
155	x-MS950-HKSCS	MS950_HKSCS
156	x-MS950-HKSCS-XP	MS950_HKSCS_XP
157	x-mswin-936	ms936, ms_936
158	x-PCK	pck
159	x-SJIS_0213
160	x-UTF-16LE-BOM	UnicodeLittle
161	X-UTF-32BE-BOM	UTF-32BE-BOM, UTF_32BE_BOM
162	X-UTF-32LE-BOM	UTF_32LE_BOM, UTF-32LE-BOM
163	x-windows-50220	ms50220, cp50220
164	x-windows-50221	cp50221, ms50221
165	x-windows-874	ms-874, ms874, windows-874
166	x-windows-949	ms_949, windows-949, windows949, ms949
167	x-windows-950	ms950, windows-950
168	x-windows-iso2022jp	windows-iso2022jp

Oracle Corporation Java 1.8.0_77 (170 charsets)
#	Name	Aliases
1	Big5	csBig5
2	Big5-HKSCS	big5-hkscs, big5hk, Big5_HKSCS, big5hkscs
3	CESU-8	CESU8, csCESU-8
4	EUC-JP	csEUCPkdFmtjapanese, x-euc-jp, eucjis, Extended_UNIX_Code_Packed_Format_for_Japanese, euc_jp, eucjp, x-eucjp
5	EUC-KR	ksc5601-1987, csEUCKR, ksc5601_1987, ksc5601, 5601, euc_kr, ksc_5601, ks_c_5601-1987, euckr
6	GB18030	gb18030-2000
7	GB2312	gb2312, euc-cn, x-EUC-CN, euccn, EUC_CN, gb2312-80, gb2312-1980
8	GBK	CP936, windows-936
9	IBM-Thai	ibm-838, ibm838, 838, cp838
10	IBM00858	cp858, 858, PC-Multilingual-850+euro, cp00858, ccsid00858
11	IBM01140	cp1140, 1140, cp01140, ebcdic-us-037+euro, ccsid01140
12	IBM01141	1141, cp1141, cp01141, ccsid01141, ebcdic-de-273+euro
13	IBM01142	1142, cp1142, cp01142, ccsid01142, ebcdic-no-277+euro, ebcdic-dk-277+euro
14	IBM01143	1143, cp01143, ccsid01143, cp1143, ebcdic-fi-278+euro, ebcdic-se-278+euro
15	IBM01144	cp01144, ccsid01144, ebcdic-it-280+euro, cp1144, 1144
16	IBM01145	ccsid01145, ebcdic-es-284+euro, 1145, cp1145, cp01145
17	IBM01146	ebcdic-gb-285+euro, 1146, cp1146, cp01146, ccsid01146
18	IBM01147	cp1147, 1147, cp01147, ccsid01147, ebcdic-fr-277+euro
19	IBM01148	cp1148, ebcdic-international-500+euro, 1148, cp01148, ccsid01148
20	IBM01149	ebcdic-s-871+euro, 1149, cp1149, cp01149, ccsid01149
21	IBM037	cp037, ibm037, ibm-037, csIBM037, ebcdic-cp-us, ebcdic-cp-ca, ebcdic-cp-nl, ebcdic-cp-wt, 037, cpibm37, cs-ebcdic-cp-wt, ibm-37, cs-ebcdic-cp-us, cs-ebcdic-cp-ca, cs-ebcdic-cp-nl
22	IBM1026	cp1026, ibm-1026, 1026, ibm1026
23	IBM1047	ibm-1047, 1047, cp1047
24	IBM273	ibm-273, ibm273, 273, cp273
25	IBM277	ibm277, 277, cp277, ibm-277
26	IBM278	cp278, 278, ibm-278, ebcdic-cp-se, csIBM278, ibm278, ebcdic-sv
27	IBM280	ibm280, 280, cp280, ibm-280
28	IBM284	csIBM284, ibm-284, cpibm284, ibm284, 284, cp284
29	IBM285	csIBM285, cp285, ebcdic-gb, ibm-285, cpibm285, ibm285, 285, ebcdic-cp-gb
30	IBM290	ibm290, 290, cp290, EBCDIC-JP-kana, csIBM290, ibm-290
31	IBM297	297, csIBM297, cp297, ibm297, ibm-297, cpibm297, ebcdic-cp-fr
32	IBM420	ibm420, 420, cp420, csIBM420, ibm-420, ebcdic-cp-ar1
33	IBM424	ebcdic-cp-he, csIBM424, ibm-424, ibm424, 424, cp424
34	IBM437	ibm437, 437, ibm-437, cspc8codepage437, cp437, windows-437
35	IBM500	ibm-500, ibm500, 500, ebcdic-cp-bh, ebcdic-cp-ch, csIBM500, cp500
36	IBM775	ibm-775, ibm775, 775, cp775
37	IBM850	cp850, cspc850multilingual, ibm850, 850, ibm-850
38	IBM852	csPCp852, ibm-852, ibm852, 852, cp852
39	IBM855	ibm855, 855, ibm-855, cp855, cspcp855
40	IBM857	ibm857, 857, cp857, csIBM857, ibm-857
41	IBM860	ibm860, 860, cp860, csIBM860, ibm-860
42	IBM861	cp861, ibm861, 861, ibm-861, cp-is, csIBM861
43	IBM862	csIBM862, cp862, ibm862, 862, cspc862latinhebrew, ibm-862
44	IBM863	csIBM863, ibm-863, ibm863, 863, cp863
45	IBM864	csIBM864, ibm-864, ibm864, 864, cp864
46	IBM865	ibm-865, csIBM865, cp865, ibm865, 865
47	IBM866	ibm866, 866, ibm-866, csIBM866, cp866
48	IBM868	ibm868, 868, cp868, csIBM868, ibm-868, cp-ar
49	IBM869	cp869, ibm869, 869, ibm-869, cp-gr, csIBM869
50	IBM870	870, cp870, csIBM870, ibm-870, ibm870, ebcdic-cp-roece, ebcdic-cp-yu
51	IBM871	ibm871, 871, cp871, ebcdic-cp-is, csIBM871, ibm-871
52	IBM918	918, ibm-918, ebcdic-cp-ar2, cp918
53	ISO-2022-CN	csISO2022CN, ISO2022CN
54	ISO-2022-JP	csjisencoding, iso2022jp, jis_encoding, jis, csISO2022JP
55	ISO-2022-JP-2	csISO2022JP2, iso2022jp2
56	ISO-2022-KR	csISO2022KR, ISO2022KR
57	ISO-8859-1	819, ISO8859-1, l1, ISO_8859-1:1987, ISO_8859-1, 8859_1, iso-ir-100, latin1, cp819, ISO8859_1, IBM819, ISO_8859_1, IBM-819, csISOLatin1
58	ISO-8859-13	iso_8859-13, ISO8859-13, iso8859_13, 8859_13
59	ISO-8859-15	ISO8859-15, LATIN0, ISO8859_15_FDIS, ISO8859_15, cp923, 8859_15, L9, ISO-8859-15, IBM923, csISOlatin9, ISO_8859-15, IBM-923, csISOlatin0, 923, LATIN9
60	ISO-8859-2	ISO8859-2, ibm912, l2, ISO_8859-2, 8859_2, cp912, ISO_8859-2:1987, iso8859_2, iso-ir-101, latin2, 912, csISOLatin2, ibm-912
61	ISO-8859-3	ISO8859-3, ibm913, 8859_3, l3, cp913, ISO_8859-3, iso8859_3, latin3, csISOLatin3, 913, ISO_8859-3:1988, ibm-913, iso-ir-109
62	ISO-8859-4	8859_4, latin4, l4, cp914, ISO_8859-4:1988, ibm914, ISO_8859-4, iso-ir-110, iso8859_4, csISOLatin4, iso8859-4, 914, ibm-914
63	ISO-8859-5	ISO_8859-5:1988, csISOLatinCyrillic, iso-ir-144, iso8859_5, cp915, 8859_5, ibm-915, ISO_8859-5, ibm915, 915, cyrillic, ISO8859-5
64	ISO-8859-6	ASMO-708, 8859_6, iso8859_6, ISO_8859-6, csISOLatinArabic, ibm1089, arabic, ibm-1089, 1089, ECMA-114, iso-ir-127, ISO_8859-6:1987, ISO8859-6, cp1089
65	ISO-8859-7	greek, 8859_7, greek8, ibm813, ISO_8859-7, iso8859_7, ELOT_928, cp813, ISO_8859-7:1987, sun_eu_greek, csISOLatinGreek, iso-ir-126, 813, iso8859-7, ECMA-118, ibm-813
66	ISO-8859-8	8859_8, ISO_8859-8, ISO_8859-8:1988, cp916, iso-ir-138, ISO8859-8, hebrew, iso8859_8, ibm-916, csISOLatinHebrew, 916, ibm916
67	ISO-8859-9	ibm-920, ISO_8859-9, 8859_9, ISO_8859-9:1989, ibm920, latin5, l5, iso8859_9, cp920, 920, iso-ir-148, ISO8859-9, csISOLatin5
68	JIS_X0201	JIS0201, csHalfWidthKatakana, X0201, JIS_X0201
69	JIS_X0212-1990	JIS0212, iso-ir-159, x0212, jis_x0212-1990, csISO159JISX02121990
70	KOI8-R	koi8_r, koi8, cskoi8r
71	KOI8-U	koi8_u
72	Shift_JIS	shift_jis, x-sjis, sjis, shift-jis, ms_kanji, csShiftJIS
73	TIS-620	tis620, tis620.2533
74	US-ASCII	ANSI_X3.4-1968, cp367, csASCII, iso-ir-6, ASCII, iso_646.irv:1983, ANSI_X3.4-1986, ascii7, default, ISO_646.irv:1991, ISO646-US, IBM367, 646, us
75	UTF-16	UTF_16, unicode, utf16, UnicodeBig
76	UTF-16BE	X-UTF-16BE, UTF_16BE, ISO-10646-UCS-2, UnicodeBigUnmarked
77	UTF-16LE	UnicodeLittleUnmarked, UTF_16LE, X-UTF-16LE
78	UTF-32	UTF_32, UTF32
79	UTF-32BE	X-UTF-32BE, UTF_32BE
80	UTF-32LE	X-UTF-32LE, UTF_32LE
81	UTF-8	unicode-1-1-utf-8, UTF8
82	windows-1250	cp1250, cp5346
83	windows-1251	cp5347, ansi-1251, cp1251
84	windows-1252	cp5348, cp1252
85	windows-1253	cp1253, cp5349
86	windows-1254	cp1254, cp5350
87	windows-1255	cp1255
88	windows-1256	cp1256
89	windows-1257	cp1257, cp5353
90	windows-1258	cp1258
91	windows-31j	MS932, windows-932, csWindows31J
92	x-Big5-HKSCS-2001	Big5_HKSCS_2001, big5-hkscs-2001, big5hk-2001, big5-hkscs:unicode3.0, big5hkscs-2001
93	x-Big5-Solaris	Big5_Solaris
94	x-euc-jp-linux	euc_jp_linux, euc-jp-linux
95	x-EUC-TW	euctw, cns11643, EUC-TW, euc_tw
96	x-eucJP-Open	eucJP-open, EUC_JP_Solaris
97	x-IBM1006	ibm1006, ibm-1006, 1006, cp1006
98	x-IBM1025	ibm-1025, 1025, cp1025, ibm1025
99	x-IBM1046	ibm1046, ibm-1046, 1046, cp1046
100	x-IBM1097	ibm1097, ibm-1097, 1097, cp1097
101	x-IBM1098	ibm-1098, 1098, cp1098, ibm1098
102	x-IBM1112	ibm1112, ibm-1112, 1112, cp1112
103	x-IBM1122	cp1122, ibm1122, ibm-1122, 1122
104	x-IBM1123	ibm1123, ibm-1123, 1123, cp1123
105	x-IBM1124	ibm-1124, 1124, cp1124, ibm1124
106	x-IBM1166	cp1166, ibm1166, ibm-1166, 1166
107	x-IBM1364	cp1364, ibm1364, ibm-1364, 1364
108	x-IBM1381	cp1381, ibm-1381, 1381, ibm1381
109	x-IBM1383	ibm1383, ibm-1383, 1383, cp1383
110	x-IBM300	cp300, ibm300, 300, ibm-300
111	x-IBM33722	33722, ibm-33722, cp33722, ibm33722, ibm-5050, ibm-33722_vascii_vpua
112	x-IBM737	cp737, ibm737, 737, ibm-737
113	x-IBM833	ibm833, cp833, ibm-833
114	x-IBM834	ibm834, 834, cp834, ibm-834
115	x-IBM856	ibm856, 856, cp856, ibm-856
116	x-IBM874	ibm-874, ibm874, 874, cp874
117	x-IBM875	ibm-875, ibm875, 875, cp875
118	x-IBM921	ibm921, 921, ibm-921, cp921
119	x-IBM922	ibm922, 922, cp922, ibm-922
120	x-IBM930	ibm-930, ibm930, 930, cp930
121	x-IBM933	ibm933, 933, cp933, ibm-933
122	x-IBM935	cp935, ibm935, 935, ibm-935
123	x-IBM937	ibm-937, ibm937, 937, cp937
124	x-IBM939	ibm-939, cp939, ibm939, 939
125	x-IBM942	ibm-942, cp942, ibm942, 942
126	x-IBM942C	ibm942C, cp942C, ibm-942C, 942C
127	x-IBM943	ibm943, 943, ibm-943, cp943
128	x-IBM943C	943C, cp943C, ibm943C, ibm-943C
129	x-IBM948	ibm-948, ibm948, 948, cp948
130	x-IBM949	ibm-949, ibm949, 949, cp949
131	x-IBM949C	ibm949C, ibm-949C, cp949C, 949C
132	x-IBM950	cp950, ibm950, 950, ibm-950
133	x-IBM964	ibm-964, cp964, ibm964, 964
134	x-IBM970	ibm970, ibm-eucKR, 970, cp970, ibm-970
135	x-ISCII91	ISCII91, iso-ir-153, iscii, ST_SEV_358-88, csISO153GOST1976874
136	x-ISO-2022-CN-CNS	ISO2022CN_CNS, ISO-2022-CN-CNS
137	x-ISO-2022-CN-GB	ISO2022CN_GB, ISO-2022-CN-GB
138	x-iso-8859-11	iso-8859-11, iso8859_11
139	x-JIS0208	JIS0208, JIS_C6226-1983, iso-ir-87, x0208, JIS_X0208-1983, csISO87JISX0208
140	x-JISAutoDetect	JISAutoDetect
141	x-Johab	ms1361, ksc5601_1992, johab, ksc5601-1992
142	x-MacArabic	MacArabic
143	x-MacCentralEurope	MacCentralEurope
144	x-MacCroatian	MacCroatian
145	x-MacCyrillic	MacCyrillic
146	x-MacDingbat	MacDingbat
147	x-MacGreek	MacGreek
148	x-MacHebrew	MacHebrew
149	x-MacIceland	MacIceland
150	x-MacRoman	MacRoman
151	x-MacRomania	MacRomania
152	x-MacSymbol	MacSymbol
153	x-MacThai	MacThai
154	x-MacTurkish	MacTurkish
155	x-MacUkraine	MacUkraine
156	x-MS932_0213
157	x-MS950-HKSCS	MS950_HKSCS
158	x-MS950-HKSCS-XP	MS950_HKSCS_XP
159	x-mswin-936	ms936, ms_936
160	x-PCK	pck
161	x-SJIS_0213
162	x-UTF-16LE-BOM	UnicodeLittle
163	X-UTF-32BE-BOM	UTF_32BE_BOM, UTF-32BE-BOM
164	X-UTF-32LE-BOM	UTF_32LE_BOM, UTF-32LE-BOM
165	x-windows-50220	cp50220, ms50220
166	x-windows-50221	cp50221, ms50221
167	x-windows-874	ms-874, ms874, windows-874
168	x-windows-949	windows949, ms949, windows-949, ms_949
169	x-windows-950	ms950, windows-950
170	x-windows-iso2022jp	windows-iso2022jp

 

IBM Corporation Java 1.8.0 (243 charsets)
#	Name	Aliases
1	Big5	csBig5, big5-0
2	Big5-HKSCS	big5-hkscs, big5hk, big5_hkscs, big5hkscs
3	CESU-8	cesu_8, cesu-8, CESU8, csCESU-8
4	EUC-JP	extended_unix_code_packed_format_for_japanese, cseucpkdfmtjapanese, x-euc-jp, eucjis, euc_jp, eucjp, x-eucjp
5	EUC-KR	ksc5601-1987, ksc5601_1987, ks-c-5601-1987, cseuckr, euc-kr, ksc-5601, 5601, euc_kr, ksc_5601, ks_c_5601-1987, euckr
6	GB18030	windows-54936, cp1392, ibm-1392, 1392, gb18030-2000, ibm1392
7	GB2312	euc-cn, x-euc_cn, gb2312, x-euc-cn, euccn, gb2312-80, euc_cn, gb2312-1980
8	GBK	cp936, ibm936, 936, ibm-936
9	hp-roman8	hp-roman8, r8, cp1051, ibm-1051, roman8, 1051, ibm1051
10	IBM-Thai	ibm-838, ibm838, 838, cp838
11	IBM00858	PC-Multilingual-850+euro, ibm858, cp-858, cp858, 858, cp00858, ibm-858, ccsid00858
12	IBM00924	ibm924, ebcdic-latin9–euro, cp924, 924, ibm-924, cp00924, ibm00924, ccsid00924
13	IBM01140	ibm1140, IBM-1140, cp1140, ibm-1140, 1140, cp01140, ccsid01140
14	IBM01141	ibm-1141, ibm1141, 1141, cp1141, cp01141, ccsid01141
15	IBM01142	ibm-1142, 1142, cp1142, cp01142, ibm1142, ccsid01142
16	IBM01143	1143, cp01143, ccsid01143, ibm1143, cp1143, ibm-1143
17	IBM01144	cp01144, ccsid01144, cp1144, ibm1144, ibm-1144, 1144
18	IBM01145	ccsid01145, ibm1145, ibm-1145, 1145, cp1145, cp01145
19	IBM01146	ibm-1146, 1146, cp1146, cp01146, ibm1146, ccsid01146
20	IBM01147	cp1147, ibm-1147, 1147, cp01147, ccsid01147, ibm1147
21	IBM01148	cp1148, ibm1148, ibm-1148, 1148, cp01148, ccsid01148
22	IBM01149	ibm1149, ibm-1149, 1149, cp1149, cp01149, ccsid01149
23	IBM037	cp037, ibm037, ibm-037, csIBM037, ebcdic-cp-us, ebcdic-cp-ca, ebcdic-cp-nl, ebcdic-cp-wt, 037, cpibm37, cs-ebcdic-cp-wt, ibm-37, cs-ebcdic-cp-us, cs-ebcdic-cp-ca, cs-ebcdic-cp-nl
24	IBM1026	cp1026, ibm-1026, 1026, ibm1026
25	IBM1047	ibm-1047, 1047, cp1047, ibm1047
26	IBM273	ibm-273, ibm273, 273, cp273, csibm273
27	IBM277	277, cp277, ebcdic-cp-no, ibm-277, ibm277, ebcdic-cp-dk, csibm277
28	IBM278	cp278, 278, ibm-278, ebcdic-cp-se, ebcdic-cp-fi, csibm278, ibm278, ebcdic-sv
29	IBM280	ibm280, 280, cp280, csibm280, ibm-280, ebcdic-cp-it
30	IBM284	ebcdic-cp-es, csIBM284, cpibm284, cp284, ibm-284, ibm284, 284
31	IBM285	csIBM285, cp285, ebcdic-gb, ibm-285, cpibm285, ibm285, 285, ebcdic-cp-gb
32	IBM290	cpibm290, ibm290, 290, cp290, csIBM290, ibm-290
33	IBM297	297, csIBM297, cp297, ibm297, ibm-297, cpibm297, ebcdic-cp-fr
34	IBM420	ibm420, 420, cp420, csIBM420, ibm-420, ebcdic-cp-ar1
35	IBM424	ebcdic-cp-he, csIBM424, ibm-424, ibm424, 424, cp424
36	IBM437	ibm437, 437, ibm-437, cspc8codepage437, cp437, windows-437
37	IBM500	ibm-500, ibm500, 500, ebcdic-cp-be, ebcdic-cp-bh, ebcdic-cp-ch, csIBM500, cp500
38	IBM775	ibm-775, csPC775Baltic, ibm775, 775, cp775
39	IBM850	cp850, cspc850multilingual, ibm850, 850, ibm-850
40	IBM852	csPCp852, ibm-852, ibm852, 852, cp852
41	IBM855	ibm855, 855, ibm-855, csIBM855, cp855, cspcp855
42	IBM857	ibm857, 857, cp857, csIBM857, ibm-857
43	IBM860	ibm860, 860, cp860, csIBM860, ibm-860
44	IBM861	cp861, ibm861, 861, ibm-861, cp-is, csIBM861
45	IBM862	csIBM862, cp862, ibm862, 862, cspc862latinhebrew, ibm-862
46	IBM863	csIBM863, ibm-863, ibm863, 863, cp863
47	IBM864	csIBM864, ibm-864, ibm864, 864, cp864
48	IBM865	ibm-865, csIBM865, cp865, ibm865, 865
49	IBM866	ibm866, 866, ibm-866, csIBM866, cp866
50	IBM868	ibm868, 868, cp868, csIBM868, ibm-868, cp-ar
51	IBM869	cp869, ibm869, 869, ibm-869, cp-gr, csIBM869
52	IBM870	870, cp870, csIBM870, ibm-870, ibm870, ebcdic-cp-roece, ebcdic-cp-yu
53	IBM871	ibm871, 871, cp871, ebcdic-cp-is, csIBM871, ibm-871
54	IBM918	ibm918, 918, ibm-918, csibm918, ebcdic-cp-ar2, cp918
55	ISO-2022-CN	csISO2022CN, iso-2022-cn-ext, ISO2022CN, iso2022-cn, iso-2022-cn
56	ISO-2022-JP	csjisencoding, iso2022jp, jis_encoding, jis, csISO2022JP, iso2022-jp, jis-encoding
57	ISO-2022-JP-2	csISO2022JP2, iso2022jp2, iso-2022-jp2
58	ISO-2022-KR	iso-2022-kr, csISO2022KR, ISO2022KR, iso2022-kr
59	ISO-8859-1	819, ISO8859-1, l1, ISO_8859-1:1987, ISO_8859-1, 8859_1, iso-ir-100, latin1, cp819, ISO8859_1, 8859-1, ISO-8859-1:1987, IBM819, ISO_8859_1, IBM-819, csISOLatin1
60	ISO-8859-10	919, iso8859_10, 8859_10, ibm919, latin6, l6, iso8859-10, cp919, csisolatin6, ibm-919, iso-ir-157, iso_8859-10:1992, 8859-10, iso-8859-10
61	ISO-8859-13	iso_8859-13, ISO8859-13, iso8859_13, 8859-13, 8859_13
62	ISO-8859-14	iso_8859-14:1998, iso-ir-199, iso8859-14, iso-celtic, isoceltic, iso-8859-14, iso_8859-14, iso8859_14, 8859_14, latin8, l8, 8859-14
63	ISO-8859-15	ISO8859-15-FDIS, ISO8859-15, LATIN0, ISO8859_15, cp923, 8859_15, L9, iso8859_15_fdis, ISO-8859-15, IBM923, csISOlatin9, ISO_8859-15, IBM-923, csISOlatin0, 923, 8859-15, LATIN9
64	ISO-8859-16	8859_16, iso_8859-16:2001, latin10, iso8859-16, iso8859_16, iso-ir-226, l10, iso-8859-16, iso_8859-16, 8859-16
65	ISO-8859-2	ISO8859-2, ibm912, l2, ISO_8859-2, 8859_2, ISO-8859-2:1987, cp912, ISO_8859-2:1987, 8859-2, iso8859_2, iso-ir-101, latin2, 912, csISOLatin2, ibm-912
66	ISO-8859-3	ibm913, 8859_3, iso8859-3, iso-8859-3:1988, l3, cp913, iso_8859-3, iso8859_3, iso_8859-3:1988, latin3, 8859-3, csISOLatin3, 913, ibm-913, iso-ir-109
67	ISO-8859-4	8859_4, latin4, l4, cp914, ISO-8859-4:1988, ISO_8859-4:1988, ibm914, ISO_8859-4, iso-ir-110, 8859-4, iso8859_4, csISOLatin4, iso8859-4, 914, ibm-914
68	ISO-8859-5	8859_5, ISO_8859-5, ibm915, cyrillic, ISO_8859-5:1988, csISOLatinCyrillic, 8859-5, ISO-8859-5:1988, iso-ir-144, iso8859_5, cp915, ibm-915, 915, ISO8859-5
69	ISO-8859-6	8859_6, iso8859_6, iso_8859-6, 8859-6, iso_8859-6:1987, ecma-114, csISOLatinArabic, ibm1089, asmo-708, arabic, ibm-1089, 1089, iso-ir-127, iso-8859-6:1987, iso8859-6, cp1089
70	ISO-8859-7	greek, 8859_7, greek8, ibm813, ISO_8859-7, elot-928, iso8859_7, ISO-8859-7:1987, ELOT_928, cp813, ISO_8859-7:1987, 8859-7, sun_eu_greek, csISOLatinGreek, iso-ir-126, 813, iso8859-7, ECMA-118, ibm-813
71	ISO-8859-8	8859_8, iso_8859-8, hebrew, iso8859_8, iso-8859-8:1988, iso_8859-8:1988, csISOLatinHebrew, ibm916, 8859-8, cp916, iso-ir-138, ibm-916, iso8859-8, 916
72	ISO-8859-9	ibm-920, ISO_8859-9, 8859_9, ISO_8859-9:1989, ibm920, latin5, l5, iso8859_9, cp920, 8859-9, 920, iso-ir-148, ISO8859-9, csISOLatin5
73	JIS_X0201	JIS0201, csHalfWidthKatakana, X0201, JIS_X0201
74	JIS_X0212-1990	JIS0212, iso-ir-159, x0212, jis_x0212-1990, csISO159JISX02121990
75	KOI8-R	koi8, cskoi8r, ibm878, koi8_r, 878, cp878, ibm-878
76	KOI8-U	koi8_u, ibm-1168, 1168, ibm1168, cp1168
77	KZ-1048	kz-1048, rk1048, strk1048-2002
78	PTCP154	cp1169, ibm-1169, pt154, 1169, ibm1169, ptcp154, csptcp154, cyrillic-asian
79	Shift_JIS	shift_jis, x-sjis, sjis, shift-jis, ms_kanji, csShiftJIS
80	TIS-620	tis620, tis620.2533
81	US-ASCII	ANSI_X3.4-1968, cp367, csASCII, ibm-367, iso-ir-6, direct, ASCII, iso_646.irv:1983, ANSI_X3.4-1986, ascii7, default, ISO_646.irv:1991, 367, ISO646-US, IBM367, 646, ISO-646.irv:1991, ansi-x3.4-1968, iso-646.irv:1983, ansi-x3.4-1986, us
82	UTF-16	UTF_16, unicode, utf16, UnicodeBig, UCS-2
83	UTF-16BE	X-UTF-16BE, unicode-1-1, UTF_16BE, ISO-10646-UCS-2, UTF16BE, UnicodeBigUnmarked
84	UTF-16LE	UnicodeLittleUnmarked, UTF_16LE, X-UTF-16LE, UTF16LE
85	UTF-32	UCS-4, ISO-10646-UCS-4, UTF_32, UTF32
86	UTF-32BE	X-UTF-32BE, UTF32BE, UTF_32BE
87	UTF-32LE	X-UTF-32LE, UTF32LE, UTF_32LE
88	UTF-8	unicode-1-1-utf-8, UTF_8, UTF8
89	windows-1250	cp1250, ibm1250, ibm-1250, 1250, cp5346
90	windows-1251	ibm-1251, ibm1251, 1251, cp1251, cp5347, ansi-1251
91	windows-1252	ibm-1252, 1252, cp1252, ibm1252, cp5348
92	windows-1253	1253, cp5349, ibm1253, cp1253, ibm-1253
93	windows-1254	cp1254, cp5350, ibm1254, ibm-1254, 1254
94	windows-1255	ibm-1255, ibm1255, 1255, cp1255
95	windows-1256	ibm-1256, 1256, cp1256, ibm1256
96	windows-1257	cp1257, cp5353, ibm-1257, 1257, ibm1257
97	windows-1258	cp1258, 1129, ibm-1258, 1258, cp1129, ibm1258, ibm1129, ibm-1129
98	windows-31j	MS932, windows-932, csWindows31J
99	windows-874	x-windows-874, ms874, windows-874, ms-874
100	x-Big5-HKSCS-2001	Big5_HKSCS_2001, big5-hkscs-2001, big5hk-2001, big5-hkscs:unicode3.0, big5hkscs-2001
101	x-Big5-Solaris	Big5_Solaris
102	x-COMPOUND_TEXT	x-compound-text, x11-compound-text, COMPOUND_TEXT, x-compound_text, x11-compound_text
103	x-EUC-TW	euc-tw, euctw, cns11643, x-EUC_TW, euc_tw, x-euc-tw
104	x-EUC_JP_LINUX	x-euc-jp-linux, euc_jp_linux, euc-jp-linux
105	x-eucJP-Open	eucjp-open, euc_jp_solaris
106	x-IBM-udcJP	ibmudcJP, cpudcJP, IBM-udcJP, udcJP
107	x-IBM1006	ibm1006, ibm-1006, 1006, cp1006
108	x-IBM1025	ibm-1025, 1025, cp1025, ibm1025
109	x-IBM1027	cp1027, ibm1027, ibm-1027, 1027
110	x-IBM1041	cp1041, ibm1041, ibm-1041, 1041
111	x-IBM1043	ibm-1043, 1043, cp1043, ibm1043
112	x-IBM1046	ibm1046, ibm-1046, 1046, cp1046
113	x-IBM1046S	ibm1046s, 1046s, cp1046s, ibm-1046s
114	x-IBM1047_LF	ibm1047_lf, cp1047_lf, ibm-1047_lf, 1047_lf
115	x-IBM1088	1088, ibm1088, cp1088, ibm-1088
116	x-IBM1097	ibm1097, ibm-1097, 1097, cp1097
117	x-IBM1098	ibm-1098, 1098, cp1098, ibm1098
118	x-IBM1112	ibm1112, ibm-1112, 1112, cp1112
119	x-IBM1114	cp1114, ibm-1114, 1114, ibm1114
120	x-IBM1115	cp1115, ibm1115, ibm-1115, 1115
121	x-IBM1122	cp1122, ibm1122, ibm-1122, 1122
122	x-IBM1123	ibm1123, ibm-1123, 1123, cp1123
123	x-IBM1124	ibm-1124, 1124, cp1124, ibm1124
124	x-IBM1130	ibm1130, ibm-1130, 1130, cp1130
125	x-IBM1141_LF	cp1141_lf, ibm-1141_lf, ibm1141_lf, 1141_lf
126	x-IBM1153	cp01153, ibm1153, ccsid01153, ibm01153, ibm-1153, 1153, cp1153
127	x-IBM1164	ibm-1164, 1164, cp1164, ibm1164
128	x-IBM1165	1165, ibm1165, cp1165, ibm-1165
129	x-IBM1166	cp1166, ibm1166, ibm-1166, 1166
130	x-IBM1351	ibm-1351, 1351, cp1351, ibm1351
131	x-IBM1362	ibm-1362, 1362, ibm1362, cp1362
132	x-IBM1363	1363, ibm1363, cp1363, ibm-1363
133	x-IBM1363C	ibm1363c, ibm-1363c, cp1363c, 1363c
134	x-IBM1364	cp1364, ibm1364, ibm-1364, 1364
135	x-IBM1370	cp1370, ibm-1370, 1370, ibm1370
136	x-IBM1371	cp1371, ibm1371, ibm-1371, 1371
137	x-IBM1377	ibm-1377, 1377, cp1377, ibm1377
138	x-IBM1380	ibm-1380, 1380, cp1380, ibm1380
139	x-IBM1381	cp1381, ibm-1381, 1381, ibm1381
140	x-IBM1382	cp1382, ibm1382, ibm-1382, 1382
141	x-IBM1383	ibm1383, ibm-1383, 1383, cp1383, cpeuccn, ibm-euccn, ibmeuccn
142	x-IBM1385	1385, ibm1385, cp1385, ibm-1385
143	x-IBM1386	cp1386, ibm1386, x-ibm1386, ibm-1386, 1386
144	x-IBM1388	ibm-1388, 1388, cp1388, ibm1388
145	x-IBM1390	ibm1390, ibm-1390, 1390, cp1390
146	x-IBM1390A	cp1390a, 1390a, ibm1390a, ibm-1390a
147	x-IBM1399	ibm-1399, 1399, cp1399, ibm1399
148	x-IBM1399A	cp1399a, ibm1399a, 1399a, ibm-1399a
149	x-IBM16684	cp16684, ibm16684, ibm-16684, 16684
150	x-IBM16684A	ibm16684a, 16684a, cp16684a, ibm-16684a
151	x-IBM29626	29626, ibm-29626, cp29626, ibm-29626_vascii_vpua, ibm29626
152	x-IBM29626C	cp29626c, ibm-29626c, ibm-eucjp, ibm29626c, 29626c
153	x-IBM300	cp300, ibm300, 300, ibm-300, cpibm300, csIBM300
154	x-IBM300A	300a, cp300a, ibm300a, csIBM300a, cpibm300a, ibm-300a
155	x-IBM301	cp301, ibm301, 301, ibm-301
156	x-IBM33722	33722, cp5050, ibm-33722, cp33722, ibm33722, ibm-33722_vascii_vpua, ibm5050, ibm-5050, 5050
157	x-IBM33722A	ibm33722A, 33722A, ibm-5050A, cp5050A, ibm5050A, ibm-33722A, cp33722A, 5050A
158	x-IBM33722C	33722c, ibm-5050c, cp33722c, ibm5050c, cp5050c, ibm33722c, 5050c, ibm-33722c
159	x-IBM420S	420s, ibm-420s, csibm420s, cp420s, ibm420s
160	x-IBM4933	cp4933, ibm4933, 4933, ibm-4933
161	x-IBM720	ibm-720, ibm720, 720, cp720
162	x-IBM737	cp737, ibm737, 737, ibm-737
163	x-IBM808	ibm808, 808, ibm-808, cp808
164	x-IBM833	ibm833, 833, ibm-833, cp833
165	x-IBM834	ibm834, 834, cp834, ibm-834
166	x-IBM835	ibm835, 835, cp835, ibm-835
167	x-IBM836	cp836, ibm836, 836, ibm-836
168	x-IBM837	cp837, ibm837, 837, ibm-837
169	x-IBM856	ibm856, 856, cp856, ibm-856
170	x-IBM859	cp859, ibm859, 859, ibm-859
171	x-IBM864S	csibm864s, ibm864s, ibm-864s, cp864s, 864s
172	x-IBM867	ibm867, 867, cp867, ibm-867
173	x-IBM874	ibm-874, ibm874, 874, cp874
174	x-IBM875	ibm-875, ibm875, 875, cp875
175	x-IBM897	ibm-897, ibm897, 897, cp897
176	x-IBM921	ibm921, 921, ibm-921, cp921
177	x-IBM922	ibm922, 922, cp922, ibm-922
178	x-IBM924_LF	ibm924_lf, 924_lf, cp924_lf, ibm-924_lf
179	x-IBM927	ibm-927, ibm927, 927, cp927
180	x-IBM930	ibm5026, ibm-930, ibm930, 930, 5026, ibm-5026, Cp5026, cp930
181	x-IBM930A	930A, cp930A, ibm930A, ibm-930A
182	x-IBM933	ibm933, 933, cp933, ibm-933
183	x-IBM935	cp935, ibm935, 935, ibm-935
184	x-IBM937	ibm-937, ibm937, 937, cp937
185	x-IBM939	ibm5035, cp939, 5035, ibm-5035, ibm-939, cp5035, ibm939, 939
186	x-IBM939A	ibm-939A, 939A, cp939A, ibm939A
187	x-IBM941	ibm-941, ibm941, 941, cp941
188	x-IBM942	ibm-942, cp942, ibm942, 942
189	x-IBM942C	ibm932, x-ibm932, ibm-932, ibm942c, ibm-942c, 942c, x-ibm942c, 932, cp932, cp942c
190	x-IBM943	ibm943, 943, ibm-943, cp943
191	x-IBM943C	943c, cp943c, ibm943c, ibm-943c
192	x-IBM947	cp947, ibm947, 947, ibm-947
193	x-IBM948	ibm-948, ibm948, 948, cp948
194	x-IBM949	ibm-949, ibm949, 949, cp949
195	x-IBM949C	ibm949c, ibm-949c, cp949c, 949c
196	x-IBM950	cp950, ibm950, 950, ibm-950
197	x-IBM951	ibm-951, ibm951, 951, cp951
198	x-IBM954	ibm954, 954, ibm-954, cp954
199	x-IBM954C	954c, cp954c, ibm954c, ibm-954c
200	x-IBM964	ibm-964, cp964, ibm-euctw, ibm964, 964
201	x-IBM970	cpeuckr, ibmeuckr, 970, cp970, ibm-970, ibm970, ibm-euckr
202	x-IBM971	cp971, ibm971, 971, ibm-971
203	x-ISCII91	ISCII91, iso-ir-153, iscii, ST_SEV_358-88, csISO153GOST1976874
204	x-ISO-2022-CN-CNS	ISO2022CN_CNS, ISO-2022-CN-CNS, iso2022_cn_cns, iso2022cn-cns, iso2022-cn-cns
205	x-ISO-2022-CN-GB	iso2022-cn-gb, ISO2022CN_GB, ISO-2022-CN-GB, iso2022cn-gb
206	x-iso-8859-11	iso-8859-11, iso8859_11
207	x-ISO-8859-6S	iso8859-6s, iso8859_6s, 8859_6s, iso-8859-6s
208	x-JIS0208	JIS0208, JIS_C6226-1983, iso-ir-87, x0208, JIS_X0208-1983, csISO87JISX0208
209	x-JISAutoDetect	JISAutoDetect
210	x-Johab	ms1361, ksc5601_1992, johab, ksc5601-1992
211	x-KOI8_RU	koi8_ru, koi8-ru, ibm-1167, ibm1167, 1167, cp1167
212	x-KSC5601	ksc5601
213	x-MacArabic	MacArabic
214	x-MacCentralEurope	cp1282, ibm-1282, 1282, maccentraleurope, ibm1282
215	x-MacCroatian	ibm1284, ibm-1284, 1284, cp1284, maccroatian
216	x-MacCyrillic	cp1283, ibm1283, maccyrillic, ibm-1283, 1283
217	x-MacDingbat	macdingbat
218	x-MacGreek	macgreek, ibm1280, ibm-1280, 1280, cp1280
219	x-MacHebrew	machebrew
220	x-MacIceland	maciceland, 1286, ibm1286, cp1286, ibm-1286
221	x-MacRoman	macroman, 1275, ibm1275, cp1275, ibm-1275
222	x-MacRomania	ibm-1285, 1285, cp1285, ibm1285, macromania
223	x-MacSymbol	macsymbol, cp1038, ibm1038, adobe-symbol-encoding, ibm-1038, 1038
224	x-MacThai	macthai
225	x-MacTurkish	ibm-1281, 1281, cp1281, ibm1281, macturkish
226	x-MacUkraine	macukraine
227	x-MS932_0213	MS932:2004, windows-932:2004, MS932_0213, MS932-0213, windows-932-0213
228	x-MS950-HKSCS	MS950_HKSCS
229	x-MS950-HKSCS-XP	MS950_HKSCS_XP
230	x-mswin-936	ms936, ms_936, windows-936, x-mswin-936
231	x-mswin-936A	x-mswin-936A, ms936A, bestfit936, ms_936A, 936A
232	x-PCK	pck
233	x-SJIS_0213	shift_jis:2004, sjis_0213, sjis:2004, shift_jis_0213:2004, sjis-0213, sjis_0213:2004
234	x-UTF-16LE-BOM	x-utf-16le-bom, UnicodeLittle, utf_16le_bom, X-UnicodeLittle
235	X-UTF-32BE-BOM	UTF_32BE_BOM, UTF-32BE-BOM
236	X-UTF-32LE-BOM	UTF_32LE_BOM, UTF-32LE-BOM
237	x-UTF_8J	UTF8J, UTF-8J, UTF_8J
238	x-windows-1256S	ibm-1256s, 1256s, cp1256s, windows-1256s, ibm1256s
239	x-windows-50220	cp50220, ms50220
240	x-windows-50221	cp50221, ms50221
241	x-windows-949	ibm1361, ms_949, ibm-1361, windows949, 1361, cp1361, ms949, windows-949
242	x-windows-950	ms950, windows-950
243	x-windows-iso2022jp	windows-iso2022jp

Happy Coding,
Gary