spotbugs / spotbugs

SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.

Home Page:https://spotbugs.github.io/

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

System::setSecurityManager is deprecated and will be removed in a future JDK release

KengoTODA opened this issue · comments

We have several usage of System::setSecurityManager in SpotBugs implementation.

https://github.com/spotbugs/spotbugs/search?q=setSecurityManager&type=

spotbugs/src/main/java/edu/umd/cs/findbugs/PluginLoader.java:                System.setSecurityManager(null);
spotbugs/src/main/java/edu/umd/cs/findbugs/ba/jsr305/TypeQualifierValue.java:                        System.setSecurityManager(ValidationSecurityManager.INSTANCE);
spotbugs/src/main/java/edu/umd/cs/findbugs/ba/jsr305/TypeQualifierValue.java:                    System.setSecurityManager(ValidationSecurityManager.INSTANCE);

See also #1515 (not a duplicate).

People start shifting to Java 17 (latest LTS), me and my project included. So, any ETA on this? Thanks!

I can confirm that Java 17 is pretty angry about that:

WARNING: A terminally deprecated method in java.lang.System has been called

WARNING: System::setSecurityManager has been called by edu.umd.cs.findbugs.ba.jsr305.TypeQualifierValue (file:/Users/runner/.gradle/caches/modules-2/files-2.1/com.github.spotbugs/spotbugs/4.5.1/7550ccc52981cb741fef57829763dec869c9b392/spotbugs-4.5.1.jar)
> Task :alchemist-swingui:spotbugsMain
WARNING: Please consider reporting this to the maintainers of edu.umd.cs.findbugs.ba.jsr305.TypeQualifierValue
WARNING: System::setSecurityManager will be removed in a future release

Is there an update on this issue? I'm slowly shifting projects to Java 17 and notice the warning nagging me to report the issue.

This is pretty frustrating now that we're moving over to Java 17. Our builds output 12 lines of "WARNING:..." due to this.
Such problems leads to warning-fatigue. A build shall have zero warnings. But now a bug-warning system dumps a heap of warnings in our lap, which are hard to remove.

so we welcome your contribution :)

My proposal is to stop using the ValidationSecurityManager, see #1983. Looks like it is only there to help with troubleshooting certain issues. WDYT? 🙂

At the very least would do well to have an option available to exclude.xml to disable the security manager.

Now with Java 18, this is an error, not a warning:

[INFO] --- spotbugs-maven-plugin:4.5.3.0:spotbugs (spotbugs) @ service ---
[INFO] Fork Value is true
     [java] The following errors occurred during analysis:
     [java]   Unable to construct type qualifier checker javax/annotation/Nonnull$Checker
     [java]     java.lang.UnsupportedOperationException: The Security Manager is deprecated and will be removed in a future release
     [java]       At java.base/java.lang.System.setSecurityManager(System.java:416)
     [java]       At edu.umd.cs.findbugs.ba.jsr305.TypeQualifierValue.<init>(TypeQualifierValue.java:157)
     [java]       At edu.umd.cs.findbugs.ba.jsr305.TypeQualifierValue.getValue(TypeQualifierValue.java:298)
     [java]       At edu.umd.cs.findbugs.ba.jsr305.TypeQualifierValue.getValue(TypeQualifierValue.java:306)
     [java]       At edu.umd.cs.findbugs.ba.npe.TypeQualifierNullnessAnnotationDatabase.<init>(TypeQualifierNullnessAnnotationDatabase.java:70)
     [java]       At edu.umd.cs.findbugs.ba.AnalysisContext.getNullnessAnnotationDatabase(AnalysisContext.java:1055)
     [java]       At edu.umd.cs.findbugs.ba.AnalysisContext.updateDatabases(AnalysisContext.java:1008)
     [java]       At edu.umd.cs.findbugs.FindBugs2.analyzeApplication(FindBugs2.java:1061)
     [java]       At edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:309)
     [java]       At edu.umd.cs.findbugs.FindBugs.runMain(FindBugs.java:395)
     [java]       At edu.umd.cs.findbugs.FindBugs2.main(FindBugs2.java:1231)

This is marked as completed, and unless I'm mistaken, it's in the latest 4.7.3.0 release, however I'm seeing this error in the latest release that seems to be related to this but not quite the same:

2022-11-12T22:25:37.2078926Z [ERROR] Failed to execute goal com.github.spotbugs:spotbugs-maven-plugin:4.7.3.0:spotbugs (spotbugs) on project com.io7m.jintegers.core: Execution spotbugs of goal com.github.spotbugs:spotbugs-maven-plugin:4.7.3.0:spotbugs failed: java.lang.UnsupportedOperationException: The Security Manager is deprecated and will be removed in a future release -> [Help 1]
2022-11-12T22:25:37.2080927Z org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal com.github.spotbugs:spotbugs-maven-plugin:4.7.3.0:spotbugs (spotbugs) on project com.io7m.jintegers.core: Execution spotbugs of goal com.github.spotbugs:spotbugs-maven-plugin:4.7.3.0:spotbugs failed: java.lang.UnsupportedOperationException: The Security Manager is deprecated and will be removed in a future release
2022-11-12T22:25:37.2081955Z     at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2 (MojoExecutor.java:375)
2022-11-12T22:25:37.2082559Z     at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:351)
2022-11-12T22:25:37.2125766Z     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
2022-11-12T22:25:37.2126771Z     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:171)
2022-11-12T22:25:37.2128066Z     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:163)
2022-11-12T22:25:37.2128916Z     at org.apache.maven.lifecycle.internal.MojoExecutor.executeForkedExecutions (MojoExecutor.java:508)
2022-11-12T22:25:37.2129656Z     at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:345)
2022-11-12T22:25:37.2130200Z     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
2022-11-12T22:25:37.2130737Z     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:171)
2022-11-12T22:25:37.2133126Z     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:163)
2022-11-12T22:25:37.2134256Z     at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
2022-11-12T22:25:37.2135181Z     at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
2022-11-12T22:25:37.2137097Z     at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
2022-11-12T22:25:37.2138118Z     at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
2022-11-12T22:25:37.2140535Z     at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:294)
2022-11-12T22:25:37.2142078Z     at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
2022-11-12T22:25:37.2142767Z     at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
2022-11-12T22:25:37.2145223Z     at org.apache.maven.cli.MavenCli.execute (MavenCli.java:960)
2022-11-12T22:25:37.2146101Z     at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:293)
2022-11-12T22:25:37.2147557Z     at org.apache.maven.cli.MavenCli.main (MavenCli.java:196)
2022-11-12T22:25:37.2149033Z     at jdk.internal.reflect.DirectMethodHandleAccessor.invoke (DirectMethodHandleAccessor.java:104)
2022-11-12T22:25:37.2149824Z     at java.lang.reflect.Method.invoke (Method.java:578)
2022-11-12T22:25:37.2151393Z     at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
2022-11-12T22:25:37.2152705Z     at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
2022-11-12T22:25:37.2155612Z     at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
2022-11-12T22:25:37.2156397Z     at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
2022-11-12T22:25:37.2168110Z Caused by: org.apache.maven.plugin.PluginExecutionException: Execution spotbugs of goal com.github.spotbugs:spotbugs-maven-plugin:4.7.3.0:spotbugs failed: java.lang.UnsupportedOperationException: The Security Manager is deprecated and will be removed in a future release
2022-11-12T22:25:37.2169269Z     at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:148)
2022-11-12T22:25:37.2170121Z     at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2 (MojoExecutor.java:370)
2022-11-12T22:25:37.2170693Z     at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:351)
2022-11-12T22:25:37.2171392Z     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
2022-11-12T22:25:37.2172004Z     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:171)
2022-11-12T22:25:37.2172577Z     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:163)
2022-11-12T22:25:37.2173219Z     at org.apache.maven.lifecycle.internal.MojoExecutor.executeForkedExecutions (MojoExecutor.java:508)
2022-11-12T22:25:37.2173865Z     at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:345)
2022-11-12T22:25:37.2174427Z     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
2022-11-12T22:25:37.2175223Z     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:171)
2022-11-12T22:25:37.2176031Z     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:163)
2022-11-12T22:25:37.2176780Z     at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
2022-11-12T22:25:37.2177604Z     at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
2022-11-12T22:25:37.2178389Z     at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
2022-11-12T22:25:37.2179406Z     at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
2022-11-12T22:25:37.2180187Z     at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:294)
2022-11-12T22:25:37.2180967Z     at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
2022-11-12T22:25:37.2181599Z     at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
2022-11-12T22:25:37.2188902Z     at org.apache.maven.cli.MavenCli.execute (MavenCli.java:960)
2022-11-12T22:25:37.2189416Z     at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:293)
2022-11-12T22:25:37.2189905Z     at org.apache.maven.cli.MavenCli.main (MavenCli.java:196)
2022-11-12T22:25:37.2190433Z     at jdk.internal.reflect.DirectMethodHandleAccessor.invoke (DirectMethodHandleAccessor.java:104)
2022-11-12T22:25:37.2190933Z     at java.lang.reflect.Method.invoke (Method.java:578)
2022-11-12T22:25:37.2191441Z     at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
2022-11-12T22:25:37.2192250Z     at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
2022-11-12T22:25:37.2192894Z     at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
2022-11-12T22:25:37.2193475Z     at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
2022-11-12T22:25:37.2194132Z Caused by: org.apache.tools.ant.BuildException: java.lang.UnsupportedOperationException: The Security Manager is deprecated and will be removed in a future release
2022-11-12T22:25:37.2194771Z     at org.apache.tools.ant.taskdefs.ExecuteJava.execute (ExecuteJava.java:194)
2022-11-12T22:25:37.2195227Z     at org.apache.tools.ant.taskdefs.Java.run (Java.java:891)
2022-11-12T22:25:37.2195665Z     at org.apache.tools.ant.taskdefs.Java.executeJava (Java.java:231)
2022-11-12T22:25:37.2196127Z     at org.apache.tools.ant.taskdefs.Java.executeJava (Java.java:135)
2022-11-12T22:25:37.2196687Z     at org.apache.tools.ant.taskdefs.Java.execute (Java.java:108)
2022-11-12T22:25:37.2197085Z     at org.apache.tools.ant.UnknownElement.execute (UnknownElement.java:299)
2022-11-12T22:25:37.2197686Z     at jdk.internal.reflect.DirectMethodHandleAccessor.invoke (DirectMethodHandleAccessor.java:104)
2022-11-12T22:25:37.2199282Z     at java.lang.reflect.Method.invoke (Method.java:578)
2022-11-12T22:25:37.2199781Z     at org.apache.tools.ant.dispatch.DispatchUtils.execute (DispatchUtils.java:99)
2022-11-12T22:25:37.2200265Z     at groovy.ant.AntBuilder.performTask (AntBuilder.java:347)
2022-11-12T22:25:37.2200686Z     at groovy.ant.AntBuilder.nodeCompleted (AntBuilder.java:286)
2022-11-12T22:25:37.2201146Z     at groovy.util.BuilderSupport.doInvokeMethod (BuilderSupport.java:161)
2022-11-12T22:25:37.2201593Z     at groovy.ant.AntBuilder.doInvokeMethod (AntBuilder.java:219)
2022-11-12T22:25:37.2202045Z     at groovy.util.BuilderSupport.invokeMethod (BuilderSupport.java:75)
2022-11-12T22:25:37.2202765Z     at org.codehaus.groovy.vmplugin.v8.IndyGuardsFiltersAndSignatures.invokeGroovyObjectInvoker (IndyGuardsFiltersAndSignatures.java:149)
2022-11-12T22:25:37.2203514Z     at org.codehaus.groovy.vmplugin.v8.IndyInterface.fromCache (IndyInterface.java:318)
2022-11-12T22:25:37.2204099Z     at org.codehaus.mojo.spotbugs.SpotBugsMojo.executeSpotbugs (SpotBugsMojo.groovy:1184)
2022-11-12T22:25:37.2204670Z     at org.codehaus.groovy.vmplugin.v8.IndyInterface.fromCache (IndyInterface.java:318)
2022-11-12T22:25:37.2205247Z     at org.codehaus.mojo.spotbugs.SpotBugsMojo.canGenerateReport (SpotBugsMojo.groovy:673)
2022-11-12T22:25:37.2205812Z     at org.codehaus.groovy.vmplugin.v8.IndyInterface.fromCache (IndyInterface.java:318)
2022-11-12T22:25:37.2206353Z     at org.codehaus.mojo.spotbugs.SpotBugsMojo.execute (SpotBugsMojo.groovy:799)
2022-11-12T22:25:37.2206963Z     at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
2022-11-12T22:25:37.2207601Z     at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2 (MojoExecutor.java:370)
2022-11-12T22:25:37.2208307Z     at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:351)
2022-11-12T22:25:37.2208868Z     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
2022-11-12T22:25:37.2209419Z     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:171)
2022-11-12T22:25:37.2210076Z     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:163)
2022-11-12T22:25:37.2210746Z     at org.apache.maven.lifecycle.internal.MojoExecutor.executeForkedExecutions (MojoExecutor.java:508)
2022-11-12T22:25:37.2211571Z     at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:345)
2022-11-12T22:25:37.2212263Z     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
2022-11-12T22:25:37.2212814Z     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:171)
2022-11-12T22:25:37.2213376Z     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:163)
2022-11-12T22:25:37.2214203Z     at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
2022-11-12T22:25:37.2214990Z     at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
2022-11-12T22:25:37.2217759Z     at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
2022-11-12T22:25:37.2218547Z     at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
2022-11-12T22:25:37.2219457Z     at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:294)
2022-11-12T22:25:37.2219889Z     at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
2022-11-12T22:25:37.2220327Z     at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
2022-11-12T22:25:37.2220744Z     at org.apache.maven.cli.MavenCli.execute (MavenCli.java:960)
2022-11-12T22:25:37.2221148Z     at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:293)
2022-11-12T22:25:37.2221536Z     at org.apache.maven.cli.MavenCli.main (MavenCli.java:196)
2022-11-12T22:25:37.2222197Z     at jdk.internal.reflect.DirectMethodHandleAccessor.invoke (DirectMethodHandleAccessor.java:104)
2022-11-12T22:25:37.2222816Z     at java.lang.reflect.Method.invoke (Method.java:578)
2022-11-12T22:25:37.2274170Z     at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
2022-11-12T22:25:37.2274832Z     at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
2022-11-12T22:25:37.2275447Z     at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
2022-11-12T22:25:37.2276042Z     at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
2022-11-12T22:25:37.2276618Z Caused by: java.lang.UnsupportedOperationException: The Security Manager is deprecated and will be removed in a future release
2022-11-12T22:25:37.2277126Z     at java.lang.System.setSecurityManager (System.java:425)
2022-11-12T22:25:37.2277634Z     at org.apache.tools.ant.types.Permissions.setSecurityManager (Permissions.java:103)
2022-11-12T22:25:37.2278291Z     at org.apache.tools.ant.taskdefs.ExecuteJava.run (ExecuteJava.java:216)
2022-11-12T22:25:37.2278671Z     at java.lang.Thread.run (Thread.java:1589)

That setSecurityManager call isn't directly called by SpotBugs, seems to have to do with ant Permissions. Maybe https://mail.openjdk.org/pipermail/security-dev/2021-June/026660.html helps.

Ah, thanks. Didn't realize the Maven plugin was tracked in a different repos. 👍