This is an automated email from the ASF dual-hosted git repository. pkarwasz pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git
commit 94c89a1db6c35fa5a712d3a16cbe431900bd575f Author: Piotr P. Karwasz <[email protected]> AuthorDate: Wed Oct 25 21:18:33 2023 +0200 Fix FindSecBugs alerts [FindSecBugs](https://find-sec-bugs.github.io/), gives several alerts concerning alleged security problems in our code. While these are almost certainly false positives, we need to check each one of them before suppressing the related warning. --- log4j-api/pom.xml | 3 +++ .../java/org/apache/logging/log4j/simple/SimpleLogger.java | 5 +++++ .../apache/logging/log4j/simple/SimpleLoggerContext.java | 5 +++++ .../java/org/apache/logging/log4j/simple/package-info.java | 2 +- .../java/org/apache/logging/log4j/status/StatusData.java | 5 +++++ .../java/org/apache/logging/log4j/status/package-info.java | 2 +- .../java/org/apache/logging/log4j/util/LowLevelLogUtil.java | 6 ++++++ .../logging/log4j/util/PropertyFilePropertySource.java | 6 ++++++ .../java/org/apache/logging/log4j/util/package-info.java | 3 ++- .../java/org/apache/logging/log4j/core/LoggerContext.java | 5 +++++ .../org/apache/logging/log4j/core/appender/FileManager.java | 13 +++++++++++++ .../log4j/core/appender/HttpURLConnectionManager.java | 5 +++++ .../log4j/core/appender/MemoryMappedFileManager.java | 5 +++++ .../log4j/core/appender/RandomAccessFileManager.java | 5 +++++ .../core/appender/rolling/AbstractRolloverStrategy.java | 5 +++++ .../log4j/core/appender/rolling/RollingFileManager.java | 5 +++++ .../java/org/apache/logging/log4j/core/util/FileUtils.java | 5 +++++ .../java/org/apache/logging/log4j/core/util/NetUtils.java | 5 +++++ .../java/org/apache/logging/log4j/core/util/Source.java | 9 +++++++++ .../java/org/apache/logging/log4j/core/util/Throwables.java | 6 ++++++ pom.xml | 3 +-- 21 files changed, 103 insertions(+), 5 deletions(-) diff --git a/log4j-api/pom.xml b/log4j-api/pom.xml index 4f529fbd12..f198d90168 100644 --- a/log4j-api/pom.xml +++ b/log4j-api/pom.xml @@ -42,6 +42,9 @@ <!-- Used in StringBuilders through reflection --> java.sql;static=true </bnd-extra-module-options> + + <!-- FIXME: temporary --> + <spotbugs.skip>true</spotbugs.skip> </properties> <dependencies> <dependency> diff --git a/log4j-api/src/main/java/org/apache/logging/log4j/simple/SimpleLogger.java b/log4j-api/src/main/java/org/apache/logging/log4j/simple/SimpleLogger.java index aae0948d50..043a7b69f6 100644 --- a/log4j-api/src/main/java/org/apache/logging/log4j/simple/SimpleLogger.java +++ b/log4j-api/src/main/java/org/apache/logging/log4j/simple/SimpleLogger.java @@ -23,6 +23,7 @@ import java.util.Map; import java.util.concurrent.locks.Lock; import java.util.concurrent.locks.ReentrantLock; +import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import org.apache.logging.log4j.Level; import org.apache.logging.log4j.Marker; import org.apache.logging.log4j.ThreadContext; @@ -194,6 +195,10 @@ public class SimpleLogger extends AbstractLogger { } @Override + @SuppressFBWarnings( + value = "INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE", + justification = "Log4j prints stacktraces only to logs, which should be private." + ) public void logMessage(final String fqcn, final Level mgsLevel, final Marker marker, final Message msg, final Throwable throwable) { final StringBuilder sb = new StringBuilder(); diff --git a/log4j-api/src/main/java/org/apache/logging/log4j/simple/SimpleLoggerContext.java b/log4j-api/src/main/java/org/apache/logging/log4j/simple/SimpleLoggerContext.java index 8a207624d2..b7d2a4b60f 100644 --- a/log4j-api/src/main/java/org/apache/logging/log4j/simple/SimpleLoggerContext.java +++ b/log4j-api/src/main/java/org/apache/logging/log4j/simple/SimpleLoggerContext.java @@ -20,6 +20,7 @@ import java.io.FileNotFoundException; import java.io.FileOutputStream; import java.io.PrintStream; +import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import org.apache.logging.log4j.message.MessageFactory; import org.apache.logging.log4j.spi.AbstractLogger; import org.apache.logging.log4j.spi.ExtendedLogger; @@ -58,6 +59,10 @@ public class SimpleLoggerContext implements LoggerContext { this(new SimpleLoggerConfiguration(PropertiesUtil.getProperties("simplelog"))); } + @SuppressFBWarnings( + value = "PATH_TRAVERSAL_OUT", + justification = "Opens a file retrieved from configuration (Log4j properties)" + ) public SimpleLoggerContext(final SimpleLoggerConfiguration configuration) { this.configuration = configuration; final String fileName = configuration.getLogFileName(); diff --git a/log4j-api/src/main/java/org/apache/logging/log4j/simple/package-info.java b/log4j-api/src/main/java/org/apache/logging/log4j/simple/package-info.java index eb461e2532..15801ad9d7 100644 --- a/log4j-api/src/main/java/org/apache/logging/log4j/simple/package-info.java +++ b/log4j-api/src/main/java/org/apache/logging/log4j/simple/package-info.java @@ -20,7 +20,7 @@ * Providers are able to be loaded at runtime. */ @Export -@Version("2.20.1") +@Version("2.20.2") package org.apache.logging.log4j.simple; import org.osgi.annotation.bundle.Export; diff --git a/log4j-api/src/main/java/org/apache/logging/log4j/status/StatusData.java b/log4j-api/src/main/java/org/apache/logging/log4j/status/StatusData.java index e8c708e72b..8b83601d72 100644 --- a/log4j-api/src/main/java/org/apache/logging/log4j/status/StatusData.java +++ b/log4j-api/src/main/java/org/apache/logging/log4j/status/StatusData.java @@ -21,6 +21,7 @@ import java.io.PrintStream; import java.text.SimpleDateFormat; import java.util.Date; +import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import org.apache.logging.log4j.Level; import org.apache.logging.log4j.message.Message; @@ -114,6 +115,10 @@ public class StatusData { * * @return The formatted status data as a String. */ + @SuppressFBWarnings( + value = "INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE", + justification = "Log4j prints stacktraces only to logs, which should be private." + ) public String getFormattedStatus() { final StringBuilder sb = new StringBuilder(); final SimpleDateFormat format = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss,SSS"); diff --git a/log4j-api/src/main/java/org/apache/logging/log4j/status/package-info.java b/log4j-api/src/main/java/org/apache/logging/log4j/status/package-info.java index e51ae46207..61af0c2347 100644 --- a/log4j-api/src/main/java/org/apache/logging/log4j/status/package-info.java +++ b/log4j-api/src/main/java/org/apache/logging/log4j/status/package-info.java @@ -19,7 +19,7 @@ * used by applications reporting on the status of the logging system */ @Export -@Version("2.20.1") +@Version("2.20.2") package org.apache.logging.log4j.status; import org.osgi.annotation.bundle.Export; diff --git a/log4j-api/src/main/java/org/apache/logging/log4j/util/LowLevelLogUtil.java b/log4j-api/src/main/java/org/apache/logging/log4j/util/LowLevelLogUtil.java index d7df2e3df0..2753cfc4f1 100644 --- a/log4j-api/src/main/java/org/apache/logging/log4j/util/LowLevelLogUtil.java +++ b/log4j-api/src/main/java/org/apache/logging/log4j/util/LowLevelLogUtil.java @@ -20,6 +20,8 @@ import java.io.PrintWriter; import org.apache.logging.log4j.Logger; +import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; + /** * PrintWriter-based logging utility for classes too low level to use {@link org.apache.logging.log4j.status.StatusLogger}. * Such classes cannot use StatusLogger as StatusLogger or {@link org.apache.logging.log4j.simple.SimpleLogger} depends @@ -113,6 +115,10 @@ public final class LowLevelLogUtil { } + @SuppressFBWarnings( + value = "INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE", + justification = "Log4j prints stacktraces only to logs, which should be private." + ) public static void logException(final Throwable exception) { if (guard.get()) { return; diff --git a/log4j-api/src/main/java/org/apache/logging/log4j/util/PropertyFilePropertySource.java b/log4j-api/src/main/java/org/apache/logging/log4j/util/PropertyFilePropertySource.java index 7c10d4eee2..d9d1df821b 100644 --- a/log4j-api/src/main/java/org/apache/logging/log4j/util/PropertyFilePropertySource.java +++ b/log4j-api/src/main/java/org/apache/logging/log4j/util/PropertyFilePropertySource.java @@ -21,6 +21,8 @@ import java.io.InputStream; import java.net.URL; import java.util.Properties; +import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; + /** * PropertySource backed by a properties file. Follows the same conventions as {@link PropertiesPropertySource}. * @@ -36,6 +38,10 @@ public class PropertyFilePropertySource extends PropertiesPropertySource { super(loadPropertiesFile(fileName), SYSTEM_CONTEXT, 20, includeInvalid); } + @SuppressFBWarnings( + value = "URLCONNECTION_SSRF_FD", + justification = "This property source should only be used with hardcoded file names." + ) static Properties loadPropertiesFile(final String fileName) { final Properties props = new Properties(); for (final URL url : LoaderUtil.findResources(fileName)) { diff --git a/log4j-api/src/main/java/org/apache/logging/log4j/util/package-info.java b/log4j-api/src/main/java/org/apache/logging/log4j/util/package-info.java index f37e32d156..99db5c911f 100644 --- a/log4j-api/src/main/java/org/apache/logging/log4j/util/package-info.java +++ b/log4j-api/src/main/java/org/apache/logging/log4j/util/package-info.java @@ -16,7 +16,8 @@ */ /** - * Utility APIs used elsewhere in Log4j API. + * Internal utility classes for the Log4j 2 API. Note that the use of any classes in this package is not supported. + * There are no guarantees for binary or logical compatibility in this package. */ @Export @Version("2.20.1") diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/LoggerContext.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/LoggerContext.java index 03284e641e..27b973bd96 100644 --- a/log4j-core/src/main/java/org/apache/logging/log4j/core/LoggerContext.java +++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/LoggerContext.java @@ -30,6 +30,7 @@ import java.util.concurrent.locks.Lock; import java.util.concurrent.locks.ReentrantLock; import java.util.function.Consumer; +import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.ThreadContext; import org.apache.logging.log4j.core.config.Configuration; @@ -153,6 +154,10 @@ public class LoggerContext extends AbstractLifeCycle * @param externalContext The external context. * @param configLocn The configuration location. */ + @SuppressFBWarnings( + value = "PATH_TRAVERSAL_IN", + justification = "The configLocn comes from a secure source (Log4j properties)" + ) public LoggerContext(final String name, final Object externalContext, final String configLocn) { this(name, externalContext, configLocn, DI.createInitializedFactory()); } diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/FileManager.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/FileManager.java index 62e0cc2548..8b6dd2249b 100644 --- a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/FileManager.java +++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/FileManager.java @@ -37,6 +37,7 @@ import java.util.HashMap; import java.util.Map; import java.util.Set; +import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import org.apache.logging.log4j.core.Layout; import org.apache.logging.log4j.core.LoggerContext; import org.apache.logging.log4j.core.config.Configuration; @@ -64,6 +65,10 @@ public class FileManager extends OutputStreamManager { /** * @since 2.9 */ + @SuppressFBWarnings( + value = "OVERLY_PERMISSIVE_FILE_PERMISSION", + justification = "File permissions are specified in the configuration file." + ) protected FileManager(final LoggerContext loggerContext, final String fileName, final OutputStream os, final boolean append, final boolean locking, final boolean createOnDemand, final String advertiseURI, final Layout layout, final String filePermissions, final String fileOwner, final String fileGroup, final boolean writeHeader, @@ -133,6 +138,10 @@ public class FileManager extends OutputStreamManager { } @Override + @SuppressFBWarnings( + value = "PATH_TRAVERSAL_IN", + justification = "The destination file is specified in the configuration file." + ) protected OutputStream createOutputStream() throws IOException { final String filename = getFileName(); LOGGER.debug("Now writing to {} at {}", filename, new Date()); @@ -381,6 +390,10 @@ public class FileManager extends OutputStreamManager { * @return The FileManager for the File. */ @Override + @SuppressFBWarnings( + value = "PATH_TRAVERSAL_IN", + justification = "The destination file should be specified in the configuration file." + ) public FileManager createManager(final String name, final FactoryData data) { final File file = new File(name); try { diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/HttpURLConnectionManager.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/HttpURLConnectionManager.java index d603fb0c40..65e7ebf1c9 100644 --- a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/HttpURLConnectionManager.java +++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/HttpURLConnectionManager.java @@ -27,6 +27,7 @@ import java.util.Objects; import javax.net.ssl.HttpsURLConnection; +import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import org.apache.logging.log4j.core.Layout; import org.apache.logging.log4j.core.LogEvent; import org.apache.logging.log4j.core.LoggerContext; @@ -73,6 +74,10 @@ public class HttpURLConnectionManager extends HttpManager { } @Override + @SuppressFBWarnings( + value = "URLCONNECTION_SSRF_FD", + justification = "This connection URL is specified in a configuration file." + ) public void send(final Layout layout, final LogEvent event) throws IOException { final HttpURLConnection urlConnection = (HttpURLConnection)url.openConnection(); urlConnection.setAllowUserInteraction(false); diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/MemoryMappedFileManager.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/MemoryMappedFileManager.java index 592cd7f387..453031976c 100644 --- a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/MemoryMappedFileManager.java +++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/MemoryMappedFileManager.java @@ -32,6 +32,7 @@ import java.util.HashMap; import java.util.Map; import java.util.Objects; +import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import org.apache.logging.log4j.core.Layout; import org.apache.logging.log4j.core.util.Closer; import org.apache.logging.log4j.core.util.FileUtils; @@ -357,6 +358,10 @@ public class MemoryMappedFileManager extends OutputStreamManager { */ @SuppressWarnings("resource") @Override + @SuppressFBWarnings( + value = "PATH_TRAVERSAL_IN", + justification = "The destination file should be specified in the configuration file." + ) public MemoryMappedFileManager createManager(final String name, final FactoryData data) { final File file = new File(name); if (!data.append) { diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/RandomAccessFileManager.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/RandomAccessFileManager.java index 92444eda52..30fd5b543e 100644 --- a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/RandomAccessFileManager.java +++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/RandomAccessFileManager.java @@ -24,6 +24,7 @@ import java.nio.ByteBuffer; import java.util.HashMap; import java.util.Map; +import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import org.apache.logging.log4j.core.Layout; import org.apache.logging.log4j.core.LoggerContext; import org.apache.logging.log4j.core.config.Configuration; @@ -200,6 +201,10 @@ public class RandomAccessFileManager extends OutputStreamManager { * @return The RandomAccessFileManager for the File. */ @Override + @SuppressFBWarnings( + value = "PATH_TRAVERSAL_IN", + justification = "The destination file should be specified in the configuration file." + ) public RandomAccessFileManager createManager(final String name, final FactoryData data) { final File file = new File(name); if (!data.append) { diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/AbstractRolloverStrategy.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/AbstractRolloverStrategy.java index 41a311d356..650e743ace 100644 --- a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/AbstractRolloverStrategy.java +++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/AbstractRolloverStrategy.java @@ -28,6 +28,7 @@ import java.util.TreeMap; import java.util.regex.Matcher; import java.util.regex.Pattern; +import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LoggingException; import org.apache.logging.log4j.core.appender.rolling.action.Action; @@ -99,6 +100,10 @@ public abstract class AbstractRolloverStrategy implements RolloverStrategy { return getEligibleFiles("", path, pattern, true); } + @SuppressFBWarnings( + value = "PATH_TRAVERSAL_IN", + justification = "The file path should be specified in the configuration file." + ) protected SortedMap<Integer, Path> getEligibleFiles(final String currentFile, final String path, final String logfilePattern, final boolean isAscending) { final TreeMap<Integer, Path> eligibleFiles = new TreeMap<>(); diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/RollingFileManager.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/RollingFileManager.java index 7f901bd991..8cf45f910a 100644 --- a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/RollingFileManager.java +++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/RollingFileManager.java @@ -34,6 +34,7 @@ import java.util.concurrent.ThreadPoolExecutor; import java.util.concurrent.TimeUnit; import java.util.concurrent.atomic.AtomicReferenceFieldUpdater; +import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import org.apache.logging.log4j.core.Layout; import org.apache.logging.log4j.core.LifeCycle; import org.apache.logging.log4j.core.LogEvent; @@ -682,6 +683,10 @@ public class RollingFileManager extends FileManager { * @return a RollingFileManager. */ @Override + @SuppressFBWarnings( + value = "PATH_TRAVERSAL_IN", + justification = "The destination file should be specified in the configuration file." + ) public RollingFileManager createManager(final String name, final FactoryData data) { long size = 0; File file = null; diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/util/FileUtils.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/util/FileUtils.java index edbca1bc17..66081581d2 100644 --- a/log4j-core/src/main/java/org/apache/logging/log4j/core/util/FileUtils.java +++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/util/FileUtils.java @@ -32,6 +32,7 @@ import java.nio.file.attribute.UserPrincipalLookupService; import java.util.Objects; import java.util.Set; +import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.status.StatusLogger; @@ -56,6 +57,10 @@ public final class FileUtils { * @param uri the URI * @return the resulting file object */ + @SuppressFBWarnings( + value = "PATH_TRAVERSAL_IN", + justification = "Currently `uri` comes from a configuration file." + ) public static File fileFromUri(URI uri) { if (uri == null) { return null; diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/util/NetUtils.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/util/NetUtils.java index bacbb5482f..d2edd8125f 100644 --- a/log4j-core/src/main/java/org/apache/logging/log4j/core/util/NetUtils.java +++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/util/NetUtils.java @@ -31,6 +31,7 @@ import java.util.Arrays; import java.util.Enumeration; import java.util.List; +import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.status.StatusLogger; import org.apache.logging.log4j.util.Strings; @@ -195,6 +196,10 @@ public final class NetUtils { * @param path the URI string or path * @return the URI object */ + @SuppressFBWarnings( + value = "PATH_TRAVERSAL_IN", + justification = "Currently `path` comes from a configuration file." + ) public static URI toURI(final String path) { try { // Resolves absolute URI diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/util/Source.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/util/Source.java index 8a10e0c875..ebbe0ac7f3 100644 --- a/log4j-core/src/main/java/org/apache/logging/log4j/core/util/Source.java +++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/util/Source.java @@ -26,6 +26,7 @@ import java.nio.file.Path; import java.nio.file.Paths; import java.util.Objects; +import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.core.config.ConfigurationSource; import org.apache.logging.log4j.status.StatusLogger; @@ -54,6 +55,10 @@ public class Source { } // LOG4J2-3527 - Don't use Paths.get(). + @SuppressFBWarnings( + value = "PATH_TRAVERSAL_IN", + justification = "The URI should be specified in a configuration file." + ) private static File toFile(final URI uri) { try { final String scheme = Objects.requireNonNull(uri, "uri").getScheme(); @@ -190,6 +195,10 @@ public class Source { * * @return this source as a Path. */ + @SuppressFBWarnings( + value = "PATH_TRAVERSAL_IN", + justification = "The `file`, `uri` and `location` fields come from Log4j properties." + ) public Path getPath() { return file != null ? file.toPath() : uri != null ? Paths.get(uri) : Paths.get(location); } diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/util/Throwables.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/util/Throwables.java index 6208a26458..d414830c23 100644 --- a/log4j-core/src/main/java/org/apache/logging/log4j/core/util/Throwables.java +++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/util/Throwables.java @@ -25,6 +25,8 @@ import java.io.StringWriter; import java.util.ArrayList; import java.util.List; +import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; + /** * Helps with Throwable objects. */ @@ -68,6 +70,10 @@ public final class Throwables { * @param throwable the Throwable * @return a List of Strings */ + @SuppressFBWarnings( + value = "INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE", + justification = "Log4j prints stacktraces only to logs, which should be private." + ) public static List<String> toStringList(final Throwable throwable) { final StringWriter sw = new StringWriter(); final PrintWriter pw = new PrintWriter(sw); diff --git a/pom.xml b/pom.xml index d96fe7c058..05eca168ee 100644 --- a/pom.xml +++ b/pom.xml @@ -324,8 +324,7 @@ <docLabel>Site Documentation</docLabel> <projectDir /> <module.name /> - <!-- TODO: fix errors and re-enable SpotBugs --> - <spotbugs.skip>true</spotbugs.skip> + <spotbugs.maxRank>14</spotbugs.maxRank> <project.build.outputTimestamp>2023-10-23T19:03:40Z</project.build.outputTimestamp> <!-- ========================
