Hi,

Spotbugs is being used both with profile “pedantic” and “release”. However, violations don’t fail the build: https://github.com/apache/jackrabbit-oak/blame/fe9c04c3b567386dfb5d262971a278cd2c634a86/oak-parent/pom.xml#L1065

I get quite some violations being reported against the current trunk with spotbugs:

[INFO] --- spotbugs:4.8.6.3:check (default) @ oak-jackrabbit-api ---
[INFO] BugInstance size is 3
[INFO] Error size is 0
[INFO] Total bugs: 3
[ERROR] Medium: org.apache.jackrabbit.api.security.authorization.PrivilegeCollection$Default.getPrivileges() may expose internal representation by returning PrivilegeCollection$Default.privileges [org.apache.jackrabbit.api.security.authorization.PrivilegeCollection$Default] At PrivilegeCollection.java:[line 101] EI_EXPOSE_REP
[ERROR] Medium: new org.apache.jackrabbit.api.security.authorization.PrivilegeCollection$Default(Privilege[], AccessControlManager) may expose internal representation by storing an externally mutable object into PrivilegeCollection$Default.accessControlManager [org.apache.jackrabbit.api.security.authorization.PrivilegeCollection$Default] At PrivilegeCollection.java:[line 96] EI_EXPOSE_REP2
[ERROR] Medium: new org.apache.jackrabbit.api.security.authorization.PrivilegeCollection$Default(Privilege[], AccessControlManager) may expose internal representation by storing an externally mutable object into PrivilegeCollection$Default.privileges [org.apache.jackrabbit.api.security.authorization.PrivilegeCollection$Default] At PrivilegeCollection.java:[line 95] EI_EXPOSE_REP2
…
[INFO] --- spotbugs:4.8.6.3:check (default) @ oak-commons ---
[INFO] BugInstance size is 30
[INFO] Error size is 0
[INFO] Total bugs: 30
[ERROR] Medium: Exceptional return value of java.io.File.delete() ignored in org.apache.jackrabbit.oak.commons.FileIOUtils.append(List, File, boolean) [org.apache.jackrabbit.oak.commons.FileIOUtils] At FileIOUtils.java:[line 163] RV_RETURN_VALUE_IGNORED_BAD_PRACTICE
[ERROR] Medium: org.apache.jackrabbit.oak.commons.Profiler.premain(String, Instrumentation) may expose internal static state by storing a mutable object into a static field org.apache.jackrabbit.oak.commons.Profiler.instrumentation [org.apache.jackrabbit.oak.commons.Profiler] At Profiler.java:[line 115] EI_EXPOSE_STATIC_REP2
[ERROR] Medium: Public static org.apache.jackrabbit.oak.commons.Profiler.getInstrumentation() may expose internal representation by returning Profiler.instrumentation [org.apache.jackrabbit.oak.commons.Profiler] At Profiler.java:[line 124] MS_EXPOSE_REP
[ERROR] Medium: org.apache.jackrabbit.oak.commons.Profiler.run(String[]) may fail to close stream [org.apache.jackrabbit.oak.commons.Profiler] At Profiler.java:[line 182] OS_OPEN_STREAM
[ERROR] Medium: Primitive field org.apache.jackrabbit.oak.commons.Profiler.sumClasses is public and set from inside the class, which makes it too exposed. Consider making it private to limit external accessibility. [org.apache.jackrabbit.oak.commons.Profiler] At Profiler.java:[line 166] PA_PUBLIC_PRIMITIVE_ATTRIBUTE
[ERROR] Medium: Primitive field org.apache.jackrabbit.oak.commons.Profiler.sumMethods is public and set from inside the class, which makes it too exposed. Consider making it private to limit external accessibility. [org.apache.jackrabbit.oak.commons.Profiler] At Profiler.java:[line 168] PA_PUBLIC_PRIMITIVE_ATTRIBUTE
[ERROR] Medium: Class (org.apache.jackrabbit.oak.commons.TimeDurationFormatter) using singleton design pattern has non-private constructor. [org.apache.jackrabbit.oak.commons.TimeDurationFormatter] At TimeDurationFormatter.java:[lines 76-80] SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR
[ERROR] Medium: Exception thrown in class org.apache.jackrabbit.oak.commons.io.FileLineDifferenceIterator at new org.apache.jackrabbit.oak.commons.io.FileLineDifferenceIterator(File, File, Function) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. [org.apache.jackrabbit.oak.commons.io.FileLineDifferenceIterator, org.apache.jackrabbit.oak.commons.io.FileLineDifferenceIterator] At FileLineDifferenceIterator.java:[line 58]At FileLineDifferenceIterator.java:[line 58] CT_CONSTRUCTOR_THROW
[ERROR] Medium: instanceof will always return true for all non-null values in org.apache.jackrabbit.oak.commons.io.FileLineDifferenceIterator$Impl.close(), since all org.apache.commons.io.LineIterator are instances of java.io.Closeable [org.apache.jackrabbit.oak.commons.io.FileLineDifferenceIterator$Impl, org.apache.jackrabbit.oak.commons.io.FileLineDifferenceIterator$Impl] At FileLineDifferenceIterator.java:[line 115]Another occurrence at FileLineDifferenceIterator.java:[line 118] BC_VACUOUS_INSTANCEOF
[ERROR] Medium: Read of unwritten field byteSource in org.apache.jackrabbit.oak.commons.io.LazyInputStream.ensureOpen() [org.apache.jackrabbit.oak.commons.io.LazyInputStream] At LazyInputStream.java:[line 110] NP_UNWRITTEN_FIELD
[ERROR] High: Field only ever set to null: org.apache.jackrabbit.oak.commons.io.LazyInputStream.byteSource [org.apache.jackrabbit.oak.commons.io.LazyInputStream] At LazyInputStream.java:[line 42] UWF_NULL_FIELD
[ERROR] Medium: org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject.<static initializer for Java23Subject>() might ignore java.lang.NoSuchMethodException [org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject, org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject] At Java23Subject.java:[line 43]At Java23Subject.java:[line 43] DE_MIGHT_IGNORE
[ERROR] Medium: org.apache.jackrabbit.oak.commons.json.JsonObject.getChildren() may expose internal representation by returning JsonObject.children [org.apache.jackrabbit.oak.commons.json.JsonObject] At JsonObject.java:[line 133] EI_EXPOSE_REP
[ERROR] Medium: org.apache.jackrabbit.oak.commons.json.JsonObject.getProperties() may expose internal representation by returning JsonObject.props [org.apache.jackrabbit.oak.commons.json.JsonObject] At JsonObject.java:[line 124] EI_EXPOSE_REP
[ERROR] Medium: Possible null pointer dereference in org.apache.jackrabbit.oak.commons.json.JsonObject.create(JsopTokenizer, boolean) due to return value of called method [org.apache.jackrabbit.oak.commons.json.JsonObject, org.apache.jackrabbit.oak.commons.json.JsonObject] Dereferenced at JsonObject.java:[line 89]Known null at JsonObject.java:[line 89] NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE
[ERROR] Medium: Exception thrown in class org.apache.jackrabbit.oak.commons.json.JsopTokenizer at new org.apache.jackrabbit.oak.commons.json.JsopTokenizer(String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. [org.apache.jackrabbit.oak.commons.json.JsopTokenizer, org.apache.jackrabbit.oak.commons.json.JsopTokenizer] At JsopTokenizer.java:[line 47]At JsopTokenizer.java:[line 47] CT_CONSTRUCTOR_THROW
[ERROR] Medium: Exception thrown in class org.apache.jackrabbit.oak.commons.json.JsopTokenizer at new org.apache.jackrabbit.oak.commons.json.JsopTokenizer(String, int) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. [org.apache.jackrabbit.oak.commons.json.JsopTokenizer, org.apache.jackrabbit.oak.commons.json.JsopTokenizer] At JsopTokenizer.java:[line 43]At JsopTokenizer.java:[line 43] CT_CONSTRUCTOR_THROW
[ERROR] Medium: Exception thrown in class org.apache.jackrabbit.oak.commons.log.LogSilencer at new org.apache.jackrabbit.oak.commons.log.LogSilencer() will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. [org.apache.jackrabbit.oak.commons.log.LogSilencer, org.apache.jackrabbit.oak.commons.log.LogSilencer] At LogSilencer.java:[line 48]At LogSilencer.java:[line 48] CT_CONSTRUCTOR_THROW
[ERROR] Medium: Exception thrown in class org.apache.jackrabbit.oak.commons.log.LogSilencer at new org.apache.jackrabbit.oak.commons.log.LogSilencer(long, int) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. [org.apache.jackrabbit.oak.commons.log.LogSilencer, org.apache.jackrabbit.oak.commons.log.LogSilencer] At LogSilencer.java:[line 62]At LogSilencer.java:[line 62] CT_CONSTRUCTOR_THROW
[ERROR] Medium: Exception thrown in class org.apache.jackrabbit.oak.commons.properties.SystemPropertySupplier at new org.apache.jackrabbit.oak.commons.properties.SystemPropertySupplier(String, Object) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. [org.apache.jackrabbit.oak.commons.properties.SystemPropertySupplier, org.apache.jackrabbit.oak.commons.properties.SystemPropertySupplier] At SystemPropertySupplier.java:[line 63]At SystemPropertySupplier.java:[line 63] CT_CONSTRUCTOR_THROW
[ERROR] Medium: Exception thrown in class org.apache.jackrabbit.oak.commons.sort.BinaryFileBuffer at new org.apache.jackrabbit.oak.commons.sort.BinaryFileBuffer(BufferedReader, Function) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. [org.apache.jackrabbit.oak.commons.sort.BinaryFileBuffer, org.apache.jackrabbit.oak.commons.sort.BinaryFileBuffer] At ExternalSort.java:[line 1074]At ExternalSort.java:[line 1074] CT_CONSTRUCTOR_THROW
[ERROR] High: org.apache.jackrabbit.oak.commons.sort.ExternalSort.mergeSortedFiles(List, BufferedWriter, Comparator, Charset, boolean, Compression, Function, Function) might ignore java.lang.Exception [org.apache.jackrabbit.oak.commons.sort.ExternalSort, org.apache.jackrabbit.oak.commons.sort.ExternalSort] At ExternalSort.java:[line 840]At ExternalSort.java:[line 840] DE_MIGHT_IGNORE
[ERROR] High: org.apache.jackrabbit.oak.commons.sort.ExternalSort.defaultcomparator isn't final but should be [org.apache.jackrabbit.oak.commons.sort.ExternalSort] At ExternalSort.java:[line 1056] MS_SHOULD_BE_FINAL
[ERROR] Medium: org.apache.jackrabbit.oak.commons.sort.ExternalSort.sortAndSave(List, Comparator, Charset, File, boolean, Compression, Function, Predicate) may fail to clean up java.io.OutputStream on checked exception [org.apache.jackrabbit.oak.commons.sort.ExternalSort] Obligation to clean up resource created at ExternalSort.java:[line 622] is not discharged OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE
[ERROR] Medium: org.apache.jackrabbit.oak.commons.sort.ExternalSort.sortInBatch(File, Comparator, int, long, Charset, File, boolean, int, Compression, Function, Function, Predicate) may fail to clean up java.io.InputStream on checked exception [org.apache.jackrabbit.oak.commons.sort.ExternalSort] Obligation to clean up resource created at ExternalSort.java:[line 320] is not discharged OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE
[ERROR] Medium: Redundant nullcheck of lastLine, which is known to be non-null in org.apache.jackrabbit.oak.commons.sort.ExternalSort.merge(BufferedWriter, Comparator, boolean, List, Function) [org.apache.jackrabbit.oak.commons.sort.ExternalSort] Redundant null check at ExternalSort.java:[line 887] RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
[ERROR] Medium: Redundant nullcheck of lastLine, which is known to be non-null in org.apache.jackrabbit.oak.commons.sort.ExternalSort.sortAndSave(List, Comparator, Charset, File, boolean, Compression, Function, Predicate) [org.apache.jackrabbit.oak.commons.sort.ExternalSort] Redundant null check at ExternalSort.java:[line 628] RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
[ERROR] Medium: Exceptional return value of java.io.File.delete() ignored in org.apache.jackrabbit.oak.commons.sort.ExternalSort.mergeSortedFiles(List, BufferedWriter, Comparator, Charset, boolean, Compression, Function, Function) [org.apache.jackrabbit.oak.commons.sort.ExternalSort] At ExternalSort.java:[line 843] RV_RETURN_VALUE_IGNORED_BAD_PRACTICE
[ERROR] Medium: Exceptional return value of java.io.File.delete() ignored in org.apache.jackrabbit.oak.commons.sort.ExternalSort.mergeSortedFiles(List, File, Comparator, Charset, boolean, boolean, Compression, Function, Function) [org.apache.jackrabbit.oak.commons.sort.ExternalSort] At ExternalSort.java:[line 765] RV_RETURN_VALUE_IGNORED_BAD_PRACTICE
[ERROR] Medium: Exception thrown in class org.apache.jackrabbit.oak.commons.sort.ExternalSortByteArray$BinaryFileBuffer at new org.apache.jackrabbit.oak.commons.sort.ExternalSortByteArray$BinaryFileBuffer(InputStream, Function, int) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. [org.apache.jackrabbit.oak.commons.sort.ExternalSortByteArray$BinaryFileBuffer, org.apache.jackrabbit.oak.commons.sort.ExternalSortByteArray$BinaryFileBuffer] At ExternalSortByteArray.java:[line 123]At ExternalSortByteArray.java:[line 123] CT_CONSTRUCTOR_THROW
…..

And so on. I would propose to remove execution of that plugin as long as no-one looks at the errors and fixes those. Currently it just spams the build log. WDYT?

Thanks,
Konrad
