I think it is much easier to follow up on those issues with SonarQube Cloud anyways: https://sonarcloud.io/project/overview?id=org.apache.jackrabbit%3Ajackrabbit-oak. No need to defer a local build with that.
Konrad

> On 14. Jan 2025, at 11:44, Konrad Windszus <[email protected]> wrote:
>
> Hi,
> Spotbugs is being used both with profile "pedantic" and "release". However
> violations don't fail the build:
> https://github.com/apache/jackrabbit-oak/blame/fe9c04c3b567386dfb5d262971a278cd2c634a86/oak-parent/pom.xml#L1065
> I get quite some violations being reported against the current trunk with
> spotbugs:
>
> [INFO] --- spotbugs:4.8.6.3:check (default) @ oak-jackrabbit-api ---
> [INFO] BugInstance size is 3
> [INFO] Error size is 0
> [INFO] Total bugs: 3
> [ERROR] Medium: org.apache.jackrabbit.api.security.authorization.PrivilegeCollection$Default.getPrivileges() may expose internal representation by returning PrivilegeCollection$Default.privileges [org.apache.jackrabbit.api.security.authorization.PrivilegeCollection$Default] At PrivilegeCollection.java:[line 101] EI_EXPOSE_REP
> [ERROR] Medium: new org.apache.jackrabbit.api.security.authorization.PrivilegeCollection$Default(Privilege[], AccessControlManager) may expose internal representation by storing an externally mutable object into PrivilegeCollection$Default.accessControlManager [org.apache.jackrabbit.api.security.authorization.PrivilegeCollection$Default] At PrivilegeCollection.java:[line 96] EI_EXPOSE_REP2
> [ERROR] Medium: new org.apache.jackrabbit.api.security.authorization.PrivilegeCollection$Default(Privilege[], AccessControlManager) may expose internal representation by storing an externally mutable object into PrivilegeCollection$Default.privileges [org.apache.jackrabbit.api.security.authorization.PrivilegeCollection$Default] At PrivilegeCollection.java:[line 95] EI_EXPOSE_REP2
>
> …
>
> [INFO] --- spotbugs:4.8.6.3:check (default) @ oak-commons ---
> [INFO] BugInstance size is 30
> [INFO] Error size is 0
> [INFO] Total bugs: 30
> [ERROR] Medium: Exceptional return value of java.io.File.delete() ignored in org.apache.jackrabbit.oak.commons.FileIOUtils.append(List, File, boolean) [org.apache.jackrabbit.oak.commons.FileIOUtils] At FileIOUtils.java:[line 163] RV_RETURN_VALUE_IGNORED_BAD_PRACTICE
> [ERROR] Medium: org.apache.jackrabbit.oak.commons.Profiler.premain(String, Instrumentation) may expose internal static state by storing a mutable object into a static field org.apache.jackrabbit.oak.commons.Profiler.instrumentation [org.apache.jackrabbit.oak.commons.Profiler] At Profiler.java:[line 115] EI_EXPOSE_STATIC_REP2
> [ERROR] Medium: Public static org.apache.jackrabbit.oak.commons.Profiler.getInstrumentation() may expose internal representation by returning Profiler.instrumentation [org.apache.jackrabbit.oak.commons.Profiler] At Profiler.java:[line 124] MS_EXPOSE_REP
> [ERROR] Medium: org.apache.jackrabbit.oak.commons.Profiler.run(String[]) may fail to close stream [org.apache.jackrabbit.oak.commons.Profiler] At Profiler.java:[line 182] OS_OPEN_STREAM
> [ERROR] Medium: Primitive field org.apache.jackrabbit.oak.commons.Profiler.sumClasses is public and set from inside the class, which makes it too exposed. Consider making it private to limit external accessibility. [org.apache.jackrabbit.oak.commons.Profiler] At Profiler.java:[line 166] PA_PUBLIC_PRIMITIVE_ATTRIBUTE
> [ERROR] Medium: Primitive field org.apache.jackrabbit.oak.commons.Profiler.sumMethods is public and set from inside the class, which makes it too exposed. Consider making it private to limit external accessibility. [org.apache.jackrabbit.oak.commons.Profiler] At Profiler.java:[line 168] PA_PUBLIC_PRIMITIVE_ATTRIBUTE
> [ERROR] Medium: Class (org.apache.jackrabbit.oak.commons.TimeDurationFormatter) using singleton design pattern has non-private constructor. [org.apache.jackrabbit.oak.commons.TimeDurationFormatter] At TimeDurationFormatter.java:[lines 76-80] SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR
> [ERROR] Medium: Exception thrown in class org.apache.jackrabbit.oak.commons.io.FileLineDifferenceIterator at new org.apache.jackrabbit.oak.commons.io.FileLineDifferenceIterator(File, File, Function) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. [org.apache.jackrabbit.oak.commons.io.FileLineDifferenceIterator, org.apache.jackrabbit.oak.commons.io.FileLineDifferenceIterator] At FileLineDifferenceIterator.java:[line 58]At FileLineDifferenceIterator.java:[line 58] CT_CONSTRUCTOR_THROW
> [ERROR] Medium: instanceof will always return true for all non-null values in org.apache.jackrabbit.oak.commons.io.FileLineDifferenceIterator$Impl.close(), since all org.apache.commons.io.LineIterator are instances of java.io.Closeable [org.apache.jackrabbit.oak.commons.io.FileLineDifferenceIterator$Impl, org.apache.jackrabbit.oak.commons.io.FileLineDifferenceIterator$Impl] At FileLineDifferenceIterator.java:[line 115]Another occurrence at FileLineDifferenceIterator.java:[line 118] BC_VACUOUS_INSTANCEOF
> [ERROR] Medium: Read of unwritten field byteSource in org.apache.jackrabbit.oak.commons.io.LazyInputStream.ensureOpen() [org.apache.jackrabbit.oak.commons.io.LazyInputStream] At LazyInputStream.java:[line 110] NP_UNWRITTEN_FIELD
> [ERROR] High: Field only ever set to null: org.apache.jackrabbit.oak.commons.io.LazyInputStream.byteSource [org.apache.jackrabbit.oak.commons.io.LazyInputStream] At LazyInputStream.java:[line 42] UWF_NULL_FIELD
> [ERROR] Medium: org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject.<static initializer for Java23Subject>() might ignore java.lang.NoSuchMethodException [org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject, org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject] At Java23Subject.java:[line 43]At Java23Subject.java:[line 43] DE_MIGHT_IGNORE
> [ERROR] Medium: org.apache.jackrabbit.oak.commons.json.JsonObject.getChildren() may expose internal representation by returning JsonObject.children [org.apache.jackrabbit.oak.commons.json.JsonObject] At JsonObject.java:[line 133] EI_EXPOSE_REP
> [ERROR] Medium: org.apache.jackrabbit.oak.commons.json.JsonObject.getProperties() may expose internal representation by returning JsonObject.props [org.apache.jackrabbit.oak.commons.json.JsonObject] At JsonObject.java:[line 124] EI_EXPOSE_REP
> [ERROR] Medium: Possible null pointer dereference in org.apache.jackrabbit.oak.commons.json.JsonObject.create(JsopTokenizer, boolean) due to return value of called method [org.apache.jackrabbit.oak.commons.json.JsonObject, org.apache.jackrabbit.oak.commons.json.JsonObject] Dereferenced at JsonObject.java:[line 89]Known null at JsonObject.java:[line 89] NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE
> [ERROR] Medium: Exception thrown in class org.apache.jackrabbit.oak.commons.json.JsopTokenizer at new org.apache.jackrabbit.oak.commons.json.JsopTokenizer(String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. [org.apache.jackrabbit.oak.commons.json.JsopTokenizer, org.apache.jackrabbit.oak.commons.json.JsopTokenizer] At JsopTokenizer.java:[line 47]At JsopTokenizer.java:[line 47] CT_CONSTRUCTOR_THROW
> [ERROR] Medium: Exception thrown in class org.apache.jackrabbit.oak.commons.json.JsopTokenizer at new org.apache.jackrabbit.oak.commons.json.JsopTokenizer(String, int) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. [org.apache.jackrabbit.oak.commons.json.JsopTokenizer, org.apache.jackrabbit.oak.commons.json.JsopTokenizer] At JsopTokenizer.java:[line 43]At JsopTokenizer.java:[line 43] CT_CONSTRUCTOR_THROW
> [ERROR] Medium: Exception thrown in class org.apache.jackrabbit.oak.commons.log.LogSilencer at new org.apache.jackrabbit.oak.commons.log.LogSilencer() will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. [org.apache.jackrabbit.oak.commons.log.LogSilencer, org.apache.jackrabbit.oak.commons.log.LogSilencer] At LogSilencer.java:[line 48]At LogSilencer.java:[line 48] CT_CONSTRUCTOR_THROW
> [ERROR] Medium: Exception thrown in class org.apache.jackrabbit.oak.commons.log.LogSilencer at new org.apache.jackrabbit.oak.commons.log.LogSilencer(long, int) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. [org.apache.jackrabbit.oak.commons.log.LogSilencer, org.apache.jackrabbit.oak.commons.log.LogSilencer] At LogSilencer.java:[line 62]At LogSilencer.java:[line 62] CT_CONSTRUCTOR_THROW
> [ERROR] Medium: Exception thrown in class org.apache.jackrabbit.oak.commons.properties.SystemPropertySupplier at new org.apache.jackrabbit.oak.commons.properties.SystemPropertySupplier(String, Object) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. [org.apache.jackrabbit.oak.commons.properties.SystemPropertySupplier, org.apache.jackrabbit.oak.commons.properties.SystemPropertySupplier] At SystemPropertySupplier.java:[line 63]At SystemPropertySupplier.java:[line 63] CT_CONSTRUCTOR_THROW
> [ERROR] Medium: Exception thrown in class org.apache.jackrabbit.oak.commons.sort.BinaryFileBuffer at new org.apache.jackrabbit.oak.commons.sort.BinaryFileBuffer(BufferedReader, Function) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. [org.apache.jackrabbit.oak.commons.sort.BinaryFileBuffer, org.apache.jackrabbit.oak.commons.sort.BinaryFileBuffer] At ExternalSort.java:[line 1074]At ExternalSort.java:[line 1074] CT_CONSTRUCTOR_THROW
> [ERROR] High: org.apache.jackrabbit.oak.commons.sort.ExternalSort.mergeSortedFiles(List, BufferedWriter, Comparator, Charset, boolean, Compression, Function, Function) might ignore java.lang.Exception [org.apache.jackrabbit.oak.commons.sort.ExternalSort, org.apache.jackrabbit.oak.commons.sort.ExternalSort] At ExternalSort.java:[line 840]At ExternalSort.java:[line 840] DE_MIGHT_IGNORE
> [ERROR] High: org.apache.jackrabbit.oak.commons.sort.ExternalSort.defaultcomparator isn't final but should be [org.apache.jackrabbit.oak.commons.sort.ExternalSort] At ExternalSort.java:[line 1056] MS_SHOULD_BE_FINAL
> [ERROR] Medium: org.apache.jackrabbit.oak.commons.sort.ExternalSort.sortAndSave(List, Comparator, Charset, File, boolean, Compression, Function, Predicate) may fail to clean up java.io.OutputStream on checked exception [org.apache.jackrabbit.oak.commons.sort.ExternalSort] Obligation to clean up resource created at ExternalSort.java:[line 622] is not discharged OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE
> [ERROR] Medium: org.apache.jackrabbit.oak.commons.sort.ExternalSort.sortInBatch(File, Comparator, int, long, Charset, File, boolean, int, Compression, Function, Function, Predicate) may fail to clean up java.io.InputStream on checked exception [org.apache.jackrabbit.oak.commons.sort.ExternalSort] Obligation to clean up resource created at ExternalSort.java:[line 320] is not discharged OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE
> [ERROR] Medium: Redundant nullcheck of lastLine, which is known to be non-null in org.apache.jackrabbit.oak.commons.sort.ExternalSort.merge(BufferedWriter, Comparator, boolean, List, Function) [org.apache.jackrabbit.oak.commons.sort.ExternalSort] Redundant null check at ExternalSort.java:[line 887] RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> [ERROR] Medium: Redundant nullcheck of lastLine, which is known to be non-null in org.apache.jackrabbit.oak.commons.sort.ExternalSort.sortAndSave(List, Comparator, Charset, File, boolean, Compression, Function, Predicate) [org.apache.jackrabbit.oak.commons.sort.ExternalSort] Redundant null check at ExternalSort.java:[line 628] RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> [ERROR] Medium: Exceptional return value of java.io.File.delete() ignored in org.apache.jackrabbit.oak.commons.sort.ExternalSort.mergeSortedFiles(List, BufferedWriter, Comparator, Charset, boolean, Compression, Function, Function) [org.apache.jackrabbit.oak.commons.sort.ExternalSort] At ExternalSort.java:[line 843] RV_RETURN_VALUE_IGNORED_BAD_PRACTICE
> [ERROR] Medium: Exceptional return value of java.io.File.delete() ignored in org.apache.jackrabbit.oak.commons.sort.ExternalSort.mergeSortedFiles(List, File, Comparator, Charset, boolean, boolean, Compression, Function, Function) [org.apache.jackrabbit.oak.commons.sort.ExternalSort] At ExternalSort.java:[line 765] RV_RETURN_VALUE_IGNORED_BAD_PRACTICE
> [ERROR] Medium: Exception thrown in class org.apache.jackrabbit.oak.commons.sort.ExternalSortByteArray$BinaryFileBuffer at new org.apache.jackrabbit.oak.commons.sort.ExternalSortByteArray$BinaryFileBuffer(InputStream, Function, int) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. [org.apache.jackrabbit.oak.commons.sort.ExternalSortByteArray$BinaryFileBuffer, org.apache.jackrabbit.oak.commons.sort.ExternalSortByteArray$BinaryFileBuffer] At ExternalSortByteArray.java:[line 123]At ExternalSortByteArray.java:[line 123] CT_CONSTRUCTOR_THROW
> …..
>
> And so on. I would propose to remove execution of that plugin as long as
> no-one looks at the errors and fixes those.
> Currently it just spams the build log.
>
> WDYT?
> Thanks,
> Konrad
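The EI_EXPOSE_REP / EI_EXPOSE_REP2 findings on PrivilegeCollection$Default are the security-relevant ones in that log: an authorization object that hands out (or stores) a mutable array lets any holder of the array rewrite what the object says a subject may do. The following is an added example, not code from Jackrabbit Oak; the Privilege stand-in type, the class names and the main method are assumptions made so it compiles on its own. It puts the leaky shape SpotBugs flags next to the defensive-copy fix, and the class is final, which is one of the mitigations SpotBugs documents for the CT_CONSTRUCTOR_THROW warnings in the same log.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Objects;

// Added example (not Jackrabbit Oak code): the shape behind EI_EXPOSE_REP /
// EI_EXPOSE_REP2 on an object holding a privilege array, and the fix.
public class ExposeRepDemo {

    // Stand-in for a JCR Privilege; an assumption for this example only.
    static final class Privilege {
        private final String name;
        Privilege(String name) { this.name = Objects.requireNonNull(name); }
        String getName() { return name; }
        @Override public String toString() { return name; }
    }

    // Leaky version. SpotBugs reports EI_EXPOSE_REP2 on the constructor
    // (stores the caller's array as-is) and EI_EXPOSE_REP on getPrivileges()
    // (returns the internal array). Whoever holds either reference can
    // change the privilege set behind the object's back.
    static final class LeakyPrivileges {
        private final Privilege[] privileges;
        LeakyPrivileges(Privilege[] privileges) { this.privileges = privileges; }
        Privilege[] getPrivileges() { return privileges; }
    }

    // Hardened version: validate, then copy on the way in and on the way out,
    // so the internal array is reachable only through this class. Declaring
    // the class final means a constructor that throws after validation cannot
    // be subverted by a subclass overriding finalize() to grab the partially
    // built instance (the CT_CONSTRUCTOR_THROW scenario).
    static final class SafePrivileges {
        private final Privilege[] privileges;

        SafePrivileges(Privilege[] privileges) {
            Objects.requireNonNull(privileges, "privileges");
            for (Privilege p : privileges) {
                if (p == null) throw new IllegalArgumentException("null privilege");
            }
            this.privileges = privileges.clone();   // fixes EI_EXPOSE_REP2
        }

        Privilege[] getPrivileges() {
            return privileges.clone();              // fixes EI_EXPOSE_REP
        }

        // Alternative to a copy per call: an unmodifiable read-only view.
        List<Privilege> asList() {
            return Collections.unmodifiableList(Arrays.asList(privileges));
        }
    }

    static boolean includes(Privilege[] granted, String name) {
        for (Privilege p : granted) {
            if (p.getName().equals(name)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        Privilege read = new Privilege("jcr:read");
        Privilege all = new Privilege("jcr:all");
        Privilege[] input = { read };              // constructed sample input

        LeakyPrivileges leaky = new LeakyPrivileges(input);
        SafePrivileges safe = new SafePrivileges(input);

        // The caller still owns 'input'; overwriting it escalates the leaky
        // object to jcr:all, while the safe object keeps its private copy.
        input[0] = all;
        System.out.println("leaky grants jcr:all after input mutation: "
                + includes(leaky.getPrivileges(), "jcr:all"));
        System.out.println("safe grants jcr:all after input mutation:  "
                + includes(safe.getPrivileges(), "jcr:all"));

        // Writing through the getter's return value has the same effect on
        // the leaky object; on the safe one it only touches a throwaway copy.
        leaky.getPrivileges()[0] = read;
        safe.getPrivileges()[0] = all;
        System.out.println("leaky after getter mutation: " + leaky.getPrivileges()[0]);
        System.out.println("safe after getter mutation:  " + safe.getPrivileges()[0]);
    }
}
```

Compile and run with `javac ExposeRepDemo.java && java ExposeRepDemo`. The two "after input mutation" lines differ between the leaky and the safe object, which is exactly the aliasing SpotBugs is warning about; the same reasoning applies to the stored AccessControlManager reference in the second EI_EXPOSE_REP2 finding, where the fix is either to copy or to document that the object intentionally shares a collaborator and suppress the finding with a justification.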
