Hi,
SpotBugs is being used with both the “pedantic” and “release” profiles. However,
violations don’t fail the build:
https://github.com/apache/jackrabbit-oak/blame/fe9c04c3b567386dfb5d262971a278cd2c634a86/oak-parent/pom.xml#L1065
I get quite a few violations reported against the current trunk with
SpotBugs:
[INFO] --- spotbugs:4.8.6.3:check (default) @ oak-jackrabbit-api ---
[INFO] BugInstance size is 3
[INFO] Error size is 0
[INFO] Total bugs: 3
[ERROR] Medium:
org.apache.jackrabbit.api.security.authorization.PrivilegeCollection$Default.getPrivileges()
may expose internal representation by returning
PrivilegeCollection$Default.privileges
[org.apache.jackrabbit.api.security.authorization.PrivilegeCollection$Default]
At PrivilegeCollection.java:[line 101] EI_EXPOSE_REP
[ERROR] Medium: new
org.apache.jackrabbit.api.security.authorization.PrivilegeCollection$Default(Privilege[],
AccessControlManager) may expose internal representation by storing an
externally mutable object into PrivilegeCollection$Default.accessControlManager
[org.apache.jackrabbit.api.security.authorization.PrivilegeCollection$Default]
At PrivilegeCollection.java:[line 96] EI_EXPOSE_REP2
[ERROR] Medium: new
org.apache.jackrabbit.api.security.authorization.PrivilegeCollection$Default(Privilege[],
AccessControlManager) may expose internal representation by storing an
externally mutable object into PrivilegeCollection$Default.privileges
[org.apache.jackrabbit.api.security.authorization.PrivilegeCollection$Default]
At PrivilegeCollection.java:[line 95] EI_EXPOSE_REP2
…
[INFO] --- spotbugs:4.8.6.3:check (default) @ oak-commons ---
[INFO] BugInstance size is 30
[INFO] Error size is 0
[INFO] Total bugs: 30
[ERROR] Medium: Exceptional return value of java.io.File.delete() ignored in
org.apache.jackrabbit.oak.commons.FileIOUtils.append(List, File, boolean)
[org.apache.jackrabbit.oak.commons.FileIOUtils] At FileIOUtils.java:[line 163]
RV_RETURN_VALUE_IGNORED_BAD_PRACTICE
[ERROR] Medium: org.apache.jackrabbit.oak.commons.Profiler.premain(String,
Instrumentation) may expose internal static state by storing a mutable object
into a static field org.apache.jackrabbit.oak.commons.Profiler.instrumentation
[org.apache.jackrabbit.oak.commons.Profiler] At Profiler.java:[line 115]
EI_EXPOSE_STATIC_REP2
[ERROR] Medium: Public static
org.apache.jackrabbit.oak.commons.Profiler.getInstrumentation() may expose
internal representation by returning Profiler.instrumentation
[org.apache.jackrabbit.oak.commons.Profiler] At Profiler.java:[line 124]
MS_EXPOSE_REP
[ERROR] Medium: org.apache.jackrabbit.oak.commons.Profiler.run(String[]) may
fail to close stream [org.apache.jackrabbit.oak.commons.Profiler] At
Profiler.java:[line 182] OS_OPEN_STREAM
[ERROR] Medium: Primitive field
org.apache.jackrabbit.oak.commons.Profiler.sumClasses is public and set from
inside the class, which makes it too exposed. Consider making it private to
limit external accessibility. [org.apache.jackrabbit.oak.commons.Profiler] At
Profiler.java:[line 166] PA_PUBLIC_PRIMITIVE_ATTRIBUTE
[ERROR] Medium: Primitive field
org.apache.jackrabbit.oak.commons.Profiler.sumMethods is public and set from
inside the class, which makes it too exposed. Consider making it private to
limit external accessibility. [org.apache.jackrabbit.oak.commons.Profiler] At
Profiler.java:[line 168] PA_PUBLIC_PRIMITIVE_ATTRIBUTE
[ERROR] Medium: Class (org.apache.jackrabbit.oak.commons.TimeDurationFormatter)
using singleton design pattern has non-private constructor.
[org.apache.jackrabbit.oak.commons.TimeDurationFormatter] At
TimeDurationFormatter.java:[lines 76-80]
SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR
[ERROR] Medium: Exception thrown in class
org.apache.jackrabbit.oak.commons.io.FileLineDifferenceIterator at new
org.apache.jackrabbit.oak.commons.io.FileLineDifferenceIterator(File, File,
Function) will leave the constructor. The object under construction remains
partially initialized and may be vulnerable to Finalizer attacks.
[org.apache.jackrabbit.oak.commons.io.FileLineDifferenceIterator,
org.apache.jackrabbit.oak.commons.io.FileLineDifferenceIterator] At
FileLineDifferenceIterator.java:[line 58]At
FileLineDifferenceIterator.java:[line 58] CT_CONSTRUCTOR_THROW
[ERROR] Medium: instanceof will always return true for all non-null values in
org.apache.jackrabbit.oak.commons.io.FileLineDifferenceIterator$Impl.close(),
since all org.apache.commons.io.LineIterator are instances of java.io.Closeable
[org.apache.jackrabbit.oak.commons.io.FileLineDifferenceIterator$Impl,
org.apache.jackrabbit.oak.commons.io.FileLineDifferenceIterator$Impl] At
FileLineDifferenceIterator.java:[line 115]Another occurrence at
FileLineDifferenceIterator.java:[line 118] BC_VACUOUS_INSTANCEOF
[ERROR] Medium: Read of unwritten field byteSource in
org.apache.jackrabbit.oak.commons.io.LazyInputStream.ensureOpen()
[org.apache.jackrabbit.oak.commons.io.LazyInputStream] At
LazyInputStream.java:[line 110] NP_UNWRITTEN_FIELD
[ERROR] High: Field only ever set to null:
org.apache.jackrabbit.oak.commons.io.LazyInputStream.byteSource
[org.apache.jackrabbit.oak.commons.io.LazyInputStream] At
LazyInputStream.java:[line 42] UWF_NULL_FIELD
[ERROR] Medium: org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject.<static
initializer for Java23Subject>() might ignore java.lang.NoSuchMethodException
[org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject,
org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject] At
Java23Subject.java:[line 43]At Java23Subject.java:[line 43] DE_MIGHT_IGNORE
[ERROR] Medium: org.apache.jackrabbit.oak.commons.json.JsonObject.getChildren()
may expose internal representation by returning JsonObject.children
[org.apache.jackrabbit.oak.commons.json.JsonObject] At JsonObject.java:[line
133] EI_EXPOSE_REP
[ERROR] Medium:
org.apache.jackrabbit.oak.commons.json.JsonObject.getProperties() may expose
internal representation by returning JsonObject.props
[org.apache.jackrabbit.oak.commons.json.JsonObject] At JsonObject.java:[line
124] EI_EXPOSE_REP
[ERROR] Medium: Possible null pointer dereference in
org.apache.jackrabbit.oak.commons.json.JsonObject.create(JsopTokenizer,
boolean) due to return value of called method
[org.apache.jackrabbit.oak.commons.json.JsonObject,
org.apache.jackrabbit.oak.commons.json.JsonObject] Dereferenced at
JsonObject.java:[line 89]Known null at JsonObject.java:[line 89]
NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE
[ERROR] Medium: Exception thrown in class
org.apache.jackrabbit.oak.commons.json.JsopTokenizer at new
org.apache.jackrabbit.oak.commons.json.JsopTokenizer(String) will leave the
constructor. The object under construction remains partially initialized and
may be vulnerable to Finalizer attacks.
[org.apache.jackrabbit.oak.commons.json.JsopTokenizer,
org.apache.jackrabbit.oak.commons.json.JsopTokenizer] At
JsopTokenizer.java:[line 47]At JsopTokenizer.java:[line 47] CT_CONSTRUCTOR_THROW
[ERROR] Medium: Exception thrown in class
org.apache.jackrabbit.oak.commons.json.JsopTokenizer at new
org.apache.jackrabbit.oak.commons.json.JsopTokenizer(String, int) will leave
the constructor. The object under construction remains partially initialized
and may be vulnerable to Finalizer attacks.
[org.apache.jackrabbit.oak.commons.json.JsopTokenizer,
org.apache.jackrabbit.oak.commons.json.JsopTokenizer] At
JsopTokenizer.java:[line 43]At JsopTokenizer.java:[line 43] CT_CONSTRUCTOR_THROW
[ERROR] Medium: Exception thrown in class
org.apache.jackrabbit.oak.commons.log.LogSilencer at new
org.apache.jackrabbit.oak.commons.log.LogSilencer() will leave the constructor.
The object under construction remains partially initialized and may be
vulnerable to Finalizer attacks.
[org.apache.jackrabbit.oak.commons.log.LogSilencer,
org.apache.jackrabbit.oak.commons.log.LogSilencer] At LogSilencer.java:[line
48]At LogSilencer.java:[line 48] CT_CONSTRUCTOR_THROW
[ERROR] Medium: Exception thrown in class
org.apache.jackrabbit.oak.commons.log.LogSilencer at new
org.apache.jackrabbit.oak.commons.log.LogSilencer(long, int) will leave the
constructor. The object under construction remains partially initialized and
may be vulnerable to Finalizer attacks.
[org.apache.jackrabbit.oak.commons.log.LogSilencer,
org.apache.jackrabbit.oak.commons.log.LogSilencer] At LogSilencer.java:[line
62]At LogSilencer.java:[line 62] CT_CONSTRUCTOR_THROW
[ERROR] Medium: Exception thrown in class
org.apache.jackrabbit.oak.commons.properties.SystemPropertySupplier at new
org.apache.jackrabbit.oak.commons.properties.SystemPropertySupplier(String,
Object) will leave the constructor. The object under construction remains
partially initialized and may be vulnerable to Finalizer attacks.
[org.apache.jackrabbit.oak.commons.properties.SystemPropertySupplier,
org.apache.jackrabbit.oak.commons.properties.SystemPropertySupplier] At
SystemPropertySupplier.java:[line 63]At SystemPropertySupplier.java:[line 63]
CT_CONSTRUCTOR_THROW
[ERROR] Medium: Exception thrown in class
org.apache.jackrabbit.oak.commons.sort.BinaryFileBuffer at new
org.apache.jackrabbit.oak.commons.sort.BinaryFileBuffer(BufferedReader,
Function) will leave the constructor. The object under construction remains
partially initialized and may be vulnerable to Finalizer attacks.
[org.apache.jackrabbit.oak.commons.sort.BinaryFileBuffer,
org.apache.jackrabbit.oak.commons.sort.BinaryFileBuffer] At
ExternalSort.java:[line 1074]At ExternalSort.java:[line 1074]
CT_CONSTRUCTOR_THROW
[ERROR] High:
org.apache.jackrabbit.oak.commons.sort.ExternalSort.mergeSortedFiles(List,
BufferedWriter, Comparator, Charset, boolean, Compression, Function, Function)
might ignore java.lang.Exception
[org.apache.jackrabbit.oak.commons.sort.ExternalSort,
org.apache.jackrabbit.oak.commons.sort.ExternalSort] At ExternalSort.java:[line
840]At ExternalSort.java:[line 840] DE_MIGHT_IGNORE
[ERROR] High:
org.apache.jackrabbit.oak.commons.sort.ExternalSort.defaultcomparator isn't
final but should be [org.apache.jackrabbit.oak.commons.sort.ExternalSort] At
ExternalSort.java:[line 1056] MS_SHOULD_BE_FINAL
[ERROR] Medium:
org.apache.jackrabbit.oak.commons.sort.ExternalSort.sortAndSave(List,
Comparator, Charset, File, boolean, Compression, Function, Predicate) may fail
to clean up java.io.OutputStream on checked exception
[org.apache.jackrabbit.oak.commons.sort.ExternalSort] Obligation to clean up
resource created at ExternalSort.java:[line 622] is not discharged
OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE
[ERROR] Medium:
org.apache.jackrabbit.oak.commons.sort.ExternalSort.sortInBatch(File,
Comparator, int, long, Charset, File, boolean, int, Compression, Function,
Function, Predicate) may fail to clean up java.io.InputStream on checked
exception [org.apache.jackrabbit.oak.commons.sort.ExternalSort] Obligation to
clean up resource created at ExternalSort.java:[line 320] is not discharged
OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE
[ERROR] Medium: Redundant nullcheck of lastLine, which is known to be non-null
in org.apache.jackrabbit.oak.commons.sort.ExternalSort.merge(BufferedWriter,
Comparator, boolean, List, Function)
[org.apache.jackrabbit.oak.commons.sort.ExternalSort] Redundant null check at
ExternalSort.java:[line 887] RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
[ERROR] Medium: Redundant nullcheck of lastLine, which is known to be non-null
in org.apache.jackrabbit.oak.commons.sort.ExternalSort.sortAndSave(List,
Comparator, Charset, File, boolean, Compression, Function, Predicate)
[org.apache.jackrabbit.oak.commons.sort.ExternalSort] Redundant null check at
ExternalSort.java:[line 628] RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
[ERROR] Medium: Exceptional return value of java.io.File.delete() ignored in
org.apache.jackrabbit.oak.commons.sort.ExternalSort.mergeSortedFiles(List,
BufferedWriter, Comparator, Charset, boolean, Compression, Function, Function)
[org.apache.jackrabbit.oak.commons.sort.ExternalSort] At
ExternalSort.java:[line 843] RV_RETURN_VALUE_IGNORED_BAD_PRACTICE
[ERROR] Medium: Exceptional return value of java.io.File.delete() ignored in
org.apache.jackrabbit.oak.commons.sort.ExternalSort.mergeSortedFiles(List,
File, Comparator, Charset, boolean, boolean, Compression, Function, Function)
[org.apache.jackrabbit.oak.commons.sort.ExternalSort] At
ExternalSort.java:[line 765] RV_RETURN_VALUE_IGNORED_BAD_PRACTICE
[ERROR] Medium: Exception thrown in class
org.apache.jackrabbit.oak.commons.sort.ExternalSortByteArray$BinaryFileBuffer
at new
org.apache.jackrabbit.oak.commons.sort.ExternalSortByteArray$BinaryFileBuffer(InputStream,
Function, int) will leave the constructor. The object under construction
remains partially initialized and may be vulnerable to Finalizer attacks.
[org.apache.jackrabbit.oak.commons.sort.ExternalSortByteArray$BinaryFileBuffer,
org.apache.jackrabbit.oak.commons.sort.ExternalSortByteArray$BinaryFileBuffer]
At ExternalSortByteArray.java:[line 123]At ExternalSortByteArray.java:[line
123] CT_CONSTRUCTOR_THROW
…..
And so on. I would propose removing the execution of that plugin as long as no one
looks at the errors and fixes them.
Currently it just spams the build log.
WDYT?
Thanks,
Konrad
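
Added example, not part of the original message and not code from the Oak project: a short Python script that tallies the SpotBugs findings in a Maven log like the one above by priority and by bug pattern, re-joining the wrapped lines. The sample log is constructed and its class names are made up; that `Low` findings print in the same `[ERROR] <priority>:` form is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the shape of the log above; class names are made up.
SAMPLE_LOG = """\
[INFO] --- spotbugs:4.8.6.3:check (default) @ example-module ---
[ERROR] Medium: Exceptional return value of java.io.File.delete() ignored in
org.example.Files.append(List, File) [org.example.Files] At
Files.java:[line 163] RV_RETURN_VALUE_IGNORED_BAD_PRACTICE
[ERROR] High: Field only ever set to null: org.example.Lazy.source
[org.example.Lazy] At Lazy.java:[line 42] UWF_NULL_FIELD
[ERROR] Medium:
org.example.Json.getChildren() may expose internal representation by
returning Json.children [org.example.Json] At Json.java:[line 133] EI_EXPOSE_REP
[ERROR] Medium: Exception thrown in class org.example.Tok at new
org.example.Tok(String) will leave the constructor. [org.example.Tok] At
Tok.java:[line 47]At Tok.java:[line 47] CT_CONSTRUCTOR_THROW
...
"""

# The log above shows High and Medium; Low is assumed to print the same way.
FINDING = re.compile(r"^\[ERROR\] (High|Medium|Low):\s*(.*)$")
LEVEL = re.compile(r"^\[(INFO|WARNING|ERROR)\]")
BUG_PATTERN = re.compile(r"\b[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+\b")

def parse_findings(log_text):
    """Return [(priority, bug_pattern), ...], re-joining wrapped lines."""
    blocks, in_finding = [], False
    for line in log_text.splitlines():
        start = FINDING.match(line)
        if start:
            blocks.append([start.group(1), start.group(2)])
            in_finding = True
        elif LEVEL.match(line):
            in_finding = False  # any other Maven log line ends the finding
        elif in_finding:
            blocks[-1][1] += " " + line.strip()
    findings = []
    for priority, text in blocks:
        ids = BUG_PATTERN.findall(text)  # the pattern id is the last such token
        findings.append((priority, ids[-1] if ids else "UNKNOWN"))
    return findings

def summarize(findings):
    # Count findings per priority and per bug pattern.
    return Counter(p for p, _ in findings), Counter(b for _, b in findings)

if __name__ == "__main__":
    by_priority, by_pattern = summarize(parse_findings(SAMPLE_LOG))
    print(dict(by_priority), by_pattern.most_common())
```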