Forbid Url.openStream calls and Class.getResourceAsStream

config/detekt/detekt.yml

@@ -169,6 +169,8 @@ style:
     methods:
       - 'kotlin.io.print'
       - 'kotlin.io.println'
+      - 'java.net.URL.openStream()'
+      - 'java.lang.Class.getResourceAsStream()'
   ForbiddenVoid:
     active: true
   LibraryCodeMustSpecifyReturnType:

detekt-api/build.gradle.kts

@@ -10,6 +10,7 @@ plugins {
 dependencies {
     api(libs.kotlin.compilerEmbeddable)
     api(projects.detektPsiUtils)
+    implementation(projects.detektUtils)
 
     testImplementation(projects.detektTest)
     testImplementation(libs.bundles.testImplementation)

detekt-api/src/main/kotlin/io/gitlab/arturbosch/detekt/api/internal/Versions.kt

@@ -1,5 +1,6 @@
 package io.gitlab.arturbosch.detekt.api.internal
 
+import io.github.detekt.utils.openSafeStream
 import io.gitlab.arturbosch.detekt.api.Extension
 import java.net.URL
 import java.util.jar.Manifest
@@ -18,7 +19,7 @@ fun whichJava(): String = System.getProperty("java.runtime.version")
  * Returns the bundled detekt version.
  */
 fun whichDetekt(): String? {
-    fun readVersion(resource: URL): String? = resource.openStream()
+    fun readVersion(resource: URL): String? = resource.openSafeStream()
         .use { Manifest(it).mainAttributes.getValue("DetektVersion") }
 
     return Extension::class.java.classLoader.getResources("META-INF/MANIFEST.MF")

detekt-report-html/build.gradle.kts

@@ -5,6 +5,7 @@ plugins {
 dependencies {
     compileOnly(projects.detektApi)
     compileOnly(projects.detektMetrics)
+    implementation(projects.detektUtils)
     implementation(libs.kotlinx.html) {
         exclude(group = "org.jetbrains.kotlin")
     }

detekt-report-html/src/main/kotlin/io/github/detekt/report/html/HtmlOutputReport.kt

@@ -2,6 +2,7 @@ package io.github.detekt.report.html
 
 import io.github.detekt.metrics.ComplexityReportGenerator
 import io.github.detekt.psi.toUnifiedString
+import io.github.detekt.utils.openSafeStream
 import io.gitlab.arturbosch.detekt.api.Detektion
 import io.gitlab.arturbosch.detekt.api.Finding
 import io.gitlab.arturbosch.detekt.api.OutputReport
@@ -48,7 +49,7 @@ class HtmlOutputReport : OutputReport() {
 
     override fun render(detektion: Detektion) =
         javaClass.getResource("/$DEFAULT_TEMPLATE")!!
-            .openStream()
+            .openSafeStream()
             .bufferedReader()
             .use { it.readText() }
             .replace(PLACEHOLDER_VERSION, renderVersion())

detekt-test/build.gradle.kts

@@ -6,6 +6,7 @@ plugins {
 dependencies {
     api(projects.detektApi)
     api(projects.detektTestUtils)
+    implementation(projects.detektUtils)
     compileOnly(libs.assertj)
     implementation(projects.detektCore)
     implementation(projects.detektParser)

detekt-test/src/main/kotlin/io/gitlab/arturbosch/detekt/test/Resources.kt

@@ -1,10 +1,11 @@
 package io.gitlab.arturbosch.detekt.test
 
 import io.github.detekt.test.utils.resource
+import io.github.detekt.utils.openSafeStream
 import io.gitlab.arturbosch.detekt.api.Config
 import io.gitlab.arturbosch.detekt.core.config.YamlConfig
 import java.io.StringReader
 
-fun yamlConfig(name: String) = resource(name).toURL().openStream().reader().use(YamlConfig::load)
+fun yamlConfig(name: String) = resource(name).toURL().openSafeStream().reader().use(YamlConfig::load)
 
 fun yamlConfigFromContent(content: String): Config = StringReader(content.trimIndent()).use(YamlConfig::load)