diff --git a/CHANGELOG.md b/CHANGELOG.md
index cefc5a39a1a..b393422f14a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,8 @@ This is the changelog for SpotBugs. This follows [Keep a Changelog v1.0.0](http:
 Currently the versioning policy of this project follows [Semantic Versioning v2.0.0](http://semver.org/spec/v2.0.0.html).
 ## Unreleased - 2022-??-??
+### Fixed
+- Avoid warning on use of security manager on Java 17 and newer. ([#1579](https://github.com/spotbugs/spotbugs/issues/1579))
 ## 4.7.1 - 2022-06-26
 ### Fixed
diff --git a/spotbugs/src/main/java/edu/umd/cs/findbugs/PluginLoader.java b/spotbugs/src/main/java/edu/umd/cs/findbugs/PluginLoader.java
index c7ccafbe2d5..b539263c387 100644
--- a/spotbugs/src/main/java/edu/umd/cs/findbugs/PluginLoader.java
+++ b/spotbugs/src/main/java/edu/umd/cs/findbugs/PluginLoader.java
@@ -58,6 +58,7 @@
 import javax.annotation.Nullable;
 import javax.annotation.WillClose;
+import edu.umd.cs.findbugs.util.SecurityManagerHandler;
 import org.dom4j.Document;
 import org.dom4j.DocumentException;
 import org.dom4j.Element;
@@ -1472,7 +1473,7 @@ static synchronized void loadInitialPlugins() {
 // Thread.currentThread().getContextClassLoader().getResource("my.java.policy");
 // Policy.getPolicy().refresh();
 try {
- System.setSecurityManager(null);
+ SecurityManagerHandler.disableSecurityManager();
 } catch (Throwable e) {
 assert true; // keep going
 }
diff --git a/spotbugs/src/main/java/edu/umd/cs/findbugs/util/SecurityManagerHandler.java b/spotbugs/src/main/java/edu/umd/cs/findbugs/util/SecurityManagerHandler.java
new file mode 100644
index 00000000000..c9f536ef205
--- /dev/null
+++ b/spotbugs/src/main/java/edu/umd/cs/findbugs/util/SecurityManagerHandler.java
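Review bot: The replacement call in `loadInitialPlugins` gives no hint that it is a no-op on Java 17 and newer, so a security manager installed by the host now stays active while plugins load, where the removed `System.setSecurityManager(null)` always attempted to clear it. A comment at the call would make that visible, for example `// No-op on Java 17+ unless -Dedu.umd.cs.findbugs.securityManagerDisabled=false; an installed SecurityManager then remains in force`. The surrounding `catch (Throwable e)` also hides any failure of the call, so nothing at runtime shows which path was taken. The method body starts and ends outside the hunk.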
@@ -0,0 +1,59 @@
+package edu.umd.cs.findbugs.util;
+
+/**
+ * Since Java 17, the security manager is deprecated for removal and invoking related methods
+ * causes a warning to be printed to the console. This intermediate disables use security
+ * manager-related APIs on Java 17 or later, unless using the security manager is explicitly
+ * configured by setting the edu.umd.cs.findbugs.securityManagerDisabled property.
+ */
+public class SecurityManagerHandler {
+
+ /**
+ * Determines if the security manager is used by SpotBugs.
+ */
+ public static boolean SECURITY_MANAGER_DISABLED;
+
+ static {
+ boolean securityManagerDisabled;
+ try {
+ String property = System.getProperty("edu.umd.cs.findbugs.securityManagerDisabled");
+ if (property != null) {
+ securityManagerDisabled = Boolean.parseBoolean(property);
+ } else {
+ String version = System.getProperty("java.version");
+ if (version.startsWith("1.")) {
+ version = version.substring(2, 3);
+ } else {
+ int index = version.indexOf(".");
+ if (index != -1) {
+ version = version.substring(0, index);
+ }
+ }
+ securityManagerDisabled = Integer.parseInt(version) > 16;
+ }
+ } catch (Throwable ignored) {
+ securityManagerDisabled = false;
+ }
+ SECURITY_MANAGER_DISABLED = securityManagerDisabled;
+ }
+
+ /**
+ * Disables the security manager by setting {@link System#setSecurityManager(SecurityManager)}
+ * to {@code null}.
+ */
+ public static void disableSecurityManager() {
+ if (SECURITY_MANAGER_DISABLED) {
+ return;
+ }
+ doDisableSecurityManager();
+ }
+
+ /**
+ * This method is a safeguard for running this library on a JVM that might no longer include
+ * the security manager API after removal. As the JVM verifies methods lazily, and since this
+ * method will never be invoked, validation of this method with a missing type can never fail.
+ */
+ private static void doDisableSecurityManager() {
+ System.setSecurityManager(null);
+ }
+}
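Review bot: `SECURITY_MANAGER_DISABLED` is declared `public static` without `final`, so any class in the process, including a loaded plugin, can flip it after initialization and change whether `disableSecurityManager()` clears the JVM-wide security manager. The static initializer assigns it exactly once, so it can be `public static final boolean SECURITY_MANAGER_DISABLED;`. The version parse also drops into the `catch (Throwable ignored)` fallback for a `java.version` value that has a suffix but no dot (a constructed example is `17-ea`), which yields `false` and re-enables the deprecated call; reading `java.specification.version` instead would avoid the suffix. The Javadoc on `doDisableSecurityManager()` says the method "will never be invoked", but it is invoked whenever the flag is false, so that sentence should be limited to Java 17 and newer.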