New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
false-positives for CDI targeted methods in UPM_UNCALLED_PRIVATE_METHOD #947
Comments
How is your CDI framework calling private methods? If it's using reflection to disable the access control checks, then that is not a good approach. |
I don't know, it is the official reference implementation of the CDI standard WELD, so you can have a look. |
IMO using private methods with CDI is a bad programming style and package-private / protected Methods like defined in the JPA specification should be preferred. Regarding how CDI implementations do that: it depends on the specific implementation but since Java 11 disallowed reflective modifications to the visibility of methods and fields, most are either switching over to MethodHandle / VarHandle with a private lookup or to generating helper methods in the generated proxy class. I would suggest to maintain a list of standart JavaEE annotations for this rule like the ones defined in CDI 2.0 to prevent such false-positives. |
May I ask where this is defined? |
That was just my personal opinion. Therefore the "IMO". For CDI there is no official recommendation regarding visibility, but other JavaEE standards like JPA do to make it easier on Framework developers and to be more Future-Proof. |
* Workaround UPM_UNCALLED_PRIVATE_METHOD false positive - spotbugs/spotbugs#947 * Mutable vs. immutable socket config * Cleanup + examples alignment * Compression with upgrade handlers test * Https and wss negotiation with alpn * One codec for enc and decoding Signed-off-by: Daniel Kec <daniel.kec@oracle.com>
* Http/2 and WebSockets as standalone modules * Workaround UPM_UNCALLED_PRIVATE_METHOD false positive - spotbugs/spotbugs#947 * Mutable vs. immutable socket config * Cleanup + examples alignment * Compression with upgrade handlers test * Https and wss negotiation with alpn * One codec for enc and decoding Signed-off-by: Daniel Kec <daniel.kec@oracle.com>
This is a problem for JavaFX applications too. GUI callbacks in JavaFX is commonly implemented in private methods with an It would be great if we could configure the check for That would cater for both JavaFX, DI frameworks and other use cases. |
If you have methods for CDI (or also for Spring, I don't know whether there are false-postivies though as I didn't try it) they are often private so that only the DI framework handles them usually.
This for example includes methods that are annotated with
@Inject
, or@Produces
or methods with a parameter that is annotated with@Disposes
,@Observes
or@ObservesAsync
. Those methods are usually called by the CDI framework and thus should not be marked as unused just like methods annotated with@PostConstruct
, or@PreDestroy
.The text was updated successfully, but these errors were encountered: