Closed ginkel closed 2 years ago
See https://openjdk.java.net/jeps/411
Try
-Djava.security.manager=allow
To continue to allow it, its off by default with 18.
Sure,
MAVEN_OPTS="-Djava.security.manager=allow" mvn spotbugs:spotbugs
works as a workaround, but IMHO it would be desirable if the plugin worked out-of-the-box, wouldn't it?
plugin is written in groovy, its still using it based off that stack (the groovy ant code). I checked groovy github and last they have on it is some prep work preparing to deprecate it so it really would hinge on them.
Closing issue, updated readme to note considerations such as this. Groovy has no fix yet. They reverted the code they were applying and noted it will be sometime in the future done some other way. Unfortunately this plugin is limited by their speed at getting compliant with java and there are work arounds which are now directly noted with link to details in groovy.
Thanks for the update!
Is there a groovy issue open for this? I wasn't able to find one.
I've just been annoyed by this yet again and thought it would be useful to put everything I could find here, because I think this issue is lacking in good information. This is all my understanding, and if it's wrong I'd be grateful if one of the maintainers of this repo could correct it:
The error generated by spotbugs-maven-plugin isn't caused by spotbugs, it's caused by groovy using the security manager to prevent System.exit from working. The note regarding this problem for this plugin can be found here: https://github.com/spotbugs/spotbugs-maven-plugin#groovy The note regarding this problem from the groovy team can be found here: https://groovy-lang.org/releasenotes/groovy-4.0.html#Groovy4.0releasenotes-4.0.2 The JEP for removing the security manager is https://openjdk.org/jeps/411 Finally, the 5 year old bug in the JDK that groozy are waiting for it here: https://bugs.openjdk.org/browse/JDK-8199704
I don't think that issue is ever going to be fixed, and the groovy team don't look like they are very keen on keeping up with JDK developments. :(
My preferred workaround is to make the spotbugs-maven-plugin fork and then specify the system property for it (preferred because this way limits the workaround to only affecting spotbugs-maven-plugin):
<plugin>
<groupId>com.github.spotbugs</groupId>
<artifactId>spotbugs-maven-plugin</artifactId>
<version>4.7.3.4</version>
<configuration>
<fork>true</fork>
<effort>Max</effort>
<xmlOutput>true</xmlOutput>
<excludeFilterFile>${basedir}/findbugsFilterFile.xml</excludeFilterFile>
<jvmArgs>-Djava.security.manager=allow</jvmArgs>
<plugins>
<plugin>
<groupId>com.h3xstream.findsecbugs</groupId>
<artifactId>findsecbugs-plugin</artifactId>
<version>1.12.0</version>
</plugin>
</plugins>
</configuration>
<executions>
<execution>
<phase>verify</phase>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
Please report to groovy then. There is nothing we can do here. As documented and as you lay this out as well. Issue is with groovy. Work around is otherwise documented and works.
Sent from my Verizon, Samsung Galaxy smartphone Get Outlook for Androidhttps://aka.ms/AAb9ysg
From: Yaytay @.> Sent: Tuesday, April 11, 2023 4:25:02 AM To: spotbugs/spotbugs-maven-plugin @.> Cc: Jeremy Landis @.>; State change @.> Subject: Re: [spotbugs/spotbugs-maven-plugin] Java 18 compatibility (Issue #423)
I've just been annoyed by this yet again and thought it would be useful to put everything I could find here, because I think this issue is lacking in good information. This is all my understanding, and if it's wrong I'd be grateful if one of the maintainers of this repo could correct it:
The error generated by spotbugs-maven-plugin isn't caused by spotbugs, it's caused by groovy using the security manager to prevent System.exit from working. The note regarding this problem for this plugin can be found here: https://github.com/spotbugs/spotbugs-maven-plugin#groovy The note regarding this problem from the groovy team can be found here: https://groovy-lang.org/releasenotes/groovy-4.0.html#Groovy4.0releasenotes-4.0.2 The JEP for removing the security manager is https://openjdk.org/jeps/411 Finally, the 5 year old bug in the JDK that groozy are waiting for it here: https://bugs.openjdk.org/browse/JDK-8199704
I don't think that issue is ever going to be fixed, and the groovy team don't look like they are very keen on keeping up with JDK developments. :(
— Reply to this email directly, view it on GitHubhttps://github.com/spotbugs/spotbugs-maven-plugin/issues/423#issuecomment-1502899152, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AAHODI7SKESG4OQ66LFEP33XAUIN5ANCNFSM5T7BCRWA. You are receiving this because you modified the open/close state.Message ID: @.***>
The issue is not with Groovy per se, it is with Ant, which this mojo explicitly uses to run SpotBugs for some reason (merely using a Groovy utility to prepare the Ant usage). I filed https://github.com/apache/ant/pull/200 to deal with this upstream, though it would be better to drop the Ant dependency and either fork via ProcessBuilder
or directly run the SpotBugs entry point class.
As far as I can tell the workaround is just to configure the mojo to fork
—there is no need to set any special JVM arguments, since the System.setSecurityManager
call is only used inside the Maven JVM when fork
is false
.
The issue is not with Groovy per se, it is with Ant, which this mojo explicitly uses to run SpotBugs for some reason (merely using a Groovy utility to prepare the Ant usage). I filed apache/ant#200 to deal with this upstream, though it would be better to drop the Ant dependency and either fork via
ProcessBuilder
or directly run the SpotBugs entry point class.As far as I can tell the workaround is just to configure the mojo to
fork
—there is no need to set any special JVM arguments, since theSystem.setSecurityManager
call is only used inside the Maven JVM whenfork
isfalse
.
Thanks for this insight, although I am seeing the opposite: fork
needs to be set to false
to avoid the warnings.
As far as I can tell the workaround is just to configure the mojo to
fork
—there is no need to set any special JVM arguments, since theSystem.setSecurityManager
call is only used inside the Maven JVM whenfork
isfalse
.
I can confirm that this (<fork>true</fork>
, without needing the jvmArgs) does work for me.
Should be reopened once https://github.com/apache/ant/commit/689b6ea90ee1fbad580a437137d80609c9336f12 is released.
@jglick I know you mentioned this project does this strangely using ant. If you know groovy well enough and think you could figure out how to get it off that, it would be a great help. I didn't write the original code but am basically by myself with this. I'd love to dump ant and also not seeing why it was written this way. In fact, I cannot even understand the rational for why it was originally written in groovy either. But its groovy now so any improvements would be greatly appreciated.
I'll eventually try to do so myself but I don't work on groovy enough to be super slick about it :)
Well, at any rate just updating to 1.10.14 (once it is released) ought to fix this issue.
https://ant.apache.org/ released yesterday
fixed on 'spotbugs' branch now.
Hi there,
running the spotbugs-maven-plugin (v4.6.0.0) on Maven 3.8.4 under Java 18 ends up with the following exception:
Any ideas?