hazendaz
commented
2 years ago See https://openjdk.java.net/jeps/411
Try
-Djava.security.manager=allow
To continue to allow it, its off by default with 18.
Closed ginkel closed 2 years ago
hazendaz
commented
2 years ago See https://openjdk.java.net/jeps/411
Try
-Djava.security.manager=allow
To continue to allow it, its off by default with 18.
ginkel
commented
2 years ago Sure,
MAVEN_OPTS="-Djava.security.manager=allow" mvn spotbugs:spotbugsworks as a workaround, but IMHO it would be desirable if the plugin worked out-of-the-box, wouldn't it?
hazendaz
commented
2 years ago plugin is written in groovy, its still using it based off that stack (the groovy ant code). I checked groovy github and last they have on it is some prep work preparing to deprecate it so it really would hinge on them.
hazendaz
commented
2 years ago Closing issue, updated readme to note considerations such as this. Groovy has no fix yet. They reverted the code they were applying and noted it will be sometime in the future done some other way. Unfortunately this plugin is limited by their speed at getting compliant with java and there are work arounds which are now directly noted with link to details in groovy.
ginkel
commented
2 years ago Thanks for the update!
jrivard
commented
1 year ago Is there a groovy issue open for this? I wasn't able to find one.
Yaytay
commented
1 year ago I've just been annoyed by this yet again and thought it would be useful to put everything I could find here, because I think this issue is lacking in good information. This is all my understanding, and if it's wrong I'd be grateful if one of the maintainers of this repo could correct it:
The error generated by spotbugs-maven-plugin isn't caused by spotbugs, it's caused by groovy using the security manager to prevent System.exit from working. The note regarding this problem for this plugin can be found here: https://github.com/spotbugs/spotbugs-maven-plugin#groovy The note regarding this problem from the groovy team can be found here: https://groovy-lang.org/releasenotes/groovy-4.0.html#Groovy4.0releasenotes-4.0.2 The JEP for removing the security manager is https://openjdk.org/jeps/411 Finally, the 5 year old bug in the JDK that groozy are waiting for it here: https://bugs.openjdk.org/browse/JDK-8199704
I don't think that issue is ever going to be fixed, and the groovy team don't look like they are very keen on keeping up with JDK developments. :(
My preferred workaround is to make the spotbugs-maven-plugin fork and then specify the system property for it (preferred because this way limits the workaround to only affecting spotbugs-maven-plugin):
<plugin>
<groupId>com.github.spotbugs</groupId>
<artifactId>spotbugs-maven-plugin</artifactId>
<version>4.7.3.4</version>
<configuration>
<fork>true</fork>
<effort>Max</effort>
<xmlOutput>true</xmlOutput>
<excludeFilterFile>${basedir}/findbugsFilterFile.xml</excludeFilterFile>
<jvmArgs>-Djava.security.manager=allow</jvmArgs>
<plugins>
<plugin>
<groupId>com.h3xstream.findsecbugs</groupId>
<artifactId>findsecbugs-plugin</artifactId>
<version>1.12.0</version>
</plugin>
</plugins>
</configuration>
<executions>
<execution>
<phase>verify</phase>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>Please report to groovy then. There is nothing we can do here. As documented and as you lay this out as well. Issue is with groovy. Work around is otherwise documented and works.
Sent from my Verizon, Samsung Galaxy smartphone Get Outlook for Androidhttps://aka.ms/AAb9ysg
From: Yaytay @.> Sent: Tuesday, April 11, 2023 4:25:02 AM To: spotbugs/spotbugs-maven-plugin @.> Cc: Jeremy Landis @.>; State change @.> Subject: Re: [spotbugs/spotbugs-maven-plugin] Java 18 compatibility (Issue #423)
I've just been annoyed by this yet again and thought it would be useful to put everything I could find here, because I think this issue is lacking in good information. This is all my understanding, and if it's wrong I'd be grateful if one of the maintainers of this repo could correct it:
The error generated by spotbugs-maven-plugin isn't caused by spotbugs, it's caused by groovy using the security manager to prevent System.exit from working. The note regarding this problem for this plugin can be found here: https://github.com/spotbugs/spotbugs-maven-plugin#groovy The note regarding this problem from the groovy team can be found here: https://groovy-lang.org/releasenotes/groovy-4.0.html#Groovy4.0releasenotes-4.0.2 The JEP for removing the security manager is https://openjdk.org/jeps/411 Finally, the 5 year old bug in the JDK that groozy are waiting for it here: https://bugs.openjdk.org/browse/JDK-8199704
I don't think that issue is ever going to be fixed, and the groovy team don't look like they are very keen on keeping up with JDK developments. :(
— Reply to this email directly, view it on GitHubhttps://github.com/spotbugs/spotbugs-maven-plugin/issues/423#issuecomment-1502899152, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AAHODI7SKESG4OQ66LFEP33XAUIN5ANCNFSM5T7BCRWA. You are receiving this because you modified the open/close state.Message ID: @.***>
jglick
commented
1 year ago The issue is not with Groovy per se, it is with Ant, which this mojo explicitly uses to run SpotBugs for some reason (merely using a Groovy utility to prepare the Ant usage). I filed https://github.com/apache/ant/pull/200 to deal with this upstream, though it would be better to drop the Ant dependency and either fork via ProcessBuilder or directly run the SpotBugs entry point class.
As far as I can tell the workaround is just to configure the mojo to fork—there is no need to set any special JVM arguments, since the System.setSecurityManager call is only used inside the Maven JVM when fork is false.
JoostK
commented
1 year ago The issue is not with Groovy per se, it is with Ant, which this mojo explicitly uses to run SpotBugs for some reason (merely using a Groovy utility to prepare the Ant usage). I filed apache/ant#200 to deal with this upstream, though it would be better to drop the Ant dependency and either fork via
ProcessBuilderor directly run the SpotBugs entry point class.As far as I can tell the workaround is just to configure the mojo to
fork—there is no need to set any special JVM arguments, since theSystem.setSecurityManagercall is only used inside the Maven JVM whenforkisfalse.
Thanks for this insight, although I am seeing the opposite: fork needs to be set to false to avoid the warnings.
Yaytay
commented
1 year ago As far as I can tell the workaround is just to configure the mojo to
fork—there is no need to set any special JVM arguments, since theSystem.setSecurityManagercall is only used inside the Maven JVM whenforkisfalse.
I can confirm that this (<fork>true</fork>, without needing the jvmArgs) does work for me.
jglick
commented
9 months ago Should be reopened once https://github.com/apache/ant/commit/689b6ea90ee1fbad580a437137d80609c9336f12 is released.
hazendaz
commented
9 months ago @jglick I know you mentioned this project does this strangely using ant. If you know groovy well enough and think you could figure out how to get it off that, it would be a great help. I didn't write the original code but am basically by myself with this. I'd love to dump ant and also not seeing why it was written this way. In fact, I cannot even understand the rational for why it was originally written in groovy either. But its groovy now so any improvements would be greatly appreciated.
I'll eventually try to do so myself but I don't work on groovy enough to be super slick about it :)
jglick
commented
9 months ago Well, at any rate just updating to 1.10.14 (once it is released) ought to fix this issue.
jglick
commented
8 months ago https://ant.apache.org/ released yesterday
hazendaz
commented
8 months ago fixed on 'spotbugs' branch now.
Hi there,
running the spotbugs-maven-plugin (v4.6.0.0) on Maven 3.8.4 under Java 18 ends up with the following exception:
Any ideas?