Skip to content

Changes

Uwe Schindler edited this page Jun 19, 2016 · 49 revisions

This page lists all changes since the first released version.

Version 2.2 (released 2016-06-19)

New features / bug fixes:

  • Add support for signature polymorphic methods (issue #105, pull #106), thanks to Robert.
  • Add signatures for commons-io-unsafe-2.5 (issue #102).
  • Add some missing methods to commons-io signatures after another review (pull #104).
  • Add new setting to disable the classloading cache. This is a workarounds for build systems that change JAR files, but don't close their classloaders, leading to FileNotFoundException when trying to load class files from the changed JAR file. This affects especially the Gradle Daemon (issue #75, pull #76).

Version 2.1 (released 2016-05-22)

New features:

  • Add targetVersion support to Ant task (issue #101).
  • Add initial support for new Java 9 class file format (pull #97).
  • On Java 9 Jigsaw, don't use ASM to analyze system classes. This change makes it more unlikely that the tool will exit with "Bundled version of ASM cannot parse bytecode of java.lang.Object class; marking runtime as not suppported" on Java 9+ (commit).
  • Deprecate internalRuntimeForbidden attribute and add a new bundles signatures jdk-non-portable to and make heuristics reliable (pull #95, issue #54).
  • Add new bundled signatures jdk-internal for disallowing internal runtime APIs (issue #91, pull #95).
  • Add unsafe signatures for ResourceBundle (issue #89), thanks to Trejkaz.
  • Add a bundle jdk-reflection that contains methods that bypass Java security (pull #86), thanks to Dominik Stadler.
  • Add support for new Java version style "6.0" instead of "1.6" (pull #81).

Bug fixes:

  • Fix method checks to also look into superclasses if method was overridden (issue #100).
  • Fix class loading order bugs (issue #91).
  • Allow referencing non-jarred artefacts (pull #87), thanks to Dawid Weiss.
  • Hide warnings about missing classes/methods/fields in deprecated signatures (pull #84)

Internals:

Version 2.0 (released 2015-09-30)

This is the major 2.0 release of the forbidden-apis plugin. The main new feature is native support for the Gradle build system (minimum requirement is Gradle 2.3). But also Apache Ant and Apache Maven build systems got improved support: Ant can now load signatures from arbitrary resources by using a new XML element <signatures></signatures> that may contain any valid ANT resource, e.g., ivy's cache-filesets or plain URLs. Apache Maven now supports to load signatures files as artifacts from your repository or Maven Central (new signaturesArtifacts Mojo property).

Breaking changes:

  • Update to Java 6 as minimum requirement (pull #71).
  • Switch default Maven lifecycle phase to verify (pull #72).

New features:

  • Add support for Gradle (issue #68, pull #70, pull #73, thanks to Ryan Ernst & Chris Earle for help and suggestions).
  • Allow Maven artifacts to be loaded as signatures (issue #13, pull #79).
  • Allow arbitrary Ant resources to be loaded as signatures (pull #78).
  • Add failOnViolation setting to optionally fail builds (pull #62, thanks to Jochen Schalanda).
  • Cleanup unsafe JDK signatures for Java 8 (mostly java.time API) (issue #19, pull #57).
  • Support for Java 9 Jigsaw preview builds (pull #74).

Bug fixes:

  • Add automatic plugin execution override for M2E. It is no longer needed to add a lifecycle mapping to exclude forbiddenapis to execute inside Eclipse's M2E (issue #60).

Internals:

  • Package refactoring of Cli, Ant, Maven (pull #69).
  • Refactor loggers and make Checker a final, non abstract class (pull #67).
  • Use EnumSet for the checker options (pull #64).
  • Add support for signature file URLs (pull #77).

Version 1.8 (released 2015-04-13)

New features:

  • Initial Java 9 support (JIGSAW modules, signatures, deprecations) (issue #39, pull #50).
  • Add annotation support (@SuppressForbidden) to suppress errors for classes/methods/fields. Annotations can be defined in config, also using glob patterns (e.g., **.MySuppressForbidden) (issue #34, issue #53).
  • Forbid MessageFormat.format(String,Object[]) because it uses default locale (pull #48, thanks to Shalin Shekhar Mangar).
  • Add support for forbidding java packages using class name globs (e.g., sun.misc.**) (issue #40).
  • Sort error messages by source code line number. Also show failures in synthetic methods and lambdas where they belong (issue #12).

Bug fixes:

  • Forbidden @java.lang.Deprecated is not always detected (issue #45).
  • Re-enable class-only, non-runtime annotation checking (issue #46).

Version 1.7 (released 2014-11-24)

New features:

  • Auto-generate HTML documentation for Ant Task, Maven Mojo, and CLI (issue #32, issue #37).
  • Add a new documentation ZIP file to release (issue #32, issue #37).
  • Add help-mojo (issue #32, issue #37).
  • Add support for signaturesFilelist and signaturesFile elements (issue #36).
  • Add option to also ignore unresolvable signatures in Ant and CLI (issue #42).
  • Allow option to only print warning if Ant fileset of classes to scan is empty (like Maven) (issue #35).

Bug fixes:

  • Fix bug that deprecated signatures of Java 8 fail to load on Java 9 (issue #41).

Backwards compatibility:

  • Remove deprecated Mojo of version 1.0 (issue #33).
  • Rename some CLI options to be consistent with others (issue #42).

Version 1.6.1 (released 2014-08-05)

Bug fixes:

  • Fix wrong plugin descriptor in Maven artifact. No code change, just new binary artifact.

Version 1.6 (released 2014-08-04)

New features:

  • Option to skip the execution of the plugin (pass mvn -Dforbiddenapis.skip=true) (issue #29).
  • Maven plugin should log warning if target version is not set (issue #28).

Other changes:

  • Upgrade ASM to bugfix release 5.0.3.

Version 1.5.1 (released 2014-04-17)

Bug fixes:

  • Fix regression caused by issue #8 with non-runtime visible annotations (e.g. java.lang.Synthetic) which are not in classpath (issue #27). This hotfix disables detection of class-file only annotations. Annotations that need to be detected must have RetentionPolicy.RUNTIME to be visible to forbidden-apis.
  • Improve logging when no line numbers are available.

Version 1.5 (released 2014-04-16)

New features:

  • Make it possible to ban annotations (issue #8).

Bug fixes:

  • Upgrade ASM to bugfix release 5.0.1.
  • Forbidden class use does not work in field declarations and method declarations (issue #25).
  • Fix lookup of class references in checkType() / checkDescriptor() to also inspect superclasses and interfaces (issue #26).

Version 1.4.1 (released 2014-03-19)

New features:

  • Upgrade to ASM 5.0 (issue #24).
  • Full support for Java 8: Update deprecated signatures with final version of JDK 1.8.0; recompile and verify test classes.

Bug fixes:

  • Add some missing unsafe signatures (issue #22).

Version 1.4 (released 2013-11-21)

New features:

  • Upgrade to ASM 5.0 BETA (issue #18).
  • Add Java 8 deprecated + unsafe signatures (issue #16).
  • Detect references to invokeDynamic using method handles to forbidden methods (issue #11).
  • Skip execution for Maven projects with packaging "pom" (Maven only, issue #10).
  • Add an option to ignore unresolvable signatures (Maven only, issue #14).
  • Enhance the target parameter to also support testTarget like maven-compiler-plugin (Maven only, issue #15).

Bug fixes:

  • Fix missing methods in commons-io (issue #9).

Optimizations:

Version 1.3 (released 2013-04-28)

New features:

  • Preliminary support for Java 8 (issue #7, tested with preview build 86 of the Oracle Java 8 JDK): The tool can now read Java 8 class files and detects usage of forbidden APIs in default interface methods and closures. It does not yet ship with signature files for Java 8, as the API is not yet official.

Optimizations:

  • Reduced binary JAR size by using non-debug ASM version.

Version 1.2 (released 2013-02-16)

New features:

  • Validating test classes is now supported by the Maven Mojo. The goals were renamed to "check" and "testCheck" (issue #4).

Bug fixes:

  • fixed issue #5 (Apple-provided JDK 1.6 on MacOSX was detected as "unsupported"). The algorithm to get the bootclasspath was improved to support those JDK versions.

Version 1.1 (released 2013-02-11)

New features:

  • added a Command Line Interface (CLI, issue #3).

Bug fixes:

  • fixed issue #1 (the bundled signature jdk-system-out was not working in Maven).
  • fixed issue #2 (the Ant task was incorrectly failing to execute on empty task tag <forbiddenapis internalRuntimeForbidden="true" dir="..."/>, although the checks for internal api calls are enabled).

Version 1.0 (released 2013-02-04)

Initial release, including support for Apache Ant, Apache Maven.

Clone this wiki locally