-
Notifications
You must be signed in to change notification settings - Fork 34
Changes
This page lists all changes since the first released version.
New features / bug fixes:
- Add support for signature polymorphic methods, like
MethodHandle.invoke()
(issue #105, pull #106), thanks to Robert. - Add signatures for
commons-io-unsafe-2.5
(issue #102). - Add some missing methods to
commons-io-unsafe
signatures after another review (pull #104). - Add new setting to disable the classloading cache. This is a workarounds for build systems that change JAR files,
but don't close their classloaders, leading to
FileNotFoundException
when trying to load class files from the changed JAR file. This affects especially the Gradle Daemon (issue #75, pull #76).
New features:
- Add targetVersion support to Ant task (issue #101).
- Add initial support for new Java 9 class file format (pull #97).
- On Java 9 Jigsaw, don't use ASM to analyze system classes. This change makes it more unlikely that the tool will exit with "Bundled version of ASM cannot parse bytecode of java.lang.Object class; marking runtime as not suppported" on Java 9+ (commit).
- Deprecate
internalRuntimeForbidden
attribute and add a new bundles signaturesjdk-non-portable
to and make heuristics reliable (pull #95, issue #54). - Add new bundled signatures
jdk-internal
for disallowing internal runtime APIs (issue #91, pull #95). - Add unsafe signatures for ResourceBundle (issue #89), thanks to Trejkaz.
- Add a bundle
jdk-reflection
that contains methods that bypass Java security (pull #86), thanks to Dominik Stadler. - Add support for new Java version style "6.0" instead of "1.6" (pull #81).
Bug fixes:
- Fix method checks to also look into superclasses if method was overridden (issue #100).
- Fix class loading order bugs (issue #91).
- Allow referencing non-jarred artefacts (pull #87), thanks to Dawid Weiss.
- Hide warnings about missing classes/methods/fields in deprecated signatures (pull #84)
Internals:
- Update to ASM 5.1
This is the major 2.0 release of the forbidden-apis plugin. The main new
feature is native support for the Gradle build system (minimum requirement is Gradle 2.3).
But also Apache Ant and Apache Maven build systems got improved support: Ant can now load signatures from
arbitrary resources by using a new XML element <signatures></signatures>
that may contain
any valid ANT resource, e.g., ivy's cache-filesets or plain URLs. Apache Maven now supports
to load signatures files as artifacts from your repository or Maven Central (new signaturesArtifacts
Mojo property).
Breaking changes:
- Update to Java 6 as minimum requirement (pull #71).
- Switch default Maven lifecycle phase to
verify
(pull #72).
New features:
- Add support for Gradle (issue #68, pull #70, pull #73, thanks to Ryan Ernst & Chris Earle for help and suggestions).
- Allow Maven artifacts to be loaded as signatures (issue #13, pull #79).
- Allow arbitrary Ant resources to be loaded as signatures (pull #78).
- Add
failOnViolation
setting to optionally fail builds (pull #62, thanks to Jochen Schalanda). - Cleanup unsafe JDK signatures for Java 8 (mostly
java.time
API) (issue #19, pull #57). - Support for Java 9 Jigsaw preview builds (pull #74).
Bug fixes:
- Add automatic plugin execution override for M2E. It is no longer needed to add a lifecycle mapping to exclude forbiddenapis to execute inside Eclipse's M2E (issue #60).
Internals:
- Package refactoring of Cli, Ant, Maven (pull #69).
- Refactor loggers and make Checker a final, non abstract class (pull #67).
- Use EnumSet for the checker options (pull #64).
- Add support for signature file URLs (pull #77).
New features:
- Initial Java 9 support (JIGSAW modules, signatures, deprecations) (issue #39, pull #50).
- Add annotation support (
@SuppressForbidden
) to suppress errors for classes/methods/fields. Annotations can be defined in config, also using glob patterns (e.g.,**.MySuppressForbidden
) (issue #34, issue #53). - Forbid
MessageFormat.format(String,Object[])
because it uses default locale (pull #48, thanks to Shalin Shekhar Mangar). - Add support for forbidding java packages using class name globs (e.g.,
sun.misc.**
) (issue #40). - Sort error messages by source code line number. Also show failures in synthetic methods and lambdas where they belong (issue #12).
Bug fixes:
- Forbidden
@java.lang.Deprecated
is not always detected (issue #45). - Re-enable class-only, non-runtime annotation checking (issue #46).
New features:
- Auto-generate HTML documentation for Ant Task, Maven Mojo, and CLI (issue #32, issue #37).
- Add a new documentation ZIP file to release (issue #32, issue #37).
- Add help-mojo (issue #32, issue #37).
- Add support for signaturesFilelist and signaturesFile elements (issue #36).
- Add option to also ignore unresolvable signatures in Ant and CLI (issue #42).
- Allow option to only print warning if Ant fileset of classes to scan is empty (like Maven) (issue #35).
Bug fixes:
- Fix bug that deprecated signatures of Java 8 fail to load on Java 9 (issue #41).
Backwards compatibility:
- Remove deprecated Mojo of version 1.0 (issue #33).
- Rename some CLI options to be consistent with others (issue #42).
Bug fixes:
- Fix wrong plugin descriptor in Maven artifact. No code change, just new binary artifact.
New features:
- Option to skip the execution of the plugin (pass
mvn -Dforbiddenapis.skip=true
) (issue #29). - Maven plugin should log warning if target version is not set (issue #28).
Other changes:
- Upgrade ASM to bugfix release 5.0.3.
Bug fixes:
- Fix regression caused by issue #8 with non-runtime visible annotations (e.g.
java.lang.Synthetic
) which are not in classpath (issue #27). This hotfix disables detection of class-file only annotations. Annotations that need to be detected must haveRetentionPolicy.RUNTIME
to be visible to forbidden-apis. - Improve logging when no line numbers are available.
New features:
- Make it possible to ban annotations (issue #8).
Bug fixes:
- Upgrade ASM to bugfix release 5.0.1.
- Forbidden class use does not work in field declarations and method declarations (issue #25).
- Fix lookup of class references in
checkType()
/checkDescriptor()
to also inspect superclasses and interfaces (issue #26).
New features:
- Upgrade to ASM 5.0 (issue #24).
- Full support for Java 8: Update deprecated signatures with final version of JDK 1.8.0; recompile and verify test classes.
Bug fixes:
- Add some missing unsafe signatures (issue #22).
New features:
- Upgrade to ASM 5.0 BETA (issue #18).
- Add Java 8 deprecated + unsafe signatures (issue #16).
- Detect references to invokeDynamic using method handles to forbidden methods (issue #11).
- Skip execution for Maven projects with packaging "pom" (Maven only, issue #10).
- Add an option to ignore unresolvable signatures (Maven only, issue #14).
- Enhance the target parameter to also support testTarget like maven-compiler-plugin (Maven only, issue #15).
Bug fixes:
- Fix missing methods in commons-io (issue #9).
Optimizations:
- Improve memory usage (issue #20).
New features:
- Preliminary support for Java 8 (issue #7, tested with preview build 86 of the Oracle Java 8 JDK): The tool can now read Java 8 class files and detects usage of forbidden APIs in default interface methods and closures. It does not yet ship with signature files for Java 8, as the API is not yet official.
Optimizations:
- Reduced binary JAR size by using non-debug ASM version.
New features:
- Validating test classes is now supported by the Maven Mojo. The goals were renamed to "check" and "testCheck" (issue #4).
Bug fixes:
- fixed issue #5 (Apple-provided JDK 1.6 on MacOSX was detected as "unsupported"). The algorithm to get the bootclasspath was improved to support those JDK versions.
New features:
- added a Command Line Interface (CLI, issue #3).
Bug fixes:
- fixed issue #1 (the bundled signature
jdk-system-out
was not working in Maven). - fixed issue #2 (the Ant task was incorrectly failing to execute on empty task tag
<forbiddenapis internalRuntimeForbidden="true" dir="..."/>
, although the checks for internal api calls are enabled).
Initial release, including support for Apache Ant, Apache Maven.