From 014c34334a1a50951a22eaf555b53c4909b0f9ad Mon Sep 17 00:00:00 2001 From: Rafael Winterhalter Date: Wed, 27 Jul 2022 09:01:57 +0200 Subject: [PATCH] Do not disable the security manager on Java 17 VMs and newer as it is deprecated for removal. This fixes #1579. --- .../edu/umd/cs/findbugs/PluginLoader.java | 3 +- .../findbugs/util/SecurityManagerHandler.java | 59 +++++++++++++++++++ 2 files changed, 61 insertions(+), 1 deletion(-) create mode 100644 spotbugs/src/main/java/edu/umd/cs/findbugs/util/SecurityManagerHandler.java diff --git a/spotbugs/src/main/java/edu/umd/cs/findbugs/PluginLoader.java b/spotbugs/src/main/java/edu/umd/cs/findbugs/PluginLoader.java index c7ccafbe2d5..b539263c387 100644 --- a/spotbugs/src/main/java/edu/umd/cs/findbugs/PluginLoader.java +++ b/spotbugs/src/main/java/edu/umd/cs/findbugs/PluginLoader.java @@ -58,6 +58,7 @@ import javax.annotation.Nullable; import javax.annotation.WillClose; +import edu.umd.cs.findbugs.util.SecurityManagerHandler; import org.dom4j.Document; import org.dom4j.DocumentException; import org.dom4j.Element; @@ -1472,7 +1473,7 @@ static synchronized void loadInitialPlugins() { // Thread.currentThread().getContextClassLoader().getResource("my.java.policy"); // Policy.getPolicy().refresh(); try { - System.setSecurityManager(null); + SecurityManagerHandler.disableSecurityManager(); } catch (Throwable e) { assert true; // keep going } diff --git a/spotbugs/src/main/java/edu/umd/cs/findbugs/util/SecurityManagerHandler.java b/spotbugs/src/main/java/edu/umd/cs/findbugs/util/SecurityManagerHandler.java new file mode 100644 index 00000000000..c9f536ef205 --- /dev/null +++ b/spotbugs/src/main/java/edu/umd/cs/findbugs/util/SecurityManagerHandler.java @@ -0,0 +1,59 @@ +package edu.umd.cs.findbugs.util; + +/** + * Since Java 17, the security manager is deprecated for removal and invoking related methods + * causes a warning to be printed to the console. This intermediate disables use security + * manager-related APIs on Java 17 or later, unless using the security manager is explicitly + * configured by setting the edu.umd.cs.findbugs.securityManagerDisabled property. + */ +public class SecurityManagerHandler { + + /** + * Determines if the security manager is used by SpotBugs. + */ + public static boolean SECURITY_MANAGER_DISABLED; + + static { + boolean securityManagerDisabled; + try { + String property = System.getProperty("edu.umd.cs.findbugs.securityManagerDisabled"); + if (property != null) { + securityManagerDisabled = Boolean.parseBoolean(property); + } else { + String version = System.getProperty("java.version"); + if (version.startsWith("1.")) { + version = version.substring(2, 3); + } else { + int index = version.indexOf("."); + if (index != -1) { + version = version.substring(0, index); + } + } + securityManagerDisabled = Integer.parseInt(version) > 16; + } + } catch (Throwable ignored) { + securityManagerDisabled = false; + } + SECURITY_MANAGER_DISABLED = securityManagerDisabled; + } + + /** + * Disables the security manager by setting {@link System#setSecurityManager(SecurityManager)} + * to {@code null}. + */ + public static void disableSecurityManager() { + if (SECURITY_MANAGER_DISABLED) { + return; + } + doDisableSecurityManager(); + } + + /** + * This method is a safeguard for running this library on a JVM that might no longer include + * the security manager API after removal. As the JVM verifies methods lazily, and since this + * method will never be invoked, validation of this method with a missing type can never fail. + */ + private static void doDisableSecurityManager() { + System.setSecurityManager(null); + } +}