Do not disable the security manager on Java 17 VMs and newer as it is…

… deprecated for removal.

This fixes spotbugs#1579. If needed, disabling the security manager can still be requested on Java 17
and newer by setting the 'edu.umd.cs.findbugs.securityManagerDisabled' property to 'false'.
Using this property also allows to disable this functionality on older VMs.

CHANGELOG.md

@@ -5,6 +5,8 @@ This is the changelog for SpotBugs. This follows [Keep a Changelog v1.0.0](http:
 Currently the versioning policy of this project follows [Semantic Versioning v2.0.0](http://semver.org/spec/v2.0.0.html).
 
 ## Unreleased - 2022-??-??
+### Fixed
+- Avoid warning on use of security manager on Java 17 and newer. ([#1579](https://github.com/spotbugs/spotbugs/issues/1579))
 
 ## 4.7.1 - 2022-06-26
 ### Fixed

spotbugs/src/main/java/edu/umd/cs/findbugs/PluginLoader.java

@@ -58,6 +58,7 @@
 import javax.annotation.Nullable;
 import javax.annotation.WillClose;
 
+import edu.umd.cs.findbugs.util.SecurityManagerHandler;
 import org.dom4j.Document;
 import org.dom4j.DocumentException;
 import org.dom4j.Element;
@@ -1472,7 +1473,7 @@ static synchronized void loadInitialPlugins() {
             // Thread.currentThread().getContextClassLoader().getResource("my.java.policy");
             // Policy.getPolicy().refresh();
             try {
-                System.setSecurityManager(null);
+                SecurityManagerHandler.disableSecurityManager();
             } catch (Throwable e) {
                 assert true; // keep going
             }

spotbugs/src/main/java/edu/umd/cs/findbugs/util/SecurityManagerHandler.java

@@ -0,0 +1,59 @@
+package edu.umd.cs.findbugs.util;
+
+/**
+ * Since Java 17, the security manager is deprecated for removal and invoking related methods
+ * causes a warning to be printed to the console. This intermediate disables use security
+ * manager-related APIs on Java 17 or later, unless using the security manager is explicitly
+ * configured by setting the <i>edu.umd.cs.findbugs.securityManagerDisabled</i> property.
+ */
+public class SecurityManagerHandler {
+
+    /**
+     * Determines if the security manager is used by SpotBugs.
+     */
+    public static boolean SECURITY_MANAGER_DISABLED;
+
+    static {
+        boolean securityManagerDisabled;
+        try {
+            String property = System.getProperty("edu.umd.cs.findbugs.securityManagerDisabled");
+            if (property != null) {
+                securityManagerDisabled = Boolean.parseBoolean(property);
+            } else {
+                String version = System.getProperty("java.version");
+                if (version.startsWith("1.")) {
+                    version = version.substring(2, 3);
+                } else {
+                    int index = version.indexOf(".");
+                    if (index != -1) {
+                        version = version.substring(0, index);
+                    }
+                }
+                securityManagerDisabled = Integer.parseInt(version) > 16;
+            }
+        } catch (Throwable ignored) {
+            securityManagerDisabled = false;
+        }
+        SECURITY_MANAGER_DISABLED = securityManagerDisabled;
+    }
+
+    /**
+     * Disables the security manager by setting {@link System#setSecurityManager(SecurityManager)}
+     * to {@code null}.
+     */
+    public static void disableSecurityManager() {
+        if (SECURITY_MANAGER_DISABLED) {
+            return;
+        }
+        doDisableSecurityManager();
+    }
+
+    /**
+     * This method is a safeguard for running this library on a JVM that might no longer include
+     * the security manager API after removal. As the JVM verifies methods lazily, and since this
+     * method will never be invoked, validation of this method with a missing type can never fail.
+     */
+    private static void doDisableSecurityManager() {
+        System.setSecurityManager(null);
+    }
+}