Merge branch 'master' into PermissionsSuper

.gitattributes

@@ -1,3 +1,7 @@
 gradlew linguist-generated=true
 gradlew.bat linguist-generated=true
-* text eol=lf
+* text=auto eol=lf
+
+*.jar binary
+*.png binary
+*.xsl binary

.github/CONTRIBUTING.md

@@ -14,3 +14,8 @@ Just three steps to follow:
 ## Before you propose new rules
 
 Please consider to follow the same points with ***Before reporting problem in detectors***.
+
+## Before you submit a pull request
+
+1. Run `./gradlew spotlessApply build smoketest` in your local to verify your change.
+2. Make sure you updated the `CHANGELOG.md` accordingly. Detailed requirements are explained at the beginning of the changelog.

.github/dependabot.yml

@@ -4,3 +4,7 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+  - package-ecosystem: "gradle"
+    directory: "/buildSrc"
+    schedule:
+      interval: "daily"

.github/workflows/build.yml

@@ -18,6 +18,7 @@ jobs:
           java-version: '17'
           distribution: temurin
           cache: gradle
+      - uses: gradle/wrapper-validation-action@v1
       - name: Download Eclipse
         run: |
           wget -nv 'https://www.eclipse.org/downloads/download.php?file=/eclipse/downloads/drops4/R-4.6.3-201703010400/eclipse-SDK-4.6.3-linux-gtk-x86_64.tar.gz&r=1' -O eclipse-SDK-4.6.3-linux-gtk-x86_64.tar.gz
@@ -31,7 +32,7 @@ jobs:
           if [ "$GPG_SECRET_PASSPHRASE" != "" ]; then
             gpg --quiet --batch --yes --decrypt --passphrase="$GPG_SECRET_PASSPHRASE" --output spotbugs.jks .github/workflows/spotbugs.jks.gpg;
           fi
-          ./gradlew spotlessCheck build smoketest ${SONAR_LOGIN:+sonarqube} --no-daemon -Dsonar.login=$SONAR_LOGIN
+          ./gradlew spotlessCheck build smoketest ${SONAR_LOGIN:+sonarqube} --no-daemon -Dsonar.login=$SONAR_LOGIN --scan
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GPG_SECRET_PASSPHRASE: ${{ secrets.GPG_SECRET_PASSPHRASE }}

.github/workflows/release.yml

@@ -17,6 +17,7 @@ jobs:
           java-version: '17'
           distribution: temurin
           cache: gradle
+      - uses: gradle/wrapper-validation-action@v1
       - name: Download Eclipse
         run: |
           wget 'https://www.eclipse.org/downloads/download.php?file=/eclipse/downloads/drops4/R-4.6.3-201703010400/eclipse-SDK-4.6.3-linux-gtk-x86_64.tar.gz&r=1' -O eclipse-SDK-4.6.3-linux-gtk-x86_64.tar.gz

CHANGELOG.md

@@ -5,15 +5,28 @@ This is the changelog for SpotBugs. This follows [Keep a Changelog v1.0.0](http:
 Currently the versioning policy of this project follows [Semantic Versioning v2.0.0](http://semver.org/spec/v2.0.0.html).
 
 ## Unreleased - 2022-??-??
+### Fixed
+- Fixed spotbugs build with ecj compiler ([#1903](https://github.com/spotbugs/spotbugs/issues/1903))
+- Moved tests from spotbugs project to spotbugs-tests project ([#1914](https://github.com/spotbugs/spotbugs/issues/1914))
 
 ### Added
+* New detector `FindInstanceLockOnSharedStaticData` for new bug type `SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA`. This detector reports a bug if an instance level lock is used to modify a shared static data. (See [SEI CERT rule LCK06-J](https://wiki.sei.cmu.edu/confluence/display/java/LCK06-J.+Do+not+use+an+instance+lock+to+protect+shared+static+data))
 * New rule `PERM_SUPER_NOT_CALLED_IN_GETPERMISSIONS` to warn for custom class loaders who do not call their superclasses' `getPermissions()` in their `getPermissions()` method. This rule based on the SEI CERT rule *SEC07-J Call the superclass's getPermissions() method when writing a custom class loader*. ([#SEC07-J](https://wiki.sei.cmu.edu/confluence/display/java/SEC07-J.+Call+the+superclass%27s+getPermissions%28%29+method+when+writing+a+custom+class+loader))
 
+## 4.5.3 - 2022-01-04
+### Security
+- Bumped log4j from 2.16.0 to 2.17.1 to address [CVE-2021-45105](https://nvd.nist.gov/vuln/detail/CVE-2021-45105) and [CVE-2021-44832](https://nvd.nist.gov/vuln/detail/CVE-2021-44832) ([#1885](https://github.com/spotbugs/spotbugs/pull/1885), [#1897](https://github.com/spotbugs/spotbugs/pull/1897))
+
+### Fixed
+- Remove duplicated logging frameworks from the Eclipse plugin distribution ([#1868](https://github.com/spotbugs/spotbugs/issues/1868))
+- Corrected class name validation to no longer fail for Kotlin classes on class path containing special characters. ([#1883](https://github.com/spotbugs/spotbugs/issues/1883))
+
 ## 4.5.2 - 2021-12-13
 ### Security
 - Bumped log4j from 2.14.1 to 2.16.0 to address CVE-2021-44228
 
 ### Fixed
+- False negative about the rule RV_DONT_JUST_NULL_CHECK_READLINE ([#1821](https://github.com/spotbugs/spotbugs/issues/1821)[#1820](https://github.com/spotbugs/spotbugs/issues/1820)[#1819](https://github.com/spotbugs/spotbugs/issues/1819)[#1818](https://github.com/spotbugs/spotbugs/issues/1818))
 - Updated RV_01_TO_INT to handle float and long checks ([#1518](https://github.com/spotbugs/spotbugs/issues/1518))
 
 ## 4.5.1 - 2021-12-08

GOVERNANCE.md

@@ -0,0 +1,29 @@
+# Governance Policy
+
+This document provides the governance policy for the SpotBugs Project.
+
+## SpotBugs Core Team
+
+The SpotBugs Core Team maintains the spotbugs/spotbugs GitHub repository.
+
+The GitHub team for SpotBugs Team is `@spotbugs/core-devs`. Members of the SpotBugs Core Team have write access to the repository.
+
+## How we propose changes
+
+Both SpotBugs Core Team and SpotBugs user can propose changes to the SpotBugs project via GitHub pull requests. Refer to `.github/CONTRIBUTING.md` to know more detailed requirements for your proposal.
+
+Once a pull request gets two approvals from members of SpotBugs Core Team, pull request can be merged and shipped in the next release.
+
+If pull request cannot get enough approvals during 30 days, it can be labeled as stale pull request. Stale pull requests can be closed after another 30 days.
+
+## Issue Management Policy
+
+Both SpotBugs Core Team and SpotBugs users can create issues at GitHub Issues. Refer to `.github/CONTRIBUTING.md` to get more detailed requirements for your proposal.
+
+If issue is not updated for 30 days from when it was labeled as 'need info', SpotBugs Core Team can close it.
+
+## Nomination to the SpotBugs Core Team
+
+Members of SpotBugs Core Team can nominate new members. The nomination process is held at [GitHub Team Discussions](https://docs.github.com/en/organizations/collaborating-with-your-team/about-team-discussions).
+
+We set no clear condition for nomination, but usually nominate from active contributors.

README.md

@@ -33,4 +33,4 @@ SpotBugs can be used standalone and through several integrations, including:
 * [IntelliJ IDEA](https://github.com/JetBrains/spotbugs-intellij-plugin)
 
 # Questions?
-You can contact us using [our general purpose mailing list](https://github.com/spotbugs/discuss/issues?q=).
+You can contact us using [GitHub Discussions](https://github.com/spotbugs/spotbugs/discussions).

build.gradle

@@ -1,18 +1,19 @@
 plugins {
   id "org.sonarqube" version "3.3"
-  id "com.diffplug.spotless" version "5.17.1"
+  id "com.diffplug.spotless" version "6.2.0"
   id "org.gradle.crypto.checksum" version "1.2.0"
-  id "com.github.spotbugs" version "5.0.2"
+  id "com.github.spotbugs" version "5.0.5"
   id "io.github.gradle-nexus.publish-plugin" version "1.1.0"
 }
 
 group = 'com.github.spotbugs'
-version = '4.5.3-SNAPSHOT'
+version = '4.5.4-SNAPSHOT'
 
 apply from: "$rootDir/gradle/java.gradle"
 apply from: "$rootDir/gradle/jacoco.gradle"
 
 subprojects {
+  apply plugin: "constraints"
   apply from: "$rootDir/gradle/java.gradle"
   apply from: "$rootDir/gradle/eclipse.gradle"
   apply from: "$rootDir/gradle/idea.gradle"

buildSrc/build.gradle.kts

@@ -0,0 +1,10 @@
+plugins {
+    `kotlin-dsl`
+}
+
+repositories {
+    gradlePluginPortal()
+}
+dependencies {
+    implementation("com.diffplug.gradle:goomph:3.34.1")
+}

buildSrc/src/main/kotlin/constraints.gradle.kts

@@ -0,0 +1,22 @@
+plugins {
+    `java-library`
+}
+
+dependencies {
+    constraints {
+        implementation("org.apache.logging.log4j:log4j-core") {
+            version {
+                strictly("[2.17.1, 3[")
+                prefer("2.17.1")
+            }
+            because("CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832: Log4j vulnerable to remote code execution and other critical security vulnerabilities")
+        }
+        implementation("ch.qos.logback:logback-core") {
+            version {
+                strictly("[1.2.9, 2[")
+                prefer("1.2.10")
+            }
+            because("CVE-2021-42550: Logback vulnerable to remote code execution vulnerabilities")
+        }
+    }
+}

buildSrc/src/main/kotlin/eclipse-convention.gradle.kts

@@ -0,0 +1,46 @@
+plugins {
+  id ("com.diffplug.eclipse.mavencentral")
+}
+
+val pdeTool by configurations.creating {
+  setTransitive(false)
+}
+
+eclipseMavenCentral {
+  release("4.12.0") {
+    compileOnly("org.eclipse.ant.core")
+    compileOnly("org.eclipse.core.resources")
+    compileOnly("org.eclipse.core.runtime")
+    compileOnly("org.eclipse.jdt.core")
+    compileOnly("org.eclipse.jdt.ui")
+    compileOnly("org.eclipse.jface")
+    compileOnly("org.eclipse.pde")
+    compileOnly("org.eclipse.ui.workbench")
+    testImplementation("org.eclipse.core.runtime")
+
+    dep("pdeTool", "org.eclipse.pde.build")
+
+    // TODO these packages are not listed in the manifest
+    compileOnly("org.eclipse.pde.ui")
+    compileOnly("org.eclipse.swt")
+
+    // necessary to build with the org.eclipse.swt module
+    useNativesForRunningPlatform()
+
+    constrainTransitivesToThisRelease()
+  }
+}
+
+/**
+ * Unzip "org.eclipse.pde.build" package into the outputDir.
+ */
+val unzipPdeTool = tasks.register<Copy>("unzipPdeTool") {
+  from(zipTree(pdeTool.singleFile))
+  into("$buildDir/pdeTool")
+}
+
+dependencies {
+  compileOnly(files("$buildDir/pdeTool/pdebuild.jar"){
+    builtBy(unzipPdeTool)
+  })
+}

docs/conf.py

@@ -17,9 +17,9 @@
 
 html_context = {
   'version' : '4.5',
-  'full_version' : '4.5.2',
-  'maven_plugin_version' : '4.5.0.0',
-  'gradle_plugin_version' : '5.0.0',
+  'full_version' : '4.5.3',
+  'maven_plugin_version' : '4.5.2.0',
+  'gradle_plugin_version' : '5.0.3',
   'archetype_version' : '0.2.4'
 }
 
@@ -53,7 +53,7 @@
 
 # General information about the project.
 project = u'spotbugs'
-copyright = u'2016-2021, spotbugs community'
+copyright = u'2016-2022, spotbugs community'
 
 # The version info for the project you're documenting, acts as replacement for
 # |version| and |release|, also used in various other places throughout the

eclipsePlugin-junit/build.gradle

@@ -1,33 +1,18 @@
+plugins {
+  id "eclipse-convention"
+}
+
 apply from: "$rootDir/gradle/checkstyle.gradle"
 apply from: "$rootDir/gradle/jacoco.gradle"
 
-def localProps = new Properties()
-localProps.load(new FileInputStream("$rootDir/eclipsePlugin/local.properties"))
-
-def eclipseRootDir = file(localProps.getProperty('eclipseRoot.dir'))
-// Eclipse 4.5+ uses a different directory layout under macOS. Try to detect this first.
-def eclipseExecutable = new File(eclipseRootDir, "Contents/MacOS/eclipse")
-def eclipsePluginsDir = new File(eclipseRootDir, "Contents/Eclipse/plugins")
-if (!eclipseExecutable.exists()) {
-  // Fall back to non-macOS directory layout.
-  eclipsePluginsDir = new File(eclipseRootDir, "plugins")
+tasks.named('compileJava', JavaCompile).configure {
+  options.release = 11
 }
 
 dependencies {
   implementation project(':eclipsePlugin')
-  testImplementation 'junit:junit:4.13.1'
-  testImplementation 'org.mockito:mockito-core:4.1.0'
-
-  // List below includes all Eclipse SDK plugins except few causing troubles.
-  // TODO: it should include what is required in the MANIFEST.MF, and nothing else
-  testImplementation fileTree(dir:eclipsePluginsDir, include:'**/*.jar',
-          exclude:[
-                  '**/datanucleus-enhancer*.jar',
-                  'edu.umd.cs.findbugs.**/*.jar',
-                  'org.mockito*.jar',
-                  'com.github.spotbugs.**/*.jar',
-                  '**/*source_*.jar'
-          ])
+  testImplementation 'junit:junit:4.13.2'
+  testImplementation 'org.mockito:mockito-core:4.2.0'
 }
 
 tasks.named('jacocoTestReport', JacocoReport).configure {

eclipsePlugin-test/build.gradle

@@ -1,15 +1,10 @@
+plugins {
+  id "eclipse-convention"
+}
 apply from: "$rootDir/gradle/checkstyle.gradle"
 
-def localProps = new Properties()
-localProps.load(new FileInputStream("$rootDir/eclipsePlugin/local.properties"))
-
-def eclipseRootDir = file(localProps.getProperty('eclipseRoot.dir'))
-// Eclipse 4.5+ uses a different directory layout under macOS. Try to detect this first.
-def eclipseExecutable = new File(eclipseRootDir, "Contents/MacOS/eclipse")
-def eclipsePluginsDir = new File(eclipseRootDir, "Contents/Eclipse/plugins")
-if (!eclipseExecutable.exists()) {
-  // Fall back to non-macOS directory layout.
-  eclipsePluginsDir = new File(eclipseRootDir, "plugins")
+tasks.named('compileJava', JavaCompile).configure {
+  options.release = 11
 }
 
 sourceSets {
@@ -29,16 +24,6 @@ dependencies {
   implementation(project(':eclipsePlugin')) {
     transitive = true
   }
-  // List below includes all Eclipse SDK plugins except few causing troubles.
-  // TODO: it should include what is required in the MANIFEST.MF, and nothing else
-  compileOnly fileTree(dir:eclipsePluginsDir, include:'**/*.jar',
-          exclude:[
-                  '**/datanucleus-enhancer*.jar',
-                  'edu.umd.cs.findbugs.**/*.jar',
-                  'org.mockito*.jar',
-                  'com.github.spotbugs.**/*.jar',
-                  '**/*source_*.jar'
-          ])
 
   implementation project(':test-harness')
   implementation 'org.hamcrest:hamcrest-all:1.3'