Fix report output to truncate existing files (#1951)
* Fix report output to truncate existing files

* Undo bad conflict resolution

Co-authored-by: Steve Davis <sdavis@revolutionehr.com>
Co-authored-by: Kengo TODA <skypencil@gmail.com>
3 people committed May 4, 2022
1 parent beec2f5 commit 23f37b9
Showing 3 changed files with 16 additions and 3 deletions.
3 changes: 1 addition & 2 deletions CHANGELOG.md
Expand Up @@ -9,6 +9,7 @@ Currently the versioning policy of this project follows [Semantic Versioning v2.
- Updated documentation by adding parenthesis `()` to the negative odd check message ([#1995](https://github.com/spotbugs/spotbugs/issues/1995))

### Fixed
- Fixed reports to truncate existing files before writing new content ([#1950](https://github.com/spotbugs/spotbugs/issues/1950))
- Bumped Saxon-HE from 10.6 to 11.3 ([#1955](https://github.com/spotbugs/spotbugs/pull/1955), [#1999](https://github.com/spotbugs/spotbugs/pull/1999))
- Fixed traversal of nested archives governed by `-nested:true` ([#1930](https://github.com/spotbugs/spotbugs/pull/1930))
- Warnings of deprecated System::setSecurityManager calls on Java 17 ([#1983](https://github.com/spotbugs/spotbugs/pull/1983))
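
Review bot: The new `### Fixed` entry links only issue #1950, while the neighbouring entries in the same list link the pull request that made the change (#1955, #1930, #1983). Consider adding the pull request link (#1951 in the commit title) next to the issue link so the entry can be traced to the change itself.
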
Expand All @@ -22,8 +23,6 @@ Currently the versioning policy of this project follows [Semantic Versioning v2.
* `THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION` is reported when a method has Exception in its throws clause and
* `THROWS_METHOD_THROWS_CLAUSE_THROWABLE` is reported when a method has Throwable in its throws clause (See [SEI CERT ERR07-J](https://wiki.sei.cmu.edu/confluence/display/java/ERR07-J.+Do+not+throw+RuntimeException%2C+Exception%2C+or+Throwable))
* New rule `PERM_SUPER_NOT_CALLED_IN_GETPERMISSIONS` to warn for custom class loaders who do not call their superclasses' `getPermissions()` in their `getPermissions()` method. This rule based on the SEI CERT rule *SEC07-J Call the superclass's getPermissions() method when writing a custom class loader*. ([#SEC07-J](https://wiki.sei.cmu.edu/confluence/display/java/SEC07-J.+Call+the+superclass%27s+getPermissions%28%29+method+when+writing+a+custom+class+loader))

### Added
* New rule `USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE` to detect cases where a non-final method of a non-final class is called from public methods of public classes and then the same method is called on the same object inside a doPrivileged block. Since the called method may have been overridden to behave differently on the first and second invocations this is a possible security check based on an unreliable source. This rule is based on *SEC02-J. Do not base security checks on untrusted sources*. ([#SEC02-J](https://wiki.sei.cmu.edu/confluence/display/java/SEC02-J.+Do+not+base+security+checks+on+untrusted+sources))

## 4.6.0 - 2022-03-08
Expand Up @@ -36,6 +36,19 @@ public void handleOutputFilePathUsesGzip() throws IOException {
assertThat("GZip file should have -117 as its header", written[1], is((byte) -117));
}

@Test
public void handleOutputFileTruncatesExisting() throws IOException {
Path file = Files.createTempFile("spotbugs", ".html");
Files.writeString(file, "content");
TextUICommandLine commandLine = new TextUICommandLine();
SortingBugReporter reporter = new SortingBugReporter();
commandLine.handleOutputFilePath(reporter, "withMessages=" + file.toFile().getAbsolutePath());

reporter.finish();
byte[] written = Files.readAllBytes(file);
assertThat("Output file should be truncated to 0 bytes", written.length, is(0));
}

@Test
public void htmlReportWithOption() throws IOException {
Path xmlFile = Files.createTempFile("spotbugs", ".xml");
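
Review bot: The assertion in `handleOutputFileTruncatesExisting` that `written.length` is 0 holds only because nothing is reported before `reporter.finish()`, so the test ties truncation to this reporter emitting no bytes at all for an empty run. A sturdier check is to seed the file with content longer than the expected output and assert that the seeded string no longer appears, which keeps passing if the reporter later starts writing a header. The test also covers only the plain-file branch; a second case with a `.gz` path would cover the branch that `handleOutputFilePathUsesGzip` exercises, where stale bytes left after the new gzip stream are the failure mode. The file from `Files.createTempFile` is not deleted in the lines shown.
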
Expand Up @@ -278,7 +278,8 @@ public boolean justPrintVersion() {
if (index >= 0) {
Path path = Paths.get(optionExtraPart.substring(index + 1));
try {
OutputStream oStream = Files.newOutputStream(path, StandardOpenOption.CREATE, StandardOpenOption.WRITE);
OutputStream oStream = Files.newOutputStream(path, StandardOpenOption.CREATE, StandardOpenOption.WRITE,
StandardOpenOption.TRUNCATE_EXISTING);
if ("gz".equals(Util.getFileExtension(path.toFile()))) {
oStream = new GZIPOutputStream(oStream);
}
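
Review bot: `StandardOpenOption.CREATE`, `WRITE` and `TRUNCATE_EXISTING` together are exactly what `Files.newOutputStream(path)` applies when it is called with no options, so the call can be reduced to the one-argument form, which is shorter and cannot omit a flag. Two further points on the same lines: truncation happens when the stream is opened, so the previous report is gone before any new content is written and a failed run leaves an empty file; and if `new GZIPOutputStream(oStream)` throws, the stream opened just above is not closed anywhere in the lines shown.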