From e1ebefc3b1e13fae22ee6df6ef1c1dad9a61e38c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 2 Sep 2022 00:02:21 +0000
Subject: [PATCH 1/2] build(deps): bump com.gradle.enterprise from 3.10.2 to
 3.11.1

Bumps com.gradle.enterprise from 3.10.2 to 3.11.1.

---
updated-dependencies:
- dependency-name: com.gradle.enterprise
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 settings.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/settings.gradle b/settings.gradle
index a9550c618f0..c2cc8482c80 100644
--- a/settings.gradle
+++ b/settings.gradle
@@ -1,5 +1,5 @@
 plugins {
-  id "com.gradle.enterprise" version "3.10.2"
+  id "com.gradle.enterprise" version "3.11.1"
 }
 
 include ':eclipsePlugin'

From 4c0c1b9bded230ceeb2f2eb2bd22b26be8f6cf9f Mon Sep 17 00:00:00 2001
From: Rafael Winterhalter <rafael.wth@gmail.com>
Date: Mon, 5 Sep 2022 02:15:56 +0200
Subject: [PATCH 2/2] Do not disable the security manager on Java 17 VMs and
 newer as it is deprecated for removal. (#2123)

* Do not disable the security manager on Java 17 VMs and newer as it is deprecated for removal.

This fixes #1579. If needed, disabling the security manager can still be requested on Java 17
and newer by setting the 'edu.umd.cs.findbugs.securityManagerDisabled' property to 'false'.
Using this property also allows to disable this functionality on older VMs.

* make the field private and final

Co-authored-by: Kengo TODA <skypencil@gmail.com>
Co-authored-by: Kengo TODA <skypencil+github@gmail.com>
---
 CHANGELOG.md                                  |  1 +
 .../edu/umd/cs/findbugs/PluginLoader.java     |  3 +-
 .../findbugs/util/SecurityManagerHandler.java | 65 +++++++++++++++++++
 3 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 spotbugs/src/main/java/edu/umd/cs/findbugs/util/SecurityManagerHandler.java

diff --git a/CHANGELOG.md b/CHANGELOG.md
index fc2c393a130..23eab9423b5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@ Currently the versioning policy of this project follows [Semantic Versioning v2.
 - Bump up logback to `1.4.0`
 - Bump up log4j2 binding to `2.18.0`
 - Fixed InvalidInputException in Eclipse while bug reporting ([#2134](https://github.com/spotbugs/spotbugs/issues/2134))
+- Avoid warning on use of security manager on Java 17 and newer. ([#1579](https://github.com/spotbugs/spotbugs/issues/1579))
 - Fixed false positives `EI_EXPOSE_REP` thrown in case of fields initialized by the `of` or `copyOf` method of a `List`, `Map` or `Set` ([#1771](https://github.com/spotbugs/spotbugs/issues/1771))
 - Fixed CFGBuilderException thrown when `dup_x2` is used to swap the reference and wide-value (double, long) in the stack ([#2146](https://github.com/spotbugs/spotbugs/pull/2146))
 
diff --git a/spotbugs/src/main/java/edu/umd/cs/findbugs/PluginLoader.java b/spotbugs/src/main/java/edu/umd/cs/findbugs/PluginLoader.java
index c7ccafbe2d5..b539263c387 100644
--- a/spotbugs/src/main/java/edu/umd/cs/findbugs/PluginLoader.java
+++ b/spotbugs/src/main/java/edu/umd/cs/findbugs/PluginLoader.java
@@ -58,6 +58,7 @@
 import javax.annotation.Nullable;
 import javax.annotation.WillClose;
 
+import edu.umd.cs.findbugs.util.SecurityManagerHandler;
 import org.dom4j.Document;
 import org.dom4j.DocumentException;
 import org.dom4j.Element;
@@ -1472,7 +1473,7 @@ static synchronized void loadInitialPlugins() {
             // Thread.currentThread().getContextClassLoader().getResource("my.java.policy");
             // Policy.getPolicy().refresh();
             try {
-                System.setSecurityManager(null);
+                SecurityManagerHandler.disableSecurityManager();
             } catch (Throwable e) {
                 assert true; // keep going
             }
diff --git a/spotbugs/src/main/java/edu/umd/cs/findbugs/util/SecurityManagerHandler.java b/spotbugs/src/main/java/edu/umd/cs/findbugs/util/SecurityManagerHandler.java
new file mode 100644
index 00000000000..0418ba11f3a
--- /dev/null
+++ b/spotbugs/src/main/java/edu/umd/cs/findbugs/util/SecurityManagerHandler.java
@@ -0,0 +1,65 @@
+package edu.umd.cs.findbugs.util;
+
+import org.apache.commons.lang3.JavaVersion;
+import org.apache.commons.lang3.SystemUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Since Java 17, the security manager is deprecated for removal and invoking related methods
+ * causes a warning to be printed to the console. This intermediate disables the use of
+ * security manager-related APIs on Java 17 or later, unless using the security manager is
+ * explicitly configured by setting the <i>edu.umd.cs.findbugs.securityManagerDisabled</i>
+ * property.
+ */
+public class SecurityManagerHandler {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(SecurityManagerHandler.class);
+
+    /**
+     * Determines if the security manager is used by SpotBugs.
+     */
+    private static final boolean SECURITY_MANAGER_DISABLED;
+
+    static {
+        boolean securityManagerDisabled;
+        try {
+            String property = System.getProperty("edu.umd.cs.findbugs.securityManagerDisabled");
+            if (property != null) {
+                securityManagerDisabled = Boolean.parseBoolean(property);
+            } else {
+                securityManagerDisabled = SystemUtils.isJavaVersionAtLeast(JavaVersion.JAVA_17);
+            }
+        } catch (Throwable t) {
+            securityManagerDisabled = false;
+            LOGGER.debug("failed to detect the ability of security manager feature, so treat it as available", t);
+        }
+        SECURITY_MANAGER_DISABLED = securityManagerDisabled;
+    }
+
+    /**
+     * Disables the security manager by setting {@link System#setSecurityManager(SecurityManager)}
+     * to {@code null}.
+     */
+    public static void disableSecurityManager() {
+        if (SECURITY_MANAGER_DISABLED) {
+            return;
+        }
+        doDisableSecurityManager();
+    }
+
+    /**
+     * This method is a safeguard for running this library on a JVM that might no longer include
+     * the security manager API after removal. As the JVM verifies methods lazily, and since this
+     * method will never be invoked, validation of this method with a missing type can never fail.
+     *
+     * As some environments do not support setting the security manager but always return null
+     * when getting it, we check if a security manager is set before disabling it.
+     */
+    private static void doDisableSecurityManager() {
+        SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            System.setSecurityManager(null);
+        }
+    }
+}