Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SpotBugs uses the SecurityManager, which is deprecated for removal as Java 17. #1709

Closed
victorwss opened this issue Sep 15, 2021 · 1 comment
Closed

SpotBugs uses the SecurityManager, which is deprecated for removal as Java 17. #1709

victorwss opened this issue Sep 15, 2021 · 1 comment

Comments

@victorwss
Copy link

victorwss commented Sep 15, 2021
edited

I just freshly updated one of my projects to build on JDK 17 and Gradle spitted out this:

WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by edu.umd.cs.findbugs.ba.jsr305.TypeQualifierValue (file:/C:/Gradle/stuff/home/caches/modules-2/files-2.1/com.github.spotbugs/spotbugs/4.4.1/d50cf49af9b5074d5ab3d0f89889d753623f341e/spotbugs-4.4.1.jar)
WARNING: Please consider reporting this to the maintainers of edu.umd.cs.findbugs.ba.jsr305.TypeQualifierValue
WARNING: System::setSecurityManager will be removed in a future release

This happens due to JEP 411: Deprecate the Security Manager for Removal.

The offending code is in the TypeQualifierValue class.

On line 151:

                    // found it.
                    SecurityManager m = System.getSecurityManager();
                    if (m == null) {
                        if (DEBUG_CLASSLOADING) {
                            System.out.println("Setting ValidationSecurityManager");
                        }
                        System.setSecurityManager(ValidationSecurityManager.INSTANCE);
                    }

On line 191:

                SecurityManager m = System.getSecurityManager();
                if (m == null) {
                    if (DEBUG_CLASSLOADING) {
                        System.out.println("Setting ValidationSecurityManager");
                    }
                    System.setSecurityManager(ValidationSecurityManager.INSTANCE);
                }

And of course, the entire ValidationSecurityManager class.

Looking at all of this code, the purpose seems to be to deny permissions to arbitrary checkers while the sandboxedValidation method is running.

However, I don't know which sort of permissions the checkers could be trying to get. Also, I didn't scanned all the source to ensure that there aren't any other SecurityManagers usage lurking around.

  • If this is intended to be a defense against malware hidden in checkers, I think that it is a lame, because if someone is dumb enough to put malware in the classpath/modulepath and running it, it is not SpotBugs's role to enforce security and any decent malware writter would find a way to defeat that anyway.

  • If it is intended to avoid the checkers doing things in the wrong moment, recurse infinitely or anything like that, I think that implementing this via the SecurityManager is not the best way to make it work.

Anyway, we should stop relying on anything about the SecurityManager, even its mere existence.
@victorwss
Copy link
Author

Well, I found out that this is a duplicate of #1579.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@victorwss