Do not disable the security manager on Java 17 VMs and newer as it is deprecated for removal. #2123
spotbugs/src/main/java/edu/umd/cs/findbugs/util/SecurityManagerHandler.java
Please merge the latest |
… deprecated for removal. This fixes spotbugs#1579. If needed, disabling the security manager can still be requested on Java 17 and newer by setting the 'edu.umd.cs.findbugs.securityManagerDisabled' property to 'false'. Using this property also allows to disable this functionality on older VMs.
Indeed, pushed the changes, including the rebase.
LGTM, thank you!
Not sure why the build is failing. 🤔 It seems that there is some problem like #2146?
securityManagerDisabled = false; | ||
LOGGER.debug("failed to detect the ability of security manager feature, so treat it as available", t); | ||
} | ||
SECURITY_MANAGER_DISABLED = securityManagerDisabled; |
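Review bot: The fallback on the `LOGGER.debug(...)` line is silent at default log levels: when detection fails, `securityManagerDisabled = false` selects the "treat it as available" path and the only record of that is a debug message. Consider logging this at warn or info level, so that a user who sees the security manager being touched on a newer VM can tell that the detection failed rather than that the property was set.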
SpotBugs reports a potential bug here, please consider making this static field final.
edu.umd.cs.findbugs.util.SecurityManagerHandler.SECURITY_MANAGER_DISABLED isn't final but should be
This static field public but not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability.
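The pattern behind this finding, as an added example that is not SpotBugs' own code: the flag is computed into a local variable and written exactly once to a `public static final` field. The class name, `decide`, `featureVersion` and the "disabled by default on Java 17 and newer" rule are assumptions taken from the PR description; only the property key comes from the page.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

/** Added illustration; every name except the property key is hypothetical. */
public final class SecurityManagerSwitch {
    private static final Logger LOGGER = Logger.getLogger(SecurityManagerSwitch.class.getName());

    /** Property key quoted on this page. */
    static final String PROPERTY = "edu.umd.cs.findbugs.securityManagerDisabled";

    /** Written once in the static initializer; final, so no other class can reassign it. */
    public static final boolean SECURITY_MANAGER_DISABLED;

    static {
        // A local is needed: assigning the final field in both the try and the
        // catch branch is rejected by the compiler as a possible double write.
        boolean disabled;
        try {
            disabled = decide(System.getProperty(PROPERTY),
                    System.getProperty("java.specification.version"));
        } catch (RuntimeException e) {
            // Same fallback as the snippet above: treat the feature as available.
            disabled = false;
            LOGGER.log(Level.FINE, "could not detect security manager support", e);
        }
        SECURITY_MANAGER_DISABLED = disabled;
    }

    /** An explicit property value wins; otherwise disabled on Java 17 and newer (assumed rule). */
    static boolean decide(String propertyValue, String specVersion) {
        if (propertyValue != null) {
            return Boolean.parseBoolean(propertyValue);
        }
        return featureVersion(specVersion) >= 17;
    }

    /** Maps "1.8" to 8 and "11", "17", "21" to themselves. */
    static int featureVersion(String specVersion) {
        String v = specVersion.startsWith("1.") ? specVersion.substring(2) : specVersion;
        return Integer.parseInt(v);
    }

    public static void main(String[] args) {
        System.out.println("no property, Java 8:    " + decide(null, "1.8"));
        System.out.println("no property, Java 17:   " + decide(null, "17"));
        System.out.println("property=false, Java 21: " + decide("false", "21"));
        System.out.println("property=true, Java 11:  " + decide("true", "11"));
    }
}
```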
Since SpotBugs 4.7.3 and spotbugs/spotbugs#2123 it is no longer necessary to set the security manager6
This fixes #1579. If needed, disabling the security manager can still be requested on Java 17 and newer by setting the edu.umd.cs.findbugs.securityManagerDisabled property to false. Using this property also allows to disable this functionality on older VMs.