Upgrade to FindBugs 3.0.1 and add some findbugs-excludes

Update to forbiddenapi-checker 2.1, use the newly provided rule-sets and remove things that were applied upstream git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1745366 13f79535-47bb-0310-9956-ffa450edef68
2016-05-24 14:17:52 +00:00 · 2016-05-24 14:17:52 +00:00 · a7df6604a4
parent 6c976b6700
commit a7df6604a4
3 changed files with 74 additions and 14 deletions
--- a/build.xml
+++ b/build.xml
@ -200,8 +200,8 @@ under the License.
    <!-- license and api checks -->
    <property name="rat.jar" location="${main.lib}/apache-rat-0.11.jar"/>
    <property name="rat.url" value="${repository.m2}/maven2/org/apache/rat/apache-rat/0.11/apache-rat-0.11.jar"/>
-    <property name="forbidden.jar" location="${main.lib}/forbiddenapis-2.0.jar"/>
-    <property name="forbidden.url" value="${repository.m2}/maven2/de/thetaphi/forbiddenapis/2.0/forbiddenapis-2.0.jar"/>
+    <property name="forbidden.jar" location="${main.lib}/forbiddenapis-2.1.jar"/>
+    <property name="forbidden.url" value="${repository.m2}/maven2/de/thetaphi/forbiddenapis/2.1/forbiddenapis-2.1.jar"/>

    <!-- See http://www.ecma-international.org/publications/standards/Ecma-376.htm -->
    <!-- "Copy these file(s), free of charge" -->
@ -528,6 +528,7 @@ under the License.
                <include name="junit-4.11*"/>
                <include name="findbugs-*-2.0.3*"/>
                <include name="forbiddenapis-1.*.jar"/>
+                <include name="forbiddenapis-2.0.jar"/>
            </fileset>
            <fileset dir="${ooxml.lib}">
                <!-- remove jars from previous versions, but not the current version -->
@ -2017,12 +2018,15 @@ under the License.

        <!-- first check rules that apply to all the source code -->
        <forbiddenapis
-                 internalRuntimeForbidden="true"
                 classpathref="forbiddenapis.classpath"
                 suppressAnnotation="org.apache.poi.util.SuppressForbidden"
+                 targetVersion="${jdk.version.source}"
            >
-            <bundledsignatures name="jdk-unsafe-${jdk.version.source}"/>
-            <bundledsignatures name="jdk-deprecated-${jdk.version.source}"/>
+            <bundledsignatures name="jdk-unsafe"/>
+            <bundledsignatures name="jdk-deprecated"/>
+            <bundledsignatures name="jdk-internal"/>
+            <bundledsignatures name="jdk-non-portable"/>
+            <bundledsignatures name="jdk-reflection"/>
            <!--
            <bundledsignatures name="jdk-system-out"/>
            -->
@ -2046,9 +2050,9 @@ under the License.

        <!-- then check some advanced rules which we only apply to the core code and not tests or examples -->
        <forbiddenapis
-                 internalRuntimeForbidden="true"
                 classpathref="forbiddenapis.classpath"
                 suppressAnnotation="org.apache.poi.util.SuppressForbidden"
+                 targetVersion="${jdk.version.source}"
            >
            <signaturesFileset file="src/resources/devtools/forbidden-signatures-prod.txt"/>
            <!-- sources -->
@ -2062,14 +2066,14 @@ under the License.
    <target name="findbugs">
        <!-- NOTE: we did not update to 3.x yet because it requires Java 7, but we are still supporting Java 6 currently! -->
        <downloadfile
-            src="http://prdownloads.sourceforge.net/findbugs/findbugs-noUpdateChecks-2.0.3.zip?download"
-            dest="${main.lib}/findbugs-noUpdateChecks-2.0.3.zip"/>
+            src="http://prdownloads.sourceforge.net/findbugs/findbugs-noUpdateChecks-3.0.1.zip?download"
+            dest="${main.lib}/findbugs-noUpdateChecks-3.0.1.zip"/>

        <property name="findbugs.home" value="build/findbugs" />
-        <unzip src="${main.lib}/findbugs-noUpdateChecks-2.0.3.zip"
+        <unzip src="${main.lib}/findbugs-noUpdateChecks-3.0.1.zip"
               dest="${findbugs.home}/lib">
            <patternset>
-                <include name="findbugs-2.0.3/lib/**"/>
+                <include name="findbugs-3.0.1/lib/**"/>
            </patternset>
            <mapper type="flatten"/>
        </unzip>
--- a/src/resources/devtools/findbugs-filters.xml
+++ b/src/resources/devtools/findbugs-filters.xml
@ -26,4 +26,64 @@
 		<Class name="org.apache.poi.hssf.usermodel.DummyGraphics2d"/>
 		<Bug code="FI" />
 	</Match>
+
+	<!-- things that were moved or are named equally on purpose -->
+	<Match>
+		<Class name="org.apache.poi.hssf.extractor.ExcelExtractor"/>
+		<Bug code="Nm" />
+	</Match>
+	<Match>
+		<Class name="org.apache.poi.hssf.record.RecordFormatException"/>
+		<Bug code="Nm" />
+	</Match>
+	<Match>
+		<Class name="org.apache.poi.hssf.record.UnicodeString"/>
+		<Bug code="Nm" />
+	</Match>
+	<Match>
+		<Class name="org.apache.poi.hssf.usermodel.HeaderFooter"/>
+		<Bug code="Nm" />
+	</Match>
+	<Match>
+		<Class name="org.apache.poi.hssf.util.AreaReference"/>
+		<Bug code="Nm" />
+	</Match>
+	<Match>
+		<Class name="org.apache.poi.hssf.util.CellRangeAddress"/>
+		<Bug code="Nm" />
+	</Match>
+	<Match>
+		<Class name="org.apache.poi.hssf.util.CellRangeAddressList"/>
+		<Bug code="Nm" />
+	</Match>
+	<Match>
+		<Class name="org.apache.poi.hssf.util.CellReference"/>
+		<Bug code="Nm" />
+	</Match>
+	<Match>
+		<Class name="org.apache.poi.hssf.util.Region"/>
+		<Bug code="Nm" />
+	</Match>
+	<Match>
+		<Class name="org.apache.poi.hwpf.usermodel.CharacterRun"/>
+		<Bug code="Nm" />
+	</Match>
+	<Match>
+		<Class name="org.apache.poi.sl.usermodel.Hyperlink"/>
+		<Bug code="Nm" />
+	</Match>
+	<Match>
+		<Class name="org.apache.poi.ss.usermodel.Hyperlink"/>
+		<Bug code="Nm" />
+	</Match>
+	<Match>
+		<Class name="org.apache.poi.xssf.model.IndexedUDFFinder"/>
+		<Bug code="Nm" />
+	</Match>
+
+	<!-- named this way on purpose -->
+	<Match>
+		<Class name="org.apache.poi.xdgf.exceptions.XDGFException"/>
+		<Bug code="Nm" />
+	</Match>
 </FindBugsFilter>
--- a/src/resources/devtools/forbidden-signatures.txt
+++ b/src/resources/devtools/forbidden-signatures.txt
@ -26,10 +26,6 @@ java.util.Locale#setDefault(java.util.Locale) @ Do not use methods that depend o
 java.util.TimeZone#getDefault() @ Do not use methods that depend on the current Local, either use Locale.ROOT or let the user define the local, see class LocaleUtil for details
 java.util.Date#toString() @ Do not use methods that depend on the current Local, either use Locale.ROOT or let the user define the local, see class LocaleUtil for details

-# Disallow reflection on private object fields/methods
-java.lang.reflect.AccessibleObject#setAccessible(java.lang.reflect.AccessibleObject[], boolean) @ Reflection usage fails with SecurityManagers and likely will not work any more in Java 9
-java.lang.reflect.AccessibleObject#setAccessible(boolean) @ Reflection usage fails with SecurityManagers and likely will not work any more in Java 9
-
 java.text.DecimalFormatSymbols#<init>() @ use DecimalFormatSymbols.getInstance()
 java.text.DecimalFormatSymbols#<init>(java.util.Locale) @ use DecimalFormatSymbols.getInstance()