From a9b4edba598ec48c137c2eb5347cf789a2963713 Mon Sep 17 00:00:00 2001 From: XDEV Renovate Bot Date: Sat, 25 Oct 2025 04:14:21 +0000 Subject: [PATCH 1/9] Update actions/upload-artifact action to v5 --- .github/workflows/check-build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/check-build.yml b/.github/workflows/check-build.yml index e975764..0e42c29 100644 --- a/.github/workflows/check-build.yml +++ b/.github/workflows/check-build.yml @@ -69,7 +69,7 @@ jobs: fi - name: Upload demo files - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v5 with: name: demo-files-java-${{ matrix.java }} path: ${{ env.DEMO_MAVEN_MODULE }}/target/${{ env.DEMO_MAVEN_MODULE }}.jar @@ -152,7 +152,7 @@ jobs: - name: Upload report if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v5 with: name: pmd-report if-no-files-found: ignore From 0f07ec79fe16525053fc2cb7583fe567b10613e0 Mon Sep 17 00:00:00 2001 From: XDEV Renovate Bot Date: Mon, 27 Oct 2025 04:20:45 +0000 Subject: [PATCH 2/9] Update dependency com.puppycrawl.tools:checkstyle to v12.1.1 --- pom.xml | 2 +- template-placeholder/pom.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 8a108a1..cddae72 100644 --- a/pom.xml +++ b/pom.xml @@ -45,7 +45,7 @@ com.puppycrawl.tools checkstyle - 12.1.0 + 12.1.1 diff --git a/template-placeholder/pom.xml b/template-placeholder/pom.xml index 0bed85e..7203198 100644 --- a/template-placeholder/pom.xml +++ b/template-placeholder/pom.xml @@ -215,7 +215,7 @@ com.puppycrawl.tools checkstyle - 12.1.0 + 12.1.1 From 1ebe4703a7b3f80152545d7704cfffd16297e77e Mon Sep 17 00:00:00 2001 From: AB Date: Wed, 29 Oct 2025 08:38:46 +0100 Subject: [PATCH 3/9] Add `UnnecessaryWarningSuppression` https://pmd.github.io/pmd/pmd_rules_java_bestpractices.html#unnecessarywarningsuppression Detects unused suppressions --- .config/pmd/java/ruleset.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/.config/pmd/java/ruleset.xml b/.config/pmd/java/ruleset.xml index c72b66a..37b4f63 100644 --- a/.config/pmd/java/ruleset.xml +++ b/.config/pmd/java/ruleset.xml @@ -25,6 +25,7 @@ + From 80835757139b9630a43fe1eb0d65b857e333517b Mon Sep 17 00:00:00 2001 From: AB Date: Wed, 29 Oct 2025 13:28:01 +0100 Subject: [PATCH 4/9] Formatting --- .config/pmd/java/ruleset.xml | 179 ++++++++++++++++++----------------- 1 file changed, 91 insertions(+), 88 deletions(-) diff --git a/.config/pmd/java/ruleset.xml b/.config/pmd/java/ruleset.xml index 37b4f63..341cb3a 100644 --- a/.config/pmd/java/ruleset.xml +++ b/.config/pmd/java/ruleset.xml @@ -10,6 +10,9 @@ + + + @@ -208,14 +211,14 @@ message="StringBuilder/StringBuffer should not be used" class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"> - Usually all cases where `StringBuilder` (or the outdated `StringBuffer`) is used are either due to confusing (legacy) logic or may be replaced by a simpler string concatenation. - - Solution: - * Do not use `StringBuffer` because it's thread-safe and usually this is not needed - * If `StringBuilder` is only used in a simple method (like `toString`) and is effectively inlined: Use a simpler string concatenation (`"a" + x + "b"`). This will be optimized by the Java compiler internally. - * In all other cases: - * Check what is happening and if it makes ANY sense! If for example a CSV file is built here consider using a proper library instead! - * Abstract the Strings into a DTO, join them together using a collection (or `StringJoiner`) or use Java's Streaming API instead +Usually all cases where `StringBuilder` (or the outdated `StringBuffer`) is used are either due to confusing (legacy) logic or may be replaced by a simpler string concatenation. + +Solution: +* Do not use `StringBuffer` because it's thread-safe and usually this is not needed +* If `StringBuilder` is only used in a simple method (like `toString`) and is effectively inlined: Use a simpler string concatenation (`"a" + x + "b"`). This will be optimized by the Java compiler internally. +* In all other cases: + * Check what is happening and if it makes ANY sense! If for example a CSV file is built here consider using a proper library instead! + * Abstract the Strings into a DTO, join them together using a collection (or `StringJoiner`) or use Java's Streaming API instead 3 @@ -234,11 +237,11 @@ message="Setters of java.lang.System should not be called unless really needed" class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"> - Calling setters of java.lang.System usually indicates bad design and likely causes unexpected behavior. - For example, it may break when multiple Threads are setting the value. - It may also overwrite user defined options or properties. +Calling setters of java.lang.System usually indicates bad design and likely causes unexpected behavior. +For example, it may break when multiple Threads are setting the value. +It may also overwrite user defined options or properties. - Try to pass the value only to the place where it's really needed and use it there accordingly. +Try to pass the value only to the place where it's really needed and use it there accordingly. 3 @@ -257,10 +260,10 @@ message="Avoid @PostConstruct" class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"> - Using a `@PostConstruct` method is usually only done when field injection is used and initialization needs to be performed after that. +Using a `@PostConstruct` method is usually only done when field injection is used and initialization needs to be performed after that. - It's better to do this directly in the constructor with constructor injection, so that all logic will be encapsulated there. - This also makes using the bean in environments where JavaEE is not present - for example in tests - a lot easier, as forgetting to call the `@PostConstruct` method is no longer possible. +It's better to do this directly in the constructor with constructor injection, so that all logic will be encapsulated there. +This also makes using the bean in environments where JavaEE is not present - for example in tests - a lot easier, as forgetting to call the `@PostConstruct` method is no longer possible. 3 @@ -279,9 +282,9 @@ message="Avoid @PreDestroy" class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"> - `@PreDestroy` should be replaced by implementing `AutoCloseable` and overwriting the `close` method instead. +`@PreDestroy` should be replaced by implementing `AutoCloseable` and overwriting the `close` method instead. - This also makes using the bean in environments where JavaEE is not present - for example in tests - a lot easier, as forgetting to call the `@PreDestroy` method is no much more difficult. +This also makes using the bean in environments where JavaEE is not present - for example in tests - a lot easier, as forgetting to call the `@PreDestroy` method is no much more difficult. 3 @@ -300,10 +303,10 @@ message="Avoid unmanaged threads" class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"> - Trying to manually manage threads usually gets quickly out of control and may result in various problems like uncontrollable spawning of threads. - Threads can also not be cancelled properly. +Trying to manually manage threads usually gets quickly out of control and may result in various problems like uncontrollable spawning of threads. +Threads can also not be cancelled properly. - Use managed Thread services like `ExecutorService` and `CompletableFuture` instead. +Use managed Thread services like `ExecutorService` and `CompletableFuture` instead. 3 @@ -322,10 +325,10 @@ message="ZipEntry name should be sanitized" class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"> - ZipEntry name should be sanitized. - Unsanitized names may contain '..' which can result in path traversal ("ZipSlip"). +ZipEntry name should be sanitized. +Unsanitized names may contain '..' which can result in path traversal ("ZipSlip"). - You can suppress this warning when you properly sanitized the name. +You can suppress this warning when you properly sanitized the name. 4 @@ -344,12 +347,12 @@ message="Using Java Object (De-)Serialization is unsafe and has led to too many security vulnerabilities" class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"> - Nearly every known usage of (Java) Object Deserialization has resulted in [a security vulnerability](https://cloud.google.com/blog/topics/threat-intelligence/hunting-deserialization-exploits?hl=en). - Vulnerabilities are so common that there are [dedicated projects for exploit payload generation](https://github.com/frohoff/ysoserial). +Nearly every known usage of (Java) Object Deserialization has resulted in [a security vulnerability](https://cloud.google.com/blog/topics/threat-intelligence/hunting-deserialization-exploits?hl=en). +Vulnerabilities are so common that there are [dedicated projects for exploit payload generation](https://github.com/frohoff/ysoserial). - Java Object Serialization may also fail to deserialize when the underlying classes are changed. +Java Object Serialization may also fail to deserialize when the underlying classes are changed. - Use proven data interchange formats like JSON instead. +Use proven data interchange formats like JSON instead. 2 @@ -371,8 +374,8 @@ message="Unescaped native HTML is unsafe and will result in XSS vulnerabilities" class="net.sourceforge.pmd.lang.rule.xpath.XPathRule" > - Do not use native HTML! Use Vaadin layouts and components to create required structure. - If you are 100% sure that you escaped the value properly and you have no better options you can suppress this. +Do not use native HTML! Use Vaadin layouts and components to create required structure. +If you are 100% sure that you escaped the value properly and you have no better options you can suppress this. 2 @@ -396,9 +399,9 @@ message="Avoid using DecimalFormat or ChoiceFormat as field since it is thread-unsafe" class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"> - java.text.NumberFormat: DecimalFormat and ChoiceFormat are thread-unsafe. +java.text.NumberFormat: DecimalFormat and ChoiceFormat are thread-unsafe. - Solution: Create a new local one when needed in a method. +Solution: Create a new local one when needed in a method. 1 @@ -428,11 +431,11 @@ public class Foo { message="Detected possible resource expensive implicit regex pattern compilation" class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"> - A regular expression is compiled implicitly on every invocation. - Problem: This can be (CPU) expensive, depending on the length of the regular expression. +A regular expression is compiled implicitly on every invocation. +Problem: This can be (CPU) expensive, depending on the length of the regular expression. - Solution: Compile the regex pattern only once and assign it to a private static final Pattern field. - java.util.Pattern objects are thread-safe, so they can be shared among threads. +Solution: Compile the regex pattern only once and assign it to a private static final Pattern field. +java.util.Pattern objects are thread-safe, so they can be shared among threads. 2 @@ -477,11 +480,11 @@ String good_replaceInnerLineBreakBySpace() { message="Default buffer capacity is used which usually needs expensive expansions" class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"> - The default constructor of ByteArrayOutputStream creates a 32 bytes initial capacity and for StringWriter 16 chars. - Such a small buffer as capacity usually needs several expensive expansions. +The default constructor of ByteArrayOutputStream creates a 32 bytes initial capacity and for StringWriter 16 chars. +Such a small buffer as capacity usually needs several expensive expansions. - Solution: Explicitly declared the buffer size so that an expansion is not needed in most cases. - Typically much larger than 32, e.g. 4096. +Solution: Explicitly declared the buffer size so that an expansion is not needed in most cases. +Typically much larger than 32, e.g. 4096. 2 @@ -517,12 +520,12 @@ class Good { message="Avoid re-streaming enum values to find a value by a field" class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"> - The time to find element is O(n); n = the number of enum values. - This identical processing is executed for every call. - Considered problematic when `n > 3`. +The time to find element is O(n); n = the number of enum values. +This identical processing is executed for every call. +Considered problematic when `n > 3`. - Solution: Use a static field-to-enum-value Map. Access time is O(1), provided the hashCode is well-defined. - Implement a fromString method to provide the reverse conversion by using the map. +Solution: Use a static field-to-enum-value Map. Access time is O(1), provided the hashCode is well-defined. +Implement a fromString method to provide the reverse conversion by using the map. 3 @@ -583,11 +586,11 @@ public enum Fruit { message="Pattern.compile is used in a method. Compiling a regex pattern can be expensive, make it a static final field." class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"> - A regular expression is compiled on every invocation. - Problem: this can be expensive, depending on the length of the regular expression. +A regular expression is compiled on every invocation. +Problem: this can be expensive, depending on the length of the regular expression. - Solution: Usually a pattern is a literal, not dynamic and can be compiled only once. Assign it to a private static field. - java.util.Pattern objects are thread-safe so they can be shared among threads. +Solution: Usually a pattern is a literal, not dynamic and can be compiled only once. Assign it to a private static field. +java.util.Pattern objects are thread-safe so they can be shared among threads. 2 @@ -629,10 +632,10 @@ public static void good() { message="Avoid expensive recreation of DateTimeFormatter" class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"> - Recreating a DateTimeFormatter is relatively expensive. +Recreating a DateTimeFormatter is relatively expensive. - Solution: Java 8+ java.time.DateTimeFormatter is thread-safe and can be shared among threads. - Create the formatter from a pattern only once, to initialize a static final field. +Solution: Java 8+ java.time.DateTimeFormatter is thread-safe and can be shared among threads. +Create the formatter from a pattern only once, to initialize a static final field. 2 @@ -659,11 +662,11 @@ or pmd-java:matchesSig('java.time.format.DateTimeFormatterBuilder#toFormatter(_) message="Avoid expensive recreation of security providers" class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"> - Creating a security provider is expensive because of loading of algorithms and other classes. - Additionally, it uses synchronized which leads to lock contention when used with multiple threads. +Creating a security provider is expensive because of loading of algorithms and other classes. +Additionally, it uses synchronized which leads to lock contention when used with multiple threads. - Solution: This only needs to happen once in the JVM lifetime, because once loaded the provider is typically available from the Security class. - Create the security provider only once: Only in case when it's not yet available from the Security class. +Solution: This only needs to happen once in the JVM lifetime, because once loaded the provider is typically available from the Security class. +Create the security provider only once: Only in case when it's not yet available from the Security class. 2 @@ -710,9 +713,9 @@ class Foo { message="Expensive Reflection is used" class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"> - Reflection is relatively expensive. +Reflection is relatively expensive. - Solution: Avoid reflection. Use the non-reflective, explicit way like generation by IDE. +Solution: Avoid reflection. Use the non-reflective, explicit way like generation by IDE. 2 @@ -753,11 +756,11 @@ class Good { message="SimpleDateFormat is used. Since it is thread-unsafe, it needs expensive recreation." class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"> - java.util.SimpleDateFormat is thread-unsafe. - The usual solution is to create a new one when needed in a method. - Creating SimpleDateFormat is relatively expensive. +java.util.SimpleDateFormat is thread-unsafe. +The usual solution is to create a new one when needed in a method. +Creating SimpleDateFormat is relatively expensive. - Solution: Use java.time.DateTimeFormatter. These classes are immutable, thus thread-safe and can be made static. +Solution: Use java.time.DateTimeFormatter. These classes are immutable, thus thread-safe and can be made static. 2 @@ -794,15 +797,15 @@ public class Foo { message="Avoid the ForkJoinPool::commonPool used in parallelStream for blocking calls" class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"> - Blocking calls, for instance remote calls, may exhaust the common pool for some time thereby blocking all other use of the common pool. - In addition, nested use of the common pool can lead to deadlock. Do not use the common pool for blocking calls. - The parallelStream() call uses the common pool. +Blocking calls, for instance remote calls, may exhaust the common pool for some time thereby blocking all other use of the common pool. +In addition, nested use of the common pool can lead to deadlock. Do not use the common pool for blocking calls. +The parallelStream() call uses the common pool. - Solution: Use a dedicated thread pool with enough threads to get proper parallelism. - The number of threads in the common pool is equal to the number of CPUs and meant to utilize all of them. - It assumes CPU-intensive non-blocking processing of in-memory data. +Solution: Use a dedicated thread pool with enough threads to get proper parallelism. +The number of threads in the common pool is equal to the number of CPUs and meant to utilize all of them. +It assumes CPU-intensive non-blocking processing of in-memory data. - See also: [_Be Aware of ForkJoinPool#commonPool()_](https://dzone.com/articles/be-aware-of-forkjoinpoolcommonpool) +See also: [_Be Aware of ForkJoinPool#commonPool()_](https://dzone.com/articles/be-aware-of-forkjoinpoolcommonpool) 2 @@ -862,15 +865,15 @@ public class Foo { message="Avoid using the common thread pool, use a separate pool" class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"> - CompletableFuture.supplyAsync/runAsync is typically used for remote calls. - By default it uses the common pool. - The number of threads in the common pool is equal to the number of CPU's, which is suitable for in-memory processing. - For I/O, however, this number is typically not suitable because most time is spent waiting for the response and not in CPU. - The common pool must not be used for blocking calls. +CompletableFuture.supplyAsync/runAsync is typically used for remote calls. +By default it uses the common pool. +The number of threads in the common pool is equal to the number of CPU's, which is suitable for in-memory processing. +For I/O, however, this number is typically not suitable because most time is spent waiting for the response and not in CPU. +The common pool must not be used for blocking calls. - Solution: A separate, properly sized pool of threads (an Executor) should be used for the async calls. +Solution: A separate, properly sized pool of threads (an Executor) should be used for the async calls. - See also: [_Be Aware of ForkJoinPool#commonPool()_](https://dzone.com/articles/be-aware-of-forkjoinpoolcommonpool) +See also: [_Be Aware of ForkJoinPool#commonPool()_](https://dzone.com/articles/be-aware-of-forkjoinpoolcommonpool) 2 @@ -908,9 +911,9 @@ public class Foo { message="Avoid CompletionService.take, use poll" class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"> - `take()` stalls indefinitely in case of hanging threads and consumes a thread. +`take()` stalls indefinitely in case of hanging threads and consumes a thread. - Solution: use `poll()` with a timeout value and handle the timeout. +Solution: use `poll()` with a timeout value and handle the timeout. 2 @@ -944,9 +947,9 @@ public static void collectAllCollectionReplyFromThreads(CompletionService
  • - Stalls indefinitely in case of stalled Callable(s) and consumes threads. +Stalls indefinitely in case of stalled Callable(s) and consumes threads. - Solution: Provide a timeout to the invokeAll/invokeAny method and handle the timeout. +Solution: Provide a timeout to the invokeAll/invokeAny method and handle the timeout. 2 @@ -979,9 +982,9 @@ class Foo { message="Avoid future.get without timeout" class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"> - Stalls indefinitely in case of hanging threads and consumes a thread. +Stalls indefinitely in case of hanging threads and consumes a thread. - Solution: Provide a timeout value and handle the timeout. +Solution: Provide a timeout value and handle the timeout. 2 @@ -1012,10 +1015,10 @@ public static String good(CompletableFuture complFuture) throws Exceptio message="An HttpClient is created and combined with request-response" class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"> - Apache HttpClient with its connection pool and timeouts should be setup once and then used for many requests. - It is quite expensive to create and can only provide the benefits of pooling when reused in all requests for that connection. +Apache HttpClient with its connection pool and timeouts should be setup once and then used for many requests. +It is quite expensive to create and can only provide the benefits of pooling when reused in all requests for that connection. - Solution: Create/build HttpClient with proper connection pooling and timeouts once, and then use it for requests. +Solution: Create/build HttpClient with proper connection pooling and timeouts once, and then use it for requests. 3 @@ -1054,11 +1057,11 @@ class Foo { message="A Gson object is created for each method call, which is expensive." class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"> - Problem: Gson creation is relatively expensive. A JMH benchmark shows a 24x improvement reusing one instance. +Problem: Gson creation is relatively expensive. A JMH benchmark shows a 24x improvement reusing one instance. - Solution: Since Gson objects are thread-safe after creation, they can be shared between threads. - So reuse created instances from a static field. - Pay attention to use thread-safe (custom) adapters and serializers. +Solution: Since Gson objects are thread-safe after creation, they can be shared between threads. +So reuse created instances from a static field. +Pay attention to use thread-safe (custom) adapters and serializers. 3 From f0350dd55446e78ff917b5641070e6db9d379d3f Mon Sep 17 00:00:00 2001 From: XDEV Renovate Bot Date: Thu, 30 Oct 2025 04:11:25 +0000 Subject: [PATCH 5/9] Update lycheeverse/lychee-action digest to a8c4c7c --- .github/workflows/broken-links.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/broken-links.yml b/.github/workflows/broken-links.yml index a99ae52..0e96b20 100644 --- a/.github/workflows/broken-links.yml +++ b/.github/workflows/broken-links.yml @@ -18,7 +18,7 @@ jobs: - name: Link Checker id: lychee - uses: lycheeverse/lychee-action@885c65f3dc543b57c898c8099f4e08c8afd178a2 # v2 + uses: lycheeverse/lychee-action@a8c4c7cb88f0c7386610c35eb25108e448569cb0 # v2 with: fail: false # Don't fail on broken links, create an issue instead From f5923efaaa98f06a394b539ee7d795d941973e86 Mon Sep 17 00:00:00 2001 From: XDEV Renovate Bot Date: Sat, 1 Nov 2025 04:16:41 +0000 Subject: [PATCH 6/9] Update net.sourceforge.pmd to v7.18.0 --- pom.xml | 4 ++-- template-placeholder/pom.xml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/pom.xml b/pom.xml index cddae72..046a742 100644 --- a/pom.xml +++ b/pom.xml @@ -83,12 +83,12 @@ net.sourceforge.pmd pmd-core - 7.17.0 + 7.18.0 net.sourceforge.pmd pmd-java - 7.17.0 + 7.18.0 diff --git a/template-placeholder/pom.xml b/template-placeholder/pom.xml index 7203198..13bcb16 100644 --- a/template-placeholder/pom.xml +++ b/template-placeholder/pom.xml @@ -253,12 +253,12 @@ net.sourceforge.pmd pmd-core - 7.17.0 + 7.18.0 net.sourceforge.pmd pmd-java - 7.17.0 + 7.18.0 From 4ebf84d79a7204b8641896071191c7e05ae42fe1 Mon Sep 17 00:00:00 2001 From: AB Date: Mon, 3 Nov 2025 08:46:37 +0100 Subject: [PATCH 7/9] Updated to PMD 7.18 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit https://github.com/pmd/pmd/releases/tag/pmd_releases%2F7.18.0 Reasoning: * Newly included/Changed * `IdenticalConditionalBranches` → self explaining * `LabeledStatement` → are confusing to use and I barely ever see them * Not included * `UnusedLabel` → Not used because `LabeledStatement` already handles these * `ConfusingTernary` → Not helpful in most situations * `AvoidCatchingGenericException` → Might be ok for maybe Throwable or Error (but we sometimes also have to catch those), however not catching Exceptions and RuntimeExceptions is an extremely bad practice --- .config/pmd/java/ruleset.xml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.config/pmd/java/ruleset.xml b/.config/pmd/java/ruleset.xml index 341cb3a..3332029 100644 --- a/.config/pmd/java/ruleset.xml +++ b/.config/pmd/java/ruleset.xml @@ -17,6 +17,7 @@ + @@ -149,6 +150,7 @@ + From 53e5c3113b97eb080131c1809d79b6b2d3365c60 Mon Sep 17 00:00:00 2001 From: AB Date: Mon, 3 Nov 2025 15:14:58 +0100 Subject: [PATCH 8/9] Don't allow TODO comments Fixes https://github.com/xdev-software/java-setup-template/issues/1 --- .config/checkstyle/checkstyle.xml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.config/checkstyle/checkstyle.xml b/.config/checkstyle/checkstyle.xml index 43b5290..ffbc2a9 100644 --- a/.config/checkstyle/checkstyle.xml +++ b/.config/checkstyle/checkstyle.xml @@ -122,9 +122,7 @@ - - - + From 4342c35dc276aecb146aa2877b1062c4a16ba3c0 Mon Sep 17 00:00:00 2001 From: AB Date: Fri, 7 Nov 2025 14:12:35 +0100 Subject: [PATCH 9/9] Small descriptive improvements Fixes https://github.com/xdev-software/java-setup-template/issues/2 --- .config/pmd/java/ruleset.xml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/.config/pmd/java/ruleset.xml b/.config/pmd/java/ruleset.xml index 3332029..c057d1a 100644 --- a/.config/pmd/java/ruleset.xml +++ b/.config/pmd/java/ruleset.xml @@ -213,11 +213,11 @@ message="StringBuilder/StringBuffer should not be used" class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"> -Usually all cases where `StringBuilder` (or the outdated `StringBuffer`) is used are either due to confusing (legacy) logic or may be replaced by a simpler string concatenation. +Usually all cases where `StringBuilder` (or the outdated `StringBuffer`) is used are either due to confusing (legacy) logic or in situations where it may be easily replaced by a simpler string concatenation. Solution: * Do not use `StringBuffer` because it's thread-safe and usually this is not needed -* If `StringBuilder` is only used in a simple method (like `toString`) and is effectively inlined: Use a simpler string concatenation (`"a" + x + "b"`). This will be optimized by the Java compiler internally. +* If `StringBuilder` is only used in a simple method (like `toString`) and is effectively inlined: Use a simpler string concatenation (`"a" + x + "b"`). This will be [optimized by the Java compiler internally](https://docs.oracle.com/javase/specs/jls/se25/html/jls-15.html#jls-15.18.1). * In all other cases: * Check what is happening and if it makes ANY sense! If for example a CSV file is built here consider using a proper library instead! * Abstract the Strings into a DTO, join them together using a collection (or `StringJoiner`) or use Java's Streaming API instead @@ -239,8 +239,8 @@ Solution: message="Setters of java.lang.System should not be called unless really needed" class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"> -Calling setters of java.lang.System usually indicates bad design and likely causes unexpected behavior. -For example, it may break when multiple Threads are setting the value. +Calling setters of `java.lang.System` usually indicates bad design and likely causes unexpected behavior. +For example, it may break when multiple Threads are working with the same value. It may also overwrite user defined options or properties. Try to pass the value only to the place where it's really needed and use it there accordingly. @@ -352,7 +352,8 @@ You can suppress this warning when you properly sanitized the name. Nearly every known usage of (Java) Object Deserialization has resulted in [a security vulnerability](https://cloud.google.com/blog/topics/threat-intelligence/hunting-deserialization-exploits?hl=en). Vulnerabilities are so common that there are [dedicated projects for exploit payload generation](https://github.com/frohoff/ysoserial). -Java Object Serialization may also fail to deserialize when the underlying classes are changed. +Java Object Serialization may also fail to deserialize properly when the underlying classes are changed. +This can result in unexpected crashes when outdated data is deserialized. Use proven data interchange formats like JSON instead. @@ -374,7 +375,8 @@ Use proven data interchange formats like JSON instead. + class="net.sourceforge.pmd.lang.rule.xpath.XPathRule" + externalInfoUrl="https://developer.mozilla.org/en-US/docs/Web/API/Element/innerHTML"> Do not use native HTML! Use Vaadin layouts and components to create required structure. If you are 100% sure that you escaped the value properly and you have no better options you can suppress this.