diff --git a/CHANGELOG.md b/CHANGELOG.md
index d1cab60e80e..5bc6e6d8bee 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -36,6 +36,7 @@ Currently the versioning policy of this project follows [Semantic Versioning v2.
- Fixed `FI_FINALIZER_NULLS_FIELDS` FPs for functions called finalize() but not with the correct signature. ([#3207](https://github.com/spotbugs/spotbugs/issues/3207))
- Fixed an error in the detection of bridge methods causing analysis crashes ([#3208](https://github.com/spotbugs/spotbugs/issues/3208))
- Fixed detector `ThrowingExceptions` by removing false positive reports, such as synthetic methods (lambdas), methods which inherited their exception specifications and methods which call throwing methods ([#2040](https://github.com/spotbugs/spotbugs/issues/2040))
+- Do not report `DP_DO_INSIDE_DO_PRIVILEGED`, `DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED` and `USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE` in code targeting Java 17 and above, since it advises the usage of deprecated method ([#1515](https://github.com/spotbugs/spotbugs/issues/1515)).
### Cleanup
- Cleanup thread issue and regex issue in test-harness ([#3130](https://github.com/spotbugs/spotbugs/issues/3130))
diff --git a/spotbugs/etc/messages.xml b/spotbugs/etc/messages.xml
index e04fdda47e9..8c6f0730b88 100644
--- a/spotbugs/etc/messages.xml
+++ b/spotbugs/etc/messages.xml
@@ -2582,33 +2582,42 @@ will need to be changed in order to compile it in later versions of Java.
Method invoked that should be only be invoked inside a doPrivileged block
Invocation of {2}, which should be invoked from within a doPrivileged block, in {1}
- This code invokes a method that requires a security permission check.
- If this code will be granted security permissions, but might be invoked by code that does not
- have security permissions, then the invocation needs to occur inside a doPrivileged block.
-]]>
+ This code invokes a method that requires a security permission check.
+ If this code will be granted security permissions, but might be invoked by code that does not
+ have security permissions, then the invocation needs to occur inside a doPrivileged block.
+ The java.security.AccessController<\code> class, which contains the doPrivileged methods,
+ got deprecated in Java 17 (see JEP 411), and removed in Java 24 (see JEP 486).
+ For this reason, this bug isn't reported in classes targeted Java 17 and above.
+ ]]>
Method invoked that should be only be invoked inside a doPrivileged block
Invocation of {2}, which should be invoked from within a doPrivileged block, in {1}
- This code invokes a method that requires a security permission check.
- If this code will be granted security permissions, but might be invoked by code that does not
- have security permissions, then the invocation needs to occur inside a doPrivileged block.
-]]>
+ This code invokes a method that requires a security permission check.
+ If this code will be granted security permissions, but might be invoked by code that does not
+ have security permissions, then the invocation needs to occur inside a doPrivileged block.
+ The java.security.AccessController<\code> class, which contains the doPrivileged methods,
+ got deprecated in Java 17 (see JEP 411), and removed in Java 24 (see JEP 486).
+ For this reason, this bug isn't reported in classes targeted Java 17 and above.
+ ]]>
Classloaders should only be created inside doPrivileged block
{1} creates a {2} classloader, which should be performed within a doPrivileged block
- This code creates a classloader, which needs permission if a security manage is installed.
- If this code might be invoked by code that does not
- have security permissions, then the classloader creation needs to occur inside a doPrivileged block.
-]]>
+ This code creates a classloader, which needs permission if a security manage is installed.
+ If this code might be invoked by code that does not
+ have security permissions, then the classloader creation needs to occur inside a doPrivileged block.
+ The java.security.AccessController<\code> class, which contains the doPrivileged methods,
+ got deprecated in Java 17 (see JEP 411), and removed in Java 24 (see JEP 486).
+ For this reason, this bug isn't reported in classes targeted Java 17 and above.
+ ]]>
@@ -9068,7 +9077,11 @@ Using floating-point variables should not be used as loop counters, as they are
method behaves exactly as expected.
See SEI CERT rule SEC02-J. Do not base security checks on untrusted sources.
-
]]>
+
+ The java.security.AccessController<\code> class, which contains the doPrivileged methods,
+ got deprecated in Java 17 (see JEP 411), and removed in Java 24 (see JEP 486).
+ For this reason, this bug isn't reported in classes targeted Java 17 and above.
+ ]]>
diff --git a/spotbugs/src/main/java/edu/umd/cs/findbugs/detect/DoInsideDoPrivileged.java b/spotbugs/src/main/java/edu/umd/cs/findbugs/detect/DoInsideDoPrivileged.java
index 56633de0f7b..857d1e3c75c 100644
--- a/spotbugs/src/main/java/edu/umd/cs/findbugs/detect/DoInsideDoPrivileged.java
+++ b/spotbugs/src/main/java/edu/umd/cs/findbugs/detect/DoInsideDoPrivileged.java
@@ -40,10 +40,12 @@ public DoInsideDoPrivileged(BugReporter bugReporter) {
this.bugAccumulator = new BugAccumulator(bugReporter);
}
- boolean isDoPrivileged = false;
+ private boolean isDoPrivileged = false;
+ private boolean isDoPrivilegedDeprecated = false;
@Override
public void visit(JavaClass obj) {
+ isDoPrivilegedDeprecated = obj.getMajor() >= Const.MAJOR_17;
isDoPrivileged = Subtypes2.instanceOf(getDottedClassName(), "java.security.PrivilegedAction")
|| Subtypes2.instanceOf(getDottedClassName(), "java.security.PrivilegedExceptionAction");
@@ -51,6 +53,9 @@ public void visit(JavaClass obj) {
@Override
public void visit(Code obj) {
+ if (isDoPrivilegedDeprecated) {
+ return;
+ }
if (isDoPrivileged && "run".equals(getMethodName())) {
return;
}
diff --git a/spotbugs/src/main/java/edu/umd/cs/findbugs/detect/FindPotentialSecurityCheckBasedOnUntrustedSource.java b/spotbugs/src/main/java/edu/umd/cs/findbugs/detect/FindPotentialSecurityCheckBasedOnUntrustedSource.java
index f73e337b282..3e7792c684d 100644
--- a/spotbugs/src/main/java/edu/umd/cs/findbugs/detect/FindPotentialSecurityCheckBasedOnUntrustedSource.java
+++ b/spotbugs/src/main/java/edu/umd/cs/findbugs/detect/FindPotentialSecurityCheckBasedOnUntrustedSource.java
@@ -121,7 +121,7 @@ private static class CallPair {
private Stack parameterNameStack = new Stack<>();
private LambdaInfo currentLambda = null;
-
+ private boolean isDoPrivilegedDeprecated = false;
private boolean isDoPrivileged = false;
private boolean isDoPrivilegedRun = false;
private boolean isLambdaCalledInDoPrivileged = false;
@@ -134,6 +134,7 @@ public FindPotentialSecurityCheckBasedOnUntrustedSource(BugReporter bugReporter)
@Override
public void visit(JavaClass obj) {
+ isDoPrivilegedDeprecated = obj.getMajor() >= Const.MAJOR_17;
nonFinalMethodsCalledOnParam.clear();
isDoPrivileged = Subtypes2.instanceOf(getDottedClassName(), "java.security.PrivilegedAction")
|| Subtypes2.instanceOf(getDottedClassName(), "java.security.PrivilegedExceptionAction");
@@ -148,8 +149,8 @@ public void visit(Method obj) {
@Override
public void visit(Code obj) {
- if (!isDoPrivilegedRun && !isLambdaCalledInDoPrivileged &&
- (!getThisClass().isPublic() || !getMethod().isPublic())) {
+ if (isDoPrivilegedDeprecated
+ || (!isDoPrivilegedRun && !isLambdaCalledInDoPrivileged && (!getThisClass().isPublic() || !getMethod().isPublic()))) {
return;
}
super.visit(obj);