Changes
This page lists all changes since the first released version.
New features / improvements:
- Add Java 22 support by including updated signatures files and build system changes.
- Added support for commons-io 2.15.0 and 2.15.1 (pull #244), thanks to Jan Høydahl.
- Fix deprecations in Gradle 8.7 to add compatibility for Gradle 9.x (issue #245, pull #247), thanks to Sebastian Davids and Dawid Weiss.
Bug fixes:
- For static method calls and field accesses do not look into superclasses. This fixes static method hiding produces false positives when original method is forbidden (issue #237, pull #238), thanks to Hoss Man.
Maintenance:
- Upgrade to ASM 9.7 for Java 22 and Java 23 bytecode compatibility.
Breaking changes:
- The forbiddenapis Maven plugin now requires Maven 3.1.0 as minimum version.
New features / improvements:
- Use new Maven Resolver framework by upgrading to Maven 3.1.0 minimum version. We now compile against Maven API 3.1.0 and Aether 0.9.0.M2 (issue #223, pull #230 as initial impl, and some followup commits to align versions), thanks to Konrad Windszus.
- Add Java 21 support by including updated signatures files and build system changes.
- Remove
HttpResponse.BodyHandlers.ofFile(Path)from banned methods list starting with Java 21 (issue #225). - Added support for commons-io 2.12.0 and 2.13.0 (pull #232), thanks to Jan Høydahl.
- Added support for commons-io 2.14.0 (pull #235).
- Clarify documentation of Maven configuration parameter "includes" and "excludes" (issue #228, pull #229), thanks to Konrad Windszus.
Maintenance:
- Upgrade to ASM 9.6 for Java 21 and Java 22 bytecode compatibility.
This version is a bugfix release. Upgrading is only needed if you are affected by issue #226.
Bug fixes / enhancement:
- Provide option to enable DEBUG level logging when using the CLI (issue #226,
pull #227), thanks to the Elasticsearch and Opensearch teams for reporting the issue.
This works around the problem that
failOnMissingClasses=falseno longer reports all missing classes, so Elasticsearch/Opensearch build scripts can no longer check third party JARs with missing dependencies. By enabling debug logging, the old CLI output can be re-enabled.
New features / improvements:
- Add Java 20 support by including updated signatures files and build system changes (pull #224).
- Add
HttpResponse.BodyHandlers.ofFile(Path)to banned method lists (buggy) (issue #214), thanks to Dawid Weiss. - If
failOnMissingClassesis disabled only log a summary of classes with WARN level (issue #207, pull #210). - Improve Gradle plugin startup time by compiling Groovy code at forbiddenapis build time instead of at runtime (pull #221).
Bug fixes:
- Second try to fix Gradle 7.0 configuration cache issues (issue #179) by compiling Groovy code at forbiddenapis build time instead of at runtime (pull #221).
- Fix Signatures URLs added to any task are actually applied to all tasks bug (issue #203, pull #209).
Maintenance:
- Upgrade to ASM 9.5 for Java 20 and Java 21 bytecode compatibility (pull #224).
New features / improvements:
- Add Java 19 support by including updated signatures files and build system changes (issue #204, pull #205), thanks to Daniel Heinrich.
- Add DEBUG level logging and report classpath and JDK type to allow debugging of classpath/JDK related problems (issue #202, pull #206), thanks to Hakanai.
Maintenance:
- Upgrade to ASM 9.4 for Java 19 and Java 20 bytecode compatibility.
New features / improvements:
- Add Java 18 support by including updated signatures files and build system changes.
- Add wildcard method signatures (pull #188), thanks to Mike Drob. This allows to add method
signatures like
Class#method(**)which matches all methods with that name. This is often helpful with many overloads where all should be forbidden. - Don't enforce annotations to be available on classpath. Due to Java Language Specification, at runtime all annotations (also runtime ones) are optional. So we do not enforce their availability (pull #194).
- Improve Gradle build avoidance by ignoring ABI-compatible changes (pull #186), thanks to Mark Vieira.
- Add new signatures for historic and actual Java versions (issue #184, issue #185, pull #195),
thanks to Marcono1234. This may break builds because new violations with
jdk-unsafecould be detected in scanned code.
Bug fixes:
- Fix Gradle 7.0 configuration cache issues (issue #179), thanks to Jochen Schalanda.
- Fix Gradle 7.4
@SkipWhenEmptywarning by adding missing@IgnoreEmptyDirectoriesannotation (issue #189, pull #193), thanks to Andriy Redko and Rene Groeschke.
New features:
- Add Java 16 and 17 support by upgrading to ASM 9.2. This includes updated signatures files and build system changes (thanks also to Stephan202 and bwarwell).
- Add signatures for
commons-io-unsafe-2.9.0,commons-io-unsafe-2.10.0,commons-io-unsafe-2.11.0
Bug fixes:
- Fix wrong signature:
DateTimeFormatterBuilder#toFormatter()is using default locale bug (pull #182). - Fix false positives in JDK-17 with
RandomSupport(issue #177, pull #178), thanks to yrodiere.
Maintenance:
- Upgrade to ASM 9.2 for Java 16 and Java 17 compatibility (pull #180), thanks to Stephan202 and bmarwell.
New features:
- Add Java 15 support by upgrading to ASM 9.0. This includes updated signatures files and build system changes.
- Add signatures for
commons-io-unsafe-2.8.0 - Add support for the
maven.compiler.releaseandmaven.compiler.testReleaseproperties which can be used to since Java 9 to provide the--releaseargument for the Java compiler. The release version is being used over the target version if it was defined, otherwise the target version is being used. This allows forbiddenapis to work out-of-box with recent Maven projects (pull #167), thanks to Jochen Schalanda. - Add better reporting if ASM fails to parse a class with an unspecified RuntimeException (issue #173, pull #174), thanks to Vladimir Sitnikov.
- Move some initialization steps (especially reflection) to Plugin's static initialization (pull #166).
Bug fixes:
- Fix one issue with Maven Central POM download fails due to https requirements (pull #171), thanks to mkmaier.
Maintenance:
- Upgrade to ASM 9.0 for Java 15 and Java 16-ea compatibility
Bug fixes:
- Fix
Method not found while parsing signature: org.apache.commons.io.output.ByteArrayOutputStream#toString()happening when usingcommons-io-unsafe(any version) with version 2.7 of the library on classpath. Due to a (still binary compatible) change (move of method to abstract superclass), signatures parsing was broken (issue #168, pull #169), thanks to Quentin Caillard. A later version will have a better fix for this. This bugfix release adds support for the new library version by adding bundled signaturescommons-io-unsafe-2.7.
Maintenance:
- Upgrade ASM 8.0 to ASM 8.0.1
This is the major 3.0 release of the forbidden-apis plugin. The main new feature is support for the Gradle build cache and support for task configuration avoidance. The new version also supports Java 14.
Breaking changes:
- Update to Java 7 as minimum requirement (pull #160).
- Update to Gradle 3.2 as minimum requirement (pull #155),
thanks
mkmaier. - Removal of all deprecated task settings/properties (pull #161).
New features:
- Add Java 14 support by upgrading to ASM 8.0. This includes updated signatures files and build system changes.
- Add support for lazy tasks API / task configuration avoidance. Starting with Gradle 4.9, forbiddenapis will use the new lazy tasks API, so tasks are not generated in the configuration phase unless they are needed in the task graph. Older Gradle versions still use the old API (issue #145, pull #162), thanks to Ryan Ernst and Thomas Broyer.
- Allow to silently ignore signatures if a class was not found. This allows
to silence multi-module Maven/Gradle builds by adding a new setting to Gradle,
Maven, Ant tasks/mojos:
ignoreSignaturesOfMissingClasses. In contrast to the now deprecatedfailOnUnresolvableSignatures, it prints no warnings and at the same time it enforces that method signatures are correct (if the class was found). The previous setting had the big problem that it was often used for multi-module builds only to workaround that some classes are missing in submodules, but the (now-deprecated) settingfailOnUnresolvableSignatures=falsedisabled all signatures checking, so incorrect method descriptors (wrong parameters,...) were hidden on parsing. This lead to unseen violations, just because some method parameter was mistyped (pull #164). See also issue #83 for details. Thanks to Joep Weijers, Matthew Janssen, Dawid Weiss. - Maven task now hides the warning if the classes directory/fileset is missing (pull #163), thanks Joep Weijers
Bug fixes:
- Fix some Gradle task annotations, so the build cache works correctly
(pull #159, pull #155),
thanks
mkmaierand Vladimir Sitnikov.
Internals:
- Use
httpsforrepo.gradle.org(pull #154), thanksmkmaier. - Add some hacks to bootstrap the Maven 2 build parts (which uses
httpinstead ofhttpsto bootstrap itsself, which is no longer supported by Maven Central).
Please note: repo.gradle.org now requires TLS 1.2, which is not included in Java 7.
The same applies for repo1.maven.org. To build with Java 7, the system downgrades all
URLs to http and uses a separate replacement server for Maven Central. Unfortunately
this does not work with Gradle's repository. For safety reasons and also to actually
bootstrap the build, run everything one time with at least Java 8+. This will download
all artifacts through a secure TLS 1.2 connection and cache them locally. To build a
release, Java 7 can then be used to run the build with recommended minimum version.
New features:
- Add Java 12 and 13 support by upgrading to ASM 7.2. This includes updated signatures files and build system changes (shipped documentation is currently missing reference to Java 12 and 13, sorry).
- Replace jdk-unsafe class signatures of
java.io.FileReaderandjava.io.FileWriterby explicit constructor signatures since there are now safe methods withCharsetthat can be used since Java 11 (pull #152), thanks Andreas Asplund. This allows to use those classes in checked code starting from Java 11.
Bug fixes:
- Do not emit "and 0 more" in ignored signatures message (pull #148), thanks Dawid Weiss.
Internals:
- Add
InputStream#skip(long)to forbiddenapi's own checks because it is flaky. (pull #150), thanks Tim Allison. - Update Groovy to latest 2.4.17 bugfix release.
Please note: There is Java 12 and Java 13 support, but as of limitations (no Java 6 compile support anymore), it can not be compiled/built with those Java versions. Creating deprecated/internal signatures files needs to bootstrap with earlier Java version. Once the tools classes are built, run them in a second step with targeted Java version.
New features:
- Add Java 11 support by upgrading to ASM 6.2.1. This includes updated signatures files and build system changes (shipped documentation is currently missing reference to Java 11, sorry).
- The plugin was published on the Gradle Plugin portal. Due to a bug in plugin initialization (issue #144), older versions may not fully work. Thanks to Sebastian Davids and the Gradle team for help and pushing this forward!
- When signatures are using classes that are not found on classpath, the option to ignore those warnings is no longer so noisy: It only lists all failed signatures separately where methods/fields do not exit, but the missing classes are reported only with a single line (issue #83, pull #140), thanks ghost, Tim Allison, Dawid Weiss.
- Report more details about class that failed to load while scanning the classes to be checked (issue #142), thanks Trejkaz.
- Only print warning about Gradle daemon once.
Bug fixes:
- Gradle: Fix SourceSets added after plugin loading don't get tasks (issue #138, pull #139).
- Add a hack for the broken JavaVersion enum in Gradle. It returns version "1.9" and "1.10" (which are invalid targetCompatibility versions) and this problem is only fixed after Java 11. Before Java 11 we switch to plain "majorVersion" property (issue #143), thanks Sebastian Davids.
- Gradle: Always apply JavaBasePlugin, otherwise startup may fail with new plugin DSL, as initialization order is undefined (issue #144), thanks Sebastian Davids.
Internals:
- Refactor signatures file parsing and lookup of signatures (remove from Checker).
- Workaround for Java 1.6 (minimum version) builds with Maven Central TLS settings.
- Cleanup Gradle plugin initialization exception handling, check minimal Gradle version.
New features:
- Add Java 10 support by upgrading to ASM 6.1.1 (issue #136). This includes updated signatures files and build system changes.
- Add signatures for
commons-io-unsafe-2.6(pull #133), thanks to Jochen Schalanda. - Improve documentation about custom signatures files (issue #135), thanks Roman Leventov.
Internals:
- Add local signatures file to check ourselves (e.g., forbid direct use of ASM's
ClassReaderconstructors). - Simplify class file patching by loading bytecode of class files into byte arrays. This also works around a slowness bug in ASM 6.1.
- Upgrade to Groovy 2.4.15.
Bug fixes:
- Fix regression in Gradle Task: Dependencies on
SourceSetoutputs were not correctly setup (issue #131).
Warning: This version is buggy, please use bugfix release 2.4.1!
New features:
- Fix deprecation warning with Gradle 4. This requires changes in the Gradle task:
classesDirproperty was deprecated and replaced byclassesDirs. Most users will not see a change, as this property is only used in advanced setups. The new property is now aFileCollectioncontaining all classes output dirs of the task'sSourceSet(issue #120, pull #124), thanks to Jörn Huxhorn for reporting. See potential breaking changes in Gradle 4. - Update ASM to version 6.0 and remove class file patching. This adds full Java 9 support.
- Change source/target Java version normalization to respect new Java version numbering scheme.
targetVersionconfig property can now be'1.6', '6', '1.7', '7', '1.8', '8', '9', while the bundled signatures files now use official version numbers (issue #130). - Improve usage of Module API in Java 9 as fallback for future Java versions (issue #118). This allows usage in newer Java runtimes without upgrading ASM.
- Add documentation about custom signatures files (issue #128), thanks Roman Leventov.
New features / bug fixes:
- Improve Gradle startup time:
apply plugin: 'de.thetaphi.forbiddenapis'was changed to compileplugin-init.groovyonly once (issue #116, pull #117), thanks to Jörn Huxhorn. - Update Groovy to version 2.4.8 for Java 9 compatibility.
- Update ASM to version 5.2.
- Update Java 9 bundled signatures files.
New features / bug fixes:
- Add support for signature polymorphic methods, like
MethodHandle.invoke()(issue #105, pull #106), thanks to Robert. - Add signatures for
commons-io-unsafe-2.5(issue #102). - Add some missing methods to
commons-io-unsafesignatures after another review (pull #104). - Add new setting to disable the classloading cache. This is a workarounds for build systems that change JAR files,
but don't close their classloaders, leading to
FileNotFoundExceptionwhen trying to load class files from the changed JAR file. This affects especially the Gradle Daemon (issue #75, pull #76).
New features:
- Add targetVersion support to Ant task (issue #101).
- Add initial support for new Java 9 class file format (pull #97).
- On Java 9 Jigsaw, don't use ASM to analyze system classes. This change makes it more unlikely that the tool will exit with "Bundled version of ASM cannot parse bytecode of java.lang.Object class; marking runtime as not suppported" on Java 9+ (commit).
- Deprecate
internalRuntimeForbiddenattribute and add a new bundles signaturesjdk-non-portableto and make heuristics reliable (pull #95, issue #54). - Add new bundled signatures
jdk-internalfor disallowing internal runtime APIs (issue #91, pull #95). - Add unsafe signatures for ResourceBundle (issue #89), thanks to Trejkaz.
- Add a bundle
jdk-reflectionthat contains methods that bypass Java security (pull #86), thanks to Dominik Stadler. - Add support for new Java version style "6.0" instead of "1.6" (pull #81).
Bug fixes:
- Fix method checks to also look into superclasses if method was overridden (issue #100).
- Fix class loading order bugs (issue #91).
- Allow referencing non-jarred artefacts (pull #87), thanks to Dawid Weiss.
- Hide warnings about missing classes/methods/fields in deprecated signatures (pull #84)
Internals:
- Update to ASM 5.1
This is the major 2.0 release of the forbidden-apis plugin. The main new
feature is native support for the Gradle build system (minimum requirement is Gradle 2.3).
But also Apache Ant and Apache Maven build systems got improved support: Ant can now load signatures from
arbitrary resources by using a new XML element <signatures></signatures> that may contain
any valid ANT resource, e.g., ivy's cache-filesets or plain URLs. Apache Maven now supports
to load signatures files as artifacts from your repository or Maven Central (new signaturesArtifacts
Mojo property).
Breaking changes:
- Update to Java 6 as minimum requirement (pull #71).
- Switch default Maven lifecycle phase to
verify(pull #72).
New features:
- Add support for Gradle (issue #68, pull #70, pull #73, thanks to Ryan Ernst & Chris Earle for help and suggestions).
- Allow Maven artifacts to be loaded as signatures (issue #13, pull #79).
- Allow arbitrary Ant resources to be loaded as signatures (pull #78).
- Add
failOnViolationsetting to optionally fail builds (pull #62, thanks to Jochen Schalanda). - Cleanup unsafe JDK signatures for Java 8 (mostly
java.timeAPI) (issue #19, pull #57). - Support for Java 9 Jigsaw preview builds (pull #74).
Bug fixes:
- Add automatic plugin execution override for M2E. It is no longer needed to add a lifecycle mapping to exclude forbiddenapis to execute inside Eclipse's M2E (issue #60).
Internals:
- Package refactoring of Cli, Ant, Maven (pull #69).
- Refactor loggers and make Checker a final, non abstract class (pull #67).
- Use EnumSet for the checker options (pull #64).
- Add support for signature file URLs (pull #77).
New features:
- Initial Java 9 support (JIGSAW modules, signatures, deprecations) (issue #39, pull #50).
- Add annotation support (
@SuppressForbidden) to suppress errors for classes/methods/fields. Annotations can be defined in config, also using glob patterns (e.g.,**.MySuppressForbidden) (issue #34, issue #53). - Forbid
MessageFormat.format(String,Object[])because it uses default locale (pull #48, thanks to Shalin Shekhar Mangar). - Add support for forbidding java packages using class name globs (e.g.,
sun.misc.**) (issue #40). - Sort error messages by source code line number. Also show failures in synthetic methods and lambdas where they belong (issue #12).
Bug fixes:
- Forbidden
@java.lang.Deprecatedis not always detected (issue #45). - Re-enable class-only, non-runtime annotation checking (issue #46).
New features:
- Auto-generate HTML documentation for Ant Task, Maven Mojo, and CLI (issue #32, issue #37).
- Add a new documentation ZIP file to release (issue #32, issue #37).
- Add help-mojo (issue #32, issue #37).
- Add support for signaturesFilelist and signaturesFile elements (issue #36).
- Add option to also ignore unresolvable signatures in Ant and CLI (issue #42).
- Allow option to only print warning if Ant fileset of classes to scan is empty (like Maven) (issue #35).
Bug fixes:
- Fix bug that deprecated signatures of Java 8 fail to load on Java 9 (issue #41).
Backwards compatibility:
- Remove deprecated Mojo of version 1.0 (issue #33).
- Rename some CLI options to be consistent with others (issue #42).
Bug fixes:
- Fix wrong plugin descriptor in Maven artifact. No code change, just new binary artifact.
New features:
- Option to skip the execution of the plugin (pass
mvn -Dforbiddenapis.skip=true) (issue #29). - Maven plugin should log warning if target version is not set (issue #28).
Other changes:
- Upgrade ASM to bugfix release 5.0.3.
Bug fixes:
- Fix regression caused by issue #8 with non-runtime visible annotations (e.g.
java.lang.Synthetic) which are not in classpath (issue #27). This hotfix disables detection of class-file only annotations. Annotations that need to be detected must haveRetentionPolicy.RUNTIMEto be visible to forbidden-apis. - Improve logging when no line numbers are available.
New features:
- Make it possible to ban annotations (issue #8).
Bug fixes:
- Upgrade ASM to bugfix release 5.0.1.
- Forbidden class use does not work in field declarations and method declarations (issue #25).
- Fix lookup of class references in
checkType()/checkDescriptor()to also inspect superclasses and interfaces (issue #26).
New features:
- Upgrade to ASM 5.0 (issue #24).
- Full support for Java 8: Update deprecated signatures with final version of JDK 1.8.0; recompile and verify test classes.
Bug fixes:
- Add some missing unsafe signatures (issue #22).
New features:
- Upgrade to ASM 5.0 BETA (issue #18).
- Add Java 8 deprecated + unsafe signatures (issue #16).
- Detect references to invokeDynamic using method handles to forbidden methods (issue #11).
- Skip execution for Maven projects with packaging "pom" (Maven only, issue #10).
- Add an option to ignore unresolvable signatures (Maven only, issue #14).
- Enhance the target parameter to also support testTarget like maven-compiler-plugin (Maven only, issue #15).
Bug fixes:
- Fix missing methods in commons-io (issue #9).
Optimizations:
- Improve memory usage (issue #20).
New features:
- Preliminary support for Java 8 (issue #7, tested with preview build 86 of the Oracle Java 8 JDK): The tool can now read Java 8 class files and detects usage of forbidden APIs in default interface methods and closures. It does not yet ship with signature files for Java 8, as the API is not yet official.
Optimizations:
- Reduced binary JAR size by using non-debug ASM version.
New features:
- Validating test classes is now supported by the Maven Mojo. The goals were renamed to "check" and "testCheck" (issue #4).
Bug fixes:
- fixed issue #5 (Apple-provided JDK 1.6 on MacOSX was detected as "unsupported"). The algorithm to get the bootclasspath was improved to support those JDK versions.
New features:
- added a Command Line Interface (CLI, issue #3).
Bug fixes:
- fixed issue #1 (the bundled signature
jdk-system-outwas not working in Maven). - fixed issue #2 (the Ant task was incorrectly failing to execute on empty task tag
<forbiddenapis internalRuntimeForbidden="true" dir="..."/>, although the checks for internal api calls are enabled).
Initial release, including support for Apache Ant, Apache Maven.