lucene/gradle/validation/forbidden-apis/defaults.all.txt

#  Licensed to the Apache Software Foundation (ASF) under one or more
#  contributor license agreements.  See the NOTICE file distributed with
#  this work for additional information regarding copyright ownership.
#  The ASF licenses this file to You under the Apache License, Version 2.0
#  (the "License"); you may not use this file except in compliance with
#  the License.  You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#  Unless required by applicable law or agreed to in writing, software
#  distributed under the License is distributed on an "AS IS" BASIS,
#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#  See the License for the specific language governing permissions and
#  limitations under the License.

@defaultMessage Spawns threads with vague names; use a custom thread factory (Lucene's NamedThreadFactory, Solr's SolrNamedThreadFactory) and name threads so that you can tell (by its name) which executor it is associated with
java.util.concurrent.Executors#newFixedThreadPool(int)
java.util.concurrent.Executors#newSingleThreadExecutor()
java.util.concurrent.Executors#newCachedThreadPool()
java.util.concurrent.Executors#newSingleThreadScheduledExecutor()
java.util.concurrent.Executors#newScheduledThreadPool(int)
java.util.concurrent.Executors#defaultThreadFactory()
java.util.concurrent.Executors#privilegedThreadFactory()

@defaultMessage Properties files should be read/written with Reader/Writer, using UTF-8 charset. This allows reading older files with unicode escapes, too.
java.util.Properties#load(java.io.InputStream)
java.util.Properties#save(java.io.OutputStream,java.lang.String)
java.util.Properties#store(java.io.OutputStream,java.lang.String)

@defaultMessage The context classloader should never be used for resource lookups, unless there is a 3rd party library that needs it. Always pass a classloader down as method parameters.
java.lang.Thread#getContextClassLoader()
java.lang.Thread#setContextClassLoader(java.lang.ClassLoader)

java.lang.Character#codePointBefore(char[],int) @ Implicit start offset is error-prone when the char[] is a buffer and the first chars are random chars
java.lang.Character#codePointAt(char[],int) @ Implicit end offset is error-prone when the char[] is a buffer and the last chars are random chars

java.io.File#delete() @ use Files.delete for real exception, IOUtils.deleteFilesIgnoringExceptions if you dont care

java.util.Collections#shuffle(java.util.List) @ Use shuffle(List, Random) instead so that it can be reproduced

java.util.Locale#forLanguageTag(java.lang.String) @ use new Locale.Builder().setLanguageTag(...).build() which has error handling
java.util.Locale#toString() @ use Locale#toLanguageTag() for a standardized BCP47 locale name

@defaultMessage Constructors for wrapper classes of Java primitives should be avoided in favor of the public static methods available or autoboxing
java.lang.Integer#<init>(int)
java.lang.Integer#<init>(java.lang.String)
java.lang.Byte#<init>(byte)
java.lang.Byte#<init>(java.lang.String)
java.lang.Short#<init>(short)
java.lang.Short#<init>(java.lang.String)
java.lang.Long#<init>(long)
java.lang.Long#<init>(java.lang.String)
java.lang.Boolean#<init>(boolean)
java.lang.Boolean#<init>(java.lang.String)
java.lang.Character#<init>(char)
java.lang.Float#<init>(float)
java.lang.Float#<init>(double)
java.lang.Float#<init>(java.lang.String)
java.lang.Double#<init>(double)
java.lang.Double#<init>(java.lang.String)

@defaultMessage Java deserialization is unsafe when the data is untrusted. The java developer is powerless: no checks or casts help, exploitation can happen in places such as clinit or finalize!
java.io.ObjectInputStream
java.io.ObjectOutputStream

@defaultMessage Don't set a dictionary on a Deflater using a method that takes an offset or ByteBuffer (JDK-8252739)
java.util.zip.Deflater#setDictionary(byte[],int,int)
java.util.zip.Deflater#setDictionary(java.nio.ByteBuffer)
Port forbidden APIs. See gradlew :helpForbiddenApis to see how rules are applied automatically based on the set of dependencies of a project. 2019-12-03 08:40:35 -05:00			`# Licensed to the Apache Software Foundation (ASF) under one or more`
			`# contributor license agreements. See the NOTICE file distributed with`
			`# this work for additional information regarding copyright ownership.`
			`# The ASF licenses this file to You under the Apache License, Version 2.0`
			`# (the "License"); you may not use this file except in compliance with`
			`# the License. You may obtain a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`

SOLR-9906: SolrjNamedThreadFactory is deprecated in favor of SolrNamedThreadFactory. DefaultSolrThreadFactory is removed from solr-core in favor of SolrNamedThreadFactory in solrj package and all solr-core classes now use SolrNamedThreadFactory 2020-04-12 22:46:35 -04:00			`@defaultMessage Spawns threads with vague names; use a custom thread factory (Lucene's NamedThreadFactory, Solr's SolrNamedThreadFactory) and name threads so that you can tell (by its name) which executor it is associated with`
Port forbidden APIs. See gradlew :helpForbiddenApis to see how rules are applied automatically based on the set of dependencies of a project. 2019-12-03 08:40:35 -05:00			`java.util.concurrent.Executors#newFixedThreadPool(int)`
			`java.util.concurrent.Executors#newSingleThreadExecutor()`
			`java.util.concurrent.Executors#newCachedThreadPool()`
			`java.util.concurrent.Executors#newSingleThreadScheduledExecutor()`
			`java.util.concurrent.Executors#newScheduledThreadPool(int)`
			`java.util.concurrent.Executors#defaultThreadFactory()`
			`java.util.concurrent.Executors#privilegedThreadFactory()`

			`@defaultMessage Properties files should be read/written with Reader/Writer, using UTF-8 charset. This allows reading older files with unicode escapes, too.`
			`java.util.Properties#load(java.io.InputStream)`
			`java.util.Properties#save(java.io.OutputStream,java.lang.String)`
			`java.util.Properties#store(java.io.OutputStream,java.lang.String)`

			`@defaultMessage The context classloader should never be used for resource lookups, unless there is a 3rd party library that needs it. Always pass a classloader down as method parameters.`
			`java.lang.Thread#getContextClassLoader()`
			`java.lang.Thread#setContextClassLoader(java.lang.ClassLoader)`

			`java.lang.Character#codePointBefore(char[],int) @ Implicit start offset is error-prone when the char[] is a buffer and the first chars are random chars`
			`java.lang.Character#codePointAt(char[],int) @ Implicit end offset is error-prone when the char[] is a buffer and the last chars are random chars`

			`java.io.File#delete() @ use Files.delete for real exception, IOUtils.deleteFilesIgnoringExceptions if you dont care`

			`java.util.Collections#shuffle(java.util.List) @ Use shuffle(List, Random) instead so that it can be reproduced`

			`java.util.Locale#forLanguageTag(java.lang.String) @ use new Locale.Builder().setLanguageTag(...).build() which has error handling`
			`java.util.Locale#toString() @ use Locale#toLanguageTag() for a standardized BCP47 locale name`

			`@defaultMessage Constructors for wrapper classes of Java primitives should be avoided in favor of the public static methods available or autoboxing`
			`java.lang.Integer#<init>(int)`
			`java.lang.Integer#<init>(java.lang.String)`
			`java.lang.Byte#<init>(byte)`
			`java.lang.Byte#<init>(java.lang.String)`
			`java.lang.Short#<init>(short)`
			`java.lang.Short#<init>(java.lang.String)`
			`java.lang.Long#<init>(long)`
			`java.lang.Long#<init>(java.lang.String)`
			`java.lang.Boolean#<init>(boolean)`
			`java.lang.Boolean#<init>(java.lang.String)`
			`java.lang.Character#<init>(char)`
			`java.lang.Float#<init>(float)`
			`java.lang.Float#<init>(double)`
			`java.lang.Float#<init>(java.lang.String)`
			`java.lang.Double#<init>(double)`
			`java.lang.Double#<init>(java.lang.String)`
Merge forbidden APIs rules. 2019-12-17 07:39:10 -05:00
			`@defaultMessage Java deserialization is unsafe when the data is untrusted. The java developer is powerless: no checks or casts help, exploitation can happen in places such as clinit or finalize!`
			`java.io.ObjectInputStream`
			`java.io.ObjectOutputStream`
LUCENE-9517: Don't subclass Deflater and instead create a patch for setDictionary() using a functional interface (#1850) 2020-09-10 05:12:59 -04:00
			`@defaultMessage Don't set a dictionary on a Deflater using a method that takes an offset or ByteBuffer (JDK-8252739)`
			`java.util.zip.Deflater#setDictionary(byte[],int,int)`
			`java.util.zip.Deflater#setDictionary(java.nio.ByteBuffer)`