mirror of https://github.com/apache/lucene.git
79 lines
4.4 KiB
Plaintext
79 lines
4.4 KiB
Plaintext
# Licensed to the Apache Software Foundation (ASF) under one or more
|
|
# contributor license agreements. See the NOTICE file distributed with
|
|
# this work for additional information regarding copyright ownership.
|
|
# The ASF licenses this file to You under the Apache License, Version 2.0
|
|
# (the "License"); you may not use this file except in compliance with
|
|
# the License. You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
@defaultMessage Spawns threads with vague names; use a custom thread factory (Lucene's NamedThreadFactory, Solr's SolrNamedThreadFactory) and name threads so that you can tell (by its name) which executor it is associated with
|
|
java.util.concurrent.Executors#newFixedThreadPool(int)
|
|
java.util.concurrent.Executors#newSingleThreadExecutor()
|
|
java.util.concurrent.Executors#newCachedThreadPool()
|
|
java.util.concurrent.Executors#newSingleThreadScheduledExecutor()
|
|
java.util.concurrent.Executors#newScheduledThreadPool(int)
|
|
java.util.concurrent.Executors#defaultThreadFactory()
|
|
java.util.concurrent.Executors#privilegedThreadFactory()
|
|
|
|
@defaultMessage Properties files should be read/written with Reader/Writer, using UTF-8 charset. This allows reading older files with unicode escapes, too.
|
|
java.util.Properties#load(java.io.InputStream)
|
|
java.util.Properties#save(java.io.OutputStream,java.lang.String)
|
|
java.util.Properties#store(java.io.OutputStream,java.lang.String)
|
|
|
|
@defaultMessage The context classloader should never be used for resource lookups, unless there is a 3rd party library that needs it. Always pass a classloader down as method parameters.
|
|
java.lang.Thread#getContextClassLoader()
|
|
java.lang.Thread#setContextClassLoader(java.lang.ClassLoader)
|
|
|
|
java.lang.Character#codePointBefore(char[],int) @ Implicit start offset is error-prone when the char[] is a buffer and the first chars are random chars
|
|
java.lang.Character#codePointAt(char[],int) @ Implicit end offset is error-prone when the char[] is a buffer and the last chars are random chars
|
|
|
|
java.io.File#delete() @ use Files.delete for real exception, IOUtils.deleteFilesIgnoringExceptions if you dont care
|
|
|
|
java.util.Collections#shuffle(java.util.List) @ Use shuffle(List, Random) instead so that it can be reproduced
|
|
java.util.Stack @ Use more modern java.util.ArrayDeque as it is not synchronized
|
|
java.util.Vector @ Use more modern java.util.ArrayList as it is not synchronized
|
|
|
|
# TODO (needs some fix in forbiddenapis): this also hits java.util.Properties:
|
|
# java.util.Hashtable @ Use more modern java.util.HashMap as it is not synchronized
|
|
|
|
java.util.Locale#forLanguageTag(java.lang.String) @ use new Locale.Builder().setLanguageTag(...).build() which has error handling
|
|
java.util.Locale#toString() @ use Locale#toLanguageTag() for a standardized BCP47 locale name
|
|
|
|
@defaultMessage Constructors for wrapper classes of Java primitives should be avoided in favor of the public static methods available or autoboxing
|
|
java.lang.Integer#<init>(**)
|
|
java.lang.Byte#<init>(**)
|
|
java.lang.Short#<init>(**)
|
|
java.lang.Long#<init>(**)
|
|
java.lang.Boolean#<init>(**)
|
|
java.lang.Character#<init>(**)
|
|
java.lang.Float#<init>(**)
|
|
java.lang.Double#<init>(**)
|
|
|
|
@defaultMessage Java deserialization is unsafe when the data is untrusted. The java developer is powerless: no checks or casts help, exploitation can happen in places such as clinit or finalize!
|
|
java.io.ObjectInputStream
|
|
java.io.ObjectOutputStream
|
|
|
|
@defaultMessage JNDI is RCE-in-a-box, avoid it.
|
|
javax.naming.Context
|
|
javax.management.remote.JMXConnectorFactory
|
|
javax.management.remote.rmi.RMIConnector
|
|
javax.naming.directory.InitialDirContext
|
|
javax.naming.InitialContext
|
|
javax.naming.spi.ContinuationContext
|
|
javax.naming.spi.ContinuationDirContext
|
|
javax.sql.rowset.spi.ProviderImpl
|
|
javax.sql.rowset.spi.SyncFactory
|
|
|
|
@defaultMessage Math.fma is insanely slow (2500x) in many environments (e.g. VMs). Use multiply/add and suffer the extra rounding
|
|
java.lang.Math#fma(float,float,float)
|
|
java.lang.Math#fma(double,double,double)
|
|
|
|
java.lang.Thread#sleep(**) @ Thread.sleep makes inefficient use of resources, introduces weird race conditions and slows down the code/tests. Not a scalable and good practice so we should prevent it creeping into lucene code
|