Update PMD dependencies

.github/workflows/ci.yml

@@ -68,7 +68,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        java-version: [ 8, 11 ]
+        java-version: [ 8, 11, 21, 23 ]
     steps:
     - uses: actions/checkout@v4
     - name: Set up JDK ${{ matrix.java-version }}

fernet-aws-secrets-manager-rotator/src/main/java/com/macasaet/fernet/aws/secretsmanager/rotation/AbstractFernetKeyRotator.java

@@ -49,7 +49,7 @@
  * <p>Copyright &copy; 2018 Carlos Macasaet.</p>
  * @author Carlos Macasaet
  */
-@SuppressWarnings({"PMD.LawOfDemeter", "PMD.BeanMembersShouldSerialize", "PMD.TooManyMethods"})
+@SuppressWarnings({"PMD.BeanMembersShouldSerialize", "PMD.TooManyMethods"})
 abstract class AbstractFernetKeyRotator implements RequestStreamHandler {
 
     private final Logger logger = LogManager.getLogger(getClass());
@@ -126,9 +126,6 @@ protected void handleRotationRequest(final RotationRequest request) {
                 return;
             case TEST_SECRET:
                 testSecret(secretId, clientRequestToken);
-                return;
-            default:
-                throw new IllegalArgumentException("Missing or invalid step provided");
         }
     }
 
@@ -205,6 +202,7 @@ protected void finishSecret(final String secretId, final String clientRequestTok
      * 
      * This requires the permission: <code>kms:GenerateRandom</code>
      */
+    @SuppressWarnings("PMD.AvoidSynchronizedStatement")
     protected void seed() {
         if (!seeded.get()) {
             synchronized (random) {
@@ -238,6 +236,7 @@ protected void wipe(final byte[] secretBytes) {
      *
      * @param secret secret data that is no longer needed
      */
+    @SuppressWarnings("PMD.UnnecessaryCast")
     protected void wipe(final ByteBuffer secret) {
         ((Buffer)secret).clear();
         final byte[] random = new byte[secret.capacity()];

fernet-aws-secrets-manager-rotator/src/main/java/com/macasaet/fernet/aws/secretsmanager/rotation/MemoryOverwritingRequestHandler.java

@@ -61,7 +61,7 @@ public void afterError(final Request<?> request, final Response<?> response, fin
         }
     }
 
-    @SuppressWarnings("PMD.LawOfDemeter")
+    @SuppressWarnings("PMD.UnnecessaryCast")
     protected void overwriteSecret(final PutSecretValueRequest putRequest) {
         final ByteBuffer buffer = putRequest.getSecretBinary();
         final byte[] bytes = new byte[buffer.capacity()];

fernet-aws-secrets-manager-rotator/src/main/java/com/macasaet/fernet/aws/secretsmanager/rotation/MultiFernetKeyRotator.java

@@ -37,7 +37,6 @@
  * <p>Copyright &copy; 2018 Carlos Macasaet.</p>
  * @author Carlos Macasaet
  */
-@SuppressWarnings("PMD.LawOfDemeter")
 public class MultiFernetKeyRotator extends AbstractFernetKeyRotator {
 
     private static final int fernetKeySize = 32;

fernet-aws-secrets-manager-rotator/src/main/java/com/macasaet/fernet/aws/secretsmanager/rotation/SecretsManager.java

@@ -43,7 +43,6 @@
  *
  * @author Carlos Macasaet
  */
-@SuppressWarnings("PMD.LawOfDemeter")
 class SecretsManager {
 
     private final AWSSecretsManager delegate;

fernet-aws-secrets-manager-rotator/src/main/java/com/macasaet/fernet/aws/secretsmanager/rotation/SimpleFernetKeyRotator.java

@@ -36,7 +36,6 @@
  * <p>Copyright &copy; 2018 Carlos Macasaet.</p>
  * @author Carlos Macasaet
  */
-@SuppressWarnings("PMD.LawOfDemeter")
 public class SimpleFernetKeyRotator extends AbstractFernetKeyRotator {
 
     private static final int fernetKeySize = 32;

fernet-java8/src/main/java/com/macasaet/fernet/Key.java

@@ -159,7 +159,6 @@ public byte[] sign(final byte version, final Instant timestamp, final IvParamete
      * @return the AES-encrypted payload. The length will always be a multiple of 16 (128 bits).
      * @see #decrypt(byte[], IvParameterSpec)
      */
-    @SuppressWarnings("PMD.LawOfDemeter")
     public byte[] encrypt(final byte[] payload, final IvParameterSpec initializationVector) {
         final SecretKeySpec encryptionKeySpec = getEncryptionKeySpec();
         try {
@@ -197,7 +196,6 @@ public byte[] encrypt(final byte[] payload, final IvParameterSpec initialization
      * @return the decrypted payload
      * @see Key#encrypt(byte[], IvParameterSpec)
      */
-    @SuppressWarnings("PMD.LawOfDemeter")
     protected byte[] decrypt(final byte[] cipherText, final IvParameterSpec initializationVector) {
         try {
             final Cipher cipher = Cipher.getInstance(getCipherTransformation());
@@ -217,7 +215,6 @@ protected byte[] decrypt(final byte[] cipherText, final IvParameterSpec initiali
     /**
      * @return the Base 64 URL representation of this Fernet key
      */
-    @SuppressWarnings("PMD.LawOfDemeter")
     public String serialise() {
         try (ByteArrayOutputStream byteStream = new ByteArrayOutputStream(fernetKeyBytes)) {
             writeTo(byteStream);
@@ -249,7 +246,6 @@ public int hashCode() {
         return result;
     }
 
-    @SuppressWarnings("PMD.LawOfDemeter")
     public boolean equals(final Object obj) {
         if (this == obj) {
             return true;
@@ -263,7 +259,6 @@ public boolean equals(final Object obj) {
                 && MessageDigest.isEqual(getEncryptionKey(), other.getEncryptionKey());
     }
 
-    @SuppressWarnings("PMD.LawOfDemeter")
     protected byte[] sign(final byte version, final Instant timestamp, final IvParameterSpec initializationVector,
             final byte[] cipherText, final ByteArrayOutputStream byteStream)
         throws IOException {

fernet-java8/src/main/java/com/macasaet/fernet/StringObjectValidator.java

@@ -49,7 +49,6 @@ default Function<byte[], String> getStringCreator() {
         return bytes -> new String(bytes, getCharset());
     }
 
-    @SuppressWarnings("PMD.LawOfDemeter")
     default Function<byte[], T> getTransformer() {
         return getStringCreator().andThen(getStringTransformer());
     }

fernet-java8/src/main/java/com/macasaet/fernet/Token.java

@@ -225,7 +225,6 @@ public static Token generate(final SecureRandom random, final Key key, final byt
      * @return the decrypted, deserialised payload of this token
      * @throws TokenValidationException if <em>key</em> was NOT used to generate this token
      */
-    @SuppressWarnings("PMD.LawOfDemeter")
     public <T> T validateAndDecrypt(final Key key, final Validator<T> validator) {
         return validator.validateAndDecrypt(key, this);
     }
@@ -238,12 +237,11 @@ public <T> T validateAndDecrypt(final Key key, final Validator<T> validator) {
      * @return the decrypted, deserialised payload of this token
      * @throws TokenValidationException if none of the keys were used to generate this token
      */
-    @SuppressWarnings("PMD.LawOfDemeter")
     public <T> T validateAndDecrypt(final Collection<? extends Key> keys, final Validator<T> validator) {
         return validator.validateAndDecrypt(keys, this);
     }
 
-    @SuppressWarnings({"PMD.ConfusingTernary", "PMD.LawOfDemeter"})
+    @SuppressWarnings("PMD.ConfusingTernary")
     protected byte[] validateAndDecrypt(final Key key, final Instant earliestValidInstant,
             final Instant latestValidInstant) {
         if (getVersion() != (byte) 0x80) {
@@ -261,7 +259,6 @@ protected byte[] validateAndDecrypt(final Key key, final Instant earliestValidIn
     /**
      * @return the Base 64 URL encoding of this token in the form Version | Timestamp | IV | Ciphertext | HMAC
      */
-    @SuppressWarnings("PMD.LawOfDemeter")
     public String serialise() {
         try (ByteArrayOutputStream byteStream = new ByteArrayOutputStream(
                 tokenStaticBytes + getCipherText().length)) {
@@ -281,7 +278,6 @@ public String serialise() {
      * @throws IOException
      *             if data cannot be written to the underlying stream
      */
-    @SuppressWarnings("PMD.LawOfDemeter")
     public void writeTo(final OutputStream outputStream) throws IOException {
         try (DataOutputStream dataStream = new DataOutputStream(outputStream)) {
             dataStream.writeByte(getVersion());

fernet-java8/src/main/java/com/macasaet/fernet/Validator.java

@@ -98,7 +98,7 @@ default Predicate<T> getObjectValidator() {
      * @return the deserialised contents of the token
      * @throws TokenValidationException if the token is invalid.
      */
-    @SuppressWarnings({"PMD.LawOfDemeter", "PMD.DataflowAnomalyAnalysis"})
+    @SuppressWarnings("PMD.DataflowAnomalyAnalysis")
     default T validateAndDecrypt(final Key key, final Token token) {
         final Instant now = Instant.now(getClock());
         final byte[] plainText = token.validateAndDecrypt(key, now.minus(getTimeToLive()), now.plus(getMaxClockSkew()));
@@ -124,7 +124,6 @@ default T validateAndDecrypt(final Key key, final Token token) {
      * @throws TokenValidationException
      *             if the token was not generated using any of the supplied keys.
      */
-    @SuppressWarnings("PMD.LawOfDemeter")
     default T validateAndDecrypt(final Collection<? extends Key> keys, final Token token) {
         final Key key =
                 keys.parallelStream()

fernet-java8/src/test/java/com/macasaet/fernet/KeyTest.java

@@ -23,6 +23,7 @@
 import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.fail;
+import static org.junit.Assume.assumeTrue;
 import static org.mutabilitydetector.unittesting.AllowedReason.allowingForSubclassing;
 import static org.mutabilitydetector.unittesting.AllowedReason.assumingFields;
 import static org.mutabilitydetector.unittesting.MutabilityAssert.assertInstancesOf;
@@ -58,7 +59,7 @@ public final void testConstructorValidatesSigningKey() {
             new Key(invalidSigningKey, validEncryptionKey);
             fail("Expected validation exception");
             // then
-        } catch (final IllegalArgumentException iae) {
+        } catch (final IllegalArgumentException ignored) {
         }
     }
 
@@ -72,7 +73,7 @@ public final void testConstructorValidatesEncryptionKey() {
             new Key(validSigningKey, invalidEncryptionKey);
             fail("Expected validation exception");
             // then
-        } catch (final IllegalArgumentException iae) {
+        } catch (final IllegalArgumentException ignored) {
         }
     }
 
@@ -195,6 +196,11 @@ public final void verifyEqualityContract() {
 
     @Test
     public final void verifyImmutable() {
+        // MutabilityDetector does not support the latest Java versions.
+        final String javaVersion = System.getProperty("java.version");
+        assumeTrue(javaVersion.startsWith("1.8")
+                || javaVersion.startsWith("11.")
+                || javaVersion.startsWith("17."));
         assertInstancesOf(Key.class, areImmutable(),
                 allowingForSubclassing(),
                 assumingFields("signingKey", "encryptionKey").areNotModifiedAndDoNotEscape());

fernet-java8/src/test/java/com/macasaet/fernet/TokenTest.java

@@ -21,6 +21,7 @@
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertThrows;
 import static org.junit.Assert.assertTrue;
+import static org.junit.Assume.assumeTrue;
 import static org.mutabilitydetector.unittesting.AllowedReason.allowingForSubclassing;
 import static org.mutabilitydetector.unittesting.AllowedReason.assumingFields;
 import static org.mutabilitydetector.unittesting.AllowedReason.provided;
@@ -207,6 +208,11 @@ public final void verifyTokenGenerationWithDefaultEntropySource() {
 
     @Test
     public final void verifyImmutable() {
+        // MutabilityDetector does not support the latest Java versions.
+        final String javaVersion = System.getProperty("java.version");
+        assumeTrue(javaVersion.startsWith("1.8")
+                || javaVersion.startsWith("11.")
+                || javaVersion.startsWith("17."));
         assertInstancesOf(Token.class, areImmutable(),
                 allowingForSubclassing(),
                 provided(IvParameterSpec.class).isAlsoImmutable(),

fernet-jersey-auth/src/main/java/com/macasaet/fernet/jaxrs/exception/TokenValidationExceptionMapper.java

@@ -35,7 +35,6 @@
  * @author Carlos Macasaet
  */
 @Provider
-@SuppressWarnings("PMD.LawOfDemeter")
 public class TokenValidationExceptionMapper implements ExceptionMapper<TokenValidationException> {
 
     public Response toResponse(final TokenValidationException exception) {

fernet-jersey-auth/src/main/java/com/macasaet/fernet/jersey/FernetSecretBinder.java

@@ -29,7 +29,6 @@
  * @see com.macasaet.fernet.jaxrs.FernetSecret
  * @see FernetSecretFeature
  */
-@SuppressWarnings("PMD.LawOfDemeter")
 class FernetSecretBinder extends AbstractBinder {
 
     protected void configure() {

fernet-jersey-auth/src/main/java/com/macasaet/fernet/jersey/FernetTokenBinder.java

@@ -30,7 +30,6 @@
  * @see com.macasaet.fernet.jaxrs.FernetToken
  * @see com.macasaet.fernet.Token
  */
-@SuppressWarnings("PMD.LawOfDemeter")
 class FernetTokenBinder extends AbstractBinder {
 
     protected void configure() {

pom.xml

@@ -47,7 +47,7 @@
     <maven.compiler.target>1.8</maven.compiler.target>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-    <pmd.version>6.49.0</pmd.version>
+    <pmd.version>7.11.0</pmd.version>
     <jackson.version>2.18.2</jackson.version>
     <dependency.locations.enabled>false</dependency.locations.enabled>
     <coverageThreshold>75</coverageThreshold>
@@ -188,7 +188,7 @@
         <plugin>
           <groupId>org.apache.maven.plugins</groupId>
           <artifactId>maven-pmd-plugin</artifactId>
-          <version>3.21.2</version>
+          <version>3.26.0</version>
           <configuration>
             <analysisCache>true</analysisCache>
             <rulesets>

src/main/config/pmd-ruleset.xml

@@ -26,7 +26,7 @@ under the License.
     These are the custom PMD rules for the Fernet Java library.
   </description>
   <rule ref="category/java/errorprone.xml">
-    <exclude name="LoggerIsNotStaticFinal" />
+    <exclude name="ConstructorCallsOverridableMethod" />
   </rule>
   <rule ref="category/java/errorprone.xml/AssignmentInOperand">
     <properties>
@@ -36,18 +36,16 @@ under the License.
   <rule ref="category/java/security.xml" />
   <rule ref="category/java/bestpractices.xml">
     <exclude name="MissingOverride" />
+    <exclude name="AvoidReassigningLoopVariables" />
   </rule>
   <rule ref="category/java/codestyle.xml">
-    <exclude name="VariableNamingConventions" />
     <exclude name="LongVariable" />
     <exclude name="TooManyStaticImports" />
     <!-- ShortClassName was complaining about the Key class -->
     <exclude name="ShortClassName" />
     <exclude name="ClassNamingConventions" />
-    <exclude name="DefaultPackage" />
     <exclude name="CommentDefaultAccessModifier" />
     <exclude name="OnlyOneReturn" />
-    <exclude name="AvoidFinalLocalVariable" />
     <exclude name="FieldNamingConventions" />
     <exclude name="AtLeastOneConstructor" />
     <exclude name="EmptyControlStatement" />
@@ -62,6 +60,11 @@ under the License.
     <exclude name="DataClass" />
     <exclude name="LoosePackageCoupling" />
   </rule>
+  <rule ref="category/java/design.xml/LawOfDemeter">
+    <properties>
+      <property name="trustRadius" value="2" />
+    </properties>
+  </rule>
   <rule ref="category/java/multithreading.xml" />
   <rule ref="category/java/performance.xml" />
 </ruleset>