Nullabbility.

Author: mp911de

.mvn/jvm.config

@@ -0,0 +1,14 @@
+--add-exports jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED
+--add-exports jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED
+--add-exports jdk.compiler/com.sun.tools.javac.main=ALL-UNNAMED
+--add-exports jdk.compiler/com.sun.tools.javac.model=ALL-UNNAMED
+--add-exports jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED
+--add-exports jdk.compiler/com.sun.tools.javac.processing=ALL-UNNAMED
+--add-exports jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED
+--add-exports jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED
+--add-opens jdk.compiler/com.sun.tools.javac.code=ALL-UNNAMED
+--add-opens jdk.compiler/com.sun.tools.javac.comp=ALL-UNNAMED
+--add-opens=java.base/java.util=ALL-UNNAMED
+--add-opens=java.base/java.lang.reflect=ALL-UNNAMED
+--add-opens=java.base/java.text=ALL-UNNAMED
+--add-opens=java.desktop/java.awt.font=ALL-UNNAMED

pom.xml

@@ -23,6 +23,7 @@
 		<assertj-core.version>3.27.3</assertj-core.version>
 		<aws-java-sdk.version>2.31.29</aws-java-sdk.version>
 		<bcpkix-jdk18on.version>1.80</bcpkix-jdk18on.version>
+		<errorprone.version>2.36.0</errorprone.version>
 		<google-api-services-iam.version>v1-rev20221013-2.0.0
 		</google-api-services-iam.version>
 		<google-cloud-iamcredentials.version>2.60.0</google-cloud-iamcredentials.version>
@@ -39,6 +40,7 @@
 		<mockk.version>1.13.17</mockk.version>
 		<mockito-core.version>5.17.0</mockito-core.version>
 		<netty.version>4.1.121.Final</netty.version>
+		<nullaway.version>0.12.3</nullaway.version>
 		<okhttp3.version>3.14.9</okhttp3.version>
 		<spring.version>7.0.0-M2</spring.version>
 		<spring-data-bom.version>2025.1.0-M1</spring-data-bom.version>
@@ -379,9 +381,22 @@
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-compiler-plugin</artifactId>
 				<configuration>
-					<source>${java.version}</source>
-					<target>${java.version}</target>
+					<release>${java.version}</release>
 					<parameters>true</parameters>
+					<release>${source.level}</release>
+					<showWarnings>true</showWarnings>
+					<annotationProcessorPaths>
+						<path>
+							<groupId>com.google.errorprone</groupId>
+							<artifactId>error_prone_core</artifactId>
+							<version>${errorprone.version}</version>
+						</path>
+						<path>
+							<groupId>com.uber.nullaway</groupId>
+							<artifactId>nullaway</artifactId>
+							<version>${nullaway.version}</version>
+						</path>
+					</annotationProcessorPaths>
 				</configuration>
 				<executions>
 					<execution>
@@ -398,6 +413,13 @@
 						<goals>
 							<goal>compile</goal>
 						</goals>
+						<configuration>
+							<compilerArgs>
+								<arg>-XDcompilePolicy=simple</arg>
+								<arg>--should-stop=ifError=FLOW</arg>
+								<arg>-Xplugin:ErrorProne -XepDisableAllChecks -Xep:NullAway:ERROR -XepOpt:NullAway:OnlyNullMarked=true -XepOpt:NullAway:CustomContractAnnotations=org.springframework.lang.Contract</arg>
+							</compilerArgs>
+						</configuration>
 					</execution>
 					<execution>
 						<id>java-test-compile</id>

spring-vault-core/pom.xml

@@ -135,6 +135,11 @@
 			<artifactId>kotlinx-coroutines-reactor</artifactId>
 			<optional>true</optional>
 		</dependency>
+		<dependency>
+			<groupId>org.jspecify</groupId>
+			<artifactId>jspecify</artifactId>
+			<version>1.0.0</version>
+		</dependency>
 
 		<!-- HTTP clients -->
 

spring-vault-core/src/main/java/org/springframework/vault/annotation/PropertySourceAotProcessor.java

@@ -18,6 +18,8 @@
 import java.util.Map.Entry;
 import java.util.function.Predicate;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.aot.generate.GenerationContext;
 import org.springframework.beans.factory.aot.BeanRegistrationAotContribution;
 import org.springframework.beans.factory.aot.BeanRegistrationAotProcessor;
@@ -31,7 +33,6 @@
 import org.springframework.beans.factory.support.RegisteredBean;
 import org.springframework.beans.factory.support.RootBeanDefinition;
 import org.springframework.javapoet.CodeBlock;
-import org.springframework.lang.Nullable;
 import org.springframework.util.ClassUtils;
 import org.springframework.vault.core.lease.domain.RequestedSecret;
 import org.springframework.vault.core.lease.domain.RequestedSecret.Mode;
@@ -48,7 +49,7 @@
 class PropertySourceAotProcessor implements BeanRegistrationAotProcessor {
 
 	@Override
-	public BeanRegistrationAotContribution processAheadOfTime(RegisteredBean registeredBean) {
+	public @Nullable BeanRegistrationAotContribution processAheadOfTime(RegisteredBean registeredBean) {
 
 		if (registeredBean.getBeanClass() == org.springframework.vault.core.env.LeaseAwareVaultPropertySource.class) {
 			return BeanRegistrationAotContribution.withCustomCodeFragments(AotContribution::new);

spring-vault-core/src/main/java/org/springframework/vault/annotation/VaultPropertySource.java

@@ -113,7 +113,7 @@
 	 */
 	Renewal renewal() default Renewal.OFF;
 
-	public enum Renewal {
+	enum Renewal {
 
 		/**
 		 * Do not renew leases associated with secrets.

spring-vault-core/src/main/java/org/springframework/vault/annotation/VaultPropertySourceRegistrar.java

@@ -21,6 +21,8 @@
 import java.util.Map;
 import java.util.Set;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.beans.BeansException;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.beans.factory.config.BeanFactoryPostProcessor;
@@ -36,7 +38,6 @@
 import org.springframework.core.env.MutablePropertySources;
 import org.springframework.core.env.PropertySource;
 import org.springframework.core.type.AnnotationMetadata;
-import org.springframework.lang.Nullable;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 import org.springframework.vault.annotation.VaultPropertySource.Renewal;
@@ -200,17 +201,17 @@ static Set<AnnotationAttributes> attributesForRepeatable(AnnotationMetadata meta
 		Set<AnnotationAttributes> result = new LinkedHashSet<>();
 		addAttributesIfNotNull(result, metadata.getAnnotationAttributes(annotationClassName, false));
 
-		Map<String, Object> container = metadata.getAnnotationAttributes(containerClassName, false);
+		Map<String, @Nullable Object> container = metadata.getAnnotationAttributes(containerClassName, false);
 		if (container != null && container.containsKey("value")) {
-			for (Map<String, Object> containedAttributes : (Map<String, Object>[]) container.get("value")) {
+			for (Map<String, Object> containedAttributes : (Map<String, @Nullable Object>[]) container.get("value")) {
 				addAttributesIfNotNull(result, containedAttributes);
 			}
 		}
 		return Collections.unmodifiableSet(result);
 	}
 
 	private static void addAttributesIfNotNull(Set<AnnotationAttributes> result,
-			@Nullable Map<String, Object> attributes) {
+			@Nullable Map<String, @Nullable Object> attributes) {
 		if (attributes != null) {
 			result.add(AnnotationAttributes.fromMap(attributes));
 		}

spring-vault-core/src/main/java/org/springframework/vault/annotation/package-info.java

@@ -1,6 +1,5 @@
 /**
  * Annotation support for the Spring Vault.
  */
-@org.springframework.lang.NonNullApi
-@org.springframework.lang.NonNullFields
+@org.jspecify.annotations.NullMarked
 package org.springframework.vault.annotation;

spring-vault-core/src/main/java/org/springframework/vault/aot/VaultRuntimeHints.java

@@ -18,6 +18,8 @@
 import java.io.IOException;
 import java.util.stream.Stream;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.aot.hint.MemberCategory;
 import org.springframework.aot.hint.ReflectionHints;
 import org.springframework.aot.hint.RuntimeHints;
@@ -41,7 +43,7 @@ class VaultRuntimeHints implements RuntimeHintsRegistrar {
 	private final CachingMetadataReaderFactory factory = new CachingMetadataReaderFactory();
 
 	@Override
-	public void registerHints(RuntimeHints hints, ClassLoader classLoader) {
+	public void registerHints(RuntimeHints hints, @Nullable ClassLoader classLoader) {
 
 		PathMatchingResourcePatternResolver resolver = new PathMatchingResourcePatternResolver(classLoader);
 

spring-vault-core/src/main/java/org/springframework/vault/aot/package-info.java

@@ -1,6 +1,5 @@
 /**
  * Ahead-of-Time support.
  */
-@org.springframework.lang.NonNullApi
-@org.springframework.lang.NonNullFields
+@org.jspecify.annotations.NullMarked
 package org.springframework.vault.aot;

spring-vault-core/src/main/java/org/springframework/vault/authentication/AppRoleAuthentication.java

@@ -20,12 +20,12 @@
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.jspecify.annotations.Nullable;
 
 import org.springframework.http.HttpEntity;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.ResponseEntity;
-import org.springframework.lang.Nullable;
 import org.springframework.util.Assert;
 import org.springframework.util.ClassUtils;
 import org.springframework.vault.authentication.AppRoleAuthenticationOptions.RoleId;
@@ -214,7 +214,7 @@ private String getRoleId(RoleId roleId) throws VaultLoginException {
 
 				ResponseEntity<VaultResponse> entity = this.restOperations.exchange(getRoleIdIdPath(this.options),
 						HttpMethod.GET, createHttpEntity(token), VaultResponse.class);
-				return (String) entity.getBody().getRequiredData().get("role_id");
+				return (String) ResponseUtil.getRequiredData(entity).get("role_id");
 			}
 			catch (HttpStatusCodeException e) {
 				throw new VaultLoginException("Cannot get Role id using AppRole: %s"
@@ -231,7 +231,7 @@ private String getRoleId(RoleId roleId) throws VaultLoginException {
 				ResponseEntity<VaultResponse> entity = this.restOperations.exchange(unwrappingEndpoints.getPath(),
 						unwrappingEndpoints.getUnwrapRequestMethod(), createHttpEntity(token), VaultResponse.class);
 
-				VaultResponse response = unwrappingEndpoints.unwrap(entity.getBody());
+				VaultResponse response = unwrappingEndpoints.unwrap(ResponseUtil.getRequiredBody(entity));
 
 				return (String) response.getRequiredData().get("role_id");
 			}
@@ -257,7 +257,7 @@ private String getSecretId(SecretId secretId) throws VaultLoginException {
 			try {
 				VaultResponse response = this.restOperations.postForObject(getSecretIdPath(this.options),
 						createHttpEntity(token), VaultResponse.class);
-				return (String) response.getRequiredData().get("secret_id");
+				return (String) ResponseUtil.getRequiredData(response).get("secret_id");
 			}
 			catch (HttpStatusCodeException e) {
 				throw new VaultLoginException("Cannot get Secret id using AppRole: %s"
@@ -275,7 +275,7 @@ private String getSecretId(SecretId secretId) throws VaultLoginException {
 				ResponseEntity<VaultResponse> entity = this.restOperations.exchange(unwrappingEndpoints.getPath(),
 						unwrappingEndpoints.getUnwrapRequestMethod(), createHttpEntity(token), VaultResponse.class);
 
-				VaultResponse response = unwrappingEndpoints.unwrap(entity.getBody());
+				VaultResponse response = unwrappingEndpoints.unwrap(ResponseUtil.getRequiredBody(entity));
 
 				return (String) response.getRequiredData().get("secret_id");
 			}