Release

.config/pmd/java/ruleset.xml

@@ -194,4 +194,117 @@
 	</rule>
 
 	<rule ref="category/java/security.xml"/>
+
+	<rule name="AvoidSystemSetterCall"
+		language="java"
+		message="Setters of java.lang.System should not be called unless really needed"
+		class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
+		<description>
+			Calling setters of java.lang.System usually indicates bad design and likely causes unexpected behavior.
+			For example, it may break when multiple Threads are setting the value.
+			It may also overwrite user defined options or properties.
+
+			Try to pass the value only to the place where it's really needed and use it there accordingly.
+		</description>
+		<priority>3</priority>
+		<properties>
+			<property name="xpath">
+				<value>
+					<![CDATA[
+//MethodCall[starts-with(@MethodName,'set')]/TypeExpression[pmd-java:typeIsExactly('java.lang.System')]
+]]>
+				</value>
+			</property>
+		</properties>
+	</rule>
+
+	<rule name="AvoidPostConstruct"
+		language="java"
+		message="Avoid @PostConstruct"
+		class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
+		<description>
+			Using a `@PostConstruct` method is usually only done when field injection is used and initialization needs to be performed after that.
+
+			It's better to do this directly in the constructor with constructor injection, so that all logic will be encapsulated there.
+			This also makes using the bean in environments where JavaEE is not present - for example in tests - a lot easier, as forgetting to call the `@PostConstruct` method is no longer possible.
+		</description>
+		<priority>3</priority>
+		<properties>
+			<property name="xpath">
+				<value>
+					<![CDATA[
+//MethodDeclaration[pmd-java:hasAnnotation('jakarta.annotation.PostConstruct')]
+]]>
+				</value>
+			</property>
+		</properties>
+	</rule>
+
+	<rule name="AvoidPreDestroy"
+		language="java"
+		message="Avoid @PreDestroy"
+		class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
+		<description>
+			`@PreDestroy` should be replaced by implementing `AutoCloseable` and overwriting the `close` method instead.
+
+			This also makes using the bean in environments where JavaEE is not present - for example in tests - a lot easier, as forgetting to call the `@PreDestroy` method is no much more difficult.
+		</description>
+		<priority>3</priority>
+		<properties>
+			<property name="xpath">
+				<value>
+					<![CDATA[
+//MethodDeclaration[pmd-java:hasAnnotation('jakarta.annotation.PreDestroy')]
+]]>
+				</value>
+			</property>
+		</properties>
+	</rule>
+
+	<rule name="AvoidUnmanagedThreads"
+		language="java"
+		message="Avoid unmanaged threads"
+		class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
+		<description>
+			Trying to manually manage threads usually gets quickly out of control and may result in various problems like uncontrollable spawning of threads.
+			Threads can also not be cancelled properly.
+
+			Use managed Thread services like `ExecutorService` and `CompletableFuture` instead.
+		</description>
+		<priority>3</priority>
+		<properties>
+			<property name="xpath">
+				<value>
+					<![CDATA[
+//MethodCall[pmd-java:matchesSig('java.lang.Thread#start()') or pmd-java:matchesSig('java.lang.Thread#startVirtualThread(java.lang.Runnable)') or pmd-java:matchesSig('java.lang.Thread$Builder#start(java.lang.Runnable)')]
+]]>
+				</value>
+			</property>
+		</properties>
+	</rule>
+
+	<rule name="JavaObjectSerializationIsUnsafe"
+		language="java"
+		message="Using Java Object (De-)Serialization is unsafe and has led to too many security vulnerabilities"
+		class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
+		<description>
+			Nearly every known usage of (Java) Object Deserialization has resulted in [a security vulnerability](https://cloud.google.com/blog/topics/threat-intelligence/hunting-deserialization-exploits?hl=en).
+			Vulnerabilities are so common that there are [dedicated projects for exploit payload generation](https://github.com/frohoff/ysoserial).
+
+			Java Object Serialization may also fail to deserialize when the underlying classes are changed.
+
+			Use proven data interchange formats like JSON instead.
+		</description>
+		<priority>2</priority>
+		<properties>
+			<property name="xpath">
+				<value>
+					<![CDATA[
+//ClassDeclaration[@Interface = false()]/ClassBody/FieldDeclaration/VariableDeclarator/VariableId[@Name='serialVersionUID'] |
+//ConstructorCall/ClassType[pmd-java:typeIsExactly('java.io.ObjectInputStream') or pmd-java:typeIsExactly('java.io.ObjectOutputStream')]
+]]>
+				</value>
+			</property>
+		</properties>
+	</rule>
 </ruleset>

.github/workflows/broken-links.yml

@@ -13,13 +13,13 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 15
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - run: mv .github/.lycheeignore .lycheeignore
 
       - name: Link Checker
         id: lychee
-        uses: lycheeverse/lychee-action@5c4ee84814c983aa7164eaee476f014e53ff3963 # v2
+        uses: lycheeverse/lychee-action@885c65f3dc543b57c898c8099f4e08c8afd178a2 # v2
         with:
           fail: false # Don't fail on broken links, create an issue instead
 
@@ -29,7 +29,7 @@ jobs:
           echo "number=$(gh issue list -l 'bug' -l 'automated' -L 1 -S 'in:title \"Link Checker Report\"' -s 'open' --json 'number' --jq '.[].number')" >> $GITHUB_OUTPUT
         env:
           GH_TOKEN: ${{ github.token }}
-          
+
       - name: Close issue if everything is fine
         if: steps.lychee.outputs.exit_code == 0 && steps.find-issue.outputs.number != ''
         run: gh issue close -r 'not planned' ${{ steps.find-issue.outputs.number }}

.github/workflows/check-build.yml

@@ -23,25 +23,30 @@ jobs:
   build:
     runs-on: ubuntu-latest
     timeout-minutes: 30
-
     strategy:
       matrix:
         java: [17, 21]
         distribution: [temurin]
-
     steps:
-    - uses: actions/checkout@v4
-      
+    - uses: actions/checkout@v5
+
     - name: Set up JDK
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@v5
       with:
         distribution: ${{ matrix.distribution }}
         java-version: ${{ matrix.java }}
-        cache: 'maven'
-
+
+    - name: Cache Maven
+      uses: actions/cache@v4
+      with:
+        path: ~/.m2/repository
+        key: ${{ runner.os }}-mvn-build-${{ hashFiles('**/pom.xml') }}
+        restore-keys: |
+          ${{ runner.os }}-mvn-build-
+
     - name: Build with Maven
       run: ./mvnw -B clean package
-      
+
     - name: Check for uncommited changes
       run: |
         if [[ "$(git status --porcelain)" != "" ]]; then
@@ -64,21 +69,34 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event_name != 'pull_request' || !startsWith(github.head_ref, 'renovate/') }}
     timeout-minutes: 15
-
     strategy:
       matrix:
         java: [17]
         distribution: [temurin]
-
     steps:
-    - uses: actions/checkout@v4
-      
+    - uses: actions/checkout@v5
+
     - name: Set up JDK
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@v5
       with:
         distribution: ${{ matrix.distribution }}
         java-version: ${{ matrix.java }}
-        cache: 'maven'
+
+    - name: Cache Maven
+      uses: actions/cache@v4
+      with:
+        path: ~/.m2/repository
+        key: ${{ runner.os }}-mvn-checkstyle-${{ hashFiles('**/pom.xml') }}
+        restore-keys: |
+          ${{ runner.os }}-mvn-checkstyle-
+
+    - name: CheckStyle Cache
+      uses: actions/cache@v4
+      with:
+        path: '**/target/checkstyle-cachefile'
+        key: ${{ runner.os }}-checkstyle-${{ hashFiles('**/pom.xml') }}
+        restore-keys: |
+          ${{ runner.os }}-checkstyle-
 
     - name: Run Checkstyle
       run: ./mvnw -B checkstyle:check -P checkstyle -T2C
@@ -87,21 +105,34 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event_name != 'pull_request' || !startsWith(github.head_ref, 'renovate/') }}
     timeout-minutes: 15
-
     strategy:
       matrix:
         java: [17]
         distribution: [temurin]
-
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v5
 
     - name: Set up JDK
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@v5
       with:
         distribution: ${{ matrix.distribution }}
         java-version: ${{ matrix.java }}
-        cache: 'maven'
+
+    - name: Cache Maven
+      uses: actions/cache@v4
+      with:
+        path: ~/.m2/repository
+        key: ${{ runner.os }}-mvn-pmd-${{ hashFiles('**/pom.xml') }}
+        restore-keys: |
+          ${{ runner.os }}-mvn-pmd-
+
+    - name: PMD Cache
+      uses: actions/cache@v4
+      with:
+        path: '**/target/pmd/pmd.cache'
+        key: ${{ runner.os }}-pmd-${{ hashFiles('**/pom.xml') }}
+        restore-keys: |
+          ${{ runner.os }}-pmd-
 
     - name: Run PMD
       run: ./mvnw -B test pmd:aggregate-pmd-no-fork pmd:check -P pmd -DskipTests -T2C