Mark as thread safe

.settings/org.eclipse.jdt.core.prefs

@@ -1,19 +1,111 @@
 eclipse.preferences.version=1
+org.eclipse.jdt.core.builder.annotationPath.allLocations=disabled
+org.eclipse.jdt.core.compiler.annotation.inheritNullAnnotations=disabled
 org.eclipse.jdt.core.compiler.annotation.missingNonNullByDefaultAnnotation=ignore
 org.eclipse.jdt.core.compiler.annotation.nonnull=javax.annotation.Nonnull
+org.eclipse.jdt.core.compiler.annotation.nonnull.secondary=
 org.eclipse.jdt.core.compiler.annotation.nonnullbydefault=javax.annotation.ParametersAreNonnullByDefault
+org.eclipse.jdt.core.compiler.annotation.nonnullbydefault.secondary=
 org.eclipse.jdt.core.compiler.annotation.nullable=javax.annotation.Nullable
+org.eclipse.jdt.core.compiler.annotation.nullable.secondary=
 org.eclipse.jdt.core.compiler.annotation.nullanalysis=enabled
 org.eclipse.jdt.core.compiler.codegen.targetPlatform=11
 org.eclipse.jdt.core.compiler.compliance=11
+org.eclipse.jdt.core.compiler.problem.APILeak=warning
+org.eclipse.jdt.core.compiler.problem.annotatedTypeArgumentToUnannotated=warning
+org.eclipse.jdt.core.compiler.problem.annotationSuperInterface=warning
+org.eclipse.jdt.core.compiler.problem.autoboxing=warning
+org.eclipse.jdt.core.compiler.problem.comparingIdentical=warning
+org.eclipse.jdt.core.compiler.problem.deadCode=warning
+org.eclipse.jdt.core.compiler.problem.deprecation=warning
+org.eclipse.jdt.core.compiler.problem.deprecationInDeprecatedCode=disabled
+org.eclipse.jdt.core.compiler.problem.deprecationWhenOverridingDeprecatedMethod=disabled
+org.eclipse.jdt.core.compiler.problem.discouragedReference=warning
+org.eclipse.jdt.core.compiler.problem.emptyStatement=warning
 org.eclipse.jdt.core.compiler.problem.enablePreviewFeatures=disabled
+org.eclipse.jdt.core.compiler.problem.explicitlyClosedAutoCloseable=warning
+org.eclipse.jdt.core.compiler.problem.fallthroughCase=warning
+org.eclipse.jdt.core.compiler.problem.fatalOptionalError=disabled
+org.eclipse.jdt.core.compiler.problem.fieldHiding=warning
+org.eclipse.jdt.core.compiler.problem.finalParameterBound=warning
+org.eclipse.jdt.core.compiler.problem.finallyBlockNotCompletingNormally=warning
 org.eclipse.jdt.core.compiler.problem.forbiddenReference=warning
+org.eclipse.jdt.core.compiler.problem.hiddenCatchBlock=warning
+org.eclipse.jdt.core.compiler.problem.includeNullInfoFromAsserts=enabled
+org.eclipse.jdt.core.compiler.problem.incompatibleNonInheritedInterfaceMethod=warning
+org.eclipse.jdt.core.compiler.problem.incompleteEnumSwitch=warning
+org.eclipse.jdt.core.compiler.problem.indirectStaticAccess=warning
+org.eclipse.jdt.core.compiler.problem.localVariableHiding=warning
+org.eclipse.jdt.core.compiler.problem.methodWithConstructorName=warning
+org.eclipse.jdt.core.compiler.problem.missingDefaultCase=warning
+org.eclipse.jdt.core.compiler.problem.missingDeprecatedAnnotation=warning
+org.eclipse.jdt.core.compiler.problem.missingEnumCaseDespiteDefault=disabled
+org.eclipse.jdt.core.compiler.problem.missingHashCodeMethod=warning
+org.eclipse.jdt.core.compiler.problem.missingOverrideAnnotation=ignore
+org.eclipse.jdt.core.compiler.problem.missingOverrideAnnotationForInterfaceMethodImplementation=enabled
+org.eclipse.jdt.core.compiler.problem.missingSerialVersion=warning
+org.eclipse.jdt.core.compiler.problem.missingSynchronizedOnInheritedMethod=warning
+org.eclipse.jdt.core.compiler.problem.noEffectAssignment=warning
+org.eclipse.jdt.core.compiler.problem.noImplicitStringConversion=warning
+org.eclipse.jdt.core.compiler.problem.nonExternalizedStringLiteral=ignore
+org.eclipse.jdt.core.compiler.problem.nonnullParameterAnnotationDropped=warning
+org.eclipse.jdt.core.compiler.problem.nonnullTypeVariableFromLegacyInvocation=warning
 org.eclipse.jdt.core.compiler.problem.nullAnnotationInferenceConflict=warning
 org.eclipse.jdt.core.compiler.problem.nullReference=warning
 org.eclipse.jdt.core.compiler.problem.nullSpecViolation=warning
+org.eclipse.jdt.core.compiler.problem.nullUncheckedConversion=warning
+org.eclipse.jdt.core.compiler.problem.overridingPackageDefaultMethod=warning
+org.eclipse.jdt.core.compiler.problem.parameterAssignment=ignore
+org.eclipse.jdt.core.compiler.problem.pessimisticNullAnalysisForFreeTypeVariables=warning
+org.eclipse.jdt.core.compiler.problem.possibleAccidentalBooleanAssignment=warning
 org.eclipse.jdt.core.compiler.problem.potentialNullReference=warning
+org.eclipse.jdt.core.compiler.problem.potentiallyUnclosedCloseable=warning
+org.eclipse.jdt.core.compiler.problem.rawTypeReference=warning
+org.eclipse.jdt.core.compiler.problem.redundantNullAnnotation=warning
+org.eclipse.jdt.core.compiler.problem.redundantNullCheck=warning
+org.eclipse.jdt.core.compiler.problem.redundantSpecificationOfTypeArguments=warning
+org.eclipse.jdt.core.compiler.problem.redundantSuperinterface=ignore
+org.eclipse.jdt.core.compiler.problem.reportMethodCanBePotentiallyStatic=ignore
+org.eclipse.jdt.core.compiler.problem.reportMethodCanBeStatic=warning
 org.eclipse.jdt.core.compiler.problem.reportPreviewFeatures=ignore
+org.eclipse.jdt.core.compiler.problem.specialParameterHidingField=disabled
+org.eclipse.jdt.core.compiler.problem.staticAccessReceiver=warning
+org.eclipse.jdt.core.compiler.problem.suppressOptionalErrors=disabled
+org.eclipse.jdt.core.compiler.problem.suppressWarnings=enabled
+org.eclipse.jdt.core.compiler.problem.suppressWarningsNotFullyAnalysed=warning
 org.eclipse.jdt.core.compiler.problem.syntacticNullAnalysisForFields=enabled
+org.eclipse.jdt.core.compiler.problem.syntheticAccessEmulation=warning
+org.eclipse.jdt.core.compiler.problem.terminalDeprecation=warning
+org.eclipse.jdt.core.compiler.problem.typeParameterHiding=warning
+org.eclipse.jdt.core.compiler.problem.unavoidableGenericTypeProblems=disabled
+org.eclipse.jdt.core.compiler.problem.uncheckedTypeOperation=ignore
+org.eclipse.jdt.core.compiler.problem.unclosedCloseable=warning
+org.eclipse.jdt.core.compiler.problem.undocumentedEmptyBlock=warning
+org.eclipse.jdt.core.compiler.problem.unhandledWarningToken=warning
+org.eclipse.jdt.core.compiler.problem.unlikelyCollectionMethodArgumentType=warning
+org.eclipse.jdt.core.compiler.problem.unlikelyCollectionMethodArgumentTypeStrict=enabled
+org.eclipse.jdt.core.compiler.problem.unlikelyEqualsArgumentType=warning
+org.eclipse.jdt.core.compiler.problem.unnecessaryElse=warning
+org.eclipse.jdt.core.compiler.problem.unnecessaryTypeCheck=warning
+org.eclipse.jdt.core.compiler.problem.unqualifiedFieldAccess=ignore
+org.eclipse.jdt.core.compiler.problem.unstableAutoModuleName=warning
+org.eclipse.jdt.core.compiler.problem.unusedDeclaredThrownException=warning
+org.eclipse.jdt.core.compiler.problem.unusedDeclaredThrownExceptionExemptExceptionAndThrowable=enabled
+org.eclipse.jdt.core.compiler.problem.unusedDeclaredThrownExceptionIncludeDocCommentReference=enabled
+org.eclipse.jdt.core.compiler.problem.unusedDeclaredThrownExceptionWhenOverriding=disabled
+org.eclipse.jdt.core.compiler.problem.unusedExceptionParameter=warning
+org.eclipse.jdt.core.compiler.problem.unusedImport=warning
+org.eclipse.jdt.core.compiler.problem.unusedLabel=warning
+org.eclipse.jdt.core.compiler.problem.unusedLocal=warning
+org.eclipse.jdt.core.compiler.problem.unusedObjectAllocation=warning
+org.eclipse.jdt.core.compiler.problem.unusedParameter=ignore
+org.eclipse.jdt.core.compiler.problem.unusedParameterIncludeDocCommentReference=enabled
+org.eclipse.jdt.core.compiler.problem.unusedParameterWhenImplementingAbstract=disabled
+org.eclipse.jdt.core.compiler.problem.unusedParameterWhenOverridingConcrete=disabled
+org.eclipse.jdt.core.compiler.problem.unusedPrivateMember=warning
+org.eclipse.jdt.core.compiler.problem.unusedTypeParameter=warning
+org.eclipse.jdt.core.compiler.problem.unusedWarningToken=warning
+org.eclipse.jdt.core.compiler.problem.varargsArgumentNeedCast=warning
 org.eclipse.jdt.core.compiler.processAnnotations=enabled
 org.eclipse.jdt.core.compiler.release=disabled
 org.eclipse.jdt.core.compiler.source=11
@@ -57,6 +149,7 @@ org.eclipse.jdt.core.formatter.alignment_for_multiplicative_operator=16
 org.eclipse.jdt.core.formatter.alignment_for_parameterized_type_references=0
 org.eclipse.jdt.core.formatter.alignment_for_parameters_in_constructor_declaration=16
 org.eclipse.jdt.core.formatter.alignment_for_parameters_in_method_declaration=16
+org.eclipse.jdt.core.formatter.alignment_for_permitted_types_in_type_declaration=16
 org.eclipse.jdt.core.formatter.alignment_for_record_components=16
 org.eclipse.jdt.core.formatter.alignment_for_relational_operator=0
 org.eclipse.jdt.core.formatter.alignment_for_resources_in_try=80
@@ -119,6 +212,7 @@ org.eclipse.jdt.core.formatter.comment.indent_tag_description=false
 org.eclipse.jdt.core.formatter.comment.insert_new_line_before_root_tags=insert
 org.eclipse.jdt.core.formatter.comment.insert_new_line_between_different_tags=do not insert
 org.eclipse.jdt.core.formatter.comment.insert_new_line_for_parameter=insert
+org.eclipse.jdt.core.formatter.comment.javadoc_do_not_separate_block_tags=false
 org.eclipse.jdt.core.formatter.comment.line_length=80
 org.eclipse.jdt.core.formatter.comment.new_lines_at_block_boundaries=true
 org.eclipse.jdt.core.formatter.comment.new_lines_at_javadoc_boundaries=true

.settings/org.eclipse.jdt.ui.prefs

@@ -1,7 +1,7 @@
 eclipse.preferences.version=1
 editor_save_participant_org.eclipse.jdt.ui.postsavelistener.cleanup=true
 formatter_profile=_itsallcode style
-formatter_settings_version=22
+formatter_settings_version=23
 org.eclipse.jdt.ui.ignorelowercasenames=true
 org.eclipse.jdt.ui.importorder=java;javax;org;com;
 org.eclipse.jdt.ui.ondemandthreshold=3
@@ -17,6 +17,7 @@ sp_cleanup.add_missing_nls_tags=false
 sp_cleanup.add_missing_override_annotations=true
 sp_cleanup.add_missing_override_annotations_interface_methods=true
 sp_cleanup.add_serial_version_id=false
+sp_cleanup.also_simplify_lambda=false
 sp_cleanup.always_use_blocks=true
 sp_cleanup.always_use_parentheses_in_expressions=false
 sp_cleanup.always_use_this_for_non_static_field_access=false
@@ -106,6 +107,7 @@ sp_cleanup.remove_unused_private_fields=true
 sp_cleanup.remove_unused_private_members=false
 sp_cleanup.remove_unused_private_methods=true
 sp_cleanup.remove_unused_private_types=true
+sp_cleanup.replace_deprecated_calls=false
 sp_cleanup.return_expression=false
 sp_cleanup.simplify_lambda_expression_and_method_ref=false
 sp_cleanup.single_used_field=false
@@ -117,6 +119,7 @@ sp_cleanup.strictly_equal_or_different=false
 sp_cleanup.stringbuffer_to_stringbuilder=false
 sp_cleanup.stringbuilder=false
 sp_cleanup.stringbuilder_for_local_vars=false
+sp_cleanup.stringconcat_stringbuffer_stringbuilder=false
 sp_cleanup.stringconcat_to_textblock=false
 sp_cleanup.substring=false
 sp_cleanup.switch=false

CHANGELOG.md

@@ -6,6 +6,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+- [PR #57](https://github.com/itsallcode/openfasttrace-maven-plugin/pull/57) Mark plugin as thread safe
+  - This suppresses a warning when running the Maven build in parallel with `-T 1C`
+  - This suppresses warnings about vulnerabilities in `provided` dependency `com.google.guava:guava:jar:25.1-android` via `org.apache.maven:maven-core`:
+    - CVE-2023-2976 CWE-552: Files or Directories Accessible to External Parties (7.1)
+    - CVE-2020-8908 CWE-379: Creation of Temporary File in Directory with Incorrect Permissions (3.3)
+  - This also updates test dependencies and fixes the following vulnerabilities:
+    - `commons-io:commons-io:jar:2.2`
+      - CVE-2021-29425 CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (5.3)
+    - `org.codehaus.plexus:plexus-archiver:jar:2.2`
+      - CVE-2012-2098 CWE-310 (5.0)
+      - CVE-2023-37460 CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (9.8)
+
 ## [1.6.2] - 2023-03-12
 
 - [PR #49](https://github.com/itsallcode/openfasttrace-maven-plugin/pull/49) Upgrade OpenFastTrace

pom.xml

@@ -18,7 +18,7 @@
         <oft.version>3.7.1</oft.version>
         <maven.core.version>3.8.7</maven.core.version>
         <skipSigningArtifacts>true</skipSigningArtifacts>
-        <junit.version>5.10.1</junit.version>
+        <junit.version>5.10.2</junit.version>
         <jacoco.version>0.8.11</jacoco.version>
         <sonar.organization>itsallcode</sonar.organization>
         <sonar.host.url>https://sonarcloud.io</sonar.host.url>
@@ -118,6 +118,27 @@
             <version>3.3.0</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <!-- Fix CVE-2021-29425 in transitive dependency of maven-plugin-testing-harness -->
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+            <version>2.15.1</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <!-- Fix CVE-2012-2098 and CVE-2023-37460 in dependency of maven-plugin-testing-harness -->
+            <groupId>org.codehaus.plexus</groupId>
+            <artifactId>plexus-archiver</artifactId>
+            <version>4.9.1</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <!-- Fix CVE-2024-25710 and CVE-2024-26308 in dependency of plexus-archiver -->
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-compress</artifactId>
+            <version>1.26.0</version>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.apache.maven</groupId>
             <artifactId>maven-compat</artifactId>
@@ -139,7 +160,7 @@
         <dependency>
             <groupId>org.assertj</groupId>
             <artifactId>assertj-core</artifactId>
-            <version>3.25.1</version>
+            <version>3.25.3</version>
             <scope>test</scope>
         </dependency>
         <dependency>
@@ -171,6 +192,7 @@
                 <version>3.1.0</version>
                 <executions>
                     <execution>
+                        <?m2e ignore?>
                         <goals>
                             <goal>toolchain</goal>
                         </goals>
@@ -226,6 +248,11 @@
                 <configuration>
                     <source>${java.version}</source>
                     <target>${java.version}</target>
+                    <compilerArgs>
+                        <!-- Ignore warnings about annotations -->
+                        <arg>-Xlint:all,-processing</arg>
+                        <arg>-Werror</arg>
+                    </compilerArgs>
                 </configuration>
             </plugin>
             <plugin>
@@ -416,6 +443,41 @@
                     <autoReleaseAfterClose>true</autoReleaseAfterClose>
                 </configuration>
             </plugin>
+            <plugin>
+                <groupId>org.sonatype.ossindex.maven</groupId>
+                <artifactId>ossindex-maven-plugin</artifactId>
+                <version>3.2.0</version>
+                <executions>
+                    <execution>
+                        <id>audit</id>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>audit</goal>
+                        </goals>
+                    </execution>
+                </executions>
+                <configuration>
+                    <excludeVulnerabilityIds>
+                        <!-- com.google.guava:guava:jar:25.1-android has scope provided -->
+                        <exclude>CVE-2023-2976</exclude>
+                        <exclude>CVE-2020-8908</exclude>
+                    </excludeVulnerabilityIds>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>io.github.zlika</groupId>
+                <artifactId>reproducible-build-maven-plugin</artifactId>
+                <version>0.16</version>
+                <executions>
+                    <execution>
+                        <id>strip-jar</id>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>strip-jar</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
         </plugins>
     </build>
-</project>
+</project>

src/main/java/org/itsallcode/openfasttrace/maven/TraceMojo.java

@@ -22,7 +22,7 @@
 /**
  * Trace requirements using OpenFastTrace
  */
-@Mojo(name = "trace", defaultPhase = LifecyclePhase.VERIFY)
+@Mojo(name = "trace", defaultPhase = LifecyclePhase.VERIFY, threadSafe = true)
 public class TraceMojo extends AbstractMojo
 {
     /**
@@ -46,7 +46,7 @@ public class TraceMojo extends AbstractMojo
      * <p>
      * Default: <code>html</code>
      */
-    @Parameter(defaultValue = "html", property = "reportOutputFormat", required = true)
+    @Parameter(property = "reportOutputFormat", defaultValue = "html", required = true)
     private String reportOutputFormat;
 
     /**
@@ -63,15 +63,15 @@ public class TraceMojo extends AbstractMojo
      * <p>
      * Default: <code>FAILURE_DETAILS</code>
      */
-    @Parameter(defaultValue = "FAILURE_DETAILS", property = "reportVerbosity", required = true)
+    @Parameter(property = "reportVerbosity", defaultValue = "FAILURE_DETAILS", required = true)
     private ReportVerbosity reportVerbosity;
 
     /**
      * Show the origin in the tracing report.
      * <p>
      * Default: <code>false</code>
      */
-    @Parameter(defaultValue = "false", property = "reportShowOrigin", required = true)
+    @Parameter(property = "reportShowOrigin", defaultValue = "false", required = true)
     private boolean reportShowOrigin;
 
     @Parameter(defaultValue = "${project}", readonly = true)
@@ -115,7 +115,7 @@ public void execute() throws MojoFailureException
         }
     }
 
-    private void logTracingReport(final Oft oft, final Trace trace)
+    private static void logTracingReport(final Oft oft, final Trace trace)
     {
         final ReportSettings reportSettings = ReportSettings.builder()
                 .outputFormat("plain")
@@ -137,7 +137,7 @@ private void writeTracingReport(final Oft oft, final Trace trace)
         oft.reportToPath(trace, outputPath, reportSettings);
     }
 
-    private String formatSettings(final ReportSettings reportSettings)
+    private static String formatSettings(final ReportSettings reportSettings)
     {
         return "[output format: " + reportSettings.getOutputFormat()
                 + ", verbosity: " + reportSettings.getReportVerbosity()
@@ -154,7 +154,7 @@ private Path getOutputPath()
         return outputPath;
     }
 
-    private void createDir(final Path path)
+    private static void createDir(final Path path)
     {
         if (path.toFile().exists())
         {
@@ -207,14 +207,14 @@ private MavenProject readProject(final Path pomFile)
         }
     }
 
-    private List<Path> getSourcePathOfProject(final MavenProject project)
+    private List<Path> getSourcePathOfProject(final MavenProject mavenProject)
     {
-        final Stream<Path> sourcePathsOfSubModules = project.getModules().stream()
+        final Stream<Path> sourcePathsOfSubModules = mavenProject.getModules().stream()
                 .map(moduleName -> readProject(getPomOfSubModule(moduleName)))
                 .flatMap(eachProject -> this.getSourcePathOfProject(eachProject).stream());
         final Stream<Path> thisProjectsSourcePaths = Stream
-                .concat(project.getCompileSourceRoots().stream(),
-                        project.getTestCompileSourceRoots().stream())
+                .concat(mavenProject.getCompileSourceRoots().stream(),
+                        mavenProject.getTestCompileSourceRoots().stream())
                 .map(Paths::get);
         return Stream.concat(sourcePathsOfSubModules, thisProjectsSourcePaths).collect(Collectors.toList());
     }