FindBugs bug cleanup

core/pom.xml

@@ -510,6 +510,13 @@ THE SOFTWARE.
       <version>1.0</version>
     </dependency>
 
+    <dependency>
+      <groupId>findbugs</groupId>
+      <artifactId>annotations</artifactId>
+      <version>1.0.0</version>
+      <scope>provided</scope>
+    </dependency>
+
     <!-- offline profiler API to put in the classpath if we need it -->
     <!--dependency>
       <groupId>com.yourkit.api</groupId>
@@ -751,7 +758,7 @@ THE SOFTWARE.
       </build>
     </profile>
     <profile>
-      <!-- run FindBugs for better error detection -->
+      <!-- run FindBugs for better error detection. run as "mvn -Pfindbugs install site" -->
       <id>findbugs</id>
       <reporting>
         <plugins>
@@ -761,8 +768,7 @@ THE SOFTWARE.
             <version>2.3.2</version>
             <configuration>
               <effort>Max</effort>
-              <threshold>Normal</threshold>
-              <onlyAnalyze>hudson.-</onlyAnalyze>
+              <threshold>High</threshold>
               <excludeFilterFile>src/findbugs-filter.xml</excludeFilterFile>
             </configuration>
           </plugin>

core/src/findbugs-filter.xml

-<!--
-The MIT License
-
-Copyright (c) 2004-2009, Sun Microsystems, Inc., Kohsuke Kawaguchi
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
--->
-
 <FindBugsFilter>
   <Match>
-    <!-- elimination of certain bug patterns by policy -->
-    <Or>
-      <!-- It's hard to imagine a scenario where Hudson is granted higher privilege but called by a lower privileged client. -->
-      <Bug pattern="DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED" />
-
-      <!-- exposing internal data structure via array is considered OK in Hudson. Hudson really doesn't try to defend against the malicious code -->
-      <Bug pattern="EI_EXPOSE_REP" />
-      <Bug pattern="EI_EXPOSE_REP2" />
-
-      <!-- FindBugs detect false positives. -->
-      <Bug pattern="SBSC_USE_STRINGBUFFER_CONCATENATION" />
-
-      <!-- Hudson defines mutable static field throughout the code so that debug features can be selectively made on and off at runtime -->
-      <Bug pattern="MS_SHOULD_BE_FINAL" />
-      <Bug pattern="MS_CANNOT_BE_FINAL" />
-
-      <!-- Hudson depends on singletons in many places. I actually think this is bad, but we can't fix this in one day. -->
-      <Bug pattern="ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD" />
-    </Or>
-  </Match>
-
-  <Match>
-    <!-- generated class -->
     <Or>
-      <Class name="hudson.scheduler.CrontabParser" />
-      <Class name="hudson.scheduler.CrontabLexer" />
+      <!-- Used for backward compatibility and extending utility classes -->
+      <Bug pattern="NM_SAME_SIMPLE_NAME_AS_SUPERCLASS"/>
+      <!-- Various debug probes have non final static fields -->
+      <Bug pattern="MS_SHOULD_BE_FINAL"/>
+      <!-- Groovy generates this -->
+      <Bug pattern="UMAC_UNCALLABLE_METHOD_OF_ANONYMOUS_CLASS"/>
     </Or>
   </Match>
 
+  <!-- exclude medium and low priorities -->
   <Match>
-    <!-- fields left for backward compatibility -->
-    <Or>
-      <Class name="hudson.model.FingerprintMap" />
-      <Class name="hudson.scm.CVSSCM$DescriptorImpl" />
-      <Class name="hudson.scm.CVSSCM$DescriptorImpl$RepositoryBrowser" />
-      <Class name="hudson.tasks.Mailer" />
-    </Or>
-    <Or>
-      <Bug pattern="UUF_UNUSED_FIELD" />
-      <Bug pattern="URF_UNREAD_FIELD" />
-    </Or>
+    <Priority value="2"/>
   </Match>
-
   <Match>
-    <!-- this class is not serialized -->
-    <Or>
-      <Class name="hudson.maven.MavenProbeAction" />
-      <Class name="hudson.maven.SplittableBuildListener" />
-      <Class name="hudson.maven.MavenBuild$ProxyImpl" />
-      <Class name="hudson.maven.MavenBuild$ProxyImpl2" />
-      <Class name="hudson.maven.MavenProcessFactory$SocketHandler$AcceptorImpl" />
-      <Class name="hudson.util.StreamTaskListener" />
-      <Class name="hudson.model.StreamBuildListener" />
-      <Class name="hudson.security.ContainerAuthentication" />
-      <Class name="hudson.scm.SubversionSCM$DescriptorImpl$RemotableSVNAuthenticationProviderImpl" />
-    </Or>
-    <Or>
-      <Bug code="SE_NO_SERIALVERSIONID" />
-      <Bug code="Se" />
-    </Or>
+    <Priority value="3"/>
   </Match>
-
-
-<!-- individual exclusions -->
-  <Match>
-    <!-- archiveReader.readLine() may never return null since it's the first invocation -->
-    <Class name="hudson.PluginWrapper"/>
-    <Bug pattern="NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE" />
-  </Match>
-
-  <Match>
-    <!-- PrintWriter doesn't carry any resource, so let it GC-ed is harmless. -->
-    <Class name="hudson.TcpSlaveAgentListener$ConnectionHandler" />
-    <Bug pattern="OS_OPEN_STREAM" />
-  </Match>
-
-  <Match>
-    <!-- FindBugs fail to take the writeObject method into account. -->
-    <Class name="hudson.maven.MavenProcessFactory$Connection" />
-    <Bug code="Se" />
-  </Match>
-
-  <Match>
-    <Class name="hudson.util.ProcessTreeKiller$Unix$UnixSystem" />
-    <Bug pattern="DMI_HARDCODED_ABSOLUTE_FILENAME" />
-  </Match>
-
-  <Match>
-    <!-- Can't change this for backward compatibility -->
-    <Or>
-      <Class name="hudson.scm.CVSSCM$DescriptorImpl$RepositoryBrowser" />
-      <Class name="hudson.tasks.BuildWrapper$Environment" />
-    </Or>
-    <Bug pattern="SIC_INNER_SHOULD_BE_STATIC" />
-  </Match>
-
-  <Match>
-    <Class name="hudson.org.apache.tools.ant..+" />
-  </Match>
-
-  <Match>
-    <!-- just a diagnostics method -->
-    <Class name="jenkins.model.Jenkins" />
-    <Bug pattern="DM_GC" />
-  </Match>
-
-  <Match>
-    <!-- TODO: this is actually bad but I can't think of how to fix this while preserving the order -->
-    <Class name="hudson.tasks.BuildStep" />
-    <Bug pattern="IC_SUPERCLASS_USES_SUBCLASS_DURING_INITIALIZATION" />
-  </Match>
-
-</FindBugsFilter>
\ No newline at end of file
+</FindBugsFilter>

core/src/main/java/hudson/WebAppMain.java

@@ -260,6 +260,7 @@ public final class WebAppMain implements ServletContextListener {
 	/**
      * Installs log handler to monitor all Hudson logs.
      */
+    @edu.umd.cs.findbugs.annotations.SuppressWarnings("LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE")
     private void installLogger() {
         Jenkins.logRecords = handler.getView();
         Logger.getLogger("hudson").addHandler(handler);

core/src/main/java/hudson/cli/CliManagerImpl.java

@@ -59,7 +59,7 @@ import static java.util.logging.Level.*;
  * @author Kohsuke Kawaguchi
  */
 public class CliManagerImpl implements CliEntryPoint, Serializable {
-    private final Channel channel;
+    private transient final Channel channel;
 
     public CliManagerImpl(Channel channel) {
         this.channel = channel;

core/src/main/java/hudson/logging/LogRecorderManager.java

@@ -112,6 +112,7 @@ public class LogRecorderManager extends AbstractModelObject {
     /**
      * Configure the logging level.
      */
+    @edu.umd.cs.findbugs.annotations.SuppressWarnings("LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE")
     public HttpResponse doConfigLogger(@QueryParameter String name, @QueryParameter String level) {
         Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
         Level lv;

core/src/main/java/hudson/model/AperiodicWork.java

@@ -74,7 +74,7 @@ public abstract class AperiodicWork extends SafeTimerTask implements ExtensionPo
      * By default it chooses the value randomly between 0 and {@link #getRecurrencePeriod()}
      */
     public long getInitialDelay() {
-        return Math.abs(new Random().nextLong())%getRecurrencePeriod();
+        return Math.abs(RANDOM.nextLong())%getRecurrencePeriod();
     }
 
     @Override
@@ -92,4 +92,5 @@ public abstract class AperiodicWork extends SafeTimerTask implements ExtensionPo
         return Jenkins.getInstance().getExtensionList(AperiodicWork.class);
     }
 
+    private static final Random RANDOM = new Random();
 }

core/src/main/java/hudson/model/FingerprintCleanupThread.java

@@ -45,11 +45,8 @@ import java.util.regex.Pattern;
 @Extension
 public final class FingerprintCleanupThread extends AsyncPeriodicWork {
 
-    private static FingerprintCleanupThread theInstance;
-
     public FingerprintCleanupThread() {
         super("Fingerprint cleanup");
-        theInstance = this;
     }
 
     public long getRecurrencePeriod() {
@@ -57,7 +54,11 @@ public final class FingerprintCleanupThread extends AsyncPeriodicWork {
     }
 
     public static void invoke() {
-        theInstance.run();
+        getInstance().run();
+    }
+
+    private static FingerprintCleanupThread getInstance() {
+        return Jenkins.getInstance().getExtensionList(AsyncPeriodicWork.class).get(FingerprintCleanupThread.class);
     }
 
     protected void execute(TaskListener listener) {

core/src/main/java/hudson/model/PeriodicWork.java

@@ -75,7 +75,7 @@ public abstract class PeriodicWork extends SafeTimerTask implements ExtensionPoi
      * By default it chooses the value randomly between 0 and {@link #getRecurrencePeriod()}
      */
     public long getInitialDelay() {
-        return Math.abs(new Random().nextLong())%getRecurrencePeriod();
+        return Math.abs(RANDOM.nextLong())%getRecurrencePeriod();
     }
 
     /**
@@ -89,4 +89,6 @@ public abstract class PeriodicWork extends SafeTimerTask implements ExtensionPoi
     protected static final long MIN = 1000*60;
     protected static final long HOUR =60*MIN;
     protected static final long DAY = 24*HOUR;
+
+    private static final Random RANDOM = new Random();
 }

core/src/main/java/hudson/model/Slave.java

@@ -336,7 +336,7 @@ public abstract class Slave extends Node implements Serializable {
     /**
      * Invoked by XStream when this object is read into memory.
      */
-    private Object readResolve() {
+    protected Object readResolve() {
         // convert the old format to the new one
         if (launcher == null) {
             launcher = (agentCommand == null || agentCommand.trim().length() == 0)

core/src/main/java/hudson/model/WorkspaceCleanupThread.java

@@ -43,11 +43,8 @@ import java.util.logging.Logger;
  */
 @Extension
 public class WorkspaceCleanupThread extends AsyncPeriodicWork {
-    private static WorkspaceCleanupThread theInstance;
-
     public WorkspaceCleanupThread() {
         super("Workspace clean-up");
-        theInstance = this;
     }
 
     public long getRecurrencePeriod() {
@@ -55,7 +52,7 @@ public class WorkspaceCleanupThread extends AsyncPeriodicWork {
     }
 
     public static void invoke() {
-        theInstance.run();
+        Jenkins.getInstance().getExtensionList(AsyncPeriodicWork.class).get(WorkspaceCleanupThread.class).run();
     }
 
     // so that this can be easily accessed from sub-routine.

core/src/main/java/hudson/os/solaris/ZFSProvisioner.java

@@ -48,12 +48,10 @@ import org.jvnet.solaris.libzfs.ZFSFileSystem;
  * @author Kohsuke Kawaguchi
  */
 public class ZFSProvisioner extends FileSystemProvisioner implements Serializable {
-    private final LibZFS libzfs = new LibZFS();
-    private final Node node;
+    private static final LibZFS libzfs = new LibZFS();
     private final String rootDataset;
 
     public ZFSProvisioner(Node node) throws IOException, InterruptedException {
-        this.node = node;
         rootDataset = node.getRootPath().act(new FileCallable<String>() {
             public String invoke(File f, VirtualChannel channel) throws IOException {
                 ZFSFileSystem fs = libzfs.getFileSystemByMountPoint(f);

core/src/main/java/hudson/os/windows/ManagedWindowsServiceLauncher.java

@@ -351,7 +351,9 @@ public class ManagedWindowsServiceLauncher extends ComputerLauncher {
         }
     }
 
+    private static final Logger JINTEROP_LOGGER = Logger.getLogger("org.jinterop");
+
     static {
-        Logger.getLogger("org.jinterop").setLevel(Level.WARNING);
+        JINTEROP_LOGGER.setLevel(Level.WARNING);
     }
 }

core/src/main/java/hudson/security/NotSerilizableSecurityContext.java

@@ -31,7 +31,7 @@ import javax.servlet.http.HttpSession;
  * in Hudson.
  *
  * <p>
- * Hudson doesn't work with a clustering anyway, and so it's better to just not persist
+ * Jenkins doesn't work with a clustering anyway, and so it's better to just not persist
  * Authentication at all.
  *
  * See http://www.nabble.com/ActiveDirectory-Plugin%3A-ClassNotFoundException-while-loading--persisted-sessions%3A-td22085140.html
@@ -45,8 +45,8 @@ public class NotSerilizableSecurityContext implements SecurityContext {
 
     @Override
     public boolean equals(Object obj) {
-        if (obj instanceof SecurityContextImpl) {
-            SecurityContextImpl test = (SecurityContextImpl) obj;
+        if (obj instanceof SecurityContext) {
+            SecurityContext test = (SecurityContext) obj;
 
             if ((this.getAuthentication() == null) && (test.getAuthentication() == null)) {
                 return true;

core/src/main/java/hudson/slaves/SlaveComputer.java

@@ -575,12 +575,11 @@ public class SlaveComputer extends Computer {
             // avoid double installation of the handler. JNLP slaves can reconnect to the master multiple times
             // and each connection gets a different RemoteClassLoader, so we need to evict them by class name,
             // not by their identity.
-            Logger logger = Logger.getLogger("hudson");
-            for (Handler h : logger.getHandlers()) {
+            for (Handler h : LOGGER.getHandlers()) {
                 if (h.getClass().getName().equals(SLAVE_LOG_HANDLER.getClass().getName()))
-                    logger.removeHandler(h);
+                    LOGGER.removeHandler(h);
             }
-            logger.addHandler(SLAVE_LOG_HANDLER);
+            LOGGER.addHandler(SLAVE_LOG_HANDLER);
 
             // remove Sun PKCS11 provider if present. See http://wiki.jenkins-ci.org/display/JENKINS/Solaris+Issue+6276483
             try {
@@ -594,6 +593,7 @@ public class SlaveComputer extends Computer {
             return null;
         }
         private static final long serialVersionUID = 1L;
+        private static final Logger LOGGER = Logger.getLogger("hudson");
     }
 
     /**

core/src/main/java/hudson/tasks/junit/JUnitResultArchiver.java

@@ -68,8 +68,7 @@ import java.util.List;
  * 
  * @author Kohsuke Kawaguchi
  */
-public class JUnitResultArchiver extends Recorder implements Serializable,
-		MatrixAggregatable {
+public class JUnitResultArchiver extends Recorder implements MatrixAggregatable {
 
     /**
      * {@link FileSet} "includes" string, like "foo/bar/*.xml"

core/src/main/java/hudson/tools/ToolInstallation.java

@@ -153,7 +153,7 @@ public abstract class ToolInstallation extends AbstractDescribableImpl<ToolInsta
     /**
      * Invoked by XStream when this object is read into memory.
      */
-    private Object readResolve() {
+    protected Object readResolve() {
         if(properties==null)
             properties = new DescribableList<ToolProperty<?>,ToolPropertyDescriptor>(Saveable.NOOP);
         for (ToolProperty<?> p : properties)

core/src/main/java/hudson/util/ArgumentListBuilder.java

@@ -43,7 +43,7 @@ import java.util.Set;
  *
  * @author Kohsuke Kawaguchi
  */
-public class ArgumentListBuilder implements Serializable {
+public class ArgumentListBuilder implements Serializable, Cloneable {
     private final List<String> args = new ArrayList<String>();
     /**
      * Bit mask indicating arguments that shouldn't be echoed-back (e.g., password)

core/src/main/java/hudson/util/PluginServletFilter.java

@@ -58,6 +58,7 @@ public class PluginServletFilter implements Filter, ExtensionPoint {
     public PluginServletFilter() {
     }
 
+    @edu.umd.cs.findbugs.annotations.SuppressWarnings("ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD")
     public void init(FilterConfig filterConfig) throws ServletException {
     	PluginServletFilter.filterConfig = filterConfig;
     	synchronized (LIST)  {

core/src/main/java/jenkins/model/Jenkins.java

@@ -666,6 +666,7 @@ public class Jenkins extends AbstractCIBase implements ModifiableItemGroup<TopLe
      * @param pluginManager
      *      If non-null, use existing plugin manager.  create a new one.
      */
+    @edu.umd.cs.findbugs.annotations.SuppressWarnings("SC_START_IN_CTOR") // bug in FindBugs. It flags UDPBroadcastThread.start() call but that's for another class
     protected Jenkins(File root, ServletContext context, PluginManager pluginManager) throws IOException, InterruptedException, ReactorException {
     	// As hudson is starting, grant this process full control
     	SecurityContextHolder.getContext().setAuthentication(ACL.SYSTEM);
@@ -2852,6 +2853,7 @@ public class Jenkins extends AbstractCIBase implements ModifiableItemGroup<TopLe
     /**
      * For debugging. Expose URL to perform GC.
      */
+    @edu.umd.cs.findbugs.annotations.SuppressWarnings("DM_GC")
     public void doGc(StaplerResponse rsp) throws IOException {
         checkPermission(Jenkins.ADMINISTER);
         System.gc();