Make the SDK build with java25 (#6718)

* Bump spotbugs version

* Add suppressions

* Skip spotbugs if using java 8

* Bump other dependency versions

* Add one more suppression

* Add one more suppression

* Exclude spotbug checks for s3-benchmarks

* Trying something

* Skip Java 17 because it's super slow

Author: zoewangg

build-tools/src/main/resources/software/amazon/awssdk/spotbugs-suppressions.xml

@@ -363,4 +363,164 @@
         <Class name="software.amazon.awssdk.utils.uri.SdkUri" />
         <Bug pattern="BC_UNCONFIRMED_CAST_OF_RETURN_VALUE" />
     </Match>
+
+    <!-- No plan to fix: These classes implement SLF4J SPI which requires specific method signatures. -->
+    <Match>
+        <Or>
+            <Class name="software.amazon.awssdk.thirdparty.org.slf4j.impl.StaticLoggerBinder"/>
+            <Class name="software.amazon.awssdk.thirdparty.org.slf4j.impl.StaticMarkerBinder"/>
+        </Or>
+        <Bug pattern="SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR"/>
+    </Match>
+
+    <!-- No plan to fix: Intentional exception handling patterns throughout the codebase. -->
+    <Match>
+        <Bug pattern="THROWS_METHOD_THROWS_RUNTIMEEXCEPTION,THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION"/>
+    </Match>
+
+    <!-- False positive: InputStream is not designed for concurrent access. The synchronized reset() is inherited behavior. -->
+    <Match>
+        <Class name="software.amazon.awssdk.http.auth.aws.internal.signer.chunkedencoding.ChunkedEncodedInputStream"/>
+        <Bug pattern="AT_STALE_THREAD_WRITE_OF_PRIMITIVE"/>
+    </Match>
+
+    <!-- No plan to fix: Test constructor is intentionally package-private. -->
+    <Match>
+        <Or>
+            <Class name="software.amazon.awssdk.http.apache.internal.conn.IdleConnectionReaper"/>
+            <Class name="software.amazon.awssdk.http.apache5.internal.conn.IdleConnectionReaper"/>
+            <Class name="software.amazon.awssdk.regions.util.HttpResourcesUtils"/>
+        </Or>
+        <Bug pattern="SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR"/>
+    </Match>
+
+    <!-- False positive: These classes have private constructors but use builder pattern. -->
+    <Match>
+        <Or>
+            <Class name="software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider"/>
+            <Class name="software.amazon.awssdk.auth.token.credentials.aws.DefaultAwsTokenProvider"/>
+        </Or>
+        <Bug pattern="SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR"/>
+    </Match>
+
+    <!-- No plan to fix: These are final classes, not vulnerable to finalizer attacks. -->
+    <Match>
+        <Or>
+            <Class name="software.amazon.awssdk.http.apache.internal.conn.SdkTlsSocketFactory"/>
+            <Class name="software.amazon.awssdk.http.apache.internal.impl.ApacheSdkHttpClient"/>
+            <Class name="software.amazon.awssdk.http.apache5.internal.conn.SdkTlsSocketFactory"/>
+            <Class name="software.amazon.awssdk.http.apache5.internal.impl.Apache5SdkHttpClient"/>
+            <Class name="software.amazon.awssdk.http.nio.netty.internal.utils.BetterFixedChannelPool"/>
+            <Class name="software.amazon.awssdk.http.crt.AwsCrtHttpClientBase"/>
+        </Or>
+        <Bug pattern="CT_CONSTRUCTOR_THROW"/>
+    </Match>
+
+    <!-- No plan to fix: Forked Netty reactive streams code with its own thread-safety model via Netty's EventLoop. -->
+    <Match>
+        <Or>
+            <Class name="software.amazon.awssdk.http.nio.netty.internal.nrs.HandlerPublisher"/>
+            <Class name="~software\.amazon\.awssdk\.http\.nio\.netty\.internal\.nrs\.HandlerSubscriber.*"/>
+        </Or>
+        <Bug pattern="AT_NONATOMIC_64BIT_PRIMITIVE,AT_NONATOMIC_OPERATIONS_ON_SHARED_VARIABLE"/>
+    </Match>
+
+    <!-- False positive: InputStream is not designed for concurrent access. -->
+    <Match>
+        <Class name="software.amazon.awssdk.core.internal.io.ChecksumValidatingInputStream"/>
+        <Bug pattern="AT_STALE_THREAD_WRITE_OF_PRIMITIVE"/>
+    </Match>
+
+    <!-- No plan to fix: Final class, not vulnerable to finalizer attacks. -->
+    <Match>
+        <Or>
+            <Class name="software.amazon.awssdk.core.io.ResettableInputStream"/>
+            <Class name="software.amazon.awssdk.core.internal.async.ChecksumCalculatingAsyncRequestBody"/>
+            <Class name="software.amazon.awssdk.core.internal.io.AwsChunkedEncodingInputStream"/>
+            <Class name="software.amazon.awssdk.protocols.jsoncore.JsonWriter"/>
+            <Class name="software.amazon.awssdk.codegen.lite.emitters.CodeWriter"/>
+            <Class name="software.amazon.awssdk.auth.signer.internal.chunkedencoding.AwsS3V4ChunkSigner"/>
+            <Class name="software.amazon.awssdk.enhanced.dynamodb.EnhancedType"/>
+            <Class name="software.amazon.awssdk.enhanced.dynamodb.internal.immutable.ImmutableIntrospector"/>
+            <Class name="software.amazon.awssdk.v2migration.ConstructorToFluent"/>
+        </Or>
+        <Bug pattern="CT_CONSTRUCTOR_THROW"/>
+    </Match>
+
+    <!-- No plan to fix: Floating point comparison is intentional in defaults processing. -->
+    <Match>
+        <Or>
+            <Class name="software.amazon.awssdk.codegen.lite.defaultsmode.DefaultsLoader"/>
+            <Class name="software.amazon.awssdk.protocols.rpcv2.internal.SdkRpcV2CborGenerator"/>
+        </Or>
+        <Bug pattern="FE_FLOATING_POINT_EQUALITY"/>
+    </Match>
+
+    <!-- No plan to fix: Async code with its own thread-safety model via reactive streams. -->
+    <Match>
+        <Or>
+            <Class name="~software\.amazon\.awssdk\.core\.internal\.async\.ByteArraySplittingTransformer.*"/>
+            <Class name="software.amazon.awssdk.core.internal.async.NonRetryableSubAsyncRequestBody"/>
+            <Class name="software.amazon.awssdk.core.internal.async.RetryableSubAsyncRequestBody"/>
+            <Class name="~software\.amazon\.awssdk\.core\.internal\.async\.SplittingPublisher.*"/>
+        </Or>
+        <Bug pattern="AT_STALE_THREAD_WRITE_OF_PRIMITIVE,AT_NONATOMIC_OPERATIONS_ON_SHARED_VARIABLE"/>
+    </Match>
+
+    <!-- False positive: Test utility class, thread safety not required. -->
+    <Match>
+        <Class name="software.amazon.awssdk.testutils.service.http.MockSyncHttpClient"/>
+        <Bug pattern="AT_STALE_THREAD_WRITE_OF_PRIMITIVE"/>
+    </Match>
+
+    <!-- No plan to fix: Serializable is required for compatibility but singleton pattern is intentional. -->
+    <Match>
+        <Or>
+            <Class name="software.amazon.awssdk.core.util.DefaultSdkAutoConstructList"/>
+            <Class name="software.amazon.awssdk.core.util.DefaultSdkAutoConstructMap"/>
+        </Or>
+        <Bug pattern="SING_SINGLETON_IMPLEMENTS_SERIALIZABLE"/>
+    </Match>
+
+    <!-- False positive: STORAGE field is used via ThreadLocal methods. -->
+    <Match>
+        <Class name="software.amazon.awssdk.utilslite.SdkInternalThreadLocal"/>
+        <Bug pattern="UUF_UNUSED_FIELD"/>
+    </Match>
+
+    <!-- No plan to fix: Final class, not vulnerable to finalizer attacks. -->
+    <Match>
+        <Or>
+            <Class name="software.amazon.awssdk.awscore.eventstream.EventStreamResponseHandlerFromBuilder"/>
+            <Class name="software.amazon.awssdk.protocols.json.SdkJsonGenerator"/>
+        </Or>
+        <Bug pattern="CT_CONSTRUCTOR_THROW"/>
+    </Match>
+
+    <!-- No plan to fix: Static method hiding is intentional for API design. -->
+    <Match>
+        <Or>
+            <Class name="software.amazon.awssdk.awscore.exception.AwsServiceException"/>
+            <Class name="software.amazon.awssdk.awscore.internal.client.config.AwsClientOptionValidation"/>
+        </Or>
+        <Bug pattern="HSM_HIDING_METHOD"/>
+    </Match>
+
+    <!-- No plan to fix: Codegen classes are build-time only, not vulnerable to finalizer attacks. -->
+    <Match>
+        <Package name="~software\.amazon\.awssdk\.codegen.*"/>
+        <Bug pattern="CT_CONSTRUCTOR_THROW,SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR"/>
+    </Match>
+
+    <!-- False positive: Fields are used but SpotBugs doesn't detect usage in inner class. -->
+    <Match>
+        <Package name="~software\.amazon\.awssdk\.http\.urlconnection.*"/>
+        <Bug pattern="UUF_UNUSED_FIELD,CT_CONSTRUCTOR_THROW,UPM_UNCALLED_PRIVATE_METHOD,BAD_TO_BUILDER"/>
+    </Match>
+
+    <!-- No plan to fix: Service loader class. -->
+    <Match>
+        <Class name="software.amazon.awssdk.http.urlconnection.UrlConnectionSdkHttpService"/>
+        <Bug pattern="CT_CONSTRUCTOR_THROW"/>
+    </Match>
 </FindBugsFilter>

core/http-auth-aws/src/main/java/software/amazon/awssdk/http/auth/aws/internal/scheme/DefaultAwsV4AuthScheme.java

@@ -30,6 +30,9 @@ public final class DefaultAwsV4AuthScheme implements AwsV4AuthScheme {
     private static final DefaultAwsV4AuthScheme DEFAULT = new DefaultAwsV4AuthScheme();
     private static final AwsV4HttpSigner DEFAULT_SIGNER = AwsV4HttpSigner.create();
 
+    private DefaultAwsV4AuthScheme() {
+    }
+
     /**
      * Returns an instance of the {@link DefaultAwsV4AuthScheme}.
      */

core/http-auth-aws/src/main/java/software/amazon/awssdk/http/auth/aws/internal/scheme/DefaultAwsV4aAuthScheme.java

@@ -29,6 +29,9 @@
 public final class DefaultAwsV4aAuthScheme implements AwsV4aAuthScheme {
     private static final DefaultAwsV4aAuthScheme DEFAULT = new DefaultAwsV4aAuthScheme();
 
+    private DefaultAwsV4aAuthScheme() {
+    }
+
     /**
      * Returns an instance of the {@link DefaultAwsV4aAuthScheme}.
      */

core/http-auth/src/main/java/software/amazon/awssdk/http/auth/internal/scheme/DefaultBearerAuthScheme.java

@@ -30,6 +30,9 @@ public final class DefaultBearerAuthScheme implements BearerAuthScheme {
     private static final DefaultBearerAuthScheme DEFAULT = new DefaultBearerAuthScheme();
     private static final BearerHttpSigner DEFAULT_SIGNER = BearerHttpSigner.create();
 
+    private DefaultBearerAuthScheme() {
+    }
+
     /**
      * Returns an instance of the {@link DefaultBearerAuthScheme}.
      */

core/http-auth/src/main/java/software/amazon/awssdk/http/auth/internal/scheme/DefaultNoAuthAuthScheme.java

@@ -43,6 +43,9 @@ public final class DefaultNoAuthAuthScheme implements NoAuthAuthScheme {
     private static final HttpSigner<AnonymousIdentity> DEFAULT_SIGNER = noAuthSigner();
     private static final AnonymousIdentity ANONYMOUS_IDENTITY = anonymousIdentity();
 
+    private DefaultNoAuthAuthScheme() {
+    }
+
     /**
      * Returns an instance of the {@link NoAuthAuthScheme}.
      */

pom.xml

@@ -125,7 +125,7 @@
         <unitils.version>3.4.6</unitils.version>
         <xmlunit.version>1.3</xmlunit.version>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <spotbugs.version>4.7.3.5</spotbugs.version>
+        <spotbugs.version>4.9.8.2</spotbugs.version>
         <javapoet.verion>1.13.0</javapoet.verion>
         <org.eclipse.jdt.version>3.10.0</org.eclipse.jdt.version>
         <org.eclipse.text.version>3.5.101</org.eclipse.text.version>
@@ -149,9 +149,9 @@
         <netty-open-ssl-version>2.0.74.Final</netty-open-ssl-version>
         <dynamodb-local.version>1.25.0</dynamodb-local.version>
         <sqllite.version>1.0.392</sqllite.version>
-        <blockhound.version>1.0.8.RELEASE</blockhound.version>
+        <blockhound.version>1.0.16.RELEASE</blockhound.version>
         <jetty.version>9.4.45.v20220203</jetty.version>
-        <bytebuddy.version>1.14.15</bytebuddy.version>
+        <bytebuddy.version>1.17.5</bytebuddy.version>
         <archunit.version>1.3.0</archunit.version>
         <json-schema-validator.version>1.5.4</json-schema-validator.version>
 
@@ -166,7 +166,7 @@
         <maven-dependency-plugin.version>3.1.1</maven-dependency-plugin.version>
         <maven-gpg-plugin.version>1.6</maven-gpg-plugin.version>
         <checkstyle.version>8.42</checkstyle.version>
-        <jacoco-maven-plugin.version>0.8.12</jacoco-maven-plugin.version>
+        <jacoco-maven-plugin.version>0.8.13</jacoco-maven-plugin.version>
         <central-publishing-maven-plugin.version>0.8.0</central-publishing-maven-plugin.version>
         <nexus-staging-maven-plugin.version>1.6.8</nexus-staging-maven-plugin.version>
         <exec-maven-plugin.version>1.6.0</exec-maven-plugin.version>
@@ -392,47 +392,6 @@
                         </execution>
                     </executions>
                 </plugin>
-                <plugin>
-                    <groupId>com.github.spotbugs</groupId>
-                    <artifactId>spotbugs-maven-plugin</artifactId>
-                    <version>${spotbugs.version}</version>
-                    <dependencies>
-                        <dependency>
-                            <groupId>software.amazon.awssdk</groupId>
-                            <artifactId>build-tools</artifactId>
-                            <version>1.0</version>
-                        </dependency>
-                        <dependency>
-                            <groupId>org.apache.ant</groupId>
-                            <artifactId>ant</artifactId>
-                            <version>${ant.version}</version>
-                        </dependency>
-                    </dependencies>
-                    <executions>
-                        <execution>
-                            <id>findbugs</id>
-                            <phase>process-classes</phase>
-                            <goals>
-                                <goal>check</goal>
-                            </goals>
-                        </execution>
-                    </executions>
-                    <configuration>
-                        <failOnError>true</failOnError>
-                        <fork>false</fork>
-                        <spotbugsXmlOutput>true</spotbugsXmlOutput>
-                        <excludeFilterFile>software/amazon/awssdk/spotbugs-suppressions.xml</excludeFilterFile>
-                        <threshold>Low</threshold>
-                        <effort>Max</effort>
-                        <plugins>
-                            <dependency>
-                                <groupId>software.amazon.awssdk</groupId>
-                                <artifactId>build-tools</artifactId>
-                                <version>1.0</version>
-                            </dependency>
-                        </plugins>
-                    </configuration>
-                </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-checkstyle-plugin</artifactId>
@@ -841,6 +800,52 @@
             <properties>
                 <maven.compiler.release>8</maven.compiler.release>
             </properties>
+            <build>
+                <pluginManagement>
+                    <plugins>
+                        <plugin>
+                            <groupId>com.github.spotbugs</groupId>
+                            <artifactId>spotbugs-maven-plugin</artifactId>
+                            <version>${spotbugs.version}</version>
+                            <dependencies>
+                                <dependency>
+                                    <groupId>software.amazon.awssdk</groupId>
+                                    <artifactId>build-tools</artifactId>
+                                    <version>1.0</version>
+                                </dependency>
+                                <dependency>
+                                    <groupId>org.apache.ant</groupId>
+                                    <artifactId>ant</artifactId>
+                                    <version>${ant.version}</version>
+                                </dependency>
+                            </dependencies>
+                            <executions>
+                                <execution>
+                                    <id>findbugs</id>
+                                    <phase>process-classes</phase>
+                                    <goals>
+                                        <goal>check</goal>
+                                    </goals>
+                                </execution>
+                            </executions>
+                            <configuration>
+                                <failOnError>true</failOnError>
+                                <fork>false</fork>
+                                <excludeFilterFile>software/amazon/awssdk/spotbugs-suppressions.xml</excludeFilterFile>
+                                <threshold>Low</threshold>
+                                <effort>Max</effort>
+                                <plugins>
+                                    <dependency>
+                                        <groupId>software.amazon.awssdk</groupId>
+                                        <artifactId>build-tools</artifactId>
+                                        <version>1.0</version>
+                                    </dependency>
+                                </plugins>
+                            </configuration>
+                        </plugin>
+                    </plugins>
+                </pluginManagement>
+            </build>
         </profile>
 
         <profile>
@@ -850,7 +855,19 @@
             </activation>
             <properties>
                 <!-- Blockhound doesn't support Java 13+ without flags: https://github.com/reactor/BlockHound/issues/33 -->
-                <argLine>-XX:+AllowRedefinitionToAddDeleteMethods</argLine>
+                <argLine>-XX:+AllowRedefinitionToAddDeleteMethods -Dreactor.blockhound.shaded.net.bytebuddy.experimental=true</argLine>
+            </properties>
+        </profile>
+
+        <profile>
+            <!-- SpotBugs 4.9.x has severe performance regression on JDK 17 (99% CPU, 6x slower than JDK 21).
+                 Skip SpotBugs on JDK 17; it still runs on JDK 11, 21, and 25. -->
+            <id>jdk-17-spotbugs-skip</id>
+            <activation>
+                <jdk>17</jdk>
+            </activation>
+            <properties>
+                <spotbugs.skip>true</spotbugs.skip>
             </properties>
         </profile>
 

test/s3-benchmarks/pom.xml

@@ -31,6 +31,7 @@
         <maven.compiler.target>8</maven.compiler.target>
         <awsjavasdk.version>${project.version}</awsjavasdk.version>
         <sdk-v1.version>1.12.261</sdk-v1.version>
+        <spotbugs.skip>true</spotbugs.skip>
     </properties>
     <name>AWS Java SDK :: Test :: S3 Benchmarks</name>
     <description>Contains benchmark code for S3 and TransferManager</description>