Disable CT_CONTRUCTOR_THROW

This warning comes up in surprising contexts and sometimes it can be
hard to diagnose what exactly is triggering it.

Polluting classes with finalize() is a non-option. Being overly-clever
with constructors is a non-starter as well. Sprinkling
@SuppressFBWarnings on code which has been stable for years also does
not make sense.

Disable this warning, as its relevance is rapidly diminishing as we
require Java versions beyond 18.

Change-Id: Ic1532d4051fb76e1b2eeae66d49342b0e9c3f176
Signed-off-by: Robert Varga <robert.varga@pantheon.tech>

diff --git a/spotbugs/src/main/resources/spotbugs-exclude.xml b/spotbugs/src/main/resources/spotbugs-exclude.xml
index a55185c8a64c2f3f1abaf602266d85151658c5d4..27053a554397a354d26643c366547aefa8d1b94d 100644 (file)
--- a/spotbugs/src/main/resources/spotbugs-exclude.xml
+++ b/spotbugs/src/main/resources/spotbugs-exclude.xml
@@ -51,6 +51,20 @@
            such as if(foo != null) { throw new ISE() }.
       -->
       <Bug pattern="SE_PREVENT_EXT_OBJ_OVERWRITE"/>
+
+      <!--
+           As described in https://spotbugs.readthedocs.io/en/stable/bugDescriptions.html#ct-be-wary-of-letting-constructors-throw-exceptions-ct-constructor-throw,
+           CT_CONSTRUCTOR_THROW is design to mitigate finalize()-based attacks.
+
+           While the effert is commendable, Object.finalize() is its way out:
+           - it was deprecated in Java 9, see https://bugs.openjdk.org/browse/JDK-8165641
+           - it was deprecated for removal in Java 18, see https://openjdk.org/jeps/421
+
+           It seems counter-productive to chase fixing this issue while we are also moving to a world where the
+           problem can be mitigated with a global JVM switch (disable-finalization), especially if it involves
+           "clever use of a private constructor".
+      -->
+      <Bug pattern="CT_CONSTRUCTOR_THROW"/>
     </Or>
   </Match>
 </FindBugsFilter>