Merge remote-tracking branch 'origin/update-from-template' into develop

Author: AB-xdev

.config/checkstyle/checkstyle.xml

@@ -74,6 +74,11 @@
 			<!-- https://docs.pmd-code.org/pmd-doc-7.11.0/pmd_rules_java_errorprone.html#avoidcatchingthrowable -->
 			<property name="illegalClassNames" value="Error,Throwable,NullPointerException,java.lang.Error,java.lang.Throwable,java.lang.NullPointerException"/>
 		</module>
+		<!-- Do not allow params and vars to end with collection type names -->
+		<module name="IllegalIdentifierName">
+			<property name="format" value="^(?!(.*(Map|List|Set))$).+$"/>
+			<property name="tokens" value="PARAMETER_DEF, VARIABLE_DEF, PATTERN_VARIABLE_DEF, RECORD_COMPONENT_DEF, LAMBDA"/>
+		</module>
 		<module name="IllegalImport"/>
 		<module name="InterfaceIsType"/>
 		<module name="JavadocStyle">
@@ -91,7 +96,7 @@
 			<property name="ignoreFieldDeclaration" value="true"/>
 			<property name="ignoreHashCodeMethod" value="true"/>
 			<!-- Defaults + other common constant values (e.g. time) -->
-			<property name="ignoreNumbers" value="-1, 0, 1, 2, 3, 4, 5, 10, 12, 24, 31, 60, 100, 1000"/>
+			<property name="ignoreNumbers" value="-1, 0, 1, 2, 3, 4, 5, 8, 10, 12, 16, 24, 25, 31, 32, 50, 60, 64, 100, 128, 200, 256, 500, 512, 1000, 1024, 2000, 2048, 4000, 4096, 8000, 8192"/>
 		</module>
 		<module name="MemberName"/>
 		<module name="MethodLength"/>
@@ -123,7 +128,8 @@
 		<module name="StringLiteralEquality"/>
 		<module name="SuppressWarningsHolder"/>
 		<module name="TodoComment">
-			<property name="severity" value="info"/>
+			<!-- Default is "TODO:" -->
+			<property name="format" value="(?i)(TODO)"/>
 		</module>
 		<module name="TypecastParenPad"/>
 		<module name="TypeName"/>

.config/pmd/java/ruleset.xml

@@ -17,6 +17,7 @@
 	<rule ref="category/java/bestpractices.xml/AvoidUsingHardCodedIP"/>
 	<rule ref="category/java/bestpractices.xml/ConstantsInInterface"/>
 	<rule ref="category/java/bestpractices.xml/ExhaustiveSwitchHasDefault"/>
+	<rule ref="category/java/bestpractices.xml/LabeledStatement"/>
 	<rule ref="category/java/bestpractices.xml/LiteralsFirstInComparisons"/>
 	<!-- CheckStyle can't handle this switch behavior -> delegated to PMD -->
 	<rule ref="category/java/bestpractices.xml/NonExhaustiveSwitch"/>
@@ -149,6 +150,7 @@
 	<rule ref="category/java/errorprone.xml/DontUseFloatTypeForLoopIndices"/>
 	<rule ref="category/java/errorprone.xml/EqualsNull"/>
 	<rule ref="category/java/errorprone.xml/IdempotentOperations"/>
+	<rule ref="category/java/errorprone.xml/IdenticalConditionalBranches"/>
 	<rule ref="category/java/errorprone.xml/ImplicitSwitchFallThrough"/>
 	<rule ref="category/java/errorprone.xml/InstantiationToGetClass"/>
 	<rule ref="category/java/errorprone.xml/InvalidLogMessageFormat"/>
@@ -211,11 +213,11 @@
 		message="StringBuilder/StringBuffer should not be used"
 		class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
 		<description>
-Usually all cases where `StringBuilder` (or the outdated `StringBuffer`) is used are either due to confusing (legacy) logic or may be replaced by a simpler string concatenation.
+Usually all cases where `StringBuilder` (or the outdated `StringBuffer`) is used are either due to confusing (legacy) logic or in situations where it may be easily replaced by a simpler string concatenation.
 
 Solution:
 * Do not use `StringBuffer` because it's thread-safe and usually this is not needed
-* If `StringBuilder` is only used in a simple method (like `toString`) and is effectively inlined: Use a simpler string concatenation (`"a" + x + "b"`). This will be optimized by the Java compiler internally.
+* If `StringBuilder` is only used in a simple method (like `toString`) and is effectively inlined: Use a simpler string concatenation (`"a" + x + "b"`). This will be [optimized by the Java compiler internally](https://docs.oracle.com/javase/specs/jls/se25/html/jls-15.html#jls-15.18.1).
 * In all other cases: 
 	* Check what is happening and if it makes ANY sense! If for example a CSV file is built here consider using a proper library instead!
 	* Abstract the Strings into a DTO, join them together using a collection (or `StringJoiner`) or use Java's Streaming API instead
@@ -237,8 +239,8 @@ Solution:
 		message="Setters of java.lang.System should not be called unless really needed"
 		class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
 		<description>
-Calling setters of java.lang.System usually indicates bad design and likely causes unexpected behavior.
-For example, it may break when multiple Threads are setting the value.
+Calling setters of `java.lang.System` usually indicates bad design and likely causes unexpected behavior.
+For example, it may break when multiple Threads are working with the same value.
 It may also overwrite user defined options or properties.
 
 Try to pass the value only to the place where it's really needed and use it there accordingly.
@@ -350,7 +352,8 @@ You can suppress this warning when you properly sanitized the name.
 Nearly every known usage of (Java) Object Deserialization has resulted in [a security vulnerability](https://cloud.google.com/blog/topics/threat-intelligence/hunting-deserialization-exploits?hl=en).
 Vulnerabilities are so common that there are [dedicated projects for exploit payload generation](https://github.com/frohoff/ysoserial).
 
-Java Object Serialization may also fail to deserialize when the underlying classes are changed.
+Java Object Serialization may also fail to deserialize properly when the underlying classes are changed.
+This can result in unexpected crashes when outdated data is deserialized.
 
 Use proven data interchange formats like JSON instead.
 		</description>
@@ -372,7 +375,8 @@ Use proven data interchange formats like JSON instead.
 	<rule name="VaadinNativeHTMLIsUnsafe"
 		language="java"
 		message="Unescaped native HTML is unsafe and will result in XSS vulnerabilities"
-		class="net.sourceforge.pmd.lang.rule.xpath.XPathRule" >
+		class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"
+		externalInfoUrl="https://developer.mozilla.org/en-US/docs/Web/API/Element/innerHTML">
 		<description>
 Do not use native HTML! Use Vaadin layouts and components to create required structure.
 If you are 100% sure that you escaped the value properly and you have no better options you can suppress this.
@@ -390,6 +394,30 @@ If you are 100% sure that you escaped the value properly and you have no better
 		</properties>
 	</rule>
 
+	<!-- Jakarta Persistence -->
+	<rule name="AvoidListAsEntityRelation"
+		language="java"
+		message="Use a Set instead of a List in entity relations"
+		class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"
+		externalInfoUrl="https://www.baeldung.com/spring-jpa-onetomany-list-vs-set#bd-pros-and-cons">
+		<description>
+`List` allows duplicates while a `Set` does not.
+A `Set` also prevents duplicates when the ORM reads multiple identical rows from the database (e.g. when using JOIN).
+		</description>
+		<priority>2</priority>
+		<properties>
+			<property name="xpath">
+				<value>
+<![CDATA[
+//ClassDeclaration[pmd-java:hasAnnotation('jakarta.persistence.Entity')]
+//FieldDeclaration[pmd-java:hasAnnotation('jakarta.persistence.ManyToMany') or pmd-java:hasAnnotation('jakarta.persistence.OneToMany')]
+/ClassType[pmd-java:typeIs('java.util.List')]
+]]>
+				</value>
+			</property>
+		</properties>
+	</rule>
+
 
 	<!-- Rules from JPinPoint with slight modifications -->
 	<!-- https://github.com/jborgers/PMD-jPinpoint-rules -->

.github/workflows/broken-links.yml

@@ -13,13 +13,13 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 15
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - run: mv .github/.lycheeignore .lycheeignore
 
       - name: Link Checker
         id: lychee
-        uses: lycheeverse/lychee-action@885c65f3dc543b57c898c8099f4e08c8afd178a2 # v2
+        uses: lycheeverse/lychee-action@a8c4c7cb88f0c7386610c35eb25108e448569cb0 # v2
         with:
           fail: false # Don't fail on broken links, create an issue instead
 

.github/workflows/check-build.yml

@@ -28,7 +28,7 @@ jobs:
         java: [21]
         distribution: [temurin]
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Set up JDK
       uses: actions/setup-java@v5
@@ -37,7 +37,7 @@ jobs:
         java-version: ${{ matrix.java }}
 
     - name: Cache Gradle
-      uses: actions/cache@v4
+      uses: actions/cache@v5
       with:
         path: |
           ~/.gradle/caches
@@ -50,7 +50,7 @@ jobs:
       run: ./gradlew build buildPlugin --info --stacktrace
 
     - name: Try upload test reports when failure occurs
-      uses: actions/upload-artifact@v5
+      uses: actions/upload-artifact@v6
       if: failure()
       with:
         name: test-reports-${{ matrix.java }}
@@ -75,10 +75,10 @@ jobs:
         fi
 
     - name: Upload plugin files
-      uses: actions/upload-artifact@v5
+      uses: actions/upload-artifact@v6
       with:
         name: plugin-files-java-${{ matrix.java }}
-        path: build/libs/intellij-plugin-openrewriter-*.jar
+        path: build/distributions/*.zip
         if-no-files-found: error
 
   checkstyle:
@@ -90,7 +90,7 @@ jobs:
         java: [21]
         distribution: [temurin]
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Set up JDK
       uses: actions/setup-java@v5
@@ -99,7 +99,7 @@ jobs:
         java-version: ${{ matrix.java }}
 
     - name: Cache Gradle
-      uses: actions/cache@v4
+      uses: actions/cache@v5
       with:
         path: |
           ~/.gradle/caches
@@ -120,7 +120,7 @@ jobs:
         java: [21]
         distribution: [temurin]
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Set up JDK
       uses: actions/setup-java@v5
@@ -132,7 +132,7 @@ jobs:
       run: ./gradlew pmdMain pmdTest -PpmdEnabled --stacktrace -x test
 
     - name: Cache Gradle
-      uses: actions/cache@v4
+      uses: actions/cache@v5
       with:
         path: |
           ~/.gradle/caches
@@ -143,7 +143,7 @@ jobs:
 
     - name: Upload report
       if: always()
-      uses: actions/upload-artifact@v5
+      uses: actions/upload-artifact@v6
       with:
         name: pmd-report
         if-no-files-found: ignore

.github/workflows/check-ide-compatibility.yml

@@ -41,7 +41,7 @@ jobs:
         done
         sudo df -h
 
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Set up JDK
       uses: actions/setup-java@v5
@@ -50,7 +50,7 @@ jobs:
         java-version: 21
 
     - name: Cache Gradle
-      uses: actions/cache@v4
+      uses: actions/cache@v5
       with:
         path: |
           ~/.gradle/caches
@@ -64,7 +64,7 @@ jobs:
       run: ./gradlew verifyPlugin --info --stacktrace
 
     - name: Upload report
-      uses: actions/upload-artifact@v5
+      uses: actions/upload-artifact@v6
       if: ${{ always() }}
       with:
         name: plugin-verifier-reports

.github/workflows/release.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Set up JDK
       uses: actions/setup-java@v5
@@ -22,7 +22,7 @@ jobs:
         distribution: 'temurin'
 
     - name: Try restore Gradle Cache
-      uses: actions/cache/restore@v4
+      uses: actions/cache/restore@v5
       with:
         path: |
           ~/.gradle/caches
@@ -59,7 +59,7 @@ jobs:
     outputs:
       upload_url: ${{ steps.create_release.outputs.upload_url }}
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Configure Git
       run: |
@@ -91,7 +91,7 @@ jobs:
 
     - name: Create Release
       id: create_release
-      uses: shogo82148/actions-create-release@28d99e2a5b407558d17c15d0384fc0d7fb625b4c # v1
+      uses: shogo82148/actions-create-release@559c27ce7eb834825e2b55927c64f6d1bd1db716 # v1
       with:
         tag_name: v${{ steps.version.outputs.release }}
         release_name: v${{ steps.version.outputs.release }}
@@ -112,7 +112,7 @@ jobs:
     needs: [prepare_release]
     timeout-minutes: 60
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Set up JDK
       uses: actions/setup-java@v5
@@ -135,7 +135,7 @@ jobs:
       run: ./gradlew publishPlugin --info --stacktrace
 
     - name: Upload plugin files
-      uses: actions/upload-artifact@v5
+      uses: actions/upload-artifact@v6
       with:
         name: plugin-files
         path: build/distributions/*
@@ -145,7 +145,7 @@ jobs:
     needs: [publish]
     timeout-minutes: 10
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Init Git and pull
       run: |

.github/workflows/sync-labels.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           sparse-checkout: .github/labels.yml
 

.github/workflows/test-deploy.yml

@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 60
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Set up JDK
         uses: actions/setup-java@v5
@@ -35,7 +35,7 @@ jobs:
         run: ./gradlew publishPlugin --info --stacktrace
 
       - name: Upload plugin files
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: plugin-files-java-${{ matrix.java }}
           path: build/distributions/*

.github/workflows/update-from-template.yml

@@ -36,7 +36,7 @@ jobs:
       update_branch_merged_commit: ${{ steps.manage-branches.outputs.update_branch_merged_commit }}
       create_update_branch_merged_pr: ${{ steps.manage-branches.outputs.create_update_branch_merged_pr }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           # Required because otherwise there are always changes detected when executing diff/rev-list
           fetch-depth: 0
@@ -183,7 +183,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 60
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           # Required because otherwise there are always changes detected when executing diff/rev-list
           fetch-depth: 0

.gitignore

@@ -26,6 +26,7 @@ build/
 !.idea/saveactions_settings.xml
 !.idea/checkstyle-idea.xml
 !.idea/externalDependencies.xml
+!.idea/pmd-x.xml
 !.idea/PMDPlugin.xml
 
 !.idea/inspectionProfiles/