```
# Display basic plugin information
$ mvn forbiddenapis:help

# Display detailed information about all goals and parameters
$ mvn forbiddenapis:help -Ddetail=true
```

If you need to use the plugin's full coordinates instead of its prefix, you can do that as follows:

```
# Display basic plugin information
$ mvn de.thetaphi:forbiddenapis:3.9:help

# Display detailed information about all goals and parameters
$ mvn de.thetaphi:forbiddenapis:3.9:help -Ddetail=true
```

You can also use the Maven help plugin to describe the forbiddenapis plugin:

```
# Basic plugin description using help plugin
$ mvn help:describe -Dplugin="de.thetaphi:forbiddenapis:3.9"

# Detailed plugin description with all parameters
$ mvn help:describe -Dplugin="de.thetaphi:forbiddenapis:3.9" -Ddetail=true
```

To get specific information about a goal, use the goal parameter:

```
# Help for the 'check' goal
$ mvn de.thetaphi:forbiddenapis:3.9:help -Dgoal=check -Ddetail=true

# Help for the 'check' goal using the help plugin
$ mvn help:describe -Dplugin="de.thetaphi:forbiddenapis:3.9" -Dgoal=check -Ddetail=true
```

Note: When using the plugin's help goal directly, you don't need to specify the version if the plugin is already configured in your POM or if you want to use the latest version.

```xml
<plugin>
  <groupId>de.thetaphi</groupId>
  <artifactId>forbiddenapis</artifactId>
  <version>3.9</version>
  <configuration>
    <bundledSignatures>
      <!-- Automatically selects appropriate signatures based on 'maven.compiler.target' -->
      <bundledSignature>jdk-unsafe</bundledSignature>
      <!-- Prevent usage of deprecated APIs -->
      <bundledSignature>jdk-deprecated</bundledSignature>
      <!-- Block internal JDK classes -->
      <bundledSignature>jdk-internal</bundledSignature>
      <!-- Disallow non-portable classes like sun.misc.Unsafe -->
      <bundledSignature>jdk-non-portable</bundledSignature>
      <!-- Prevent unsafe reflective access -->
      <bundledSignature>jdk-reflection</bundledSignature>
      <!-- Blocks System.out usage in production code
           Error example:
           [ERROR] Forbidden field access: java.lang.System#out [prints to System.out; should only be used for debugging, not in production code] -->
      <bundledSignature>jdk-system-out</bundledSignature>
      <!-- Blocks unsafe Commons IO methods
           Note: Requires commons-io dependency to be present in classpath
           If missing, you'll see: "Class 'org.apache.commons.io.CopyUtils' not found on classpath" -->
      <bundledSignature>commons-io-unsafe-2.11.0</bundledSignature>
    </bundledSignatures>
    <!-- Silently ignores methods/fields from missing classes during signature parsing
         Useful when bundled signatures reference classes not in your project's classpath -->
    <ignoreSignaturesOfMissingClasses>true</ignoreSignaturesOfMissingClasses>
    <!-- Fail build on violations (default is true) -->
    <failOnViolation>true</failOnViolation>
  </configuration>
  <executions>
    <execution>
      <id>forbiddenapis-check</id>
      <!-- Runs during package phase, but you can use 'verify' for better integration with other plugins -->
      <phase>package</phase>
      <goals>
        <goal>check</goal>
        <goal>testCheck</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```

Running the Plugin:

```
# Run manually
$ mvn forbiddenapis:check
$ mvn forbiddenapis:testCheck

# Run as part of build lifecycle
$ mvn verify

# Skip forbidden API checks temporarily
$ mvn verify -Dforbiddenapis.skip=true
```
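
To make the `jdk-unsafe` and `jdk-system-out` signatures from the configuration above concrete, the following Java class pairs calls those checks reject with their compliant forms. It is an added illustration, not code from the plugin or its documentation; the class name, method names, and the role-check scenario are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.util.Locale;

// Hypothetical demo class (added example, not part of forbiddenapis).
public class ForbiddenApiDemo {

    // Rejected by jdk-unsafe: String#toLowerCase() uses the JVM default locale.
    // Under a Turkish default locale "ADMIN" lowercases to "admın" (dotless i),
    // so this comparison silently stops matching on such hosts.
    static boolean isAdminUnsafe(String role) {
        return role.toLowerCase().equals("admin");
    }

    // Compliant: the locale is explicit, so the result is host-independent.
    static boolean isAdminSafe(String role) {
        return role.toLowerCase(Locale.ROOT).equals("admin");
    }

    // Rejected by jdk-unsafe: String#getBytes() uses the platform default charset,
    // so the bytes fed into a hash or MAC can differ between machines.
    static byte[] encodeUnsafe(String token) {
        return token.getBytes();
    }

    // Compliant: the charset is explicit.
    static byte[] encodeSafe(String token) {
        return token.getBytes(StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Simulate a host configured with a Turkish default locale.
        Locale.setDefault(Locale.forLanguageTag("tr-TR"));

        // Each System.out access below is rejected by jdk-system-out.
        System.out.println("unsafe role check: " + isAdminUnsafe("ADMIN"));
        System.out.println("safe role check:   " + isAdminSafe("ADMIN"));
        System.out.println("unsafe byte count: " + encodeUnsafe("tökén").length);
        System.out.println("safe byte count:   " + encodeSafe("tökén").length);
    }
}
```

With the plugin configured as shown and `failOnViolation` left at `true`, the unsafe methods and the `System.out` calls in this class cause `forbiddenapis:check` to fail the build, while the `Locale.ROOT` and `StandardCharsets.UTF_8` variants pass.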