Maven | Forbidden API Checker
  1. Forbidden API Plugin
  2. The help goal
  3. Example Configuration

  1. Forbidden API Plugin
    The Forbidden API Checker plugin allows you to parse Java bytecode to find invocations of forbidden method/class/field signatures and fail the build when violations are detected. This is particularly useful for maintaining code quality and preventing the use of deprecated, unsafe, or non-portable APIs.

    References:
    - Maven repository: https://mvnrepository.com/artifact/de.thetaphi/forbiddenapis/3.9
    - Home Page: https://github.com/policeman-tools/forbidden-apis

    Plugin coordinates:
    • Group Id: de.thetaphi
    • Artifact Id: forbiddenapis
    • Version: 3.9

    Goal Prefix: forbiddenapis

    The forbiddenapis plugin provides the following goals:
    • help: Displays help information about the forbiddenapis plugin and its available goals.

    • check: Analyzes the project's compiled class files (compile scope) to detect calls to forbidden APIs, resolving them against the project classpath and a list of API signatures (inline, from files, or bundled). Fails the build if violations are found.

    • testCheck: Similar to the check goal but analyzes test-scoped class files to detect calls to forbidden APIs. This ensures that test code also adheres to the same API restrictions.

    Key configuration options:
    • bundledSignatures: Use predefined signature sets (e.g., jdk-unsafe, jdk-deprecated).
    • signaturesFiles: Reference external signature files for custom API restrictions.
    • signatures: Define inline API signatures directly in the configuration.
    • excludes: Exclude specific classes or packages from checking using Ant-style patterns.
    • includes: Include only specific classes or packages for checking using Ant-style patterns.
    • suppressAnnotations: Suppress violations using custom annotations (e.g., @SuppressForbidden).
    • ignoreSignaturesOfMissingClasses: Skip signature validation when the referenced classes are not on the classpath.
    • failOnViolation: Control whether violations should fail the build (default: true).
  2. The help goal
    The help goal provides general information about the forbiddenapis plugin, including available goals and their parameters.

    Use the detail parameter to get detailed information about all goals and their configuration options:
    # Display basic plugin information
    $ mvn forbiddenapis:help
    
    # Display detailed information about all goals and parameters
    $ mvn forbiddenapis:help -Ddetail=true
    If you need to use the plugin's full coordinates instead of its prefix, you can do that as follows:
    # Display basic plugin information
    $ mvn de.thetaphi:forbiddenapis:3.9:help
    
    # Display detailed information about all goals and parameters
    $ mvn de.thetaphi:forbiddenapis:3.9:help -Ddetail=true
    You can also use the Maven help plugin to describe the forbiddenapis plugin:
    # Basic plugin description using help plugin
    $ mvn help:describe -Dplugin="de.thetaphi:forbiddenapis:3.9"
    
    # Detailed plugin description with all parameters
    $ mvn help:describe -Dplugin="de.thetaphi:forbiddenapis:3.9" -Ddetail=true
    To get specific information about a goal, use the goal parameter:
    # Help for the 'check' goal
    $ mvn de.thetaphi:forbiddenapis:3.9:help -Dgoal=check -Ddetail=true
    
    # Help for the 'check' goal using the help plugin
    $ mvn help:describe -Dplugin="de.thetaphi:forbiddenapis:3.9" -Dgoal=check -Ddetail=true
    Note: When using the plugin's help goal directly, you don't need to specify the version if the plugin is already configured in your POM or if you want to use the latest version.
  3. Example Configuration
    References:
    - Maven Usage: https://github.com/policeman-tools/forbidden-apis/wiki/MavenUsage
    - Signatures Files: https://github.com/policeman-tools/forbidden-apis/tree/main/src/main/resources/de/thetaphi/forbiddenapis/signatures
    - Bundled Signatures: https://github.com/policeman-tools/forbidden-apis/wiki/BundledSignatures

    Add the following plugin configuration to your pom.xml:
    <plugin>
        <groupId>de.thetaphi</groupId>
        <artifactId>forbiddenapis</artifactId>
        <version>3.9</version>
    
        <configuration>
            <bundledSignatures>
                <!-- Automatically selects appropriate signatures based on 'maven.compiler.target' -->
                <bundledSignature>jdk-unsafe</bundledSignature>
    
                <!-- Prevent usage of deprecated APIs -->
                <bundledSignature>jdk-deprecated</bundledSignature>
    
                <!-- Block internal JDK classes -->
                <bundledSignature>jdk-internal</bundledSignature>
    
                <!-- Disallow non-portable classes like sun.misc.Unsafe -->
                <bundledSignature>jdk-non-portable</bundledSignature>
    
                <!-- Prevent unsafe reflective access -->
                <bundledSignature>jdk-reflection</bundledSignature>
    
                <!--
                Blocks System.out usage in production code
                Error example: [ERROR] Forbidden field access: java.lang.System#out
                [prints to System.out; should only be used for debugging, not in production code]
                -->
                <bundledSignature>jdk-system-out</bundledSignature>
    
                <!--
                Blocks unsafe Commons IO methods
                Note: Requires commons-io dependency to be present in classpath
                If missing, you'll see: "Class 'org.apache.commons.io.CopyUtils' not found on classpath"
                -->
                <bundledSignature>commons-io-unsafe-2.11.0</bundledSignature>
            </bundledSignatures>
    
            <!--
            Silently ignores methods/fields from missing classes during signature parsing
            Useful when bundled signatures reference classes not in your project's classpath
            -->
            <ignoreSignaturesOfMissingClasses>true</ignoreSignaturesOfMissingClasses>
    
            <!-- Fail build on violations (default is true) -->
            <failOnViolation>true</failOnViolation>
        </configuration>
    
        <executions>
            <execution>
                <id>forbiddenapis-check</id>
                <!-- Runs during package phase, but you can use 'verify' for better integration with other plugins -->
                <phase>package</phase>
                <goals>
                    <goal>check</goal>
                    <goal>testCheck</goal>
                </goals>
            </execution>
        </executions>
    </plugin>
    Running the Plugin:
    # Run manually
    $ mvn forbiddenapis:check
    $ mvn forbiddenapis:testCheck
    
    # Run as part of build lifecycle
    $ mvn verify
    
    # Skip forbidden API checks temporarily
    $ mvn verify -Dforbiddenapis.skip=true
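    The following Java class is an added example (not from this page or the forbidden-apis project) showing what the check goal reports against the configuration above and how a custom signatures file extends it; the file path src/forbidden/security.txt, its signaturesFiles wiring and the class com.example.tokens.TokenIssuer are assumptions, and the file's content is shown in the leading comment.

```java
// Added example (not from the page or the forbidden-apis project).
// Assumed custom signatures file, referenced from the plugin configuration as
//   <signaturesFiles><signaturesFile>${project.basedir}/src/forbidden/security.txt</signaturesFile></signaturesFiles>
// Its content, one signature per line ("#<init>" names a constructor, "@" adds a message):
//
//   java.util.Random#<init>() @ Use java.security.SecureRandom for tokens, keys and nonces
//
// The String(byte[]) constructor needs no custom line: the bundled jdk-unsafe set already forbids it.
package com.example.tokens;

import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

public final class TokenIssuer {

    private TokenIssuer() {}

    // 'check' reports this method: java.util.Random#<init>() (custom signature above).
    // A non-cryptographic PRNG is predictable from a few observed outputs.
    static String weakToken() {
        byte[] buf = new byte[16];
        new Random().nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Passes: SecureRandom matches no configured signature.
    static String token() {
        byte[] buf = new byte[16];
        new SecureRandom().nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // 'check' reports this method: java.lang.String#<init>(byte[]) from jdk-unsafe,
    // because it decodes with the platform default charset and so behaves differently per host.
    static String decodeUnsafe(byte[] raw) {
        return new String(raw);
    }

    // Passes: the charset is explicit.
    static String decode(byte[] raw) {
        return new String(raw, StandardCharsets.UTF_8);
    }
}
```

    With failOnViolation left at true, mvn forbiddenapis:check fails on weakToken and decodeUnsafe until they are replaced by the explicit variants or excluded via excludes or a configured suppress annotation.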
© 2025  mtitek