Note
This is effectively fixed in Java 23 as annotation processing is now disabled by default.
This is a test library to check if your compiler automatically executes Java Annotation Processors.
Warning
This library will likely crash the compiler
JSR 269 introduced Annotation processing into Java.
Annotation processing is done by the Java compiler itself (because it's from a time before buildtools like Maven or Gradle).
This itself is not a problem but the following design aspects are:
Unless annotation processing is disabled with the
-proc:noneoption, the compiler searches for any annotation processors that are available. The search path can be specified with the-processorpathoption. If no path is specified, then the user class path is used. Processors are located by means of service provider-configuration files namedMETA-INF/services/javax.annotation.processing... [Javac Documentation]
So if a malicious or manipulated library somehow ends up in your project, it can execute ANY code when compilation happens due to Java's service-loading.
Everything that uses a Java Compiler (like javac or ecj) with the default options (IDEs like Eclipse/IntelliJ or the maven-compiler-plugin) is affected.
- Specify the code you want to run inside CodeExecutionProcessor
- Build the library by running
mvn clean install - Add the following dependency to your code:
⚠ If you use Eclipse: Make sure that "Build automatically" is disabled! (see below)<dependency> <groupId>software.xdev</groupId> <artifactId>java-annotation-processing-code-execution</artifactId> <version>1.0-SNAPSHOT</version> </dependency>
- Compile/Build your code using maven, your IDE or whatever.
→ The code inside CodeExecutionProcessor should be executed
As mentioned above there is a compiler flag -proc:none which disables annotation processing by the compiler.
Ensure that the compiler is executed with -proc:none, like this:
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.10.1</version>
<configuration>
<compilerArgs>
<arg>-proc:none</arg>
</compilerArgs>
</configuration>
</plugin>The best solution is to configure this in all modules by doing it inside the parent poms build -> pluginManagement -> plugins-section
Gradle is most likely not affected as it usually uses a Java Toolchain and annotation processors must be declared explicitly
IDEs usually have custom support for Annotation Processing.
Impact varies based on the used build tool.
IDEA automatically imports the -proc:none argument from Maven if configured correctly.
However this doesn't disable the Annotation Processors which are defined in Maven pom.xmls (as they are a separate setting in the IDE) and it still tries to run them when building, which leads to errors like java: java.lang.ClassNotFoundException: org.hibernate.jpamodelgen.JPAMetaModelEntityProcessor.
You have to disable them in the settings.
Warning
Adding this library might cause the IDE to crash because the build process is not sandboxed.
You might be no longer able to open your project because Eclipse instantly rebuilds the project on restart which causes a crash again.
So make sure that "Build automatically" is disabled!
As far as I have seen Eclipse is not affected by default because Annotation processing isn't enabled by default (or not implemented in a stable way?).
However if you e.g. set Settings: Maven > Annotation Processing : Annotation Processing Mode to Experimental: Delegate annotation processing to maven plugins
or if you enable it inside a project (Right click project : Properties : Java Compiler > Annotation Processing : Enable annotation processing) the complete IDE will crash.