Question 1

How to set up forbidden APIs in a Maven project?

Accepted Answer

Add the plugin to your pom.xml and configure the forbiddenapis mojo with your signature files. The Maven usage page in the Wiki provides step-by-step examples, including how to define rules and exclusions.

Question 2

What are common forbidden API signatures for security?

Accepted Answer

Common signatures include calls to unsafe APIs like Runtime.exec() for command injection, internal sun.misc classes, or deprecated methods that pose risks. The Wiki offers sample signatures and guidance on crafting rules for OWASP top vulnerabilities.

Question 3

Can forbidden APIs checker work with Kotlin or Scala?

Accepted Answer

Yes, it analyzes JVM bytecode, so it works with any language compiling to Java bytecode, but you may need to adjust signatures for language-specific constructs or generated code, and the Wiki has limited examples for non-Java languages.

Question 4

Forbidden APIs vs Checkstyle: which is better for API enforcement?

Accepted Answer

Forbidden APIs specializes in bytecode-level detection and build failure for specific API calls, ideal for strict compliance, while Checkstyle focuses on source code style and broader rules without bytecode analysis. Use Forbidden APIs for precise blocking and Checkstyle for coding conventions.

Question 5

How to exclude test classes from forbidden API checks?

Accepted Answer

Configure exclusion patterns in your build file; for example, in Gradle, use the exclude filter in the forbiddenApis task to skip directories like src/test. The Wiki details exclusion syntax for each build system to avoid false positives.

Question 6

Does forbidden APIs support incremental compilation to avoid slow builds?

Accepted Answer

It parses bytecode on each build run, which can add overhead, especially for large projects. While build plugins may cache results, the tool isn't optimized for incremental analysis, so expect some performance impact in fast development cycles.

Question 7

Why does forbidden APIs fail my build with internal API errors?

Accepted Answer

This often happens when using JDK-internal classes like com.sun.* accidentally. Check your signature files and dependency usage; use the CLI tool to scan specific JARs, and refer to the Wiki's troubleshooting section for common misconfigurations.

forbidden-apis

What is forbidden-apis?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions