<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
PMD is an extensible multilanguage static code analyzer. It finds common programming flaws like unused variables,
empty catch blocks, unnecessary object creation, and so forth. It's mainly concerned with Java and
Apex, but supports 16 other languages. It comes with 400+ built-in rules. It can be
extended with custom rules. It uses JavaCC and Antlr to parse source files into abstract syntax trees
(AST) and runs rules against them to find violations. Rules can be written in Java or using an XPath query.
Currently, PMD supports Java, JavaScript, Salesforce.com Apex and Visualforce,
Kotlin, Swift, Modelica, PLSQL, Apache Velocity, JSP, WSDL, Maven POM, HTML, XML and XSL.
Scala is supported, but there are currently no Scala rules available.
Additionally, it includes CPD, the copy-paste-detector. CPD finds duplicated code in
Coco, C/C++, C#, Dart, Fortran, Gherkin, Go, Groovy, HTML, Java, JavaScript, JSP, Julia, Kotlin,
Lua, Matlab, Modelica, Objective-C, Perl, PHP, PLSQL, Python, Ruby, Salesforce.com Apex and
Visualforce, Scala, Swift, T-SQL, TypeScript, Apache Velocity, WSDL, XML and XSL.
<name>PMD development</name>
<name>PMD commits</name>
<name>github contributors</name>
<junit5.version>5.8.2</junit5.version> <!-- needed by kotest -->
<argLine>-Xmx512m -Dfile.encoding=${project.build.sourceEncoding} ${extraArgLine}</argLine>
<extraArgLine /> <!-- empty by default, profiles set it as needed -->
<!-- This is default but let's be clear -->
<!-- Use the latest ant version to preserve file permissions when doing replaceregexp -->
<!-- adds kotlin source directories for checkstyle header checks -->
<!-- Kotlin compiler for test-compile -->
<!-- The kotlin plugin has to run before the maven-compiler-plugin -->
<!-- Replacing default-compile as it is treated specially by maven -->
<!-- Replacing default-testCompile as it is treated specially by maven -->
<!-- used by pmd-lang-test::net.sourceforge.pmd.lang.test.BaseTextComparisonTest -->
<!-- https://kotest.io/docs/framework/project-config.html#runtime-detection -->
<statelessTestsetInfoReporter implementation="net.sourceforge.pmd.buildtools.surefire.PMDStatelessTestSetInfoConsoleReporter">
<statelessTestsetReporter implementation="org.apache.maven.plugin.surefire.extensions.junit5.JUnit5Xml30StatelessReporter">
<!-- exclude any internal package and up to two sub-packages inside -->
<head>API Note:</head>
<head>Implementation Requirements:</head>
<head>Implementation Note:</head>
<!-- When using kotlin/dokka, you need to disable maven-javadoc-plugin@attach-javadocs -->
<!-- Skip the default pmd executions, which are triggered by pmd:check, and avoid
unnecessary pmd analysis of the main code.
We use executions pmd-main and pmd-test instead and explicitly run pmd:pmd. -->
<!-- Note: we can't use a property for the version here due to https://issues.apache.org/jira/browse/MRELEASE-932 -->
<!-- We use the comment "pmd.dogfood.version" as a marker and manually change the version - see .ci/build.sh -->
<version>7.5.0</version> <!-- pmd.dogfood.version -->
<version>7.5.0</version> <!-- pmd.dogfood.version -->
<version>7.5.0</version> <!-- pmd.dogfood.version -->
<version>7.5.0</version> <!-- pmd.dogfood.version -->
<!-- This contains the dogfood ruleset -->
<!-- Allow building PMD with Java 23 -->
<!--This plugin's configuration is used to store Eclipse
m2e settings only. It has no influence on the Maven build itself. -->
<message>No Snapshots Allowed!</message>
<message>Best Practice is to always define plugin versions!</message>
<!-- configuration is in plugin management section -->
<!-- configuration is in plugin management section -->
<!-- PMD is released in two phases: first everything without pmd-cli/pmd-dist
(profile cli-dist-modules disabled), and then only pmd-cli/pmd-dist.
The BOM for the main artifact net.sourceforge.pmd:pmd is created and published
in the first phase and doesn't contain pmd-cli/pmd-dist. In order to be able
to reproduce the BOM, we always exclude these two modules.
<!-- Enable japicmp for all modules by default -->
<!-- scala-reflect and scala-library needed by pmd-apex via apex-link -->
<!-- byte-buddy is used by mockito.
Using a newer version than the one from mockito 4.11.0 for Java 21 compatibility
At least byte-buddy 1.14.3 is required for Java 21.
<!-- Kotlin -->
<!-- transitive dependency through org.scalameta:trees_2.13
upgrade to 3.16.1 to fix CVE-2021-22569 A potential Denial of Service issue in protobuf-java
upgrade to 3.16.3 to fix CVE-2022-3171 protobuf-java has a potential Denial of Service issue
<!-- Make sure to use the correct version that JUnit5 needs. E.g. 5.8.2 needs 1.8.2
Kotest might bring a wrong version.
see junit5.version -->
<name>Central Repository</name>
<name>Sonatype Nexus Snapshots</name>
<name>Central Repository</name>
<name>Sonatype Nexus Snapshots</name>
<name>Apache Snapshot Repository</name>
<!-- Adds an SLF4J implementation, useful when developing within an IDE -->
<id>Java 18+</id>
<!-- java.security.manager=allow is needed under Java 18+ for usages of com.github.stefanbirkner.systemlambda.SystemLambda.catchSystemExit -->
<!-- skips many plugins. Useful for sonar and coveralls and reproducible builds -->
Configuration: https://docs.coveralls.io/java | https://github.com/hazendaz/coveralls-maven-plugin
Report is available here: https://coveralls.io/github/pmd/pmd -->
Configuration: https://docs.sonarsource.com/sonarcloud/advanced-setup/ci-based-analysis/sonarscanner-for-maven/
Report is available here: https://sonarcloud.io/dashboard?id=net.sourceforge.pmd%3Apmd