
24-April-2020 - 6.23.0

The PMD team is pleased to announce PMD 6.23.0.

This is a minor release.

New and noteworthy

PMD adopts Contributor Code of Conduct

To facilitate healthy and constructive community behavior, PMD adopts the Contributor Covenant as its code of conduct.

Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.

You can find the code of conduct in the file code_of_conduct.md in our repository.

Performance improvements for XPath 2.0 rules

XPath rules written with XPath 2.0 now support conversion to a rulechain rule, which improves their performance. The rulechain is a mechanism that allows several rules to be executed in a single tree traversal. Conversion to the rulechain is possible if your XPath expression looks like //someNode/... | //someOtherNode/... | ..., that is, a union of one or more path expressions that start with //. Instead of traversing the whole tree once per path expression (and per rule), a single traversal executes all rules in your ruleset as needed.

This conversion is performed automatically and cannot be disabled. It should not change the result of your rules; if it does, please report a bug at https://github.com/pmd/pmd/issues
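As an added illustration (not PMD's code and not its actual conversion algorithm), the following Python sketch checks whether an expression has the shape described above: a top-level union of paths that each start with `//` followed by a node name. The function names and sample expressions are constructed for this example, and the requirement of a named node after `//` is an assumption drawn from the `//someNode/...` pattern.

```python
import re

# Assumption: each branch must begin with '//' and a node name, as in the
# '//someNode/...' pattern from the release notes.
ROOT = re.compile(r"//\s*([A-Za-z_][\w.-]*)")


def split_top_level_union(xpath):
    """Split on '|' found outside predicates, parentheses and string literals.

    Not handled: the 'union' keyword and quotes inside XPath 2.0 comments.
    """
    parts, depth, quote, start = [], 0, None, 0
    for i, ch in enumerate(xpath):
        if quote:                      # inside a string literal
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch in "[(":
            depth += 1
        elif ch in "])":
            depth -= 1
        elif ch == "|" and depth == 0:
            parts.append(xpath[start:i].strip())
            start = i + 1
    parts.append(xpath[start:].strip())
    return parts


def rulechain_roots(xpath):
    """Return the root node name of every branch, or None if any branch
    does not start with //Name (the expression then lacks the stated shape)."""
    roots = []
    for branch in split_top_level_union(xpath):
        match = ROOT.match(branch)
        if match is None:
            return None
        roots.append(match.group(1))
    return roots


if __name__ == "__main__":
    # Constructed sample expressions
    for expr in ("//MethodDeclaration[@Public = true()] | //ConstructorDeclaration",
                 "//PrimaryPrefix/Name[@Image = 'a|b']",
                 "/CompilationUnit//MethodDeclaration"):
        print(expr, "->", rulechain_roots(expr))
```

A `|` inside a predicate or a string literal does not split the expression, so a rule such as `//ClassOrInterfaceDeclaration[.//MethodDeclaration | .//FieldDeclaration]` still counts as a single `//`-rooted path.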

Note that XPath 1.0 support, the default XPath version, is deprecated since PMD 6.22.0. We highly recommend that you upgrade your rules to XPath 2.0. Please refer to the migration guide.

Javascript improvements for ES6

PMD uses the Rhino library to parse Javascript. The default version has been set to ES6, so that some ECMAScript 2015 features are supported. For example, let statements and for-of loops are now parsed. However, Rhino does not support all features.

New JSON renderer

PMD now supports a JSON renderer (use it with -f json on the CLI). See the documentation and example.
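An added example (not from the PMD project) of consuming a `-f json` report in a build gate, using Python. The field names follow the JSON renderer's report layout, which this page does not show; the sample report, file names and function names are constructed for illustration.

```python
import json

# Constructed sample report; file names and findings are invented.
SAMPLE_REPORT = json.dumps({
    "formatVersion": 0, "pmdVersion": "6.23.0",
    "files": [{"filename": "force-app/classes/AccountService.cls", "violations": [
        {"beginline": 12, "endline": 12, "rule": "ApexCRUDViolation",
         "ruleset": "Security", "priority": 3,
         "description": "Validate CRUD permission before SOQL/DML operation"},
        {"beginline": 40, "endline": 40, "rule": "CognitiveComplexity",
         "ruleset": "Design", "priority": 3,
         "description": "Method has high cognitive complexity"}]}],
    "suppressedViolations": [],
    "processingErrors": [{"filename": "force-app/classes/Broken.cls",
                          "message": "ParseException", "detail": "(constructed)"}],
    "configurationErrors": [],
})


def evaluate(report_text, rulesets=("Security",), max_priority=3):
    """Return (blocking findings, files PMD could not analyse).

    PMD priorities run from 1 (highest) to 5 (lowest), so a finding blocks
    when its priority number is at or below max_priority.
    """
    report = json.loads(report_text)
    blocking = [
        (f["filename"], v["beginline"], v["rule"])
        for f in report.get("files", [])
        for v in f.get("violations", [])
        if v["ruleset"] in rulesets and v["priority"] <= max_priority
    ]
    unanalysed = [e["filename"] for e in report.get("processingErrors", [])]
    return blocking, unanalysed


def gate_passes(report_text, **options):
    """Fail on blocking findings and also on processing errors: a file that
    could not be parsed reports no violations, which is not the same as clean."""
    blocking, unanalysed = evaluate(report_text, **options)
    return not blocking and not unanalysed


if __name__ == "__main__":
    print(evaluate(SAMPLE_REPORT), gate_passes(SAMPLE_REPORT))
```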

New Rules

Fixed Issues

  • apex-design
    • #2358: [apex] Invalid Apex in Cognitive Complexity tests
  • apex-security
    • #2210: [apex] ApexCRUDViolation: Support WITH SECURITY_ENFORCED
    • #2399: [apex] ApexCRUDViolation: false positive with security enforced with line break
  • core
    • #1286: [core] Export Supporting JSON Format
    • #2019: [core] Insufficient deprecation warnings for XPath attributes
    • #2357: Add code of conduct: Contributor Covenant
    • #2426: [core] CodeClimate renderer links are dead
    • #2432: [core] Close ZIP data sources even if a runtime exception or error is thrown
  • doc
    • #2355: [doc] Improve documentation about incremental analysis
    • #2356: [doc] Add missing doc about pmd.github.io
    • #2412: [core] HTMLRenderer doesn’t render links to source files
    • #2413: [doc] Improve documentation about the available renderers (PMD/CPD)
  • java
    • #2378: [java] AbstractJUnitRule has bad performance on large code bases
  • java-bestpractices
    • #2398: [java] AbstractClassWithoutAbstractMethod false negative with inner abstract classes
  • java-codestyle
    • #1164: [java] ClassNamingConventions suggests to add Util for class containing only static constants
    • #1723: [java] UseDiamondOperator false-positive inside lambda
  • java-design
    • #2390: [java] AbstractClassWithoutAnyMethod: missing violation for nested classes
  • java-errorprone
    • #2402: [java] CloseResource possible false positive with Primitive Streams
  • java-multithreading
    • #2313: [java] Documenation for DoNotUseThreads is outdated
  • javascript
    • #1235: [javascript] Use of let results in an Empty Statement in the AST
    • #2379: [javascript] Support for-of loop
  • javascript-errorprone
    • #384: [javascript] Trailing commas not detected on French default locale

API Changes

Deprecated APIs

Internal API

Those APIs are not intended to be used by clients, and will be hidden or removed with PMD 7.0.0. You can identify them with the @InternalApi annotation. You’ll also get a deprecation warning.


As part of the changes we’d like to do to AST classes for 7.0.0, we would like to hide some methods and constructors that rule writers should not have access to. The following usages are now deprecated in the Apex, Javascript, PL/SQL, Scala and Visualforce ASTs:

  • Manual instantiation of nodes. Constructors of node classes are deprecated and marked InternalApi. Nodes should only be obtained from the parser, which, for rules, means that they never need to instantiate nodes themselves. Those constructors will be made package private with 7.0.0.
  • Subclassing of abstract node classes, or usage of their type. The base classes are internal API and will be hidden in version 7.0.0. You should not couple your code to them.
    • In the meantime you should use interfaces like VfNode or Node, or the other published interfaces in this package, to refer to nodes generically.
    • Concrete node classes will be made final with 7.0.0.
  • Setters found in any node class or interface. Rules should consider the AST immutable. We will make those setters package private with 7.0.0.
  • The implementation classes of Parser (e.g. VfParser) are deprecated and should not be used directly. Use LanguageVersionHandler#getParser instead.
  • The implementation classes of TokenManager (e.g. VfTokenManager) are deprecated and should not be used outside of our implementation. This also affects CPD-only modules.

These deprecations are added to the following language modules in this release. Please look at the package documentation to find out the full list of deprecations.

These deprecations have already been rolled out in a previous version for the following languages:

Outside of these packages, these changes also concern the following TokenManager implementations, and their corresponding Parser if it exists (in the same package):

In the Java AST the following attributes are deprecated and will issue a warning when used in XPath rules:

For removal

External Contributions


  • 237 commits
  • 64 closed tickets & PRs
  • Days since last release: 42