PMD full changelog

Fixed Issues:
core:
6503: [core] Links in HTML report are broken
java-errorprone:
6502: [java] CloseResource: False positive for allowedResourceMethodPatterns entries when using unqualified method calls
java-security:
6531: [java] InsecureCryptoIv: False negative with fixed IVs from array initializers
Merged pull requests:
6467: [ci] Use typos gh-action - Andreas Dangel (@adangel)
6488: [doc] Update security.md for CVE-2026-28338 - Andreas Dangel (@adangel)
6489: [doc] CPD: document –report-file parameter - Andreas Dangel (@adangel)
6504: [core] Fix #6503: Don’t escape externalInfoUrl in reports - Andreas Dangel (@adangel)
6505: [java] Fix #6502: CloseResource should consider unqualified method calls - Andreas Dangel (@adangel)
6545: [java] Fix #6531: False negative in InsecureCryptoIv with array initializers - Zbynek Konecny (@zbynek)
Dependency updates:
6476: Bump PMD from 7.21.0 to 7.22.0
6479: chore(deps): bump actions/download-artifact from 7.0.0 to 8.0.0
6480: chore(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0
6481: chore(deps): bump com.puppycrawl.tools:checkstyle from 13.2.0 to 13.3.0
6482: chore(deps): bump org.mockito:mockito-core from 5.21.0 to 5.22.0
6483: chore(deps-dev): bump net.bytebuddy:byte-buddy from 1.18.5 to 1.18.7
6484: chore(deps): bump org.yaml:snakeyaml from 2.5 to 2.6
6485: chore(deps): bump org.checkerframework:checker-qual from 3.53.1 to 3.54.0
6486: chore(deps-dev): bump net.bytebuddy:byte-buddy-agent from 1.18.5 to 1.18.7
6487: chore(deps): bump com.google.protobuf:protobuf-java from 4.33.5 to 4.34.0
6490: chore: Update gems, remove github-pages
6498: chore(deps): bump ruby/setup-ruby from 1.288.0 to 1.290.0
6499: chore(deps-dev): bump commons-logging:commons-logging from 1.3.5 to 1.3.6
6500: chore(deps-dev): bump org.apache.maven.plugins:maven-shade-plugin from 3.6.1 to 3.6.2
6501: chore(deps): bump org.apache.maven.plugins:maven-resources-plugin from 3.4.0 to 3.5.0
6506: chore(deps): bump actions/create-github-app-token

New and noteworthy:
Security fixes:
This release fixes a stored XSS vulnerability in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages.
Affects CI/CD pipelines that run PMD with --format vbhtml or --format yahtml on untrusted source code
(e.g. pull requests from external contributors) and expose the HTML report as a build artifact.
JavaScript executes in the browser context of anyone who opens the report.
Note: The default html format is not affected by unescaped violation messages, but a similar problem
existed with suppressed violation markers.
If you use these reports, it is recommended to upgrade PMD.
Reported by Smaran Chand (@smaranchand).
New and Changed Rules:
New Rules:
The new Java rule UnnecessaryInterfaceDeclaration detects classes that
implement interfaces that are already implemented by its superclass, and interfaces
that extend other interfaces already declared by their superinterfaces.
These declarations are redundant and can be removed to simplify the code.
Changed Rules:
The rule CloseResource introduces a new property, allowedResourceMethodPatterns,
which lets you specify method invocation patterns whose return values are resources managed externally.
This is useful for ignoring managed resources - for example, Reader/Writer instances obtained from
HttpServletRequest/HttpServletResponse - because the servlet container, not application code,
is responsible for closing them. By default, the rule ignores InputStream/OutputStream/Reader/Writer
resources returned by methods on (Http)ServletRequest and (Http)ServletResponse
(both javax.servlet and jakarta.servlet).
Fixed Issues:
core:
6471: [core] BaseAntlrTerminalNode should return type instead of index for getTokenKind()
6475: [core] Fix stored XSS in VBHTMLRenderer and YAHTMLRenderer
doc:
6396: [doc] Mention test-pmd-tool as alternative for testing
java-bestpractices:
6431: [java] UnitTestShouldIncludeAssert: False positive with SoftAssertionsExtension on parent/grandparent classes
j

New and noteworthy:
Build Requirement is Java 17:
From now on, Java 17 or newer is required to build PMD. PMD itself still remains compatible with Java 8,
so that it still can be used in a pure Java 8 environment. This allows us to use the latest
checkstyle version during the build.
Fixed Issues:
core
4714: [core] Allow trailing commas in multivalued properties
apex
5935: [apex] @SuppressWarnings - allow whitespace around comma when suppressing multiple rules
apex-design
6022: [apex] ExcessiveClassLength/ExcessiveParameterList include the metric in the message
java-codestyle
5919: [java] ClassNamingConventions: Include integration tests in testClassPattern by default
6029: [java] Fix UnnecessaryCast false-negative in method calls
java-design
5569: [java] ExcessivePublicCount should report number of public "things"
java-documentation
6058: [java] DanglingJavadoc FP in module-info files
java-errorprone
5878: [java] DontUseFloatTypeForLoopIndices false-negative if variable is declared before loop
6075: [java] AssignmentInOperand false positive with lambda expressions
java-multithreading
5880: [java] DoubleCheckedLocking is not detected if more than 1 assignment or more than 2 if statements
misc
6012: [pmd-rulesets] Rulesets should be in alphabetical order
API Changes:
Deprecations:
java
The following methods have been deprecated. Due to refactoring of the internal base class, these methods are not
used anymore and are not required to be implemented anymore:
ExcessiveImportsRule#isViolation
ExcessiveParameterListRule#isViolation
ExcessivePublicCountRule#isViolation
Merged pull requests:
6021: [java] Fix #5569: ExcessiveImports/ExcessiveParameterList/ExcessivePublicCount include the metric in the message - UncleOwen (@UncleOwen)
6022: [apex] ExcessiveClassLength/ExcessiveParameterList include the metric in the message - UncleOwen (@UncleOwen)
6023: [test] Fix #6012: Alphabetically sort all default rules - Zbynek Konecny (@zbynek)
6024: [java] Fix #5878: DontUse

New and noteworthy:
Java 16 Support:
This release of PMD brings support for Java 16. PMD supports JEP 394: Pattern Matching for instanceof and JEP 395: Records. Both have been promoted to be a standard language feature of Java 16.
PMD also supports JEP 397: Sealed Classes (Second Preview) as a preview language feature. In order to analyze a project with PMD that uses these language features, you’ll need to enable it via the environment variable PMD_JAVA_OPTS and select the new language version 16-preview:
export PMD_JAVA_OPTS=--enable-preview
./run.sh pmd -language java -version 16-preview ...
Note: Support for Java 14 preview language features have been removed. The version “14-preview” is no longer available.
Modified Rules:
The Apex rule ApexDoc has two new properties: reportPrivate and reportProtected. Previously the rule only considered public and global classes, methods, and properties.

New and noteworthy:
CPD now supports XML as well:
Thanks to Fernando Cosso CPD can now find duplicates in XML files as well.
This is useful to find duplicated sections in XML files.
Updated PMD Designer:
This PMD release ships a new version of the pmd-designer.
For the changes, see PMD Designer Changelog.
New Rules:
The new Java Rule LiteralsFirstInComparisons (java-bestpractices) find String literals, that are used in comparisons and are not positioned first. Using the String literal as the receiver of e.g. equals helps to avoid NullPointerExceptions.
This rule is replacing the two old rules PositionLiteralsFirstInComparisons and PositionLiteralsFirstInCaseInsensitiveComparisons and extends the check for the methods compareTo, compareToIgnoreCase and contentEquals in addition to equals and equalsIgnoreCase.
Note: This rule also replaces the two mentioned rules in Java's quickstart ruleset.
Deprecated Rules:
The two Java rules PositionLiteralsFirstInComparisons and PositionLiteralsFirs