Thomas Broyer
There should probably be a new annotation, or a new attribute in `@BugPattern`, to signify that the check should be disabled by default, while still providing a default severity for...
I wouldn't mind suggestions being disabled by default, partly because there's none enabled by default, and I don't think I use any check that defaults to a suggestion level. I...
It looks to me like this is well-known Java deserialization without an allow-list: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html#java Specifically in [ContextClassLoaderObjectInputStream](https://github.com/Jaspersoft/jasperreports/blob/master/core/src/main/java/net/sf/jasperreports/engine/util/ContextClassLoaderObjectInputStream.java), through [JRLoader](https://github.com/Jaspersoft/jasperreports/blob/master/core/src/main/java/net/sf/jasperreports/engine/util/JRLoader.java), used to load compiled Jasper templates. There might be other similar...
Thank you for those details 👍
I wouldn't oppose a warning to make all non-override methods in an anonymous class private, even without detecting this edge case (those using it for a good reason could still...
> or I might have been worried by how some people prefer not to use `@Nullable` if a field is initialized lazily after object creation. (I'm mostly not a big...
AFAICT, NullAway does that analysis and should prevent any way to leave the field uninitialized (thus null)
And AFAICT, `java.sql.Timestamp` is by definition a `timestamp`, not a `timestamptz`
> > And AFAICT, `java.sql.Timestamp` is by definition a `timestamp`, not a `timestamptz`
>
> I gather you are suggesting that we should always treat it as a timestamp then?...
This will run disabled checks for now though: https://github.com/google/error-prone/commit/157ce4423be68b86eb537b463ea36b905778f6c7