| Version | Change log |
| PMD 7.22.0 Mar 1, 2026 |
New and noteworthy: Security fixes: This release fixes a stored XSS vulnerability in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages. Affects CI/CD pipelines that run PMD with --format vbhtml or --format yahtml on untrusted source code (e.g. pull requests from external contributors) and expose the HTML report as a build artifact. JavaScript executes in the browser context of anyone who opens the report. Note: The default html format is not affected by unescaped violation messages, but a similar problem existed with suppressed violation markers. If you use these reports, it is recommended to upgrade PMD. Reported by Smaran Chand (@smaranchand). New and Changed Rules: New Rules: The new Java rule UnnecessaryInterfaceDeclaration detects classes that implement interfaces that are already implemented by their superclass, and interfaces that extend other interfaces already declared by their superinterfaces. These declarations are redundant and can be removed to simplify the code. Changed Rules: The rule CloseResource introduces a new property, allowedResourceMethodPatterns, which lets you specify method invocation patterns whose return values are resources managed externally. This is useful for ignoring managed resources - for example, Reader/Writer instances obtained from HttpServletRequest/HttpServletResponse - because the servlet container, not application code, is responsible for closing them. By default, the rule ignores InputStream/OutputStream/Reader/Writer resources returned by methods on (Http)ServletRequest and (Http)ServletResponse (both javax.servlet and jakarta.servlet).
Fixed Issues: core: 6471: [core] BaseAntlrTerminalNode should return type instead of index for getTokenKind() 6475: [core] Fix stored XSS in VBHTMLRenderer and YAHTMLRenderer doc: 6396: [doc] Mention test-pmd-tool as alternative for testing java-bestpractices: 6431: [java] UnitTestShouldIncludeAssert: False positive with SoftAssertionsExtension on parent/grandparent classes j |
| PMD 7.15.0 Jul 23, 2025 |
New and noteworthy: New Rules: The new Apex rule AvoidBooleanMethodParameters finds methods that take a boolean parameter. This can make method calls difficult to understand and maintain as the method is clearly doing two things. Fixed Issues: apex-design: 5427: [apex] New Rule: Avoid Boolean Method Parameters apex-security: 5788: [apex] ApexCRUDViolation unable to detect insecure SOQL if it is a direct input argument doc: 5790: [doc] Website rule reference pages are returning 404 java-bestpractices: 5785: [java] UnusedPrivateField doesn't play well with UnnecessaryWarningSuppression 5793: [java] NonExhaustiveSwitch fails on exhaustive switch with sealed class java-codestyle: 1639: [java] UnnecessaryImport false positive for multiline @link Javadoc 2304: [java] UnnecessaryImport false positive for on-demand imports in JavaDoc 5832: [java] UnnecessaryImport false positive for multiline @see Javadoc java-design: 5804: [java] UselessOverridingMethod doesn't play well with UnnecessarySuppressWarning API Changes: Rule Test Schema: The rule test schema has been extended to support verifying suppressed violations. See Testing your rules for more information. |
| PMD 7.14.0 Jun 18, 2025 |
New and noteworthy: PMD CLI now uses threaded execution by default: In the PMD CLI, the --threads (-t) option can now accept a thread count given relative to the number of cores of the machine. For instance, it is now possible to write -t 1C to spawn one thread per core, or -t 0.5C to spawn one thread for every other core. The thread count option now defaults to 1C, meaning parallel execution is used by default. You can disable this by using -t 1. New Rule UnnecessaryWarningSuppression (experimental): This new Java rule UnnecessaryWarningSuppression reports unused suppression annotations and comments. Violations of this rule cannot be suppressed. How to use it? Just include it in your ruleset: <rule ref="category/java/bestpractices.xml/UnnecessaryWarningSuppression" /> Note: This rule is currently experimental. It is available for now only for Java. The rule for now only reports annotations specific to PMD, like @SuppressWarnings("PMD"). In the future we might be able to check for other common ones like @SuppressWarnings("unchecked") or "fallthrough". Since violations of this rule cannot be suppressed, we erred on the side of false negatives and don’t report every unused case yet. However, suppressing specific PMD rules is working as expected. Migrating to Central Publisher Portal: We’ve now migrated to Central Publisher Portal. Snapshots of PMD are still available, however the repository URL changed. To consume these with Maven, you can use the following snippet: <repositories> <repository> <name>Central Portal Snapshots</name> <id>central-portal-snapshots</id> <url>https://central.sonatype.com/repository/maven-snapshots/</url> <releases> <enabled>false</enabled> </releases> <snapshots> <enabled>true</enabled> </snapshots> </repository> </repositories> Releases of PMD are available on Maven Central as |
| PMD 7.2.0 Jun 5, 2024 | |
| PMD 7.1.0 Apr 26, 2024 | |
| PMD 6.55.0 Feb 26, 2023 | |
| PMD 6.54.0 Jan 28, 2023 | |
| PMD 6.38.0 Aug 28, 2021 | |
| PMD 6.32.0 Feb 27, 2021 |
New and noteworthy: Java 16 Support: This release of PMD brings support for Java 16. PMD supports JEP 394: Pattern Matching for instanceof and JEP 395: Records. Both have been promoted to be a standard language feature of Java 16. PMD also supports JEP 397: Sealed Classes (Second Preview) as a preview language feature. In order to analyze a project with PMD that uses these language features, you’ll need to enable it via the environment variable PMD_JAVA_OPTS and select the new language version 16-preview: export PMD_JAVA_OPTS=--enable-preview ./run.sh pmd -language java -version 16-preview ... Note: Support for Java 14 preview language features has been removed. The version “14-preview” is no longer available. Modified Rules: The Apex rule ApexDoc has two new properties: reportPrivate and reportProtected. Previously the rule only considered public and global classes, methods, and properties. |
| PMD 6.24.0 Mar 13, 2020 |
New and noteworthy: CPD now supports XML as well: Thanks to Fernando Cosso, CPD can now find duplicates in XML files as well. This is useful to find duplicated sections in XML files. Updated PMD Designer: This PMD release ships a new version of the pmd-designer. For the changes, see PMD Designer Changelog. New Rules: The new Java Rule LiteralsFirstInComparisons (java-bestpractices) finds String literals that are used in comparisons and are not positioned first. Using the String literal as the receiver of e.g. equals helps to avoid NullPointerExceptions. This rule replaces the two old rules PositionLiteralsFirstInComparisons and PositionLiteralsFirstInCaseInsensitiveComparisons and extends the check to the methods compareTo, compareToIgnoreCase and contentEquals in addition to equals and equalsIgnoreCase. Note: This rule also replaces the two mentioned rules in Java's quickstart ruleset. Deprecated Rules: The two Java rules PositionLiteralsFirstInComparisons and PositionLiteralsFirs |