[ignore] Fix Codacy field-placement and setAccessible() findings

Move XSD11_DETECTION_CACHE/XSD11_DETECTION_CACHE_MAX_ENTRIES to the
top of Jaxp, alongside its other fields, instead of declaring them
mid-class next to the methods that use them.

Make isXsd11Schema package-private instead of private, the same
pattern already used for clearXsd11DetectionCache(), so
JaxpSchemaLocationSecurityTest/JaxpXsd11DetectionCacheTest (both in
the same package) can call it directly instead of via
setAccessible(true).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: duncdrum

exist-core/src/main/java/org/exist/xquery/functions/validation/Jaxp.java

@@ -111,6 +111,25 @@ public class Jaxp extends BasicFunction {
     private static final String XSI_NS = "http://www.w3.org/2001/XMLSchema-instance";
     private static final String XSD_VERSIONING_NS = "http://www.w3.org/2007/XMLSchema-versioning";
 
+    /**
+     * Bound on the size of {@link #XSD11_DETECTION_CACHE} (see there for what it caches).
+     */
+    private static final int XSD11_DETECTION_CACHE_MAX_ENTRIES = 256;
+
+    /**
+     * Bounded (see {@link #XSD11_DETECTION_CACHE_MAX_ENTRIES}), LRU-evicted cache of
+     * "does the schema at this resolved URI declare vc:minVersion 1.1?", so that validating many
+     * documents against the same schema doesn't re-fetch and re-peek it every time. Cleared by
+     * {@code validation:clear-grammar-cache()} (see {@link GrammarTooling}) alongside the Xerces
+     * grammar pool, so operators have one function to clear every validation-related cache.
+     */
+    private static final Map<String, Boolean> XSD11_DETECTION_CACHE = new LinkedHashMap<>(16, 0.75f, true) {
+        @Override
+        protected boolean removeEldestEntry(final Map.Entry<String, Boolean> eldest) {
+            return size() > XSD11_DETECTION_CACHE_MAX_ENTRIES;
+        }
+    };
+
     private static final String simpleFunctionTxt = """
             Validate document by parsing $instance. Optionally \
             grammar caching can be enabled. Supported grammars types \
@@ -593,6 +612,8 @@ private static boolean detectXsd11ViaSchemaLocation(final InputSource peekInstan
      * and checks whether its root element declares {@code vc:minVersion} containing "1.1".
      * Returns {@code false} for any resolution/read failure -- this is a best-effort peek, not
      * a substitute for the real catalog-aware resolution the actual validation pass performs.
+     * Package-private (not {@code private}) so {@code JaxpSchemaLocationSecurityTest}/
+     * {@code JaxpXsd11DetectionCacheTest}, both in this package, can call it directly.
      *
      * <p>{@code location} is the literal, attacker/document-author-controlled value of the
      * instance's own {@code xsi:schemaLocation}/{@code noNamespaceSchemaLocation} hint -- if it's
@@ -619,7 +640,7 @@ private static boolean detectXsd11ViaSchemaLocation(final InputSource peekInstan
      * {@code util:} Java-interop functions to construct that object in the first place -- a
      * separate, pre-existing privilege boundary this peek doesn't change either way.</p>
      */
-    private static boolean isXsd11Schema(final String baseUri, final String location) {
+    static boolean isXsd11Schema(final String baseUri, final String location) {
         try {
             final URI baseUriNormalized = new URI(ResolverFactory.fixupExistCatalogUri(baseUri));
             final URI resolvedUri = baseUriNormalized.resolve(location);
@@ -661,22 +682,6 @@ private static boolean isXsd11Schema(final String baseUri, final String location
         }
     }
 
-    /**
-     * Bounded (see {@link #XSD11_DETECTION_CACHE_MAX_ENTRIES}), LRU-evicted cache of
-     * "does the schema at this resolved URI declare vc:minVersion 1.1?", so that validating many
-     * documents against the same schema doesn't re-fetch and re-peek it every time. Cleared by
-     * {@code validation:clear-grammar-cache()} (see {@link GrammarTooling}) alongside the Xerces
-     * grammar pool, so operators have one function to clear every validation-related cache.
-     */
-    private static final int XSD11_DETECTION_CACHE_MAX_ENTRIES = 256;
-
-    private static final Map<String, Boolean> XSD11_DETECTION_CACHE = new LinkedHashMap<>(16, 0.75f, true) {
-        @Override
-        protected boolean removeEldestEntry(final Map.Entry<String, Boolean> eldest) {
-            return size() > XSD11_DETECTION_CACHE_MAX_ENTRIES;
-        }
-    };
-
     @Nullable
     private static Boolean getCachedXsd11Detection(final String resolvedUri) {
         synchronized (XSD11_DETECTION_CACHE) {

exist-core/src/test/java/org/exist/xquery/functions/validation/JaxpSchemaLocationSecurityTest.java

@@ -25,7 +25,6 @@
 import org.junit.BeforeClass;
 import org.junit.Test;
 
-import java.lang.reflect.Method;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
@@ -40,8 +39,8 @@
  * own base URI, since the hint is document-author-controlled and the peek runs unconditionally,
  * before any catalog/permission check would otherwise govern the fetch.
  *
- * <p>Tests the method directly (via reflection, since it's {@code private static}) rather than
- * through the full {@code validation:jaxp()} pipeline: going through the pipeline would also
+ * <p>Tests {@code Jaxp.isXsd11Schema} directly rather than through the full {@code
+ * validation:jaxp()} pipeline: going through the pipeline would also
  * exercise the (separate, pre-existing, unrelated) default Xerces resolution that runs when the
  * peek declines and falls through -- which would independently attempt the same kind of fetch,
  * confounding any attempt to observe whether the peek itself made a network call.</p>
@@ -77,43 +76,37 @@ public static void teardown() throws Exception {
     }
 
     @Test
-    public void sameOriginRelativeXsd11SchemaIsDetected() throws Exception {
-        assertTrue(invokeIsXsd11Schema(fileBaseUri, "schema11.xsd"));
+    public void sameOriginRelativeXsd11SchemaIsDetected() {
+        assertTrue(Jaxp.isXsd11Schema(fileBaseUri, "schema11.xsd"));
     }
 
     @Test
-    public void sameOriginRelativeXsd10SchemaIsNotDetectedAsXsd11() throws Exception {
-        assertFalse(invokeIsXsd11Schema(fileBaseUri, "schema10.xsd"));
+    public void sameOriginRelativeXsd10SchemaIsNotDetectedAsXsd11() {
+        assertFalse(Jaxp.isXsd11Schema(fileBaseUri, "schema10.xsd"));
     }
 
     @Test(timeout = 5000)
-    public void crossOriginHttpLocationIsRefused() throws Exception {
+    public void crossOriginHttpLocationIsRefused() {
         // A real instance would never have a `file://` base URI reachable from an unprivileged
         // caller (only Java-object-backed items do, which already requires elevated capability) --
         // this is just the most convenient same-scheme baseline to contrast against. The case that
         // matters is: whatever the base URI's origin, an absolute, different-origin location must
         // never be followed.
-        assertFalse(invokeIsXsd11Schema(fileBaseUri, "http://203.0.113.1:1/evil.xsd"));
+        assertFalse(Jaxp.isXsd11Schema(fileBaseUri, "http://203.0.113.1:1/evil.xsd"));
     }
 
     @Test(timeout = 5000)
-    public void crossOriginHttpLocationIsRefusedForDatabaseBaseUri() throws Exception {
+    public void crossOriginHttpLocationIsRefusedForDatabaseBaseUri() {
         // The realistic, unprivileged case: a document stored in the database (xmldb:// base URI)
         // with an absolute http:// schemaLocation hint pointing out to an attacker-controlled host.
-        assertFalse(invokeIsXsd11Schema("xmldb://db/test/instance.xml", "http://203.0.113.1:1/evil.xsd"));
+        assertFalse(Jaxp.isXsd11Schema("xmldb://db/test/instance.xml", "http://203.0.113.1:1/evil.xsd"));
     }
 
     @Test(timeout = 5000)
-    public void crossHostXmldbLocationIsRefused() throws Exception {
+    public void crossHostXmldbLocationIsRefused() {
         // An absolute xmldb:// location naming a different host is not "same scheme" enough --
         // XmldbURL.isEmbedded() treats a non-empty host as a remote XML-RPC target
         // (EmbeddedURLConnection -> XmlrpcInputStream), so this must be refused too.
-        assertFalse(invokeIsXsd11Schema("xmldb://db/test/instance.xml", "xmldb://203.0.113.1:1/db/evil.xsd"));
-    }
-
-    private static boolean invokeIsXsd11Schema(final String baseUri, final String location) throws Exception {
-        final Method method = Jaxp.class.getDeclaredMethod("isXsd11Schema", String.class, String.class);
-        method.setAccessible(true);
-        return (boolean) method.invoke(null, baseUri, location);
+        assertFalse(Jaxp.isXsd11Schema("xmldb://db/test/instance.xml", "xmldb://203.0.113.1:1/db/evil.xsd"));
     }
 }

exist-core/src/test/java/org/exist/xquery/functions/validation/JaxpXsd11DetectionCacheTest.java

@@ -24,7 +24,6 @@
 import org.junit.After;
 import org.junit.Test;
 
-import java.lang.reflect.Method;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
@@ -64,30 +63,24 @@ public void cachesResultAcrossCallsAndClearCacheInvalidatesIt() throws Exception
             final String baseUri = instance.toUri().toString();
 
             // First call: reads the real (XSD 1.1) content from disk.
-            assertTrue(invokeIsXsd11Schema(baseUri, "schema.xsd"));
+            assertTrue(Jaxp.isXsd11Schema(baseUri, "schema.xsd"));
 
             // Flip the on-disk content to XSD 1.0 without going through the cache -- if the second
             // call is actually served from cache, it must still report the stale (cached) "true",
             // not re-read this new content.
             Files.writeString(schema, XSD_1_0_SCHEMA, StandardCharsets.UTF_8);
             assertTrue("second call should be served from cache, not re-read the changed file",
-                    invokeIsXsd11Schema(baseUri, "schema.xsd"));
+                    Jaxp.isXsd11Schema(baseUri, "schema.xsd"));
 
             // Clearing the cache (what validation:clear-grammar-cache() does) must make the next
             // call re-read the file and observe the now-current (XSD 1.0) content.
             Jaxp.clearXsd11DetectionCache();
             assertFalse("after clearing the cache, the now-current XSD 1.0 content must be observed",
-                    invokeIsXsd11Schema(baseUri, "schema.xsd"));
+                    Jaxp.isXsd11Schema(baseUri, "schema.xsd"));
         } finally {
             Files.deleteIfExists(tempDir.resolve("instance.xml"));
             Files.deleteIfExists(tempDir.resolve("schema.xsd"));
             Files.deleteIfExists(tempDir);
         }
     }
-
-    private static boolean invokeIsXsd11Schema(final String baseUri, final String location) throws Exception {
-        final Method method = Jaxp.class.getDeclaredMethod("isXsd11Schema", String.class, String.class);
-        method.setAccessible(true);
-        return (boolean) method.invoke(null, baseUri, location);
-    }
 }