https://groovy.apache.org/wiki/GEP-25.html says:
"""
Dynamic dispatch — a call whose target cannot be resolved statically yields a loud "flow not tracked" note rather than a silent verdict.
"""
This ignores dynamic calls that are done by the static compiler and in DGM, or script executions through scripting engines, shells, classloaders or the compiler itself. Actually, a transform could be written in non-static Groovy. I am not saying such things must be in a first version, but a plan for this would be good. Also this sounds like a pretty big chunk.

bye Jochen

On 6/17/26 04:59, Paul King wrote:
Hi folks,

I added a (very) draft GEP that would allow Groovy to have extra
checking around tainted data, like Ballerina does. We currently
provide a fixed set of specialised mechanisms, e.g. like GStrings for
SQL, to handle common cases. However, we lack a general mechanism.

Such a checker is more for us to maintain, and makes the security
surface area larger in the sense that the only thing worse than not
providing a taint handling mechanism is providing one that gives false
positives too frequently, or has holes that give folks a false sense
of security.

Having said that, the IT industry seems to be placing more emphasis on
security matters, and scrutiny of Groovy by AI agents seems likely to
only increase, so I think preparing ourselves to have such a feature
in case circumstances demand it down the track, is a worthy task.

Feedback welcome.

Cheers, Paul.
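For readers unfamiliar with the "GStrings for SQL" mechanism Paul mentions, here is an added illustration (not code from the GEP, from groovy.sql.Sql, or from either poster). The hypothetical `toQuery` helper models the principle: an overload for `GString` keeps the literal text and the interpolated values apart, while the plain `String` overload has no way to tell data from query text and refuses. The last lines show the case Jochen raises, a call through a dynamic method name, where runtime dispatch still works but a static checker cannot see which overload is hit. The sample value is constructed.

```groovy
import groovy.lang.GString

// Hypothetical result type (not part of groovy.sql): the statement text with
// '?' placeholders plus the values to bind.
class ParameterisedQuery {
    String sql
    List<Object> params
}

// GString overload: GString.getStrings() holds the fixed text fragments and
// GString.getValues() holds the interpolated values, so the values become
// bind parameters and never touch the SQL text.
ParameterisedQuery toQuery(GString query) {
    new ParameterisedQuery(sql: query.strings.join('?'), params: query.values as List)
}

// String overload: by the time we see a plain String the data has already been
// concatenated into the text, so the only safe verdict is to reject it.
ParameterisedQuery toQuery(String query) {
    throw new IllegalArgumentException('plain String SQL rejected: interpolate values with a GString so they are bound')
}

String name = "o'brien"   // constructed sample value, standing in for untrusted input

// A double-quoted literal with a placeholder is a GString, so the safe overload is chosen.
def q = toQuery("select id from users where name = $name")
assert q.sql == 'select id from users where name = ?'
assert q.params == ["o'brien"]

// Concatenation yields a plain String, which the String overload refuses.
try {
    toQuery("select id from users where name = '" + name + "'")
    assert false, 'concatenated query should have been rejected'
} catch (IllegalArgumentException e) {
    println "rejected: ${e.message}"
}

// A dynamic call site: runtime dispatch still lands on the GString overload,
// but a static taint checker cannot resolve the target and would have to
// report "flow not tracked" here rather than give a verdict.
String op = 'toQuery'
assert this."$op"("select id from users where name = $name").params == ["o'brien"]
```

The real groovy.sql.Sql does more than this sketch (it also handles expressions and quoting rules), but the shape is the same: the type of the argument at the call site is what makes the check possible, which is exactly what a dynamically resolved call hides.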
