Java Spring Boot: Prevent user code from running during discovery

Context

While we don't intend to run the target application in order to generate the OpenAPI doc, neither can we generate it with an entirely static scan. Essentially we need to set up the application as if it were about to start listening for traffic, generate the doc, and then abort.

Because of the way Spring works, this process of setting up the application may, by default, cause user code to run. If this code is only prepared to run in the user's target environment, it may fail while trying to run in the context of API Discovery, preventing discovery from completing successfully. For example, the application may attempt to connect to a database during the setup phase, and if it cannot connect, the setup will fail.

Solution

By monitoring and intercepting certain steps in the setup process, we can prevent most cases where user code would be run as part of setup, thereby preventing errors that would occur as a result.

There are some caveats to this approach:

  • Because Spring is extremely configurable, we cannot guarantee that all possible ways to run user code have been prevented. We can only target the most typical mechanisms.
  • Preventing user code from running may have unforeseeable side effects, up to and including causing the discovery process to fail.
  • Even if the discovery process does not fail, preventing user code from running may impact the accuracy of the resulting OpenAPI doc.

Options

  1. Always limit user code from running
  2. Allow the user to configure whether to run user code
    1. Could either default to "yes" or "no"
  3. Run discovery once allowing user code to run, and if it fails, run it again while preventing user code from running (default to allow since it is more likely to be more accurate)
    1. Allow the user to disable one or both of those modes?
Edited Nov 15, 2022 by David Nelson
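
A sketch of option 3 above, added here as an example and not the project's own implementation: try once with user code allowed, then retry with Spring Boot's lazy initialization standing in for the interception the issue describes. It assumes Spring Boot 2.2 or later; `DiscoveryLauncher`, `DiscoveryComplete` and the `docGenerator` callback are hypothetical names.

```java
import java.util.function.Function;
import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.boot.context.event.ApplicationStartedEvent;
import org.springframework.context.ApplicationListener;
import org.springframework.context.ConfigurableApplicationContext;

/** Hypothetical launcher: permissive attempt first, restricted retry on failure. */
public final class DiscoveryLauncher {
    /** Carries the generated doc out of SpringApplication.run(); not an application error. */
    static final class DiscoveryComplete extends RuntimeException {
        final String openApiDoc;
        DiscoveryComplete(String doc) {
            super("discovery complete", null, false, false);
            this.openApiDoc = doc;
        }
    }

    /** docGenerator is a hypothetical callback that builds the OpenAPI doc from the context. */
    public static String discover(Class<?> userApp,
            Function<ConfigurableApplicationContext, String> docGenerator) {
        try {
            return attempt(userApp, docGenerator, false); // user code allowed
        } catch (RuntimeException setupFailure) { // e.g. a bean could not reach its database
            return attempt(userApp, docGenerator, true);
        }
    }

    private static String attempt(Class<?> userApp,
            Function<ConfigurableApplicationContext, String> docGenerator, boolean restrict) {
        // ApplicationStartedEvent fires after refresh but before ApplicationRunner and
        // CommandLineRunner beans are called, so aborting here skips those runners.
        ApplicationListener<ApplicationStartedEvent> captureAndAbort =
                new ApplicationListener<ApplicationStartedEvent>() {
            @Override public void onApplicationEvent(ApplicationStartedEvent event) {
                throw new DiscoveryComplete(docGenerator.apply(event.getApplicationContext()));
            }
        };
        try {
            // Lazy beans are not instantiated during refresh. Static initializers and
            // bean factory post-processors in user code still run.
            new SpringApplicationBuilder(userApp).lazyInitialization(restrict)
                    .listeners(captureAndAbort).run();
            throw new IllegalStateException("startup finished without capturing the doc");
        } catch (RuntimeException e) {
            for (Throwable t = e; t != null; t = t.getCause()) {
                if (t instanceof DiscoveryComplete) return ((DiscoveryComplete) t).openApiDoc;
            }
            throw e;
        }
    }
}
```

Spring Boot treats the deliberate abort as a failed startup, so it closes the context and logs the exception even when discovery succeeded.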