At I Programmer we continue to monitor Java's status closely. Here's what we've recorded throughout 2023.

Why Choose Java

Why go for Java, when there's C#, Go, Rust and Python? It's because Java has always been the favorite of enterprises:

Enterprises talked and still talk Java. Look no further than the Fortune 500 list of companies reliance on it. Yes, Blue Chips love it. The reasons are plenty. The one that enterprises value most is backwards compatibility, being notoriously allergic to radical updates and upgrades. Systems that worked 20 years ago, written in Java 5, should be able to compile and run under version 8. Stability is what matters.

No wonder that those big corps are getting behind it, like Microsoft releasing its own build of OpenJDK. Why would Microsoft do that that when there are so many OpenJDK choices already?

Java and Azure

One reason is to establish a foothold on Java's market share. The other is that internally it uses Java a lot in its own infrastructure, especially its Azure ecosystem (Azure Spring Cloud, Azure App Service, Azure Functions, Azure Kubernetes), and for that it needs to have its own uniform and universal build applied to them.

But Microsoft has not confined Java and Spring support to VSCode. It has also pumped up support for Intellij and then there's  Azure, which proves the point that given the Microservices and Cloud frenzy the goal is to firmly establish Azure as THE platform to go to when developing Java applications. So we have the release of "Azure Toolkit for IntelliJ", a plugin that provides templates and functionality with which you easily create, develop, test, and deploy Azure applications, and "Integrating Azure and Spring with Spring Cloud Azure" an open-source project that provides seamless Spring integration with Azure services.

Tooling

Since talking about tooling, Java is the most well catered language IDE-wise. There's Netbeans, JDeveloper, Eclipse, BlueJ, but in reality the choice is between IntelliJ and VSCode. IntelliJ is of course closely associated with Java and Kotlin, while VSCode with C# and the like. But for those devs who code in Java as well as other languages and do not want to switch IDEs depending on the language, VSCode is of course the recommended choice.

The latest news from that IDE battlefield is that last month Oracle released the "Java Platform Extension" for VSCode to offer an even more enriched experience for those programming in Java and VSCode. And Jetbrains have also recently released a version of Intellij with AI capabilities. So if you go the Java way 2023 onwards, tooling wise you are well covered.

Software Supply Chain Security

A big issue attracting the limelight throughout 2023 has been the software supply chain security. To build useful software we don't reinvent the wheel but we base on work already done coming bundled in the form of libraries. The problem is that even a mediocre open source project can have loads of such dependencies which themselves depend on others , forming a lengthy chain. Not a problem per se unless malicious code or security vulnerability finds its way anywhere in this chain.

As such, SBOMs (Software Bills of Materials) was a trending topic since it got widely recognized as means for defending against supply chain attacks, magnified by the US President Biden's Executive Order on Improving the Nation’s Cybersecurity as of May of 2021.

Java has been well covered in that respect too, with the release of Jbom, an open source project hosted by the Eclipse Foundation that generates Runtime and Static SBOMs for local and remote Java apps.

Jbom works with Instrumentation which gives it its big advantage over the other solutions. Instrumentation allows you to do security analysis from within the running application - by watching the code run. Others who scanning file systems , code repos , or containers could easily fail to detect libraries accurately. By doing the scanning at runtime you have none of those issues.

Shortly after the February release of jbom, Java's supply chain continued to strengthen due to March's release of Sigstore Java. Sigstore Java is a tool for signing and verifying Java package distributions with Sigstore's keyless signing. Sigstore signing empowers software developers to securely sign software artifacts such as release files, container images and binaries. These signatures are then stored in a tamper-proof public log - for free. The sigstore-java client library still under development, provides a native Java implementation for the signing and verification services but so great that the OSSRH, aka Maven Central, is planing to replace its aging PGP based system for signing Java distributions with that of Sigstore's.

JDK 20

March also saw JDK 20 going GA, with many new features that rendered Java not just relevant to today's requirements, but a few steps ahead. Every JDK since the major revamping of Java with the venerable version 8, has added something new and exciting to the language. For instance, JDK 9 added Modules, 10 added Local-Variable Type Inference, 15 Text blocks and 19 the preview of Virtual threads under project Loom.

Version 20 didn't just add a second preview to Virtual Threads, bringing it close to production readiness and wasn't all about project Loom. Instead it saw an amalgamation of JEPs (JDK Enhancement Proposals) collected under the umbrella projects Panama and Amber too. As such the JEP's that found the way into version 20 of the JDK were:

429: Scoped Values (Incubator)
432: Record Patterns (Second Preview)
433: Pattern Matching for switch (Fourth Preview)
434: Foreign Function & Memory API (Second Preview)
436: Virtual Threads (Second Preview)
437: Structured Concurrency (Second Incubator)
438: Vector API (Fifth Incubator)

along with hundreds of smaller enhancements and thousands of bug fixes.