Affects PMD Version: 6.55.0

Rule: EmptyFinalizer

Please provide the rule name and a link to the rule documentation:
https://docs.pmd-code.org/latest/pmd_rules_java_errorprone.html#emptyfinalizer

Description:

The rule declares "Empty finalize methods serve no purpose and should be removed. ".

This is not true for the case that the method is marked "final" in a class that is not marked "final".

SpotBugs recently introduced a check "CT_CONSTRUCTOR_THROW" that errs out if an exception is thrown in a non-final class's constructor, because nefarious subclasses may perform a so-called "Finalizer Attack". Also see https://wiki.sei.cmu.edu/confluence/display/java/OBJ11-J.+Be+wary+of+letting+constructors+throw+exceptions

Moreover, declaring an empty, final finalizer method may be a performance optimization, as per https://stuartmarks.wordpress.com/2022/04/27/why-write-an-empty-finalize-method/

Code Sample demonstrating the issue:

package example;
public class PMDTest {
  protected final Object someState = initObject();
  public PMDTest() throws Exception {
  }
  @Override
  @SuppressWarnings("NoFinalizer" /* checkstyle */)
  @Deprecated
  protected final void finalize() {
  }
  private Object initObject() {
    return new Object();
  }
}

Expected outcome:

PMD reports a violation at line 12, but that's wrong. That's a false positive.

Running PMD through: [Maven]