Define in the user preferences a list of file hashes to be trusted when jar files are added to the classpath of jdt.ls

I think a good compromise would be what you suggested, to confirm that the path provided by javaagent corresponds to a file that is not provided by the workspace.

Just a few workaround to consider before we look at providing some kind of trusted resource store :

1. Can you provide javaagent argument to java.jdt.ls.vmargs under user settings (not workspace settings) ?

As you’ve discovered in https://github.com/redhat-developer/vscode-java/blob/master/src/settings.ts#L141-L158 , when the workspace settings contain javaagent in java.jdt.ls.vmargs, we bring up a popup to warn the user. However, if the setting comes from the user settings, we allow it. On most VSCode instances, this would be under ${userDataDir}/User/settings.json, and ${userDataDir} usually defaults to $HOME/.config/Code/. I’m able to get javaagent accepted as an argument without any prompt using this approach. If so, you’d probably just need to figure out what corresponds to ${userDataDir} in your environment.

1. Can you provision the contents of globalState ?

From https://github.com/redhat-developer/vscode-java/blob/master/src/settings.ts#L141-L158 , the property written to globalState to skip the security check when javaagent is defined in workspace settings, is :

key = redhat.java
value = {"java.ls.isVmargsAllowed::${workspacePath}/jdt_ws::${javaAgentFlag}":true}

where the globalState is usually the sqlite database at ${userDataDir}/User/globalStorage/state.vscdb, ${workspacePath} would be something like /tmp/code-tmp/config/User/workspaceStorage/d7f5a8f370269b38c3449ecf3ba23efb/redhat.java and ${javaAgentFlag} would be something like -javaagent:/tmp/code-tmp/lombok.jar

I’m fairly certain (2) isn’t easy to do, but (1) seems possible. If neither work, we can probably look at some kind of trustedHash setting like we do for vscode-xml.