- Bug
- Resolution: Fixed
- P2
- fx2.0
We added read-only properties after the delombok conversion, and there are many places where, although we have only a public getter and a private/package/protected/no setter, we still expose the property as a fully mutable property. This was never intended and is obviously both a security leak (since it exposes as public what is meant to be private) and an API leak. We must ensure that if there is no public setter, then a real read-only property is returned. Further, ensure that each getter and setter has "final". I think there are one or two exceptions that we use internally, but these should be solved by:
public final void setSuperMethod(Object o) { packageOrProtectedInternalMethod(o); }
void packageOrProtectedInternalMethod(Object o) { ... }
Or whatnot, such that we preserve the ability to override in our own usages, but that the actual public setter is final.
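The leak described in this report, next to the read-only form it asks for, as an added example that is not code from the JavaFX sources. It assumes the `javafx.base` module is on the classpath; `LeakyControl`, `FixedControl` and the `status` property are hypothetical names.

```java
import javafx.beans.property.ReadOnlyStringProperty;
import javafx.beans.property.ReadOnlyStringWrapper;
import javafx.beans.property.SimpleStringProperty;
import javafx.beans.property.StringProperty;

public class ReadOnlyPropertyDemo {

    // Leaky form: the setter is package-private, but statusProperty()
    // hands out the writable property object itself.
    static class LeakyControl {
        private final StringProperty status = new SimpleStringProperty("idle");
        public final String getStatus() { return status.get(); }
        final void setStatus(String value) { status.set(value); }
        public final StringProperty statusProperty() { return status; }
    }

    // Read-only form: the class keeps a ReadOnlyStringWrapper to itself and
    // publishes only the read-only view that the wrapper keeps in sync.
    static class FixedControl {
        private final ReadOnlyStringWrapper status = new ReadOnlyStringWrapper("idle");
        public final String getStatus() { return status.get(); }
        final void setStatus(String value) { status.set(value); }
        public final ReadOnlyStringProperty statusProperty() {
            return status.getReadOnlyProperty();
        }
    }

    public static void main(String[] args) {
        // Any caller can bypass the non-public setter through the property.
        LeakyControl leaky = new LeakyControl();
        leaky.statusProperty().set("changed by caller");
        System.out.println("leaky: " + leaky.getStatus());

        FixedControl fixed = new FixedControl();
        ReadOnlyStringProperty view = fixed.statusProperty();
        // view.set("x") does not compile: ReadOnlyStringProperty has no set()
        // or bind(). A downcast does not help either, because the view is
        // not an instance of StringProperty.
        System.out.println("view is writable type: " + (view instanceof StringProperty));

        // Internal updates still reach observers of the read-only view.
        view.addListener((obs, oldV, newV) -> System.out.println("observed: " + newV));
        fixed.setStatus("running");
        System.out.println("fixed: " + view.get());
    }
}
```

The leaky form also lets a caller `bind()` the property, after which the class's own internal `set()` throws; returning the wrapper's read-only view removes both the write path and the bind path.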
- relates to
  - JDK-8129053 TextInput.text should be read-only property (Closed)