Bump the dependencies group with 3 updates

[dependabot]

Bumps the dependencies group with 3 updates: net.bytebuddy:byte-buddy, com.github.spotbugs:spotbugs and com.github.spotbugs:spotbugs-annotations.

Updates net.bytebuddy:byte-buddy from 1.16.1 to 1.17.0

Release notes

Sourced from net.bytebuddy:byte-buddy's releases.

Byte Buddy 1.17.0

• Assure that implicit choice for class reader and class writer are always symmetric with regard to internal representation.
• Retrofit MemberSubstitution to also allow for intercepting invokedynamic instructions.
• Introduce @Handle annotations to allow for injecting constant pool-stored method handle in Advice, MemberSubstitution and MethodDelegation.
• Introduce @DynamicConstant annotations to allow for injecting constant pool-stored dynamic constants in Advice, MemberSubstitution and MethodDelegation.

Changelog

Sourced from net.bytebuddy:byte-buddy's changelog.

29. January 2025: version 1.17.0

• Assure that implicit choice for class reader and class writer are always symmetric with regard to internal representation.
• Retrofit MemberSubstitution to also allow for intercepting invokedynamic instructions.
• Introduce @Handle annotations to allow for injecting constant pool-stored method handle in Advice, MemberSubstitution and MethodDelegation.
• Introduce @DynamicConstant annotations to allow for injecting constant pool-stored dynamic constants in Advice, MemberSubstitution and MethodDelegation.

Commits

• 6441732 [maven-release-plugin] prepare release byte-buddy-1.17.0
• afde65c [release] Release new version
• ee96f56 Fix compilation under JDK6.
• f8a6cd1 Fix compilation under JDK6.
• c2ff6cb Add missing rule declaration.
• 2f16f68 Fix modifiers.
• 014d098 Remove trailing spaces.
• 786a17e Add missing tests.
• 5270eb7 Add test.
• e5cc410 Add dynamic constant annotation.
• Additional commits viewable in compare view

Updates com.github.spotbugs:spotbugs from 4.8.6 to 4.9.0

Release notes

Sourced from com.github.spotbugs:spotbugs's releases.

SpotBugs 4.9.0

CHANGELOG

Added

• Updated the SuppressFBWarnings annotation to support finer grained bug suppressions (#3102)
• SimpleDateFormat, DateTimeFormatter, FastDateFormat string check for bad combinations of flag formatting (#637)
• New detector ResourceInMultipleThreadsDetector and introduced new bug type:
  • AT_UNSAFE_RESOURCE_ACCESS_IN_THREAD is reported in case of unsafe resource access in multiple threads.

Fixed

• Do not consider Records as Singletons (#2981)
• Keep a maximum of 10000 cached analysis entries for plugin's analysis engines (#3025)
• Only report MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT when calling own methods (#2957)
• Check the actual caught exceptions (instead of their common type) when analyzing multi-catch blocks (#2968)
• System property findbugs.refcomp.reportAll is now being used. For some new conditions, it will emit an experimental warning (#2988)
• -version flag prints the version to the standard output (#2797)
• Revert the changes from (#2894) to get HTML stylesheets to work again (#2969)
• Fix FP SING_SINGLETON_GETTER_NOT_SYNCHRONIZED report when the synchronization is in a called method (#3045)
• Let BetterCFGBuilder2.isPEI handle dup2 bytecode used by Spring AOT (#3059)
• Detect failure to close RocksDB's ReadOptions (#3069)
• Fix FP EI_EXPOSE_REP when there are multiple immutable assignments (#3023)
• Fixed false positive NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for Kotlin, handle Kotlin's Intrinsics.checkNotNullParameter() (#3094)
• Fixed some CWE mappings (#3124)
• Recognize some classes as immutable, fixing EI_EXPOSE and MS_EXPOSE FPs (#3137)
• Do not report UWF_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for fields initialized in method annotated with TestNG's @​BeforeClass. (#3152)
• Fixed detector FindReturnRef not finding references exposed from nested and inner classes (#2042)
• Fix call graph, include non-parametric void methods (#3160)
• Fix multiple reporting of identical bugs messing up statistics (#3185)
• Added missing comma between line number and confidence when describing matching and mismatching bugs for tests (#3187)
• Fixed method matchers with array types (#3203)
• Fix SARIF report's message property in Exception to meet the standard (#3197)
• Fixed FI_FINALIZER_NULLS_FIELDS FPs for functions called finalize() but not with the correct signature. (#3207)
• Fixed an error in the detection of bridge methods causing analysis crashes (#3208)
• Fixed detector ThrowingExceptions by removing false positive reports, such as synthetic methods (lambdas), methods which inherited their exception specifications and methods which call throwing methods (#2040)
• Do not report DP_DO_INSIDE_DO_PRIVILEGED, DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED and USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE in code targeting Java 17 and above, since it advises the usage of deprecated method (#1515).
• Fixed a RV_RETURN_VALUE_IGNORED_NO_SIDE_EFFECT false positive for a builder delegating to another builder (#3235)

Cleanup

• Cleanup thread issue and regex issue in test-harness (#3130)
• Remove extra blank lines and remove public from interface objects as inherently already public (#3131)
• Fix order of modifiers on properties/methods and ensure correct location in file (#3132, #3177)
• Return objects directly instead of creating more garbage collection by defining them (#3133, #3175)
• Restrict the constructor of abstract classes visibility to protected (#3178)
• Cleanup double initialization and fix comments referring to findbugs instead of spotbugs(#3134)
• Use diamond operator in constructor calls of Collections (#3176)
• Use Collection.isEmpty() or String.isEmpty() to test for emptiness (#3180, #3219)
• Use method references instead of lambdas where possible (#3179)
• Move default clauses to the end of switches (#3222)
• Remove unnecessary throws declarations (#3220)
• Use Boolean.parseBoolean() for string-to-boolean conversion. (#3217)
• Rename shadowing fields (#3221)

... (truncated)

Changelog

Sourced from com.github.spotbugs:spotbugs's changelog.

4.9.0 - 2025-01-15

Added

• Updated the SuppressFBWarnings annotation to support finer grained bug suppressions (#3102)
• SimpleDateFormat, DateTimeFormatter, FastDateFormat string check for bad combinations of flag formatting (#637)
• New detector ResourceInMultipleThreadsDetector and introduced new bug type:
  • AT_UNSAFE_RESOURCE_ACCESS_IN_THREAD is reported in case of unsafe resource access in multiple threads.

Fixed

• Do not consider Records as Singletons (#2981)
• Keep a maximum of 10000 cached analysis entries for plugin's analysis engines (#3025)
• Only report MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT when calling own methods (#2957)
• Check the actual caught exceptions (instead of their common type) when analyzing multi-catch blocks (#2968)
• System property findbugs.refcomp.reportAll is now being used. For some new conditions, it will emit an experimental warning (#2988)
• -version flag prints the version to the standard output (#2797)
• Revert the changes from (#2894) to get HTML stylesheets to work again (#2969)
• Fix FP SING_SINGLETON_GETTER_NOT_SYNCHRONIZED report when the synchronization is in a called method (#3045)
• Let BetterCFGBuilder2.isPEI handle dup2 bytecode used by Spring AOT (#3059)
• Detect failure to close RocksDB's ReadOptions (#3069)
• Fix FP EI_EXPOSE_REP when there are multiple immutable assignments (#3023)
• Fixed false positive NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for Kotlin, handle Kotlin's Intrinsics.checkNotNullParameter() (#3094)
• Fixed some CWE mappings (#3124)
• Recognize some classes as immutable, fixing EI_EXPOSE and MS_EXPOSE FPs (#3137)
• Do not report UWF_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for fields initialized in method annotated with TestNG's @​BeforeClass. (#3152)
• Fixed detector FindReturnRef not finding references exposed from nested and inner classes (#2042)
• Fix call graph, include non-parametric void methods (#3160)
• Fix multiple reporting of identical bugs messing up statistics (#3185)
• Added missing comma between line number and confidence when describing matching and mismatching bugs for tests (#3187)
• Fixed method matchers with array types (#3203)
• Fix SARIF report's message property in Exception to meet the standard (#3197)
• Fixed FI_FINALIZER_NULLS_FIELDS FPs for functions called finalize() but not with the correct signature. (#3207)
• Fixed an error in the detection of bridge methods causing analysis crashes (#3208)
• Fixed detector ThrowingExceptions by removing false positive reports, such as synthetic methods (lambdas), methods which inherited their exception specifications and methods which call throwing methods (#2040)
• Do not report DP_DO_INSIDE_DO_PRIVILEGED, DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED and USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE in code targeting Java 17 and above, since it advises the usage of deprecated method (#1515).
• Fixed a RV_RETURN_VALUE_IGNORED_NO_SIDE_EFFECT false positive for a builder delegating to another builder (#3235)

Cleanup

• Cleanup thread issue and regex issue in test-harness (#3130)
• Remove extra blank lines and remove public from interface objects as inherently already public (#3131)
• Fix order of modifiers on properties/methods and ensure correct location in file (#3132, #3177)
• Return objects directly instead of creating more garbage collection by defining them (#3133, #3175)
• Restrict the constructor of abstract classes visibility to protected (#3178)
• Cleanup double initialization and fix comments referring to findbugs instead of spotbugs(#3134)
• Use diamond operator in constructor calls of Collections (#3176)
• Use Collection.isEmpty() or String.isEmpty() to test for emptiness (#3180, #3219)
• Use method references instead of lambdas where possible (#3179)
• Move default clauses to the end of switches (#3222)
• Remove unnecessary throws declarations (#3220)
• Use Boolean.parseBoolean() for string-to-boolean conversion. (#3217)
• Rename shadowing fields (#3221)
• Combine catch blocks with the same body (#3223)

... (truncated)

Commits

• ef76e9b release v4.9.0
• d64bfd2 Remove legacy cvs / svn revision data as git doesn't use that (#3262)
• 3d80c80 Move documentation items and other build items to java 11 (#3260)
• ab2a9f7 Fix map container to use interface, few missed double initialization, and mis...
• b7f48c9 [tests] Cleanup code within tests (#3259)
• 8bc2966 Move Eclipse to java 11 to match rest of the project (#3258)
• d3f97b3 Correct object creation for object to contain array marker not the variable n...
• ce7eac9 Use try with resources where possible (#3253)
• 97ac6b6 chore(deps): update plugin com.diffplug.spotless to v7.0.2 (#3255)
• 9f652a4 chore(deps): update dependency com.diffplug.spotless:spotless-plugin-gradle t...
• Additional commits viewable in compare view

Updates com.github.spotbugs:spotbugs-annotations from 4.8.6 to 4.9.0

Release notes

Sourced from com.github.spotbugs:spotbugs-annotations's releases.

SpotBugs 4.9.0

CHANGELOG

Added

• Updated the SuppressFBWarnings annotation to support finer grained bug suppressions (#3102)
• SimpleDateFormat, DateTimeFormatter, FastDateFormat string check for bad combinations of flag formatting (#637)
• New detector ResourceInMultipleThreadsDetector and introduced new bug type:
  • AT_UNSAFE_RESOURCE_ACCESS_IN_THREAD is reported in case of unsafe resource access in multiple threads.

Fixed

• Do not consider Records as Singletons (#2981)
• Keep a maximum of 10000 cached analysis entries for plugin's analysis engines (#3025)
• Only report MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT when calling own methods (#2957)
• Check the actual caught exceptions (instead of their common type) when analyzing multi-catch blocks (#2968)
• System property findbugs.refcomp.reportAll is now being used. For some new conditions, it will emit an experimental warning (#2988)
• -version flag prints the version to the standard output (#2797)
• Revert the changes from (#2894) to get HTML stylesheets to work again (#2969)
• Fix FP SING_SINGLETON_GETTER_NOT_SYNCHRONIZED report when the synchronization is in a called method (#3045)
• Let BetterCFGBuilder2.isPEI handle dup2 bytecode used by Spring AOT (#3059)
• Detect failure to close RocksDB's ReadOptions (#3069)
• Fix FP EI_EXPOSE_REP when there are multiple immutable assignments (#3023)
• Fixed false positive NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for Kotlin, handle Kotlin's Intrinsics.checkNotNullParameter() (#3094)
• Fixed some CWE mappings (#3124)
• Recognize some classes as immutable, fixing EI_EXPOSE and MS_EXPOSE FPs (#3137)
• Do not report UWF_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for fields initialized in method annotated with TestNG's @​BeforeClass. (#3152)
• Fixed detector FindReturnRef not finding references exposed from nested and inner classes (#2042)
• Fix call graph, include non-parametric void methods (#3160)
• Fix multiple reporting of identical bugs messing up statistics (#3185)
• Added missing comma between line number and confidence when describing matching and mismatching bugs for tests (#3187)
• Fixed method matchers with array types (#3203)
• Fix SARIF report's message property in Exception to meet the standard (#3197)
• Fixed FI_FINALIZER_NULLS_FIELDS FPs for functions called finalize() but not with the correct signature. (#3207)
• Fixed an error in the detection of bridge methods causing analysis crashes (#3208)
• Fixed detector ThrowingExceptions by removing false positive reports, such as synthetic methods (lambdas), methods which inherited their exception specifications and methods which call throwing methods (#2040)
• Do not report DP_DO_INSIDE_DO_PRIVILEGED, DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED and USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE in code targeting Java 17 and above, since it advises the usage of deprecated method (#1515).
• Fixed a RV_RETURN_VALUE_IGNORED_NO_SIDE_EFFECT false positive for a builder delegating to another builder (#3235)

Cleanup

• Cleanup thread issue and regex issue in test-harness (#3130)
• Remove extra blank lines and remove public from interface objects as inherently already public (#3131)
• Fix order of modifiers on properties/methods and ensure correct location in file (#3132, #3177)
• Return objects directly instead of creating more garbage collection by defining them (#3133, #3175)
• Restrict the constructor of abstract classes visibility to protected (#3178)
• Cleanup double initialization and fix comments referring to findbugs instead of spotbugs(#3134)
• Use diamond operator in constructor calls of Collections (#3176)
• Use Collection.isEmpty() or String.isEmpty() to test for emptiness (#3180, #3219)
• Use method references instead of lambdas where possible (#3179)
• Move default clauses to the end of switches (#3222)
• Remove unnecessary throws declarations (#3220)
• Use Boolean.parseBoolean() for string-to-boolean conversion. (#3217)
• Rename shadowing fields (#3221)

... (truncated)

Changelog

Sourced from com.github.spotbugs:spotbugs-annotations's changelog.

4.9.0 - 2025-01-15

Added

• Updated the SuppressFBWarnings annotation to support finer grained bug suppressions (#3102)
• SimpleDateFormat, DateTimeFormatter, FastDateFormat string check for bad combinations of flag formatting (#637)
• New detector ResourceInMultipleThreadsDetector and introduced new bug type:
  • AT_UNSAFE_RESOURCE_ACCESS_IN_THREAD is reported in case of unsafe resource access in multiple threads.

Fixed

• Do not consider Records as Singletons (#2981)
• Keep a maximum of 10000 cached analysis entries for plugin's analysis engines (#3025)
• Only report MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT when calling own methods (#2957)
• Check the actual caught exceptions (instead of their common type) when analyzing multi-catch blocks (#2968)
• System property findbugs.refcomp.reportAll is now being used. For some new conditions, it will emit an experimental warning (#2988)
• -version flag prints the version to the standard output (#2797)
• Revert the changes from (#2894) to get HTML stylesheets to work again (#2969)
• Fix FP SING_SINGLETON_GETTER_NOT_SYNCHRONIZED report when the synchronization is in a called method (#3045)
• Let BetterCFGBuilder2.isPEI handle dup2 bytecode used by Spring AOT (#3059)
• Detect failure to close RocksDB's ReadOptions (#3069)
• Fix FP EI_EXPOSE_REP when there are multiple immutable assignments (#3023)
• Fixed false positive NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for Kotlin, handle Kotlin's Intrinsics.checkNotNullParameter() (#3094)
• Fixed some CWE mappings (#3124)
• Recognize some classes as immutable, fixing EI_EXPOSE and MS_EXPOSE FPs (#3137)
• Do not report UWF_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for fields initialized in method annotated with TestNG's @​BeforeClass. (#3152)
• Fixed detector FindReturnRef not finding references exposed from nested and inner classes (#2042)
• Fix call graph, include non-parametric void methods (#3160)
• Fix multiple reporting of identical bugs messing up statistics (#3185)
• Added missing comma between line number and confidence when describing matching and mismatching bugs for tests (#3187)
• Fixed method matchers with array types (#3203)
• Fix SARIF report's message property in Exception to meet the standard (#3197)
• Fixed FI_FINALIZER_NULLS_FIELDS FPs for functions called finalize() but not with the correct signature. (#3207)
• Fixed an error in the detection of bridge methods causing analysis crashes (#3208)
• Fixed detector ThrowingExceptions by removing false positive reports, such as synthetic methods (lambdas), methods which inherited their exception specifications and methods which call throwing methods (#2040)
• Do not report DP_DO_INSIDE_DO_PRIVILEGED, DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED and USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE in code targeting Java 17 and above, since it advises the usage of deprecated method (#1515).
• Fixed a RV_RETURN_VALUE_IGNORED_NO_SIDE_EFFECT false positive for a builder delegating to another builder (#3235)

Cleanup

• Cleanup thread issue and regex issue in test-harness (#3130)
• Remove extra blank lines and remove public from interface objects as inherently already public (#3131)
• Fix order of modifiers on properties/methods and ensure correct location in file (#3132, #3177)
• Return objects directly instead of creating more garbage collection by defining them (#3133, #3175)
• Restrict the constructor of abstract classes visibility to protected (#3178)
• Cleanup double initialization and fix comments referring to findbugs instead of spotbugs(#3134)
• Use diamond operator in constructor calls of Collections (#3176)
• Use Collection.isEmpty() or String.isEmpty() to test for emptiness (#3180, #3219)
• Use method references instead of lambdas where possible (#3179)
• Move default clauses to the end of switches (#3222)
• Remove unnecessary throws declarations (#3220)
• Use Boolean.parseBoolean() for string-to-boolean conversion. (#3217)
• Rename shadowing fields (#3221)
• Combine catch blocks with the same body (#3223)

... (truncated)

Commits

• ef76e9b release v4.9.0
• d64bfd2 Remove legacy cvs / svn revision data as git doesn't use that (#3262)
• 3d80c80 Move documentation items and other build items to java 11 (#3260)
• ab2a9f7 Fix map container to use interface, few missed double initialization, and mis...
• b7f48c9 [tests] Cleanup code within tests (#3259)
• 8bc2966 Move Eclipse to java 11 to match rest of the project (#3258)
• d3f97b3 Correct object creation for object to contain array marker not the variable n...
• ce7eac9 Use try with resources where possible (#3253)
• 97ac6b6 chore(deps): update plugin com.diffplug.spotless to v7.0.2 (#3255)
• 9f652a4 chore(deps): update dependency com.diffplug.spotless:spotless-plugin-gradle t...
• Additional commits viewable in compare view

Updates com.github.spotbugs:spotbugs-annotations from 4.8.6 to 4.9.0

Release notes

Sourced from com.github.spotbugs:spotbugs-annotations's releases.

SpotBugs 4.9.0

CHANGELOG

Added

• Updated the SuppressFBWarnings annotation to support finer grained bug suppressions (#3102)
• SimpleDateFormat, DateTimeFormatter, FastDateFormat string check for bad combinations of flag formatting (#637)
• New detector ResourceInMultipleThreadsDetector and introduced new bug type:
  • AT_UNSAFE_RESOURCE_ACCESS_IN_THREAD is reported in case of unsafe resource access in multiple threads.

Fixed

• Do not consider Records as Singletons (#2981)
• Keep a maximum of 10000 cached analysis entries for plugin's analysis engines (#3025)
• Only report MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT when calling own methods (#2957)
• Check the actual caught exceptions (instead of their common type) when analyzing multi-catch blocks (#2968)
• System property findbugs.refcomp.reportAll is now being used. For some new conditions, it will emit an experimental warning (#2988)
• -version flag prints the version to the standard output (#2797)
• Revert the changes from (#2894) to get HTML stylesheets to work again (#2969)
• Fix FP SING_SINGLETON_GETTER_NOT_SYNCHRONIZED report when the synchronization is in a called method (#3045)
• Let BetterCFGBuilder2.isPEI handle dup2 bytecode used by Spring AOT (#3059)
• Detect failure to close RocksDB's ReadOptions (#3069)
• Fix FP EI_EXPOSE_REP when there are multiple immutable assignments (#3023)
• Fixed false positive NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for Kotlin, handle Kotlin's Intrinsics.checkNotNullParameter() (#3094)
• Fixed some CWE mappings (#3124)
• Recognize some classes as immutable, fixing EI_EXPOSE and MS_EXPOSE FPs (#3137)
• Do not report UWF_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for fields initialized in method annotated with TestNG's @​BeforeClass. (#3152)
• Fixed detector FindReturnRef not finding references exposed from nested and inner classes (#2042)
• Fix call graph, include non-parametric void methods (#3160)
• Fix multiple reporting of identical bugs messing up statistics (#3185)
• Added missing comma between line number and confidence when describing matching and mismatching bugs for tests (#3187)
• Fixed method matchers with array types (#3203)
• Fix SARIF report's message property in Exception to meet the standard (#3197)
• Fixed FI_FINALIZER_NULLS_FIELDS FPs for functions called finalize() but not with the correct signature. (#3207)
• Fixed an error in the detection of bridge methods causing analysis crashes (#3208)
• Fixed detector ThrowingExceptions by removing false positive reports, such as synthetic methods (lambdas), methods which inherited their exception specifications and methods which call throwing methods (#2040)
• Do not report DP_DO_INSIDE_DO_PRIVILEGED, DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED and USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE in code targeting Java 17 and above, since it advises the usage of deprecated method (#1515).
• Fixed a RV_RETURN_VALUE_IGNORED_NO_SIDE_EFFECT false positive for a builder delegating to another builder (#3235)

Cleanup

• Cleanup thread issue and regex issue in test-harness (#3130)
• Remove extra blank lines and remove public from interface objects as inherently already public (#3131)
• Fix order of modifiers on properties/methods and ensure correct location in file (#3132, #3177)
• Return objects directly instead of creating more garbage collection by defining them (#3133, #3175)
• Restrict the constructor of abstract classes visibility to protected (#3178)
• Cleanup double initialization and fix comments referring to findbugs instead of spotbugs(#3134)
• Use diamond operator in constructor calls of Collections (#3176)
• Use Collection.isEmpty() or String.isEmpty() to test for emptiness (#3180, #3219)
• Use method references instead of lambdas where possible (#3179)
• Move default clauses to the end of switches (#3222)
• Remove unnecessary throws declarations (#3220)
• Use Boolean.parseBoolean() for string-to-boolean conversion. (#3217)
• Rename shadowing fields (#3221)

... (truncated)

Changelog

Sourced from com.github.spotbugs:spotbugs-annotations's changelog.

4.9.0 - 2025-01-15

Added

• Updated the SuppressFBWarnings annotation to support finer grained bug suppressions (#3102)
• SimpleDateFormat, DateTimeFormatter, FastDateFormat string check for bad combinations of flag formatting (#637)
• New detector ResourceInMultipleThreadsDetector and introduced new bug type:
  • AT_UNSAFE_RESOURCE_ACCESS_IN_THREAD is reported in case of unsafe resource access in multiple threads.

Fixed

• Do not consider Records as Singletons (#2981)
• Keep a maximum of 10000 cached analysis entries for plugin's analysis engines (#3025)
• Only report MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT when calling own methods (#2957)
• Check the actual caught exceptions (instead of their common type) when analyzing multi-catch blocks (#2968)
• System property findbugs.refcomp.reportAll is now being used. For some new conditions, it will emit an experimental warning (#2988)
• -version flag prints the version to the standard output (#2797)
• Revert the changes from (#2894) to get HTML stylesheets to work again (#2969)
• Fix FP SING_SINGLETON_GETTER_NOT_SYNCHRONIZED report when the synchronization is in a called method (#3045)
• Let BetterCFGBuilder2.isPEI handle dup2 bytecode used by Spring AOT (#3059)
• Detect failure to close RocksDB's ReadOptions (#3069)
• Fix FP EI_EXPOSE_REP when there are multiple immutable assignments (#3023)
• Fixed false positive NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for Kotlin, handle Kotlin's Intrinsics.checkNotNullParameter() (#3094)
• Fixed some CWE mappings (#3124)
• Recognize some classes as immutable, fixing EI_EXPOSE and MS_EXPOSE FPs (#3137)
• Do not report UWF_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for fields initialized in method annotated with TestNG's @​BeforeClass. (#3152)
• Fixed detector FindReturnRef not finding references exposed from nested and inner classes (#2042)
• Fix call graph, include non-parametric void methods (#3160)
• Fix multiple reporting of identical bugs messing up statistics (#3185)
• Added missing comma between line number and confidence when describing matching and mismatching bugs for tests (#3187)
• Fixed method matchers with array types (#3203)
• Fix SARIF report's message property in Exception to meet the standard (#3197)
• Fixed FI_FINALIZER_NULLS_FIELDS FPs for functions called finalize() but not with the correct signature. (#3207)
• Fixed an error in the detection of bridge methods causing analysis crashes (#3208)
• Fixed detector ThrowingExceptions by removing false positive reports, such as synthetic methods (lambdas), methods which inherited their exception specifications and methods which call throwing methods (#2040)
• Do not report DP_DO_INSIDE_DO_PRIVILEGED, DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED and USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE in code targeting Java 17 and above, since it advises the usage of deprecated method (#1515).
• Fixed a RV_RETURN_VALUE_IGNORED_NO_SIDE_EFFECT false positive for a builder delegating to another builder (#3235)

Cleanup

• Cleanup thread issue and regex issue in test-harness (#3130)
• Remove extra blank lines and remove public from interface objects as inherently already public (#3131)
• Fix order of modifiers on properties/methods and ensure correct location in file (#3132, #3177)
• Return objects directly instead of creating more garbage collection by defining them (#3133, #3175)
• Restrict the constructor of abstract classes visibility to protected (#3178)
• Cleanup double initialization and fix comments referring to findbugs instead of spotbugs(#3134)
• Use diamond operator in constructor calls of Collections (#3176)
• Use Collection.isEmpty() or String.isEmpty() to test for emptiness (#3180, #3219)
• Use method references instead of lambdas where possible (#3179)
• Move default clauses to the end of switches (#3222)
• Remove unnecessary throws declarations (#3220)
• Use Boolean.parseBoolean() for string-to-boolean conversion. (#3217)
• Rename shadowing fields (#3221)
• Combine catch blocks with the same body (#3223)

... (truncated)

Commits

• ef76e9b release v4.9.0
• d64bfd2 Remove legacy cvs / svn revision data as git doesn't use that (#3262)
• 3d80c80 Move documentation items and other build items to java 11 (#3260)
• ab2a9f7 Fix map container to use interface, few missed double initialization, and mis...
• b7f48c9 [tests] Cleanup code within tests (#3259)
• 8bc2966 Move Eclipse to java 11 to match rest of the project (#3258)
• d3f97b3 Correct object creation for object to contain array marker not the variable n...
• ce7eac9 Use try with resources where possible (#3253)
• 97ac6b6 chore(deps): update plugin com.diffplug.spotless to v7.0.2 (#3255)
• 9f652a4 chore(deps): update dependency com.diffplug.spotless:spotless-plugin-gradle t...
• Additional commits viewable in compare view

Most Recent Ignore Conditions Applied to This Pull Request

Dependency Name	Ignore Conditions
com.github.spotbugs:spotbugs	[>= 4.8.0.a, < 4.8.1]
com.github.spotbugs:spotbugs-annotations	[>= 4.8.0.a, < 4.8.1]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report generated by PITest - https://pitest.org - if there are surviving mutants, please check the line comments under 'Files changed', or the full report under the 'CI / pitest' check below this comment.

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report generated by PITest - https://pitest.org - if there are surviving mutants, please check the line comments under 'Files changed', or the full report under the 'CI / pitest' check below this comment.