fix(deps): update dependency com.github.spotbugs:spotbugs to v4.9.4

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
com.github.spotbugs:spotbugs (source)	4.8.6 -> 4.9.4

---

Release Notes

spotbugs/spotbugs (com.github.spotbugs:spotbugs)

v4.9.4

Compare Source

Changed

• AnnotationMatcher can now ignore bugs if annotation is also applied on methods or fields. Previously only annotations on classes were considered.
• Add relevant CWE ids to bugs and refer the CWEs in the bug messages (#​3354).
• Replace LOCAL_VARIABLE_UNKNOWN with exact method name for NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE (#​3485)

Fixed

• Widen main method recognition according to JEP 445. (#​3371)
• Do not report US_USELESS_SUPPRESSION_ON_* on methods, fields, parameters, packages or classes with an *.Generated annotation with retention >= class (#​3350)(#​3409)
• Rewrite some member in ResourceValueFrame.java to Enum (#​2061)
• Ignore non-interpreted text when looking for FS_BAD_DATE_FORMAT_FLAG_COMBO (#​3387)
• Fix IllegalArgumentException thrown from FindNoSideEffectMethods detector (#​3320)
• Do not report RV_RETURN_VALUE_IGNORED_NO_SIDE_EFFECT when part of a Mockito doAnswer(), doCallRealMethod(), doNothing(), doThrow() or doReturn() call (#​3334)
• Fix CT_CONSTRUCTOR_THROW false positive with public and private constructors in specific order of methods (#​3417)
• Fix AT_NONATOMIC_OPERATIONS_ON_SHARED_VARIABLE, AT_NONATOMIC_64BIT_PRIMITIVE and AT_STALE_THREAD_WRITE_OF_PRIMITIVE FP when the relevant code is in private method, which is only called with proper synchronization (#​3428)
• Do not report RV_RETURN_VALUE_IGNORED_NO_SIDE_EFFECT when part of a BDDMockito call (#​3441)
• Fix AT_NONATOMIC_OPERATIONS_ON_SHARED_VARIABLE when field of a local variable is set. (#​3459)
• Fix AT_NONATOMIC_OPERATIONS_ON_SHARED_VARIABLE FP when there was no compound operation (#​3363)
• Fix NM_FIELD_NAMING_CONVENTION crash in the TestASM detector (#​3489)
• Do not report UWF_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for fields initialized in JUnit 3/4 setUp() method. (#​3169)
• Fix US_USELESS_SUPPRESSION_ON_FIELD/UUF_UNUSED_FIELD false positive (#​3496)
• Make the osgi manifest of the annotations jar Java 8 compatible (#​3498) (#​3500)
• TextUICommandLine supports all options encoded in Eclipse preferences file (#​3520)
• Unnecessary suppressions fix for records headers (#​3471)
• Dead store fix when switch case contains loops (#​3530) (#​3449)
• Consider PUTFIELD and PUTSTATIC when looking for assertions with side effects (#​3463)
• Detect cases when equals() unconditionally returns true or false (#​3528)
• Do not report that an Iterator does not throw NoSuchElementException when hasNext() returns true (#​3501)
• Detect random value cast to int when stored in temporary variable (#​3461)
• Look for interfaces default methods when searching uncalled private methods (#​1988)
• Fixed field self assignment false positive (#​2258)
• Fixed DMI_INVOKING_TOSTRING_ON_ARRAY on newer JDK (#​1147)
• Fix NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE false positive with Objects.requireNonNull (#​2965) (#​3573)
• Track inner classes access methods to correctly report the bugs (#​2029)
• SF_SWITCH_NO_DEFAULT false positive fix (#​1148) (#​3572)

Added

• Added the unnecessary annotation to the US_USELESS_SUPPRESSION_ON_* messages (#​3395)
• Multi-threaded code checks can be skipped with @NotThreadSafe (#​3390)
• New bug type CWO_CLOSED_WITHOUT_OPENED for locks that might be released without even being acquired. (See SEI CERT rule LCK08-J) (#​2055)
  • Breaking change: changed values and new items in ResourceValueFrame.
• Inline access method for method. (#​3481)
• Added DMI_MISLEADING_SUBSTRING for calling subString(0) on a StringBuffer/StringBuilder (#​1928)

Signing

• Signing for Eclipse plugin has been removed at the current time due to signing keys being expired. The expired key produced a warning during install, the same is true without signing.

v4.9.3

Compare Source

Added

• Introduced UselessSuppressionDetector to report the useless annotations instead of NoteSuppressedWarnings (#​3348)

Fixed

• Do not report US_USELESS_SUPPRESSION_ON_METHOD on synthetic methods (#​3351)

v4.9.2

Compare Source

Added

• Reporting useless @SuppressFBWarnings annotations (#​641)

Fixed

• Fixed html bug descriptions for AT_STALE_THREAD_WRITE_OF_PRIMITIVE and AT_NONATOMIC_64BIT_PRIMITIVE (#​3303)
• Fixed an HSM_HIDING_METHOD false positive when ECJ generates a synthetic method for an enum switch (#​3305)
• Fix AT_UNSAFE_RESOURCE_ACCESS_IN_THREAD false negatives, detector depending on method order.
• Fix THROWS_METHOD_THROWS_CLAUSE_THROWABLE reported in a method calling MethodHandle.invokeExact due to its polymorphic signature (#​3309)
• Fix AT_STALE_THREAD_WRITE_OF_PRIMITIVE false positive in inner class (#​3310).
• Fix AT_STALE_THREAD_WRITE_OF_PRIMITIVE false positive for ECJ compiled enum switches (#​3316)
• Fix RC_REF_COMPARISON false positive with Lombok With annotation (#​3319)
• Avoid calling File.getCanonicalPath twice to improve performance (#​3325)
• Fix MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR and MC_OVERRIDABLE_METHOD_CALL_IN_CLONE false positive when the overridable method is outside the class (#​3328).
• Fix NullPointerException thrown from ThrowingExceptions detector (#​3337).

Removed

• Removed the TLW_TWO_LOCK_NOTIFY, LI_LAZY_INIT_INSTANCE, BRSA_BAD_RESULTSET_ACCESS, BC_NULL_INSTANCEOF, NP_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR and RCN_REDUNDANT_CHECKED_NULL_COMPARISON deprecated bug patterns.

v4.9.1

Compare Source

Added

• New detector SharedVariableAtomicityDetector for new bug types AT_NONATOMIC_OPERATIONS_ON_SHARED_VARIABLE, AT_NONATOMIC_64BIT_PRIMITIVE and AT_STALE_THREAD_WRITE_OF_PRIMITIVE (See SEI CERT rules VNA00-J, VNA02-J and VNA05-J).
• New detector FindHiddenMethod for bug type HSM_HIDING_METHOD. This bug is reported whenever a subclass method hides the static method of super class. (See SEI CERT MET07-J).

Fixed

• Fixed the parsing of generics methods in ThrowingExceptions (#​3267)
• Accept the 1st parameter of java.util.concurrent.CompletableFuture's completeOnTimeout(), getNow() and obtrudeValue() functions as nullable (#​1001).
• Fixed the analysis error when FindReturnRef was checking instructions corresponding to a CFG branch that was optimized away (#​3266)
• Added execute file permission to files in the distribution archive (#​3274)
• Fixed a stack overflow in MultipleInstantiationsOfSingletons when a singleton initializer makes recursive calls (#​3280)
• Fixed NPE in FindReturnRef on inner class fields (#​3283)
• Fixed NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE false positive when add edu.umd.cs.findbugs.annotations.Nullable (#​3243)

v4.9.0

Compare Source

Added

• Updated the SuppressFBWarnings annotation to support finer grained bug suppressions (#​3102)
• SimpleDateFormat, DateTimeFormatter, FastDateFormat string check for bad combinations of flag formatting (#​637)
• New detector ResourceInMultipleThreadsDetector and introduced new bug type:
  • AT_UNSAFE_RESOURCE_ACCESS_IN_THREAD is reported in case of unsafe resource access in multiple threads.

Fixed

• Do not consider Records as Singletons (#​2981)
• Keep a maximum of 10000 cached analysis entries for plugin's analysis engines (#​3025)
• Only report MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT when calling own methods (#​2957)
• Check the actual caught exceptions (instead of their common type) when analyzing multi-catch blocks (#​2968)
• System property findbugs.refcomp.reportAll is now being used. For some new conditions, it will emit an experimental warning (#​2988)
• -version flag prints the version to the standard output (#​2797)
• Revert the changes from (#​2894) to get HTML stylesheets to work again (#​2969)
• Fix FP SING_SINGLETON_GETTER_NOT_SYNCHRONIZED report when the synchronization is in a called method (#​3045)
• Let BetterCFGBuilder2.isPEI handle dup2 bytecode used by Spring AOT (#​3059)
• Detect failure to close RocksDB's ReadOptions (#​3069)
• Fix FP EI_EXPOSE_REP when there are multiple immutable assignments (#​3023)
• Fixed false positive NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for Kotlin, handle Kotlin's Intrinsics.checkNotNullParameter() (#​3094)
• Fixed some CWE mappings (#​3124)
• Recognize some classes as immutable, fixing EI_EXPOSE and MS_EXPOSE FPs (#​3137)
• Do not report UWF_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for fields initialized in method annotated with TestNG's @​BeforeClass. (#​3152)
• Fixed detector FindReturnRef not finding references exposed from nested and inner classes (#​2042)
• Fix call graph, include non-parametric void methods (#​3160)
• Fix multiple reporting of identical bugs messing up statistics (#​3185)
• Added missing comma between line number and confidence when describing matching and mismatching bugs for tests (#​3187)
• Fixed method matchers with array types (#​3203)
• Fix SARIF report's message property in Exception to meet the standard (#​3197)
• Fixed FI_FINALIZER_NULLS_FIELDS FPs for functions called finalize() but not with the correct signature. (#​3207)
• Fixed an error in the detection of bridge methods causing analysis crashes (#​3208)
• Fixed detector ThrowingExceptions by removing false positive reports, such as synthetic methods (lambdas), methods which inherited their exception specifications and methods which call throwing methods (#​2040)
• Do not report DP_DO_INSIDE_DO_PRIVILEGED, DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED and USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE in code targeting Java 17 and above, since it advises the usage of deprecated method (#​1515).
• Fixed a RV_RETURN_VALUE_IGNORED_NO_SIDE_EFFECT false positive for a builder delegating to another builder (#​3235)

Cleanup

• Cleanup thread issue and regex issue in test-harness (#​3130)
• Remove extra blank lines and remove public from interface objects as inherently already public (#​3131)
• Fix order of modifiers on properties/methods and ensure correct location in file (#​3132, #​3177)
• Return objects directly instead of creating more garbage collection by defining them (#​3133, #​3175)
• Restrict the constructor of abstract classes visibility to protected (#​3178)
• Cleanup double initialization and fix comments referring to findbugs instead of spotbugs(#​3134)
• Use diamond operator in constructor calls of Collections (#​3176)
• Use Collection.isEmpty() or String.isEmpty() to test for emptiness (#​3180, #​3219)
• Use method references instead of lambdas where possible (#​3179)
• Move default clauses to the end of switches (#​3222)
• Remove unnecessary throws declarations (#​3220)
• Use Boolean.parseBoolean() for string-to-boolean conversion. (#​3217)
• Rename shadowing fields (#​3221)
• Combine catch blocks with the same body (#​3223)
• Merge conditions of nested ifs (#​3231)
• Use non deprecated 'getDottedClassName' instead of 'toDottedClassName'(#​3251)
• Use try with resources where possible (#​3253)

Changed

• Bump up Java version to 11

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.24%. Comparing base (09b3138) to head (49c427e).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff              @@
##               main    #1548      +/-   ##
============================================
+ Coverage     92.82%   93.24%   +0.42%     
- Complexity      487      489       +2     
============================================
  Files            46       46              
  Lines          1170     1170              
  Branches        103      103              
============================================
+ Hits           1086     1091       +5     
+ Misses           54       49       -5     
  Partials         30       30              

Flag	Coverage Δ
unittests	93.24% <ø> (+0.42%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.