Update dependency com.github.spotbugs:spotbugs to v4.8.6

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
com.github.spotbugs:spotbugs (source)	4.8.1 -> 4.8.6

---

Release Notes

spotbugs/spotbugs (com.github.spotbugs:spotbugs)

v4.8.6

Compare Source

Fixed

• Do not report BC_UNCONFIRMED_CAST for Java 21's type switches when the switch instruction is TABLESWITCH (#​2782)
• Do not throw exception when inspecting empty switch statements (#​2995)
• Adjust priority since relaxed mode reports even IGNORED_PRIORITY (#​2994)
• Fix duplicated log4j2 jar in distribution (#​3001)

v4.8.5

Compare Source

Fixed

• Fix FP SING_SINGLETON_GETTER_NOT_SYNCHRONIZED with eager instances (#​2932)
• Fix FPs when looking for multiple initialization of Singletons (#​2934)
• Do not report DLS_DEAD_LOCAL_STORE for Java 21's type switches when switch instruction is TABLESWITCH(#​2736)
• Fix FP SE_BAD_FIELD for record fields (#​2935)

v4.8.4

Compare Source

Fixed

• Fix FP in SE_PREVENT_EXT_OBJ_OVERWRITE when the if statement checking for null value, checking multiple variables or the method exiting in the if branch with an exception. (#​2750)
• Fix possible null value in taxonomies of SARIF output (#​2744)
• Fix executionSuccessful flag in SARIF report being set to false when bugs were found (#​2116)
• Move information contained in the SARIF property exitSignalName to exitCodeDescription (#​2739)
• Do not report SE_NO_SERIALVERSIONID or other serialization issues for records (#​2793)
• Added support for CONSTANT_Dynamic (#​2759)
• Ignore generic variable types when looking for BC_UNCONFIRMED_CAST_OF_RETURN_VALUE (#​1219)
• Do not report BC_UNCONFIRMED_CAST for Java 21's type switches (#​2813)
• Remove AppleExtension library (note: menus slightly changed) (#​2823)
• Fix false positive NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE even if Objects.requireNonNull is used. (#​651, #​456)
• Fixed error preventing SpotBugs from reporting FE_FLOATING_POINT_EQUALITY (#​2843)
• Fixed NP_LOAD_OF_KNOWN_NULL_VALUE and RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE false positives in try-with-resources generated finally blocks (#​2844)
• Do not report DLS_DEAD_LOCAL_STORE for Java 21's type switches (#​2828)
• Update UnreadFields detector to ignore warnings for fields with certain annotations (#​574)
• Do not report UWF_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for fields initialized in method annotated with @​PostConstruct, @​BeforeEach, etc. (#​2872 #​2870 #​453)
• Do not report DLS_DEAD_LOCAL_STORE for Hibernate bytecode enhancements (#​2865)
• Fixed NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE false positives due to source code formatting (#​2874)
• Added more nullability annotations in TypeQualifierResolver (#​2558 #​2694)
• Improved the bug description for VA_FORMAT_STRING_USES_NEWLINE when using text blocks, check the usage of String.formatted() (#​2881)
• Fixed crash in ValueRangeAnalysisFactory when looking for redundant conditions used in assertions #​2887)
• Revert again commons-text from 1.11.0 to 1.10.0 to resolve a version conflict (#​2686)
• Fixed false positive MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR when referencing but not calling an overridable method #​2837)
• Update the filter XSD namespace and location for the upcoming 4.8.4 release #​2909)

Added

• New detector MultipleInstantiationsOfSingletons and introduced new bug types:
  • SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR is reported in case of a non-private constructor,
  • SING_SINGLETON_IMPLEMENTS_CLONEABLE is reported in case of a class directly implementing the Cloneable interface,
  • SING_SINGLETON_INDIRECTLY_IMPLEMENTS_CLONEABLE is reported when a class indirectly implements the Cloneable interface,
  • SING_SINGLETON_IMPLEMENTS_CLONE_METHOD is reported when a class does not implement the Cloneable interface, but has a clone() method,
  • SING_SINGLETON_IMPLEMENTS_SERIALIZABLE is reported when a class directly or indirectly implements the Serializable interface and
  • SING_SINGLETON_GETTER_NOT_SYNCHRONIZED is reported when the instance-getter method of the singleton class is not synchronized.
    (See SEI CERT MSC07-J)
• Extend FindOverridableMethodCall detector with new bug type: MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT. It's reported when an overridable method is called from readObject(), according to SEI CERT rule SER09-J. Do not invoke overridable methods from the readObject() method.

Changed

• Minor cleanup in connection with slashed and dotted names (#​2805)

Build

• Fix sonar coverage for project (#​2796)
• Upgraded the build to compile bug samples using Java 21 language features (#​2813)
• Add 'configurations.checkstyle resolution starategy' to control bug in gradle on exclusions not being excluded properly as seen in checkstyle usage. See https://github.com/checkstyle/checkstyle/issues/14211 for more information. (#​2798)
• Allow our builds to work with jdk 11 with drop back on Eclipse to 4.24 and spring to 5.3.31. (#​2604)

v4.8.3

Compare Source

Fixed

• Fix FP in CT_CONSTRUCTOR_THROW when the finalizer does not run, since the exception is thrown before java.lang.Object's constructor exits for checked exceptions (#​2710)
• Applied changes for bcel 6.8.0 with adjustments to constant pool (#​2756)
  • More information bcel changes can be found on (#​2757)
• Fix FN in CT_CONSTRUCTOR_THROW when the return value of the called method is not void or primitive type.
• Fix FP in CT_CONSTRUCTOR_THROW when exception throwing lambda is created, but not called in constructor (#​2695)

Changed

• Improved Matcher checks for empty strings (#​2755)
• Allow 'onlyAnalyze' option to specify negative matches, such that this facility can be used to prevent a subset of classes to be excluded from analysis (#​2754)
• Strictly require logback 1.2.13 due to CVE-2023-6481 and CVE-23-6378 (#​2760)
• Prefer log4j2 at 2.22.0 and logback at 1.4.14 (#​2760)

v4.8.2

Compare Source

Fixed

• Fixed false positive UPM_UNCALLED_PRIVATE_METHOD for method used in JUnit's MethodSource (#​2379)
• Use java.nio to load filter files (#​2684)
• Eclipse: Do not export javax.annotation packages (#​2699)
• Fixed not thread safe FindOverridableMethodCall detector (#​2701)
• Fix the weird messages of PI_DO_NOT_REUSE_PUBLIC_IDENTIFIERS bugs. (#​2646)
• Revert commons-text from 1.11.0 to 1.10.0 to resolve a version conflict (#​2686)
• Fix FP in CT_CONSTRUCTOR_THROW when the finalizer does not run, since the exception is thrown before java.lang.Object's constructor exits (#​2710)

Added

• New detector finding System.getenv() calls, where the corresponding Java property could be used (See ENV02-J).

Build

• Run build using jdk 17 and 21 without usage of toolchains so we do not defeat the purpose of building on both. (#​2722)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.