Fix SpotBugs processing.

Reuse the same activation ID as in parent POM.
Deactivate flattening when tests are ignored.

pom.xml

@@ -4,7 +4,7 @@
   <parent>
     <groupId>org.jvnet.hudson.plugins</groupId>
     <artifactId>analysis-pom</artifactId>
-    <version>8.1.2</version>
+    <version>8.3.0</version>
     <relativePath />
   </parent>
 
@@ -138,6 +138,15 @@
 
   <build>
     <plugins>
+      <plugin>
+      <groupId>org.apache.maven.plugins</groupId>
+      <artifactId>maven-pmd-plugin</artifactId>
+      <configuration>
+        <excludeRoots combine.children="append">
+          <excludeRoot>src/main/webapp/js</excludeRoot>
+        </excludeRoots>
+      </configuration>
+      </plugin>
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-clean-plugin</artifactId>

src/main/java/io/jenkins/plugins/prism/FilePermissionEnforcer.java

@@ -7,19 +7,21 @@
 import java.util.stream.Collectors;
 
 import edu.hm.hafner.util.PathUtil;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 
 import hudson.FilePath;
 
 /**
  * Enforces security restrictions for viewing files in Jenkins. Some plugins copy source code files to Jenkins' build
  * folder so that these files can be rendered in the user interface together with build results (coverage, warnings,
- * etc.). If these files are not part of the workspace of a build then Jenkins will not show them by default: otherwise
+ * etc.). If these files are not part of the workspace of a build, then Jenkins will not show them by default: otherwise
  * sensitive files could be shown by accident. You can provide a list of additional source code directories that are
  * allowed to be shown in Jenkins user interface here. Note, that such a directory must be an absolute path on the
  * <b>agent</b> that executes the build.
  *
  * @author Ullrich Hafner
  */
+@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "We are checking if a file is in a workspace")
 public class FilePermissionEnforcer {
     private static final PathUtil PATH_UTIL = new PathUtil();
 

src/main/java/io/jenkins/plugins/prism/SourceDirectoryFilter.java

@@ -18,6 +18,7 @@
 
 import edu.hm.hafner.util.FilteredLog;
 import edu.hm.hafner.util.PathUtil;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 
 /**
  * Filters source code directories that are not approved in Jenkins' global configuration. A directory is considered
@@ -103,6 +104,7 @@ private boolean isValidDirectory(final String sourceDirectory) {
      * @return the matching paths
      * @see FileSystem#getPathMatcher(String)
      */
+    @SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "We are selecting relative files based on a pattern")
     private List<String> findRelative(final String directory, final String pattern, final FilteredLog log) {
         if (containsNoPathMatcherPattern(pattern)) {
             return List.of(PATH_UTIL.createAbsolutePath(directory, pattern));

src/test/java/io/jenkins/plugins/prism/FilePermissionEnforcerTest.java

@@ -5,6 +5,8 @@
 import org.junit.jupiter.api.Test;
 import org.junitpioneer.jupiter.Issue;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+
 import hudson.FilePath;
 
 import static hudson.Functions.*;
@@ -16,6 +18,7 @@
  *
  * @author Ullrich Hafner
  */
+@SuppressFBWarnings(value = "DMI_HARDCODED_ABSOLUTE_FILENAME", justification = "In tests we need to use fake absolute paths")
 class FilePermissionEnforcerTest {
     private static final FilePath WORKSPACE_UNIX = new FilePath(new File("/workspace"));
     private static final FilePath WORKSPACE_WINDOWS = new FilePath(new File("C:\\workspace"));

src/test/java/io/jenkins/plugins/prism/PrismConfigurationTest.java

@@ -1,24 +1,28 @@
 package io.jenkins.plugins.prism;
 
-import static org.assertj.core.api.Assertions.assertThat;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.verify;
-
-import edu.hm.hafner.util.FilteredLog;
-import edu.hm.hafner.util.PathUtil;
-import io.jenkins.plugins.util.GlobalConfigurationFacade;
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 import java.util.stream.Collectors;
+
 import org.junit.jupiter.api.Test;
 
+import edu.hm.hafner.util.FilteredLog;
+import edu.hm.hafner.util.PathUtil;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+
+import io.jenkins.plugins.util.GlobalConfigurationFacade;
+
+import static org.assertj.core.api.Assertions.*;
+import static org.mockito.Mockito.*;
+
 /**
  * Tests the class {@link PrismConfiguration}.
  *
  * @author Ullrich Hafner
  */
+@SuppressFBWarnings(value = "DMI_HARDCODED_ABSOLUTE_FILENAME", justification = "In tests we need to use fake absolute paths")
 class PrismConfigurationTest {
     private static final PathUtil PATH_UTIL = new PathUtil();
 

src/test/java/io/jenkins/plugins/prism/SourceDirectoryValidationTest.java

@@ -4,6 +4,8 @@
 
 import org.junit.jupiter.api.Test;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+
 import hudson.FilePath;
 import hudson.model.FreeStyleProject;
 import hudson.util.FormValidation;
@@ -20,6 +22,7 @@
  * @author Stephan Plöderl
  * @author Ullrich Hafner
  */
+@SuppressFBWarnings(value = "DMI_HARDCODED_ABSOLUTE_FILENAME", justification = "In tests we need to use fake absolute paths")
 class SourceDirectoryValidationTest {
     @Test
     void shouldValidateRelativeWithoutWorkspace() {