Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump com.github.spotbugs:spotbugs from 4.2.3 to 4.8.4 #5160

Closed
wants to merge 1 commit into from
Closed

Bump com.github.spotbugs:spotbugs from 4.2.3 to 4.8.4 #5160

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Apr 26, 2024
edited

Bumps com.github.spotbugs:spotbugs from 4.2.3 to 4.8.4.

Release notes

Sourced from com.github.spotbugs:spotbugs's releases.

SpotBugs 4.8.4

CHANGELOG

Fixed

  • Fix FP in SE_PREVENT_EXT_OBJ_OVERWRITE when the if statement checking for null value, checking multiple variables or the method exiting in the if branch with an exception. (#2750)
  • Fix possible null value in taxonomies of SARIF output (#2744)
  • Fix executionSuccessful flag in SARIF report being set to false when bugs were found (#2116)
  • Move information contained in the SARIF property exitSignalName to exitCodeDescription (#2739)
  • Do not report SE_NO_SERIALVERSIONID or other serialization issues for records (#2793)
  • Added support for CONSTANT_Dynamic (#2759)
  • Ignore generic variable types when looking for BC_UNCONFIRMED_CAST_OF_RETURN_VALUE (#1219)
  • Do not report BC_UNCONFIRMED_CAST for Java 21's type switches (#2813)
  • Remove AppleExtension library (note: menus slightly changed) (#2823)
  • Fix false positive NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE even if Objects.requireNonNull is used. (#651, #456)
  • Fixed error preventing SpotBugs from reporting FE_FLOATING_POINT_EQUALITY (#2843)
  • Fixed NP_LOAD_OF_KNOWN_NULL_VALUE and RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE false positives in try-with-resources generated finally blocks (#2844)
  • Do not report DLS_DEAD_LOCAL_STORE for Java 21's type switches (#2828)
  • Update UnreadFields detector to ignore warnings for fields with certain annotations (#574)
  • Do not report UWF_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for fields initialized in method annotated with @PostConstruct, @BeforeEach, etc. (#2872 #2870 #453)
  • Do not report DLS_DEAD_LOCAL_STORE for Hibernate bytecode enhancements (#2865)
  • Fixed NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE false positives due to source code formatting (#2874)
  • Added more nullability annotations in TypeQualifierResolver (#2558 #2694)
  • Improved the bug description for VA_FORMAT_STRING_USES_NEWLINE when using text blocks, check the usage of String.formatted() (#2881)
  • Fixed crash in ValueRangeAnalysisFactory when looking for redundant conditions used in assertions #2887)
  • Revert again commons-text from 1.11.0 to 1.10.0 to resolve a version conflict (#2686)
  • Fixed false positive MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR when referencing but not calling an overridable method #2837)
  • Update the filter XSD namespace and location for the upcoming 4.8.4 release #2909)

Added

  • New detector MultipleInstantiationsOfSingletons and introduced new bug types:
    • SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR is reported in case of a non-private constructor,
    • SING_SINGLETON_IMPLEMENTS_CLONEABLE is reported in case of a class directly implementing the Cloneable interface,
    • SING_SINGLETON_INDIRECTLY_IMPLEMENTS_CLONEABLE is reported when a class indirectly implements the Cloneable interface,
    • SING_SINGLETON_IMPLEMENTS_CLONE_METHOD is reported when a class does not implement the Cloneable interface, but has a clone() method,
    • SING_SINGLETON_IMPLEMENTS_SERIALIZABLE is reported when a class directly or indirectly implements the Serializable interface and
    • SING_SINGLETON_GETTER_NOT_SYNCHRONIZED is reported when the instance-getter method of the singleton class is not synchronized. (See SEI CERT MSC07-J)
  • Extend FindOverridableMethodCall detector with new bug type: MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT. It's reported when an overridable method is called from readObject(), according to SEI CERT rule SER09-J. Do not invoke overridable methods from the readObject() method.

Changed

  • Minor cleanup in connection with slashed and dotted names (#2805)

Build

  • Fix sonar coverage for project (#2796)
  • Upgraded the build to compile bug samples using Java 21 language features (#2813)
  • Add 'configurations.checkstyle resolution starategy' to control bug in gradle on exclusions not being excluded properly as seen in checkstyle usage. See checkstyle/checkstyle#14211 for more information. (#2798)
  • Allow our builds to work with jdk 11 with drop back on Eclipse to 4.24 and spring to 5.3.31. (#2604)

CHECKSUM

... (truncated)

Changelog

Sourced from com.github.spotbugs:spotbugs's changelog.

4.8.4 - 2024-04-07

Fixed

  • Fix FP in SE_PREVENT_EXT_OBJ_OVERWRITE when the if statement checking for null value, checking multiple variables or the method exiting in the if branch with an exception. (#2750)
  • Fix possible null value in taxonomies of SARIF output (#2744)
  • Fix executionSuccessful flag in SARIF report being set to false when bugs were found (#2116)
  • Move information contained in the SARIF property exitSignalName to exitCodeDescription (#2739)
  • Do not report SE_NO_SERIALVERSIONID or other serialization issues for records (#2793)
  • Added support for CONSTANT_Dynamic (#2759)
  • Ignore generic variable types when looking for BC_UNCONFIRMED_CAST_OF_RETURN_VALUE (#1219)
  • Do not report BC_UNCONFIRMED_CAST for Java 21's type switches (#2813)
  • Remove AppleExtension library (note: menus slightly changed) (#2823)
  • Fix false positive NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE even if Objects.requireNonNull is used. (#651, #456)
  • Fixed error preventing SpotBugs from reporting FE_FLOATING_POINT_EQUALITY (#2843)
  • Fixed NP_LOAD_OF_KNOWN_NULL_VALUE and RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE false positives in try-with-resources generated finally blocks (#2844)
  • Do not report DLS_DEAD_LOCAL_STORE for Java 21's type switches (#2828)
  • Update UnreadFields detector to ignore warnings for fields with certain annotations (#574)
  • Do not report UWF_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for fields initialized in method annotated with @​PostConstruct, @​BeforeEach, etc. (#2872 #2870 #453)
  • Do not report DLS_DEAD_LOCAL_STORE for Hibernate bytecode enhancements (#2865)
  • Fixed NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE false positives due to source code formatting (#2874)
  • Added more nullability annotations in TypeQualifierResolver (#2558 #2694)
  • Improved the bug description for VA_FORMAT_STRING_USES_NEWLINE when using text blocks, check the usage of String.formatted() (#2881)
  • Fixed crash in ValueRangeAnalysisFactory when looking for redundant conditions used in assertions #2887)
  • Revert again commons-text from 1.11.0 to 1.10.0 to resolve a version conflict (#2686)
  • Fixed false positive MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR when referencing but not calling an overridable method #2837)
  • Update the filter XSD namespace and location for the upcoming 4.8.4 release #2909)

Added

  • New detector MultipleInstantiationsOfSingletons and introduced new bug types:
    • SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR is reported in case of a non-private constructor,
    • SING_SINGLETON_IMPLEMENTS_CLONEABLE is reported in case of a class directly implementing the Cloneable interface,
    • SING_SINGLETON_INDIRECTLY_IMPLEMENTS_CLONEABLE is reported when a class indirectly implements the Cloneable interface,
    • SING_SINGLETON_IMPLEMENTS_CLONE_METHOD is reported when a class does not implement the Cloneable interface, but has a clone() method,
    • SING_SINGLETON_IMPLEMENTS_SERIALIZABLE is reported when a class directly or indirectly implements the Serializable interface and
    • SING_SINGLETON_GETTER_NOT_SYNCHRONIZED is reported when the instance-getter method of the singleton class is not synchronized. (See SEI CERT MSC07-J)
  • Extend FindOverridableMethodCall detector with new bug type: MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT. It's reported when an overridable method is called from readObject(), according to SEI CERT rule SER09-J. Do not invoke overridable methods from the readObject() method.

Changed

  • Minor cleanup in connection with slashed and dotted names (#2805)

Build

  • Fix sonar coverage for project (#2796)
  • Upgraded the build to compile bug samples using Java 21 language features (#2813)
  • Add 'configurations.checkstyle resolution starategy' to control bug in gradle on exclusions not being excluded properly as seen in checkstyle usage. See checkstyle/checkstyle#14211 for more information. (#2798)
  • Allow our builds to work with jdk 11 with drop back on Eclipse to 4.24 and spring to 5.3.31. (#2604)

4.8.3 - 2023-12-12

Fixed

  • Fix FP in CT_CONSTRUCTOR_THROW when the finalizer does not run, since the exception is thrown before java.lang.Object's constructor exits for checked exceptions (#2710)
  • Applied changes for bcel 6.8.0 with adjustments to constant pool (#2756)

... (truncated)

Commits
  • a86cfd3 release v4.8.4
  • 2240767 fix: Update the filter XSD namespace and location for the upcoming 4.8.4 (#2915)
  • 1bd7c25 chore(deps): update plugin io.github.gradle-nexus.publish-plugin to v2 (#2920)
  • 789d397 Keep track of constructed BugReporters for TextUiCommandLine (#2047) (#2894)
  • 3dff769 chore(deps): update plugin com.gradle.enterprise to v3.17 (#2917)
  • 3ca5182 fix(deps): update dependency jacoco to v0.8.12 (#2918)
  • 133a6f0 fix(deps): update dependency checkstyle to v10.15.0 (#2916)
  • 6d43261 Extend the FindOverridableMethodCall detector to handle SER09-J (#2895)
  • 9c36fdc Fix for false positive MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR when referen...
  • 0969918 chore(deps): update plugin org.sonarqube to v5 (#2914)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot requested a review from a team as a code owner April 26, 2024 21:05
@dependabot dependabot bot added the dependencies This issue is a problem in a dependency. label Apr 26, 2024
@dependabot dependabot bot force-pushed the dependabot/maven/com.github.spotbugs-spotbugs-4.8.4 branch 5 times, most recently from af59ae0 to f30f56f Compare May 2, 2024 19:16
@dependabot
Bump com.github.spotbugs:spotbugs from 4.2.3 to 4.8.4
8d8a731 
Bumps [com.github.spotbugs:spotbugs](https://github.com/spotbugs/spotbugs) from 4.2.3 to 4.8.4.
- [Release notes](https://github.com/spotbugs/spotbugs/releases)
- [Changelog](https://github.com/spotbugs/spotbugs/blob/master/CHANGELOG.md)
- [Commits](spotbugs/spotbugs@4.2.3...4.8.4)

---
updated-dependencies:
- dependency-name: com.github.spotbugs:spotbugs
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/maven/com.github.spotbugs-spotbugs-4.8.4 branch from f30f56f to 8d8a731 Compare May 3, 2024 18:57
@sonarcloud SonarCloud
Copy link

sonarcloud bot commented May 3, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

@dependabot Dependabot
Copy link
Contributor Author

dependabot bot commented on behalf of github May 6, 2024

Superseded by #5182.

@dependabot dependabot bot closed this May 6, 2024
@dependabot dependabot bot deleted the dependabot/maven/com.github.spotbugs-spotbugs-4.8.4 branch May 6, 2024 14:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies This issue is a problem in a dependency.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
0 participants