spotbugs/spotbugs (com.github.spotbugs:spotbugs-annotations)
### [`v4.8.6`](https://redirect.github.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#486---2024-06-17)
[Compare Source](https://redirect.github.com/spotbugs/spotbugs/compare/4.8.5...4.8.6)
##### Fixed
- Do not report BC_UNCONFIRMED_CAST for Java 21's type switches when the switch instruction is TABLESWITCH ([#2782](https://redirect.github.com/spotbugs/spotbugs/issues/2782))
- Do not throw exception when inspecting empty switch statements ([#2995](https://redirect.github.com/spotbugs/spotbugs/issues/2995))
- Adjust priority since relaxed mode reports even `IGNORED_PRIORITY` ([#2994](https://redirect.github.com/spotbugs/spotbugs/issues/2994))
- Fix duplicated log4j2 jar in distribution ([#3001](https://redirect.github.com/spotbugs/spotbugs/issues/3001))
### [`v4.8.5`](https://redirect.github.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#485---2024-05-03)
[Compare Source](https://redirect.github.com/spotbugs/spotbugs/compare/4.8.4...4.8.5)
##### Fixed
- Fix FP `SING_SINGLETON_GETTER_NOT_SYNCHRONIZED` with eager instances ([#2932](https://redirect.github.com/spotbugs/spotbugs/issues/2932))
- Fix FPs when looking for multiple initialization of Singletons ([#2934](https://redirect.github.com/spotbugs/spotbugs/issues/2934))
- Do not report DLS_DEAD_LOCAL_STORE for Java 21's type switches when switch instruction is TABLESWITCH ([#2736](https://redirect.github.com/spotbugs/spotbugs/issues/2736))
- Fix FP `SE_BAD_FIELD` for record fields ([#2935](https://redirect.github.com/spotbugs/spotbugs/issues/2935))
### [`v4.8.4`](https://redirect.github.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#484---2024-04-07)
[Compare Source](https://redirect.github.com/spotbugs/spotbugs/compare/4.8.3...4.8.4)
##### Fixed
- Fix FP in SE_PREVENT_EXT_OBJ_OVERWRITE when the if statement checking for null value, checking multiple variables or the method exiting in the if branch with an exception. ([#2750](https://redirect.github.com/spotbugs/spotbugs/issues/2750))
- Fix possible null value in taxonomies of SARIF output ([#2744](https://redirect.github.com/spotbugs/spotbugs/issues/2744))
- Fix `executionSuccessful` flag in SARIF report being set to false when bugs were found ([#2116](https://redirect.github.com/spotbugs/spotbugs/issues/2116))
- Move information contained in the SARIF property `exitSignalName` to `exitCodeDescription` ([#2739](https://redirect.github.com/spotbugs/spotbugs/issues/2739))
- Do not report SE_NO_SERIALVERSIONID or other serialization issues for records ([#2793](https://redirect.github.com/spotbugs/spotbugs/issues/2793))
- Added support for CONSTANT_Dynamic ([#2759](https://redirect.github.com/spotbugs/spotbugs/issues/2759))
- Ignore generic variable types when looking for BC_UNCONFIRMED_CAST_OF_RETURN_VALUE ([#1219](https://redirect.github.com/spotbugs/spotbugs/issues/1219))
- Do not report BC_UNCONFIRMED_CAST for Java 21's type switches ([#2813](https://redirect.github.com/spotbugs/spotbugs/pull/2813))
- Remove AppleExtension library (note: menus slightly changed) ([#2823](https://redirect.github.com/spotbugs/spotbugs/pull/2823))
- Fix false positive NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE even if Objects.requireNonNull is used. ([#651](https://redirect.github.com/spotbugs/spotbugs/issues/651), [#456](https://redirect.github.com/spotbugs/spotbugs/issues/456))
- Fixed error preventing SpotBugs from reporting FE_FLOATING_POINT_EQUALITY ([#2843](https://redirect.github.com/spotbugs/spotbugs/pull/2843))
- Fixed NP_LOAD_OF_KNOWN_NULL_VALUE and RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE false positives in try-with-resources generated finally blocks ([#2844](https://redirect.github.com/spotbugs/spotbugs/pull/2844))
- Do not report DLS_DEAD_LOCAL_STORE for Java 21's type switches ([#2828](https://redirect.github.com/spotbugs/spotbugs/pull/2828))
- Update UnreadFields detector to ignore warnings for fields with certain annotations ([#574](https://redirect.github.com/spotbugs/spotbugs/issues/574))
- Do not report UWF_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for fields initialized in method annotated with `@PostConstruct`, `@BeforeEach`, etc. ([#2872](https://redirect.github.com/spotbugs/spotbugs/pull/2872) [#2870](https://redirect.github.com/spotbugs/spotbugs/issues/2870) [#453](https://redirect.github.com/spotbugs/spotbugs/issues/453))
- Do not report DLS_DEAD_LOCAL_STORE for Hibernate bytecode enhancements ([#2865](https://redirect.github.com/spotbugs/spotbugs/pull/2865))
- Fixed NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE false positives due to source code formatting ([#2874](https://redirect.github.com/spotbugs/spotbugs/pull/2874))
- Added more nullability annotations in TypeQualifierResolver ([#2558](https://redirect.github.com/spotbugs/spotbugs/issues/2558) [#2694](https://redirect.github.com/spotbugs/spotbugs/pull/2694))
- Improved the bug description for VA_FORMAT_STRING_USES_NEWLINE when using text blocks, check the usage of String.formatted() ([#2881](https://redirect.github.com/spotbugs/spotbugs/pull/2881))
- Fixed crash in ValueRangeAnalysisFactory when looking for redundant conditions used in assertions ([#2887](https://redirect.github.com/spotbugs/spotbugs/pull/2887))
- Revert again commons-text from 1.11.0 to 1.10.0 to resolve a version conflict ([#2686](https://redirect.github.com/spotbugs/spotbugs/issues/2686))
- Fixed false positive MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR when referencing but not calling an overridable method ([#2837](https://redirect.github.com/spotbugs/spotbugs/pull/2837))
- Update the filter XSD namespace and location for the upcoming 4.8.4 release ([#2909](https://redirect.github.com/spotbugs/spotbugs/issues/2909))
##### Added
- New detector `MultipleInstantiationsOfSingletons` and introduced new bug types:
  - `SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR` is reported in case of a non-private constructor,
  - `SING_SINGLETON_IMPLEMENTS_CLONEABLE` is reported in case of a class directly implementing the `Cloneable` interface,
  - `SING_SINGLETON_INDIRECTLY_IMPLEMENTS_CLONEABLE` is reported when a class indirectly implements the `Cloneable` interface,
  - `SING_SINGLETON_IMPLEMENTS_CLONE_METHOD` is reported when a class does not implement the `Cloneable` interface, but has a `clone()` method,
  - `SING_SINGLETON_IMPLEMENTS_SERIALIZABLE` is reported when a class directly or indirectly implements the `Serializable` interface and
  - `SING_SINGLETON_GETTER_NOT_SYNCHRONIZED` is reported when the instance-getter method of the singleton class is not synchronized.

  (See [SEI CERT MSC07-J](https://wiki.sei.cmu.edu/confluence/display/java/MSC07-J.+Prevent+multiple+instantiations+of+singleton+objects))
- Extend `FindOverridableMethodCall` detector with new bug type: `MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT`. It's reported when an overridable method is called from `readObject()`, according to SEI CERT rule [SER09-J. Do not invoke overridable methods from the readObject() method](https://wiki.sei.cmu.edu/confluence/display/java/SER09-J.+Do+not+invoke+overridable+methods+from+the+readObject%28%29+method).
##### Changed
- Minor cleanup in connection with slashed and dotted names ([#2805](https://redirect.github.com/spotbugs/spotbugs/pull/2805))
##### Build
- Fix sonar coverage for project ([#2796](https://redirect.github.com/spotbugs/spotbugs/issues/2796))
- Upgraded the build to compile bug samples using Java 21 language features ([#2813](https://redirect.github.com/spotbugs/spotbugs/pull/2813))
- Add 'configurations.checkstyle resolution strategy' to control bug in gradle on exclusions not being excluded properly as seen in checkstyle usage. See [https://github.com/checkstyle/checkstyle/issues/14211](https://redirect.github.com/checkstyle/checkstyle/issues/14211) for more information. ([#2798](https://redirect.github.com/spotbugs/spotbugs/issues/2798))
- Allow our builds to work with jdk 11 with drop back on Eclipse to 4.24 and spring to 5.3.31. ([#2604](https://redirect.github.com/spotbugs/spotbugs/pull/2604/))
### [`v4.8.3`](https://redirect.github.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#483---2023-12-12)
[Compare Source](https://redirect.github.com/spotbugs/spotbugs/compare/4.8.2...4.8.3)
##### Fixed
- Fix FP in CT_CONSTRUCTOR_THROW when the finalizer does not run, since the exception is thrown before java.lang.Object's constructor exits for checked exceptions ([#2710](https://redirect.github.com/spotbugs/spotbugs/issues/2710))
- Applied changes for bcel 6.8.0 with adjustments to constant pool ([#2756](https://redirect.github.com/spotbugs/spotbugs/pull/2756))
  - More information on bcel changes can be found in ([#2757](https://redirect.github.com/spotbugs/spotbugs/pull/2757))
- Fix FN in CT_CONSTRUCTOR_THROW when the return value of the called method is not void or primitive type.
- Fix FP in CT_CONSTRUCTOR_THROW when exception throwing lambda is created, but not called in constructor ([#2695](https://redirect.github.com/spotbugs/spotbugs/issues/2695))
##### Changed
- Improved Matcher checks for empty strings ([#2755](https://redirect.github.com/spotbugs/spotbugs/pull/2755))
- Allow 'onlyAnalyze' option to specify negative matches, such that this facility can be used to prevent a subset of classes to be excluded from analysis ([#2754](https://redirect.github.com/spotbugs/spotbugs/pull/2754))
- Strictly require logback 1.2.13 due to CVE-2023-6481 and CVE-23-6378 ([#2760](https://redirect.github.com/spotbugs/spotbugs/pull/2760))
- Prefer log4j2 at 2.22.0 and logback at 1.4.14 ([#2760](https://redirect.github.com/spotbugs/spotbugs/pull/2760))
### [`v4.8.2`](https://redirect.github.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#482---2023-11-28)
[Compare Source](https://redirect.github.com/spotbugs/spotbugs/compare/4.8.1...4.8.2)
##### Fixed
- Fixed false positive UPM_UNCALLED_PRIVATE_METHOD for method used in JUnit's MethodSource ([#2379](https://redirect.github.com/spotbugs/spotbugs/issues/2379))
- Use java.nio to load filter files ([#2684](https://redirect.github.com/spotbugs/spotbugs/pull/2684))
- Eclipse: Do not export javax.annotation packages ([#2699](https://redirect.github.com/spotbugs/spotbugs/pull/2699))
- Fixed not thread safe FindOverridableMethodCall detector ([#2701](https://redirect.github.com/spotbugs/spotbugs/issues/2701))
- Fix the weird messages of PI_DO_NOT_REUSE_PUBLIC_IDENTIFIERS bugs. ([#2646](https://redirect.github.com/spotbugs/spotbugs/issues/2646))
- Revert commons-text from 1.11.0 to 1.10.0 to resolve a version conflict ([#2686](https://redirect.github.com/spotbugs/spotbugs/issues/2686))
- Fix FP in CT_CONSTRUCTOR_THROW when the finalizer does not run, since the exception is thrown before java.lang.Object's constructor exits ([#2710](https://redirect.github.com/spotbugs/spotbugs/issues/2710))
##### Added
- New detector finding `System.getenv()` calls, where the corresponding Java property could be used (See [ENV02-J](https://wiki.sei.cmu.edu/confluence/display/java/ENV02-J.+Do+not+trust+the+values+of+environment+variables)).
##### Build
- Run build using jdk 17 and 21 without usage of toolchains so we do not defeat the purpose of building on both. ([#2722](https://redirect.github.com/spotbugs/spotbugs/pull/2722))
### [`v4.8.1`](https://redirect.github.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#481---2023-11-06)
[Compare Source](https://redirect.github.com/spotbugs/spotbugs/compare/4.8.0...4.8.1)
##### Fixed
- Fixed schema location for findbugsfilter.xsd ([#1416](https://redirect.github.com/spotbugs/spotbugs/issues/1416))
- Fixed missing null checks ([#2629](https://redirect.github.com/spotbugs/spotbugs/issues/2629))
- Disabled DontReusePublicIdentifiers due to the high false positives rate ([#2627](https://redirect.github.com/spotbugs/spotbugs/issues/2627))
- Removed signature of methods using UTF-8 in DefaultEncodingDetector ([#2634](https://redirect.github.com/spotbugs/spotbugs/issues/2634))
- Fix exception escapes when calling functions of JUnit Assert or Assertions ([#2640](https://redirect.github.com/spotbugs/spotbugs/issues/2640))
- Fixed an error in the SARIF export when a bug annotation is missing ([#2632](https://redirect.github.com/spotbugs/spotbugs/issues/2632))
- Fixed false positive RV_EXCEPTION_NOT_THROWN when asserting to exception throws ([#2628](https://redirect.github.com/spotbugs/spotbugs/issues/2628))
- Fix false positive CT_CONSTRUCTOR_THROW when supertype has final finalize ([#2665](https://redirect.github.com/spotbugs/spotbugs/issues/2665))
- Lowered the priority of `PA_PUBLIC_MUTABLE_OBJECT_ATTRIBUTE` bug ([#2652](https://redirect.github.com/spotbugs/spotbugs/issues/2652))
- Eclipse: fixed startup overhead (on computing classpath) for PDE projects ([#2671](https://redirect.github.com/spotbugs/spotbugs/pull/2671))
##### Build
- Fix deprecated GHA on '::set-output' by using GITHUB_OUTPUT ([#2651](https://redirect.github.com/spotbugs/spotbugs/pull/2651))
### [`v4.8.0`](https://redirect.github.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#480---2023-10-11)
[Compare Source](https://redirect.github.com/spotbugs/spotbugs/compare/4.7.3...4.8.0)
##### Changed
- Bump up Apache Commons BCEL to the version 6.6.1 ([#2223](https://redirect.github.com/spotbugs/spotbugs/pull/2223))
- Bump up slf4j-api to 2.0.3 ([#2220](https://redirect.github.com/spotbugs/spotbugs/pull/2220))
- Bump up gson to 2.10 ([#2235](https://redirect.github.com/spotbugs/spotbugs/pull/2235))
- Allowed for large command line through writing arguments to file (UnionResults/UnionBugs2)
- Use com.github.stephenc.jcip for jcip-annotations fixing ([#887](https://redirect.github.com/spotbugs/spotbugs/issues/887))
- Bump ObjectWeb ASM from 9.4 to 9.6, supporting JDK 21 ([#2578](https://redirect.github.com/spotbugs/spotbugs/pull/2578))
##### Fixed
- Fixed missing classes not in report if using IErrorLogger.reportMissingClass(ClassDescriptor) ([#219](https://redirect.github.com/spotbugs/spotbugs/issues/219))
- Stop exposing junit-bom to consumers ([#2255](https://redirect.github.com/spotbugs/spotbugs/pull/2255))
- Fixed AbstractBugReporter emits wrong non-sensical debug output during filtering ([#184](https://redirect.github.com/spotbugs/spotbugs/issues/184))
- Added support for jakarta namespace ([#2289](https://redirect.github.com/spotbugs/spotbugs/pull/2289))
- Report a low priority bug for an unread field in reflective classes ([#2325](https://redirect.github.com/spotbugs/spotbugs/issues/2325))
- Fixed "Unhandled event loop exception" opening Bug Filter Configuration dialog in Eclipse ([#2327](https://redirect.github.com/spotbugs/spotbugs/issues/2327))
- Fixed detector `RandomOnceSubDetector` to not report when `doubles`, `ints`, or `longs` are called on a new `Random` or `SecureRandom` ([#2370](https://redirect.github.com/spotbugs/spotbugs/issues/2325))
- Fixed detector `TestASM` throwing error during analysis, because it doesn't note that it reports bugs.
- Eclipse annotation classpath initializer is hard-coded to jsr305 version 3.0.1, fix to 3.0.2 per [#2470](https://redirect.github.com/spotbugs/spotbugs/issues/2470)
- Fixed annotation on generic or array incorrectly considered for the nullability of a method parameter or return type ([#2502](https://redirect.github.com/spotbugs/spotbugs/issues/2502))
- Added support for CONSTANT_Dynamic in constant class pool ([#2506](https://redirect.github.com/spotbugs/spotbugs/issues/2506))
- Recognise enums and records as immutable ([#2356](https://redirect.github.com/spotbugs/spotbugs/issues/2356))
- Added detections of reliance on default encoding in java.nio.file.Files ([#2114](https://redirect.github.com/spotbugs/spotbugs/issues/2114))
- Fixed a regression in the Value Number Analysis ([#2465](https://redirect.github.com/spotbugs/spotbugs/issues/2465))
- Fix XML Output incorrectly escaped in Eclipse Bug Info view ([#2520](https://redirect.github.com/spotbugs/spotbugs/pull/2520))
- Updated the MS_EXPOSE_REP description to mention mutable objects, not just arrays ([#1669](https://redirect.github.com/spotbugs/spotbugs/issues/1669))
- Described Configuration option frc.suspicious for bug RC_REF_COMPARISON in bug description ([#2297](https://redirect.github.com/spotbugs/spotbugs/issues/2297))
- Fixed FindHEMismatch not reporting HE_SIGNATURE_DECLARES_HASHING_OF_UNHASHABLE_CLASS for some classes ([#2402](https://redirect.github.com/spotbugs/spotbugs/issues/2402))
- Added execute file permission to files in the distribution zip ([#2540](https://redirect.github.com/spotbugs/spotbugs/issues/2540))
- Do not report RV_RETURN_VALUE_IGNORED_NO_SIDE_EFFECT when part of a Mockito.verify() call check ([#872](https://redirect.github.com/spotbugs/spotbugs/issues/872))
- Do not report SIC_INNER_SHOULD_BE_STATIC for classes annotated with JUnit Nested ([#560](https://redirect.github.com/spotbugs/spotbugs/issues/560))
- Detect created, but not-thrown exceptions, which are created by not the constructor ([#2547](https://redirect.github.com/spotbugs/spotbugs/issues/2547))
- Fixed eclipse plugin Effort.values pass to effortViewer as required cast to varargs ([#2579](https://redirect.github.com/spotbugs/spotbugs/pull/2579))
##### Added
- New simple name-based AnnotationMatcher for exclude files (now bug annotations store the class java annotations in an attribute called `classAnnotationNames`). For example, use like in an excludeFilter.xml to ignore classes generated by the Immutable framework. This ignores all class, method or field bugs in classes with that annotation.
- Added the Common Weakness Enumeration (CWE) taxonomy to the Static Analysis Results Interchange Format (SARIF) report. The short and long description for the CWEs are retrieved from a JSON file which is a slimmed down version of the official comprehensive CWE XML from MITRE. The JSON contains information about all CWEs. ([#2410](https://redirect.github.com/spotbugs/spotbugs/pull/2410)).
- New detector `FindAssertionsWithSideEffects` detecting bug `ASSERTION_WITH_SIDE_EFFECT` and `ASSERTION_WITH_SIDE_EFFECT_METHOD` in case of assertions which may have side effects (See [EXP06-J. Expressions used in assertions must not produce side effects](https://wiki.sei.cmu.edu/confluence/display/java/EXP06-J.+Expressions+used+in+assertions+must+not+produce+side+effects))
- New rule set `PA_PUBLIC_PRIMITIVE_ATTRIBUTE`, `PA_PUBLIC_ARRAY_ATTRIBUTE` and `PA_PUBLIC_MUTABLE_OBJECT_ATTRIBUTE` to warn for public attributes which are written by the methods of the class. This rule is loosely based on the SEI CERT rule *OBJ01-J Limit accessibility of fields*. ([#OBJ01-J](https://wiki.sei.cmu.edu/confluence/display/java/OBJ01-J.+Limit+accessibility+of+fields))
- Extend `SerializableIdiom` detector with new bug type: `SE_PREVENT_EXT_OBJ_OVERWRITE`. It's reported when the `readExternal()` method allows any caller to reset any value of an object.
- New Detector `FindVulnerableSecurityCheckMethods` for new bug type `VSC_VULNERABLE_SECURITY_CHECK_METHODS`. This bug is reported whenever a non-final and non-private method of a non-final class performs a security check using the `java.lang.SecurityManager`. (See [SEI CERT MET03-J](https://wiki.sei.cmu.edu/confluence/display/java/MET03-J.+Methods+that+perform+a+security+check+must+be+declared+private+or+final))
- New function added to detector `SynchronizationOnSharedBuiltinConstant` to detect `DL_SYNCHRONIZATION_ON_INTERNED_STRING` ([#2266](https://redirect.github.com/spotbugs/spotbugs/pull/2266))
- Make TypeQualifierResolver recognize org.apache.avro.reflect.Nullable ([#2066](https://redirect.github.com/spotbugs/spotbugs/pull/2066))
- New detector `FindArgumentAssertions` detecting bug `ASSERTION_OF_ARGUMENTS` in case of validation of arguments of public functions using assertions (See [MET01-J. Never use assertions to validate method arguments](https://wiki.sei.cmu.edu/confluence/display/java/MET01-J.+Never+use+assertions+to+validate+method+arguments))
- Add new detector `CT_CONSTRUCTOR_THROW` for detecting constructors that throw exceptions.
- New detector `DontReusePublicIdentifiers` for new bug type `PI_DO_NOT_REUSE_PUBLIC_IDENTIFIERS`. This bug is reported whenever a new class, interface, field, method or variable is created reusing an identifier from the *Java Standard Library*. (See [SEI CERT rule DCL01-J](https://wiki.sei.cmu.edu/confluence/display/java/DCL01-J.+Do+not+reuse+public+identifiers+from+the+Java+Standard+Library))
##### Security
- Disable access to external entities when processing XML ([#2217](https://redirect.github.com/spotbugs/spotbugs/pull/2217))
##### Build
- Bump Eclipse from 4.6.3 to 4.14 ([#2314](https://redirect.github.com/spotbugs/spotbugs/pull/2314))
- Use jakarta annotation 1.3.5 instead of legacy javax annotation 1.3.2 ([#2315](https://redirect.github.com/spotbugs/spotbugs/pull/2315))
- Change hamcrest-all to hamcrest-core as that is what was actually used and then update to 2.2 ([#2316](https://redirect.github.com/spotbugs/spotbugs/pull/2316))
- Only run release action on 'spotbugs' and use Eclipse 4.14 ([#2317](https://redirect.github.com/spotbugs/spotbugs/pull/2317))
- Prefer log4j2 2.20.0 ([#2480](https://redirect.github.com/spotbugs/spotbugs/pull/2480))
- Prefer logback 1.4.8 ([#2480](https://redirect.github.com/spotbugs/spotbugs/pull/2480))
- Prefer logback 1.4.11 ([#2580](https://redirect.github.com/spotbugs/spotbugs/pull/2580))
- Switch junit 4 for junit 5 vintage engine ([#2483](https://redirect.github.com/spotbugs/spotbugs/pull/2483))
- LineEndings and Spotless ([#2343](https://redirect.github.com/spotbugs/spotbugs/pull/2343))
  - Cleanup gitattributes switching text to auto. For developers using windows, run 'git add . --renormalize' and see https://docs.github.com/en/get-started/getting-started-with-git/configuring-git-to-handle-line-endings if needed.
  - Rework spotless setup from plugin to build file plugin matching that of gradle plugin and thus allowing spotless to be updated to 6.22.0
  - Remove customized line endings for spotless so it uses git attributes as suggested by spotless
  - Add trimTrailingWhitespace for spotless
  - Fix deprecated usage of eclipse version from 4.13.0 to 4.13 per spotless requirements
- Bump spotbugs gradle plugin to 6.0.0-beta.3 demonstrating breaking changes for 6.0.0 in gradle/java.gradle build file ([#2582](https://redirect.github.com/spotbugs/spotbugs/pull/2582))
- Delete checked in j2ee jar and instead use servlet/ejb apis from jakarta (javax standard) ([#2585](https://redirect.github.com/spotbugs/spotbugs/pull/2585))
- Bump Eclipse from 4.14 to 4.29 (latest) ([#2589](https://redirect.github.com/spotbugs/spotbugs/pull/2589))
- Cleanup hamcrest imports / used library ([#2600](https://redirect.github.com/spotbugs/spotbugs/pull/2600))
- Migrate entirely to junit 5 ([#2605](https://redirect.github.com/spotbugs/spotbugs/pull/2605))
  - Some parts of codebase were junit 3
  - Delete the SpotbugsRule
  - Replace custom java determination on build with Junit 5 usage
  - Various 'public' methods in tests fixed to 'private'
  - Junit 5 styling applied throughout
  - Add missing code to the SpotBugsRunner and now use the Extension as replacement of SpotbugsRule
Configuration
📅 Schedule: Branch creation - "after 10pm every weekday,before 5am every weekday,every weekend" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR contains the following updates: 4.7.3 -> 4.8.6
Release Notes
spotbugs/spotbugs (com.github.spotbugs:spotbugs-annotations)
### [`v4.8.6`](https://redirect.github.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#486---2024-06-17) [Compare Source](https://redirect.github.com/spotbugs/spotbugs/compare/4.8.5...4.8.6) ##### Fixed - Do not report BC_UNCONFIRMED_CAST for Java 21's type switches when the switch instruction is TABLESWITCH ([#2782](https://redirect.github.com/spotbugs/spotbugs/issues/2782)) - Do not throw exception when inspecting empty switch statements ([#2995](https://redirect.github.com/spotbugs/spotbugs/issues/2995)) - Adjust priority since relaxed mode reports even `IGNORED_PRIORITY` ([#2994](https://redirect.github.com/spotbugs/spotbugs/issues/2994)) - Fix duplicated log4j2 jar in distribution ([#3001](https://redirect.github.com/spotbugs/spotbugs/issues/3001)) ### [`v4.8.5`](https://redirect.github.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#485---2024-05-03) [Compare Source](https://redirect.github.com/spotbugs/spotbugs/compare/4.8.4...4.8.5) ##### Fixed - Fix FP `SING_SINGLETON_GETTER_NOT_SYNCHRONIZED` with eager instances ([#2932](https://redirect.github.com/spotbugs/spotbugs/issues/2932)) - Fix FPs when looking for multiple initialization of Singletons ([#2934](https://redirect.github.com/spotbugs/spotbugs/issues/2934)) - Do not report DLS_DEAD_LOCAL_STORE for Java 21's type switches when switch instruction is TABLESWITCH([#2736](https://redirect.github.com/spotbugs/spotbugs/issues/2736)) - Fix FP `SE_BAD_FIELD` for record fields ([#2935](https://redirect.github.com/spotbugs/spotbugs/issues/2935)) ### [`v4.8.4`](https://redirect.github.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#484---2024-04-07) [Compare Source](https://redirect.github.com/spotbugs/spotbugs/compare/4.8.3...4.8.4) ##### Fixed - Fix FP in SE_PREVENT_EXT_OBJ_OVERWRITE when the if statement checking for null value, checking multiple variables or the method exiting in the if branch with an exception. 
([#2750](https://redirect.github.com/spotbugs/spotbugs/issues/2750)) - Fix possible null value in taxonomies of SARIF output ([#2744](https://redirect.github.com/spotbugs/spotbugs/issues/2744)) - Fix `executionSuccessful` flag in SARIF report being set to false when bugs were found ([#2116](https://redirect.github.com/spotbugs/spotbugs/issues/2116)) - Move information contained in the SARIF property `exitSignalName` to `exitCodeDescription` ([#2739](https://redirect.github.com/spotbugs/spotbugs/issues/2739)) - Do not report SE_NO_SERIALVERSIONID or other serialization issues for records ([#2793](https://redirect.github.com/spotbugs/spotbugs/issues/2793)) - Added support for CONSTANT_Dynamic ([#2759](https://redirect.github.com/spotbugs/spotbugs/issues/2759)) - Ignore generic variable types when looking for BC_UNCONFIRMED_CAST_OF_RETURN_VALUE ([#1219](https://redirect.github.com/spotbugs/spotbugs/issues/1219)) - Do not report BC_UNCONFIRMED_CAST for Java 21's type switches ([#2813](https://redirect.github.com/spotbugs/spotbugs/pull/2813)) - Remove AppleExtension library (note: menus slightly changed) ([#2823](https://redirect.github.com/spotbugs/spotbugs/pull/2823)) - Fix false positive NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE even if Objects.requireNonNull is used. 
([#651](https://redirect.github.com/spotbugs/spotbugs/issues/651), [#456](https://redirect.github.com/spotbugs/spotbugs/issues/456)) - Fixed error preventing SpotBugs from reporting FE_FLOATING_POINT_EQUALITY ([#2843](https://redirect.github.com/spotbugs/spotbugs/pull/2843)) - Fixed NP_LOAD_OF_KNOWN_NULL_VALUE and RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE false positives in try-with-resources generated finally blocks ([#2844](https://redirect.github.com/spotbugs/spotbugs/pull/2844)) - Do not report DLS_DEAD_LOCAL_STORE for Java 21's type switches ([#2828](https://redirect.github.com/spotbugs/spotbugs/pull/2828)) - Update UnreadFields detector to ignore warnings for fields with certain annotations ([#574](https://redirect.github.com/spotbugs/spotbugs/issues/574)) - Do not report UWF_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for fields initialized in method annotated with [@PostConstruct](https://redirect.github.com/PostConstruct), [@BeforeEach](https://redirect.github.com/BeforeEach), etc. ([#2872](https://redirect.github.com/spotbugs/spotbugs/pull/2872) [#2870](https://redirect.github.com/spotbugs/spotbugs/issues/2870) [#453](https://redirect.github.com/spotbugs/spotbugs/issues/453)) - Do not report DLS_DEAD_LOCAL_STORE for Hibernate bytecode enhancements ([#2865](https://redirect.github.com/spotbugs/spotbugs/pull/2865)) - Fixed NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE false positives due to source code formatting ([#2874](https://redirect.github.com/spotbugs/spotbugs/pull/2874)) - Added more nullability annotations in TypeQualifierResolver ([#2558](https://redirect.github.com/spotbugs/spotbugs/issues/2558) [#2694](https://redirect.github.com/spotbugs/spotbugs/pull/2694)) - Improved the bug description for VA_FORMAT_STRING_USES_NEWLINE when using text blocks, check the usage of String.formatted() ([#2881](https://redirect.github.com/spotbugs/spotbugs/pull/2881)) - Fixed crash in ValueRangeAnalysisFactory when looking for redundant conditions used in assertions 
[#2887](https://redirect.github.com/spotbugs/spotbugs/pull/2887)) - Revert again commons-text from 1.11.0 to 1.10.0 to resolve a version conflict ([#2686](https://redirect.github.com/spotbugs/spotbugs/issues/2686)) - Fixed false positive MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR when referencing but not calling an overridable method ([#2837](https://redirect.github.com/spotbugs/spotbugs/pull/2837)) - Update the filter XSD namespace and location for the upcoming 4.8.4 release ([#2909](https://redirect.github.com/spotbugs/spotbugs/issues/2909)) ##### Added - New detector `MultipleInstantiationsOfSingletons` and introduced new bug types: - `SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR` is reported in case of a non-private constructor, - `SING_SINGLETON_IMPLEMENTS_CLONEABLE` is reported in case of a class directly implementing the `Cloneable` interface, - `SING_SINGLETON_INDIRECTLY_IMPLEMENTS_CLONEABLE` is reported when a class indirectly implements the `Cloneable` interface, - `SING_SINGLETON_IMPLEMENTS_CLONE_METHOD` is reported when a class does not implement the `Cloneable` interface, but has a `clone()` method, - `SING_SINGLETON_IMPLEMENTS_SERIALIZABLE` is reported when a class directly or indirectly implements the `Serializable` interface and - `SING_SINGLETON_GETTER_NOT_SYNCHRONIZED` is reported when the instance-getter method of the singleton class is not synchronized. (See [SEI CERT MSC07-J](https://wiki.sei.cmu.edu/confluence/display/java/MSC07-J.+Prevent+multiple+instantiations+of+singleton+objects)) - Extend `FindOverridableMethodCall` detector with new bug type: `MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT`. It's reported when an overridable method is called from `readObject()`, according to SEI CERT rule [SER09-J. Do not invoke overridable methods from the readObject() method](https://wiki.sei.cmu.edu/confluence/display/java/SER09-J.+Do+not+invoke+overridable+methods+from+the+readObject%28%29+method). 
##### Changed - Minor cleanup in connection with slashed and dotted names ([#2805](https://redirect.github.com/spotbugs/spotbugs/pull/2805)) ##### Build - Fix sonar coverage for project ([#2796](https://redirect.github.com/spotbugs/spotbugs/issues/2796)) - Upgraded the build to compile bug samples using Java 21 language features ([#2813](https://redirect.github.com/spotbugs/spotbugs/pull/2813)) - Add 'configurations.checkstyle resolution starategy' to control bug in gradle on exclusions not being excluded properly as seen in checkstyle usage. See [https://github.com/checkstyle/checkstyle/issues/14211](https://redirect.github.com/checkstyle/checkstyle/issues/14211) for more information. ([#2798](https://redirect.github.com/spotbugs/spotbugs/issues/2798)) - Allow our builds to work with jdk 11 with drop back on Eclipse to 4.24 and spring to 5.3.31. ([#2604](https://redirect.github.com/spotbugs/spotbugs/pull/2604/)) ### [`v4.8.3`](https://redirect.github.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#483---2023-12-12) [Compare Source](https://redirect.github.com/spotbugs/spotbugs/compare/4.8.2...4.8.3) ##### Fixed - Fix FP in CT_CONSTRUCTOR_THROW when the finalizer does not run, since the exception is thrown before java.lang.Object's constructor exits for checked exceptions ([#2710](https://redirect.github.com/spotbugs/spotbugs/issues/2710)) - Applied changes for bcel 6.8.0 with adjustments to constant pool ([#2756](https://redirect.github.com/spotbugs/spotbugs/pull/2756)) - More information bcel changes can be found on ([#2757](https://redirect.github.com/spotbugs/spotbugs/pull/2757)) - Fix FN in CT_CONSTRUCTOR_THROW when the return value of the called method is not void or primitive type. 
- Fix FP in CT_CONSTRUCTOR_THROW when exception throwing lambda is created, but not called in constructor ([#2695](https://redirect.github.com/spotbugs/spotbugs/issues/2695))
##### Changed
- Improved Matcher checks for empty strings ([#2755](https://redirect.github.com/spotbugs/spotbugs/pull/2755))
- Allow 'onlyAnalyze' option to specify negative matches, such that this facility can be used to prevent a subset of classes to be excluded from analysis ([#2754](https://redirect.github.com/spotbugs/spotbugs/pull/2754))
- Strictly require logback 1.2.13 due to CVE-2023-6481 and CVE-23-6378 ([#2760](https://redirect.github.com/spotbugs/spotbugs/pull/2760))
- Prefer log4j2 at 2.22.0 and logback at 1.4.14 ([#2760](https://redirect.github.com/spotbugs/spotbugs/pull/2760))
### [`v4.8.2`](https://redirect.github.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#482---2023-11-28)
[Compare Source](https://redirect.github.com/spotbugs/spotbugs/compare/4.8.1...4.8.2)
##### Fixed
- Fixed false positive UPM_UNCALLED_PRIVATE_METHOD for method used in JUnit's MethodSource ([#2379](https://redirect.github.com/spotbugs/spotbugs/issues/2379))
- Use java.nio to load filter files ([#2684](https://redirect.github.com/spotbugs/spotbugs/pull/2684))
- Eclipse: Do not export javax.annotation packages ([#2699](https://redirect.github.com/spotbugs/spotbugs/pull/2699))
- Fixed not thread safe FindOverridableMethodCall detector ([#2701](https://redirect.github.com/spotbugs/spotbugs/issues/2701))
- Fix the weird messages of PI_DO_NOT_REUSE_PUBLIC_IDENTIFIERS bugs. ([#2646](https://redirect.github.com/spotbugs/spotbugs/issues/2646))
- Revert commons-text from 1.11.0 to 1.10.0 to resolve a version conflict ([#2686](https://redirect.github.com/spotbugs/spotbugs/issues/2686))
- Fix FP in CT_CONSTRUCTOR_THROW when the finalizer does not run, since the exception is thrown before java.lang.Object's constructor exits ([#2710](https://redirect.github.com/spotbugs/spotbugs/issues/2710))
##### Added
- New detector finding `System.getenv()` calls, where the corresponding Java property could be used (See [ENV02-J](https://wiki.sei.cmu.edu/confluence/display/java/ENV02-J.+Do+not+trust+the+values+of+environment+variables)).
##### Build
- Run build using jdk 17 and 21 without usage of toolchains so we do not defeat the purpose of building on both. ([#2722](https://redirect.github.com/spotbugs/spotbugs/pull/2722))
### [`v4.8.1`](https://redirect.github.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#481---2023-11-06)
[Compare Source](https://redirect.github.com/spotbugs/spotbugs/compare/4.8.0...4.8.1)
##### Fixed
- Fixed schema location for findbugsfilter.xsd ([#1416](https://redirect.github.com/spotbugs/spotbugs/issues/1416))
- Fixed missing null checks ([#2629](https://redirect.github.com/spotbugs/spotbugs/issues/2629))
- Disabled DontReusePublicIdentifiers due to the high false positives rate ([#2627](https://redirect.github.com/spotbugs/spotbugs/issues/2627))
- Removed signature of methods using UTF-8 in DefaultEncodingDetector ([#2634](https://redirect.github.com/spotbugs/spotbugs/issues/2634))
- Fix exception escapes when calling functions of JUnit Assert or Assertions ([#2640](https://redirect.github.com/spotbugs/spotbugs/issues/2640))
- Fixed an error in the SARIF export when a bug annotation is missing ([#2632](https://redirect.github.com/spotbugs/spotbugs/issues/2632))
- Fixed false positive RV_EXCEPTION_NOT_THROWN when asserting to exception throws ([#2628](https://redirect.github.com/spotbugs/spotbugs/issues/2628))
- Fix false positive CT_CONSTRUCTOR_THROW when supertype has final finalize ([#2665](https://redirect.github.com/spotbugs/spotbugs/issues/2665))
- Lowered the priority of `PA_PUBLIC_MUTABLE_OBJECT_ATTRIBUTE` bug ([#2652](https://redirect.github.com/spotbugs/spotbugs/issues/2652))
- Eclipse: fixed startup overhead (on computing classpath) for PDE projects ([#2671](https://redirect.github.com/spotbugs/spotbugs/pull/2671))
##### Build
- Fix deprecated GHA on '::set-output' by using GITHUB_OUTPUT ([#2651](https://redirect.github.com/spotbugs/spotbugs/pull/2651))
### [`v4.8.0`](https://redirect.github.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#480---2023-10-11)
[Compare Source](https://redirect.github.com/spotbugs/spotbugs/compare/4.7.3...4.8.0)
##### Changed
- Bump up Apache Commons BCEL to the version 6.6.1 ([#2223](https://redirect.github.com/spotbugs/spotbugs/pull/2223))
- Bump up slf4j-api to 2.0.3 ([#2220](https://redirect.github.com/spotbugs/spotbugs/pull/2220))
- Bump up gson to 2.10 ([#2235](https://redirect.github.com/spotbugs/spotbugs/pull/2235))
- Allowed for large command line through writing arguments to file (UnionResults/UnionBugs2)
- Use com.github.stephenc.jcip for jcip-annotations fixing ([#887](https://redirect.github.com/spotbugs/spotbugs/issues/887))
- Bump ObjectWeb ASM from 9.4 to 9.6, supporting JDK 21 ([#2578](https://redirect.github.com/spotbugs/spotbugs/pull/2578))
##### Fixed
- Fixed missing classes not in report if using IErrorLogger.reportMissingClass(ClassDescriptor) ([#219](https://redirect.github.com/spotbugs/spotbugs/issues/219))
- Stop exposing junit-bom to consumers ([#2255](https://redirect.github.com/spotbugs/spotbugs/pull/2255))
- Fixed AbstractBugReporter emits wrong non-sensical debug output during filtering ([#184](https://redirect.github.com/spotbugs/spotbugs/issues/184))
- Added support for jakarta namespace ([#2289](https://redirect.github.com/spotbugs/spotbugs/pull/2289))
- Report a low priority bug for an unread field in reflective classes ([#2325](https://redirect.github.com/spotbugs/spotbugs/issues/2325))
- Fixed "Unhandled event loop exception" opening Bug Filter Configuration dialog in Eclipse ([#2327](https://redirect.github.com/spotbugs/spotbugs/issues/2327))
- Fixed detector `RandomOnceSubDetector` to not report when `doubles`, `ints`, or `longs` are called on a new `Random` or `SecureRandom` ([#2370](https://redirect.github.com/spotbugs/spotbugs/issues/2325))
- Fixed detector `TestASM` throwing error during analysis, because it doesn't note that it reports bugs.
- Eclipse annotation classpath initializer is hard-coded to jsr305 version 3.0.1, fix to 3.0.2 per [#2470](https://redirect.github.com/spotbugs/spotbugs/issues/2470)
- Fixed annotation on generic or array incorrectly considered for the nullability of a method parameter or return type ([#2502](https://redirect.github.com/spotbugs/spotbugs/issues/2502))
- Added support for CONSTANT_Dynamic in constant class pool ([#2506](https://redirect.github.com/spotbugs/spotbugs/issues/2506))
- Recognise enums and records as immutable ([#2356](https://redirect.github.com/spotbugs/spotbugs/issues/2356))
- Added detections of reliance on default encoding in java.nio.file.Files ([#2114](https://redirect.github.com/spotbugs/spotbugs/issues/2114))
- Fixed a regression in the Value Number Analysis ([#2465](https://redirect.github.com/spotbugs/spotbugs/issues/2465))
- Fix XML Output incorrectly escaped in Eclipse Bug Info view ([#2520](https://redirect.github.com/spotbugs/spotbugs/pull/2520))
- Updated the MS_EXPOSE_REP description to mention mutable objects, not just arrays ([#1669](https://redirect.github.com/spotbugs/spotbugs/issues/1669))
- Described Configuration option frc.suspicious for bug RC_REF_COMPARISON in bug description ([#2297](https://redirect.github.com/spotbugs/spotbugs/issues/2297))
- Fixed FindHEMismatch not reporting HE_SIGNATURE_DECLARES_HASHING_OF_UNHASHABLE_CLASS for some classes ([#2402](https://redirect.github.com/spotbugs/spotbugs/issues/2402))
- Added execute file permission to files in the distribution zip ([#2540](https://redirect.github.com/spotbugs/spotbugs/issues/2540))
- Do not report RV_RETURN_VALUE_IGNORED_NO_SIDE_EFFECT when part of a Mockito.verify() call check ([#872](https://redirect.github.com/spotbugs/spotbugs/issues/872))
- Do not report SIC_INNER_SHOULD_BE_STATIC for classes annotated with JUnit Nested ([#560](https://redirect.github.com/spotbugs/spotbugs/issues/560))
- Detect created, but not-thrown exceptions, which are created by not the constructor ([#2547](https://redirect.github.com/spotbugs/spotbugs/issues/2547))
- Fixed eclipse plugin Effort.values pass to effortViewer as required cast to varargs ([#2579](https://redirect.github.com/spotbugs/spotbugs/pull/2579))
##### Added
- New simple name-based AnnotationMatcher for exclude files (now bug annotations store the class java annotations in an attribute called `classAnnotationNames`). For example, use likeConfiguration
📅 Schedule: Branch creation - "after 10pm every weekday,before 5am every weekday,every weekend" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.