Don't add things to libraryDependencies

[nigredo-tori]

At the moment, we add spotbugs and findsecbugs-plugin to the libraryDependencies, and use the same classpath for -cp and -auxclasspath. This means that:

• the project's dependencies can affect spotbugs' dependency resolution;
• spotbugs has to check itself for bugs;
• spotbugs dependencies can affect the project's dependency resolution;
• the produced artifact depends on spotbugs etc. for no reason.

We should keep spotbugs classpath in a separate configuration, and not mix it with the project itself.

[jqno]

Thanks for the PR's! The unit test is also appreciated very much. I've just merged and released!