Closed dependabot[bot] closed 2 months ago
The SpotBugs warnings introduced by this upgrade in `workflow-cps` are both false positives:

- `SerializableScript` is a false positive, as can be seen by running `CpsFlowExecutionTest#getCurrentExecutions` in a debugger. As can be seen by https://github.com/jboss-remoting/jboss-marshalling/blob/7834247fe18cf2552d249aefa476783fc9b0a28d/river/src/main/java/org/jboss/marshalling/river/RiverUnmarshaller.java#L1408-L1429, JBoss Marshalling invokes the constructor before calling the `readObject` method, so by the time the overridable method is called its prerequisite state has already been established.
- `ContinuationPtr` is a false positive, as can be seen by running `ContinuableTest#serializeComplexContinuable` in a debugger. The overridable method is called against an object passed in to the `readObject` method, so it can be guaranteed to have been initialized with the prerequisite state.

Given that these are both false positives, the next question I have is how much effort will be required to suppress these false positives throughout the Jenkins plugin ecosystem. To answer that question, I think we need to investigate the result of this upgrade on more Jenkins plugins to see how many false positives are being introduced by this upgrade.
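The hazard that a warning about overridable method calls in `readObject` targets under standard Java serialization, as an added example that is not code from workflow-cps, SpotBugs or the participants in this thread; every class and member name in it is hypothetical. It shows the overridden method running before the subclass field has been restored, which is the situation the comment above rules out for the two flagged classes.

```java
import java.io.*;

// Added illustration: all class and member names here are hypothetical.
public class ReadObjectOverrideDemo {

    static class Base implements Serializable {
        private static final long serialVersionUID = 1L;
        transient String observed; // what the hook returned while Base was being restored

        // Overridable hook: calling it from readObject is the flagged pattern.
        String describe() { return "base"; }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject(); // restores Base's own fields only
            observed = describe();  // virtual dispatch reaches Derived before its fields exist
        }
    }

    static class Derived extends Base {
        private static final long serialVersionUID = 1L;
        private final String label;

        Derived(String label) { this.label = label; }

        // Reads a field that the stream has not yet populated when Base.readObject runs.
        @Override
        String describe() { return "label=" + label; }
    }

    // Serialize and deserialize in memory with the JDK's own object streams.
    static Base roundTrip(Base value) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buffer)) {
            out.writeObject(value);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buffer.toByteArray()))) {
            return (Base) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Base copy = roundTrip(new Derived("prod")); // "prod" is a constructed sample value
        System.out.println("seen inside readObject: " + copy.observed);
        System.out.println("seen after readObject:  " + copy.describe());
    }
}
```

Declaring the hook `final` or `private` in `Base`, or deferring the call until the whole object graph has been read, removes the early dispatch.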
Testing this PR on other components, I am getting a number of false positives from the `MultipleInstantiationsOfSingletons`, reported in https://github.com/spotbugs/spotbugs/issues/2967. Suggest ignoring this minor version and waiting for 4.8.5.x to pick up the fix for that issue, as was previously done in https://github.com/apache/commons-parent/pull/402#issuecomment-2077002936.
@dependabot ignore this minor version
OK, I won't notify you about version 4.8.x again, unless you re-open this PR.
@dependabot reopen
@dependabot rebase
Superseded by #931.
Bumps com.github.spotbugs:spotbugs-maven-plugin from 4.8.3.1 to 4.8.4.0.
Release notes
Sourced from com.github.spotbugs:spotbugs-maven-plugin's releases.
Commits
- 078e270 [maven-release-plugin] prepare release spotbugs-maven-plugin-4.8.4.0
- 332a3b4 [GHA] Add java 23-ea to CI build matrix
- 59141d8 Merge pull request #789 from spotbugs/renovate/groovy-monorepo
- caf5f74 Update groovy monorepo to v4.0.21
- 6a41e35 Merge pull request #787 from spotbugs/renovate/io.version
- 348b198 Update dependency commons-io:commons-io to v2.16.1
- c65a41b Merge pull request #786 from hazendaz/release/4.8.4.0
- 7ef588a Merge pull request #785 from hazendaz/release/4.8.4.0
- 667c841 [pom] Formatting
- 1367ccf [GHA] Bump maven 4 to 4.0.0-alpha-13

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show