spotbugs/spotbugs (spotbugs)
### [`v4.8.1`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#481---2023-11-06)
[Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.8.0...4.8.1)
##### Fixed
- Fixed schema location for findbugsfilter.xsd ([#1416](https://togithub.com/spotbugs/spotbugs/issues/1416))
- Fixed missing null checks ([#2629](https://togithub.com/spotbugs/spotbugs/issues/2629))
- Disabled DontReusePublicIdentifiers due to the high false positive rate ([#2627](https://togithub.com/spotbugs/spotbugs/issues/2627))
- Removed signature of methods using UTF-8 in DefaultEncodingDetector ([#2634](https://togithub.com/spotbugs/spotbugs/issues/2634))
- Fix exception escapes when calling functions of JUnit Assert or Assertions ([#2640](https://togithub.com/spotbugs/spotbugs/issues/2640))
- Fixed an error in the SARIF export when a bug annotation is missing ([#2632](https://togithub.com/spotbugs/spotbugs/issues/2632))
- Fixed false positive RV_EXCEPTION_NOT_THROWN when asserting that an exception is thrown ([#2628](https://togithub.com/spotbugs/spotbugs/issues/2628))
- Fix false positive CT_CONSTRUCTOR_THROW when supertype has final finalize ([#2665](https://togithub.com/spotbugs/spotbugs/issues/2665))
- Lowered the priority of `PA_PUBLIC_MUTABLE_OBJECT_ATTRIBUTE` bug ([#2652](https://togithub.com/spotbugs/spotbugs/issues/2652))
- Eclipse: fixed startup overhead (on computing classpath) for PDE projects ([#2671](https://togithub.com/spotbugs/spotbugs/pull/2671))
##### Build
- Fix deprecated GHA on '::set-output' by using GITHUB_OUTPUT ([#2651](https://togithub.com/spotbugs/spotbugs/pull/2651))
### [`v4.8.0`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#480---2023-10-11)
[Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.7.3...4.8.0)
##### Changed
- Bump up Apache Commons BCEL to the version 6.6.1 ([#2223](https://togithub.com/spotbugs/spotbugs/pull/2223))
- Bump up slf4j-api to 2.0.3 ([#2220](https://togithub.com/spotbugs/spotbugs/pull/2220))
- Bump up gson to 2.10 ([#2235](https://togithub.com/spotbugs/spotbugs/pull/2235))
- Allowed large command lines by writing arguments to a file (UnionResults/UnionBugs2)
- Use com.github.stephenc.jcip for jcip-annotations, fixing [#887](https://togithub.com/spotbugs/spotbugs/issues/887)
##### Fixed
- Fixed missing classes not appearing in the report when using IErrorLogger.reportMissingClass(ClassDescriptor) ([#219](https://togithub.com/spotbugs/spotbugs/issues/219))
- Stop exposing junit-bom to consumers ([#2255](https://togithub.com/spotbugs/spotbugs/pull/2255))
- Fixed AbstractBugReporter emitting nonsensical debug output during filtering ([#184](https://togithub.com/spotbugs/spotbugs/issues/184))
- Added support for jakarta namespace ([#2289](https://togithub.com/spotbugs/spotbugs/pull/2289))
- Report a low priority bug for an unread field in reflective classes ([#2325](https://togithub.com/spotbugs/spotbugs/issues/2325))
- Fixed "Unhandled event loop exception" opening Bug Filter Configuration dialog in Eclipse ([#2327](https://togithub.com/spotbugs/spotbugs/issues/2327))
- Fixed detector `RandomOnceSubDetector` to not report when `doubles`, `ints`, or `longs` are called on a new `Random` or `SecureRandom` ([#2370](https://togithub.com/spotbugs/spotbugs/issues/2325))
- Fixed detector `TestASM` throwing an error during analysis because it did not declare that it reports bugs.
- Eclipse annotation classpath initializer was hard-coded to jsr305 version 3.0.1; fixed to 3.0.2 per [#2470](https://togithub.com/spotbugs/spotbugs/issues/2470)
- Fixed annotation on generic or array incorrectly considered for the nullability of a method parameter or return type ([#2502](https://togithub.com/spotbugs/spotbugs/issues/2502))
- Added support for CONSTANT_Dynamic in constant class pool ([#2506](https://togithub.com/spotbugs/spotbugs/issues/2506))
- Recognise enums and records as immutable ([#2356](https://togithub.com/spotbugs/spotbugs/issues/2356))
- Added detections of reliance on default encoding in java.nio.file.Files ([#2114](https://togithub.com/spotbugs/spotbugs/issues/2114))
- Fixed a regression in the Value Number Analysis ([#2465](https://togithub.com/spotbugs/spotbugs/issues/2465))
- Fix XML Output incorrectly escaped in Eclipse Bug Info view ([#2520](https://togithub.com/spotbugs/spotbugs/pull/2520))
- Updated the MS_EXPOSE_REP description to mention mutable objects, not just arrays ([#1669](https://togithub.com/spotbugs/spotbugs/issues/1669))
- Described Configuration option frc.suspicious for bug RC_REF_COMPARISON in bug description ([#2297](https://togithub.com/spotbugs/spotbugs/issues/2297))
- Fixed FindHEMismatch not reporting HE_SIGNATURE_DECLARES_HASHING_OF_UNHASHABLE_CLASS for some classes ([#2402](https://togithub.com/spotbugs/spotbugs/issues/2402))
- Added execute file permission to files in the distribution zip ([#2540](https://togithub.com/spotbugs/spotbugs/issues/2540))
- Do not report RV_RETURN_VALUE_IGNORED_NO_SIDE_EFFECT when part of a Mockito.verify() call check ([#872](https://togithub.com/spotbugs/spotbugs/issues/872))
- Do not report SIC_INNER_SHOULD_BE_STATIC for classes annotated with JUnit Nested ([#560](https://togithub.com/spotbugs/spotbugs/issues/560))
- Detect created but not-thrown exceptions that are created other than by a constructor ([#2547](https://togithub.com/spotbugs/spotbugs/issues/2547))
- Fixed the Eclipse plugin passing `Effort.values` to `effortViewer`, which requires a cast to varargs ([#2579](https://togithub.com/spotbugs/spotbugs/pull/2579))
##### Added
- New simple name-based AnnotationMatcher for exclude files (bug annotations now store the class's Java annotations in an attribute called `classAnnotationNames`). For example, use it in an excludeFilter.xml to ignore classes generated by the Immutable framework. This ignores all class, method or field bugs in classes with that annotation.
- Added the Common Weakness Enumeration (CWE) taxonomy to the Static Analysis Results Interchange Format (SARIF) report. The short and long descriptions for the CWEs are retrieved from a JSON file which is a slimmed-down version of the official comprehensive CWE XML from MITRE. The JSON contains information about all CWEs. ([#2410](https://togithub.com/spotbugs/spotbugs/pull/2410))
- New detector `FindAssertionsWithSideEffects` detecting bug `ASSERTION_WITH_SIDE_EFFECT` and `ASSERTION_WITH_SIDE_EFFECT_METHOD` in case of assertions which may have side effects (See [EXP06-J. Expressions used in assertions must not produce side effects](https://wiki.sei.cmu.edu/confluence/display/java/EXP06-J.+Expressions+used+in+assertions+must+not+produce+side+effects))
- New rule set `PA_PUBLIC_PRIMITIVE_ATTRIBUTE`, `PA_PUBLIC_ARRAY_ATTRIBUTE` and `PA_PUBLIC_MUTABLE_OBJECT_ATTRIBUTE` to warn for public attributes which are written by the methods of the class. This rule is loosely based on the SEI CERT rule *OBJ01-J Limit accessibility of fields*. ([#OBJ01-J](https://wiki.sei.cmu.edu/confluence/display/java/OBJ01-J.+Limit+accessibility+of+fields))
- Extend `SerializableIdiom` detector with new bug type: `SE_PREVENT_EXT_OBJ_OVERWRITE`. It's reported when the `readExternal()` method allows any caller to reset any value of the object.
- New Detector `FindVulnerableSecurityCheckMethods` for new bug type `VSC_VULNERABLE_SECURITY_CHECK_METHODS`. This bug is reported whenever a non-final and non-private method of a non-final class performs a security check using the `java.lang.SecurityManager`. (See [SEI CERT MET03-J](https://wiki.sei.cmu.edu/confluence/display/java/MET03-J.+Methods+that+perform+a+security+check+must+be+declared+private+or+final))
- New function added to detector `SynchronizationOnSharedBuiltinConstant` to detect `DL_SYNCHRONIZATION_ON_INTERNED_STRING` ([#2266](https://togithub.com/spotbugs/spotbugs/pull/2266))
- Make TypeQualifierResolver recognize org.apache.avro.reflect.Nullable ([#2066](https://togithub.com/spotbugs/spotbugs/pull/2066))
- New detector `FindArgumentAssertions` detecting bug `ASSERTION_OF_ARGUMENTS` in case of validation of arguments of public functions using assertions (See [MET01-J. Never use assertions to validate method arguments](https://wiki.sei.cmu.edu/confluence/display/java/MET01-J.+Never+use+assertions+to+validate+method+arguments))
- Add new detector `CT_CONSTRUCTOR_THROW` for detecting constructors that throw exceptions.
- New detector `DontReusePublicIdentifiers` for new bug type `PI_DO_NOT_REUSE_PUBLIC_IDENTIFIERS`. This bug is reported whenever a new class, interface, field, method or variable is created reusing an identifier from the *Java Standard Library*. (See [SEI CERT rule DCL01-J](https://wiki.sei.cmu.edu/confluence/display/java/DCL01-J.+Do+not+reuse+public+identifiers+from+the+Java+Standard+Library))
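To make two of the new detector entries concrete, the following Java is an added illustration (not SpotBugs project code or its test fixtures): the pattern `VSC_VULNERABLE_SECURITY_CHECK_METHODS` reports, next to the `final` form MET03-J asks for, and an `Externalizable` class whose `readExternal()` guards against being used to overwrite an already-initialized object, the situation `SE_PREVENT_EXT_OBJ_OVERWRITE` targets. Class and method names are invented for the example.

```java
import java.io.Externalizable;
import java.io.IOException;
import java.io.ObjectInput;
import java.io.ObjectOutput;

// VSC_VULNERABLE_SECURITY_CHECK_METHODS (MET03-J): the SecurityManager check
// sits in a non-final, non-private method of a non-final class, so a subclass
// can override it and skip the check before the privileged operation runs.
class NativeLoader {
    public void loadLibrary(String name) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new RuntimePermission("loadLibrary." + name));
        }
        System.loadLibrary(name);
    }
}

// Compliant form: the checking method is final (making the class final or the
// method private works too), so the check can no longer be bypassed by overriding.
class SafeNativeLoader {
    public final void loadLibrary(String name) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new RuntimePermission("loadLibrary." + name));
        }
        System.loadLibrary(name);
    }
}

// SE_PREVENT_EXT_OBJ_OVERWRITE: readExternal() is public by contract, so any
// caller holding a reference can feed it a stream and overwrite the object's
// state. The guard below makes a second call fail instead of resetting the value.
class SessionToken implements Externalizable {
    private String value;
    private boolean initialized;
    public SessionToken() { }                       // public no-arg ctor required by Externalizable
    public SessionToken(String value) { this.value = value; this.initialized = true; }

    @Override
    public void writeExternal(ObjectOutput out) throws IOException {
        out.writeUTF(value);
    }

    @Override
    public void readExternal(ObjectInput in) throws IOException {
        if (initialized) {
            throw new IllegalStateException("readExternal() called on an initialized object");
        }
        value = in.readUTF();
        initialized = true;
    }

    public String value() { return value; }
}
```

`System.getSecurityManager()` is deprecated for removal in recent JDKs, so the loader classes compile with a deprecation warning; the detector's point is the overridability of the method, not the API itself.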
##### Security
- Disable access to external entities when processing XML ([#2217](https://togithub.com/spotbugs/spotbugs/pull/2217))
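What "disabling access to external entities" looks like in JAXP code, as an added illustration: this is not the SpotBugs change itself (the changelog does not list which features the project set), but the standard hardening of a `DocumentBuilderFactory`, tried against a constructed filter file with and without a DOCTYPE. The class name `HardenedXml` is invented.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public final class HardenedXml {
    // Returns a DocumentBuilder that will not resolve external entities or DTDs.
    public static DocumentBuilder newBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject DOCTYPE declarations entirely; external entity references need one.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties: an empty string allows no protocol for external access.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a plain filter file, and one carrying a DOCTYPE that
        // would make an unhardened parser fetch an external DTD.
        String plain = "<FindBugsFilter><Match>"
            + "<Bug pattern=\"CT_CONSTRUCTOR_THROW\"/></Match></FindBugsFilter>";
        String withDoctype = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE FindBugsFilter SYSTEM \"filter.dtd\">\n"
            + "<FindBugsFilter/>";

        DocumentBuilder b = newBuilder();
        Document ok = b.parse(new InputSource(new StringReader(plain)));
        System.out.println("parsed root: " + ok.getDocumentElement().getTagName());
        try {
            b.parse(new InputSource(new StringReader(withDoctype)));
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            // Expected with disallow-doctype-decl: the document is rejected before any fetch.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```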
##### Build
- Bump Eclipse from 4.6.3 to 4.14 ([#2314](https://togithub.com/spotbugs/spotbugs/pull/2314))
- Use jakarta annotation 1.3.5 instead of legacy javax annotation 1.3.2 ([#2315](https://togithub.com/spotbugs/spotbugs/pull/2315))
- Change hamcrest-all to hamcrest-core as that is what was actually used and then update to 2.2 ([#2316](https://togithub.com/spotbugs/spotbugs/pull/2316))
- Only run release action on 'spotbugs' and use Eclipse 4.14 ([#2317](https://togithub.com/spotbugs/spotbugs/pull/2317))
- Prefer log4j2 2.20.0 ([#2480](https://togithub.com/spotbugs/spotbugs/pull/2480))
- Prefer logback 1.4.8 ([#2480](https://togithub.com/spotbugs/spotbugs/pull/2480))
- Prefer logback 1.4.11 ([#2580](https://togithub.com/spotbugs/spotbugs/pull/2580))
- Switch junit 4 for junit 5 vintage engine ([#2483](https://togithub.com/spotbugs/spotbugs/pull/2483))
- LineEndings and Spotless ([#2343](https://togithub.com/spotbugs/spotbugs/pull/2343))
- Cleanup gitattributes switching text to auto. For developers using windows, run 'git add . --renormalize' and see https://docs.github.com/en/get-started/getting-started-with-git/configuring-git-to-handle-line-endings if needed.
- Rework spotless setup from plugin to build file plugin matching that of gradle plugin and thus allowing spotless to be updated to 6.22.0
- Remove customized line endings for spotless so it uses git attributes as suggested by spotless
- Add trimTrailingWhitespace for spotless
- Fix deprecated usage of eclipse version from 4.13.0 to 4.13 per spotless requirements
- Bump spotbugs gradle plugin to 6.0.0-beta.3 demonstrating breaking changes for 6.0.0 in gradle/java.gradle build file ([#2582](https://togithub.com/spotbugs/spotbugs/pull/2582))
- Delete checked in j2ee jar and instead use servlet/ejb apis from jakarta (javax standard) ([#2585](https://togithub.com/spotbugs/spotbugs/pull/2585))
- Bump Eclipse from 4.14 to 4.29 (latest) ([#2589](https://togithub.com/spotbugs/spotbugs/pull/2589))
- Cleanup hamcrest imports / used library ([#2600](https://togithub.com/spotbugs/spotbugs/pull/2600))
- Migrate entirely to junit 5 ([#2605](https://togithub.com/spotbugs/spotbugs/pull/2605))
  - Some parts of codebase were junit 3
  - Delete the SpotbugsRule
  - Replace custom java determination on build with Junit 5 usage
  - Various 'public' methods in tests fixed to 'private'
  - Junit 5 styling applied throughout
  - Add missing code to the SpotBugsRunner and now use the Extension as replacement of SpotbugsRule
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates: spotbugs `4.7.3` -> `4.8.1` (release notes above).