java-dynamic-sqs-listener

Update dependency com.github.spotbugs:spotbugs to v4.7.3

Open renovate[bot] opened this issue 2 years ago • 0 comments

Mend Renovate

This PR contains the following updates:

| Package | Change |
| --- | --- |
| com.github.spotbugs:spotbugs (source) | 4.2.3 -> 4.7.3 |

Release Notes

spotbugs/spotbugs (com.github.spotbugs:spotbugs)

v4.7.3

Compare Source

Fixed
  • Fixed detector DontUseFloatsAsLoopCounters to prevent false positives (#2126)
  • Fixed regression in 4.7.2 caused by (#2141)
  • Improved compatibility with later versions of the JDK (>= 13) (#2188)
  • Fixed detector UncallableMethodOfAnonymousClass to not report unused methods of method-local enumerations and records (#2120)
  • Fixed detector FindSqlInjection to report SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE with high priority in case of unsafe appends also in Java 11 and above (#2183)
  • Fixed detector StringConcatenation to report SBSC_USE_STRINGBUFFER_CONCATENATION also in Java 11 and above (#2182)
  • Fixed OpcodeStackDetector to handle propagation of taints properly in case of string concatenation in Java 9 and above (#2195)
  • Bumped log4j2 binding to 2.19.0
  • Bumped ObjectWeb ASM from 9.3 to 9.4, supporting JDK 20 (#2200)
  • Bumped commons-text to 1.10.0 (#2197)
  • Fixed debug detector ViewCFG to generate file names that are also valid on Windows (#2209)

v4.7.2

Compare Source

Fixed
  • Bumped gson from 2.9.0 to 2.9.1 (#2136)
  • Bumped SLF4J API to 2.0.0
  • Bumped logback to 1.4.0
  • Bumped log4j2 binding to 2.18.0
  • Bumped Saxon-HE to 11.4 (#2160)
  • Fixed InvalidInputException in Eclipse while reporting bugs (#2134)
  • Bug SA_FIELD_SELF_ASSIGNMENT is now reported from nested classes as well (#2142)
  • Avoid a warning on use of the security manager on Java 17 and newer (#1579)
  • Fixed false positives EI_EXPOSE_REP thrown in case of fields initialized by the of or copyOf method of a List, Map or Set (#1771)
  • Fixed CFGBuilderException thrown when dup_x2 is used to swap the reference and a wide value (double, long) on the stack (#2146)

v4.7.1

Compare Source

Fixed
  • Fixed false positives for RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE on try-with-resources with interface references (#1931)
  • Fixed NullPointerException thrown by detector FindPotentialSecurityCheckBasedOnUntrustedSource on Kotlin files (#2041)
  • Disabled detector ThrowingExceptions by default to avoid many false positives (#2040)
  • Fixed false positives for THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION and THROWS_METHOD_THROWS_CLAUSE_THROWABLE when evaluating synthetic classes (#2040)
  • Fixed false positive for SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA when static data is properly protected by a static lock in a synchronized block, but that block sits inside an unsecured (synchronized, non-static) method (#2089)

v4.7.0

Compare Source

Changed
  • Updated documentation by adding parentheses () to the negative odd check message (#1995)
  • Let the Plugin class implement AutoCloseable so the .jar file can be released (#2024)
Fixed
  • Fixed reports to truncate existing files before writing new content (#1950)
  • Bumped Saxon-HE from 10.6 to 11.3 (#1955, #1999)
  • Fixed traversal of nested archives governed by -nested:true (#1930)
  • Fixed warnings of deprecated System::setSecurityManager calls on Java 17 (#1983)
  • Fixed false positive SSD bug for locking on java.lang.Class objects (#1978)
  • Fixed FindReturnRef throwing an IllegalArgumentException unexpectedly (#2019)
  • Bumped ObjectWeb ASM from 9.2 to 9.3, supporting JDK 19 (#2004)
Added
  • New detector ThrowingExceptions and introduced new bug types:
    • THROWS_METHOD_THROWS_RUNTIMEEXCEPTION is reported in case of a method throwing RuntimeException,
    • THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION is reported when a method has Exception in its throws clause, and
    • THROWS_METHOD_THROWS_CLAUSE_THROWABLE is reported when a method has Throwable in its throws clause (see SEI CERT ERR07-J)
  • New rule PERM_SUPER_NOT_CALLED_IN_GETPERMISSIONS to warn about custom class loaders that do not call their superclass's getPermissions() in their own getPermissions() method. This rule is based on the SEI CERT rule SEC07-J, Call the superclass's getPermissions() method when writing a custom class loader. (#SEC07-J)
  • New rule USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE to detect cases where a non-final method of a non-final class is called from a public method of a public class and then the same method is called on the same object inside a doPrivileged block. Since the called method may have been overridden to behave differently on the first and second invocations, this is a possible security check based on an unreliable source. This rule is based on SEI CERT rule SEC02-J, Do not base security checks on untrusted sources. (#SEC02-J)
  • New detector DontUseFloatsAsLoopCounters to detect usage of floating-point variables as loop counters (FL_FLOATS_AS_LOOP_COUNTERS), according to SEI CERT rule NUM09-J, Do not use floating-point variables as loop counters
  • New test detector ViewCFG to visualize the control-flow graph for SpotBugs developers
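The shape USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE looks for, as a constructed Java example that is not SpotBugs' code or part of this PR. The classes Resource and ResourceLoader and the ALLOWED_ROOT path are assumptions made for the example; AccessController compiles with deprecation warnings on Java 17 and later.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;

// Hypothetical non-final class: a caller may pass a subclass whose getPath()
// returns a different value on each call. Constructed for this example.
class Resource {
    private final String path;
    Resource(String path) { this.path = path; }
    public String getPath() { return path; }
}

public final class ResourceLoader {
    private static final Path ALLOWED_ROOT = Path.of("/opt/app/data"); // assumed

    // Flagged pattern: the check reads r.getPath(), then the privileged action
    // calls r.getPath() again. Because Resource and getPath() are non-final,
    // the second call may not return the value that passed the check.
    public static byte[] loadUnsafe(Resource r) throws Exception {
        Path checked = Path.of(r.getPath()).toAbsolutePath().normalize();
        if (!checked.startsWith(ALLOWED_ROOT)) {
            throw new SecurityException("outside allowed root");
        }
        return AccessController.doPrivileged(
            (PrivilegedExceptionAction<byte[]>) () ->
                Files.readAllBytes(Path.of(r.getPath())));   // second, unchecked call
    }

    // Remediation per SEC02-J: read the untrusted value exactly once into a
    // local, and let both the check and the privileged action use that copy.
    public static byte[] loadSafe(Resource r) throws Exception {
        final Path p = Path.of(r.getPath()).toAbsolutePath().normalize();
        if (!p.startsWith(ALLOWED_ROOT)) {
            throw new SecurityException("outside allowed root");
        }
        return AccessController.doPrivileged(
            (PrivilegedExceptionAction<byte[]>) () -> Files.readAllBytes(p));
    }
}
```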

v4.6.0

Compare Source

Fixed
  • Fixed spotbugs build with the ecj compiler (#1903)
  • Moved tests from the spotbugs project to the spotbugs-tests project (#1914)
  • Fixed UI freezes in Eclipse on bug count decoration updates (#285)
  • Bumped log4j from 2.17.1 to 2.17.2 (#1960)
  • Bumped gson from 2.8.9 to 2.9.0 (#1960)
Added
  • New detector FindInstanceLockOnSharedStaticData for new bug type SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA. This detector reports a bug if an instance-level lock is used to modify shared static data (see SEI CERT rule LCK06-J)

v4.5.3

Compare Source

Fixed
  • Removed duplicated logging frameworks from the Eclipse plugin distribution (#1868)
  • Corrected class name validation to no longer fail for Kotlin classes on a class path containing special characters (#1883)

v4.5.2

Compare Source

Security
  • Bumped log4j from 2.14.1 to 2.16.0 to address CVE-2021-44228

v4.5.1

Compare Source

Fixed
  • Fixed the Ant task not producing XML anymore (#1827)
  • Do not emit false positives of MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR and MC_OVERRIDABLE_METHOD_CALL_IN_CLONE for final classes (#1812)
  • Fixed reports not being created on the Windows platform (#1842)

v4.5.0

Compare Source

Changed
  • Replace "分析" with "解析" in the Japanese documentation (#1573)
  • Added a section documenting how to integrate find-sec-bugs into spotbugs-maven-plugin (#540)
  • Bumped gson from 2.8.8 to 2.8.9 (#1784)
  • Changes related to dominators analysis in package edu.umd.cs.findbugs.classfile.engine.bcel (#1741):
    • DominatorsAnalysisFactory renamed to NonExceptionDominatorsAnalysisFactory (clarification)
    • NonExceptionPostdominatorsAnalysisFactory renamed to NonExceptionPostDominatorsAnalysisFactory (spelling)
    • NonImplicitExceptionDominatorsAnalysis introduced (API consistency)
Deprecated
  • The -output command-line option is deprecated. Use command-line options for report configuration, such as -xml=spotbugs.xml, instead.

v4.4.2

Compare Source

Changed
  • Added bug code to the report in fancy-hist.xsl (#1688)
  • Bumped Saxon-HE from 10.5 to 10.6 (#1715)
Fixed
  • Fixed immutable java.lang.Class being flagged as EI (#1695)
  • Agree verb with plural subject in the description of SW_SWING_METHODS_INVOKED_IN_SWING_THREAD (#1664)
  • Fixed wrong description of SE_TRANSIENT_FIELD_OF_NONSERIALIZABLE_CLASS (#1664)
  • Fixed java.util.Locale being flagged as EI (#1702)
  • Fixed reference to java.awt.Cursor which caused it to be flagged as EI (#1702)
  • Treat types annotated with @com.google.errorprone.annotations.Immutable as immutable (#1705)
  • Fixed annotation check for jdk.internal.ValueBased (#1706)
  • Fixed DMI_RANDOM_USED_ONLY_ONCE false positive (#1539)
  • Fixed NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR false negative (#1642)
  • Fixed immutable java.util.regex.Pattern being flagged as EI (#1695)
  • Fixed resource leak in the JrtfsCodeBase (#1732)

v4.4.1

Compare Source

Changed
  • Bumped gson from 2.8.7 to 2.8.8 (#1658)
  • Lowered ExitCodes logger to debug level (#1661)
  • Fixed SARIF format to be compatible with GitHub code scanning API requirements (#1630)
Fixed
  • Fixed immutable classes in java.net.* being flagged as EI (#1653)
  • Classes containing only static methods with setter-like names are no longer considered mutable (#1601)
  • Handle all immutable collections in the Guava library as immutable (#1601)
  • Classes annotated with @Immutable or @jdk.internal.ValueBased are considered immutable (#1601)
  • All classes in packages java.time and java.math are now correctly handled as immutable (#1601)

v4.4.0

Compare Source

Fixed
  • Fixed false positives for RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE (#600 and #1338)
  • Fixed inconsistent bug description of EQ_COMPARING_CLASS_NAMES (#1523)
  • Added a declaration of charset encoding in generated reports (#1623)
  • Fixed regression in Bug Info view for Eclipse 2021-03+ (#1477)
Added
  • New detector FindBadEndOfStreamCheck for new bug type EOS_BAD_END_OF_STREAM_CHECK. This bug is reported whenever the return value of java.io.FileInputStream.read() or java.io.FileReader.read() is first converted to byte/int and only thereafter checked against -1 (see SEI CERT rule FIO08-J)
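The loop shape FindBadEndOfStreamCheck reports, beside the correct form, as a constructed Java example that is not SpotBugs' code or part of this PR. The class EndOfStreamCheck and the ByteArrayInputStream input are assumptions; FileInputStream.read() has the same contract (0..255, or -1 at end of stream), so the behaviour is identical on a file.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;

public final class EndOfStreamCheck {

    // EOS_BAD_END_OF_STREAM_CHECK pattern: the int result is narrowed to byte
    // before the -1 comparison. The data byte 0xFF also narrows to (byte) -1,
    // so the loop stops on any 0xFF in the input, not only at end of stream.
    public static int countBytesBad(InputStream in) throws IOException {
        int count = 0;
        byte b;
        while ((b = (byte) in.read()) != -1) {
            count++;
        }
        return count;
    }

    // Correct form (FIO08-J): keep the int, compare it to -1, and narrow only
    // once end of stream has been excluded.
    public static int countBytesGood(InputStream in) throws IOException {
        int count = 0;
        int r;
        while ((r = in.read()) != -1) {
            byte b = (byte) r;   // now a genuine data byte
            count++;
        }
        return count;
    }

    public static void main(String[] args) throws IOException {
        // Constructed input with 0xFF in the middle: the bad loop stops there,
        // the good loop reads all five bytes.
        byte[] data = {0x41, 0x42, (byte) 0xFF, 0x43, 0x44};
        System.out.println("bad:  " + countBytesBad(new ByteArrayInputStream(data)));
        System.out.println("good: " + countBytesGood(new ByteArrayInputStream(data)));
    }
}
```

With FileReader.read() the same mistake is worse in the other direction: (char) -1 is 0xFFFF, which never compares equal to -1, so the loop never terminates.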

v4.3.0

Compare Source

Fixed
  • MS_EXPOSE_REP and EI_EXPOSE_REP are now reported for code returning a reference to a mutable object indirectly (e.g. via a local variable)
Changed
  • Bumped ObjectWeb ASM from 9.1 to 9.2, supporting JDK 18 (#1591)
  • Bumped Saxon-HE from 10.3 to 10.5 (#1513)
  • Bumped gson from 2.8.6 to 2.8.7 (#1556)
  • Function mutableSignature() improved and factored out of the MutableStaticFields detector
Added
  • New bugs MS_EXPOSE_BUF, EI_EXPOSE_BUF, EI_EXPOSE_STATIC_BUF2 and EI_EXPOSE_BUF2 reported by the FindReturnRef detector to detect cases where buffers or their backing arrays are exposed (see SEI CERT rule FIO05-J)
  • MS_EXPOSE_REP, EI_EXPOSE_REP, EI_EXPOSE_STATIC_REP2 and EI_EXPOSE_REP2 now report for shallowly copied arrays (using clone()) of mutable objects
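The three exposure cases named above (internal array, buffer sharing its backing array, and a shallow clone() of an array of mutable objects) next to their hardened forms, as a constructed Java example that is not SpotBugs' code or part of this PR. The Session class and its fields are assumptions made for the example.

```java
import java.nio.ByteBuffer;
import java.nio.ReadOnlyBufferException;
import java.util.Arrays;
import java.util.Date;

public final class Session {
    private final byte[] key;
    private final ByteBuffer payload;
    private final Date[] stamps;

    public Session(byte[] key, byte[] payload, Date[] stamps) {
        this.key = key.clone();
        this.payload = ByteBuffer.wrap(payload.clone());
        this.stamps = Arrays.stream(stamps).map(d -> new Date(d.getTime())).toArray(Date[]::new);
    }

    // EI_EXPOSE_REP: returns the internal array itself.
    public byte[] keyUnsafe() { return key; }

    // EI_EXPOSE_BUF: duplicate() shares the backing array, so writes go through.
    public ByteBuffer payloadUnsafe() { return payload.duplicate(); }

    // Still EI_EXPOSE_REP since 4.3.0: clone() of Date[] is shallow, so each
    // Date object is shared and stays settable via setTime().
    public Date[] stampsShallow() { return stamps.clone(); }

    // Hardened forms: copy primitives out, hand out a read-only view, and
    // deep-copy arrays of mutable objects.
    public byte[] key() { return key.clone(); }
    public ByteBuffer payload() { return payload.asReadOnlyBuffer(); }
    public Date[] stamps() {
        return Arrays.stream(stamps).map(d -> new Date(d.getTime())).toArray(Date[]::new);
    }

    public static void main(String[] args) {
        Session s = new Session(new byte[] {1, 2, 3}, new byte[] {9, 9},
                                new Date[] {new Date(0)});
        s.keyUnsafe()[0] = 42;               // silently changes s.key
        s.payloadUnsafe().put(0, (byte) 0);  // silently changes s.payload
        s.stampsShallow()[0].setTime(1L);    // silently changes s.stamps[0]
        System.out.println(Arrays.toString(s.key()) + " " + s.payload().get(0)
                           + " " + s.stamps()[0].getTime());
        try {
            s.payload().put(0, (byte) 7);    // the read-only view rejects this
        } catch (ReadOnlyBufferException e) {
            System.out.println("read-only view rejected the write");
        }
    }
}
```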

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • [ ] If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

renovate[bot] · Mar 16 '23 08:03