
dependency: bump spotbugs-maven-plugin from 4.7.1.1 to 4.7.2.0

Open dependabot[bot] opened this issue 3 years ago • 1 comments

Bumps spotbugs-maven-plugin from 4.7.1.1 to 4.7.2.0.

Release notes

Sourced from spotbugs-maven-plugin's releases.

Spotbugs Maven Plugin 4.7.2.0

  • support for spotbugs 4.7.2
Commits
  • 094bf44 [maven-release-plugin] prepare release spotbugs-maven-plugin-4.7.2.0
  • a124305 Merge pull request #485 from hazendaz/spotbugs
  • 97012fa [pom] Bump junit to 5.9.0
  • ea6cb7c [pom] Bump remainder of spotbugs to 4.7.2
  • 0e2d503 Merge pull request #483 from spotbugs/renovate/major-slf4jversion
  • 3faea35 Merge branch 'spotbugs' into renovate/major-slf4jversion
  • 7c40f37 Merge pull request #484 from spotbugs/renovate/spotbugsversion
  • 01758a3 Update dependency com.github.spotbugs:spotbugs to v4.7.2
  • dfeae38 Update slf4jVersion to v2
  • d39ff02 Merge pull request #481 from spotbugs/renovate/javadocpluginversion
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependabot[bot] avatar Sep 06 '22 21:09 dependabot[bot]

[INFO] --- spotbugs-maven-plugin:4.7.2.0:check (default) @ checkstyle ---
[INFO] BugInstance size is 1
[INFO] Error size is 0
[INFO] Total bugs: 1
[ERROR] Medium: Public static com.puppycrawl.tools.checkstyle.ConfigurationLoader.loadConfiguration(InputSource, PropertyResolver, ConfigurationLoader$IgnoredModulesOptions, ThreadModeSettings) may expose internal representation by returning ConfigurationLoader.configuration [com.puppycrawl.tools.checkstyle.ConfigurationLoader] At ConfigurationLoader.java:[line 319] MS_EXPOSE_REP

https://spotbugs.readthedocs.io/en/stable/bugDescriptions.html#ms-public-static-method-may-expose-internal-representation-by-returning-array-ms-expose-rep

MS: Public static method may expose internal representation by returning array (MS_EXPOSE_REP) A public static method returns a reference to an array that is part of the static state of the class. Any code that calls this method can freely modify the underlying array. One fix is to return a copy of the array.

I only looked at the message (may expose internal representation by returning) and not the place it was coming from.

This looks more like EI_EXPOSE_REP:

May expose internal representation by returning reference to mutable object (EI_EXPOSE_REP) Returning a reference to a mutable object value stored in one of the object's fields exposes the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Returning a new copy of the object is a better approach in many situations.

It didn't seem like a false positive, as we have a public method returning the instance of a private field (as is), which represents the same class we are in. ConfigurationLoader only has private constructors.

I would prefer to make changes to XmlLoader to accommodate this better since I can't otherwise pass in and out an instance, but I was not seeing any easy way to do this.

rnveach avatar Sep 07 '22 00:09 rnveach
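To make the two SpotBugs patterns quoted in the comment above concrete, here is an added illustration that is not code from checkstyle or SpotBugs: a class that leaks a static array (MS_EXPOSE_REP) and an instance list (EI_EXPOSE_REP), each shown beside a defensive-copy fix. The class and field names (ExposeRepDemo, DEFAULT_MODULES, properties) and the sample values are constructed for this example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Constructed example (not checkstyle's or SpotBugs' code): the two patterns
// from the thread above, MS_EXPOSE_REP (static state) and EI_EXPOSE_REP
// (instance state), each leaking a mutable reference, then with a fix.
public final class ExposeRepDemo {

    // --- MS_EXPOSE_REP: public static method returning a static mutable array ---
    private static final String[] DEFAULT_MODULES = {"TreeWalker", "Checker"};

    // Flagged: the caller receives the real array and can rewrite class state
    // that every other caller will later observe.
    public static String[] defaultModulesLeaky() {
        return DEFAULT_MODULES;
    }

    // Fix: hand out a copy; any mutation stays with the caller.
    public static String[] defaultModulesSafe() {
        return DEFAULT_MODULES.clone();
    }

    // --- EI_EXPOSE_REP: instance method returning a mutable private field ---
    private final List<String> properties = new ArrayList<>();

    public ExposeRepDemo(String... initial) {
        properties.addAll(Arrays.asList(initial));
    }

    // Flagged: the private list itself escapes, so untrusted callers can
    // change this object's internal state behind its back.
    public List<String> propertiesLeaky() {
        return properties;
    }

    // Fix, option 1: an unmodifiable view; write attempts through it throw.
    public List<String> propertiesSafe() {
        return Collections.unmodifiableList(properties);
    }

    // Fix, option 2: a snapshot copy; callers may mutate their own copy freely.
    public List<String> propertiesSnapshot() {
        return new ArrayList<>(properties);
    }

    public static void main(String[] args) {
        // Static array: writing through the leaked reference changes what the
        // "safe" accessor returns afterwards, because it copies the same array.
        defaultModulesLeaky()[0] = "Tampered";
        System.out.println("after leak: " + Arrays.toString(defaultModulesSafe()));

        // Instance list: the leaky getter lets a caller append to private state.
        ExposeRepDemo demo = new ExposeRepDemo("severity=warning");
        demo.propertiesLeaky().add("injected");
        System.out.println("after leak: " + demo.propertiesSafe());

        // The unmodifiable view rejects the same write attempt.
        try {
            demo.propertiesSafe().add("blocked");
        } catch (UnsupportedOperationException expected) {
            System.out.println("write through unmodifiable view rejected");
        }

        // A snapshot copy can be mutated without touching the object.
        List<String> copy = demo.propertiesSnapshot();
        copy.add("local-only");
        System.out.println("object still has: " + demo.propertiesSafe());
    }
}
```

Compile and run with `javac ExposeRepDemo.java && java ExposeRepDemo`. The unmodifiable view is the cheaper fix when callers only read, while a snapshot copy is the right choice when callers legitimately need a list they can edit; either way the private field never escapes, which is what silences both MS_EXPOSE_REP and EI_EXPOSE_REP.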

TC is the only CI failure, it is not related to this PR.

nrmancuso avatar Oct 08 '22 17:10 nrmancuso