Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update spotbugs to v4.7.3 (master) (minor) #3031

Merged
merged 1 commit into from
Aug 24, 2023
Merged

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 23, 2023

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
com.github.spotbugs:spotbugs-annotations (source) 4.4.2 -> 4.7.3 age adoption passing confidence
spotbugs (source) 4.4.2 -> 4.7.3 age adoption passing confidence

Release Notes

spotbugs/spotbugs (com.github.spotbugs:spotbugs-annotations)

v4.7.3

Compare Source

Fixed
  • Fixed detector DontUseFloatsAsLoopCounters to prevent false positives. (#​2126)
  • Fixed regression in 4.7.2 caused by (#​2141)
  • improve compatibility with later version of jdk (>= 13). (#​2188)
  • Fixed detector UncallableMethodOfAnonymousClass to not report unused methods of method-local enumerations and records (#​2120)
  • Fixed detector FindSqlInjection to detect bug SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE SQL with high priority in case of unsafe appends also in Java 11 and above (#​2183)
  • Fixed detector StringConcatenation to detect bug SBSC_USE_STRINGBUFFER_CONCATENATION also in Java 11 and above (#​2182)
  • Fixed OpcodeStackDetector to to handle propagation of taints properly in case of string concatenation in Java 9 and above (#​2195)
  • Bump up log4j2 binding to 2.19.0
  • Bump ObjectWeb ASM from 9.3 to 9.4 supporting JDK 20 (#​2200)
  • Bump up commons-text to 1.10.0 (#​2197)
  • Fixed debug detector ViewCFG to generate file names that are also valid on Windows (#​2209)

v4.7.2

Compare Source

Fixed
  • Bumped gson from 2.9.0 to 2.9.1 (#​2136)
  • Bump up SLF4J API to 2.0.0
  • Bump up logback to 1.4.0
  • Bump up log4j2 binding to 2.18.0
  • Bump up Saxon-HE to 11.4 (#​2160)
  • Fixed InvalidInputException in Eclipse while bug reporting (#​2134)
  • Bug SA_FIELD_SELF_ASSIGNMENT is now reported from nested classes as well (#​2142)
  • Avoid warning on use of security manager on Java 17 and newer. (#​1579)
  • Fixed false positives EI_EXPOSE_REP thrown in case of fields initialized by the of or copyOf method of a List, Map or Set (#​1771)
  • Fixed CFGBuilderException thrown when dup_x2 is used to swap the reference and wide-value (double, long) in the stack (#​2146)

v4.7.1

Compare Source

Fixed
  • Fixed False positives for RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE on try-with-resources with interface references (#​1931)
  • Fixed NullPointerException thrown by detector FindPotentialSecurityCheckBasedOnUntrustedSource on Kotlin files. (#​2041)
  • Disabled detector ThrowingExceptions by default to avoid many false positives (#​2040)
  • Fixed False positives for THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION and THROWS_METHOD_THROWS_CLAUSE_THROWABLE on evaluating synthetic classes (#​2040)
  • Fixed False positive for SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA on proper protection by using static lock for synchronized block, but inside an unsecured (synchronized and not static) method (#​2089)

v4.7.0

Compare Source

Changed
  • Updated documentation by adding parenthesis () to the negative odd check message (#​1995)
  • Let the Plugin class implement AutoCloseable so we can release the .jar file (#​2024)
Fixed
  • Fixed reports to truncate existing files before writing new content (#​1950)
  • Bumped Saxon-HE from 10.6 to 11.3 (#​1955, #​1999)
  • Fixed traversal of nested archives governed by -nested:true (#​1930)
  • Warnings of deprecated System::setSecurityManager calls on Java 17 (#​1983)
  • Fixed false positive SSD bug for locking on java.lang.Class objects (#​1978)
  • FindReturnRef throws an IllegalArgumentException unexpectedly (#​2019)
  • Bump ObjectWeb ASM from 9.2 to 9.3 supporting JDK 19 (#​2004)
Added
  • New detector ThrowingExceptions and introduced new bug types:
    • THROWS_METHOD_THROWS_RUNTIMEEXCEPTION is reported in case of a method throwing RuntimeException,
    • THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION is reported when a method has Exception in its throws clause and
    • THROWS_METHOD_THROWS_CLAUSE_THROWABLE is reported when a method has Throwable in its throws clause (See SEI CERT ERR07-J)
  • New rule PERM_SUPER_NOT_CALLED_IN_GETPERMISSIONS to warn for custom class loaders who do not call their superclasses' getPermissions() in their getPermissions() method. This rule based on the SEI CERT rule SEC07-J Call the superclass's getPermissions() method when writing a custom class loader. (#SEC07-J)
  • New rule USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE to detect cases where a non-final method of a non-final class is called from public methods of public classes and then the same method is called on the same object inside a doPrivileged block. Since the called method may have been overridden to behave differently on the first and second invocations this is a possible security check based on an unreliable source. This rule is based on SEC02-J. Do not base security checks on untrusted sources. (#SEC02-J)
  • New detector DontUseFloatsAsLoopCounters to detect usage of floating-point variables as loop counters (FL_FLOATS_AS_LOOP_COUNTERS), according to SEI CERT rules NUM09-J. Do not use floating-point variables as loop counters
  • New test detector ViewCFG to visualize the control-flow graph for SpotBugs developers

v4.6.0

Compare Source

Fixed
  • Fixed spotbugs build with ecj compiler (#​1903)
  • Moved tests from spotbugs project to spotbugs-tests project (#​1914)
  • Fixed UI freezes in Eclipse on bug count decorations update (#​285)
  • Bumped log4j from 2.17.1 to 2.17.2 (#​1960)
  • Bumped gson from 2.8.9 to 2.9.0 (#​1960)
Added
  • New detector FindInstanceLockOnSharedStaticData for new bug type SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA. This detector reports a bug if an instance level lock is used to modify a shared static data. (See SEI CERT rule LCK06-J)

v4.5.3

Compare Source

Security
Fixed
  • Remove duplicated logging frameworks from the Eclipse plugin distribution (#​1868)
  • Corrected class name validation to no longer fail for Kotlin classes on class path containing special characters. (#​1883)

v4.5.2

Compare Source

Security
Fixed

v4.5.1

Compare Source

Fixed
  • Ant task does not produce XML anymore (#​1827)
  • Do not emit false positives of MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR and MC_OVERRIDABLE_METHOD_CALL_IN_CLONE for final classes (#​1812).
  • Reports cannot be created on Windows platform (#​1842)

v4.5.0

Compare Source

Changed
  • Replace "分析" with "解析" in Japanese document (#​1573)
  • Add a section to document how to integrate find-sec-bugs into spotbugs-maven-plugin (#​540)
  • Bump gson from 2.8.8 to 2.8.9 (#​1784)
  • Changes related to dominators analysis in package edu.umd.cs.findbugs.classfile.engine.bcel (#​1741):
    • DominatorsAnalysisFactory renamed to NonExceptionDominatorsAnalysisFactory (clarification)
    • NonExceptionPostdominatorsAnalysisFactory renamed to NonExceptionPostDominatorsAnalysisFactory (spelling)
    • NonImplicitExceptionDominatorsAnalysis introduced (API consistency)
Added
Fixed
Deprecated
  • -output commandline option is deprecated. Use commandline options for report configuration like -xml=spotbugs.xml instead.

Configuration

📅 Schedule: Branch creation - "after 5pm on the first day of the month" in timezone Europe/Zurich, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added the dependencies Update the dependencies label Aug 23, 2023
@renovate renovate bot enabled auto-merge (rebase) August 23, 2023 16:02
Copy link

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Success approve. Enjoy 🏳️‍🌈🎉.

@renovate renovate bot force-pushed the renovate/master-spotbugs branch from 3f43b87 to 3912815 Compare August 24, 2023 07:45
Copy link

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Success approve. Enjoy 🏳️‍🌈🎉.

@renovate renovate bot force-pushed the renovate/master-spotbugs branch from 3912815 to 1e61fe8 Compare August 24, 2023 08:14
Copy link

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Success approve. Enjoy 🏳️‍🌈🎉.

@renovate renovate bot force-pushed the renovate/master-spotbugs branch from 1e61fe8 to 6e2d278 Compare August 24, 2023 08:16
Copy link

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Success approve. Enjoy 🏳️‍🌈🎉.

@renovate renovate bot merged commit b463096 into master Aug 24, 2023
@renovate renovate bot deleted the renovate/master-spotbugs branch August 24, 2023 08:35
@geo-ghci-int geo-ghci-int bot added this to the 3.31.0 milestone Oct 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Update the dependencies
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants