fix(deps): update all dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
org.apache.maven.plugins:maven-gpg-plugin	3.2.5 -> 3.2.7
org.apache.maven.plugins:maven-surefire-plugin	3.5.0 -> 3.5.2
org.apache.maven.plugins:maven-failsafe-plugin	3.5.0 -> 3.5.2
com.github.spotbugs:spotbugs (source)	4.8.2 -> 4.9.0
com.github.spotbugs:spotbugs-maven-plugin (source)	4.8.6.2 -> 4.8.6.6
com.spotify.fmt:fmt-maven-plugin	2.24 -> 2.25
net.logstash.logback:logstash-logback-encoder (source)	7.3 -> 7.4
com.github.spotbugs:spotbugs-annotations (source)	4.8.6 -> 4.9.0
org.springframework.boot:spring-boot-starter-parent (source)	2.7.16 -> 2.7.18

---

Release Notes

spotbugs/spotbugs (com.github.spotbugs:spotbugs)

v4.9.0

Compare Source

Added

• Updated the SuppressFBWarnings annotation to support finer grained bug suppressions (#​3102)
• SimpleDateFormat, DateTimeFormatter, FastDateFormat string check for bad combinations of flag formatting (#​637)
• New detector ResourceInMultipleThreadsDetector and introduced new bug type:
  • AT_UNSAFE_RESOURCE_ACCESS_IN_THREAD is reported in case of unsafe resource access in multiple threads.

Fixed

• Do not consider Records as Singletons (#​2981)
• Keep a maximum of 10000 cached analysis entries for plugin's analysis engines (#​3025)
• Only report MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT when calling own methods (#​2957)
• Check the actual caught exceptions (instead of their common type) when analyzing multi-catch blocks (#​2968)
• System property findbugs.refcomp.reportAll is now being used. For some new conditions, it will emit an experimental warning (#​2988)
• -version flag prints the version to the standard output (#​2797)
• Revert the changes from (#​2894) to get HTML stylesheets to work again (#​2969)
• Fix FP SING_SINGLETON_GETTER_NOT_SYNCHRONIZED report when the synchronization is in a called method (#​3045)
• Let BetterCFGBuilder2.isPEI handle dup2 bytecode used by Spring AOT (#​3059)
• Detect failure to close RocksDB's ReadOptions (#​3069)
• Fix FP EI_EXPOSE_REP when there are multiple immutable assignments (#​3023)
• Fixed false positive NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for Kotlin, handle Kotlin's Intrinsics.checkNotNullParameter() (#​3094)
• Fixed some CWE mappings (#​3124)
• Recognize some classes as immutable, fixing EI_EXPOSE and MS_EXPOSE FPs (#​3137)
• Do not report UWF_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for fields initialized in method annotated with TestNG's @​BeforeClass. (#​3152)
• Fixed detector FindReturnRef not finding references exposed from nested and inner classes (#​2042)
• Fix call graph, include non-parametric void methods (#​3160)
• Fix multiple reporting of identical bugs messing up statistics (#​3185)
• Added missing comma between line number and confidence when describing matching and mismatching bugs for tests (#​3187)
• Fixed method matchers with array types (#​3203)
• Fix SARIF report's message property in Exception to meet the standard (#​3197)
• Fixed FI_FINALIZER_NULLS_FIELDS FPs for functions called finalize() but not with the correct signature. (#​3207)
• Fixed an error in the detection of bridge methods causing analysis crashes (#​3208)
• Fixed detector ThrowingExceptions by removing false positive reports, such as synthetic methods (lambdas), methods which inherited their exception specifications and methods which call throwing methods (#​2040)
• Do not report DP_DO_INSIDE_DO_PRIVILEGED, DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED and USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE in code targeting Java 17 and above, since it advises the usage of deprecated method (#​1515).
• Fixed a RV_RETURN_VALUE_IGNORED_NO_SIDE_EFFECT false positive for a builder delegating to another builder (#​3235)

Cleanup

• Cleanup thread issue and regex issue in test-harness (#​3130)
• Remove extra blank lines and remove public from interface objects as inherently already public (#​3131)
• Fix order of modifiers on properties/methods and ensure correct location in file (#​3132, #​3177)
• Return objects directly instead of creating more garbage collection by defining them (#​3133, #​3175)
• Restrict the constructor of abstract classes visibility to protected (#​3178)
• Cleanup double initialization and fix comments referring to findbugs instead of spotbugs(#​3134)
• Use diamond operator in constructor calls of Collections (#​3176)
• Use Collection.isEmpty() or String.isEmpty() to test for emptiness (#​3180, #​3219)
• Use method references instead of lambdas where possible (#​3179)
• Move default clauses to the end of switches (#​3222)
• Remove unnecessary throws declarations (#​3220)
• Use Boolean.parseBoolean() for string-to-boolean conversion. (#​3217)
• Rename shadowing fields (#​3221)
• Combine catch blocks with the same body (#​3223)
• Merge conditions of nested ifs (#​3231)
• Use non deprecated 'getDottedClassName' instead of 'toDottedClassName'(#​3251)
• Use try with resources where possible (#​3253)

Changed

• Bump up Java version to 11

v4.8.6

Compare Source

Fixed

• Do not report BC_UNCONFIRMED_CAST for Java 21's type switches when the switch instruction is TABLESWITCH (#​2782)
• Do not throw exception when inspecting empty switch statements (#​2995)
• Adjust priority since relaxed mode reports even IGNORED_PRIORITY (#​2994)
• Fix duplicated log4j2 jar in distribution (#​3001)

v4.8.5

Compare Source

Fixed

• Fix FP SING_SINGLETON_GETTER_NOT_SYNCHRONIZED with eager instances (#​2932)
• Fix FPs when looking for multiple initialization of Singletons (#​2934)
• Do not report DLS_DEAD_LOCAL_STORE for Java 21's type switches when switch instruction is TABLESWITCH(#​2736)
• Fix FP SE_BAD_FIELD for record fields (#​2935)

v4.8.4

Compare Source

Fixed

• Fix FP in SE_PREVENT_EXT_OBJ_OVERWRITE when the if statement checking for null value, checking multiple variables or the method exiting in the if branch with an exception. (#​2750)
• Fix possible null value in taxonomies of SARIF output (#​2744)
• Fix executionSuccessful flag in SARIF report being set to false when bugs were found (#​2116)
• Move information contained in the SARIF property exitSignalName to exitCodeDescription (#​2739)
• Do not report SE_NO_SERIALVERSIONID or other serialization issues for records (#​2793)
• Added support for CONSTANT_Dynamic (#​2759)
• Ignore generic variable types when looking for BC_UNCONFIRMED_CAST_OF_RETURN_VALUE (#​1219)
• Do not report BC_UNCONFIRMED_CAST for Java 21's type switches (#​2813)
• Remove AppleExtension library (note: menus slightly changed) (#​2823)
• Fix false positive NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE even if Objects.requireNonNull is used. (#​651, #​456)
• Fixed error preventing SpotBugs from reporting FE_FLOATING_POINT_EQUALITY (#​2843)
• Fixed NP_LOAD_OF_KNOWN_NULL_VALUE and RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE false positives in try-with-resources generated finally blocks (#​2844)
• Do not report DLS_DEAD_LOCAL_STORE for Java 21's type switches (#​2828)
• Update UnreadFields detector to ignore warnings for fields with certain annotations (#​574)
• Do not report UWF_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for fields initialized in method annotated with @​PostConstruct, @​BeforeEach, etc. (#​2872 #​2870 #​453)
• Do not report DLS_DEAD_LOCAL_STORE for Hibernate bytecode enhancements (#​2865)
• Fixed NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE false positives due to source code formatting (#​2874)
• Added more nullability annotations in TypeQualifierResolver (#​2558 #​2694)
• Improved the bug description for VA_FORMAT_STRING_USES_NEWLINE when using text blocks, check the usage of String.formatted() (#​2881)
• Fixed crash in ValueRangeAnalysisFactory when looking for redundant conditions used in assertions #​2887)
• Revert again commons-text from 1.11.0 to 1.10.0 to resolve a version conflict (#​2686)
• Fixed false positive MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR when referencing but not calling an overridable method (#​2837)
• Update the filter XSD namespace and location for the upcoming 4.8.4 release (#​2909)

Added

• New detector MultipleInstantiationsOfSingletons and introduced new bug types:
  • SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR is reported in case of a non-private constructor,
  • SING_SINGLETON_IMPLEMENTS_CLONEABLE is reported in case of a class directly implementing the Cloneable interface,
  • SING_SINGLETON_INDIRECTLY_IMPLEMENTS_CLONEABLE is reported when a class indirectly implements the Cloneable interface,
  • SING_SINGLETON_IMPLEMENTS_CLONE_METHOD is reported when a class does not implement the Cloneable interface, but has a clone() method,
  • SING_SINGLETON_IMPLEMENTS_SERIALIZABLE is reported when a class directly or indirectly implements the Serializable interface and
  • SING_SINGLETON_GETTER_NOT_SYNCHRONIZED is reported when the instance-getter method of the singleton class is not synchronized.
    (See SEI CERT MSC07-J)
• Extend FindOverridableMethodCall detector with new bug type: MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT. It's reported when an overridable method is called from readObject(), according to SEI CERT rule SER09-J. Do not invoke overridable methods from the readObject() method.

Changed

• Minor cleanup in connection with slashed and dotted names (#​2805)

Build

• Fix sonar coverage for project (#​2796)
• Upgraded the build to compile bug samples using Java 21 language features (#​2813)
• Add 'configurations.checkstyle resolution starategy' to control bug in gradle on exclusions not being excluded properly as seen in checkstyle usage. See https://github.com/checkstyle/checkstyle/issues/14211 for more information. (#​2798)
• Allow our builds to work with jdk 11 with drop back on Eclipse to 4.24 and spring to 5.3.31. (#​2604)

v4.8.3

Compare Source

Fixed

• Fix FP in CT_CONSTRUCTOR_THROW when the finalizer does not run, since the exception is thrown before java.lang.Object's constructor exits for checked exceptions (#​2710)
• Applied changes for bcel 6.8.0 with adjustments to constant pool (#​2756)
  • More information bcel changes can be found on (#​2757)
• Fix FN in CT_CONSTRUCTOR_THROW when the return value of the called method is not void or primitive type.
• Fix FP in CT_CONSTRUCTOR_THROW when exception throwing lambda is created, but not called in constructor (#​2695)

Changed

• Improved Matcher checks for empty strings (#​2755)
• Allow 'onlyAnalyze' option to specify negative matches, such that this facility can be used to prevent a subset of classes to be excluded from analysis (#​2754)
• Strictly require logback 1.2.13 due to CVE-2023-6481 and CVE-23-6378 (#​2760)
• Prefer log4j2 at 2.22.0 and logback at 1.4.14 (#​2760)

spotify/fmt-maven-plugin (com.spotify.fmt:fmt-maven-plugin)

v2.25

Compare Source

What's Changed

• Upgrade Google Java Format 1.23.0 -> 1.24.0 by @​Stephan202 in https://github.com/spotify/fmt-maven-plugin/pull/194

Full Changelog: spotify/fmt-maven-plugin@2.24...2.25

spring-projects/spring-boot (org.springframework.boot:spring-boot-starter-parent)

v2.7.18

Compare Source

⚠️ Noteworthy Changes

• Following the Paketo team's announcement that the Bionic CNB builders will be removed, the default builder using by bootBuildImage (Gradle) and spring-boot:build-image (Maven) has been changed to Paketo Jammy #​38477

🐞 Bug Fixes

• App fails to start with a NoSuchMethodError when using Flyway 10.0.0 #​38164
• spring.webflux.multipart.max-disk-usage-per-part behaves incorrectly for values where the number of bytes overflows an int #​38146
• Mail health indicator fails when host is not set in properties #​38007

📔 Documentation

• Document supported SQL comment prefixes #​38385
• Fix link to Elasticsearch health indicator #​38330
• Improve --help and documentation for "encodepassword -a/--algorithm" in the Spring Boot CLI #​38203
• Document that TomcatConnectorCustomizers are not applied to additional connectors #​38183
• MyErrorWebExceptionHandler example in documentation isn't working #​38104
• Document that SerializationFeature.WRITE_DURATIONS_AS_TIMESTAMPS is disabled by default #​38083
• Update "Running Behind a Front-end Proxy Server" to include reactive and ForwardedHeaderTransformer #​37282
• Improve documentation of classpath.idx file and its generation by the Maven and Gradle plugins #​37125
• Document configuration for building images with Colima #​34522
• Code sample in "Developing Your First Spring Boot Application" does not work #​34513
• Document ConfigurationPropertyCaching #​34172
• Document that application.* banner variables require a packaged jar or the use of Boot's launcher #​33489
• Add section on AspectJ support #​32642
• Document server.servlet.encoding.* properties and server.servlet.encoding.mapping in particular #​32472
• Add a section on customizing embedded reactive servers #​31917
• Clarify that MVC components provided through WebMvcRegistrations are subject to subsequent processing and configuration by MVC #​31232
• Clarifying documentation on including a top-level @TestConfiguration class in a test #​30513
• Clarify that @AutoConfigureWebTestClient binds WebTestClient to mock infrastructure #​29890
• Improve systemd configuration documentation #​28453
• Document how to customize the basePackages that auto-configurations consider (for example Spring Data Repositories) #​27549
• Document additional user configuration that's required after setting spring.hateoas.use-hal-as-default-json-media-type to false #​26814
• Add how-to documentation for test-only database migrations with Flyway/Liquibase #​26796

🔨 Dependency Upgrades

• Upgrade to ActiveMQ 5.16.7 #​38427
• Upgrade to DB2 JDBC 11.5.9.0 #​38428
• Upgrade to Dropwizard Metrics 4.2.22 #​38429
• Upgrade to Elasticsearch 7.17.15 #​38430
• Upgrade to Glassfish JAXB 2.3.9 #​38431
• Upgrade to Micrometer 1.9.17 #​38279
• Upgrade to Netty 4.1.101.Final #​38432
• Upgrade to Pooled JMS 1.2.6 #​38433
• Upgrade to Reactor Bom 2020.0.38 #​38280
• Upgrade to Spring Batch 4.3.10 #​38281
• Upgrade to Spring Data Bom 2021.2.18 #​38282
• Upgrade to Spring Framework 5.3.31 #​38283
• Upgrade to Spring HATEOAS 1.5.6 #​38373
• Upgrade to Spring Integration 5.5.20 #​38491
• Upgrade to Spring RESTDocs 2.0.8.RELEASE #​38434
• Upgrade to Spring WS 3.1.8 #​38284
• Upgrade to Tomcat 9.0.83 #​38435

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​GVictorG7, @​PENEKhun, @​dreis2211, and @​izeye

v2.7.17

Compare Source

⚠️ Noteworthy Changes

• The behavior of spring.jms.listener.concurrency has been corrected to match the documentation (#​37180). If you were setting spring.jms.listener.concurrency without also setting spring.jms.listener.max-concurrency, please review your configuration when upgrading.

🐞 Bug Fixes

• @Order does not work on (CommandLine|Application)Runner @Bean methods #​37905
• Gradle plugin uses to-be-deprecated API for getting and setting file permissions #​37878
• Task executor metrics are not registered when using lazy initialization #​37832
• Constructor binding with a custom collection type does not work #​37734
• Dependency management for kafka-server-common with a test classifier is missing #​37499
• fileMode and dirMode are not applied to all entries in an archive produced by BootJar #​37496
• Gradle plugin's build info support produces a deprecation warning when using Gradle 8.4-rc-1 #​37493
• RepackageMojo doesn't support 1 digit numerical values for project.build.outputTimestamp #​37438
• Restarter creates memory leak in tests #​37373
• Contrary to the documentation, setting spring.jms.listener.concurrency alone configures the maximum concurrency #​37180
• Application fails to start when an optional config import cannot be resolved #​35683
• @ComponentScan on a test class is processed when creating a test context but is not included in the context's cache key #​31577
• AspectJ transaction management with compile-time weaving does not work with spring.main.lazy-initialization=true #​37506

📔 Documentation

• Remove link to LiveReload website due to timeout #​37643
• Refer to ActiveMQ as ActiveMQ "Classic" #​37606
• Use more idiomatic Kotlin in example for "Map Health Indicators to Micrometer Metrics" #​37491
• Document support for Java 21 #​37371

🔨 Dependency Upgrades

• Upgrade to Dropwizard Metrics 4.2.21 #​37893
• Upgrade to Elasticsearch 7.17.14 #​37840
• Upgrade to Infinispan 13.0.20.Final #​37841
• Upgrade to Jetty 9.4.53.v20231009 #​37842
• Upgrade to Jetty Reactive HTTPClient 1.1.15 #​37927
• Upgrade to Micrometer 1.9.16 #​37674
• Upgrade to Netty 4.1.100.Final #​37843
• Upgrade to Pooled JMS 1.2.5 #​37894
• Upgrade to Reactor Bom 2020.0.37 #​37675
• Upgrade to Spring AMQP 2.4.17 #​37676
• Upgrade to Spring Data Bom 2021.2.17 #​37677
• Upgrade to Spring Session Bom 2021.2.3 #​37928
• Upgrade to Tomcat 9.0.82 #​37895
• Upgrade to UnboundID LDAPSDK 6.0.10 #​37753
• Upgrade to Undertow 2.2.28.Final #​37929

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​bottlerocketjonny, @​dependabot[bot], @​erichaagdev, @​esperar, @​izeye, @​jbertram, @​nielsbasjes, @​onobc, @​ttddyy, and @​vpavic

---

Configuration

📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.