Update dependency com.github.spotbugs:spotbugs to v4.9.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
com.github.spotbugs:spotbugs (source)	4.8.6 -> 4.9.0

---

Release Notes

spotbugs/spotbugs (com.github.spotbugs:spotbugs)

v4.9.0

Compare Source

Added

• Updated the SuppressFBWarnings annotation to support finer grained bug suppressions (#​3102)
• SimpleDateFormat, DateTimeFormatter, FastDateFormat string check for bad combinations of flag formatting (#​637)
• New detector ResourceInMultipleThreadsDetector and introduced new bug type:
  • AT_UNSAFE_RESOURCE_ACCESS_IN_THREAD is reported in case of unsafe resource access in multiple threads.

Fixed

• Do not consider Records as Singletons (#​2981)
• Keep a maximum of 10000 cached analysis entries for plugin's analysis engines (#​3025)
• Only report MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT when calling own methods (#​2957)
• Check the actual caught exceptions (instead of their common type) when analyzing multi-catch blocks (#​2968)
• System property findbugs.refcomp.reportAll is now being used. For some new conditions, it will emit an experimental warning (#​2988)
• -version flag prints the version to the standard output (#​2797)
• Revert the changes from (#​2894) to get HTML stylesheets to work again (#​2969)
• Fix FP SING_SINGLETON_GETTER_NOT_SYNCHRONIZED report when the synchronization is in a called method (#​3045)
• Let BetterCFGBuilder2.isPEI handle dup2 bytecode used by Spring AOT (#​3059)
• Detect failure to close RocksDB's ReadOptions (#​3069)
• Fix FP EI_EXPOSE_REP when there are multiple immutable assignments (#​3023)
• Fixed false positive NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for Kotlin, handle Kotlin's Intrinsics.checkNotNullParameter() (#​3094)
• Fixed some CWE mappings (#​3124)
• Recognize some classes as immutable, fixing EI_EXPOSE and MS_EXPOSE FPs (#​3137)
• Do not report UWF_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for fields initialized in method annotated with TestNG's @​BeforeClass. (#​3152)
• Fixed detector FindReturnRef not finding references exposed from nested and inner classes (#​2042)
• Fix call graph, include non-parametric void methods (#​3160)
• Fix multiple reporting of identical bugs messing up statistics (#​3185)
• Added missing comma between line number and confidence when describing matching and mismatching bugs for tests (#​3187)
• Fixed method matchers with array types (#​3203)
• Fix SARIF report's message property in Exception to meet the standard (#​3197)
• Fixed FI_FINALIZER_NULLS_FIELDS FPs for functions called finalize() but not with the correct signature. (#​3207)
• Fixed an error in the detection of bridge methods causing analysis crashes (#​3208)
• Fixed detector ThrowingExceptions by removing false positive reports, such as synthetic methods (lambdas), methods which inherited their exception specifications and methods which call throwing methods (#​2040)
• Do not report DP_DO_INSIDE_DO_PRIVILEGED, DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED and USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE in code targeting Java 17 and above, since it advises the usage of deprecated method (#​1515).
• Fixed a RV_RETURN_VALUE_IGNORED_NO_SIDE_EFFECT false positive for a builder delegating to another builder (#​3235)

Cleanup

• Cleanup thread issue and regex issue in test-harness (#​3130)
• Remove extra blank lines and remove public from interface objects as inherently already public (#​3131)
• Fix order of modifiers on properties/methods and ensure correct location in file (#​3132, #​3177)
• Return objects directly instead of creating more garbage collection by defining them (#​3133, #​3175)
• Restrict the constructor of abstract classes visibility to protected (#​3178)
• Cleanup double initialization and fix comments referring to findbugs instead of spotbugs(#​3134)
• Use diamond operator in constructor calls of Collections (#​3176)
• Use Collection.isEmpty() or String.isEmpty() to test for emptiness (#​3180, #​3219)
• Use method references instead of lambdas where possible (#​3179)
• Move default clauses to the end of switches (#​3222)
• Remove unnecessary throws declarations (#​3220)
• Use Boolean.parseBoolean() for string-to-boolean conversion. (#​3217)
• Rename shadowing fields (#​3221)
• Combine catch blocks with the same body (#​3223)
• Merge conditions of nested ifs (#​3231)
• Use non deprecated 'getDottedClassName' instead of 'toDottedClassName'(#​3251)
• Use try with resources where possible (#​3253)

Changed

• Bump up Java version to 11

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 77.60%. Comparing base (8f5a6b0) to head (08ebab4).
Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff            @@
##               main     #940   +/-   ##
=========================================
  Coverage     77.60%   77.60%           
  Complexity      270      270           
=========================================
  Files            61       61           
  Lines          2125     2125           
  Branches        299      299           
=========================================
  Hits           1649     1649           
  Misses          343      343           
  Partials        133      133           

Flag	Coverage Δ
unittests	77.60% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.