Update all dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Adoption	Passing	Confidence
actions/setup-java	action	major	v3 -> v4
codecov/codecov-action	action	major	v3 -> v4
paulhatch/semantic-version	action	minor	v5.3.0 -> v5.4.0
softprops/action-gh-release	action	major	v0.1.15 -> v2.0.4
org.mockito:mockito-junit-jupiter	dependencies	minor	5.6.0 -> 5.11.0
org.mockito:mockito-core	dependencies	minor	5.6.0 -> 5.11.0
com.google.truth.extensions:truth-java8-extension	dependencies	minor	1.1.5 -> 1.4.2
com.google.truth:truth	dependencies	minor	1.1.5 -> 1.4.2
org.junit.jupiter:junit-jupiter (source)	dependencies	patch	5.10.0 -> 5.10.2
com.github.spotbugs:spotbugs-annotations (source)	dependencies	patch	4.8.0 -> 4.8.4
com.google.guava:guava	dependencies	major	32.1.3-jre -> 33.1.0-jre
org.apache.logging.log4j:log4j-core (source)	dependencies	minor	2.20.0 -> 2.23.1
com.github.spotbugs	plugin	major	5.1.5 -> 6.0.12
com.diffplug.gradle.spotless	plugin	minor	6.22.0 -> 6.25.0

---

Release Notes

actions/setup-java (actions/setup-java)

v4

Compare Source

codecov/codecov-action (codecov/codecov-action)

v4

Compare Source

paulhatch/semantic-version (paulhatch/semantic-version)

v5.4.0

Compare Source

• Updates to Node Version #​133
• Update dependencies

softprops/action-gh-release (softprops/action-gh-release)

v2.0.4

Compare Source

• Minor follow up to #​417. #​425

v2.0.3

Compare Source

v2.0.2

Compare Source

• Revisit approach to #​384 making unresolved pattern failures opt-in #​417

v2.0.1

Compare Source

• Add support for make_latest property https://github.com/softprops/action-gh-release/pull/304 via @​samueljseay
• Fail run if files setting contains invalid patterns https://github.com/softprops/action-gh-release/pull/384 via @​rpdelaney
• Add support for proxy env variables (don't use node-fetch) https://github.com/softprops/action-gh-release/pull/386/ via @​timor-raiman
• Suppress confusing warning when input_files is empty https://github.com/softprops/action-gh-release/pull/389 via @​Drowze

v2.0.0

Compare Source

• update actions.yml declaration to node20 to address warnings

mockito/mockito (org.mockito:mockito-junit-jupiter)

v5.11.0

Compare Source

^{Changelog generated by Shipkit Changelog Gradle Plugin}

5.11.0

• 2024-03-01 - 17 commit(s) by Aouichaoui Youssef, Franz Wong, Pranoti Durugkar, Róbert Papp, dependabot[bot]
• Fixes #​3281 : Add native method to exception message of MissingMethodI… (#​3283)
• MissingMethodInvocationException is thrown when mocking native method in 5.x (#​3281)
• Bump com.google.googlejavaformat:google-java-format from 1.19.2 to 1.20.0 (#​3277)
• Bump versions.bytebuddy from 1.14.11 to 1.14.12 (#​3272)
• Bump gradle/wrapper-validation-action from 2.1.0 to 2.1.1 (#​3268)
• Bump org.shipkit:shipkit-auto-version from 2.0.3 to 2.0.4 (#​3267)
• Bump gradle/wrapper-validation-action from 2.0.1 to 2.1.0 (#​3266)
• Bump org.junit.platform:junit-platform-launcher from 1.10.1 to 1.10.2 (#​3265)
• Bump gradle/wrapper-validation-action from 2.0.0 to 2.0.1 (#​3264)
• Bump org.assertj:assertj-core from 3.25.2 to 3.25.3 (#​3261)
• Bump versions.junitJupiter from 5.10.1 to 5.10.2 (#​3260)
• Bump gradle/wrapper-validation-action from 1.1.0 to 2.0.0 (#​3258)
• Fixes #​3229: Resolve test generic arguments (#​3257)
• Bump org.shipkit:shipkit-auto-version from 2.0.2 to 2.0.3 (#​3256)
• Use kvm on ubuntu instead of macos to run Android tests (#​3252)
• Fixes #​3240 : Renamed mockito bom artifact (#​3251)
• Remove shipkit workaround for generateChangelog (#​3250)
• Bump com.gradle.enterprise from 3.16.1 to 3.16.2 (#​3249)
• Mockito bom missing artifact in maven central for java21 (#​3240)
• @Captor test parameters don't work with primitive type arguments (#​3229)
• Gradle 8.2: work around fix for release publishing (#​3053)

v5.10.0

Compare Source

^{Changelog generated by Shipkit Changelog Gradle Plugin}

5.10.0

• 2024-01-24 - 8 commit(s) by Andre Brait, dependabot[bot]
• Bump org.shipkit:shipkit-auto-version from 1.2.2 to 2.0.2 (#​3248)
• Bump org.assertj:assertj-core from 3.25.1 to 3.25.2 (#​3247)
• Bump org.shipkit:shipkit-changelog from 1.2.0 to 2.0.1 (#​3245)
• Bump com.diffplug.spotless from 6.24.0 to 6.25.0 (#​3244)
• Better typing for PluginLoader#loadPlugin(..) (#​3242)
• Bump com.github.ben-manes.versions from 0.50.0 to 0.51.0 (#​3241)
• Bump com.diffplug.spotless from 6.23.3 to 6.24.0 (#​3236)
• Fixes #​3219: Add support for static mocks on DoNotMockEnforcer (#​3220)
• Mockito#mockStatic(Class<?>) skips DoNotMockEnforcer (#​3219)

v5.9.0

Compare Source

^{Changelog generated by Shipkit Changelog Gradle Plugin}

5.9.0

• 2024-01-14 - 18 commit(s) by Björn Michael, Stefano Cordio, dependabot[bot]
• Bump org.gradle.toolchains.foojay-resolver-convention from 0.7.0 to 0.8.0 (#​3234)
• Align Javadoc configuration to Java 21 standards (#​3230)
• Bump com.google.googlejavaformat:google-java-format from 1.19.1 to 1.19.2 (#​3228)
• Run release job on Java 21 (#​3226)
• Update Gradle to 8.5 (#​3225)
• Bump org.assertj:assertj-core from 3.25.0 to 3.25.1 (#​3223)
• Bump org.assertj:assertj-core from 3.24.2 to 3.25.0 (#​3218)
• @​since at ArgumentCaptor.captor() (#​3214)
• Bump org.codehaus.groovy:groovy from 3.0.19 to 3.0.20 (#​3213)
• Bump org.jetbrains.kotlin:kotlin-stdlib from 1.9.21 to 1.9.22 (#​3211)
• Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 1.9.21 to 1.9.22 (#​3210)
• Bump versions.bytebuddy from 1.14.10 to 1.14.11 (#​3208)
• Bump com.google.googlejavaformat:google-java-format from 1.18.1 to 1.19.1 (#​3206)
• Bump actions/upload-artifact from 3 to 4 (#​3201)
• Bump com.gradle.enterprise from 3.16 to 3.16.1 (#​3200)
• Bump org.eclipse.platform:org.eclipse.osgi from 3.18.500 to 3.18.600 (#​3193)
• Bump com.gradle.enterprise from 3.15.1 to 3.16 (#​3192)
• Bump com.diffplug.spotless from 6.23.2 to 6.23.3 (#​3191)

v5.8.0

Compare Source

^{Changelog generated by Shipkit Changelog Gradle Plugin}

5.8.0

• 2023-12-01 - 15 commit(s) by Andreas Turban, Mikaël Francoeur, dependabot[bot], jfrantzius
• #​3000: fix ArrayIndexOutOfBoundsException (#​3190)
• Bump com.diffplug.spotless from 6.23.1 to 6.23.2 (#​3188)
• Bump com.diffplug.spotless from 6.23.0 to 6.23.1 (#​3186)
• Bump actions/setup-java from 3 to 4 (#​3185)
• Apply spotless to all java projects (#​3184)
• Bump com.diffplug.spotless from 6.22.0 to 6.23.0 (#​3182)
• Fixes #​3179 : Add module for Java 21 tests. (#​3180)
• Need separate module for java 21 tests (#​3179)
• Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 1.9.20 to 1.9.21 (#​3176)
• Bump org.jetbrains.kotlin:kotlin-stdlib from 1.9.20 to 1.9.21 (#​3175)
• Bump versions.bytebuddy from 1.14.9 to 1.14.10 (#​3174)
• Fixes #​3160 : Fix interference between spies when spying on records. (#​3173)
• Bump com.github.ben-manes.versions from 0.49.0 to 0.50.0 (#​3172)
• Bump versions.junitJupiter from 5.10.0 to 5.10.1 (#​3169)
• Bump org.junit.platform:junit-platform-launcher from 1.10.0 to 1.10.1 (#​3168)
• Deep Stubs Incompatible With Mocking Enum (#​3167)
• Annotation-based spying on a generic class breaks existing final/inline Spies (#​3160)
• ArrayIndexOutOfBoundsException with Version 5.3.1 (#​3000)
• Deep Stubs Incompatible With Mocking Enum (#​2984)

v5.7.0

Compare Source

^{Changelog generated by Shipkit Changelog Gradle Plugin}

5.7.0

• 2023-11-02 - 15 commit(s) by Stefan M, Tim van der Lippe, Valery Yatsynovich, Vladimir Glinskikh, ascopes, dependabot[bot]
• Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 1.9.10 to 1.9.20 (#​3166)
• Bump org.jetbrains.kotlin:kotlin-stdlib from 1.9.10 to 1.9.20 (#​3165)
• Attempt to detect system property mangling prior to loading ByteBuddy. (#​3164)
• Handle Termux in InlineDelegateByteBuddyMockMaker.java (#​3158)
• Bump versions.errorprone from 2.22.0 to 2.23.0 (#​3153)
• Fix license url according to spdx license spec (#​3152)
• Remove checks for unsupported Java version from unit tests (#​3150)
• Add CodeCov token to upload coverage report (#​3149)
• Migrate to JaCoCo 0.8.11 (#​3147)
• Add Java 21 to CI build matrix (#​3145)
• Feat: add generic-inferred methods for constructing ArgumentCaptors (#​3144)
• Bump gradle from 8.2 to 8.4 (#​3142)
• Bump com.github.ben-manes.versions from 0.48.0 to 0.49.0 (#​3139)
• Bump versions.bytebuddy from 1.14.8 to 1.14.9 (#​3138)
• Bump biz.aQute.bnd.builder from 6.4.0 to 7.0.0 (#​3135)

google/truth (com.google.truth.extensions:truth-java8-extension)

v1.4.2: 1.4.2

This release is the final step of copying all our methods from Truth8 to Truth. If you have not already migrated your usages from Truth8 to Truth, you may see build errors:

OptionalSubjectTest.java:39: error: reference to assertThat is ambiguous
    assertThat(Optional.of("foo")).isPresent();
    ^
  both method assertThat(@&#8203;org.checkerframework.checker.nullness.qual.Nullable Optional<?>) in Truth8 and method assertThat(@&#8203;org.checkerframework.checker.nullness.qual.Nullable Optional<?>) in Truth match

In most cases, you can migrate your whole project mechanically: git grep -l Truth8 | xargs perl -pi -e 's/\bTruth8\b/Truth/g;'. (You can make that change before upgrading to Truth 1.4.2 or as part of the same commit.)

If you instead need to migrate your project incrementally (for example, because it is very large), you may want to upgrade your version of Truth incrementally, too, following our instructions for 1.3.0 and 1.4.0.

For help

Please feel welcome to open an issue to report problems or request help.

Changelog

• Removed temporary type parameters from Truth.assertThat(Stream) and Truth.assertThat(Optional). This can create build errors, which you can fix by replacing all your references to Truth8 with references to Truth. (45782bd)

v1.4.1: 1.4.1

This release deprecates Truth8.

All its methods have become available on the main Truth class. In most cases, you can migrate your whole project mechanically: git grep -l Truth8 | xargs perl -pi -e 's/\bTruth8\b/Truth/g;'

While we do not plan to delete Truth8, we recommend migrating off it, at least if you static import assertThat: If you do not migrate, such static imports will become ambiguous in Truth 1.4.2, breaking your build.

v1.4.0: 1.4.0

In this release, our assertions on Java 8 types continue to move from the Truth8 class to the main Truth class. This change should not break compatibility for any supported JDK or Android version, even users who test under old versions of Android without API desugaring. Additionally, we will never break binary compatibility, though some users will have to make changes to their source code in order for it to compile against newer versions.

This release is likely to lead to more build failures than 1.3.0 did. However, those failures should be straightforward to fix.

Example build failure

Foo.java:152: error: reference to assertThat is ambiguous
    assertThat(repo.findFileWithName("foo")).isNull();
    ^
  both method assertThat(@​org.jspecify.nullness.Nullable Path) in Truth8 and method assertThat(@​org.jspecify.nullness.Nullable Path) in Truth match

Simplest upgrade strategy (if you can update all your code atomically in the same commit as the Truth upgrade)

In the same commit:

1. Upgrade Truth to 1.4.0.
2. Replace import static com.google.common.truth.Truth8.assertThat; with import static com.google.common.truth.Truth.assertThat;.
   • If you use Kotlin, replace import com.google.common.truth.Truth8.assertThat with import com.google.common.truth.Truth.assertThat.
3. Replace import com.google.common.truth.Truth8; with import com.google.common.truth.Truth;.
   • again, similarly for Kotlin if needed
4. Optionally replace remaining references to Truth8 with references to Truth.
   • For example, replace Truth8.assertThat(optional).isPresent() with Truth.assertThat(optional).isPresent().

If you're feeling lucky, you can try this one-liner for the code updates:

git grep -l Truth8 | xargs perl -pi -e 's/import static com.google.common.truth.Truth8.assertThat;/import static com.google.common.truth.Truth.assertThat;/g; s/import com.google.common.truth.Truth8.assertThat/import com.google.common.truth.Truth.assertThat/g; s/import com.google.common.truth.Truth8/import com.google.common.truth.Truth/g; s/\bTruth8[.]/Truth./g;'

In most cases, that can be further simplified to:

git grep -l Truth8 | xargs perl -pi -e 's/\bTruth8\b/Truth/g;'

After that process, it is possible that you'll still see build errors from ambiguous usages of assertThat static imports. If so, you can find a workaround in the section about overload ambiguity in the release notes for 1.3.0. Alternatively, you can wait to upgrade until after a future Truth release, which will eliminate the ambiguity by changing the signatures of some Truth.assertThat overloads.

Incremental upgrade strategy

If you have a very large repo or you have other reasons to prefer to upgrade incrementally, you can use the approach that we used inside Google. Roughly, that approach was:

1. Make the optional changes discussed in the release notes for 1.3.0.
2. For any remaining calls to Truth8.assertThat, change them to avoid static import.
   • That is, replace assertThat(optional).isPresent() with Truth8.assertThat(optional).isPresent().
3. Upgrade Truth to 1.4.0.
4. Optionally replace references to Truth8 with references to Truth (including restoring static imports if desired), as discussed in section about the simple upgrade strategy above.

Optional additional changes

• If you use assertWithMessage(...).about(intStreams()).that(...), expect.about(optionalLongs()).that(...), or similar, you can remove your call to about. This change will never be necessary; it is just a simplification.
  • This is similar to a previous optional change from 1.3.0, except that 1.3.0 solved this problem for streams and optionals, whereas 1.4.0 solves it for the other Truth8 types.

For help

Please feel welcome to open an issue to report problems or request help.

Changelog

• Added the remaining Truth8.assertThat overloads to the main Truth class. (9be8e77, 1f81827)
• Added more that overloads to make it possible to write type-specific assertions when using the remaining Java 8 types. (7c65fc6)

v1.3.0: 1.3.0

In this release, our assertions on Java 8 types begin to move from the truth-java8-extensions artifact and the Truth8 class to the main truth artifact and the Truth class. This change should not break compatibility for anyone, even users who test under old versions of Android without API desugaring. Additionally, we will never break binary compatibility, though some users will have to make changes to their source code in order for it to compile against newer versions.

This change will be routine for most users, but we're providing as much information as we can for any users who do encounter problems.

We will post fuller instructions for migration later on, once we've learned more from our internal migration efforts. For now, you may find that you need to make one kind of change, and you may elect to make others. (If we missed anything, please open an issue to report problems or request help.)

The change you might need to make:

• By adding new overloads of Truth.assertThat, we cause some code to fail to compile because of an overload ambiguity. This is rare, but it can happen if you static import both Truth.assertThat and some other assertThat method that includes overloads for Optional or Stream. (It does not happen for Truth8.assertThat, though, except with the Eclipse compiler. Nor it does necessarily happen for other assertThat(Stream) and assertThat(Optional) methods.) If this happens to you, you'll need to remove one of the static imports, changing the corresponding call sites from "assertThat" to "FooSubject.assertThat."
  • Alternatively, you may choose to wait until we make further changes to the new Truth.assertThat overloads. Once we make those further changes, you may be able to simultaneously replace all your imports of Truth8.assertThat with imports of Truth.assertThat as you upgrade to the new version, likely without introducing overload ambiguities.

The changes you might elect to make:

• If you use Truth8.assertThat(Stream) or Truth8.assertThat(Optional), you can migrate to the new overloads in Truth. If you static import Truth8.assertThat, you can usually make this change simply by replacing that static import with a static import of Truth.assertThat—or, if you already have an import of Truth.assertThat, by just removing the import of Truth8.assertThat. (If you additionally use less common assertion methods, like assertThat(OptionalInt), you'll want to use both imports for now. Later, we'll move assertThat(OptionalInt) and friends, too.) We recommend making this change now, since your calls to Truth8.assertThat will fail to compile against some future version of Truth, unless you plan to wait to update your Truth dependency until we've made all our changes for Java 8 types.

• If you use assertWithMessage(...).about(streams()).that(...), expect.about(optionals()).that(...), or similar, you can remove your call to about. This change will never be necessary; it is just a simplification.

• If you depend on truth-java8-extension, you may remove it. All its classes are now part of the main truth artifact. This change, too, is not necessary; it is just a simplification. (OK, if your build system has a concept of strict deps, there is a chance that you'll need to add deps on truth to replace your deps on truth-java8-extension.)

Finally, the changelog for this release:

• Made StreamSubject avoid collecting the Stream until necessary, and made its isEqualTo and isNotEqualTo methods no longer always throw. (f8ecaec)
• Added assertThat overloads for Optional and Stream to the main Truth class. (37fd8be)
• Added that overloads to make it possible to write type-specific assertions when using expect.that(optional) and expect.that(stream). (ca7e8f4)
• Moved the truth-java8-extension classes into the main truth artifact. There is no longer any need to depend on truth-java8-extension, which is now empty. (We've also removed the Truth8 GWT module.) (eb0426e)

Again, if you have any problems, please let us know.

v1.2.0: 1.2.0

• Fixed a bug that caused ProtoTruth to ignore the contents of unpacked Any messages. This fix may cause tests to fail, since ProtoTruth will now check whether the message contents match. If so, you may need to change the values that your tests expect, or there may be a bug in the code under test that had been hidden by the Truth bug. Sorry for the trouble. (8bd3ef6)
• Added isWithin().of() support to IntegerSubject and LongSubject. (6464cb5, 0e99a27)

spotbugs/spotbugs (com.github.spotbugs:spotbugs-annotations)

v4.8.4

Compare Source

Fixed

• Fix FP in SE_PREVENT_EXT_OBJ_OVERWRITE when the if statement checking for null value, checking multiple variables or the method exiting in the if branch with an exception. (#​2750)
• Fix possible null value in taxonomies of SARIF output (#​2744)
• Fix executionSuccessful flag in SARIF report being set to false when bugs were found (#​2116)
• Move information contained in the SARIF property exitSignalName to exitCodeDescription (#​2739)
• Do not report SE_NO_SERIALVERSIONID or other serialization issues for records (#​2793)
• Added support for CONSTANT_Dynamic (#​2759)
• Ignore generic variable types when looking for BC_UNCONFIRMED_CAST_OF_RETURN_VALUE (#​1219)
• Do not report BC_UNCONFIRMED_CAST for Java 21's type switches (#​2813)
• Remove AppleExtension library (note: menus slightly changed) (#​2823)
• Fix false positive NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE even if Objects.requireNonNull is used. (#​651, #​456)
• Fixed error preventing SpotBugs from reporting FE_FLOATING_POINT_EQUALITY (#​2843)
• Fixed NP_LOAD_OF_KNOWN_NULL_VALUE and RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE false positives in try-with-resources generated finally blocks (#​2844)
• Do not report DLS_DEAD_LOCAL_STORE for Java 21's type switches (#​2828)
• Update UnreadFields detector to ignore warnings for fields with certain annotations (#​574)
• Do not report UWF_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for fields initialized in method annotated with @​PostConstruct, @​BeforeEach, etc. (#​2872 #​2870 #​453)
• Do not report DLS_DEAD_LOCAL_STORE for Hibernate bytecode enhancements (#​2865)
• Fixed NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE false positives due to source code formatting (#​2874)
• Added more nullability annotations in TypeQualifierResolver (#​2558 #​2694)
• Improved the bug description for VA_FORMAT_STRING_USES_NEWLINE when using text blocks, check the usage of String.formatted() (#​2881)
• Fixed crash in ValueRangeAnalysisFactory when looking for redundant conditions used in assertions #​2887)
• Revert again commons-text from 1.11.0 to 1.10.0 to resolve a version conflict (#​2686)
• Fixed false positive MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR when referencing but not calling an overridable method #​2837)
• Update the filter XSD namespace and location for the upcoming 4.8.4 release #​2909)

Added

• New detector MultipleInstantiationsOfSingletons and introduced new bug types:
  • SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR is reported in case of a non-private constructor,
  • SING_SINGLETON_IMPLEMENTS_CLONEABLE is reported in case of a class directly implementing the Cloneable interface,
  • SING_SINGLETON_INDIRECTLY_IMPLEMENTS_CLONEABLE is reported when a class indirectly implements the Cloneable interface,
  • SING_SINGLETON_IMPLEMENTS_CLONE_METHOD is reported when a class does not implement the Cloneable interface, but has a clone() method,
  • SING_SINGLETON_IMPLEMENTS_SERIALIZABLE is reported when a class directly or indirectly implements the Serializable interface and
  • SING_SINGLETON_GETTER_NOT_SYNCHRONIZED is reported when the instance-getter method of the singleton class is not synchronized.
    (See SEI CERT MSC07-J)
• Extend FindOverridableMethodCall detector with new bug type: MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT. It's reported when an overridable method is called from readObject(), according to SEI CERT rule SER09-J. Do not invoke overridable methods from the readObject() method.

Changed

• Minor cleanup in connection with slashed and dotted names (#​2805)

Build

• Fix sonar coverage for project (#​2796)
• Upgraded the build to compile bug samples using Java 21 language features (#​2813)
• Add 'configurations.checkstyle resolution starategy' to control bug in gradle on exclusions not being excluded properly as seen in checkstyle usage. See https://github.com/checkstyle/checkstyle/issues/14211 for more information. (#​2798)
• Allow our builds to work with jdk 11 with drop back on Eclipse to 4.24 and spring to 5.3.31. (#​2604)

v4.8.3

Compare Source

Fixed

• Fix FP in CT_CONSTRUCTOR_THROW when the finalizer does not run, since the exception is thrown before java.lang.Object's constructor exits for checked exceptions (#​2710)
• Applied changes for bcel 6.8.0 with adjustments to constant pool (#​2756)
  • More information bcel changes can be found on (#​2757)
• Fix FN in CT_CONSTRUCTOR_THROW when the return value of the called method is not void or primitive type.
• Fix FP in CT_CONSTRUCTOR_THROW when exception throwing lambda is created, but not called in constructor (#​2695)

Changed

• Improved Matcher checks for empty strings (#​2755)
• Allow 'onlyAnalyze' option to specify negative matches, such that this facility can be used to prevent a subset of classes to be excluded from analysis (#​2754)
• Strictly require logback 1.2.13 due to CVE-2023-6481 and CVE-23-6378 (#​2760)
• Prefer log4j2 at 2.22.0 and logback at 1.4.14 (#​2760)

v4.8.2

Compare Source

Fixed

• Fixed false positive UPM_UNCALLED_PRIVATE_METHOD for method used in JUnit's MethodSource (#​2379)
• Use java.nio to load filter files (#​2684)
• Eclipse: Do not export javax.annotation packages (#​2699)
• Fixed not thread safe FindOverridableMethodCall detector (#​2701)
• Fix the weird messages of PI_DO_NOT_REUSE_PUBLIC_IDENTIFIERS bugs. (#​2646)
• Revert commons-text from 1.11.0 to 1.10.0 to resolve a version conflict (#​2686)
• Fix FP in CT_CONSTRUCTOR_THROW when the finalizer does not run, since the exception is thrown before java.lang.Object's constructor exits (#​2710)

Added

• New detector finding System.getenv() calls, where the corresponding Java property could be used (See ENV02-J).

Build

• Run build using jdk 17 and 21 without usage of toolchains so we do not defeat the purpose of building on both. (#​2722)

v4.8.1

Compare Source

Fixed

• Fixed schema location for findbugsfilter.xsd ([#​1416])
• Fixed missing null checks ([#​2629])
• Disabled DontReusePublicIdentifiers due to the high false positives rate ([#​2627])
• Removed signature of methods using UTF-8 in DefaultEncodingDetector ([#​2634])
• Fix exception escapes when calling functions of JUnit Assert or Assertions ([#​2640])
• Fixed an error in the SARIF export when a bug annotation is missing ([#​2632])
• Fixed false positive RV_EXCEPTION_NOT_THROWN when asserting to exception throws ([#​2628])
• Fix false positive CT_CONSTRUCTOR_THROW when supertype has final finalize ([#​2665])
• Lowered the priority of PA_PUBLIC_MUTABLE_OBJECT_ATTRIBUTE bug ([#​2652])
• Eclipse: fixed startup overhead (on computing classpath) for PDE projects ([#​2671])

Build

• Fix deprecated GHA on '::set-output' by using GITHUB_OUTPUT ([#​2651])

---

Configuration

📅 Schedule: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 100.00%. Comparing base (662f996) to head (68d91d3).

Additional details and impacted files

@@             Coverage Diff             @@
##                main      #237   +/-   ##
===========================================
  Coverage     100.00%   100.00%           
  Complexity         2         2           
===========================================
  Files              1         1           
  Lines              4         4           
===========================================
  Hits               4         4           

Flag	Coverage Δ
integration-tests-macos-latest	100.00% <ø> (ø)
integration-tests-ubuntu-latest	100.00% <ø> (ø)
integration-tests-windows-latest	100.00% <ø> (ø)
unit-tests-macos-latest	100.00% <ø> (ø)
unit-tests-ubuntu-latest	100.00% <ø> (ø)
unit-tests-windows-latest	100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠ Warning: custom changes will be lost.