google collections issue still present in 10.12.7 #14211
Comments
Fix #14140 did not solve. |
Did we ever identify why CI isn't finding this issue? |
CI job to catch this is disabled until open issue, there was some CI/infra problem that forced us to disable and we never came back. If we fix #12558 it will never leak again |
@XN137, did this resolve issue for you? others report that there is still issue |
no, it did not. looking at https://repo1.maven.org/maven2/com/puppycrawl/tools/checkstyle/10.12.7/checkstyle-10.12.7.pom we can see the exclusion being present:
so let's try to use checkstyle from a simple maven project:
as we can see, it keeps downloading google collections, even though I am guessing that the dependency plugin applies an exclusion to all transitive dependencies but the normal maven dependency mechanism (and gradle) does not? so we could try to make the exclusion explicitly below or we could go back to what I had proposed originally and upgrade or we could investigate why checkstyle depends on doxia with compile scope at all |
actually seems like maven doesn't really download the jar, it just retrieves the pom (even though it will not put the jar on the classpath of the module later on):
so maybe gradle also does this and runs its conflict check before applying exclusions? |
Seems spring is aware of issue with gradle here spring-gradle-plugins/dependency-management-plugin#211 and has not deprecated their plugin due to the issue. So it seems that is at least a possible work around to the issue but haven't looked into it. In other words, this is a gradle bug which is why we are not seeing the problem with maven. |
PR above from spotbugs should be enough to help others. It works locally for me on windows, just waiting for GHA to confirm for linux, mac, windows. |
ok spring work around fixes the issue. |
Closing issue as not checkstyle's problem, it's a gradle issue. Work around can be seen here spotbugs/spotbugs#2798 |
Thanks everyone for looking into this. |
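This is not a bug with Gradle. As mentioned in gradle/gradle#27035 (comment), the difference with Maven is that:
Gradle is now able to detect that Guava and Google Collections are in conflict and should not be used together
Checkstyle has Guava as a direct dependency, but it also has Google Collections as a transient dependency through org.apache.maven.doxia:doxia-core:1.12.0. I think the real problem is that Checkstyle ships with Doxia on its classpath when it's only used for the generation of website content (as mentioned in #14140 (comment)). Maybe this is a good moment to pick up the work of removing Doxia as a dependency 🙂
Adding the Spring Dependency Management Plugin as a workaround sounds like an overkill, especially if you have nothing related to Spring in the project. The real workaround is to tell Gradle to select Guava classes to solve the conflict, as described in Guava's v32.1.0 release notes (https://github.com/google/guava/releases/tag/v32.1.0). I.e., adding the code below to your build.gradle file:
```groovy
configurations.checkstyle {
    resolutionStrategy.capabilitiesResolution.withCapability("com.google.collections:google-collections") {
        select("com.google.guava:guava:0")
    }
}
```
|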
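A complete build.gradle that puts the capability selection from the comment above next to a guard task failing the build if Google Collections is still resolved for Checkstyle. This is an added example, not code from the thread or from the Checkstyle, SpotBugs or Gradle projects; the task name `verifyCheckstyleClasspath` is hypothetical, and 10.12.7 is the version this issue reports.

```groovy
// build.gradle (Groovy DSL) - added example, not part of the original thread.
plugins {
    id 'java'
    id 'checkstyle'
}

repositories {
    mavenCentral()
}

checkstyle {
    // Version named in the issue title.
    toolVersion = '10.12.7'
}

// Workaround from the thread: when Gradle sees two modules providing the
// google-collections capability, tell it to pick Guava.
configurations.checkstyle {
    resolutionStrategy.capabilitiesResolution.withCapability('com.google.collections:google-collections') {
        select('com.google.guava:guava:0')
    }
}

// Hypothetical guard task: inspect the resolved graph of the checkstyle
// configuration and fail if any com.google.collections module remains in it.
tasks.register('verifyCheckstyleClasspath') {
    group = 'verification'
    description = 'Fails if Google Collections is resolved on the Checkstyle classpath.'
    doLast {
        def offenders = configurations.checkstyle.incoming.resolutionResult.allComponents
            .collect { it.moduleVersion }
            .findAll { it != null && it.group == 'com.google.collections' }
            .collect { "${it.group}:${it.name}:${it.version}" }

        if (!offenders.isEmpty()) {
            throw new GradleException(
                "Unexpected modules on the Checkstyle classpath: ${offenders.join(', ')}")
        }
        logger.lifecycle('Checkstyle classpath contains no com.google.collections modules.')
    }
}

// Run the guard as part of the normal verification lifecycle.
tasks.named('check') {
    dependsOn 'verifyCheckstyleClasspath'
}
```

Running `gradle dependencies --configuration checkstyle` shows the same graph the task inspects, including the path through doxia-core mentioned in the thread.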
Thank you. I will try this and we do have spring but I still stand by that gradle has a bug.
Checkstyle excluded that transient. The link you showed was before the transient was excluded. Gradle should respect that just like maven does. It does not so it's a bug as far as I'm concerned. A plugin should not cause this issue. Maven does not do that and dependency tree shows that. Spring notes this issue well in gradle resolutions for years with exclusions.
Not saying I liked our fix as I suspect it would cause other unwanted side effects but gradle has issues here when it fails to respect pom exclusions. That is regardless of what a tool uses or not.
Anyway your suggestion looks better in that it will remove my suspicion that dependency management will cause more issues for our user base and thus if it works I have less to subsequently confirm.
I'll respond back with results of this likely later tonight.
On Tuesday, January 9, 2024 10:22:51 PM, Jose Luis Leon wrote:
This is not a bug with Gradle. As mentioned in gradle/gradle#27035 (comment), the difference with Maven is that:
Gradle is now able to detect that Guava and Google Collections are in conflict and should not be used together
Checkstyle has Guava as a direct dependency, but it also has Google Collections as a transient dependency through org.apache.maven.doxia:doxia-core:1.12.0. I think the real problem is that Checkstyle ships with Doxia on its classpath when it's only used for the generation of website content (as mentioned in #14140 (comment)). Maybe this is a good moment to pick up the work of removing Doxia as a dependency 🙂
Adding the Spring Dependency Management Plugin as a workaround sounds like an overkill to me, especially if you have nothing related to Spring in the project. The real workaround is to tell Gradle to select Guava classes to solve the conflict, as described in Guava's v32.1.0 release notes (https://github.com/google/guava/releases/tag/v32.1.0). I.e., adding the code below to your build.gradle file:
```groovy
configurations.checkstyle {
    resolutionStrategy.capabilitiesResolution.withCapability("com.google.collections:google-collections") {
        select("com.google.guava:guava:0")
    }
}
```
|
The work-around suggested by @JoseLion works for me. Thanks! Hadn't seen this when upgrading my other projects because they are all Spring Boot projects so the Spring magicians were taking care of this for me in those projects 😃. |
@JoseLion Worked for me too, moving forwards with the patch. Thank you! I trust this one better to not mess up our users :) |
But we definitely come back to dependency issue to upgrade without hacks in gradle config. |
I agree, it actually seems to be a gradle issue not excluding the transient dependency. But still, a dependency (doxia) which is only required to generate website content shouldn't be shipped at all. I don't want to put a hack inside my gradle build script. So, I'll stick with the old version until this gets fixed. Is there any follow-up issue to get doxia unshipped? Isn't there something similar to compileOnly in maven? |
I can also check tomorrow (UTC+1) if it solves the issue with gradle. |
reproduced: and 10.14.2 fixing a problem.
|
Thanks @romani, outside of gradle usage never had the issue. Glad you were able to pull off our patch and end up fixing within checkstyle. If I recall I don't think this affected our latest spotbugs release from back in December. However, if anyone updated checkstyle with gradle for other usages it would have surfaced the same. |
…4.8.4 (main) (#17354) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [com.github.spotbugs:spotbugs-annotations](https://spotbugs.github.io/) ([source](https://togithub.com/spotbugs/spotbugs)) | `4.8.3` -> `4.8.4` | [![age](https://developer.mend.io/api/mc/badges/age/maven/com.github.spotbugs:spotbugs-annotations/4.8.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/com.github.spotbugs:spotbugs-annotations/4.8.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/com.github.spotbugs:spotbugs-annotations/4.8.3/4.8.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/com.github.spotbugs:spotbugs-annotations/4.8.3/4.8.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>spotbugs/spotbugs (com.github.spotbugs:spotbugs-annotations)</summary> ### [`v4.8.4`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#484---2024-04-07) [Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.8.3...4.8.4) ##### Fixed - Fix FP in SE_PREVENT_EXT_OBJ_OVERWRITE when the if statement checking for null value, checking multiple variables or the method exiting in the if branch with an exception. 
([#​2750](https://togithub.com/spotbugs/spotbugs/issues/2750)) - Fix possible null value in taxonomies of SARIF output ([#​2744](https://togithub.com/spotbugs/spotbugs/issues/2744)) - Fix `executionSuccessful` flag in SARIF report being set to false when bugs were found ([#​2116](https://togithub.com/spotbugs/spotbugs/issues/2116)) - Move information contained in the SARIF property `exitSignalName` to `exitCodeDescription` ([#​2739](https://togithub.com/spotbugs/spotbugs/issues/2739)) - Do not report SE_NO_SERIALVERSIONID or other serialization issues for records ([#​2793](https://togithub.com/spotbugs/spotbugs/issues/2793)) - Added support for CONSTANT_Dynamic ([#​2759](https://togithub.com/spotbugs/spotbugs/issues/2759)) - Ignore generic variable types when looking for BC_UNCONFIRMED_CAST_OF_RETURN_VALUE ([#​1219](https://togithub.com/spotbugs/spotbugs/issues/1219)) - Do not report BC_UNCONFIRMED_CAST for Java 21's type switches ([#​2813](https://togithub.com/spotbugs/spotbugs/pull/2813)) - Remove AppleExtension library (note: menus slightly changed) ([#​2823](https://togithub.com/spotbugs/spotbugs/pull/2823)) - Fix false positive NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE even if Objects.requireNonNull is used. 
([#​651](https://togithub.com/spotbugs/spotbugs/issues/651), [#​456](https://togithub.com/spotbugs/spotbugs/issues/456)) - Fixed error preventing SpotBugs from reporting FE_FLOATING_POINT_EQUALITY ([#​2843](https://togithub.com/spotbugs/spotbugs/pull/2843)) - Fixed NP_LOAD_OF_KNOWN_NULL_VALUE and RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE false positives in try-with-resources generated finally blocks ([#​2844](https://togithub.com/spotbugs/spotbugs/pull/2844)) - Do not report DLS_DEAD_LOCAL_STORE for Java 21's type switches ([#​2828](https://togithub.com/spotbugs/spotbugs/pull/2828)) - Update UnreadFields detector to ignore warnings for fields with certain annotations ([#​574](https://togithub.com/spotbugs/spotbugs/issues/574)) - Do not report UWF_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for fields initialized in method annotated with [@​PostConstruct](https://togithub.com/PostConstruct), [@​BeforeEach](https://togithub.com/BeforeEach), etc. ([#​2872](https://togithub.com/spotbugs/spotbugs/pull/2872) [#​2870](https://togithub.com/spotbugs/spotbugs/issues/2870) [#​453](https://togithub.com/spotbugs/spotbugs/issues/453)) - Do not report DLS_DEAD_LOCAL_STORE for Hibernate bytecode enhancements ([#​2865](https://togithub.com/spotbugs/spotbugs/pull/2865)) - Fixed NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE false positives due to source code formatting ([#​2874](https://togithub.com/spotbugs/spotbugs/pull/2874)) - Added more nullability annotations in TypeQualifierResolver ([#​2558](https://togithub.com/spotbugs/spotbugs/issues/2558) [#​2694](https://togithub.com/spotbugs/spotbugs/pull/2694)) - Improved the bug description for VA_FORMAT_STRING_USES_NEWLINE when using text blocks, check the usage of String.formatted() ([#​2881](https://togithub.com/spotbugs/spotbugs/pull/2881)) - Fixed crash in ValueRangeAnalysisFactory when looking for redundant conditions used in assertions [#​2887](https://togithub.com/spotbugs/spotbugs/pull/2887)) - Revert again commons-text from 1.11.0 to 1.10.0 
to resolve a version conflict ([#​2686](https://togithub.com/spotbugs/spotbugs/issues/2686)) - Fixed false positive MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR when referencing but not calling an overridable method [#​2837](https://togithub.com/spotbugs/spotbugs/pull/2837)) - Update the filter XSD namespace and location for the upcoming 4.8.4 release [#​2909](https://togithub.com/spotbugs/spotbugs/issues/2909)) ##### Added - New detector `MultipleInstantiationsOfSingletons` and introduced new bug types: - `SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR` is reported in case of a non-private constructor, - `SING_SINGLETON_IMPLEMENTS_CLONEABLE` is reported in case of a class directly implementing the `Cloneable` interface, - `SING_SINGLETON_INDIRECTLY_IMPLEMENTS_CLONEABLE` is reported when a class indirectly implements the `Cloneable` interface, - `SING_SINGLETON_IMPLEMENTS_CLONE_METHOD` is reported when a class does not implement the `Cloneable` interface, but has a `clone()` method, - `SING_SINGLETON_IMPLEMENTS_SERIALIZABLE` is reported when a class directly or indirectly implements the `Serializable` interface and - `SING_SINGLETON_GETTER_NOT_SYNCHRONIZED` is reported when the instance-getter method of the singleton class is not synchronized. (See [SEI CERT MSC07-J](https://wiki.sei.cmu.edu/confluence/display/java/MSC07-J.+Prevent+multiple+instantiations+of+singleton+objects)) - Extend `FindOverridableMethodCall` detector with new bug type: `MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT`. It's reported when an overridable method is called from `readObject()`, according to SEI CERT rule [SER09-J. Do not invoke overridable methods from the readObject() method](https://wiki.sei.cmu.edu/confluence/display/java/SER09-J.+Do+not+invoke+overridable+methods+from+the+readObject%28%29+method). 
##### Changed - Minor cleanup in connection with slashed and dotted names ([#​2805](https://togithub.com/spotbugs/spotbugs/pull/2805)) ##### Build - Fix sonar coverage for project ([#​2796](https://togithub.com/spotbugs/spotbugs/issues/2796)) - Upgraded the build to compile bug samples using Java 21 language features ([#​2813](https://togithub.com/spotbugs/spotbugs/pull/2813)) - Add 'configurations.checkstyle resolution starategy' to control bug in gradle on exclusions not being excluded properly as seen in checkstyle usage. See [checkstyle/checkstyle#14211 for more information. ([#​2798](https://togithub.com/spotbugs/spotbugs/issues/2798)) - Allow our builds to work with jdk 11 with drop back on Eclipse to 4.24 and spring to 5.3.31. ([#​2604](https://togithub.com/spotbugs/spotbugs/pull/2604/)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "after 10pm every weekday,before 6am every weekday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/camunda/zeebe). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yNjkuMiIsInVwZGF0ZWRJblZlciI6IjM3LjI2OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->
…4.8.4 (stable/8.4) (#17912) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [com.github.spotbugs:spotbugs-annotations](https://spotbugs.github.io/) ([source](https://togithub.com/spotbugs/spotbugs)) | `4.8.3` -> `4.8.4` | [![age](https://developer.mend.io/api/mc/badges/age/maven/com.github.spotbugs:spotbugs-annotations/4.8.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/com.github.spotbugs:spotbugs-annotations/4.8.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/com.github.spotbugs:spotbugs-annotations/4.8.3/4.8.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/com.github.spotbugs:spotbugs-annotations/4.8.3/4.8.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>spotbugs/spotbugs (com.github.spotbugs:spotbugs-annotations)</summary> ### [`v4.8.4`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#484---2024-04-07) [Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.8.3...4.8.4) ##### Fixed - Fix FP in SE_PREVENT_EXT_OBJ_OVERWRITE when the if statement checking for null value, checking multiple variables or the method exiting in the if branch with an exception. 
([#​2750](https://togithub.com/spotbugs/spotbugs/issues/2750)) - Fix possible null value in taxonomies of SARIF output ([#​2744](https://togithub.com/spotbugs/spotbugs/issues/2744)) - Fix `executionSuccessful` flag in SARIF report being set to false when bugs were found ([#​2116](https://togithub.com/spotbugs/spotbugs/issues/2116)) - Move information contained in the SARIF property `exitSignalName` to `exitCodeDescription` ([#​2739](https://togithub.com/spotbugs/spotbugs/issues/2739)) - Do not report SE_NO_SERIALVERSIONID or other serialization issues for records ([#​2793](https://togithub.com/spotbugs/spotbugs/issues/2793)) - Added support for CONSTANT_Dynamic ([#​2759](https://togithub.com/spotbugs/spotbugs/issues/2759)) - Ignore generic variable types when looking for BC_UNCONFIRMED_CAST_OF_RETURN_VALUE ([#​1219](https://togithub.com/spotbugs/spotbugs/issues/1219)) - Do not report BC_UNCONFIRMED_CAST for Java 21's type switches ([#​2813](https://togithub.com/spotbugs/spotbugs/pull/2813)) - Remove AppleExtension library (note: menus slightly changed) ([#​2823](https://togithub.com/spotbugs/spotbugs/pull/2823)) - Fix false positive NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE even if Objects.requireNonNull is used. 
([#​651](https://togithub.com/spotbugs/spotbugs/issues/651), [#​456](https://togithub.com/spotbugs/spotbugs/issues/456)) - Fixed error preventing SpotBugs from reporting FE_FLOATING_POINT_EQUALITY ([#​2843](https://togithub.com/spotbugs/spotbugs/pull/2843)) - Fixed NP_LOAD_OF_KNOWN_NULL_VALUE and RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE false positives in try-with-resources generated finally blocks ([#​2844](https://togithub.com/spotbugs/spotbugs/pull/2844)) - Do not report DLS_DEAD_LOCAL_STORE for Java 21's type switches ([#​2828](https://togithub.com/spotbugs/spotbugs/pull/2828)) - Update UnreadFields detector to ignore warnings for fields with certain annotations ([#​574](https://togithub.com/spotbugs/spotbugs/issues/574)) - Do not report UWF_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for fields initialized in method annotated with [@​PostConstruct](https://togithub.com/PostConstruct), [@​BeforeEach](https://togithub.com/BeforeEach), etc. ([#​2872](https://togithub.com/spotbugs/spotbugs/pull/2872) [#​2870](https://togithub.com/spotbugs/spotbugs/issues/2870) [#​453](https://togithub.com/spotbugs/spotbugs/issues/453)) - Do not report DLS_DEAD_LOCAL_STORE for Hibernate bytecode enhancements ([#​2865](https://togithub.com/spotbugs/spotbugs/pull/2865)) - Fixed NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE false positives due to source code formatting ([#​2874](https://togithub.com/spotbugs/spotbugs/pull/2874)) - Added more nullability annotations in TypeQualifierResolver ([#​2558](https://togithub.com/spotbugs/spotbugs/issues/2558) [#​2694](https://togithub.com/spotbugs/spotbugs/pull/2694)) - Improved the bug description for VA_FORMAT_STRING_USES_NEWLINE when using text blocks, check the usage of String.formatted() ([#​2881](https://togithub.com/spotbugs/spotbugs/pull/2881)) - Fixed crash in ValueRangeAnalysisFactory when looking for redundant conditions used in assertions [#​2887](https://togithub.com/spotbugs/spotbugs/pull/2887)) - Revert again commons-text from 1.11.0 to 1.10.0 
to resolve a version conflict ([#​2686](https://togithub.com/spotbugs/spotbugs/issues/2686)) - Fixed false positive MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR when referencing but not calling an overridable method [#​2837](https://togithub.com/spotbugs/spotbugs/pull/2837)) - Update the filter XSD namespace and location for the upcoming 4.8.4 release [#​2909](https://togithub.com/spotbugs/spotbugs/issues/2909)) ##### Added - New detector `MultipleInstantiationsOfSingletons` and introduced new bug types: - `SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR` is reported in case of a non-private constructor, - `SING_SINGLETON_IMPLEMENTS_CLONEABLE` is reported in case of a class directly implementing the `Cloneable` interface, - `SING_SINGLETON_INDIRECTLY_IMPLEMENTS_CLONEABLE` is reported when a class indirectly implements the `Cloneable` interface, - `SING_SINGLETON_IMPLEMENTS_CLONE_METHOD` is reported when a class does not implement the `Cloneable` interface, but has a `clone()` method, - `SING_SINGLETON_IMPLEMENTS_SERIALIZABLE` is reported when a class directly or indirectly implements the `Serializable` interface and - `SING_SINGLETON_GETTER_NOT_SYNCHRONIZED` is reported when the instance-getter method of the singleton class is not synchronized. (See [SEI CERT MSC07-J](https://wiki.sei.cmu.edu/confluence/display/java/MSC07-J.+Prevent+multiple+instantiations+of+singleton+objects)) - Extend `FindOverridableMethodCall` detector with new bug type: `MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT`. It's reported when an overridable method is called from `readObject()`, according to SEI CERT rule [SER09-J. Do not invoke overridable methods from the readObject() method](https://wiki.sei.cmu.edu/confluence/display/java/SER09-J.+Do+not+invoke+overridable+methods+from+the+readObject%28%29+method). 
##### Changed - Minor cleanup in connection with slashed and dotted names ([#​2805](https://togithub.com/spotbugs/spotbugs/pull/2805)) ##### Build - Fix sonar coverage for project ([#​2796](https://togithub.com/spotbugs/spotbugs/issues/2796)) - Upgraded the build to compile bug samples using Java 21 language features ([#​2813](https://togithub.com/spotbugs/spotbugs/pull/2813)) - Add 'configurations.checkstyle resolution starategy' to control bug in gradle on exclusions not being excluded properly as seen in checkstyle usage. See [checkstyle/checkstyle#14211 for more information. ([#​2798](https://togithub.com/spotbugs/spotbugs/issues/2798)) - Allow our builds to work with jdk 11 with drop back on Eclipse to 4.24 and spring to 5.3.31. ([#​2604](https://togithub.com/spotbugs/spotbugs/pull/2604/)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/camunda/zeebe). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zMjEuMiIsInVwZGF0ZWRJblZlciI6IjM3LjMyMS4yIiwidGFyZ2V0QnJhbmNoIjoic3RhYmxlLzguNCIsImxhYmVscyI6WyJhdXRvbWVyZ2UiXX0=-->
…4.8.4 (stable/8.5) (#17953) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [com.github.spotbugs:spotbugs-annotations](https://spotbugs.github.io/) ([source](https://togithub.com/spotbugs/spotbugs)) | `4.8.3` -> `4.8.4` | [![age](https://developer.mend.io/api/mc/badges/age/maven/com.github.spotbugs:spotbugs-annotations/4.8.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/com.github.spotbugs:spotbugs-annotations/4.8.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/com.github.spotbugs:spotbugs-annotations/4.8.3/4.8.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/com.github.spotbugs:spotbugs-annotations/4.8.3/4.8.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>spotbugs/spotbugs (com.github.spotbugs:spotbugs-annotations)</summary> ### [`v4.8.4`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#484---2024-04-07) [Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.8.3...4.8.4) ##### Fixed - Fix FP in SE_PREVENT_EXT_OBJ_OVERWRITE when the if statement checking for null value, checking multiple variables or the method exiting in the if branch with an exception. 
([#​2750](https://togithub.com/spotbugs/spotbugs/issues/2750)) - Fix possible null value in taxonomies of SARIF output ([#​2744](https://togithub.com/spotbugs/spotbugs/issues/2744)) - Fix `executionSuccessful` flag in SARIF report being set to false when bugs were found ([#​2116](https://togithub.com/spotbugs/spotbugs/issues/2116)) - Move information contained in the SARIF property `exitSignalName` to `exitCodeDescription` ([#​2739](https://togithub.com/spotbugs/spotbugs/issues/2739)) - Do not report SE_NO_SERIALVERSIONID or other serialization issues for records ([#​2793](https://togithub.com/spotbugs/spotbugs/issues/2793)) - Added support for CONSTANT_Dynamic ([#​2759](https://togithub.com/spotbugs/spotbugs/issues/2759)) - Ignore generic variable types when looking for BC_UNCONFIRMED_CAST_OF_RETURN_VALUE ([#​1219](https://togithub.com/spotbugs/spotbugs/issues/1219)) - Do not report BC_UNCONFIRMED_CAST for Java 21's type switches ([#​2813](https://togithub.com/spotbugs/spotbugs/pull/2813)) - Remove AppleExtension library (note: menus slightly changed) ([#​2823](https://togithub.com/spotbugs/spotbugs/pull/2823)) - Fix false positive NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE even if Objects.requireNonNull is used. 
([#​651](https://togithub.com/spotbugs/spotbugs/issues/651), [#​456](https://togithub.com/spotbugs/spotbugs/issues/456)) - Fixed error preventing SpotBugs from reporting FE_FLOATING_POINT_EQUALITY ([#​2843](https://togithub.com/spotbugs/spotbugs/pull/2843)) - Fixed NP_LOAD_OF_KNOWN_NULL_VALUE and RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE false positives in try-with-resources generated finally blocks ([#​2844](https://togithub.com/spotbugs/spotbugs/pull/2844)) - Do not report DLS_DEAD_LOCAL_STORE for Java 21's type switches ([#​2828](https://togithub.com/spotbugs/spotbugs/pull/2828)) - Update UnreadFields detector to ignore warnings for fields with certain annotations ([#​574](https://togithub.com/spotbugs/spotbugs/issues/574)) - Do not report UWF_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for fields initialized in method annotated with [@​PostConstruct](https://togithub.com/PostConstruct), [@​BeforeEach](https://togithub.com/BeforeEach), etc. ([#​2872](https://togithub.com/spotbugs/spotbugs/pull/2872) [#​2870](https://togithub.com/spotbugs/spotbugs/issues/2870) [#​453](https://togithub.com/spotbugs/spotbugs/issues/453)) - Do not report DLS_DEAD_LOCAL_STORE for Hibernate bytecode enhancements ([#​2865](https://togithub.com/spotbugs/spotbugs/pull/2865)) - Fixed NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE false positives due to source code formatting ([#​2874](https://togithub.com/spotbugs/spotbugs/pull/2874)) - Added more nullability annotations in TypeQualifierResolver ([#​2558](https://togithub.com/spotbugs/spotbugs/issues/2558) [#​2694](https://togithub.com/spotbugs/spotbugs/pull/2694)) - Improved the bug description for VA_FORMAT_STRING_USES_NEWLINE when using text blocks, check the usage of String.formatted() ([#​2881](https://togithub.com/spotbugs/spotbugs/pull/2881)) - Fixed crash in ValueRangeAnalysisFactory when looking for redundant conditions used in assertions [#​2887](https://togithub.com/spotbugs/spotbugs/pull/2887)) - Revert again commons-text from 1.11.0 to 1.10.0 
to resolve a version conflict ([#​2686](https://togithub.com/spotbugs/spotbugs/issues/2686)) - Fixed false positive MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR when referencing but not calling an overridable method [#​2837](https://togithub.com/spotbugs/spotbugs/pull/2837)) - Update the filter XSD namespace and location for the upcoming 4.8.4 release [#​2909](https://togithub.com/spotbugs/spotbugs/issues/2909)) ##### Added - New detector `MultipleInstantiationsOfSingletons` and introduced new bug types: - `SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR` is reported in case of a non-private constructor, - `SING_SINGLETON_IMPLEMENTS_CLONEABLE` is reported in case of a class directly implementing the `Cloneable` interface, - `SING_SINGLETON_INDIRECTLY_IMPLEMENTS_CLONEABLE` is reported when a class indirectly implements the `Cloneable` interface, - `SING_SINGLETON_IMPLEMENTS_CLONE_METHOD` is reported when a class does not implement the `Cloneable` interface, but has a `clone()` method, - `SING_SINGLETON_IMPLEMENTS_SERIALIZABLE` is reported when a class directly or indirectly implements the `Serializable` interface and - `SING_SINGLETON_GETTER_NOT_SYNCHRONIZED` is reported when the instance-getter method of the singleton class is not synchronized. (See [SEI CERT MSC07-J](https://wiki.sei.cmu.edu/confluence/display/java/MSC07-J.+Prevent+multiple+instantiations+of+singleton+objects)) - Extend `FindOverridableMethodCall` detector with new bug type: `MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT`. It's reported when an overridable method is called from `readObject()`, according to SEI CERT rule [SER09-J. Do not invoke overridable methods from the readObject() method](https://wiki.sei.cmu.edu/confluence/display/java/SER09-J.+Do+not+invoke+overridable+methods+from+the+readObject%28%29+method). 
##### Changed - Minor cleanup in connection with slashed and dotted names ([#​2805](https://togithub.com/spotbugs/spotbugs/pull/2805)) ##### Build - Fix sonar coverage for project ([#​2796](https://togithub.com/spotbugs/spotbugs/issues/2796)) - Upgraded the build to compile bug samples using Java 21 language features ([#​2813](https://togithub.com/spotbugs/spotbugs/pull/2813)) - Add 'configurations.checkstyle resolution starategy' to control bug in gradle on exclusions not being excluded properly as seen in checkstyle usage. See [checkstyle/checkstyle#14211 for more information. ([#​2798](https://togithub.com/spotbugs/spotbugs/issues/2798)) - Allow our builds to work with jdk 11 with drop back on Eclipse to 4.24 and spring to 5.3.31. ([#​2604](https://togithub.com/spotbugs/spotbugs/pull/2604/)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/camunda/zeebe). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zMjEuMiIsInVwZGF0ZWRJblZlciI6IjM3LjMyMS4yIiwidGFyZ2V0QnJhbmNoIjoic3RhYmxlLzguNSIsImxhYmVscyI6WyJhdXRvbWVyZ2UiXX0=-->
…4.8.4 (stable/operate-8.5) (#17992)

This PR contains the following updates:

| Package | Change |
|---|---|
| [com.github.spotbugs:spotbugs-annotations](https://spotbugs.github.io/) ([source](https://togithub.com/spotbugs/spotbugs)) | `4.8.3` -> `4.8.4` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

### Release Notes

<details>
<summary>spotbugs/spotbugs (com.github.spotbugs:spotbugs-annotations)</summary>

### [`v4.8.4`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#484---2024-04-07)

[Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.8.3...4.8.4)

##### Fixed

- Fix FP in SE_PREVENT_EXT_OBJ_OVERWRITE when the if statement checking for null value, checking multiple variables or the method exiting in the if branch with an exception. ([#2750](https://togithub.com/spotbugs/spotbugs/issues/2750))
- Fix possible null value in taxonomies of SARIF output ([#2744](https://togithub.com/spotbugs/spotbugs/issues/2744))
- Fix `executionSuccessful` flag in SARIF report being set to false when bugs were found ([#2116](https://togithub.com/spotbugs/spotbugs/issues/2116))
- Move information contained in the SARIF property `exitSignalName` to `exitCodeDescription` ([#2739](https://togithub.com/spotbugs/spotbugs/issues/2739))
- Do not report SE_NO_SERIALVERSIONID or other serialization issues for records ([#2793](https://togithub.com/spotbugs/spotbugs/issues/2793))
- Added support for CONSTANT_Dynamic ([#2759](https://togithub.com/spotbugs/spotbugs/issues/2759))
- Ignore generic variable types when looking for BC_UNCONFIRMED_CAST_OF_RETURN_VALUE ([#1219](https://togithub.com/spotbugs/spotbugs/issues/1219))
- Do not report BC_UNCONFIRMED_CAST for Java 21's type switches ([#2813](https://togithub.com/spotbugs/spotbugs/pull/2813))
- Remove AppleExtension library (note: menus slightly changed) ([#2823](https://togithub.com/spotbugs/spotbugs/pull/2823))
- Fix false positive NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE even if Objects.requireNonNull is used. ([#651](https://togithub.com/spotbugs/spotbugs/issues/651), [#456](https://togithub.com/spotbugs/spotbugs/issues/456))
- Fixed error preventing SpotBugs from reporting FE_FLOATING_POINT_EQUALITY ([#2843](https://togithub.com/spotbugs/spotbugs/pull/2843))
- Fixed NP_LOAD_OF_KNOWN_NULL_VALUE and RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE false positives in try-with-resources generated finally blocks ([#2844](https://togithub.com/spotbugs/spotbugs/pull/2844))
- Do not report DLS_DEAD_LOCAL_STORE for Java 21's type switches ([#2828](https://togithub.com/spotbugs/spotbugs/pull/2828))
- Update UnreadFields detector to ignore warnings for fields with certain annotations ([#574](https://togithub.com/spotbugs/spotbugs/issues/574))
- Do not report UWF_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for fields initialized in method annotated with `@PostConstruct`, `@BeforeEach`, etc. ([#2872](https://togithub.com/spotbugs/spotbugs/pull/2872) [#2870](https://togithub.com/spotbugs/spotbugs/issues/2870) [#453](https://togithub.com/spotbugs/spotbugs/issues/453))
- Do not report DLS_DEAD_LOCAL_STORE for Hibernate bytecode enhancements ([#2865](https://togithub.com/spotbugs/spotbugs/pull/2865))
- Fixed NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE false positives due to source code formatting ([#2874](https://togithub.com/spotbugs/spotbugs/pull/2874))
- Added more nullability annotations in TypeQualifierResolver ([#2558](https://togithub.com/spotbugs/spotbugs/issues/2558) [#2694](https://togithub.com/spotbugs/spotbugs/pull/2694))
- Improved the bug description for VA_FORMAT_STRING_USES_NEWLINE when using text blocks, check the usage of String.formatted() ([#2881](https://togithub.com/spotbugs/spotbugs/pull/2881))
- Fixed crash in ValueRangeAnalysisFactory when looking for redundant conditions used in assertions ([#2887](https://togithub.com/spotbugs/spotbugs/pull/2887))
- Revert again commons-text from 1.11.0 to 1.10.0 to resolve a version conflict ([#2686](https://togithub.com/spotbugs/spotbugs/issues/2686))
- Fixed false positive MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR when referencing but not calling an overridable method ([#2837](https://togithub.com/spotbugs/spotbugs/pull/2837))
- Update the filter XSD namespace and location for the upcoming 4.8.4 release ([#2909](https://togithub.com/spotbugs/spotbugs/issues/2909))

##### Added

- New detector `MultipleInstantiationsOfSingletons` and introduced new bug types:
  - `SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR` is reported in case of a non-private constructor,
  - `SING_SINGLETON_IMPLEMENTS_CLONEABLE` is reported in case of a class directly implementing the `Cloneable` interface,
  - `SING_SINGLETON_INDIRECTLY_IMPLEMENTS_CLONEABLE` is reported when a class indirectly implements the `Cloneable` interface,
  - `SING_SINGLETON_IMPLEMENTS_CLONE_METHOD` is reported when a class does not implement the `Cloneable` interface, but has a `clone()` method,
  - `SING_SINGLETON_IMPLEMENTS_SERIALIZABLE` is reported when a class directly or indirectly implements the `Serializable` interface and
  - `SING_SINGLETON_GETTER_NOT_SYNCHRONIZED` is reported when the instance-getter method of the singleton class is not synchronized.

  (See [SEI CERT MSC07-J](https://wiki.sei.cmu.edu/confluence/display/java/MSC07-J.+Prevent+multiple+instantiations+of+singleton+objects))
- Extend `FindOverridableMethodCall` detector with new bug type: `MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT`. It's reported when an overridable method is called from `readObject()`, according to SEI CERT rule [SER09-J. Do not invoke overridable methods from the readObject() method](https://wiki.sei.cmu.edu/confluence/display/java/SER09-J.+Do+not+invoke+overridable+methods+from+the+readObject%28%29+method).

##### Changed

- Minor cleanup in connection with slashed and dotted names ([#2805](https://togithub.com/spotbugs/spotbugs/pull/2805))

##### Build

- Fix sonar coverage for project ([#2796](https://togithub.com/spotbugs/spotbugs/issues/2796))
- Upgraded the build to compile bug samples using Java 21 language features ([#2813](https://togithub.com/spotbugs/spotbugs/pull/2813))
- Add 'configurations.checkstyle resolution strategy' to control bug in gradle on exclusions not being excluded properly as seen in checkstyle usage. See checkstyle/checkstyle#14211 for more information. ([#2798](https://togithub.com/spotbugs/spotbugs/issues/2798))
- Allow our builds to work with jdk 11 with drop back on Eclipse to 4.24 and spring to 5.3.31. ([#2604](https://togithub.com/spotbugs/spotbugs/pull/2604/))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/camunda/zeebe).
See https://github.com/spotbugs/spotbugs/
Execution failed for task ':eclipsePlugin-junit:checkstyleTest'.