Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): bump com.github.spotbugs:spotbugs-maven-plugin from 4.7.3.4 to 4.8.6.6 in /jans-core #10136

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Nov 13, 2024

Bumps com.github.spotbugs:spotbugs-maven-plugin from 4.7.3.4 to 4.8.6.6.

Release notes

Sourced from com.github.spotbugs:spotbugs-maven-plugin's releases.

Spotbugs Maven Plugin 4.8.6.6

  • Cleanup groovy code
  • Cleanup character encoding
  • Update deprecated maven calls
  • Groovy moved to 4.0.24

Compatibility remains with 4.8.6 of spotbugs

Spotbugs Maven Plugin 4.8.6.5

  • Moved most 'read' only maven injections to read data from maven session instead to overcome many deprecated usage. This puts it on their api and thus if things are internally deprecated, its then maven's issue rather than this plugin to figure out.
  • remove obsolete script source roots as no longer support in maven 4 and technically I've never seen them used. Please let me know if this negatively affects you as there are other manually coded items like kotlin / groovy that are in the code there so scripts could be manually added back.
  • Remove some of the read only attributes for maven injection that were not actually used.
  • More def to object type
  • Various lib / plugin updates
  • Enable partial formatting (mostly removing trailing whitespace)

Compatibility remains with 4.8.6 of spotbugs

Spotbugs Maven Plugin 4.8.6.4

  • Groovy set to 4.0.23
  • Drop maven site plugin 3.6 and before support.

Spotbugs Maven Plugin 4.8.6.3

  • Ability to disable logs in quite mode (spotbugs.quiet) #842
  • Fix output directory per #807
  • Update plugins / dependencies
  • Fix tag used to build spotbugs during GHA
  • Use inject annotation from jsr330 instead of deprecated component annotation

Build

  • Remove old overrides from pom as addressed
  • Cleanup javadocs
  • Remove snapshot from javadocs at 2.1 as non existent
  • Order attribute order of annotations
  • Use log commonly throughout (newer coded used getLog in one place)
  • Sort imports
  • Add opens for java.lang and java.util for site build as needed on newer jdks
  • Correct GHA for site distribution
  • Delete duplicate codeql github action
  • Speed up github actions

Spotbugs Maven Plugin 4.8.6.2

  • Supports spotbugs 4.8.6
  • Uses groovy 4.0.22

Spotbugs Maven Plugin 4.8.6.1

  • Supports spotbugs 4.8.6
  • Restore java 8 support

Spotbugs Maven Plugin 4.8.6.0

... (truncated)

Commits
  • 9895d2e [maven-release-plugin] prepare release spotbugs-maven-plugin-4.8.6.6
  • 028a1a3 Merge pull request #924 from hazendaz/next-up
  • 1b6f4bf [ci] Gstring to string
  • cf9ebd1 [ci] Run eclipse formatter against the code
  • 62ddea0 Merge pull request #923 from hazendaz/charset
  • 559b0ca [logging] Use correct quoting in log line
  • f2baf85 [maven] Update deprecated code from current project call for reports plugin
  • e5fd7e7 [groovy] Use less gstrings when not needed and sort parameter attributes
  • 260a4da Merge pull request #922 from hazendaz/charset
  • 192e8f2 Revert "[github] Bump to maven 4.0.0-beta-5"
  • Additional commits viewable in compare view

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot bot added java Pull requests that update Java code kind-dependencies Pull requests that update a dependency file labels Nov 13, 2024
Copy link

dryrunsecurity bot commented Nov 13, 2024

DryRun Security Summary

The pull request updates the spotbugs-maven-plugin from version 4.7.3.4 to 4.8.6.6 to enhance security vulnerability detection and ensure the project benefits from the latest bug fixes and improvements.

Expand for full summary

Summary:

The code change in this pull request updates the version of the spotbugs-maven-plugin from 4.7.3.4 to 4.8.6.6. This is a security-related update, as the spotbugs-maven-plugin is a tool used to detect potential security vulnerabilities in Java code. From an application security perspective, this update is important as it likely includes fixes for security vulnerabilities found in the previous version, improves the vulnerability detection capabilities, and ensures that the project benefits from the latest bug fixes, security patches, and feature improvements provided by the plugin's maintainers. This code change is a positive step in maintaining a secure codebase by regularly updating the project's dependencies and tools.

Files Changed:

  • jans-core/pom.xml: This file has been updated to change the version of the spotbugs-maven-plugin from 4.7.3.4 to 4.8.6.6. This is a security-related update, as the spotbugs-maven-plugin is a tool used to detect potential security vulnerabilities in Java code. The updated version likely includes security vulnerability fixes, improved detection capabilities, and better maintenance and support.

Code Analysis

We ran 9 analyzers against 1 file and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Sensitive Files Analyzer 1 finding

View PR in the DryRun Dashboard.

@dependabot dependabot bot force-pushed the dependabot/maven/jans-core/com.github.spotbugs-spotbugs-maven-plugin-4.8.6.6 branch 2 times, most recently from fe50bae to a55d6a4 Compare November 20, 2024 13:11
@dependabot dependabot bot force-pushed the dependabot/maven/jans-core/com.github.spotbugs-spotbugs-maven-plugin-4.8.6.6 branch from a55d6a4 to d54a215 Compare November 21, 2024 12:05
Bumps [com.github.spotbugs:spotbugs-maven-plugin](https://github.com/spotbugs/spotbugs-maven-plugin) from 4.7.3.4 to 4.8.6.6.
- [Release notes](https://github.com/spotbugs/spotbugs-maven-plugin/releases)
- [Commits](spotbugs/spotbugs-maven-plugin@spotbugs-maven-plugin-4.7.3.4...spotbugs-maven-plugin-4.8.6.6)

---
updated-dependencies:
- dependency-name: com.github.spotbugs:spotbugs-maven-plugin
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/maven/jans-core/com.github.spotbugs-spotbugs-maven-plugin-4.8.6.6 branch from d54a215 to 1617662 Compare November 26, 2024 16:38
@moabu moabu force-pushed the dependabot/maven/jans-core/com.github.spotbugs-spotbugs-maven-plugin-4.8.6.6 branch from 1617662 to 533052d Compare December 26, 2024 19:25
@moabu moabu force-pushed the dependabot/maven/jans-core/com.github.spotbugs-spotbugs-maven-plugin-4.8.6.6 branch from 533052d to d72fca4 Compare December 27, 2024 04:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
java Pull requests that update Java code kind-dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants