build(deps): Upgrade to latest SpotBugs #19576
FrankChen021
left a comment
I have reviewed the code for correctness, edge cases, concurrency, and integration risks; no issues found.
Reviewed 4 of 4 changed files.
This is an automated review by Codex GPT-5.5
cddf817 to 64e61c3
FrankChen021
left a comment
I have reviewed the code for correctness, edge cases, concurrency, and integration risks; no issues found.
Reviewed 4 of 4 changed files.
This is an automated review by Codex GPT-5.5
Bump spotbugs-maven-plugin to 4.10.2.0 (SpotBugs core 4.10.2) and drop the explicit 4.8.6 core override so the plugin's bundled analyzer is used. 4.10.2 is the first 4.10 release safe to adopt: 4.10.0 was never published due to a release error, and 4.10.0/4.10.1 shipped a Saxon-HE build that broke Java 11 compatibility, which 4.10.2 restored.
SpotBugs 4.9 and 4.10 add new detectors. Running spotbugs:check across all modules surfaced findings from the following new patterns:
- 4.9: AT_* atomicity patterns and HSM_HIDING_METHOD, excluded project-wide alongside the existing suppressions (the flagged sites rely on external synchronization or hide methods by design).
- 4.10: 70 USO_* unsafe-synchronization findings (CERT LCK00-J) from the new FindImproperSynchronization detector, excluded project-wide; Druid relies on intrinsic synchronization intentionally. NN_NAKED_NOTIFY and NCR_NOT_PROPERLY_CHECKED_READ each flag only a handful of false positives, so they are suppressed with targeted matches rather than disabled globally, keeping the detectors active for the rest of the codebase.
SpotBugs 4.9 UselessSuppressionDetector flags these two @SuppressFBWarnings annotations as unnecessary; the underlying patterns are no longer reported at these sites.
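The split described in the commit message above, project-wide exclusions versus targeted matches, can be checked mechanically. The following is an added example, not code from this PR or from Druid: it parses a SpotBugs filter file, assumed to be used as the exclude filter, and lists which bug selectors are excluded everywhere and which are scoped to specific code. The sample filter is constructed; its class and method names are hypothetical, and the pattern names are taken from the text above.

```python
import xml.etree.ElementTree as ET

# Constructed sample in SpotBugs filter-file syntax. Pattern names come from
# the PR text; the class and method names are hypothetical.
SAMPLE_FILTER = """\
<FindBugsFilter>
  <Match><Bug pattern="HSM_HIDING_METHOD"/></Match>
  <Match><Bug pattern="AT_OPERATION_SEQUENCE_ON_CONCURRENT_ABSTRACTION"/></Match>
  <Match>
    <Class name="org.example.HypotheticalQueue"/>
    <Method name="wakeWaiters"/>
    <Bug pattern="NN_NAKED_NOTIFY"/>
  </Match>
  <Match>
    <Class name="org.example.HypotheticalReader"/>
    <Bug pattern="NCR_NOT_PROPERLY_CHECKED_READ"/>
  </Match>
</FindBugsFilter>
"""

# Filter elements that narrow a <Match> to particular code.
SCOPE_TAGS = {"Class", "Method", "Field", "Package", "Source", "Local"}
# <Bug> attributes that select findings; each holds a comma-separated list.
BUG_ATTRS = ("pattern", "code", "category")


def local(el):
    """Element name without an XML namespace prefix, if the file declares one."""
    return el.tag.rsplit("}", 1)[-1]


def audit_filter(xml_text):
    """Return (project_wide, targeted) lists of bug selectors in a filter file."""
    # The filter file is a reviewed repo artifact; parse untrusted XML with defusedxml.
    root = ET.fromstring(xml_text)
    project_wide, targeted = [], []
    for match in (el for el in root.iter() if local(el) == "Match"):
        scoped = any(local(el) in SCOPE_TAGS for el in match.iter())
        for bug in (el for el in match.iter() if local(el) == "Bug"):
            names = [n.strip() for a in BUG_ATTRS
                     for n in bug.get(a, "").split(",") if n.strip()]
            (targeted if scoped else project_wide).extend(names)
    return sorted(project_wide), sorted(targeted)


if __name__ == "__main__":
    wide, narrow = audit_filter(SAMPLE_FILTER)
    print("disabled for the whole codebase:", wide)
    print("suppressed at specific sites:   ", narrow)
```

Run in CI against the real exclude file, the first list is the set of detectors that no longer guard any code, which is the list worth re-reviewing on each SpotBugs upgrade.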
64e61c3 to 62a4abc
FrankChen021
left a comment
I have reviewed the code for correctness, edge cases, concurrency, and integration risks; no issues found.
Reviewed 4 of 4 changed files.
This is an automated review by Codex GPT-5.5
Fixes #18373.
I came across @kgyrtkirk's issue above (#18373) which was auto-closed. Addressing the few SpotBugs warnings was straightforward, especially with Claude doing all the work.
This PR removes the pin so the plugin's matching default, 4.9.3, is used. I updated this PR now to jump to the latest SpotBugs version right away.

SpotBugs 4.9 ships some new "detectors". Running mvn spotbugs:check over all modules produced 17 new findings, handled as follows:

- AT_* atomicity patterns in spotbugs-exclude.xml, alongside the already-excluded AT_OPERATION_SEQUENCE_ON_CONCURRENT_ABSTRACTION. The flagged sites rely on external synchronization.
- HSM_HIDING_METHOD. InvalidSqlInput hides the static InvalidInput.exception() factory methods by design.
- @SuppressFBWarnings annotations that the new UselessSuppressionDetector reports as unnecessary.

This PR has: