Conversation

@dependabot dependabot bot (Contributor) commented on behalf of github on Nov 12, 2025

Bumps com.github.spotbugs:spotbugs-maven-plugin from 4.8.3.1 to 4.9.8.1.

Release notes

Sourced from com.github.spotbugs:spotbugs-maven-plugin's releases.

Spotbugs Maven Plugin 4.9.8.1

Bug fix for the SpotbugsInfo.EOF error (it was meant to be SpotbugsInfo.EOL).

Spotbugs Maven Plugin 4.9.8.0

Bug fix release supporting spotbugs 4.9.8.

Spotbugs Maven Plugin 4.9.7.0

Spotbugs Maven Plugin 4.9.6.0

  • Supports spotbugs 4.9.6
  • Note: 4.9.5 had an unexpected defect in the detection of Jakarta in servlets, which was quickly patched for this release.

Spotbugs Maven Plugin 4.9.5.0

  • Support spotbugs 4.9.5

Spotbugs Maven Plugin 4.9.4.2

Consumer

  • Add support for 'chooseVisitors'
  • Minor code cleanup
  • Still supports spotbugs 4.9.4

Producer

  • Remove add opens from jvm.config as no longer needed

Spotbugs Maven Plugin 4.9.4.1

Consumer

  • Cleanup readme to better support plugin
  • Dropped direct usage of plexus utils and commons io
  • Groovy 5 is now the run engine
  • Correct an issue, present since 4.9.2.0, that resulted in most runs incorrectly getting a spotbugs.html file. This has been refactored to restore the doxia 1 overrides so that only the XML report is produced when not running in the site lifecycle
  • Correct defects, introduced in 4.9.4.0, in the handling of various files on disk such as exclusion filters. Integration tests have been applied to prevent future regression.
  • Commons IO FileUtils replaced by Files.walk, with detailed output moved to debug collection only rather than all runs
  • Normalization of paths to Linux style
  • Any regex usage is now precompiled
  • Use re-entrant lock for source indexer
  • Correct locale usage to use default if not given
  • Block DOCTYPE and XXE when processing XML files
  • Cleanup some fields from resources and in code never used

Producer

  • Pin versions of github actions tools
  • Run Maven 3.6.3 integration tests on Windows to get broader support
  • Run Maven integration tests on Mac to get broader support
  • Maven 4 integration tests will continue on linux
  • Fix maven wrapper perceived path traversal issue
  • Corrections to invoker to re-establish integration test verifications
  • Fix bugs in integration tests

... (truncated)

Commits
  • 8eb6aa9 [maven-release-plugin] prepare release spotbugs-maven-plugin-4.9.8.1
  • 4ff769f Fix: Correct reported issue with 'EOF' where it should be 'EOL'
  • c210782 Merge pull request #1241 from spotbugs/renovate/execpluginversion
  • 662fa1e Update dependency org.codehaus.mojo:exec-maven-plugin to v3.6.2
  • 8cd9648 [maven-release-plugin] prepare for next development iteration
  • d8d4c69 [maven-release-plugin] prepare release spotbugs-maven-plugin-4.9.8.0
  • 52cdf26 [ci] Add note about pom entries to update for testing upstream master
  • 9b8e387 [pom] Prepare for 4.9.8 release
  • 0a8ac5a Merge pull request #1238 from spotbugs/renovate/github-codeql-action-digest
  • 4b02d8d Merge pull request #1240 from spotbugs/renovate/spotbugs.version
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [com.github.spotbugs:spotbugs-maven-plugin](https://github.com/spotbugs/spotbugs-maven-plugin) from 4.8.3.1 to 4.9.8.1.
- [Release notes](https://github.com/spotbugs/spotbugs-maven-plugin/releases)
- [Commits](spotbugs/spotbugs-maven-plugin@spotbugs-maven-plugin-4.8.3.1...spotbugs-maven-plugin-4.9.8.1)

---
updated-dependencies:
- dependency-name: com.github.spotbugs:spotbugs-maven-plugin
  dependency-version: 4.9.8.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Nov 12, 2025
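A version bump like this one only changes a number in the pom; what a reviewer checks next is that the plugin is wired so the upgrade actually gates the build. The fragment below is an added example, not this project's own pom.xml: it declares the plugin at 4.9.8.1, binds the check goal to the verify phase so findings fail the build, and uses the chooseVisitors parameter that the 4.9.4.2 notes introduced. The detector names, the +/- enable/disable syntax (taken from the SpotBugs CLI option of the same name) and the spotbugs-exclude.xml path are assumptions for illustration.

```xml
<build>
  <plugins>
    <plugin>
      <groupId>com.github.spotbugs</groupId>
      <artifactId>spotbugs-maven-plugin</artifactId>
      <!-- the version this PR bumps to -->
      <version>4.9.8.1</version>
      <configuration>
        <!-- analyse as deeply as possible and report every confidence level -->
        <effort>Max</effort>
        <threshold>Low</threshold>
        <!-- make spotbugs:check fail the build when bugs remain -->
        <failOnError>true</failOnError>
        <xmlOutput>true</xmlOutput>
        <!-- hypothetical exclusion filter file; this is the kind of XML the plugin parses,
             which is why the 4.9.4.1 notes block DOCTYPE/XXE when reading it -->
        <excludeFilterFile>spotbugs-exclude.xml</excludeFilterFile>
        <!-- assumed syntax: '+' enables a detector, '-' disables one (spotbugs-maven-plugin 4.9.4.2+) -->
        <chooseVisitors>+FindNullDeref,-UnreadFields</chooseVisitors>
      </configuration>
      <executions>
        <execution>
          <id>spotbugs-check</id>
          <phase>verify</phase>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in place, `mvn verify` runs the analysis after the tests and fails on any reported bug; a plain `mvn spotbugs:spotbugs` still produces the XML report without failing.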
@cx-ben-alvo (Collaborator)

Checkmarx One – Scan Summary & Details (scan 34e37de7-c9de-45c6-8d9b-235a85ac6f1a)

New Issues (11)

Checkmarx found the following issues in this Pull Request

  • HIGH: Passwords And Secrets - Generic Password, in /release.yml: 105
    Query to find passwords and secrets in infrastructure code.
    ID: H0ivHBxkNH%2BEIA1eyvz9EEj%2BAgQ%3D
  • MEDIUM: ALB Deletion Protection Disabled, in /positive1.tf: 15
    Application Load Balancer should have deletion protection enabled.
    ID: zg1cBvbrhNLxVboSKpyjmWbqU9o%3D
  • MEDIUM: ALB Listening on HTTP, in /positive1.tf: 9
    AWS Application Load Balancer (ALB) should not listen on HTTP.
    ID: O8byoDsd3nmhEbCNco1oynLXWfE%3D
  • MEDIUM: ALB Not Dropping Invalid Headers, in /positive1.tf: 15
    It's considered a best practice when using Application Load Balancers to drop invalid header fields.
    ID: qvZPpWm8avYYv6GPvrCd92IvwhE%3D
  • MEDIUM: CVE-2020-15250, vulnerable package Maven-junit:junit-4.10
    Recommended version: 4.13.1
    Description: In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like sys...
    Attack Vector: LOCAL
    Attack Complexity: LOW
    ID: jDCEPjgVMN8mXr79HI%2BAPvPG8ySXEUytsLbZmLt4Vnc%3D
  • MEDIUM: ELBv2 LB Access Log Disabled, in /positive1.tf: 15
    ELBv2 LBs should have access log enabled to capture detailed information about requests sent to your load balancer.
    ID: SwXIeYCAhsKw6kNGc%2FMAQiV6EFM%3D
  • MEDIUM: Reversible_One_Way_Hash, in /src/main/java/com/checkmarx/ast/wrapper/Execution.java: 38
    The application is using a weak hashing primitive getInstance, in /src/main/java/com/checkmarx/ast/wrapper/Execution.java at line 209.
    ID: a%2FNLACgFNKgn997xWUHIKiQzjos%3D
  • LOW: APT-GET Missing Flags To Avoid Manual Input, in /Dockerfile: 5
    Check if apt-get calls use flags to avoid user manual input.
    ID: jfZh0UJk7d3yZvWU%2BMZVe%2FotGh4%3D
  • LOW: Healthcheck Instruction Missing, in /Dockerfile: 1
    Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working.
    ID: pq3yqo20YibWk%2BA6WnaVJTu%2F1y0%3D
  • LOW: IAM Access Analyzer Not Enabled, in /positive1.tf: 1
    IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions.
    ID: 8fG2AwTyno7UoR1NTnCH7kTC5F0%3D
  • LOW: Shield Advanced Not In Use, in /positive1.tf: 15
    AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing,...
    ID: LQfE6q%2BzH43A5RiXDxGr8C7Cu98%3D

Use @Checkmarx to reach out to us for assistance.

Just send a PR comment with @Checkmarx followed by a natural language request.

Examples: @Checkmarx how are you able to help me? @Checkmarx rescan this PR
