• Supports spotbugs 4.9.6
• note: 4.9.5 had a defect with detection of jakarta in servlets that was unexpected and quickly patched for this release.

• Support spotbugs 4.9.5

Consumer

• Add support for 'chooseVisitors'
• Minor code cleanup
• Still supports spotbugs 4.9.4

Producer

• Remove add opens from jvm.config as no longer needed

Consumer

• Cleanup readme to better support plugin
• Dropped direct usage of plexus utils and commons io
• Groovy 5 now run engine
• Correct issue since 4.9.2.0 resulting in most runs getting spotbugs.html file incorrectly. This has been refactored to restore doxia 1 overrides to produce xml report only when not running in site lifecycle
• Correct defects with handling of various files on disk such as exclusion filters that were introduced into 4.9.4.0. Integration tests have been applied to prevent future regression.
• Commons io fileutils replaced by files.walk with detailed output moved to debug collection only rather than all runs
• Normalization of path to linux style
• Any regex usage is now precompiled
• Use re-entrant lock for source indexer
• Correct locale usage to use default if not given
• Block doctype and XXE when processing xml files
• Cleanup some fields from resources and in code never used

Producer

• Pin versions of github actions tools
• Run maven 3.6.3 integration test on windows to get more broad support
• Run maven integration test on mac to get more broad support
• Maven 4 integration tests will continue on linux
• Fix maven wrapper perceived path traversal issue
• Corrections to invoker to re-establish integration test verification's
• Fix bugs in integration tests
• Better secure xml usage in integration tests
• Cleanup integration test warnings
• Make sure transfer of artifacts is correctly disabled on integration tests

• back ported all of 4.9.4.1

Release is large but mainly rewriting of underlying code. This supports spotbugs 4.9.4, additional details below.

Consumer

• Supporting spotbugs 4.9.4
• Updated all underlying dependencies
• Groovy now at 4.0.28
• Groovydocs now published with release
• Modernize groovy code usage including typing everything, avoiding any usage of groovy 'it' idiom
• Due to how groovy resolves logging, wrap any logging that needs groovy to resolve gstring with check on logger being enabled
• No longer use plexus file resource loader as it was mostly duplicated, its deprecated, and cleaner to directly implement enhancement
• Use objects require non null where appropriate
• Make sure files closed appropriately to prevent leaks
• Fix invalid look at debug flag to determine debug logging by additionally checking info logging instead and log at info
• Fix invalid usage of logging at debug where debug flag should have been used
• Plugin artifact is now a list rather than array
• Various nio updates
• Fix javadoc issues
• Cleanup regex usage for hyperlink to code off reporting
• Do not use 'assert' in code, use correct checks with illegal argument exceptions

Producer

• gha now implements concurrency restrictions to prevent unwanted builds now that github is showing costs associated with runners
• gha now implements timeout at 30 minutes to prevent long running jobs now that github is showing costs associated with runners
• github actions are now pinned to digests to prevent potential supply chain hacks
• renamed codeql.yml to codeql.yaml (all are yaml now)
• maven wrapper is updated to support defects with maven 4 usage since beta-5 was released. Now runner on maven 4.0.0-rc-4 now fully works
• maven wrapper is protected from path transversal issues
• .gitignore updated to ignore .pmd and .groovy directories
• maven wrapper now defaulted to maven 3.9.11
• central badge updated for new central hosting
• Corrected test source directory for groovy in build pom
• Add additional code coverage
• Correct spotbugs version on documentation
• Site now generating again as gmavenplus fixed defect introduced by groovy changes
• renovate set to pin github action digests
• All integration tests updated to more modern groovy usage

• Fixed long standing bug in source roots of test side of code for exclusion purposes, see #1090 and #1091.

Plugin

• Rewrite java io to java nio
• Rewrite some groovy code
• Make sure all resources are closed properly
• Don't mix java code into groovy code

Build

• Update github actions
• Add spock for building unit tests and add baseline of tests
• Rewrite all integration tests from java io to java nio
• Add stubfixer to add missing 'Override' annotations to groovy generated code

Users

• Support spotbugs 4.9.3 release

Build

• Bump junit to 5.12.1
• Bump fluido to 2.1.0

User Changes

• Supports spotbugs 4.9.2
• Keep jsr 330 compatibility at javax namespace so maven 4 works well since it would cause issues
• Fix ability to use spotbugs plugin with an classifier as it would have previously failed
• Fix possible issue when no output directory supplied and path was used, make it a file
• Move project to use doxia 2 now
• Add some additional debug logging throughout

Build Changes

• Sonar now works
• Fix report plugin name
• Remove coverity and sonar gha actions (sonar was already project level covered)
• Remove coveralls action as it was not used
• Correct sonar issues
• Use more NIO where possible
• Remove all unused items from the base of check/verify mojos as those work against scanned code and play no direct part in the scanning
• Replaced maven artifact transfer with resolver
• Run dependency analyze to fix up build as much as possible
• Stop using 'def' throughout in favor of actual objects
• Move the build to use doxia 2