chore(deps): bump com.github.spotbugs:spotbugs-maven-plugin from 4.7.3.4 to 4.9.4.0 in /jans-core

[dependabot]

Bumps com.github.spotbugs:spotbugs-maven-plugin from 4.7.3.4 to 4.9.4.0.

Release notes

Sourced from com.github.spotbugs:spotbugs-maven-plugin's releases.

Spotbugs Maven Plugin 4.9.4.0

Release is large but mainly rewriting of underlying code. This supports spotbugs 4.9.4, additional details below.

Consumer

• Supporting spotbugs 4.9.4
• Updated all underlying dependencies
• Groovy now at 4.0.28
• Groovydocs now published with release
• Modernize groovy code usage including typing everything, avoiding any usage of groovy 'it' idiom
• Due to how groovy resolves logging, wrap any logging that needs groovy to resolve gstring with check on logger being enabled
• No longer use plexus file resource loader as it was mostly duplicated, its deprecated, and cleaner to directly implement enhancement
• Use objects require non null where appropriate
• Make sure files closed appropriately to prevent leaks
• Fix invalid look at debug flag to determine debug logging by additionally checking info logging instead and log at info
• Fix invalid usage of logging at debug where debug flag should have been used
• Plugin artifact is now a list rather than array
• Various nio updates
• Fix javadoc issues
• Cleanup regex usage for hyperlink to code off reporting
• Do not use 'assert' in code, use correct checks with illegal argument exceptions

Producer

• gha now implements concurrency restrictions to prevent unwanted builds now that github is showing costs associated with runners
• gha now implements timeout at 30 minutes to prevent long running jobs now that github is showing costs associated with runners
• github actions are now pinned to digests to prevent potential supply chain hacks
• renamed codeql.yml to codeql.yaml (all are yaml now)
• maven wrapper is updated to support defects with maven 4 usage since beta-5 was released. Now runner on maven 4.0.0-rc-4 now fully works
• maven wrapper is protected from path transversal issues
• .gitignore updated to ignore .pmd and .groovy directories
• maven wrapper now defaulted to maven 3.9.11
• central badge updated for new central hosting
• Corrected test source directory for groovy in build pom
• Add additional code coverage
• Correct spotbugs version on documentation
• Site now generating again as gmavenplus fixed defect introduced by groovy changes
• renovate set to pin github action digests
• All integration tests updated to more modern groovy usage

Spotbugs Maven Plugin 4.9.3.2

• Fixed long standing bug in source roots of test side of code for exclusion purposes, see #1090 and #1091.

Spotbugs Maven Plugin 4.9.3.1

Plugin

• Rewrite java io to java nio
• Rewrite some groovy code
• Make sure all resources are closed properly
• Don't mix java code into groovy code

... (truncated)

Commits

• 34c4962 [maven-release-plugin] prepare release spotbugs-maven-plugin-4.9.4.0
• 5ac441b Merge pull request #1145 from hazendaz/cleanup
• 37a8737 [GHA] Move to maven 4.0.0-rc-4 in maven 4 integration test
• bdcaa2c Merge pull request #1144 from hazendaz/cleanup
• a7591e5 Add support for maven 4 mainClass to maven wrapper
• f7ea524 Merge pull request #1143 from spotbugs/renovate/pin-dependencies
• 28706a7 Pin dependencies
• f4cd7d0 Merge pull request #1142 from hazendaz/master
• 0990344 [gha] Run max parallel to 6
• 2da6164 [renovate] Ping github action digests security!
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[mo-auto]

🎉 Snyk checks have passed. No issues have been found so far.

✅ security/snyk check is complete. No issues have been found. (View Details)

[dependabot]

Superseded by #12100.