• Fixed generate site reports to include all site variations, thanks to @bradleylarrick
• Add support for source jar/zip, thanks to @cortlepp

Bug fix with SpotbugsInfo.EOF error (was meant to be SpotbugsInfo.EOL).

Bug fix release supporting spotbugs 4.9.8.

• Supports 4.9.7 of spotbugs
• Build updates
• Fixes #1215

• Supports spotbugs 4.9.6
• note: 4.9.5 had a defect with detection of jakarta in servlets that was unexpected and quickly patched for this release.

• Support spotbugs 4.9.5

Consumer

• Add support for 'chooseVisitors'
• Minor code cleanup
• Still supports spotbugs 4.9.4

Producer

• Remove add opens from jvm.config as no longer needed

Consumer

• Cleanup readme to better support plugin
• Dropped direct usage of plexus utils and commons io
• Groovy 5 now run engine
• Correct issue since 4.9.2.0 resulting in most runs getting spotbugs.html file incorrectly. This has been refactored to restore doxia 1 overrides to produce xml report only when not running in site lifecycle
• Correct defects with handling of various files on disk such as exclusion filters that were introduced into 4.9.4.0. Integration tests have been applied to prevent future regression.
• Commons io fileutils replaced by files.walk with detailed output moved to debug collection only rather than all runs
• Normalization of path to linux style
• Any regex usage is now precompiled
• Use re-entrant lock for source indexer
• Correct locale usage to use default if not given
• Block doctype and XXE when processing xml files
• Cleanup some fields from resources and in code never used

Producer

• Pin versions of github actions tools
• Run maven 3.6.3 integration test on windows to get more broad support
• Run maven integration test on mac to get more broad support
• Maven 4 integration tests will continue on linux
• Fix maven wrapper perceived path traversal issue
• Corrections to invoker to re-establish integration test verification's
• Fix bugs in integration tests
• Better secure xml usage in integration tests
• Cleanup integration test warnings
• Make sure transfer of artifacts is correctly disabled on integration tests

• back ported all of 4.9.4.1

10/19/2025 Notice

This is a backport release of all changes from 4.9.4.1 line. It was intended to provide some support for java 8 users with a very old bug issue since this plugin first came about. Unfortunately due to sonatype changes all of 4.9.x had to come back and that came with changes to java 11 apis that groovy build does not care about binary compatibility. If not using java 11 at least, don't use this version. If you are using java 8 still and want this backwards compatibility fix, please look at the source and contribute patches for at least Path.of to Paths.get and presumably others to get the compatibility back for java 8.

Using java 11+ - ok
Using java 8 - don't use this version until compatibility is restored.

There really is no true reason anyone needs to stick to java 8 at all for a build so it is rather advisable to upgrade in said case to newer java version and cross compile with release flags and use enforcer plugin for transient library byte code checks instead. While the back port issue will be addressed at some point, it may be some time.

Release is large but mainly rewriting of underlying code. This supports spotbugs 4.9.4, additional details below.

Consumer

• Supporting spotbugs 4.9.4
• Updated all underlying dependencies
• Groovy now at 4.0.28
• Groovydocs now published with release
• Modernize groovy code usage including typing everything, avoiding any usage of groovy 'it' idiom
• Due to how groovy resolves logging, wrap any logging that needs groovy to resolve gstring with check on logger being enabled
• No longer use plexus file resource loader as it was mostly duplicated, its deprecated, and cleaner to directly implement enhancement
• Use objects require non null where appropriate
• Make sure files closed appropriately to prevent leaks
• Fix invalid look at debug flag to determine debug logging by additionally checking info logging instead and log at info
• Fix invalid usage of logging at debug where debug flag should have been used
• Plugin artifact is now a list rather than array
• Various nio updates
• Fix javadoc issues
• Cleanup regex usage for hyperlink to code off reporting
• Do not use 'assert' in code, use correct checks with illegal argument exceptions

Producer

• gha now implements concurrency restrictions to prevent unwanted builds now that github is showing costs associated with runners
• gha now implements timeout at 30 minutes to prevent long running jobs now that github is showing costs associated with runners
• github actions are now pinned to digests to prevent potential supply chain hacks
• renamed codeql.yml to codeql.yaml (all are yaml now)
• maven wrapper is updated to support defects with maven 4 usage since beta-5 was released. Now runner on maven 4.0.0-rc-4 now fully works
• maven wrapper is protected from path transversal issues
• .gitignore updated to ignore .pmd and .groovy directories
• maven wrapper now defaulted to maven 3.9.11
• central badge updated for new central hosting
• Corrected test source directory for groovy in build pom
• Add additional code coverage
• Correct spotbugs version on documentation
• Site now generating again as gmavenplus fixed defect introduced by groovy changes
• renovate set to pin github action digests
• All integration tests updated to more modern groovy usage