Cross-posting this issue https://github.com/spotbugs/spotbugs/issues/2686 since it seems related to Spring's dependency management. SpotBugs 4.8.1 works fine with Quarkus' dependency management, but not Spring Boot's.

Expected: Spring dependency management does not break other plugins like SpotBugs.

Possibly this is really a Gradle issue underneath it all - personally I don't see why plugins need to share a classpath, or what benefits that gives me as a user (but it definitely causes problems!).

Comment From: wilkinsona

When both Spring Boot's Gradle Plugin and the io.spring.dependency-management plugins are applied, things are configured such that the dependency management in Spring Boot's spring-boot-dependencies bom is applied to every configuration. Generally speaking, that's beneficial as it provides consistent versions across the board. Unfortunately, in cases like this it's not beneficial as it has adversely affected the versions in the spotbugs configuration.

There are a couple of ways in which this problem can be avoided:

  1. Use Gradle's built-in platform support rather than the dependency management plugin. This allows you to configure the use of spring-boot-dependencies on a per-configuration basis.
  2. Override Spring Boot's dependency management by setting the commons-lang3.version property
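
The two workarounds above as a `build.gradle` sketch. This is an added example, not part of the original comment or of either project's documentation. The plugin versions, the starter dependency and the commons-lang3 version are placeholders to fill in for your build.

```groovy
// build.gradle (Groovy DSL) - added illustration; all '<...>' values are placeholders.

plugins {
    id 'java'
    id 'org.springframework.boot' version '<spring-boot-version>'
    id 'com.github.spotbugs' version '<spotbugs-plugin-version>'
    // Option 1: io.spring.dependency-management is deliberately NOT applied,
    // so the spring-boot-dependencies bom is no longer forced onto every
    // configuration (including the one the SpotBugs plugin resolves).
}

repositories {
    mavenCentral()
}

dependencies {
    // Option 1: import the bom with Gradle's own platform support, only on
    // the configurations that should follow Spring Boot's versions.
    // testImplementation extends implementation, so tests inherit it; the
    // spotbugs configuration does not, so it keeps the versions SpotBugs
    // itself declares.
    implementation platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)

    // Hypothetical application dependency, version supplied by the bom.
    implementation 'org.springframework.boot:spring-boot-starter-web'
}

// Option 2 (alternative to option 1): keep io.spring.dependency-management
// applied and override the managed version through the property named in
// the comment above. The override applies to every configuration, so the
// application is also built and run against this commons-lang3 version.
//
// plugins { id 'io.spring.dependency-management' version '<plugin-version>' }
// ext['commons-lang3.version'] = '<version-required-by-spotbugs>'
```

To check which version the analysis classpath actually resolves, run `./gradlew dependencyInsight --dependency commons-lang3 --configuration spotbugs` before and after the change.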