Update spotbugs major version in SAST templates

Description

As discussed in this comment, we're unable to bump SpotBugs to v6 for the stable CI template as it contains a breaking change that was not approved. As a result, the default SpotBugs job will remain on v5 for the 18.x milestones.

We have bumped Spotbugs to v6 in the latest CI template as part of the %18.0 release: !188953 (merged)

For context v6 was released as part of Add JDK 21 to SpotBugs-based SAST analyzer (#448708 - closed)

JDK 21 requires manual pin to SpotBugs v6

If users need JDK21 support, they must manually pin to SpotBugs v6 by following these steps.

Related

Add JDK 21 to SpotBugs-based SAST analyzer (#448708 - closed) • Jason Leasure • 17.9 • On track

Implementation plan

• In %18.0 only bump Spotbugs to v6 in the latest CI template.
  • MR: Bump spotbugs major version (!188953 - merged)
• Update documentation to highlight differences between v6 and v5
  • Anyone who wants JDK 21 needs to use v6
  • MR: Add notes for spotbugs jdk21 support (!188957 - merged)
• Leave a comment on #448708 (comment 2331107183) pointing to the updated user docs
• Highlight to SAST team that we should provide the same support for v5 before v6 is bumped in the stable CI template and more users use
  • Update SASTBot with note to manually backport SpotBugs v5: https://gitlab.com/gitlab-org/security-products/analyzers/sast-analyzer-deps-bot/-/merge_requests/30+
  • Raise this in the team meeting
• In %19.0 bump Spotbugs to v6 in the stable CI template.
  • Created issue to track this Bump SpotBugs in the stable CI template for %19.0 (#537375)