[FLINK-4499] [build] Add spotbugs plugin

[zentol]

This PR introduces the spotbugs maven plugin, which is the successor to findbugs.

This PR is partially based on #2422.

The spotbugs checks can be run with maven by specifying "-Dspotbugs" on the command-line. For travis, this is done on the "misc" test group; the only profile that actually builds all modules.

As for the rules, i deactivated all that currently caused failures. I will create follow-up JIRAs to activate rules one-by-one; this should give result in several PRs that are easy and quick to review, and lessens the chance of some draconian rule from slipping through.

[aljoscha]

The "spiritual successor". Can we actually use this? I'm asking because it's LGPL. It's probably ok because it's only a build plugin, though.

[zentol]

I was wondering the same, but figured that it's okay since it is neither required to build/run Flink nor included in the binary release and optional to boot. FYI, the checkstyle plugin is also released under LGPL (not the maven plugin, but the underlying checkstyle engine).

[greghogan]

License isn't an issue since it's only used during the build:

CAN APACHE PROJECTS DISTRIBUTE COMPONENTS UNDER PROHIBITED LICENSES? https://www.apache.org/legal/resolved.html#prohibited
Apache projects cannot distribute any such components. This means that no source code can be from Category X and that any convenience binaries produced may not include such contents. As with the previous question on platforms, the component can be relied on if the component's license terms do not affect the Apache product's licensing. For example, using a GPL'ed tool during the build is OK, however including GPL'ed source code is not.

[NicoK]

looks like the build times increase by 5-10 minutes but I'd say this is worth it
+1 from my side

[zentol]

merging.