Releases: SonarSource/sonar-java
Releases · SonarSource/sonar-java
7.9.0.28969
Release Notes - SonarJava - Version 7.9
New Feature
- [SONARJAVA-4177] - Provide OWASP Top 10 2021 security standards for rules metadata
- [SONARJAVA-4181] - Introduce rule selection for AutoScan
Task
- [SONARJAVA-3707] - Deprecate S2658 in favor of S6173
- [SONARJAVA-4145] - Update rules metadata
Improvement
- [SONARJAVA-4186] - Rules testing subtypes should correctly handle incomplete semantic
False-Positive
- [SONARJAVA-4184] - FPs on S112 when the body of a method has unresolved methods or if a called constructor declare raw exceptions
- [SONARJAVA-4189] - FP in S3985 when all the usages of a class are not resolved
- [SONARJAVA-4191] - S4838 should not report false positives when the semantic is incomplete
- [SONARJAVA-4192] - S3077 should not report an issue when the type is unknown
7.8.1.28740
Release Notes - SonarJava - Version 7.8.1
Bug
- [SONARJAVA-4148] - Duplicated "Using ECJ batch to parse source files" logs
Improvement
- [SONARJAVA-3893] - Update S128 documentation to mention fallthrough exception
False-Positive
- [SONARJAVA-3887] - Rule S5808 should not raise when an exception is thrown
- [SONARJAVA-4144] - S2699 and S6103 should not report an issue in case of incomplete semantic
- [SONARJAVA-4146] - FP in batch mode caused by missing annotations on dependent generic classes
7.8.0.28662
Release Notes - SonarJava - Version 7.8
Bug
- [SONARJAVA-4128] - Record components of local records should not have the method as owner
- [SONARJAVA-4129] - NPE in S1450 when private field is used in a record
Task
- [SONARJAVA-4141] - Update rules metadata
Improvement
- [SONARJAVA-4059] - Rule S6373 XML parsers should not allow inclusion of arbitrary files
- [SONARJAVA-4062] - Rule S6374 XML parsers should not load external schemas
- [SONARJAVA-4065] - Rule S6376 XML parsers should not be vulnerable to Denial of Service attacks
- [SONARJAVA-4067] - Rule S6377 XML signatures should be validated securely
False-Positive
- [SONARJAVA-3839] - FP in S6212 when a method has parameterized return types
- [SONARJAVA-3842] - FP in S2755 when vulnerability is mitigated in another class
- [SONARJAVA-3899] - FP on S2755 when XML DocumentBuilderFactory is initialized inside initialized block
- [SONARJAVA-4008] - Rule S2755 should accept setExpandEntityReferences solution for openJDK >= 13
7.7.0.28547
Release Notes - SonarJava - Version 7.7
Bug
- [SONARJAVA-4010] - NPE in JSymbol.hashCode()
- [SONARJAVA-4023] - The Java analyzer should populate the classpath with all the JARs provided by the SDK
New Feature
- [SONARJAVA-3770] - Implement rule S6217: Omit permitted types when subclasses are in the same file as their superclass
Task
- [SONARJAVA-3863] - Drop deprecated method "MethodSymbol.overriddenSymbol()"
- [SONARJAVA-4124] - Update license headers for 2022
- [SONARJAVA-4125] - Update rules metadata
Improvement
- [SONARJAVA-4057] - Do not generate FP when rules don't have semantic
- [SONARJAVA-4086] - Preview feature problems should not be logged under unresolved types
- [SONARJAVA-4101] - Update ECJ to 3.28.0
- [SONARJAVA-4103] - Rules S1905 - Highlight also the parenthesis of the reported issue
- [SONARJAVA-4104] - Rule S1197 Highlight the variable additionally to the []
- [SONARJAVA-4114] - Support classpath entries with comma
- [SONARJAVA-4115] - Custom rules plugin examples should shade dependencies and use latest packaging module
- [SONARJAVA-4118] - Introduce Java 17's Sealed Classes as final feature
- [SONARJAVA-4119] - Correctly parse Pattern-matching for switch from Java 17
- [SONARJAVA-4120] - Logs about preview features should not suggest "-enable-preview"
False-Positive
- [SONARJAVA-4060] - FP in S3252 when owner type is unknown
- [SONARJAVA-4070] - S1874(CallToDeprecatedMethodCheck) should ignore incomplete method signature
- [SONARJAVA-4074] - S5845: FP when using lombok.val
- [SONARJAVA-4090] - FP in S6206 when the constructor and the class have not the same visibility
- [SONARJAVA-4100] - Abstract classes should be excluded from S5790
- [SONARJAVA-4102] - S6204 should not raise an issue when removeIf is called on the list
- [SONARJAVA-4116] - Remove rule S2912 (IndexOfStartPositionCheck)
- [SONARJAVA-4117] - Support `@SuperBuilder` from Lombok
- [SONARJAVA-4122] - S3329 should not raise an issue for Cipher.DECRYPT_MODE
- [SONARJAVA-4123] - FP on S2384: Collections.emptyList() should be considered as immutable.
Documentation
- [SONARJAVA-4066] - Update custom rules 101 metadata documentation and template
False Negative
- [SONARJAVA-4055] - S4544 should raise on Interface in addition to Class
- [SONARJAVA-4058] - S5838 should support subtypes of Collections
- [SONARJAVA-4063] - FN in S3688 (disallowed classes) in case of Reflection
- [SONARJAVA-4108] - FN in S2189 : infinite do/while loops should be reported
- [SONARJAVA-4111] - FN on S1862 when equality parameters are inverted
7.6.0.28201
Release Notes - SonarJava - Version 7.6
Bug
- [SONARJAVA-4020] - S5869(DuplicatesInCharacterClassCheck): Fix false-negative and crash on regex spanning low and upper case ranges
Task
- [SONARJAVA-3987] - Move all rules targeting XML from SonarJava to SonarQube XML Analyzer
- [SONARJAVA-3988] - Drop XmlFileSensor from Java Analyzer
- [SONARJAVA-4087] - Advertise minimal required JRE version
- [SONARJAVA-4088] - Update rules metadata
Improvement
- [SONARJAVA-4069] - Improve Nullability annotations support in S2638 (ChangeMethodContractCheck)
- [SONARJAVA-4078] - Improve Nullability annotations support in S2789 (NullShouldNotBeUsedWithOptionalCheck)
- [SONARJAVA-4079] - Improve Nullability annotations support in S4682 (PrimitivesMarkedNullableCheck)
- [SONARJAVA-4080] - Improve Nullability annotations support in S2637 (NonNullSetToNullCheck)
- [SONARJAVA-4081] - Improve Nullability annotations support in S4454 (EqualsParametersMarkedNonNullCheck)
- [SONARJAVA-4082] - Improve Nullability annotations support in S2447 (BooleanMethodReturnCheck)
- [SONARJAVA-4083] - Improve Nullability annotations support in S1168 (ReturnEmptyArrayNotNullCheck)
- [SONARJAVA-4084] - Improve Nullability annotations support in S4449 (ParameterNullnessCheck)
- [SONARJAVA-4085] - Improve Nullability annotations support in S2259 (NullDereferenceCheck)
- [SONARJAVA-4089] - Improve Nullability annotations support in Exploded graph walker
- [SONARJAVA-4091] - Use of Java 17 feature should not lead to a warning message
7.5.0.28054
Release Notes - SonarJava - Version 7.5
Bug
- [SONARJAVA-4068] - S2118-S2441: Fix StackOverflowError raised for self assigned variables
Task
- [SONARJAVA-4052] - Provide quick fix availability to SQ
- [SONARJAVA-4075] - Update rules metadata
Improvement
- [SONARJAVA-4048] - Update ECJ to 3.27.0 and require Java 11
False-Positive
- [SONARJAVA-4047] - S2699: Fix FP with "andExpectAll" introduced in recent version of Spring Test
- [SONARJAVA-4064] - S2055: Fix FP when the semantic is incomplete
- [SONARJAVA-4073] - S3751 should accept protected and package scope modifiers
7.4.0.27839
Release Notes - SonarJava - Version 7.4
Bug
- [SONARJAVA-4021] - Wrong message in S1128 with unused imports from a sub-package
New Feature
- [SONARJAVA-4029] - Rule S6301: Mobile database encryption keys should not be disclosed
- [SONARJAVA-4030] - Rule S6291: Using unencrypted databases in mobile applications is security-sensitive
- [SONARJAVA-4031] - Rule S6300: Using unencrypted files in mobile applications is security-sensitive
- [SONARJAVA-4034] - Rule S4507: Add WebView debug settings
- [SONARJAVA-4036] - Rule S6362: Enabling JavaScript support for WebViews is security-sensitive
- [SONARJAVA-4037] - Rule S6363: Enabling file access for WebViews is security-sensitive
Task
- [SONARJAVA-4018] - Deprecate S2039 for Java
- [SONARJAVA-4045] - Update rules metadata
Improvement
- [SONARJAVA-3866] - Rule S6293: Using a biometric authentication independent of a cryptographic solution is security-sensitive
- [SONARJAVA-3868] - Rule S6288: Authorizing non-authenticated users to use keys in the Android KeyStore is security-sensitive
- [SONARJAVA-4039] - Rule S5332: support Android WebView insecure mixed content policy
- [SONARJAVA-4046] - Avoid unnecessary TextEdit in quick fixes
- [SONARJAVA-4049] - S2647: remove CWE-311 from "securityStandards" to match the "See" section
False-Positive
- [SONARJAVA-2250] - FP on S2695 when the query is built in multiple statements
- [SONARJAVA-3953] - S2095 should ignore ByteArrayOutputStream from apache.commons
- [SONARJAVA-4014] - S1214 should not report interface with a parent
- [SONARJAVA-4015] - FP in S1641 when the initializer is a ternary expression
- [SONARJAVA-4016] - FP in S6206 when the return type of the getter is not the same as the one from the field
- [SONARJAVA-4025] - FP in S2637 with non-null primitive field not initialized
- [SONARJAVA-4040] - S1612 should not suggest casting though method reference for generic classes
- [SONARJAVA-4041] - S1166 should not ignore whitelist when union type is used in catch
Documentation
- [SONARJAVA-4042] - Document the quick fix metadata
False Negative
- [SONARJAVA-4011] - S2119: Random() not detected when used directly in MemberSelectExpression
- [SONARJAVA-4019] - FN in S2695 when the integer argument is coming from a constant
- [SONARJAVA-4032] - S5322 should raise on Activity or any sub classes of Context
- [SONARJAVA-4033] - S5320 should raise on Activity or any sub classes of Context
- [SONARJAVA-4038] - S5324 should raise on Activity or any sub classes of Context
7.3.0.27589
Release Notes - SonarJava - Version 7.3
Sub-task
- [SONARJAVA-3909] - Add quick fixes for S1481 (UnusedLocalVariableCheck)
- [SONARJAVA-3910] - Add quick fixes for S2293 (DiamondOperatorCheck)
- [SONARJAVA-3911] - Add quick fixes for S1155 (CollectionIsEmptyCheck)
- [SONARJAVA-3913] - Add quick fixes for S1130 (RedundantThrowsDeclarationCheck)
- [SONARJAVA-3915] - Add quick fixes for S1124 (ModifiersOrderCheck)
- [SONARJAVA-3916] - Add quick fixes for S1128 (UselessImportCheck)
- [SONARJAVA-3917] - Add quick fixes for S1161 (OverrideAnnotationCheck)
- [SONARJAVA-3918] - Add quick fixes for S1186 (EmptyMethodsCheck)
- [SONARJAVA-3919] - Add quick fixes for S5786 (JUnit5DefaultPackageClassAndMethodCheck)
- [SONARJAVA-3921] - Add quick fixes for S1905 (RedundantTypeCastCheck)
- [SONARJAVA-3922] - Add quick fixes for S3415 (AssertionArgumentOrderCheck)
- [SONARJAVA-3923] - Add quick fixes for S1068 (UnusedPrivateFieldCheck)
- [SONARJAVA-3925] - Add quick fixes for S1197 (ArrayDesignatorOnVariableCheck)
- [SONARJAVA-3926] - Add quick fixes for S1125 (BooleanLiteralCheck)
- [SONARJAVA-3927] - Add quick fixes for S3252 (StaticMemberAccessCheck)
- [SONARJAVA-3928] - Add quick fixes for S1319 (CollectionImplementationReferencedCheck)
- [SONARJAVA-3929] - Add quick fixes for S1172 (UnusedMethodParameterCheck)
- [SONARJAVA-3930] - Add quick fixes for S1612 (ReplaceLambdaByMethodRefCheck)
- [SONARJAVA-3931] - Add quick fixes for S1168 (ReturnEmptyArrayNotNullCheck)
- [SONARJAVA-3933] - Add quick fixes for S5411 (BoxedBooleanExpressionsCheck)
- [SONARJAVA-3934] - Add quick fixes for S1144 (UnusedPrivateMethodCheck)
- [SONARJAVA-3939] - Add quick fixes for S1116 (EmptyStatementUsageCheck)
- [SONARJAVA-3940] - Add quick fixes for S1858 (StringToStringCheck)
- [SONARJAVA-3941] - Add quick fixes for S1659 (OneDeclarationPerLineCheck)
- [SONARJAVA-3942] - Add quick fixes for S2209 (StaticMembersAccessCheck)
- [SONARJAVA-3943] - Add quick fixes for S5838 (AssertJChainSimplificationCheck)
- [SONARJAVA-3944] - Add quick fixes for S2325 (StaticMethodCheck)
- [SONARJAVA-3945] - Add quick fixes for S1107 (RightCurlyBraceSameLineAsNextBlockCheck)
- [SONARJAVA-3946] - Add quick fixes for S1488 (ImmediatelyReturnedVariableCheck)
- [SONARJAVA-3948] - Add quick fixes for S2153 (ImmediateReverseBoxingCheck)
- [SONARJAVA-3949] - Add quick fixes for S2446 (NotifyCheck)
- [SONARJAVA-3950] - Add quick fixes for S2200 (CompareToResultTestCheck)
- [SONARJAVA-3951] - Add quick fixes for S5164 (ThreadLocalCleanupCheck)
- [SONARJAVA-3952] - Add quick fixes for S2111 (BigDecimalDoubleConstructorCheck)
- [SONARJAVA-3955] - Add quick fixes for S4973 (CompareStringsBoxedTypesWithEqualsCheck)
- [SONARJAVA-3958] - Add quick fixes for S3984 (UnusedThrowableCheck)
- [SONARJAVA-3960] - Extends CheckVerifier to support testing of Quick-fixes
- [SONARJAVA-3961] - Add quick fixes for S3986 (DateFormatWeekYearCheck)
- [SONARJAVA-3962] - Add quick fixes for S3020 (ToArrayCheck)
- [SONARJAVA-3998] - Add quick fixes for S1195 (ArrayDesignatorAfterTypeCheck)
Bug
- [SONARJAVA-3969] - CheckVerifier expect too many issues when a //Noncompliant comment is placed after a multi-variable declaration
- [SONARJAVA-3990] - S1120 should not crash on code containing line breaking control characters
- [SONARJAVA-3993] - S6073 should not produce a NullPointerException when trying to read the body of an abstract method
- [SONARJAVA-4003] - Fix Deadlock on ProgressMonitor
New Feature
- [SONARJAVA-3854] - Rule S5329: Collection constructors should not be used as java.util.function.Function
- [SONARJAVA-3906] - Quick fixes for CODE SMELLS requiring trivial changes without compilation impact
- [SONARJAVA-3936] - Quick fixes for BUGS requiring trivial changes without compilation impact
Task
- [SONARJAVA-4004] - Extend QuickFixHelper with nextVariable and previousVariable
- [SONARJAVA-4005] - Update rules metadata
- [SONARJAVA-4006] - Update SonarLint core version to use the new version of the API
Improvement
- [SONARJAVA-3864] - Missing arguments in Deprecated annotation should be reported in its own rule
- [SONARJAVA-3867] - S2479 Add a flag to allow tabs in string literals
- [SONARJAVA-3881] - Change message of S3655 to mention isEmpty and improve rule description
- [SONARJAVA-3907] - Add support for SonarLint quick fixes in the Java analyzer
- [SONARJAVA-3947] - Typo in S6216 issue description
- [SONARJAVA-3965] - Provide a new extensible API for issue reporting
- [SONARJAVA-3989] - Remove overlap between S2638 and S4454 with "nonnull" argument of "equals" method
- [SONARJAVA-4001] - Compute the end position of multi-line token only once
- [SONARJAVA-4002] - S1659 should report only one issue per line
False-Positive
- [SONARJAVA-3905...
7.2.0.26923
Release Notes - SonarJava - Version 7.2.0.26923
Bug
- [SONARJAVA-3872] - "JSymbol.convertMetadata" should not throw an Exception when ecj fails
- [SONARJAVA-3897] - Fix S1845(MembersDifferOnlyByCapitalizationCheck) duplicated issues
- [SONARJAVA-3904] - Java 16's record keyword and sealed classes-related keywords should be highlighted as keywords
New Feature
- [SONARJAVA-3745] - Implement rule S6204: Use Stream.toList() instead of collectors
- [SONARJAVA-3748] - Implement rule S6206: Use records to represent immutable data structures
- [SONARJAVA-3752] - Implement rule S6207: Avoid redundant constructors/methods in records
- [SONARJAVA-3754] - Implement rule S6209: Ignored members during record serialization
- [SONARJAVA-3758] - Implement rule S6211: Prefer overriding default record's getter
- [SONARJAVA-3768] - Implement rule S6216: Reflection should not be used to update record's field value
- [SONARJAVA-3771] - Implement rule S6218: Equals should be overridden in the record with array fields
- [SONARJAVA-3773] - Implement rule S6219: Don't set 'serialVersionUID' to '0L' in records
Task
- [SONARJAVA-3894] - [AutoScan] batchMode should support multi-modules scope
- [SONARJAVA-3903] - Update rules metadata
Improvement
- [SONARJAVA-3740] - Extend rule S1481 to report on unused variables in pattern matching on instanceof
- [SONARJAVA-3746] - Extend rule S2201 to support 'Stream' non-void terminal methods
- [SONARJAVA-3755] - Update rule S2057 to not report on 'Serializable' records
- [SONARJAVA-3760] - Improve rule S2094: 'Classes should not be empty' to support Records
- [SONARJAVA-3763] - Support Records in rules targeting Classes
- [SONARJAVA-3769] - Remove record fields from reporting in S3011: Reflection fields update
- [SONARJAVA-3902] - Use secondary locations in S1845 (Members differs only by capitalization)
False-Positive
- [SONARJAVA-3892] - Exclude "com.sun.jersey" and "com.sun.faces" from S1191 by default
- [SONARJAVA-3898] - Don't apply S5838 for calls to equals in methods with "equals" in the name
- [SONARJAVA-3901] - FP in S2245 (PseudeRandomCheck) when passing a SecureRandom object as parameter
7.1.0.26670
Release Notes - SonarJava - Version 7.1.0.26670
Bug
- [SONARJAVA-3799] - Visit records' members correctly
- [SONARJAVA-3876] - S3986 produces an IndexOutOfBoundsException on calls to super
- [SONARJAVA-3883] - Semantic API Symbol#type() is not @nullable but return 'null'
- [SONARJAVA-3885] - NPE in S1176 (UndocumentedApiCheck) when analyzing Java 16's records
New Feature
- [SONARJAVA-3739] - Implement rule S6201: Use Pattern Matching on instanceof to substitute instanceof + cast
- [SONARJAVA-3775] - Implement rule S6220: Functional interfaces should not be sealed
- [SONARJAVA-3869] - Provide CFG for the body of a lambda
Task
- [SONARJAVA-3718] - Stop release process when performance score is exceeds threshold
- [SONARJAVA-3827] - Remove unused annotations "@DependsUpon", "@DependedUpon"
- [SONARJAVA-3871] - Enable experimental batch mode for analysis
- [SONARJAVA-3884] - Update rules metadata
Improvement
- [SONARJAVA-3738] - Upgrade ECJ to 3.26.0
- [SONARJAVA-3742] - Extend S3457 and S2275 to support String “formatted” method from Java 15
- [SONARJAVA-3870] - Remove S6212 from default quality profile.
- [SONARJAVA-3873] - Order rules based on execution time to make the best of issue streaming
False-Positive
- [SONARJAVA-3784] - FP in S3958 when Java 16 "toList()" terminator operation is used
- [SONARJAVA-3865] - Deprecate rule RSPEC-4604
- [SONARJAVA-3874] - FP in S1168 when using classes with the same unqualified name as collections