Releases: SonarSource/sonar-java
7.0.0.26422
Release Notes - SonarJava - Version 7.0.0.26422
Bug
- [SONARJAVA-3856] - S1643 ClassCastException on parentheses
Task
- [SONARJAVA-3723] - Expose latest peach analysis performance score to Java bubble
- [SONARJAVA-3724] - Compute performance score of upcoming release
- [SONARJAVA-3816] - Update rules metadata
- [SONARJAVA-3818] - Add an example of rules targeting TEST in our custom rules plugin example
- [SONARJAVA-3820] - Add missing remediation functions
- [SONARJAVA-3823] - Move java-checks-testkit's 'InternalJavaCheckVerifier' into internal package
- [SONARJAVA-3825] - Drop deprecated methods from API
- [SONARJAVA-3828] - Drop deprecated rules
- [SONARJAVA-3833] - Update tutorial to add support of new LTS SQ 8.9
Improvement
- [SONARJAVA-3777] - Improve S1128 (Unused imports) rule precision by relying on compiler warnings
- [SONARJAVA-3791] - Use jdk 16 for our builds
- [SONARJAVA-3794] - Improve S1905 (Redundant cast) rule precision by relying on compiler warnings
- [SONARJAVA-3806] - Improve S1656 (Self Assignment) rule precision by relying on compiler warnings
- [SONARJAVA-3807] - Improve S4970 (Unreachable Catch) rule precision by relying on compiler warnings
- [SONARJAVA-3840] - Regex rules should support concatenating pattern objects
- [SONARJAVA-3858] - S5838 should support "length()"/"size()" followed by "isPositive()" simplification
- [SONARJAVA-3859] - Update description for 'sonar.java.file.suffixes'
- [SONARJAVA-3860] - Map ECJ Warnings to syntax trees
- [SONARJAVA-3862] - Rework "MethodTree.isOverriding()" to match the contract in case of unknowns in hierarchy
False-Positive
- [SONARJAVA-3822] - S6073 should not report on method invocation arguments that actually return an argument matcher
- [SONARJAVA-3836] - S5786 should not raise issue on a class visibility if it contains public static method(s)
- [SONARJAVA-3844] - Rules targeting tests should work with incomplete semantic
- [SONARJAVA-3845] - Rules targeting unused elements should work with incomplete semantic
- [SONARJAVA-3846] - Rules targeting returns should work with incomplete semantic
- [SONARJAVA-3847] - Rules targeting parameters should work with incomplete semantic
- [SONARJAVA-3848] - Rules targeting types should work with incomplete semantic
- [SONARJAVA-3849] - Rules targeting control flow should work with incomplete semantic
- [SONARJAVA-3850] - Rules targeting class members should work with incomplete semantic
- [SONARJAVA-3851] - Rules targeting methods calls should work with incomplete semantic
- [SONARJAVA-3852] - Rules targeting methods should work with incomplete semantic
- [SONARJAVA-3857] - FP S131 for a switch on an unknown symbol
False Negative
- [SONARJAVA-3841] - FN in S5998 (regex stackoverflow) for possessive quantifiers
6.15.1.26025
Release Notes - SonarJava - Version 6.15.1.26025
Bug
- [SONARJAVA-3808] - NPE in JMethodSymbol.overriddenSymbol
- [SONARJAVA-3812] - Analysis should stop without logging when a CancellationException is thrown
Task
- [SONARJAVA-3815] - Update rules metadata
- [SONARJAVA-3817] - Remove rules resulting in failing tests from default quality profile
- [SONARJAVA-3821] - Do not ship "sonar-plugin-api" implementation class with the analyzer components
Improvement
- [SONARJAVA-3801] - Rule S4423 should support okhttp library
- [SONARJAVA-3805] - Rule S5332 should support okhttp library
False-Positive
- [SONARJAVA-3797] - FP in S1854 for effective-final assignment of variables used in a lambda
- [SONARJAVA-3798] - FP in S1258 and S3749 when using Lombok "@DaTa" annotation
- [SONARJAVA-3804] - FP in S3077 when volatile is used with @immutable and @threadsafe annotations
- [SONARJAVA-3809] - S5979 should not report on objects initialized with `MockitoJUnit.rule()` followed by options
- [SONARJAVA-3811] - Rule S5542 should not be triggered when using CBC mode
- [SONARJAVA-3814] - S6212 should not suggest to use "var" when the initializer is a lambda or a method reference
False Negative
- [SONARJAVA-3785] - Rule S4605 is not detected with @SpringBootApplication
- [SONARJAVA-3810] - S5547 should report on some more weak algorithms
- [SONARJAVA-3813] - Rule S4790 should support more weak hash algorithms
6.15.0.25849
Release Notes - SonarJava - Version 6.15.0.25849
Bug
- [SONARJAVA-3786] - Delete rule RSPEC-4603
- [SONARJAVA-3788] - Fix IndexOutOfBoundsException in S1166 (CatchUsesExceptionWithContextCheck:307)
- [SONARJAVA-3789] - Fix ClassCastException in S6202 (IsInstanceMethodCheck:70)
- [SONARJAVA-3790] - Fix ClassCastException in S5411 (BoxedBooleanExpressionsCheck:158)
- [SONARJAVA-3792] - Compilation of custom rule project fails due to missing metadata files
New Feature
- [SONARJAVA-3716] - Provide a user property to produce performance metrics
- [SONARJAVA-3741] - Rule S6202: Operator "instanceof" should be used instead of "A.class.isInstance()"
- [SONARJAVA-3743] - Rule S6203: Text blocks should not be used in complex expression
- [SONARJAVA-3749] - Rule S6205: Switch arrow labels should not use redundant keywords
- [SONARJAVA-3753] - Rule S6208: Comma-separated labels should be used in Switch with colon case
- [SONARJAVA-3759] - Rule S6212: Local-Variable Type Inference (var) should be used
- [SONARJAVA-3761] - Rule S6213: Restricted Identifiers should not be used as Identifiers
Task
- [SONARJAVA-3714] - Collect SquidSensor runtime data
- [SONARJAVA-3717] - Increase reliability of cirrus-ci nightly analyses by restarting some failed jobs
- [SONARJAVA-3720] - Push internal CI performance metrics to repository
- [SONARJAVA-3721] - Enable performance measurement for ruling
- [SONARJAVA-3722] - Compute measurement cost in performance metrics
- [SONARJAVA-3726] - Update tutorial with SQ 8.8 and latest embedded release of SonarJava
- [SONARJAVA-3728] - Update rules metadata
- [SONARJAVA-3793] - Drop usage of deprecated internal method "hasSemantic()" in our rules
Improvement
- [SONARJAVA-3666] - Add text block support for regex rules
- [SONARJAVA-3715] - Add size of file to slowest files analyzed output
- [SONARJAVA-3732] - Execute the move of the regex parser into analyzer-commons
- [SONARJAVA-3736] - Support Text Block in rules relying on String literals from expressions
- [SONARJAVA-3737] - Improve rules relying on String literals to support identifier from a final or effectively final variable.
- [SONARJAVA-3744] - Extend existing rules to support Switch Expression
- [SONARJAVA-3751] - Extend S4738 to suggest Java 9 "List.of", "Map.of", "Set.of" instead of Guava
- [SONARJAVA-3762] - S5838 should support Java 11 "String.isBlank()"
- [SONARJAVA-3766] - Improve rule description for ReDoS
- [SONARJAVA-3778] - Fix performance hotspots in S103 due to slow regex
- [SONARJAVA-3781] - All method overrides should be returned instead of only the first one
- [SONARJAVA-3787] - Children of Switch Statement should not be a Switch Expression
- [SONARJAVA-3796] - Fix possible Catastrophic backtracking in regex for S3518: Division by zero rule
False-Positive
- [SONARJAVA-3731] - S5786 should not report on abstract classes or overriding test methods
- [SONARJAVA-3734] - FP in S5979 when "ExtendWith" annotation is coming from a meta-annotation
- [SONARJAVA-3750] - S1199 should not report an issue for any Switch case containing a block
- [SONARJAVA-3772] - FP in S1943: Do not report an issue on any usage of Java 11 FileWriter and FileReader
- [SONARJAVA-3774] - S2755 should not raise when a non null resolver is set with XMLInputFactory.setXMLResolver
- [SONARJAVA-3776] - Fix FPs in S4276 when the generic argument left is a primitive wrapper
False Negative
- [SONARJAVA-3757] - "Nullable" from eclipse should be considered as a Strong Nullable.
6.14.0.25463
Release Notes - SonarJava - Version 6.14.0.25463
Task
- [SONARJAVA-3702] - Rule S3066: change rule type to Code-Smell
- [SONARJAVA-3703] - Add custom rules examples from tutorial in repository
- [SONARJAVA-3708] - Rule S3751: change rule type to Code-Smell
- [SONARJAVA-3709] - Deprecate S3369
- [SONARJAVA-3727] - Update rules metadata
Improvement
- [SONARJAVA-3215] - S1166 add heuristics to support custom log frameworks
- [SONARJAVA-3558] - Issue filter should extend its filter to IDE-specific suppressed warnings
- [SONARJAVA-3568] - S5852 should use automata to increase its accuracy
- [SONARJAVA-3624] - Regex FP/FN with Supplementary Multilingual Plane
- [SONARJAVA-3629] - Improve S6002 RegexLookaheadCheck to support negative lookahead
- [SONARJAVA-3636] - Improve secondary message for regex rules when issues are reported across different string literals
- [SONARJAVA-3689] - Improve rule S110 to not report when hierarchy is too big already in library code
- [SONARJAVA-3701] - Prepare the move of the regex parser into its own project
- [SONARJAVA-3729] - Change S4434 to a security-hotspot
- [SONARJAVA-3730] - Add an exception to rule S121 for early returns
- [SONARJAVA-3733] - ReDoS: Don't call cubic and worse runtimes quadratic
- [SONARJAVA-3735] - Upgrade ECJ to 3.25.0
False-Positive
- [SONARJAVA-3570] - Relax Rule S5411 for boxed booleans if there is a null-checked before
- [SONARJAVA-3603] - FP on S4276 when Function is using "compose" or "andThen" methods
- [SONARJAVA-3625] - Possible FP in S5998 when using backreferences to large groups
- [SONARJAVA-3631] - FP in S6001 parsing of multi-digit backreferences
- [SONARJAVA-3635] - S2384 should not raise an issue when mutable members in temporary variable are not stored
- [SONARJAVA-3669] - S2325 should not raise on empty methods
- [SONARJAVA-3696] - S2755 should not raise when an XML document is built
- [SONARJAVA-3706] - FP in S2384, S2386: support any unmodifiable and immutable methods
- [SONARJAVA-3713] - FP in S5852 (ReDoS) involving possessive quantifiers
- [SONARJAVA-3747] - FPs in S5852 when repetition overlaps with non-repetition part
False Negative
- [SONARJAVA-2745] - FN on S2142: no issue raised when catching the generic Exception
- [SONARJAVA-3639] - FN in S5994 when `*+` is followed by a repetition
- [SONARJAVA-3640] - FN in S6002 for full matches and anchored patterns
- [SONARJAVA-3641] - FN in S5998
- [SONARJAVA-3653] - S5996 should raise issues even if the regex can match the empty string
- [SONARJAVA-3710] - Include Eclipse’s NonNullByDefault annotation on nonNullFields check
6.13.0.25138
Release Notes - SonarJava - Version 6.13.0.25138
Bug
- [SONARJAVA-3690] - Update SonarQube Api to be compatible with the latest SQ
New Feature
- [SONARJAVA-2929] - Rule S2053: Hashes should include an unpredictable salt
- [SONARJAVA-3462] - Rule S4036: Searching OS commands in PATH is security-sensitive
- [SONARJAVA-3674] - Rule S5659: JWT should be signed and verified with strong cipher algorithms
- [SONARJAVA-3675] - Rule S5332: Using clear-text protocols is security-sensitive
- [SONARJAVA-3676] - Rule S5689: Disclosing fingerprints from web application technologies is security-sensitive
- [SONARJAVA-3677] - Rule S5443: Using publicly writable directories is security-sensitive
- [SONARJAVA-3679] - Rule S5693: Allowing requests with excessive content length is security-sensitive
- [SONARJAVA-3681] - Rule S5247: Disabling auto-escaping in template engines is security-sensitive
Task
- [SONARJAVA-3697] - Update rules metadata
- [SONARJAVA-3699] - Deprecate rule S2653
- [SONARJAVA-3700] - Deprecate rule S2089
Improvement
- [SONARJAVA-3660] - S2077 update message for primary and secondary locations
- [SONARJAVA-3663] - S2976 implementation moved to S5445
- [SONARJAVA-3664] - S4738 reports usage of Guava "createTempDir"
- [SONARJAVA-3686] - Deprecate rule S4834
- [SONARJAVA-3692] - Extract Symbolic Execution Engine and Checks from "java-frontend" module
- [SONARJAVA-3694] - Improve rule S1612 to replace instanceof lambda with method reference
- [SONARJAVA-3698] - Extract Check Verifier from "java-frontend" module into testkit
False-Positive
- [SONARJAVA-3278] - FP on S2115: JDBC connection string should not raise when password property is not used
- [SONARJAVA-3532] - S5042 should focus on zipbomb attacks
- [SONARJAVA-3648] - FP on S2384 (MutableMembersUsageCheck) for enum constructors
- [SONARJAVA-3649] - FP on S1157 (CaseInsensitiveComparisonCheck) when only one side is upper or lower case
- [SONARJAVA-3678] - FP in S5853 when map/flatMap is used
- [SONARJAVA-3684] - S2755 should not raise an issue when DocumentBuilder EntityResolver is customized
- [SONARJAVA-3685] - FP in S1125 when using null
- [SONARJAVA-3687] - S5979 should not report on classes annotated with JUnit5's @nested when the enclosing class properly initializes annotated objects
- [SONARJAVA-3688] - FP on S5860(UnusedGroupNamesCheck) for name referenced by dollar curly braces
False Negative
- [SONARJAVA-3469] - FN in S1219 when using blocks
- [SONARJAVA-3683] - S4502 should raise when CSRF protection is disabled on specific routes
6.12.0.24852
Release Notes - SonarJava - Version 6.12.0.24852
Bug
- [SONARJAVA-3487] - [Java 14 - Records preview feature] NPE when accessing recordComponent.owner()
- [SONARJAVA-3488] - [Java 14 - Records preview feature] NPE when computing metrics of methods
- [SONARJAVA-3489] - [Java 14 - Records preview feature] S1123 NPE when visiting records
- [SONARJAVA-3490] - [Java 14 - Records preview feature] S1117 NPE when visiting records
New Feature
- [SONARJAVA-2961] - Rule S4977: Type parameters should not shadow other type parameters
- [SONARJAVA-3255] - Rule S5663: Simple string literal should be used for single line strings
- [SONARJAVA-3256] - Rule S5664: Whitespace for text block indent should be consistent
- [SONARJAVA-3257] - Rule S5665: Escape sequences should not be used in text blocks
- [SONARJAVA-3505] - Upgrade to ECJ 3.24 to enable support of Java 15
- [SONARJAVA-3606] - Rule S5979: Annotated Mockito objects should be initialized
- [SONARJAVA-3658] - Add support of Java 15 Text Blocks with a new dedicated Kind: TEXT_BLOCK
- [SONARJAVA-3670] - Rule S6126: String multiline concatenation can be replaced with a Text block
Task
- [SONARJAVA-3680] - Update rules metadata
Improvement
- [SONARJAVA-3114] - Message about missing bytecode dependencies should appear only when dependencies are actually missing
- [SONARJAVA-3563] - Report 10 slowest analyzed files
- [SONARJAVA-3657] - Improve S3986 to cover DateTimeFormatter
- [SONARJAVA-3665] - Add support of Text Blocks in S2973 (Escaped unicode characters)
- [SONARJAVA-3667] - Fix text block support in S2479
- [SONARJAVA-3671] - Improve rule S1192 to Support Text blocks
- [SONARJAVA-3672] - S1213 Check order of static and instance variables
False-Positive
- [SONARJAVA-3659] - S2755 should not raise an issue when "EntityResolver" is customized
- [SONARJAVA-3661] - FP on S2259 (Null Pointer Dereference) when using MapUtils from Apache Collections
- [SONARJAVA-3662] - Improve rule S2142 to check methods called inside catch block
6.11.0.24617
Release Notes - SonarJava - Version 6.11.0.24617
Bug
- [SONARJAVA-3609] - JAR files passed to sonar.java.libraries remain locked after the analysis on Windows
- [SONARJAVA-3652] - SuppressWarnings Filter lose knowledge of filtered lines
New Feature
- [SONARJAVA-3614] - Rule S6073: Mockito argument matchers should be used on all parameters
- [SONARJAVA-3630] - Rule S6103: AssertJ assertions with "Consumer" arguments should contain assertion inside consumers
- [SONARJAVA-3632] - Rule S6104: Map "computeIfAbsent()" should not be used to add "null" values.
- [SONARJAVA-3637] - Introduce "sonar.java.jdkHome" to specify the JDK to be used by the analyzer to resolve JDK types
Task
- [SONARJAVA-3644] - Update rule metadata
Improvement
- [SONARJAVA-2154] - Reduce plugin size by removing guava dependency
- [SONARJAVA-3581] - S1994: Add a message on the secondary location
- [SONARJAVA-3582] - S2886: Add a message on the secondary location
- [SONARJAVA-3583] - S3516: Add a message on the secondary location
- [SONARJAVA-3584] - S1764: Add a message on secondary locations
- [SONARJAVA-3585] - S2115: Add a message on secondary locations
- [SONARJAVA-3589] - S2229: Add a message on secondary locations
- [SONARJAVA-3590] - S3415: Add a message on secondary locations
- [SONARJAVA-3591] - S2139: Add a message on secondary locations
- [SONARJAVA-3592] - S1191: Add a message on secondary locations
- [SONARJAVA-3593] - S3010: Add a message on secondary locations
- [SONARJAVA-3594] - S135: Add a message on secondary locations
- [SONARJAVA-3595] - S4288: Add a message on secondary locations
- [SONARJAVA-3596] - S4276: Add a message on secondary locations
- [SONARJAVA-3597] - S2786: Improve the primary message so that the secondary location becomes obvious
- [SONARJAVA-3634] - Extend rule S1860 according to JEP 390: Warnings for Value-Based Classes
- [SONARJAVA-3638] - Rule S2384: change rule type to Code-Smell
- [SONARJAVA-3645] - Improve debug logs
- [SONARJAVA-3651] - S4925: add support for DB2 JDBC Type 4 driver.
- [SONARJAVA-3654] - Provide MongoDB Nullness annotations to the SE engine
- [SONARJAVA-3655] - Update S6068 to cover latest mockito version
False-Positive
- [SONARJAVA-3467] - FP on S1948 when using both field and setter/constructor injection
- [SONARJAVA-3574] - S2755 FP when Factory is declared with lombok "val"
- [SONARJAVA-3578] - FP in S2147 when the type of the Exception is needed inside the body.
- [SONARJAVA-3620] - FP in S2384 when unmodifiable collection is returned from a non-final field
- [SONARJAVA-3628] - FP in S5853 when assertions "flatExtracting" prevent the chaining
- [SONARJAVA-3633] - FP in S4032 when there are several source directories
- [SONARJAVA-3642] - FP in S1874 when parent constructor is deprecated but not used
- [SONARJAVA-3647] - FP in S1481 when "for-each" variable nested in a lambda is actually used in the body
- [SONARJAVA-3650] - FP in S2970 for nested class using JUnit 5 Soft assertions extension.
False Negative
- [SONARJAVA-3555] - S4830 should support X509ExtendedTrustManager
- [SONARJAVA-3575] - FN in S2095: support Apache commons IOUtils methods not closing the stream
- [SONARJAVA-3626] - FN Rule S3824: Apply the same SymbolicValue for static constants or enum constants when used as MemberSelect
6.10.0.24201
Release Notes - SonarJava - Version 6.10.0.24201
Bug
- [SONARJAVA-3056] - Classes for the analysis are loaded with parent first strategy
- [SONARJAVA-3602] - JavaCheckVerifier does not support consistent behavior when having multiple issues reported on the same line
New Feature
- [SONARJAVA-3550] - Rule S5994: Regex patterns following a possessive quantifier should not always fail
- [SONARJAVA-3552] - Rule S5996: Regex boundaries should not be used in a way that can never match
- [SONARJAVA-3554] - Rule S5998: Regular expressions should not overflow the stack
- [SONARJAVA-3557] - Rule S6001: Back references in regular expressions should only refer to capturing groups that are matched before the reference
- [SONARJAVA-3560] - Rule S6002: Regex lookahead assertions should not be contradictory
- [SONARJAVA-3566] - Rule S5855: Regex alternatives should not be redundant
- [SONARJAVA-3567] - Rule S6019: Reluctant quantifiers in regular expressions should be followed by an expression that can't match the empty string
- [SONARJAVA-3572] - Rule S6035: Single-character alternations in regular expressions should be replaced with character classes
- [SONARJAVA-3608] - Rule S6068: Call to Mockito method "verify", "when" or "given" should be simplified
- [SONARJAVA-3610] - Rule S6070: The regex escape sequence \cX should only be used with characters in the @-_ range
Task
- [SONARJAVA-3544] - Fix the regression on issue filtering by reverting SONARJAVA-3241 before SQ 8.x LTS
- [SONARJAVA-3549] - Add support for automata-based analyses for regular expressions
- [SONARJAVA-3551] - Implement helper to find whether state in regex automaton is reachable without consuming input
- [SONARJAVA-3564] - Implement intersects and supersetOf helper for regex automata
- [SONARJAVA-3600] - Remove (re)declaration of fail fast property.
- [SONARJAVA-3622] - Drop unused Symbolic Execution debugging rules
- [SONARJAVA-3627] - Update rules metadata
Improvement
- [SONARJAVA-3546] - Issue message of S5961 should contain the number of actual assertions
- [SONARJAVA-3547] - Improve rule S1612 to replace casts with method reference
- [SONARJAVA-3548] - Improve rule S5838 to handle maps and longs
- [SONARJAVA-3553] - S5778 and S5783: Improve primary and secondary issue message
- [SONARJAVA-3559] - Do not report issues of S1130 on Runtime Exceptions
- [SONARJAVA-3561] - AbstractRegexCheck should target more regex providers
- [SONARJAVA-3562] - Improve Regex rules to consider more string literals as Pattern
- [SONARJAVA-3569] - Improve issue locations of S5869
- [SONARJAVA-3587] - Typo in message of S3457
- [SONARJAVA-3588] - Java Analyzer should be able to parse Jigsaw module-info.java files even when misconfigured
- [SONARJAVA-3616] - Make S2699 support RestAssured 2.x as well (and not only 3.x & 4.x)
- [SONARJAVA-3623] - Update rule S5803 to support all annotations named @VisibleForTesting
False-Positive
- [SONARJAVA-3470] - Add more exceptions to S107
- [SONARJAVA-3545] - Rule S4973 shouldn't report an issue if "==" is used to compare Boolean constants
- [SONARJAVA-3565] - FP on S1948 when using SpringBean from Apache Wicket
- [SONARJAVA-3571] - FP on S1948 when collection implements Serializable
- [SONARJAVA-3577] - FP in S3457 when slf4j log arguments contain a concatenation and a single Throwable
- [SONARJAVA-3579] - FP in S1170 when class is annotated with @lombok.Builder and field with @default
- [SONARJAVA-3580] - FP in S2390: do not report an issue on static class nested in the parent.
- [SONARJAVA-3586] - Support Nullable annotation from reactor-core
- [SONARJAVA-3598] - FP in S2973 when symbol is in lowercase
- [SONARJAVA-3599] - FP in S2226 for non final Servlet fields initialized in init() method without parameters
- [SONARJAVA-3605] - FP in S3305 when field has an initializer
- [SONARJAVA-3612] - FP in S1185 when class is annotated "@transactional"
- [SONARJAVA-3613] - FP in S1193 when the catch block contains more code
- [SONARJAVA-3615] - FP in S1905 when the cast argument is a method reference to a varargs method.
- [SONARJAVA-3617] - S1170 should not raise an issue when the initializer contains "this" or "super"
- [SONARJAVA-3618] - FP on S3438 when "value" is set inside the property tag
- [SONARJAVA-3619] - FP S2589 when Boolean variable doesn't always evaluate to TRUE/FALSE
- [SONARJAVA-3621] - Union of Unknown types should be Unknown
False Negative
- [SONARJAVA-3130] - S3824: raise issue when "containsKey" is used
- [SONARJAVA-3482] - Support character classes as operand to reluctant quantifier in rule S5857
- [SONARJAVA-3483] - FN in S5869 with escaped character classes
6.9.0.23563
Release Notes - SonarJava - Version 6.9.0.23563
Bug
- [SONARJAVA-3285] - Java 13/14 preview feature "Text Block" produces a highlighting IllegalArgumentException
- [SONARJAVA-3541] - NPE in Symbolic Execution engine when dealing with java 14 switch expressions without default
New Feature
- [SONARJAVA-3374] - Rule S5804 allowing user enumeration is security-sensitive
- [SONARJAVA-3396] - Rule S5808 Authorizations should be based on strong decisions
- [SONARJAVA-3411] - Rule S5876 A new session should be created during user authentication
- [SONARJAVA-3542] - RSPEC-5993 Constructors of an "abstract" class should not be declared "public"
Task
- [SONARJAVA-3543] - Update rules metadata
Improvement
- [SONARJAVA-3376] - Rule S3752: from Vulnerability to Security Hotspot and small improvements on the detection algorithm
- [SONARJAVA-3414] - Rule S4790: its content should be replaced by S2070
- [SONARJAVA-3472] - Document wildcards pattern in rule's parameters (S110, S1176)
- [SONARJAVA-3478] - S2201: Support common Collection and Map methods
- [SONARJAVA-3525] - S2333 supports redundant modifiers on nested interfaces and classes
- [SONARJAVA-3536] - Consistently support Nullable/CheckForNull/Nonnull annotations in rules
- [SONARJAVA-3539] - FP in S5845 when BigDecimal and BigInteger are compared with string
False-Positive
- [SONARJAVA-3468] - FP on S1905 when the cast argument is an ambiguous method reference.
- [SONARJAVA-3479] - FP in S2184 when return is in another scope
- [SONARJAVA-3535] - Rule S3749 should not raise when the singleton has @ConfigurationProperties annotation
- [SONARJAVA-3540] - FP in S2175 when a primitive is auto-boxed into a subtype of Number.
False Negative
- [SONARJAVA-3388] - Rule S2070 should support "org.springframework.util.DigestUtils"
- [SONARJAVA-3538] - S5853 does not handle custom assertions
6.8.0.23379
Release Notes - SonarJava - Version 6.8
New Feature
- [SONARJAVA-3372] - Rule S5803: Class members annotated with @VisibleForTesting should not be accessed from production code
- [SONARJAVA-3509] - Rule S5958: AssertJ "assertThatThrownBy" should not be used alone
- [SONARJAVA-3511] - Rule S5961: Test methods should not contain too many assertions
- [SONARJAVA-3514] - Rule S5967: Test methods should not be annotated with competing annotations
- [SONARJAVA-3515] - Rule S5960: Assertions should not be used in production code
- [SONARJAVA-3516] - Rule S5969: Mocking all non-private methods of a class should be avoided
- [SONARJAVA-3517] - Rule S5970: Spring's ModelAndViewAssert assertions should be used instead of other assertions
- [SONARJAVA-3522] - Rule S3414: Tests should be kept in a dedicated source directory
- [SONARJAVA-3524] - Rule S5973: Tests should be stable
- [SONARJAVA-3526] - Rule S5976: Similar tests should be grouped in a single Parameterized test
- [SONARJAVA-3527] - Rule S5977: Tests should use fixed data instead of randomized data
Task
- [SONARJAVA-3036] - Update to common-xml-parser version 1.12
- [SONARJAVA-3520] - Add S3577: "Test classes should comply with a naming convention" in Sonar way
- [SONARJAVA-3533] - Update rules metadata
Improvement
- [SONARJAVA-3476] - Improve issue location for S5843
- [SONARJAVA-3481] - Add missing escape sequences to regex parser
- [SONARJAVA-3485] - Change issue type of S899 to Bug
- [SONARJAVA-3492] - S1215 should detect "System.runFinalization()" the same way it detects System.gc()
- [SONARJAVA-3500] - Support latest version of Play framework in S3330 and S2092
- [SONARJAVA-3513] - Improve S5810 to support static and test methods with return values
- [SONARJAVA-3518] - S125: reports issue on whole commented block
- [SONARJAVA-3521] - SuppressWarnings Filter should remove issue of S3740 when "rawTypes" is used
- [SONARJAVA-3523] - Extend S3415 (Arguments order) to support TestNG assertions
- [SONARJAVA-3531] - S2187 should consider methods annotated with "@State" from Pact framework as test methods
False-Positive
- [SONARJAVA-3477] - S1214 should report only when an interface contains only constants
- [SONARJAVA-3498] - FP in S1193 for instance of non-throwable types
- [SONARJAVA-3504] - FP on S1948 for fields having non-serializable interface as type but serializable type as initializer
- [SONARJAVA-3506] - FP in S2275 when second argument of String.format is an array
- [SONARJAVA-3507] - FP in S3012 when copying array of primitives types to a Collection
- [SONARJAVA-3519] - FP on S3878 when the argument before the vararg is also an array
- [SONARJAVA-3528] - FP on S5778 when calling mockito methods
- [SONARJAVA-3530] - FP on S3577 when test class ends with "Tests" or is an abstract class
- [SONARJAVA-3534] - FP S3077(VolatileNonPrimitiveFieldCheck) should consider enum as immutable
False Negative
- [SONARJAVA-3491] - FN S2789 (NullShouldNotBeUsedWithOptionalCheck) on null assignment
- [SONARJAVA-3501] - FN on Unused Imports when using Lombok