6.7.0.23054

Release Notes - SonarJava - Version 6.7

Bug

• [SONARJAVA-3244] - S3065: ClassCastException with implicit type casting
• [SONARJAVA-3311] - SE should correctly handle new class in catch
• [SONARJAVA-3381] - Performance Issue when computing the flow of an expression

Task

• [SONARJAVA-3510] - Update rules metadata
• [SONARJAVA-3512] - Deprecate S4784 in favor of S5852

Improvement

• [SONARJAVA-3026] - S3518 Division by zero on floats and double should not mention ArithmeticException
• [SONARJAVA-3069] - Adapt SE engine to Switch Expressions
• [SONARJAVA-3345] - S3518 (division by zero) should handle BigDecimal and BigInteger
• [SONARJAVA-3484] - Change issue type of S2039 and S2386 to Code Smell
• [SONARJAVA-3493] - Remove ASM dependency
• [SONARJAVA-3494] - Rework S2095 (UnclosedResourceCheck) to remove calls to parent() method

False-Positive

• [SONARJAVA-2060] - FP in S2095 : java.sql.Statement will implicitly close created ResultSets
• [SONARJAVA-3043] - S3655 should not raise an issue when a method doing nothing is called between "isPresent" and "get()"
• [SONARJAVA-3157] - FP on Rule S2637 - issue raised on non-initialized fields
• [SONARJAVA-3186] - SE based rules should not raise when exiting on exception with unknown type
• [SONARJAVA-3187] - S2259 FP on null when called Class.isInstance
• [SONARJAVA-3235] - FP on S3655 when the Optional is a class instance field
• [SONARJAVA-3238] - FP on S1948 when class has multiple bounds in parameter type
• [SONARJAVA-3242] - S5164, S1640: FP when variable is called with qualified name
• [SONARJAVA-3451] - FP in S2095: sessions, producers, and consumers of a closed connection with JMS 2.0.
• [SONARJAVA-3466] - FP S5845(AssertionTypesCheck) AssertJ is able to compare date/time and string
• [SONARJAVA-3495] - FP in S2159 when type compared is Unknown
• [SONARJAVA-3499] - FP on S3749 when using javax.persistence.PersistenceContext
• [SONARJAVA-3508] - FP on S4449 when using Preconditions.checkNotNull(arg) with a @nullable argument

False Negative

• [SONARJAVA-2129] - FN on S2095: java.util.Properties.load(InputStream) should not close the stream passed as parameter
• [SONARJAVA-3447] - FN on S2259 when a method is annotated with spring's annotation @nullable
• [SONARJAVA-3503] - FN on S3052 when the initializer is a cast expression

6.6.0.22815

Release Notes - SonarJava - Version 6.6

Bug

• [SONARJAVA-3382] - Computing method behavior for Java 14 methods fails
• [SONARJAVA-3448] - IndexOutOfBoundsException on S5863 when "containsX" is called without argument.
• [SONARJAVA-3452] - Analysis fails when transpiling JSP with jar stripped of code
• [SONARJAVA-3453] - JSP files shouldn't be analyzed for SQ < 8.3

New Feature

• [SONARJAVA-3286] - Support Java 14
• [SONARJAVA-3404] - Rule S5852: Using slow regular expressions is security-sensitive
• [SONARJAVA-3412] - Rule S5840: Regex patterns and their sub-patterns should not always fail
• [SONARJAVA-3413] - Rule S5842: Regex repetition pattern's body should not match the empty String
• [SONARJAVA-3415] - Rule S5843: Regular expressions should not be too complicated
• [SONARJAVA-3416] - Rule S5846: Empty lines should not be tested with regex MULTILINE flag
• [SONARJAVA-3417] - Rule S5850: Alternatives in regular expressions should be grouped when used with anchors
• [SONARJAVA-3419] - Rule S5854: Regex containing characters subjects to normalization should use the CANON_EQ flag
• [SONARJAVA-3420] - Rule S5856: Regular expressions should be syntactically valid
• [SONARJAVA-3421] - Rule S5857: Regular expressions character classes should be preferred over non-greedy quantifiers
• [SONARJAVA-3422] - Rule S5860: Names of regular expressions named groups should be used
• [SONARJAVA-3423] - Rule S5866: Case insensitive Unicode regular expressions should enable the “UNICODE_CASE” flag
• [SONARJAVA-3424] - Rule S5867: Unicode-aware versions of character classes should be preferred
• [SONARJAVA-3425] - Create a dedicated regex parser to allow implementation of java rules targeting regex
• [SONARJAVA-3426] - Rule S5868: Unicode Grapheme Clusters should be avoided inside regex character classes
• [SONARJAVA-3427] - Rule S5869: Character classes in regular expressions should not contain the same character twice

Task

• [SONARJAVA-3464] - Update rules metadata

Improvement

• [SONARJAVA-2163] - S2187 support detecting of test class without tests for classes matched by maven-surefire and gradle
• [SONARJAVA-3049] - Resolve semantic for switch expression
• [SONARJAVA-3270] - Update ASM to 8.0.1 for Java 14 support
• [SONARJAVA-3332] - Upgrade ECJ to 3.22.0 for Java 14 support
• [SONARJAVA-3434] - S5542: add a secondary location to the insecure cypher declaration
• [SONARJAVA-3460] - S3457, S2275: Rework printf-style format rules

False-Positive

• [SONARJAVA-3237] - S1142 should be ignored in equals methods
• [SONARJAVA-3254] - S3398 Should not suggest to move static method to non-static inner
• [SONARJAVA-3304] - FP in S2201: support new switch expression
• [SONARJAVA-3368] - FP in S4276: interfaces with generic wildcard types can't be specialized
• [SONARJAVA-3369] - FP S1228 (PackageInfoCheck) when there are several source directories
• [SONARJAVA-3370] - FP S5411 (BoxedBooleanExpressionsCheck) on method invocation having @NotNull
• [SONARJAVA-3377] - Avoid FP for Google AutoValue classes
• [SONARJAVA-3379] - FP in S4248 for Pattern in a class annotated with Lombok @UtilityClass
• [SONARJAVA-3418] - S2275: FP when passing a Throwable as last argument
• [SONARJAVA-3437] - FP in S2325 due to Lombok "@UtilityClass"
• [SONARJAVA-3449] - FP on S2141 when equals() without default implementation is defined in an interface
• [SONARJAVA-3450] - FP on S3973 on valid generated equals methods from IntelliJ
• [SONARJAVA-3454] - FP in S2970 when "assertThatThrownBy" is used alone
• [SONARJAVA-3456] - Don't raise S2160 when extending class overriding equals using an abstract definition
• [SONARJAVA-3461] - FP in S5838: simplification with "isEqualTo" can not always be made on Object assertions
• [SONARJAVA-3465] - FPs and FNs related to quoting characters in regular expressions

False Negative

• [SONARJAVA-3400] - FN in S2885(StaticMultithreadedUnsafeFieldsCheck) for DateFormat.getDateInstance()
• [SONARJAVA-3403] - FN in S4970: support unrelated Exception
• [SONARJAVA-3440] - FN in S1194: Support extending sub-classes of Error
• [SONARJAVA-3455] - FN in S2111 for boxed Double and Float
• [SONARJAVA-3457] - FN in S5361 when using backslashes
• [SONARJAVA-3459] - FN on S1128 (UselessImportCheck) when comments contain the class name within a word

6.3.2.22818

Fix missing coverage before bug fix release 6.3.2

6.5.1.22586

Bug fix for JSP transpiling

6.5.0.22421

    Release Notes - SonarJava - Version 6.5

Bug

• [SONARJAVA-3438] - S5122: ClassCastException when annotation is defined with an identifier

New Feature

• [SONARJAVA-3384] - Rule S5831: AssertJ configuration should be applied
• [SONARJAVA-3390] - Rule S5833: AssertJ methods setting the assertion context should come before an assertion
• [SONARJAVA-3393] - Rule S5838: Chained AssertJ assertions should be simplified to the corresponding dedicated assertion
• [SONARJAVA-3395] - Rule S5841: AssertJ assertions "allMatch" and "doesNotContains" should also test for emptiness
• [SONARJAVA-3399] - Rule S5845: Assertions of dissimilar types should not be made
• [SONARJAVA-3402] - Rule S5853: Consecutive AssertJ "assertThat" statement should be chained
• [SONARJAVA-3405] - Rule S5863: Assertions should not compare an object to itself

Task

• [SONARJAVA-3443] - Update rules metadata

Improvement

• [SONARJAVA-3349] - S2698: support AssertJ assertions without message
• [SONARJAVA-3351] - Rule S5826: Methods setUp() and tearDown() should be correctly annotated starting with JUnit4
• [SONARJAVA-3383] - S5783 and S5778: Support AssertJ
• [SONARJAVA-3389] - S2698: improve issue reporting
• [SONARJAVA-3397] - S3658, S5778, S5779, S5783 support AssertJ "fail"
• [SONARJAVA-3398] - S2970(AssertionsCompletenessCheck) should support all AssertJ assertions
• [SONARJAVA-3401] - Extend S3415 (Arguments order) to support AssertJ assertions
• [SONARJAVA-3432] - S2479: support whitespace and control characters in "char"
• [SONARJAVA-3435] - S1214: add secondary locations to interface's constants
• [SONARJAVA-3442] - FN in S2133: detect getClass called on new array
• [SONARJAVA-3444] - Deprecate 10 security-hotspot rules that overlap with security-injection rules
• [SONARJAVA-3445] - Deprecate S4787 in favor of cryptography rules
• [SONARJAVA-3446] - Deprecate S2255 and S3331 not considered anymore as sensitive

False-Positive

• [SONARJAVA-3386] - FP on S2187 when test class is a JUnit4 test class also inheriting from a JUnit3 TestCase
• [SONARJAVA-3394] - FP in S3749 when spring class is not a singleton
• [SONARJAVA-3429] - FP in S2384, S2386: support common method returning unmodifiable collections
• [SONARJAVA-3431] - S3415: better support of constant used as actual value
• [SONARJAVA-3441] - FP in S1174 when "finalize()" is not from Object.

6.4.0.21967

    Release Notes - SonarSource Code Analyzer for Java - Version 6.4

False-Positive

• [SONARJAVA-3324] - FP in S2970 when using JUnit 5 Soft assertions extension.
• [SONARJAVA-3357] - S1452: java Collectors second parameter should be excluded
• [SONARJAVA-3358] - S1604: don't report method with annotations
• [SONARJAVA-3378] - FP in S1612 when lambda argument is a subtype of ambiguous method parameter

Bug

• [SONARJAVA-3375] - FP S2973(EscapedUnicodeCharactersCheck) with Unicode Whitespaces
• [SONARJAVA-3380] - Sourcemap for JSP can have multiple input files
• [SONARJAVA-3385] - NPE in JSymbol when searching the enclosing class of a variable within an interface

New Feature

• [SONARJAVA-2794] - Rule S2479: Newline and control characters should not be used in string literals
• [SONARJAVA-2944] - Rule S4970: Derived exceptions should not hide their parents catch block
• [SONARJAVA-3258] - Rule S5669: Vararg method arguments should not be confusing
• [SONARJAVA-3353] - Rule S5776: Exception testing via JUnit ExpectedException rule should not be mixed with other assertions
• [SONARJAVA-3354] - Rule S5777: Exception testing via JUnit @test annotation should be avoided
• [SONARJAVA-3356] - Rule S5779: Assertion methods should not be used within the try block of a try-catch catching an Error
• [SONARJAVA-3359] - Rule S5783: Only one method invocation is expected when testing checked exceptions
• [SONARJAVA-3360] - Rule S5778: Only one method invocation is expected when testing runtime exceptions
• [SONARJAVA-3361] - Rule S5785: JUnit assertTrue/assertFalse should be simplified to its dedicated assertion
• [SONARJAVA-3362] - Rule S5786: JUnit5 test classes and methods should have default package visibility
• [SONARJAVA-3366] - Rule S5790: JUnit5 nested test classes should be annotated with @nested
• [SONARJAVA-3367] - Rule S5793: Migrate your tests from JUnit4 to the new JUnit5 annotations
• [SONARJAVA-3373] - Rule S5810: JUnit5 test classes and methods should not have private visibility

Task

• [SONARJAVA-3364] - Update rules metadata

Improvement

• [SONARJAVA-2549] - FN on S2293 on method invocation
• [SONARJAVA-3334] - S2699 should support Awaitility test framework
• [SONARJAVA-3339] - Reconsider S3027 scope: String.indexOf performance
• [SONARJAVA-3343] - Change issue type of S1444 to code smell
• [SONARJAVA-3344] - Change issue type of S3011 to code smell
• [SONARJAVA-3346] - Deprecate S1148 in favor of S4507
• [SONARJAVA-3348] - False negative in S2698: support fail() from JUnit 5
• [SONARJAVA-3350] - S2701: support null literal
• [SONARJAVA-3355] - Improve SourceMap API to provide InputFile for source file
• [SONARJAVA-3365] - Update the message, title and description of S1607
• [SONARJAVA-3371] - Support same set of assertion for rules using common assertions

6.3.0.21585

    Release Notes - SonarSource Code Analyzer for Java - Version 6.3.0.21585

False-Positive

• [SONARJAVA-3316] - FP S5542 (EncryptionAlgorithmCheck) more secure algorithms and algorithm name using different case
• [SONARJAVA-3320] - S1165/S2039: Fix false positives for Lombok's field modifier annotations
• [SONARJAVA-3321] - FP S5542 (EncryptionAlgorithmCheck): should support default security java provider
• [SONARJAVA-3330] - FP in S3749 when fields are injected by Lombok @requiredargsconstructor
• [SONARJAVA-3338] - FP on S1118: improve support of Lombok's annotation generating constructor

Bug

• [SONARJAVA-3322] - S2441 does not handle correctly unknown types
• [SONARJAVA-3328] - JSP transpiling is broken when root dir is symlink
• [SONARJAVA-3347] - [JSP] Fix compilation of custom tags in JSPs

New Feature

• [SONARJAVA-1871] - Offer access to Parameterized Type in Java Analyzer semantic API
• [SONARJAVA-2357] - Provide MethodMatcher API to be used in custom rules
• [SONARJAVA-2941] - Rule S3740: Generic types shouldn't be used raw
• [SONARJAVA-3309] - Transpile JSP to Java
• [SONARJAVA-3310] - Use source maps to report precise issues on JSP files
• [SONARJAVA-3314] - Rule S5738: Deprecated code marked for removal should be removed
• [SONARJAVA-3340] - Jasper dependency should not be required
• [SONARJAVA-3341] - Change issue type of S1104 to code smell

Task

• [SONARJAVA-3241] - Rewrite IssueFiltering mechanism as IssueFilter from SonarQube API is deprecated
• [SONARJAVA-3267] - Drop sonarjava_feedback metric
• [SONARJAVA-3307] - Migrate SonarJava custom rules tutorial to SonarJava 6.X and LTS 7.9
• [SONARJAVA-3333] - Update rules metadata
• [SONARJAVA-3336] - Update documentation regarding new JavaCheckVerifier
• [SONARJAVA-3342] - Update doc about XSS scanning

Improvement

• [SONARJAVA-2410] - Issue filter should also filter rules depending of the java warning suppressed
• [SONARJAVA-3313] - Improve log message for missing compiled classes
• [SONARJAVA-3315] - Unify JavaCheckVerifiers and simplify its usage to test rules
• [SONARJAVA-3317] - Improve performance
• [SONARJAVA-3318] - S2077 should present to the user all the locations where the formatted SQL query string is used
• [SONARJAVA-3323] - S1166 should be able to be configured with an empty whitelist
• [SONARJAVA-3325] - Remove dependency on Ant for JSP transpiling
• [SONARJAVA-3326] - Remove dependency on Eclipse JDT for JSP transpiling
• [SONARJAVA-3331] - FN in S3749: support @component annotation
• [SONARJAVA-3337] - Update branding to drop 'SonarJava'

5.0-RC1

SONARJAVA-2516 Include java9 'Set.of()' and guava 'ImmutableSet.of()'

4.15-RC1

SONARJAVA-2466 introduce sonarpedia.json and update rules  metadata (…

4.14-RC3

SONARJAVA-2461 Goto followed by not yet referenced label (#1689)

Add test with specific problematic class