Skip to content

Releases: SonarSource/sonar-java

7.10.0.29108

25 Mar 13:06
Compare
Choose a tag to compare
    Release Notes - SonarJava - Version 7.10

Bug

  • [SONARJAVA-3693] - Allow to exclude generated "*_jsp.java" files from analysis
  • [SONARJAVA-4194] - Rule S1155 crash with stackoverflow when encountering large numbers of chained BinaryExpressionTrees
  • [SONARJAVA-4207] - JAR files passed to sonar.java.libraries should be unlocked when not needed anymore in Batch mode

New Feature

  • [SONARJAVA-4183] - Incremental PR analysis: Skip rules that don't need to be run on unchanged files
  • [SONARJAVA-4199] - Enable batch mode by default

Task

Improvement

  • [SONARJAVA-4179] - Logging of undefined types and missing libraries should be relevant in batch mode
  • [SONARJAVA-4198] - JSP files should be correctly analyzed in batch mode

False-Positive

  • [SONARJAVA-4094] - S1105: FP when using java 16 records and java 17 sealed classes' permitted types
  • [SONARJAVA-4193] - FP on S3329 in case of simple assigments of the IV

7.9.0.28969

07 Mar 10:21
2f81fc2
Compare
Choose a tag to compare
    Release Notes - SonarJava - Version 7.9

New Feature

  • [SONARJAVA-4177] - Provide OWASP Top 10 2021 security standards for rules metadata
  • [SONARJAVA-4181] - Introduce rule selection for AutoScan

Task

Improvement

  • [SONARJAVA-4186] - Rules testing subtypes should correctly handle incomplete semantic

False-Positive

  • [SONARJAVA-4184] - FPs on S112 when the body of a method has unresolved methods or if a called constructor declare raw exceptions
  • [SONARJAVA-4189] - FP in S3985 when all the usages of a class are not resolved
  • [SONARJAVA-4191] - S4838 should not report false positives when the semantic is incomplete
  • [SONARJAVA-4192] - S3077 should not report an issue when the type is unknown

7.8.1.28740

07 Feb 11:23
247da11
Compare
Choose a tag to compare

Release Notes - SonarJava - Version 7.8.1

Bug

  • [SONARJAVA-4148] - Duplicated "Using ECJ batch to parse source files" logs

Improvement

  • [SONARJAVA-3893] - Update S128 documentation to mention fallthrough exception

False-Positive

  • [SONARJAVA-3887] - Rule S5808 should not raise when an exception is thrown
  • [SONARJAVA-4144] - S2699 and S6103 should not report an issue in case of incomplete semantic
  • [SONARJAVA-4146] - FP in batch mode caused by missing annotations on dependent generic classes

7.8.0.28662

28 Jan 15:42
Compare
Choose a tag to compare
    Release Notes - SonarJava - Version 7.8

Bug

  • [SONARJAVA-4128] - Record components of local records should not have the method as owner
  • [SONARJAVA-4129] - NPE in S1450 when private field is used in a record

Task

Improvement

  • [SONARJAVA-4059] - Rule S6373 XML parsers should not allow inclusion of arbitrary files
  • [SONARJAVA-4062] - Rule S6374 XML parsers should not load external schemas
  • [SONARJAVA-4065] - Rule S6376 XML parsers should not be vulnerable to Denial of Service attacks
  • [SONARJAVA-4067] - Rule S6377 XML signatures should be validated securely

False-Positive

  • [SONARJAVA-3839] - FP in S6212 when a method has parameterized return types
  • [SONARJAVA-3842] - FP in S2755 when vulnerability is mitigated in another class
  • [SONARJAVA-3899] - FP on S2755 when XML DocumentBuilderFactory is initialized inside initialized block
  • [SONARJAVA-4008] - Rule S2755 should accept setExpandEntityReferences solution for openJDK >= 13

7.7.0.28547

18 Jan 09:59
Compare
Choose a tag to compare
    Release Notes - SonarJava - Version 7.7

Bug

  • [SONARJAVA-4010] - NPE in JSymbol.hashCode()
  • [SONARJAVA-4023] - The Java analyzer should populate the classpath with all the JARs provided by the SDK

New Feature

  • [SONARJAVA-3770] - Implement rule S6217: Omit permitted types when subclasses are in the same file as their superclass

Task

Improvement

  • [SONARJAVA-4057] - Do not generate FP when rules don't have semantic
  • [SONARJAVA-4086] - Preview feature problems should not be logged under unresolved types
  • [SONARJAVA-4101] - Update ECJ to 3.28.0
  • [SONARJAVA-4103] - Rules S1905 - Highlight also the parenthesis of the reported issue
  • [SONARJAVA-4104] - Rule S1197 Highlight the variable additionally to the []
  • [SONARJAVA-4114] - Support classpath entries with comma
  • [SONARJAVA-4115] - Custom rules plugin examples should shade dependencies and use latest packaging module
  • [SONARJAVA-4118] - Introduce Java 17's Sealed Classes as final feature
  • [SONARJAVA-4119] - Correctly parse Pattern-matching for switch from Java 17
  • [SONARJAVA-4120] - Logs about preview features should not suggest "-enable-preview"

False-Positive

  • [SONARJAVA-4060] - FP in S3252 when owner type is unknown
  • [SONARJAVA-4070] - S1874(CallToDeprecatedMethodCheck) should ignore incomplete method signature
  • [SONARJAVA-4074] - S5845: FP when using lombok.val
  • [SONARJAVA-4090] - FP in S6206 when the constructor and the class have not the same visibility
  • [SONARJAVA-4100] - Abstract classes should be excluded from S5790
  • [SONARJAVA-4102] - S6204 should not raise an issue when removeIf is called on the list
  • [SONARJAVA-4116] - Remove rule S2912 (IndexOfStartPositionCheck)
  • [SONARJAVA-4117] - Support `@SuperBuilder` from Lombok
  • [SONARJAVA-4122] - S3329 should not raise an issue for Cipher.DECRYPT_MODE
  • [SONARJAVA-4123] - FP on S2384: Collections.emptyList() should be considered as immutable.

Documentation

  • [SONARJAVA-4066] - Update custom rules 101 metadata documentation and template

False Negative

  • [SONARJAVA-4055] - S4544 should raise on Interface in addition to Class
  • [SONARJAVA-4058] - S5838 should support subtypes of Collections
  • [SONARJAVA-4063] - FN in S3688 (disallowed classes) in case of Reflection
  • [SONARJAVA-4108] - FN in S2189 : infinite do/while loops should be reported
  • [SONARJAVA-4111] - FN on S1862 when equality parameters are inverted

7.6.0.28201

29 Nov 14:20
d356226
Compare
Choose a tag to compare
    Release Notes - SonarJava - Version 7.6

Bug

  • [SONARJAVA-4020] - S5869(DuplicatesInCharacterClassCheck): Fix false-negative and crash on regex spanning low and upper case ranges

Task

Improvement

  • [SONARJAVA-4069] - Improve Nullability annotations support in S2638 (ChangeMethodContractCheck)
  • [SONARJAVA-4078] - Improve Nullability annotations support in S2789 (NullShouldNotBeUsedWithOptionalCheck)
  • [SONARJAVA-4079] - Improve Nullability annotations support in S4682 (PrimitivesMarkedNullableCheck)
  • [SONARJAVA-4080] - Improve Nullability annotations support in S2637 (NonNullSetToNullCheck)
  • [SONARJAVA-4081] - Improve Nullability annotations support in S4454 (EqualsParametersMarkedNonNullCheck)
  • [SONARJAVA-4082] - Improve Nullability annotations support in S2447 (BooleanMethodReturnCheck)
  • [SONARJAVA-4083] - Improve Nullability annotations support in S1168 (ReturnEmptyArrayNotNullCheck)
  • [SONARJAVA-4084] - Improve Nullability annotations support in S4449 (ParameterNullnessCheck)
  • [SONARJAVA-4085] - Improve Nullability annotations support in S2259 (NullDereferenceCheck)
  • [SONARJAVA-4089] - Improve Nullability annotations support in Exploded graph walker
  • [SONARJAVA-4091] - Use of Java 17 feature should not lead to a warning message

7.5.0.28054

15 Nov 09:46
54b377c
Compare
Choose a tag to compare
    Release Notes - SonarJava - Version 7.5

Bug

  • [SONARJAVA-4068] - S2118-S2441: Fix StackOverflowError raised for self assigned variables

Task

Improvement

False-Positive

  • [SONARJAVA-4047] - S2699: Fix FP with "andExpectAll" introduced in recent version of Spring Test
  • [SONARJAVA-4064] - S2055: Fix FP when the semantic is incomplete
  • [SONARJAVA-4073] - S3751 should accept protected and package scope modifiers

7.4.0.27839

19 Oct 07:15
3b1a383
Compare
Choose a tag to compare
    Release Notes - SonarJava - Version 7.4

Bug

  • [SONARJAVA-4021] - Wrong message in S1128 with unused imports from a sub-package

New Feature

  • [SONARJAVA-4029] - Rule S6301: Mobile database encryption keys should not be disclosed
  • [SONARJAVA-4030] - Rule S6291: Using unencrypted databases in mobile applications is security-sensitive
  • [SONARJAVA-4031] - Rule S6300: Using unencrypted files in mobile applications is security-sensitive
  • [SONARJAVA-4034] - Rule S4507: Add WebView debug settings
  • [SONARJAVA-4036] - Rule S6362: Enabling JavaScript support for WebViews is security-sensitive
  • [SONARJAVA-4037] - Rule S6363: Enabling file access for WebViews is security-sensitive

Task

Improvement

  • [SONARJAVA-3866] - Rule S6293: Using a biometric authentication independent of a cryptographic solution is security-sensitive
  • [SONARJAVA-3868] - Rule S6288: Authorizing non-authenticated users to use keys in the Android KeyStore is security-sensitive
  • [SONARJAVA-4039] - Rule S5332: support Android WebView insecure mixed content policy
  • [SONARJAVA-4046] - Avoid unnecessary TextEdit in quick fixes
  • [SONARJAVA-4049] - S2647: remove CWE-311 from "securityStandards" to match the "See" section

False-Positive

  • [SONARJAVA-2250] - FP on S2695 when the query is built in multiple statements
  • [SONARJAVA-3953] - S2095 should ignore ByteArrayOutputStream from apache.commons
  • [SONARJAVA-4014] - S1214 should not report interface with a parent
  • [SONARJAVA-4015] - FP in S1641 when the initializer is a ternary expression
  • [SONARJAVA-4016] - FP in S6206 when the return type of the getter is not the same as the one from the field
  • [SONARJAVA-4025] - FP in S2637 with non-null primitive field not initialized
  • [SONARJAVA-4040] - S1612 should not suggest casting though method reference for generic classes
  • [SONARJAVA-4041] - S1166 should not ignore whitelist when union type is used in catch

Documentation

False Negative

  • [SONARJAVA-4011] - S2119: Random() not detected when used directly in MemberSelectExpression
  • [SONARJAVA-4019] - FN in S2695 when the integer argument is coming from a constant
  • [SONARJAVA-4032] - S5322 should raise on Activity or any sub classes of Context
  • [SONARJAVA-4033] - S5320 should raise on Activity or any sub classes of Context
  • [SONARJAVA-4038] - S5324 should raise on Activity or any sub classes of Context

7.3.0.27589

06 Sep 11:11
c8c5131
Compare
Choose a tag to compare
    Release Notes - SonarJava - Version 7.3

Sub-task

  • [SONARJAVA-3909] - Add quick fixes for S1481 (UnusedLocalVariableCheck)
  • [SONARJAVA-3910] - Add quick fixes for S2293 (DiamondOperatorCheck)
  • [SONARJAVA-3911] - Add quick fixes for S1155 (CollectionIsEmptyCheck)
  • [SONARJAVA-3913] - Add quick fixes for S1130 (RedundantThrowsDeclarationCheck)
  • [SONARJAVA-3915] - Add quick fixes for S1124 (ModifiersOrderCheck)
  • [SONARJAVA-3916] - Add quick fixes for S1128 (UselessImportCheck)
  • [SONARJAVA-3917] - Add quick fixes for S1161 (OverrideAnnotationCheck)
  • [SONARJAVA-3918] - Add quick fixes for S1186 (EmptyMethodsCheck)
  • [SONARJAVA-3919] - Add quick fixes for S5786 (JUnit5DefaultPackageClassAndMethodCheck)
  • [SONARJAVA-3921] - Add quick fixes for S1905 (RedundantTypeCastCheck)
  • [SONARJAVA-3922] - Add quick fixes for S3415 (AssertionArgumentOrderCheck)
  • [SONARJAVA-3923] - Add quick fixes for S1068 (UnusedPrivateFieldCheck)
  • [SONARJAVA-3925] - Add quick fixes for S1197 (ArrayDesignatorOnVariableCheck)
  • [SONARJAVA-3926] - Add quick fixes for S1125 (BooleanLiteralCheck)
  • [SONARJAVA-3927] - Add quick fixes for S3252 (StaticMemberAccessCheck)
  • [SONARJAVA-3928] - Add quick fixes for S1319 (CollectionImplementationReferencedCheck)
  • [SONARJAVA-3929] - Add quick fixes for S1172 (UnusedMethodParameterCheck)
  • [SONARJAVA-3930] - Add quick fixes for S1612 (ReplaceLambdaByMethodRefCheck)
  • [SONARJAVA-3931] - Add quick fixes for S1168 (ReturnEmptyArrayNotNullCheck)
  • [SONARJAVA-3933] - Add quick fixes for S5411 (BoxedBooleanExpressionsCheck)
  • [SONARJAVA-3934] - Add quick fixes for S1144 (UnusedPrivateMethodCheck)
  • [SONARJAVA-3939] - Add quick fixes for S1116 (EmptyStatementUsageCheck)
  • [SONARJAVA-3940] - Add quick fixes for S1858 (StringToStringCheck)
  • [SONARJAVA-3941] - Add quick fixes for S1659 (OneDeclarationPerLineCheck)
  • [SONARJAVA-3942] - Add quick fixes for S2209 (StaticMembersAccessCheck)
  • [SONARJAVA-3943] - Add quick fixes for S5838 (AssertJChainSimplificationCheck)
  • [SONARJAVA-3944] - Add quick fixes for S2325 (StaticMethodCheck)
  • [SONARJAVA-3945] - Add quick fixes for S1107 (RightCurlyBraceSameLineAsNextBlockCheck)
  • [SONARJAVA-3946] - Add quick fixes for S1488 (ImmediatelyReturnedVariableCheck)
  • [SONARJAVA-3948] - Add quick fixes for S2153 (ImmediateReverseBoxingCheck)
  • [SONARJAVA-3949] - Add quick fixes for S2446 (NotifyCheck)
  • [SONARJAVA-3950] - Add quick fixes for S2200 (CompareToResultTestCheck)
  • [SONARJAVA-3951] - Add quick fixes for S5164 (ThreadLocalCleanupCheck)
  • [SONARJAVA-3952] - Add quick fixes for S2111 (BigDecimalDoubleConstructorCheck)
  • [SONARJAVA-3955] - Add quick fixes for S4973 (CompareStringsBoxedTypesWithEqualsCheck)
  • [SONARJAVA-3958] - Add quick fixes for S3984 (UnusedThrowableCheck)
  • [SONARJAVA-3960] - Extends CheckVerifier to support testing of Quick-fixes
  • [SONARJAVA-3961] - Add quick fixes for S3986 (DateFormatWeekYearCheck)
  • [SONARJAVA-3962] - Add quick fixes for S3020 (ToArrayCheck)
  • [SONARJAVA-3998] - Add quick fixes for S1195 (ArrayDesignatorAfterTypeCheck)

Bug

  • [SONARJAVA-3969] - CheckVerifier expect too many issues when a //Noncompliant comment is placed after a multi-variable declaration
  • [SONARJAVA-3990] - S1120 should not crash on code containing line breaking control characters
  • [SONARJAVA-3993] - S6073 should not produce a NullPointerException when trying to read the body of an abstract method
  • [SONARJAVA-4003] - Fix Deadlock on ProgressMonitor

New Feature

  • [SONARJAVA-3854] - Rule S5329: Collection constructors should not be used as java.util.function.Function
  • [SONARJAVA-3906] - Quick fixes for CODE SMELLS requiring trivial changes without compilation impact
  • [SONARJAVA-3936] - Quick fixes for BUGS requiring trivial changes without compilation impact

Task

Improvement

  • [SONARJAVA-3864] - Missing arguments in Deprecated annotation should be reported in its own rule
  • [SONARJAVA-3867] - S2479 Add a flag to allow tabs in string literals
  • [SONARJAVA-3881] - Change message of S3655 to mention isEmpty and improve rule description
  • [SONARJAVA-3907] - Add support for SonarLint quick fixes in the Java analyzer
  • [SONARJAVA-3947] - Typo in S6216 issue description
  • [SONARJAVA-3965] - Provide a new extensible API for issue reporting
  • [SONARJAVA-3989] - Remove overlap between S2638 and S4454 with "nonnull" argument of "equals" method
  • [SONARJAVA-4001] - Compute the end position of multi-line token only once
  • [SONARJAVA-4002] - S1659 should report only one issue per line

False-Positive

Read more

7.2.0.26923

20 Jul 08:05
ff019c7
Compare
Choose a tag to compare
    Release Notes - SonarJava - Version 7.2.0.26923

Bug

  • [SONARJAVA-3872] - "JSymbol.convertMetadata" should not throw an Exception when ecj fails
  • [SONARJAVA-3897] - Fix S1845(MembersDifferOnlyByCapitalizationCheck) duplicated issues
  • [SONARJAVA-3904] - Java 16's record keyword and sealed classes-related keywords should be highlighted as keywords

New Feature

  • [SONARJAVA-3745] - Implement rule S6204: Use Stream.toList() instead of collectors
  • [SONARJAVA-3748] - Implement rule S6206: Use records to represent immutable data structures
  • [SONARJAVA-3752] - Implement rule S6207: Avoid redundant constructors/methods in records
  • [SONARJAVA-3754] - Implement rule S6209: Ignored members during record serialization
  • [SONARJAVA-3758] - Implement rule S6211: Prefer overriding default record's getter
  • [SONARJAVA-3768] - Implement rule S6216: Reflection should not be used to update record's field value
  • [SONARJAVA-3771] - Implement rule S6218: Equals should be overridden in the record with array fields
  • [SONARJAVA-3773] - Implement rule S6219: Don't set 'serialVersionUID' to '0L' in records

Task

Improvement

  • [SONARJAVA-3740] - Extend rule S1481 to report on unused variables in pattern matching on instanceof
  • [SONARJAVA-3746] - Extend rule S2201 to support 'Stream' non-void terminal methods
  • [SONARJAVA-3755] - Update rule S2057 to not report on 'Serializable' records
  • [SONARJAVA-3760] - Improve rule S2094: 'Classes should not be empty' to support Records
  • [SONARJAVA-3763] - Support Records in rules targeting Classes
  • [SONARJAVA-3769] - Remove record fields from reporting in S3011: Reflection fields update
  • [SONARJAVA-3902] - Use secondary locations in S1845 (Members differs only by capitalization)

False-Positive

  • [SONARJAVA-3892] - Exclude "com.sun.jersey" and "com.sun.faces" from S1191 by default
  • [SONARJAVA-3898] - Don't apply S5838 for calls to equals in methods with "equals" in the name
  • [SONARJAVA-3901] - FP in S2245 (PseudeRandomCheck) when passing a SecureRandom object as parameter