SonarJava v6.10.0.24201 Release Notes

Release Date: 2020-12-07 // over 3 years ago
  •     Release Notes - SonarJava - Version 6.10
    

    ๐Ÿ› Bug

    • [SONARJAVA-3056] - Classes for the analysis are loaded with parent first strategy
    • ๐Ÿ‘ [SONARJAVA-3602] - JavaCheckVerifier does not support consistent behavior when having multiple issues reported on the same line

    ๐Ÿ†• New Feature

    • [SONARJAVA-3550] - Rule S5994: Regex patterns following a possessive quantifier should not always fail
    • [SONARJAVA-3552] - Rule S5996: Regex boundaries should not be used in a way that can never match
    • [SONARJAVA-3554] - Rule S5998: Regular expressions should not overflow the stack
    • [SONARJAVA-3557] - Rule S6001: Back references in regular expressions should only refer to capturing groups that are matched before the reference
    • [SONARJAVA-3560] - Rule S6002: Regex lookahead assertions should not be contradictory
    • [SONARJAVA-3566] - Rule S5855: Regex alternatives should not be redundant
    • [SONARJAVA-3567] - Rule S6019: Reluctant quantifiers in regular expressions should be followed by an expression that can't match the empty string
    • [SONARJAVA-3572] - Rule S6035: Single-character alternations in regular expressions should be replaced with character classes
    • ๐Ÿคก [SONARJAVA-3608] - Rule S6068: Call to Mockito method "verify", "when" or "given" should be simplified
    • [SONARJAVA-3610] - Rule S6070: The regex escape sequence \cX should only be used with characters in the @-_ range

    Task

    • โช [SONARJAVA-3544] - Fix the regression on issue filtering by reverting SONARJAVA-3241 before SQ 8.x LTS
    • ๐Ÿ‘ [SONARJAVA-3549] - Add support for automata-based analyses for regular expressions
    • [SONARJAVA-3551] - Implement helper to find whether state in regex automaton is reachable without consuming input
    • [SONARJAVA-3564] - Implement intersects and supersetOf helper for regex automata
    • ๐Ÿšš [SONARJAVA-3600] - Remove (re)declaration of fail fast property.
    • [SONARJAVA-3622] - Drop unused Symbolic Execution debugging rules
    • ๐Ÿ“‡ [SONARJAVA-3627] - Update rules metadata

    ๐Ÿ‘Œ Improvement

    • [SONARJAVA-3546] - Issue message of S5961 should contains the number of actual assertions
    • [SONARJAVA-3547] - Improve rule S1612 to replace casts with method reference
    • [SONARJAVA-3548] - Improve rule S5838 to handle maps and longs
    • [SONARJAVA-3553] - S5778 and S5783: Improve primary and secondary issue message
    • [SONARJAVA-3559] - Do not report issues of S1130 on Runtime Exceptions
    • [SONARJAVA-3561] - AbstractRegexCheck should target more regex providers
    • [SONARJAVA-3562] - Improve Regex rules to consider more string literals as Pattern
    • [SONARJAVA-3569] - Improve issue locations of S5869
    • [SONARJAVA-3587] - Typo in message of S3457
    • ๐Ÿ“œ [SONARJAVA-3588] - Java Analyzer should be able to parse Jigsaw module-info.java files even when misconfigured
    • ๐Ÿ‘ [SONARJAVA-3616] - Make S2699 support RestAssured 2.x as well (and not only 3.x & 4.x)
    • โšก๏ธ [SONARJAVA-3623] - Update rule S5803 to support all annotations named @VisibleForTesting

    False-Positive

    • [SONARJAVA-3470] - Add more exceptions to S107
    • [SONARJAVA-3545] - Rule S4973 shouldn't report an issue if "==" is used to compare Boolean constants
    • [SONARJAVA-3565] - FP on S1948 when using SpringBean from Apache Wicket
    • [SONARJAVA-3571] - FP on S1948 when collection implements Serializable
    • ๐ŸŒฒ [SONARJAVA-3577] - FP in S3457 when slf4j log arguments contains a concatenation and a single Throwable
    • ๐Ÿ— [SONARJAVA-3579] - FP in S1170 when class is annotated with @lombok.Builder and field with @default
    • [SONARJAVA-3580] - FP in S2390: do not report an issue on static class nested in the parent.
    • ๐Ÿ‘ [SONARJAVA-3586] - Support Nullable annotation from reactor-core
    • [SONARJAVA-3598] - FP in S2973 when symbol is in lowercase
    • [SONARJAVA-3599] - FP in S2226 for non final Servlet fields initialized in init() method without parameters
    • [SONARJAVA-3605] - FP in S3305 when field has an initializer
    • [SONARJAVA-3612] - FP in S1185 when class is annotated "@transactional"
    • [SONARJAVA-3613] - FP in S1193 when the catch block contains more code
    • [SONARJAVA-3615] - FP in S1905 when casted argument is a method reference to a varargs.
    • [SONARJAVA-3617] - S1170 should not raise an issue when the initializer contains "this" or "super"
    • [SONARJAVA-3618] - FP on S3438 when "value" is set inside the property tag
    • [SONARJAVA-3619] - FP S2589 when Boolean variable doesn't always evaluate to TRUE/FALSE
    • [SONARJAVA-3621] - Union of Unknown types should be Unknown

    False Negative

    • [SONARJAVA-3130] - S3824: raise issue when "containsKey" is used
    • ๐Ÿ‘ [SONARJAVA-3482] - Support character classes as operand to reluctant quantifier in rule S5857
    • [SONARJAVA-3483] - FN in S5869 with escaped character classes

Previous changes from v6.9.0.23563

  •     Release Notes - SonarJava - Version 6.9.0.23563
    

    ๐Ÿ› Bug

    • [SONARJAVA-3285] - Java 13/14 preview feature "Text Block" produce highlighting IllegalArgumentException
    • 0๏ธโƒฃ [SONARJAVA-3541] - NPE in Symbolic Execution engine when dealing with java 14 switch expressions without default

    ๐Ÿ†• New Feature

    • ๐Ÿ”’ [SONARJAVA-3374] - Rule S5804 allowing user enumeration is security-sensitive
    • [SONARJAVA-3396] - Rule S5808 Authorizations should be based on strong decisions
    • [SONARJAVA-3411] - Rule S5876 A new session should be created during user authentication
    • [SONARJAVA-3542] - RSPEC-5993 Constructors of an "abstract" class should not be declared "public"

    Task

    ๐Ÿ‘Œ Improvement

    • ๐Ÿ”’ [SONARJAVA-3376] - Rule S3752: from Vulnerability to Security Hotspot and small improvements on the detection algorithm
    • [SONARJAVA-3414] - Rule S4790: its content should be replaced by S2070
    • [SONARJAVA-3472] - Document wildcards pattern in rule's parameters (S110, S1176)
    • ๐Ÿ‘ [SONARJAVA-3478] - S2201: Support common Collection and Map methods
    • ๐Ÿ‘ [SONARJAVA-3525] - S2333 supports redundant modifiers on nested interfaces and classes
    • ๐Ÿ‘ [SONARJAVA-3536] - Consistently support Nullable/CheckForNull/Nonnull annotations in rules
    • [SONARJAVA-3539] - FP in S5845 when BigDecimal and BigInteger are compared with string

    False-Positive

    False Negative

    • ๐Ÿ‘ [SONARJAVA-3388] - Rule S2070 should support "org.springframework.util.DigestUtils"
    • [SONARJAVA-3538] - S5853 does not handle custom assertions