Spotbugs changelog

Changelog History

Page 1

• v4.7.3 Changes

  October 15, 2022

  🛠 Fixed

  • 🛠 Fixed detector DontUseFloatsAsLoopCounters to prevent false positives. (#2126)
  • 🛠 Fixed regression in 4.7.2 caused by (#2141)
  • 👌 improve compatibility with later version of jdk (>= 13). (#2188)
  • 🛠 Fixed detector UncallableMethodOfAnonymousClass to not report unused methods of method-local enumerations and records (#2120)
  • Fixed detector FindSqlInjection to detect bug SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE SQL with high priority in case of unsafe appends also in Java 11 and above (#2183)
  • 👉 Fixed detector StringConcatenation to detect bug SBSC_USE_STRINGBUFFER_CONCATENATION also in Java 11 and above (#2182)
  • 🛠 Fixed OpcodeStackDetector to to handle propagation of taints properly in case of string concatenation in Java 9 and above (#2195)
  • ⬆️ Bump up log4j2 binding to 2.19.0
  • ⬆️ Bump ObjectWeb ASM from 9.3 to 9.4 supporting JDK 20 (#2200)
  • ⬆️ Bump up commons-text to 1.10.0 (#2197)
  • 🛠 Fixed debug detector ViewCFG to generate file names that are also valid on Windows (#2209)

• v4.7.2 Changes

  September 02, 2022

  🛠 Fixed

  • ⬆️ Bumped gson from 2.9.0 to 2.9.1 (#2136)
  • ⬆️ Bump up SLF4J API to 2.0.0
  • ⬆️ Bump up logback to 1.4.0
  • ⬆️ Bump up log4j2 binding to 2.18.0
  • ⬆️ Bump up Saxon-HE to 11.4 (#2160)
  • 🛠 Fixed InvalidInputException in Eclipse while bug reporting (#2134)
  • Bug SA_FIELD_SELF_ASSIGNMENT is now reported from nested classes as well (#2142)
  • 🔒 Avoid warning on use of security manager on Java 17 and newer. (#1579)
  • 🔦 Fixed false positives EI_EXPOSE_REP thrown in case of fields initialized by the of or copyOf method of a List, Map or Set (#1771)
  • 🛠 Fixed CFGBuilderException thrown when dup_x2 is used to swap the reference and wide-value (double, long) in the stack (#2146)

• v4.7.1 Changes

  June 26, 2022

  🛠 Fixed

  • Fixed False positives for RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE on try-with-resources with interface references (#1931)
  • 🛠 Fixed NullPointerException thrown by detector FindPotentialSecurityCheckBasedOnUntrustedSource on Kotlin files. (#2041)
  • 0️⃣ Disabled detector ThrowingExceptions by default to avoid many false positives (#2040)
  • Fixed False positives for THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION and THROWS_METHOD_THROWS_CLAUSE_THROWABLE on evaluating synthetic classes (#2040)
  • Fixed False positive for SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA on proper protection by using static lock for synchronized block, but inside an unsecured (synchronized and not static) method (#2089)

• v4.7.0 Changes

  April 14, 2022

  🔄 Changed

  • 📚 Updated documentation by adding parenthesis () to the negative odd check message (#1995)
  • 🚀 Let the Plugin class implement AutoCloseable so we can release the .jar file (#2024)

  🛠 Fixed

  • 🛠 Fixed reports to truncate existing files before writing new content (#1950)
  • ⬆️ Bumped Saxon-HE from 10.6 to 11.3 (#1955, #1999)
  • 🛠 Fixed traversal of nested archives governed by -nested:true (#1930)
  • 🗄 Warnings of deprecated System::setSecurityManager calls on Java 17 (#1983)
  • 🛠 Fixed false positive SSD bug for locking on java.lang.Class objects (#1978)
  • FindReturnRef throws an IllegalArgumentException unexpectedly (#2019)
  • ⬆️ Bump ObjectWeb ASM from 9.2 to 9.3 supporting JDK 19 (#2004)

  ➕ Added

  • 🆕 New detector ThrowingExceptions and introduced new bug types:
    • THROWS_METHOD_THROWS_RUNTIMEEXCEPTION is reported in case of a method throwing RuntimeException,
    • THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION is reported when a method has Exception in its throws clause and
    • THROWS_METHOD_THROWS_CLAUSE_THROWABLE is reported when a method has Throwable in its throws clause (See SEI CERT ERR07-J)
  • New rule PERM_SUPER_NOT_CALLED_IN_GETPERMISSIONS to warn for custom class loaders who do not call their superclasses' getPermissions() in their getPermissions() method. This rule based on the SEI CERT rule SEC07-J Call the superclass's getPermissions() method when writing a custom class loader. (#SEC07-J)
  • New rule USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE to detect cases where a non-final method of a non-final class is called from public methods of public classes and then the same method is called on the same object inside a doPrivileged block. Since the called method may have been overridden to behave differently on the first and second invocations this is a possible security check based on an unreliable source. This rule is based on SEC02-J. Do not base security checks on untrusted sources. (#SEC02-J)
  • New detector DontUseFloatsAsLoopCounters to detect usage of floating-point variables as loop counters (FL_FLOATS_AS_LOOP_COUNTERS), according to SEI CERT rules NUM09-J. Do not use floating-point variables as loop counters
  • 🆕 New test detector ViewCFG to visualize the control-flow graph for SpotBugs developers

• v4.6.0 Changes

  March 08, 2022

  🛠 Fixed

  • 🛠 Fixed spotbugs build with ecj compiler (#1903)
  • 🚚 Moved tests from spotbugs project to spotbugs-tests project (#1914)
  • 🛠 Fixed UI freezes in Eclipse on bug count decorations update (#285)
  • ⬆️ Bumped log4j from 2.17.1 to 2.17.2 (#1960)
  • ⬆️ Bumped gson from 2.8.9 to 2.9.0 (#1960)

  ➕ Added

  • New detector FindInstanceLockOnSharedStaticData for new bug type SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA. This detector reports a bug if an instance level lock is used to modify a shared static data. (See SEI CERT rule LCK06-J)
  • New rule PERM_SUPER_NOT_CALLED_IN_GETPERMISSIONS to warn for custom class loaders who do not call their superclasses' getPermissions() in their getPermissions() method. This rule based on the SEI CERT rule SEC07-J Call the superclass's getPermissions() method when writing a custom class loader. (#SEC07-J)

• v4.5.3 Changes

  January 04, 2022

  🔒 Security

  • ⬆️ Bumped log4j from 2.16.0 to 2.17.1 to address CVE-2021-45105 and CVE-2021-44832 (#1885, #1897)

  🛠 Fixed

  • ✂ Remove duplicated logging frameworks from the Eclipse plugin distribution (#1868)
  • Corrected class name validation to no longer fail for Kotlin classes on class path containing special characters. (#1883)

• v4.5.2 Changes

  December 13, 2021

  🔒 Security

  • ⬆️ Bumped log4j from 2.14.1 to 2.16.0 to address CVE-2021-44228

  🛠 Fixed

  • False negative about the rule RV_DONT_JUST_NULL_CHECK_READLINE (#1821#1820#1819#1818)
  • Updated RV_01_TO_INT to handle float and long checks (#1518)

• v4.5.1 Changes

  December 08, 2021

  🛠 Fixed

  • Ant task does not produce XML anymore (#1827)
  • Do not emit false positives of MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR and MC_OVERRIDABLE_METHOD_CALL_IN_CLONE for final classes (#1812).
  • 🏁 Reports cannot be created on Windows platform (#1842)

• v4.5.0 Changes

  November 05, 2021

  🔄 Changed

  • Replace "分析" with "解析" in Japanese document (#1573)
  • ➕ Add a section to document how to integrate find-sec-bugs into spotbugs-maven-plugin (#540)
  • ⬆️ Bump gson from 2.8.8 to 2.8.9 (#1784)
  • 🔄 Changes related to dominators analysis in package edu.umd.cs.findbugs.classfile.engine.bcel (#1741):
    • DominatorsAnalysisFactory renamed to NonExceptionDominatorsAnalysisFactory (clarification)
    • NonExceptionPostdominatorsAnalysisFactory renamed to NonExceptionPostDominatorsAnalysisFactory (spelling)
    • NonImplicitExceptionDominatorsAnalysis introduced (API consistency)

  ➕ Added

  • Rule DCN_NULLPOINTER_EXCEPTION covers catching NullPointerExceptions in accordance with SEI Cert rule ERR08-J (#1740)
  • 🔧 Multiple types of report can be generated in batch. Set multiple commandline options for report configuration like -html=report/spotbugs.html -xml:withMessages=report/spotbugs.xml.
  • New rule REFL_REFLECTION_INCREASES_ACCESSIBILITY_OF_CLASS to detect public methods instantiating a class they get in their parameter. This rule based on the SEI CERT rule SEC05-J. Do not use reflection to increase accessibility of classes, methods, or fields. (#SEC05-J)
  • New detector FindOverridableMethodCall to detect invocation of overridable method in constructors (MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR) and clone() method (MC_OVERRIDABLE_METHOD_CALL_IN_CLONE), according to SEI CERT rules MET05-J. Ensure that constructors do not call overridable methods and MET06-J. Do not invoke overridable methods in clone().
  • 🌐 Translation of online manual to Brazilian Portuguese (PT-BR).

  🛠 Fixed

  • False negative about the rule ES_COMPARING_STRINGS_WITH_EQ (#1764)
  • False negative about the rule IM_MULTIPLYING_RESULT_OF_IREM ([#1498])(https://github.com/spotbugs/spotbugs/issues/1498)

  🗄 Deprecated

  • 🔧 -output commandline option is deprecated. Use commandline options for report configuration like -xml=spotbugs.xml instead.

• v4.4.2 Changes

  October 08, 2021

  🔄 Changed

  • ➕ Add bug code to report in fancy-hist.xsl (#1688)
  • ⬆️ Bump Saxon-HE from 10.5 to 10.6 (#1715)

  🛠 Fixed

  • 🛠 Fixed immutable java.lang.Class as being flagged as EI (#1695)
  • Agree verb with plural subject in the description of SW_SWING_METHODS_INVOKED_IN_SWING_THREAD (#1664)
  • Wrong description of the SE_TRANSIENT_FIELD_OF_NONSERIALIZABLE_CLASS (#1664)
  • 🛠 Fixed java.util.Locale as being flagged as EI (#1702)
  • 🛠 Fixed reference to java.awt.Cursor which caused it to be flagged as EI (#1702)
  • Treat types with @com.google.errorprone.annotations.Immutable as immutable (#1705)
  • 🛠 Fix annotation check for jdk.internal.ValueBased (#1706)
  • DMI_RANDOM_USED_ONLY_ONCE false positive (#1539)
  • NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR false negative (#1642)
  • Immutable java.util.regex.Pattern as being flagged as EI (#1695)
  • Resource leak in the JrtfsCodeBase (#1732)

• 1
• 2
• 3
• 4
• 5
• Next ›
• Last »