Changelog History

  • v4.5.2 Changes

    December 13, 2021

    Security

    • Bumped log4j from 2.14.1 to 2.16.0 to address CVE-2021-44228

    Fixed

    • Updated RV_01_TO_INT to handle float and long checks (#1518)
  • v4.5.1 Changes

    December 08, 2021

    Fixed

    • Ant task does not produce XML anymore (#1827)
    • Do not emit false positives of MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR and MC_OVERRIDABLE_METHOD_CALL_IN_CLONE for final classes (#1812).
    • Reports cannot be created on Windows platform (#1842)
  • v4.5.0 Changes

    November 05, 2021

    Changed

    • Replace "分析" with "解析" in Japanese document (#1573)
    • Add a section to document how to integrate find-sec-bugs into spotbugs-maven-plugin (#540)
    • Bump gson from 2.8.8 to 2.8.9 (#1784)
    • Changes related to dominators analysis in package edu.umd.cs.findbugs.classfile.engine.bcel (#1741):
      • DominatorsAnalysisFactory renamed to NonExceptionDominatorsAnalysisFactory (clarification)
      • NonExceptionPostdominatorsAnalysisFactory renamed to NonExceptionPostDominatorsAnalysisFactory (spelling)
      • NonImplicitExceptionDominatorsAnalysis introduced (API consistency)

    Added

    • Rule DCN_NULLPOINTER_EXCEPTION covers catching NullPointerExceptions in accordance with SEI Cert rule ERR08-J (#1740)
    • Multiple types of report can be generated in batch. Set multiple commandline options for report configuration like -html=report/spotbugs.html -xml:withMessages=report/spotbugs.xml.
    • New rule REFL_REFLECTION_INCREASES_ACCESSIBILITY_OF_CLASS to detect public methods instantiating a class they get in their parameter. This rule is based on the SEI CERT rule SEC05-J ("Do not use reflection to increase accessibility of classes, methods, or fields"). (#SEC05-J)
    • New detector FindOverridableMethodCall to detect invocation of overridable methods in constructors (MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR) and in the clone() method (MC_OVERRIDABLE_METHOD_CALL_IN_CLONE), according to SEI CERT rules MET05-J ("Ensure that constructors do not call overridable methods") and MET06-J ("Do not invoke overridable methods in clone()").
    • Translation of online manual to Brazilian Portuguese (PT-BR).

    Fixed

    Deprecated

    • -output commandline option is deprecated. Use commandline options for report configuration like -xml=spotbugs.xml instead.
  • v4.4.2 Changes

    October 08, 2021

    Changed

    • Add bug code to report in fancy-hist.xsl (#1688)
    • Bump Saxon-HE from 10.5 to 10.6 (#1715)

    Fixed

    • Fixed immutable java.lang.Class as being flagged as EI (#1695)
    • Agree verb with plural subject in the description of SW_SWING_METHODS_INVOKED_IN_SWING_THREAD (#1664)
    • Wrong description of the SE_TRANSIENT_FIELD_OF_NONSERIALIZABLE_CLASS (#1664)
    • Fixed java.util.Locale as being flagged as EI (#1702)
    • Fixed reference to java.awt.Cursor which caused it to be flagged as EI (#1702)
    • Treat types with @com.google.errorprone.annotations.Immutable as immutable (#1705)
    • Fix annotation check for jdk.internal.ValueBased (#1706)
    • DMI_RANDOM_USED_ONLY_ONCE false positive (#1539)
    • NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR false negative (#1642)
    • Immutable java.util.regex.Pattern as being flagged as EI (#1695)
    • Resource leak in the JrtfsCodeBase (#1732)
  • v4.4.1 Changes

    September 07, 2021

    Changed

    • Bump gson from 2.8.7 to 2.8.8 (#1658)
    • Lower ExitCodes logger to debug level (#1661)
    • Fixed SARIF format to be compatible with Github code scanning API requirements (#1630)

    Fixed

    • Fixed immutable classes in java.net.* as being flagged as EI (#1653)
    • Classes containing only static methods with setter-like names are no longer considered as mutable (#1601)
    • Handle all immutable collections in the Guava library as immutable (#1601)
    • Classes annotated with @Immutable or @jdk.internal.ValueBased are considered as immutable (#1601)
    • All classes in packages java.time and java.math are now correctly handled as immutable (#1601)
  • v4.4.0 Changes

    August 12, 2021

    Fixed

    • Fixed false positives for RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE (#600 and #1338)
    • Inconsistent bug description on EQ_COMPARING_CLASS_NAMES (#1523)
    • Add a declaration of charset encoding in generated reports (#1623)
    • Fixed regression in Bug Info view for Eclipse 2021-03+ (#1477)

    Added

    • New detector FindBadEndOfStreamCheck for new bug type EOS_BAD_END_OF_STREAM_CHECK. This bug is reported whenever the return value of java.io.FileInputStream.read() or java.io.FileReader.read() is first converted to byte/int and only thereafter checked against -1. (See SEI CERT rule FIO08-J)
  • v4.3.0 Changes

    July 01, 2021

    Fixed

    • MS_EXPOSE_REP and EI_EXPOSE_REP are now reported for code returning a reference to a mutable object indirectly (e.g. via a local variable)

    Changed

    • Bump ObjectWeb ASM from 9.1 to 9.2 supporting JDK 18 (#1591)
    • Bump Saxon-HE from 10.3 to 10.5 (#1513)
    • Bump gson from 2.8.6 to 2.8.7 (#1556)
    • Function mutableSignature() improved and factored out from the MutableStaticFields detector

    Added

    • New bugs MS_EXPOSE_BUF, EI_EXPOSE_BUF, EI_EXPOSE_STATIC_BUF2 and EI_EXPOSE_BUF2 by the FindReturnRef detector to detect cases where buffers or their backing arrays are exposed (see SEI CERT rule FIO05-J)
    • MS_EXPOSE_REP, EI_EXPOSE_REP, EI_EXPOSE_STATIC_REP2 and EI_EXPOSE_REP2 now report for shallowly copied arrays (using clone()) of mutable objects
  • v4.2.3 Changes

    April 12, 2021

    Fixed

    • Inconsistency in the description of DLS_DEAD_LOCAL_INCREMENT_IN_RETURN, VO_VOLATILE_INCREMENT and QF_QUESTIONABLE_FOR_LOOP (#1470)
    • Should issue warning for SecureRandom object created and used only once (#1464)
    • False positive OBL_UNSATIFIED_OBLIGATION with try with resources (#79)
    • SA_LOCAL_SELF_COMPUTATION bug (#1472)
    • False positive EQ_UNUSUAL with record classes (#1367)
  • v4.2.2 Changes

    March 03, 2021

    Fixed

    • UWF_NULL_FIELD doesn't report line number (#1368)
    • UnsupportedOperationException in BugRanker.trimToMaxRank (#1161)

    Changed

    • Bump ASM from 9.0 to 9.1 supporting JDK17
    • Bump commons-lang from 3.11 to 3.12.0
    • Replace org.json:json:20201115 with com.google.code.gson:gson:2.8.6
  • v4.2.1 Changes

    February 04, 2021

    Fixed

    • Invalid HTML in the description of LI_LAZY_INIT_UPDATE_STATIC bug pattern (#1383)
    • NP_NONNULL_PARAM_VIOLATION false-positive in CompletableFuture.completedStage(value) (#1397)

    Changed

    • Bump json from 20200518 to 20201115 (#1384)