Changelog History

All versions: 65. Average release cycle: 37 days. Latest release: 644 days ago.

  • v4.7.3 Changes

    October 15, 2022

    Fixed

    • Fixed detector DontUseFloatsAsLoopCounters to prevent false positives (#2126)
    • Fixed regression in 4.7.2 caused by (#2141)
    • Improved compatibility with later JDK versions (>= 13) (#2188)
    • Fixed detector UncallableMethodOfAnonymousClass to not report unused methods of method-local enumerations and records (#2120)
    • Fixed detector FindSqlInjection to report bug SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE with high priority in case of unsafe appends, also in Java 11 and above (#2183)
    • Fixed detector StringConcatenation to detect bug SBSC_USE_STRINGBUFFER_CONCATENATION also in Java 11 and above (#2182)
    • Fixed OpcodeStackDetector to handle propagation of taints properly in case of string concatenation in Java 9 and above (#2195)
    • Bumped log4j2 binding to 2.19.0
    • Bumped ObjectWeb ASM from 9.3 to 9.4, supporting JDK 20 (#2200)
    • Bumped commons-text to 1.10.0 (#2197)
    • Fixed debug detector ViewCFG to generate file names that are also valid on Windows (#2209)
  • v4.7.2 Changes

    September 02, 2022

    Fixed

    • Bumped gson from 2.9.0 to 2.9.1 (#2136)
    • Bumped SLF4J API to 2.0.0
    • Bumped logback to 1.4.0
    • Bumped log4j2 binding to 2.18.0
    • Bumped Saxon-HE to 11.4 (#2160)
    • Fixed InvalidInputException in Eclipse while reporting a bug (#2134)
    • Bug SA_FIELD_SELF_ASSIGNMENT is now reported from nested classes as well (#2142)
    • Avoid the warning on use of the security manager on Java 17 and newer (#1579)
    • Fixed false positive EI_EXPOSE_REP reports for fields initialized by the of() or copyOf() factory methods of List, Map or Set (#1771)
    • Fixed CFGBuilderException thrown when dup_x2 is used to swap a reference and a wide value (double, long) on the stack (#2146)
  • v4.7.1 Changes

    June 26, 2022

    Fixed

    • Fixed false positives for RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE on try-with-resources with interface references (#1931)
    • Fixed NullPointerException thrown by detector FindPotentialSecurityCheckBasedOnUntrustedSource on Kotlin files (#2041)
    • Disabled detector ThrowingExceptions by default to avoid many false positives (#2040)
    • Fixed false positives for THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION and THROWS_METHOD_THROWS_CLAUSE_THROWABLE when evaluating synthetic classes (#2040)
    • Fixed false positive SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA reported when shared static data is correctly protected by a synchronized block on a static lock, even though that block sits inside a non-static synchronized method (#2089)
  • v4.7.0 Changes

    April 14, 2022

    Changed

    • Updated documentation by adding parentheses () to the negative odd check message (#1995)
    • Let the Plugin class implement AutoCloseable so that the .jar file can be released (#2024)

    Fixed

    • Fixed reports to truncate existing files before writing new content (#1950)
    • Bumped Saxon-HE from 10.6 to 11.3 (#1955, #1999)
    • Fixed traversal of nested archives governed by -nested:true (#1930)
    • Fixed warnings about deprecated System::setSecurityManager calls on Java 17 (#1983)
    • Fixed false positive SSD bug for locking on java.lang.Class objects (#1978)
    • Fixed FindReturnRef unexpectedly throwing an IllegalArgumentException (#2019)
    • Bumped ObjectWeb ASM from 9.2 to 9.3, supporting JDK 19 (#2004)

    Added

    • New detector ThrowingExceptions and new bug types:
      • THROWS_METHOD_THROWS_RUNTIMEEXCEPTION is reported when a method throws RuntimeException,
      • THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION is reported when a method has Exception in its throws clause, and
      • THROWS_METHOD_THROWS_CLAUSE_THROWABLE is reported when a method has Throwable in its throws clause (see SEI CERT rule ERR07-J)
    • New rule PERM_SUPER_NOT_CALLED_IN_GETPERMISSIONS to warn about custom class loaders that do not call their superclass's getPermissions() from their own getPermissions() method. This rule is based on SEI CERT rule SEC07-J, "Call the superclass's getPermissions() method when writing a custom class loader".
    • New rule USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE to detect cases where a non-final method of a non-final class is called from a public method of a public class and then the same method is called on the same object inside a doPrivileged block. Since the called method may have been overridden to behave differently on the first and second invocations, this is a possible security check based on an unreliable source. This rule is based on SEI CERT rule SEC02-J, "Do not base security checks on untrusted sources".
    • New detector DontUseFloatsAsLoopCounters to detect usage of floating-point variables as loop counters (FL_FLOATS_AS_LOOP_COUNTERS), according to SEI CERT rule NUM09-J, "Do not use floating-point variables as loop counters".
    • New test detector ViewCFG to visualize the control-flow graph, for SpotBugs developers
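The USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE pattern above, shown as an added example that is not SpotBugs project code: a public method checks the result of an overridable method, then calls that method again inside a doPrivileged block, next to a version that calls it once and reuses the stored value. The class names, the path-based policy and the "read" that merely echoes a path are all assumptions made for the illustration.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// Added example, not SpotBugs project code. All names are hypothetical.

// Non-final class with a non-final method: a subclass may override getPath().
class ResourceRequest {
    private final String path;
    ResourceRequest(String path) { this.path = path; }
    public String getPath() { return path; }
}

// A subclass whose answer changes between calls. This is the case the rule guards
// against: a check on the first answer says nothing about the second.
class ChangingRequest extends ResourceRequest {
    private int calls = 0;
    ChangingRequest() { super("/public/readme.txt"); }
    @Override public String getPath() {
        return calls++ == 0 ? "/public/readme.txt" : "/private/keys.txt";
    }
}

public class PrivilegedReader {
    static boolean isAllowed(String path) { return path.startsWith("/public/"); }

    // Reported: the check calls getPath() once, the privileged block calls it again.
    public static String readUnsafe(ResourceRequest req) {
        if (!isAllowed(req.getPath())) {
            throw new SecurityException("denied: " + req.getPath());
        }
        return AccessController.doPrivileged((PrivilegedAction<String>) () ->
                "read " + req.getPath());          // second, unchecked call: may differ
    }

    // Fixed: call the overridable method once, keep the result in a final local of an
    // immutable type, and use only that copy in both the check and the privileged action.
    public static String readSafe(ResourceRequest req) {
        final String path = req.getPath();
        if (!isAllowed(path)) {
            throw new SecurityException("denied: " + path);
        }
        return AccessController.doPrivileged((PrivilegedAction<String>) () -> "read " + path);
    }

    public static void main(String[] args) {
        // "read" only echoes the path here; no file is touched.
        System.out.println(readUnsafe(new ChangingRequest())); // read /private/keys.txt
        System.out.println(readSafe(new ChangingRequest()));   // read /public/readme.txt
    }
}
```

Save as PrivilegedReader.java and run with javac/java; on JDK 17 and newer the compiler warns that AccessController is deprecated, which does not affect the result. The fix works because the local is a String, an immutable type: once the checked value is captured, nothing the subclass does can change what the privileged action sees.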
  • v4.6.0 Changes

    March 08, 2022

    Fixed

    • Fixed the spotbugs build with the ecj compiler (#1903)
    • Moved tests from the spotbugs project to the spotbugs-tests project (#1914)
    • Fixed UI freezes in Eclipse on bug count decoration updates (#285)
    • Bumped log4j from 2.17.1 to 2.17.2 (#1960)
    • Bumped gson from 2.8.9 to 2.9.0 (#1960)

    Added

    • New detector FindInstanceLockOnSharedStaticData for new bug type SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA. This detector reports a bug if an instance-level lock is used to modify shared static data (see SEI CERT rule LCK06-J).
    • New rule PERM_SUPER_NOT_CALLED_IN_GETPERMISSIONS to warn about custom class loaders that do not call their superclass's getPermissions() from their own getPermissions() method. This rule is based on SEI CERT rule SEC07-J, "Call the superclass's getPermissions() method when writing a custom class loader".
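The situation FindInstanceLockOnSharedStaticData reports, as an added example that is not SpotBugs project code: a static counter incremented under an instance lock, where every instance holds a different lock and updates interleave, next to the corrected form that guards the shared field with one static lock. The failed-login counter scenario, the class names and the thread counts are assumptions for the illustration.

```java
import java.util.function.Supplier;

// Added example, not SpotBugs project code. Names and scenario are hypothetical.

class FailedLoginCounterUnsafe {
    private static int failedLogins = 0;   // one field shared by every instance

    // Reported: 'synchronized' on an instance method locks 'this', so two instances
    // hold two different locks and their increments of the static field can interleave.
    public synchronized void recordFailure() { failedLogins++; }

    // Read only after all worker threads have been joined.
    public static int failures() { return failedLogins; }
}

class FailedLoginCounterSafe {
    private static int failedLogins = 0;
    private static final Object LOCK = new Object();   // one lock for the one shared field

    public void recordFailure() {
        synchronized (LOCK) { failedLogins++; }
    }
    public static int failures() {
        synchronized (LOCK) { return failedLogins; }
    }
}

public class SharedStaticDataDemo {
    // Starts 'threads' threads, each driving its own counter instance 'perThread' times.
    static void hammer(Supplier<Runnable> instancePerThread, int threads, int perThread)
            throws InterruptedException {
        Thread[] pool = new Thread[threads];
        for (int i = 0; i < threads; i++) {
            Runnable step = instancePerThread.get();   // a distinct instance per thread
            pool[i] = new Thread(() -> { for (int j = 0; j < perThread; j++) step.run(); });
            pool[i].start();
        }
        for (Thread t : pool) t.join();
    }

    public static void main(String[] args) throws InterruptedException {
        int threads = 8, perThread = 200_000;
        hammer(() -> {
            FailedLoginCounterUnsafe c = new FailedLoginCounterUnsafe();
            return c::recordFailure;
        }, threads, perThread);
        System.out.println("instance lock: " + FailedLoginCounterUnsafe.failures()
                + " of " + threads * perThread + " (lost updates likely)");
        hammer(() -> {
            FailedLoginCounterSafe c = new FailedLoginCounterSafe();
            return c::recordFailure;
        }, threads, perThread);
        System.out.println("static lock:   " + FailedLoginCounterSafe.failures()
                + " of " + threads * perThread + " (always exact)");
    }
}
```

Save as SharedStaticDataDemo.java. The first count usually comes out below 1,600,000 because the instance-locked increments race; the second is always exact. A lock must cover the data it protects, so data shared at class level needs a class-level (static) lock, which is the point of LCK06-J.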
  • v4.5.3 Changes

    January 04, 2022

    Security

    Fixed

    • Removed duplicated logging frameworks from the Eclipse plugin distribution (#1868)
    • Corrected class name validation to no longer fail for Kotlin classes on a class path containing special characters (#1883)
  • v4.5.2 Changes

    December 13, 2021

    Security

    • Bumped log4j from 2.14.1 to 2.16.0 to address CVE-2021-44228

    Fixed

    • False negative for the rule RV_DONT_JUST_NULL_CHECK_READLINE (#1821, #1820, #1819, #1818)
    • Updated RV_01_TO_INT to handle float and long checks (#1518)
  • v4.5.1 Changes

    December 08, 2021

    Fixed

    • Fixed the Ant task no longer producing XML (#1827)
    • Do not emit false positives of MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR and MC_OVERRIDABLE_METHOD_CALL_IN_CLONE for final classes (#1812)
    • Fixed reports not being creatable on the Windows platform (#1842)
  • v4.5.0 Changes

    November 05, 2021

    Changed

    • Replaced "分析" with "解析" in the Japanese document (#1573)
    • Added a section documenting how to integrate find-sec-bugs into spotbugs-maven-plugin (#540)
    • Bumped gson from 2.8.8 to 2.8.9 (#1784)
    • Changes related to dominators analysis in package edu.umd.cs.findbugs.classfile.engine.bcel (#1741):
      • DominatorsAnalysisFactory renamed to NonExceptionDominatorsAnalysisFactory (clarification)
      • NonExceptionPostdominatorsAnalysisFactory renamed to NonExceptionPostDominatorsAnalysisFactory (spelling)
      • NonImplicitExceptionDominatorsAnalysis introduced (API consistency)

    Added

    • Rule DCN_NULLPOINTER_EXCEPTION covers catching NullPointerException, in accordance with SEI CERT rule ERR08-J (#1740)
    • Multiple types of report can be generated in one batch. Set multiple command-line options for report configuration, for example -html=report/spotbugs.html -xml:withMessages=report/spotbugs.xml.
    • New rule REFL_REFLECTION_INCREASES_ACCESSIBILITY_OF_CLASS to detect public methods instantiating a class they receive as a parameter. This rule is based on SEI CERT rule SEC05-J, "Do not use reflection to increase accessibility of classes, methods, or fields".
    • New detector FindOverridableMethodCall to detect invocation of overridable methods in constructors (MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR) and in the clone() method (MC_OVERRIDABLE_METHOD_CALL_IN_CLONE), according to SEI CERT rules MET05-J, "Ensure that constructors do not call overridable methods", and MET06-J, "Do not invoke overridable methods in clone()".
    • Translation of the online manual to Brazilian Portuguese (PT-BR).

    Fixed

    Deprecated

    • The -output command-line option is deprecated. Use the command-line options for report configuration, such as -xml=spotbugs.xml, instead.
  • v4.4.2 Changes

    October 08, 2021

    Changed

    • Added the bug code to the report in fancy-hist.xsl (#1688)
    • Bumped Saxon-HE from 10.5 to 10.6 (#1715)

    Fixed

    • Fixed immutable java.lang.Class being flagged as EI (#1695)
    • Agreed the verb with its plural subject in the description of SW_SWING_METHODS_INVOKED_IN_SWING_THREAD (#1664)
    • Fixed the wrong description of SE_TRANSIENT_FIELD_OF_NONSERIALIZABLE_CLASS (#1664)
    • Fixed java.util.Locale being flagged as EI (#1702)
    • Fixed the reference to java.awt.Cursor which caused it to be flagged as EI (#1702)
    • Treat types annotated with @com.google.errorprone.annotations.Immutable as immutable (#1705)
    • Fixed the annotation check for jdk.internal.ValueBased (#1706)
    • Fixed DMI_RANDOM_USED_ONLY_ONCE false positive (#1539)
    • Fixed NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR false negative (#1642)
    • Fixed immutable java.util.regex.Pattern being flagged as EI (#1695)
    • Fixed a resource leak in JrtfsCodeBase (#1732)