Spotbugs v4.7.0 Release Notes

Release Date: 2022-04-14
  • 🔄 Changed

    • 📚 Updated documentation by adding parentheses () to the negative odd check message (#1995)
    • 🚀 Let the Plugin class implement AutoCloseable so we can release the .jar file (#2024)

  • 🛠 Fixed

    • 🛠 Fixed reports to truncate existing files before writing new content (#1950)
    • ⬆️ Bumped Saxon-HE from 10.6 to 11.3 (#1955, #1999)
    • 🛠 Fixed traversal of nested archives governed by -nested:true (#1930)
    • 🗄 Warnings of deprecated System::setSecurityManager calls on Java 17 (#1983)
    • 🛠 Fixed false positive SSD bug for locking on java.lang.Class objects (#1978)
    • 🛠 Fixed FindReturnRef unexpectedly throwing an IllegalArgumentException (#2019)
    • ⬆️ Bumped ObjectWeb ASM from 9.2 to 9.3, adding JDK 19 support (#2004)

  • ➕ Added

    • 🆕 New detector ThrowingExceptions and introduced new bug types:
      • THROWS_METHOD_THROWS_RUNTIMEEXCEPTION is reported when a method throws RuntimeException,
      • THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION is reported when a method has Exception in its throws clause, and
      • THROWS_METHOD_THROWS_CLAUSE_THROWABLE is reported when a method has Throwable in its throws clause (see SEI CERT ERR07-J)
    • New rule PERM_SUPER_NOT_CALLED_IN_GETPERMISSIONS to warn about custom class loaders that do not call their superclass's getPermissions() from their own getPermissions() method. This rule is based on SEI CERT rule SEC07-J, "Call the superclass's getPermissions() method when writing a custom class loader". (#SEC07-J)
    • New rule USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE to detect cases where a non-final method of a non-final class is called from a public method of a public class and then the same method is called again on the same object inside a doPrivileged block. Since the called method may have been overridden to behave differently on the first and second invocations, this is a possible security check based on an unreliable source. This rule is based on SEI CERT rule SEC02-J, "Do not base security checks on untrusted sources". (#SEC02-J)
    • New detector DontUseFloatsAsLoopCounters to detect the use of floating-point variables as loop counters (FL_FLOATS_AS_LOOP_COUNTERS), according to SEI CERT rule NUM09-J, "Do not use floating-point variables as loop counters"
    • 🆕 New test detector ViewCFG to visualize the control-flow graph for SpotBugs developers
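The SEC02-J shape that USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE looks for, shown as an added Java example that is not code from the SpotBugs project or its test suite; the Vault and Document classes and the readOnBehalfOf helper are constructed for illustration.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

public class Vault {
    // Constructed: a non-final class with a non-final accessor. A subclass supplied by
    // a caller could override getOwner() to return different values on successive calls.
    public static class Document {
        private final String owner;
        public Document(String owner) { this.owner = owner; }
        public String getOwner() { return owner; }
    }

    private final String currentUser;

    public Vault(String currentUser) { this.currentUser = currentUser; }

    // Non-compliant: the overridable getOwner() backs the security check and is then
    // called again on the same object inside doPrivileged. This is the pattern the rule reports.
    public void openUnsafe(Document doc) {
        if (!currentUser.equals(doc.getOwner())) {      // first invocation: the check
            throw new SecurityException("not the owner of this document");
        }
        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            readOnBehalfOf(doc.getOwner());             // second invocation: may differ
            return null;
        });
    }

    // Compliant: invoke the overridable method once, keep its (immutable String) result
    // in a local, and use that same value for both the check and the privileged action.
    public void openSafe(Document doc) {
        final String owner = doc.getOwner();
        if (!currentUser.equals(owner)) {
            throw new SecurityException("not the owner of this document");
        }
        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            readOnBehalfOf(owner);
            return null;
        });
    }

    private void readOnBehalfOf(String owner) {
        // Constructed placeholder for the privileged operation performed for owner.
        System.out.println("reading document for " + owner);
    }
}
```

AccessController is deprecated for removal since Java 17, so the example compiles with a deprecation warning on recent JDKs.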

Previous changes from v4.6.0

  • 🛠 Fixed

    • 🛠 Fixed spotbugs build with ecj compiler (#1903)
    • 🚚 Moved tests from spotbugs project to spotbugs-tests project (#1914)
    • 🛠 Fixed UI freezes in Eclipse on bug count decorations update (#285)
    • ⬆️ Bumped log4j from 2.17.1 to 2.17.2 (#1960)
    • ⬆️ Bumped gson from 2.8.9 to 2.9.0 (#1960)

  • ➕ Added

    • New detector FindInstanceLockOnSharedStaticData for new bug type SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA. This detector reports a bug if an instance-level lock is used to modify shared static data. (See SEI CERT rule LCK06-J)
    • New rule PERM_SUPER_NOT_CALLED_IN_GETPERMISSIONS to warn about custom class loaders that do not call their superclass's getPermissions() from their own getPermissions() method. This rule is based on SEI CERT rule SEC07-J, "Call the superclass's getPermissions() method when writing a custom class loader". (#SEC07-J)