7.16.0.30901

Release notes - SonarJava - 7.16

Bug

SONARJAVA-4127 UnsupportedOperationException when computing the signature of a MethodSymbol

SONARJAVA-4279 S1612 should not report an issue with incomplete semantics

SONARJAVA-4356 Several regular expressions are inefficient

SONARJAVA-4370 Memory leak in rule S5852 RedosCheck because regexCreations field is never cleaned

SONARJAVA-4371 Memory leak in multiple symbolic execution-based rules

SONARJAVA-4386 Members of RECORD tree are not ordered

SONARJAVA-4390 NPE in ECJ should be catched by JType.isSubtype(...)

SONARJAVA-4391 NPE in LombokFilter

SONARJAVA-4392 NPE in DivisionByZeroCheck

Documentation

SONARJAVA-4345 Update rules metadata

SONARJAVA-4374 S5411: Improve rule message, title, and description

SONARJAVA-4381 S1135: Update metadata to be explicit about main code only scope

False-Positive

SONARJAVA-4098 FP S1612 method reference should not be suggested when replacement is longer that actual code

SONARJAVA-4255 FP S1185(MethodOnlyCallsSuperCheck) with different modifiers

SONARJAVA-4281 Rule S1313: Exclude local IPv4-mapped IPv6 address

SONARJAVA-4292 Rule S1313: Exclude reserved documentation IP ranges

SONARJAVA-4329 FP on rule S1612 when replacing lambda on Integer conversion to String

SONARJAVA-4331 S1213 should not raise issues on static fields placed at the top of records

SONARJAVA-4343 FP on S2699 (Missing assertions in tests) with latest versions of AssertJ (>3.19) and newly added assertions

SONARJAVA-4347 FP in S1144 When annotated parameters are present

SONARJAVA-4353 S131 FP on switch that covers all enum constants

SONARJAVA-4354 S2259 FP on Springframework 5 annotations

SONARJAVA-4363 FP on S2272 when the next/previous() method calls another one which itself throw the NoSuchElementException

SONARJAVA-4365 S5786 should not report issues on classes defining publicly visible constants

SONARJAVA-4372 FP in rule S6204 when Collections.shuffle() is used as a mutator

SONARJAVA-4382 S1191 should not raise issues on imports from `com.sun.*` packages

New Feature

SONARJAVA-4266 Rule S6432: Counter Mode initialization vectors should not be reused

False Negative

SONARJAVA-4250 FN in S2692 when the number is coming from a constant

SONARJAVA-4283 S5838 does not handle primitive type inequality operators correctly

Improvement

SONARJAVA-4265 Improve the rule message of S1120

SONARJAVA-4268 Rule S5542: Detect CBC mode when used with padding

SONARJAVA-4269 S1711 should clean up type names replacing dollar signs with periods

SONARJAVA-4351 Update S5411 documentation with SONARJAVA-3570 exceptions

SONARJAVA-4384 Replace method `symbol()` on `MethodInvocationTree` and `NewClassTree` with `methodSymbol()` in public API

7.15.0.30507

Release notes - SonarJava - Version 7.15

Bug

SONARJAVA-4342 Nullness annotation on interface methods should be inherited in implementation methods

SONARJAVA-4341 IndexOutOfBoundsException when trying to access symbols of declared parameters of Compact constructor

SONARJAVA-4338 S1186: Inconsistent exceptions in documentation and implementation

SONARJAVA-4176 NPE in JSymbol.typeOwner

SONARJAVA-3529 S3958: Incorrect location in case of certain exceptional paths

Documentation

SONARJAVA-4333 Update sonar.java.jdkHome documentation

False Negative

SONARJAVA-4251 FN S2252(ForLoopFalseConditionCheck) does not support constants

False-Positive

SONARJAVA-4344 FP S3878 when the vararg has an array type

SONARJAVA-4336 S2384, 2386 should support methods from Guava returning immutable collections

SONARJAVA-4282 Exclude "com.sun.xml.ws" package from S1191 by default

SONARJAVA-4252 S2384, S2386 should support immutable collection creation from stream

SONARJAVA-4241 S1125: erroneous quick fix suggestion when negating a binary operation

SONARJAVA-4196 S5860 should cover methods start() and end() of 'java.util.regex.Matcher'

SONARJAVA-4072 FP S107 with Spring and micronaut annotations

SONARJAVA-4024 FP in S6019 because of RegexTreeHelper.isAnchoredAtEnd

SONARJAVA-3900 FP S3242(LeastSpecificTypeCheck) for functional interfaces

SONARJAVA-3896 FP S3329 should not raise when the IV is not defined

SONARJAVA-3890 S5996 should not raise an issue if $ is followed by a line break character

SONARJAVA-3668 FP on S1186: method annotated @Pointcut from AspectJ are often expected to be empty

Improvement

SONARJAVA-4335 S3776 should Ignore equals() and hashCode() methods similarly to S1541

SONARJAVA-4325 Change message suggestion for S3878 when method argument type is not Object

SONARJAVA-4257 Fix typo in S4605 message

New Feature

SONARJAVA-4349 Expose ClasspathForMain.getBinaryDirs() in public API

SONARJAVA-4348 Expose test classpath and binaries in the public API

Task

SONARJAVA-4346 Update rules metadata

SONARJAVA-4264 Remove deprecated common-java:DuplicatedBlocks rule from Sonar Way

7.14.0.30229

Release notes - SonarJava - Version 7.14

False-Positive

SONARJAVA-4330 Rule S2272: FP on method calls that are not next()

SONARJAVA-4242 SE should handle "booleanValue()" from Boolean wrapper

SONARJAVA-4174 S2259 should not raise an issue when a null variable is passed to Optional.ofNullable

SONARJAVA-4131 Add support of org.springframework.util.StringUtils#isEmpty

Improvement

SONARJAVA-4288 Update Analyzer Commons to 1.27: changes in Regex check and resources loading

SONARJAVA-4220 Update ECJ to 3.30.0

SONARJAVA-3891 Add support of org.apache.commons.lang3.ArrayUtils methods

New Feature

SONARJAVA-4284 Rules support PCI DSS Security Standard

SONARJAVA-4278 Rule S2068: Remove method checks

SONARJAVA-4275 Rule S6437: Credentials should not be hard-coded

Task

SONARJAVA-4332 Update rules metadata

7.13.0.29990

    Release Notes - SonarJava - Version 7.13

New Feature

• [SONARJAVA-4133] - Rule S6241 Region should be set explicitly when creating a new AwsClient
• [SONARJAVA-4134] - Rule S6242 Credentials Provider should be set explicitly when creating a new "AwsClient"
• [SONARJAVA-4135] - Rule S6243 Reusable resources should be initialized at construction time of Lambda functions
• [SONARJAVA-4136] - Rule S6244 Consumer Builders should be used
• [SONARJAVA-4137] - Rule S6246 Lambdas should not invoke other lambdas synchronously
• [SONARJAVA-4138] - Rule S6262 AWS region should not be set with a hardcoded String
• [SONARJAVA-4139] - Rule S6263 Using Long-term access keys are security-sensitive

Task

• [SONARJAVA-4270] - Add performance timers on the cache-aware analysis paths
• [SONARJAVA-4280] - Update rules metadata

Improvement

• [SONARJAVA-4271] - Do not attempt to scan without parsing in a context where files cannot be skipped
• [SONARJAVA-4276] - Message of S4968 should end with a full stop

7.12.1.29810

    Release Notes - SonarJava - Version 7.12.1

Bug

• [SONARJAVA-4267] - The Java analyzer crashes when running incremental analysis on generated files

False-Positive

• [SONARJAVA-4243] - FP in S6205 when the content of the block is not an expression

7.12.0.29739

    Release Notes - SonarJava - Version 7.12

Bug

• [SONARJAVA-4231] - NPE in JType.normalize

New Feature

• [SONARJAVA-2940] - Rule S4968: The upper bound of wildcard parameterized types should not be "final"
• [SONARJAVA-4149] - Rule S6326: Regular expressions should not contain multiple spaces
• [SONARJAVA-4150] - Rule S6396: Superfluous curly brace quantifiers should be avoided
• [SONARJAVA-4151] - Rule S6353: Regular expression quantifiers and character classes should be used concisely
• [SONARJAVA-4152] - Rule S6397: Character classes in regular expressions should not contain only one character
• [SONARJAVA-4154] - Rule S6331: Regular expressions should not contain empty groups
• [SONARJAVA-4170] - Rule S6395: Non-capturing groups without quantifier should not be used
• [SONARJAVA-4173] - Rule S6411 Types used as keys in Maps should implement Comparable
• [SONARJAVA-4209] - Introduce caching capabilities for Java rules
• [SONARJAVA-4222] - Rule S6418: Hard-coded secrets are security-sensitive
• [SONARJAVA-4223] - S5693: Remove requirement to re-parse files on each PR analysis
• [SONARJAVA-4224] - S4605: Remove requirement to re-parse files on each PR analysis
• [SONARJAVA-4225] - S1228: Remove requirement to re-parse files on each PR analysis
• [SONARJAVA-4226] - S4032: Remove requirement to re-parse files on each PR analysis

Task

• [SONARJAVA-4214] - Compiler flag "enablePreviewFeatures" should be enable for java version >= maximum supported version
• [SONARJAVA-4218] - Stop ignoring S2789 unit test related to javax.annotation.meta.When.NEVER
• [SONARJAVA-4236] - Rely on released version of Analyzer Commons
• [SONARJAVA-4245] - Extract ModuleScannerContext out InputFileScannerContext
• [SONARJAVA-4246] - Expose the EndOfAnalysis interface as part of the plugin API
• [SONARJAVA-4248] - Inroduce the notion of a module key that can be utilized by checks
• [SONARJAVA-4249] - Rely on Analyzer Commons for regex helper classes
• [SONARJAVA-4253] - Update rules metadata

Improvement

• [SONARJAVA-3838] - Add support for TimeUnit.sleep() in S2925
• [SONARJAVA-4153] - Refactor S5842 using sonar-analyzer-commons
• [SONARJAVA-4155] - Refactor S5843 using sonar-analyzer-commons
• [SONARJAVA-4156] - Refactor S5850 using sonar-analyzer-commons
• [SONARJAVA-4157] - Refactor S5855 using sonar-analyzer-commons
• [SONARJAVA-4158] - Refactor S5857 using sonar-analyzer-commons
• [SONARJAVA-4159] - Refactor S5867 using sonar-analyzer-commons
• [SONARJAVA-4160] - Refactor S5868 using sonar-analyzer-commons
• [SONARJAVA-4161] - Refactor S5869 using sonar-analyzer-commons
• [SONARJAVA-4162] - Refactor S5994 using sonar-analyzer-commons
• [SONARJAVA-4163] - Refactor S5996 using sonar-analyzer-commons
• [SONARJAVA-4164] - Refactor S6001 using sonar-analyzer-commons
• [SONARJAVA-4165] - Refactor S6002 using sonar-analyzer-commons
• [SONARJAVA-4166] - Refactor S6019 using sonar-analyzer-commons
• [SONARJAVA-4167] - Refactor S6035 using sonar-analyzer-commons
• [SONARJAVA-4188] - S4423 should not report an issue when the version is not set
• [SONARJAVA-4215] - S1943 (default system encoding) should not report an issue for Java >= 18
• [SONARJAVA-4217] - Merge S1158 and S2131
• [SONARJAVA-4228] - S6377: update the issue message
• [SONARJAVA-4230] - Allow client-side disabling of caching
• [SONARJAVA-4234] - Allow caching to be disabled (or enabled) by an overriding analyzer flag
• [SONARJAVA-4235] - Improve SonarJava caching API
• [SONARJAVA-4240] - S5693 stores a single cache entry per file

False-Positive

• [SONARJAVA-4172] - S6206 should not report on non-final classes
• [SONARJAVA-4204] - FP on S1221 when a method is overridden
• [SONARJAVA-4219] - S1121 should not report an issue for assignment in Java 14 switch
• [SONARJAVA-4221] - S6073 should support MockitoHamcrest adapter
• [SONARJAVA-4227] - FP in S2068 and S6418: Secrets and Password should be correctly isolated in string literals
• [SONARJAVA-4229] - FP S6418: Use frequency of character pairs to distinguish randomness
• [SONARJAVA-4232] - S3398 : FP when reaching outer method from another instance

False Negative

• [SONARJAVA-4206] - FN on S3012 in case of do-while loop

7.11.0.29148

    Release Notes - SonarJava - Version 7.11

Task

• [SONARJAVA-4216] - Enable preview features flag for Java 18

7.10.0.29108

    Release Notes - SonarJava - Version 7.10

Bug

• [SONARJAVA-3693] - Allow to exclude generated "*_jsp.java" files from analysis
• [SONARJAVA-4194] - Rule S1155 crash with stackoverflow when encountering large numbers of chained BinaryExpressionTrees
• [SONARJAVA-4207] - JAR files passed to sonar.java.libraries should be unlocked when not needed anymore in Batch mode

New Feature

• [SONARJAVA-4183] - Incremental PR analysis: Skip rules that don't need to be run on unchanged files
• [SONARJAVA-4199] - Enable batch mode by default

Task

• [SONARJAVA-4197] - Fallback to file by file mode when a batch fails to parse
• [SONARJAVA-4200] - Document incremental analysis
• [SONARJAVA-4202] - Rules Sanity Test should include test files of compiler test sources
• [SONARJAVA-4210] - Update rules metadata

Improvement

• [SONARJAVA-4179] - Logging of undefined types and missing libraries should be relevant in batch mode
• [SONARJAVA-4198] - JSP files should be correctly analyzed in batch mode

False-Positive

• [SONARJAVA-4094] - S1105: FP when using java 16 records and java 17 sealed classes' permitted types
• [SONARJAVA-4193] - FP on S3329 in case of simple assigments of the IV

7.9.0.28969

    Release Notes - SonarJava - Version 7.9

New Feature

• [SONARJAVA-4177] - Provide OWASP Top 10 2021 security standards for rules metadata
• [SONARJAVA-4181] - Introduce rule selection for AutoScan

Task

• [SONARJAVA-3707] - Deprecate S2658 in favor of S6173
• [SONARJAVA-4145] - Update rules metadata

Improvement

• [SONARJAVA-4186] - Rules testing subtypes should correctly handle incomplete semantic

False-Positive

• [SONARJAVA-4184] - FPs on S112 when the body of a method has unresolved methods or if a called constructor declare raw exceptions
• [SONARJAVA-4189] - FP in S3985 when all the usages of a class are not resolved
• [SONARJAVA-4191] - S4838 should not report false positives when the semantic is incomplete
• [SONARJAVA-4192] - S3077 should not report an issue when the type is unknown

7.8.1.28740

Release Notes - SonarJava - Version 7.8.1

Bug

• [SONARJAVA-4148] - Duplicated "Using ECJ batch to parse source files" logs

Improvement

• [SONARJAVA-3893] - Update S128 documentation to mention fallthrough exception

False-Positive

• [SONARJAVA-3887] - Rule S5808 should not raise when an exception is thrown
• [SONARJAVA-4144] - S2699 and S6103 should not report an issue in case of incomplete semantic
• [SONARJAVA-4146] - FP in batch mode caused by missing annotations on dependent generic classes