7.12.1.29810

    Release Notes - SonarJava - Version 7.12.1

Bug

• [SONARJAVA-4267] - The Java analyzer crashes when running incremental analysis on generated files

False-Positive

• [SONARJAVA-4243] - FP in S6205 when the content of the block is not an expression

7.12.0.29739

    Release Notes - SonarJava - Version 7.12

Bug

• [SONARJAVA-4231] - NPE in JType.normalize

New Feature

• [SONARJAVA-2940] - Rule S4968: The upper bound of wildcard parameterized types should not be "final"
• [SONARJAVA-4149] - Rule S6326: Regular expressions should not contain multiple spaces
• [SONARJAVA-4150] - Rule S6396: Superfluous curly brace quantifiers should be avoided
• [SONARJAVA-4151] - Rule S6353: Regular expression quantifiers and character classes should be used concisely
• [SONARJAVA-4152] - Rule S6397: Character classes in regular expressions should not contain only one character
• [SONARJAVA-4154] - Rule S6331: Regular expressions should not contain empty groups
• [SONARJAVA-4170] - Rule S6395: Non-capturing groups without quantifier should not be used
• [SONARJAVA-4173] - Rule S6411 Types used as keys in Maps should implement Comparable
• [SONARJAVA-4209] - Introduce caching capabilities for Java rules
• [SONARJAVA-4222] - Rule S6418: Hard-coded secrets are security-sensitive
• [SONARJAVA-4223] - S5693: Remove requirement to re-parse files on each PR analysis
• [SONARJAVA-4224] - S4605: Remove requirement to re-parse files on each PR analysis
• [SONARJAVA-4225] - S1228: Remove requirement to re-parse files on each PR analysis
• [SONARJAVA-4226] - S4032: Remove requirement to re-parse files on each PR analysis

Task

• [SONARJAVA-4214] - Compiler flag "enablePreviewFeatures" should be enable for java version >= maximum supported version
• [SONARJAVA-4218] - Stop ignoring S2789 unit test related to javax.annotation.meta.When.NEVER
• [SONARJAVA-4236] - Rely on released version of Analyzer Commons
• [SONARJAVA-4245] - Extract ModuleScannerContext out InputFileScannerContext
• [SONARJAVA-4246] - Expose the EndOfAnalysis interface as part of the plugin API
• [SONARJAVA-4248] - Inroduce the notion of a module key that can be utilized by checks
• [SONARJAVA-4249] - Rely on Analyzer Commons for regex helper classes
• [SONARJAVA-4253] - Update rules metadata

Improvement

• [SONARJAVA-3838] - Add support for TimeUnit.sleep() in S2925
• [SONARJAVA-4153] - Refactor S5842 using sonar-analyzer-commons
• [SONARJAVA-4155] - Refactor S5843 using sonar-analyzer-commons
• [SONARJAVA-4156] - Refactor S5850 using sonar-analyzer-commons
• [SONARJAVA-4157] - Refactor S5855 using sonar-analyzer-commons
• [SONARJAVA-4158] - Refactor S5857 using sonar-analyzer-commons
• [SONARJAVA-4159] - Refactor S5867 using sonar-analyzer-commons
• [SONARJAVA-4160] - Refactor S5868 using sonar-analyzer-commons
• [SONARJAVA-4161] - Refactor S5869 using sonar-analyzer-commons
• [SONARJAVA-4162] - Refactor S5994 using sonar-analyzer-commons
• [SONARJAVA-4163] - Refactor S5996 using sonar-analyzer-commons
• [SONARJAVA-4164] - Refactor S6001 using sonar-analyzer-commons
• [SONARJAVA-4165] - Refactor S6002 using sonar-analyzer-commons
• [SONARJAVA-4166] - Refactor S6019 using sonar-analyzer-commons
• [SONARJAVA-4167] - Refactor S6035 using sonar-analyzer-commons
• [SONARJAVA-4188] - S4423 should not report an issue when the version is not set
• [SONARJAVA-4215] - S1943 (default system encoding) should not report an issue for Java >= 18
• [SONARJAVA-4217] - Merge S1158 and S2131
• [SONARJAVA-4228] - S6377: update the issue message
• [SONARJAVA-4230] - Allow client-side disabling of caching
• [SONARJAVA-4234] - Allow caching to be disabled (or enabled) by an overriding analyzer flag
• [SONARJAVA-4235] - Improve SonarJava caching API
• [SONARJAVA-4240] - S5693 stores a single cache entry per file

False-Positive

• [SONARJAVA-4172] - S6206 should not report on non-final classes
• [SONARJAVA-4204] - FP on S1221 when a method is overridden
• [SONARJAVA-4219] - S1121 should not report an issue for assignment in Java 14 switch
• [SONARJAVA-4221] - S6073 should support MockitoHamcrest adapter
• [SONARJAVA-4227] - FP in S2068 and S6418: Secrets and Password should be correctly isolated in string literals
• [SONARJAVA-4229] - FP S6418: Use frequency of character pairs to distinguish randomness
• [SONARJAVA-4232] - S3398 : FP when reaching outer method from another instance

False Negative

• [SONARJAVA-4206] - FN on S3012 in case of do-while loop

7.11.0.29148

    Release Notes - SonarJava - Version 7.11

Task

• [SONARJAVA-4216] - Enable preview features flag for Java 18

7.10.0.29108

    Release Notes - SonarJava - Version 7.10

Bug

• [SONARJAVA-3693] - Allow to exclude generated "*_jsp.java" files from analysis
• [SONARJAVA-4194] - Rule S1155 crash with stackoverflow when encountering large numbers of chained BinaryExpressionTrees
• [SONARJAVA-4207] - JAR files passed to sonar.java.libraries should be unlocked when not needed anymore in Batch mode

New Feature

• [SONARJAVA-4183] - Incremental PR analysis: Skip rules that don't need to be run on unchanged files
• [SONARJAVA-4199] - Enable batch mode by default

Task

• [SONARJAVA-4197] - Fallback to file by file mode when a batch fails to parse
• [SONARJAVA-4200] - Document incremental analysis
• [SONARJAVA-4202] - Rules Sanity Test should include test files of compiler test sources
• [SONARJAVA-4210] - Update rules metadata

Improvement

• [SONARJAVA-4179] - Logging of undefined types and missing libraries should be relevant in batch mode
• [SONARJAVA-4198] - JSP files should be correctly analyzed in batch mode

False-Positive

• [SONARJAVA-4094] - S1105: FP when using java 16 records and java 17 sealed classes' permitted types
• [SONARJAVA-4193] - FP on S3329 in case of simple assigments of the IV

7.9.0.28969

    Release Notes - SonarJava - Version 7.9

New Feature

• [SONARJAVA-4177] - Provide OWASP Top 10 2021 security standards for rules metadata
• [SONARJAVA-4181] - Introduce rule selection for AutoScan

Task

• [SONARJAVA-3707] - Deprecate S2658 in favor of S6173
• [SONARJAVA-4145] - Update rules metadata

Improvement

• [SONARJAVA-4186] - Rules testing subtypes should correctly handle incomplete semantic

False-Positive

• [SONARJAVA-4184] - FPs on S112 when the body of a method has unresolved methods or if a called constructor declare raw exceptions
• [SONARJAVA-4189] - FP in S3985 when all the usages of a class are not resolved
• [SONARJAVA-4191] - S4838 should not report false positives when the semantic is incomplete
• [SONARJAVA-4192] - S3077 should not report an issue when the type is unknown

7.8.1.28740

Release Notes - SonarJava - Version 7.8.1

Bug

• [SONARJAVA-4148] - Duplicated "Using ECJ batch to parse source files" logs

Improvement

• [SONARJAVA-3893] - Update S128 documentation to mention fallthrough exception

False-Positive

• [SONARJAVA-3887] - Rule S5808 should not raise when an exception is thrown
• [SONARJAVA-4144] - S2699 and S6103 should not report an issue in case of incomplete semantic
• [SONARJAVA-4146] - FP in batch mode caused by missing annotations on dependent generic classes

7.8.0.28662

    Release Notes - SonarJava - Version 7.8

Bug

• [SONARJAVA-4128] - Record components of local records should not have the method as owner
• [SONARJAVA-4129] - NPE in S1450 when private field is used in a record

Task

• [SONARJAVA-4141] - Update rules metadata

Improvement

• [SONARJAVA-4059] - Rule S6373 XML parsers should not allow inclusion of arbitrary files
• [SONARJAVA-4062] - Rule S6374 XML parsers should not load external schemas
• [SONARJAVA-4065] - Rule S6376 XML parsers should not be vulnerable to Denial of Service attacks
• [SONARJAVA-4067] - Rule S6377 XML signatures should be validated securely

False-Positive

• [SONARJAVA-3839] - FP in S6212 when a method has parameterized return types
• [SONARJAVA-3842] - FP in S2755 when vulnerability is mitigated in another class
• [SONARJAVA-3899] - FP on S2755 when XML DocumentBuilderFactory is initialized inside initialized block
• [SONARJAVA-4008] - Rule S2755 should accept setExpandEntityReferences solution for openJDK >= 13

7.7.0.28547

    Release Notes - SonarJava - Version 7.7

Bug

• [SONARJAVA-4010] - NPE in JSymbol.hashCode()
• [SONARJAVA-4023] - The Java analyzer should populate the classpath with all the JARs provided by the SDK

New Feature

• [SONARJAVA-3770] - Implement rule S6217: Omit permitted types when subclasses are in the same file as their superclass

Task

• [SONARJAVA-3863] - Drop deprecated method "MethodSymbol.overriddenSymbol()"
• [SONARJAVA-4124] - Update license headers for 2022
• [SONARJAVA-4125] - Update rules metadata

Improvement

• [SONARJAVA-4057] - Do not generate FP when rules don't have semantic
• [SONARJAVA-4086] - Preview feature problems should not be logged under unresolved types
• [SONARJAVA-4101] - Update ECJ to 3.28.0
• [SONARJAVA-4103] - Rules S1905 - Highlight also the parenthesis of the reported issue
• [SONARJAVA-4104] - Rule S1197 Highlight the variable additionally to the []
• [SONARJAVA-4114] - Support classpath entries with comma
• [SONARJAVA-4115] - Custom rules plugin examples should shade dependencies and use latest packaging module
• [SONARJAVA-4118] - Introduce Java 17's Sealed Classes as final feature
• [SONARJAVA-4119] - Correctly parse Pattern-matching for switch from Java 17
• [SONARJAVA-4120] - Logs about preview features should not suggest "-enable-preview"

False-Positive

• [SONARJAVA-4060] - FP in S3252 when owner type is unknown
• [SONARJAVA-4070] - S1874(CallToDeprecatedMethodCheck) should ignore incomplete method signature
• [SONARJAVA-4074] - S5845: FP when using lombok.val
• [SONARJAVA-4090] - FP in S6206 when the constructor and the class have not the same visibility
• [SONARJAVA-4100] - Abstract classes should be excluded from S5790
• [SONARJAVA-4102] - S6204 should not raise an issue when removeIf is called on the list
• [SONARJAVA-4116] - Remove rule S2912 (IndexOfStartPositionCheck)
• [SONARJAVA-4117] - Support `@SuperBuilder` from Lombok
• [SONARJAVA-4122] - S3329 should not raise an issue for Cipher.DECRYPT_MODE
• [SONARJAVA-4123] - FP on S2384: Collections.emptyList() should be considered as immutable.

Documentation

• [SONARJAVA-4066] - Update custom rules 101 metadata documentation and template

False Negative

• [SONARJAVA-4055] - S4544 should raise on Interface in addition to Class
• [SONARJAVA-4058] - S5838 should support subtypes of Collections
• [SONARJAVA-4063] - FN in S3688 (disallowed classes) in case of Reflection
• [SONARJAVA-4108] - FN in S2189 : infinite do/while loops should be reported
• [SONARJAVA-4111] - FN on S1862 when equality parameters are inverted

7.6.0.28201

    Release Notes - SonarJava - Version 7.6

Bug

• [SONARJAVA-4020] - S5869(DuplicatesInCharacterClassCheck): Fix false-negative and crash on regex spanning low and upper case ranges

Task

• [SONARJAVA-3987] - Move all rules targeting XML from SonarJava to SonarQube XML Analyzer
• [SONARJAVA-3988] - Drop XmlFileSensor from Java Analyzer
• [SONARJAVA-4087] - Advertise minimal required JRE version
• [SONARJAVA-4088] - Update rules metadata

Improvement

• [SONARJAVA-4069] - Improve Nullability annotations support in S2638 (ChangeMethodContractCheck)
• [SONARJAVA-4078] - Improve Nullability annotations support in S2789 (NullShouldNotBeUsedWithOptionalCheck)
• [SONARJAVA-4079] - Improve Nullability annotations support in S4682 (PrimitivesMarkedNullableCheck)
• [SONARJAVA-4080] - Improve Nullability annotations support in S2637 (NonNullSetToNullCheck)
• [SONARJAVA-4081] - Improve Nullability annotations support in S4454 (EqualsParametersMarkedNonNullCheck)
• [SONARJAVA-4082] - Improve Nullability annotations support in S2447 (BooleanMethodReturnCheck)
• [SONARJAVA-4083] - Improve Nullability annotations support in S1168 (ReturnEmptyArrayNotNullCheck)
• [SONARJAVA-4084] - Improve Nullability annotations support in S4449 (ParameterNullnessCheck)
• [SONARJAVA-4085] - Improve Nullability annotations support in S2259 (NullDereferenceCheck)
• [SONARJAVA-4089] - Improve Nullability annotations support in Exploded graph walker
• [SONARJAVA-4091] - Use of Java 17 feature should not lead to a warning message

7.5.0.28054

    Release Notes - SonarJava - Version 7.5

Bug

• [SONARJAVA-4068] - S2118-S2441: Fix StackOverflowError raised for self assigned variables

Task

• [SONARJAVA-4052] - Provide quick fix availability to SQ
• [SONARJAVA-4075] - Update rules metadata

Improvement

• [SONARJAVA-4048] - Update ECJ to 3.27.0 and require Java 11

False-Positive

• [SONARJAVA-4047] - S2699: Fix FP with "andExpectAll" introduced in recent version of Spring Test
• [SONARJAVA-4064] - S2055: Fix FP when the semantic is incomplete
• [SONARJAVA-4073] - S3751 should accept protected and package scope modifiers