3.11.0.6645

Bug

• [SONARPHP-1055] - S1451 should not crash on short files
• [SONARPHP-1077] - OufOfMemory in InheritanceDepthCheck

Task

• [SONARPHP-1060] - Update README with PHP 8 support
• [SONARPHP-1075] - S4784 should be deprecated because it's too noisy

Improvement

• [SONARPHP-1034] - Parser should handle union types
• [SONARPHP-1035] - Parser should handle new nullsafe operator syntax
• [SONARPHP-1036] - Parser should handle named arguments
• [SONARPHP-1037] - Parser should handle new annotation attribute syntax
• [SONARPHP-1038] - Parser should handle match expression
• [SONARPHP-1039] - Parser should handle constructor property promotion
• [SONARPHP-1040] - Parser should handle new static return type
• [SONARPHP-1041] - Parser should handle new mixed type
• [SONARPHP-1042] - Parser should handle new throw expression syntax
• [SONARPHP-1044] - Parser should handle ::class on objects
• [SONARPHP-1045] - Parser should handle non-capturing catches
• [SONARPHP-1046] - Parser should handle trailing comma in parameter lists
• [SONARPHP-1047] - Parser should handle trailing comma in closure use lists
• [SONARPHP-1054] - Adapt existing rules to named arguments

3.10.0.6474

Bug

• [SONARPHP-983] - Object instantiation with method should raise parser error
• [SONARPHP-1032] - S3699: Issue message contains "null" due to wrong method name resolving
• [SONARPHP-1033] - StackOverflow in S1764 IdenticalOperandsInBinaryExpressionCheck
• [SONARPHP-1052] - StackOverflow when scanning Abantecart

Task

• [SONARPHP-1048] - Fix outdated URLs in pom.xml
• [SONARPHP-1050] - Update orchestrator to version 3.30.0.2630

False-Positive

• [SONARPHP-885] - S2077: Resolve variable constant values to avoid noisy issues
• [SONARPHP-973] - Rule S5527 should not raise when CURLOPT_SSL_VERIFYHOST is set to 1/TRUE
• [SONARPHP-1028] - Revise rule S125 to reduce false positive noise
• [SONARPHP-1030] - S1172 shoudn't raise issues on functions which call "func_get_args"
• [SONARPHP-1031] - Reduce noise of S1172 unused function parameters should be removed
• [SONARPHP-1049] - Private constant's are reported as unused when used before init

False Negative

• [SONARPHP-754] - UseOfUninitializedVariableCheck should use a CFG to find new issues

3.9.0.6331

Bug

• [SONARPHP-1022] - Regex in S1186 implementation leads to a StackOverflowError
• [SONARPHP-1024] - NCLOC and other metrics should not be fed for PHP test files

New Feature

• [SONARPHP-371] - S110: Inheritance tree of classes should not be too deep
• [SONARPHP-1009] - S930: The number of arguments passed to a function should match the number of parameters

Task

• [SONARPHP-1025] - Compliant and Noncompliant code examples of S5915 are the same.

Improvement

• [SONARPHP-1010] - S3699: consider cross-file knowledge of method declarations to get possible returns
• [SONARPHP-1011] - S2234: consider cross-file knowledge of function declarations to get parameter order
• [SONARPHP-1018] - S100: exclude overriding methods based on cross-file resolution of hierarchy
• [SONARPHP-1019] - S107: exclude overriding methods based on cross-file resolution of hierarchy
• [SONARPHP-1020] - S1172: exclude overriding methods based on cross-file resolution of hierarchy
• [SONARPHP-1021] - Log the currently analyzed file name when a StackOverflowError happens
• [SONARPHP-1023] - S1186: Check only comments that are directly above the method

3.8.1.6222

Bug

• [SONARPHP-1024] - NCLOC and other metrics should not be fed for PHP test files

3.8.0.6152

New Feature

• [SONARPHP-984] - Add rule S2699: Tests should include assertions
• [SONARPHP-986] - Add rule S2187: TestCases should contain tests
• [SONARPHP-987] - Add rule S5785: PHPUnit assertTrue/assertFalse should be simplified to the corresponding dedicated assertion
• [SONARPHP-989] - Add rule S3415: Assertion arguments should be passed in the correct order
• [SONARPHP-990] - Add rule S2701: Literal boolean values should not be used in assertions
• [SONARPHP-991] - Add rule S5783: Only one method invocation is expected when testing checked exceptions
• [SONARPHP-992] - Add rule S1607: Tests should not be ignored
• [SONARPHP-993] - Add rule S5779: Assertion methods should not be used within the try block of a try-catch catching an Exception
• [SONARPHP-994] - Add rule S5899: Test methods should be discoverable
• [SONARPHP-995] - Add rule S5863: Assertions should not compare an object to itself
• [SONARPHP-999] - Add rule S3360: Test class names should end with "Test"
• [SONARPHP-1006] - Create an abstract PhpUnitCheck class
• [SONARPHP-1007] - Add rule S5935: Framework-provided functions should be used to test exceptions
• [SONARPHP-1008] - Add rules S5915: Assertions should not be made at the end of blocks expecting an exception

Improvement

• [SONARPHP-1005] - Enable checks on project test files

3.7.0.5943

Release Notes - Version 3.7

New Feature

• [SONARPHP-976] - Rule S5708: Caught Exceptions must derive from Throwable
• [SONARPHP-977] - Rule S1045: All "catch" blocks should be able to catch exceptions
• [SONARPHP-978] - Rule S5713: A subclass should not be in the same "catch" clause as a parent class
• [SONARPHP-979] - Rule S5632: Raised Exceptions must derive from Throwable
• [SONARPHP-1000] - RSPEC-5911 Class of caught exception should be defined

Improvement

• [SONARPHP-980] - S3984 should check whether a class extends Exception
• [SONARPHP-981] - Fix issue message for S2166
• [SONARPHP-982] - S2166 detects exception classes case-insensitive

3.6.0.5808

Bug

• [SONARPHP-735] - Parse error: use an array to invoke a method
• [SONARPHP-903] - Parse error on indirect call from constant
• [SONARPHP-928] - Parsing error when calling function called 'null'
• [SONARPHP-968] - Crash in DataEncryptionCheck

New Feature

• [SONARPHP-822] - Rule S4824: References used in "foreach" loops should be "unset"
• [SONARPHP-935] - Update S4830 to match new RSPEC content
• [SONARPHP-936] - Rule S5527: Server hostnames should be verified during SSL/TLS connections
• [SONARPHP-938] - Rule S5547: Cipher algorithms should be robust
• [SONARPHP-940] - RSPEC-5542 Encryption algorithms should be used with secure mode and padding scheme

Task

• [SONARPHP-971] - Update dependencies on Apache commons-lang

Improvement

• [SONARPHP-939] - Deprecate S2278 in favor of S5547
• [SONARPHP-941] - Deprecate S2277 in favor of S5542
• [SONARPHP-967] - Rule S4790: its content should be replaced by S2070
• [SONARPHP-969] - Update commons.io.version to 2.7+
• [SONARPHP-970] - Improve S1192 to reduce noise of duplicated string literals
• [SONARPHP-972] - Rule S4790 should raise when insecure algos are passed to hash(), hash_init(), hash_pbkdf2(), mhash()

False-Positive

• [SONARPHP-857] - FP S1854: "use" clause of function expression

3.5.0.5655

Release Notes - SonarSource Analyzer for PHP - Version 3.5

New Feature

• [SONARPHP-693] - Rule S1226: Method parameters, caught exceptions and foreach variables' initial values should not be ignored
• [SONARPHP-751] - Rule S2166: Classes named like "Exception" should extend "Exception" or a subclass
• [SONARPHP-764] - Rule: Array values should not be replaced unconditionally
• [SONARPHP-765] - Rule: Unary prefix operators should not be repeated
• [SONARPHP-769] - Rule: Methods should not be empty
• [SONARPHP-772] - Rule: Octal values should not be used
• [SONARPHP-774] - Rule: "switch" statements should not be nested
• [SONARPHP-775] - Rule: Parameters should be passed in the correct order
• [SONARPHP-790] - Rule S1155: "empty()" should be used to test for emptiness
• [SONARPHP-791] - Rule S1940: Boolean checks should not be inverted

3.4.0.5461

Release Notes - SonarPHP - Version 3.4

False-Positive

• [SONARPHP-789] - FP on S2037 (SelfKeywordUsageCheck): constant from parent class declared in another file
• [SONARPHP-853] - FP S1144 when anonymous nested class
• [SONARPHP-884] - RSPEC-1603 should not raise issues on namespaced classes
• [SONARPHP-906] - S1125 should ignore operands of ternary operator
• [SONARPHP-930] - FP on S1185 when a method defines default values for parameters
• [SONARPHP-932] - FP: CodeFollowingJumpStatementCheck should ignore PHP closing tags
• [SONARPHP-949] - False Positive S905: @phan-var statement
• [SONARPHP-959] - Rule S2068: filter string literal that contains the wordlist item
• [SONARPHP-960] - Rule S2068: filter database query parameters
• [SONARPHP-961] - FP on anonymous function for "$this should not be used in a static context"

Task

• [SONARPHP-937] - Remove rule S1536 that can be spotted by PHP interpreter
• [SONARPHP-963] - Change issue type of S3011 to code smell

Improvement

• [SONARPHP-927] - Stop logging warnings when importing test results based on 'dataProvider'
• [SONARPHP-948] - Deprecate RSPEC-2964
• [SONARPHP-951] - The progress report should report the current file instead of the next one
• [SONARPHP-956] - S2068 should detect hardcoded credentials in LDAP and database functions
• [SONARPHP-957] - Rule S2068: support URI userinfo component
• [SONARPHP-962] - Update branding to drop 'SonarPHP'
• [SONARPHP-964] - Fix performance issue on PHPTree.getLastToken()

SonarPHP 2.12-RC1

SNAPSHOT version of the plugin to allow users to test the plugin during the request for feedback for the release 2.12.

Important: the minimal compatibility has change to SonarQube 6.7 LTS.

This version fixes 7 rules, feeds "Cognitive Complexity Metric" and introduces 20 new rules:

• S1110: Redundant parentheses should be removed
• S3923: All branches in a conditional structure should not have exactly the same implementation
• S2757: "=+" should not be used instead of "+="
• S3972: Conditionals should start on new lines
• S3973: Conditionally executed code should be denoted by either indentation or curly braces
• S3801: Functions should use "return" consistently
• S3699: The output of functions that don't return anything should not be used
• S2201: Return values from functions without side effects should not be ignored
• S3981: Collection sizes and array length comparisons should make sense
• S2123: Values should not be uselessly incremented
• S4144: Methods should not have identical implementations
• S3984: Exception should not be created without being thrown
• S1075: URIs should not be hardcoded
• S4142: Duplicate values should not be passed as arguments
• S1121: Assignments should not be made from within sub-expressions
• S3358: Ternary operators should not be nested
• S2737: "catch" clauses should do more than rethrow
• NoSonar: Track uses of "NOSONAR" comments
• S2251: A "for" loop update clause should move the counter in the right direction
• S836: Variables should be initialized before use

Release Notes