7.8.0.28662

    Release Notes - SonarJava - Version 7.8

Bug

• [SONARJAVA-4128] - Record components of local records should not have the method as owner
• [SONARJAVA-4129] - NPE in S1450 when private field is used in a record

Task

• [SONARJAVA-4141] - Update rules metadata

Improvement

• [SONARJAVA-4059] - Rule S6373 XML parsers should not allow inclusion of arbitrary files
• [SONARJAVA-4062] - Rule S6374 XML parsers should not load external schemas
• [SONARJAVA-4065] - Rule S6376 XML parsers should not be vulnerable to Denial of Service attacks
• [SONARJAVA-4067] - Rule S6377 XML signatures should be validated securely

False-Positive

• [SONARJAVA-3839] - FP in S6212 when a method has parameterized return types
• [SONARJAVA-3842] - FP in S2755 when vulnerability is mitigated in another class
• [SONARJAVA-3899] - FP on S2755 when XML DocumentBuilderFactory is initialized inside initialized block
• [SONARJAVA-4008] - Rule S2755 should accept setExpandEntityReferences solution for openJDK >= 13

7.7.0.28547

    Release Notes - SonarJava - Version 7.7

Bug

• [SONARJAVA-4010] - NPE in JSymbol.hashCode()
• [SONARJAVA-4023] - The Java analyzer should populate the classpath with all the JARs provided by the SDK

New Feature

• [SONARJAVA-3770] - Implement rule S6217: Omit permitted types when subclasses are in the same file as their superclass

Task

• [SONARJAVA-3863] - Drop deprecated method "MethodSymbol.overriddenSymbol()"
• [SONARJAVA-4124] - Update license headers for 2022
• [SONARJAVA-4125] - Update rules metadata

Improvement

• [SONARJAVA-4057] - Do not generate FP when rules don't have semantic
• [SONARJAVA-4086] - Preview feature problems should not be logged under unresolved types
• [SONARJAVA-4101] - Update ECJ to 3.28.0
• [SONARJAVA-4103] - Rules S1905 - Highlight also the parenthesis of the reported issue
• [SONARJAVA-4104] - Rule S1197 Highlight the variable additionally to the []
• [SONARJAVA-4114] - Support classpath entries with comma
• [SONARJAVA-4115] - Custom rules plugin examples should shade dependencies and use latest packaging module
• [SONARJAVA-4118] - Introduce Java 17's Sealed Classes as final feature
• [SONARJAVA-4119] - Correctly parse Pattern-matching for switch from Java 17
• [SONARJAVA-4120] - Logs about preview features should not suggest "-enable-preview"

False-Positive

• [SONARJAVA-4060] - FP in S3252 when owner type is unknown
• [SONARJAVA-4070] - S1874(CallToDeprecatedMethodCheck) should ignore incomplete method signature
• [SONARJAVA-4074] - S5845: FP when using lombok.val
• [SONARJAVA-4090] - FP in S6206 when the constructor and the class have not the same visibility
• [SONARJAVA-4100] - Abstract classes should be excluded from S5790
• [SONARJAVA-4102] - S6204 should not raise an issue when removeIf is called on the list
• [SONARJAVA-4116] - Remove rule S2912 (IndexOfStartPositionCheck)
• [SONARJAVA-4117] - Support `@SuperBuilder` from Lombok
• [SONARJAVA-4122] - S3329 should not raise an issue for Cipher.DECRYPT_MODE
• [SONARJAVA-4123] - FP on S2384: Collections.emptyList() should be considered as immutable.

Documentation

• [SONARJAVA-4066] - Update custom rules 101 metadata documentation and template

False Negative

• [SONARJAVA-4055] - S4544 should raise on Interface in addition to Class
• [SONARJAVA-4058] - S5838 should support subtypes of Collections
• [SONARJAVA-4063] - FN in S3688 (disallowed classes) in case of Reflection
• [SONARJAVA-4108] - FN in S2189 : infinite do/while loops should be reported
• [SONARJAVA-4111] - FN on S1862 when equality parameters are inverted

7.6.0.28201

    Release Notes - SonarJava - Version 7.6

Bug

• [SONARJAVA-4020] - S5869(DuplicatesInCharacterClassCheck): Fix false-negative and crash on regex spanning low and upper case ranges

Task

• [SONARJAVA-3987] - Move all rules targeting XML from SonarJava to SonarQube XML Analyzer
• [SONARJAVA-3988] - Drop XmlFileSensor from Java Analyzer
• [SONARJAVA-4087] - Advertise minimal required JRE version
• [SONARJAVA-4088] - Update rules metadata

Improvement

• [SONARJAVA-4069] - Improve Nullability annotations support in S2638 (ChangeMethodContractCheck)
• [SONARJAVA-4078] - Improve Nullability annotations support in S2789 (NullShouldNotBeUsedWithOptionalCheck)
• [SONARJAVA-4079] - Improve Nullability annotations support in S4682 (PrimitivesMarkedNullableCheck)
• [SONARJAVA-4080] - Improve Nullability annotations support in S2637 (NonNullSetToNullCheck)
• [SONARJAVA-4081] - Improve Nullability annotations support in S4454 (EqualsParametersMarkedNonNullCheck)
• [SONARJAVA-4082] - Improve Nullability annotations support in S2447 (BooleanMethodReturnCheck)
• [SONARJAVA-4083] - Improve Nullability annotations support in S1168 (ReturnEmptyArrayNotNullCheck)
• [SONARJAVA-4084] - Improve Nullability annotations support in S4449 (ParameterNullnessCheck)
• [SONARJAVA-4085] - Improve Nullability annotations support in S2259 (NullDereferenceCheck)
• [SONARJAVA-4089] - Improve Nullability annotations support in Exploded graph walker
• [SONARJAVA-4091] - Use of Java 17 feature should not lead to a warning message

7.5.0.28054

    Release Notes - SonarJava - Version 7.5

Bug

• [SONARJAVA-4068] - S2118-S2441: Fix StackOverflowError raised for self assigned variables

Task

• [SONARJAVA-4052] - Provide quick fix availability to SQ
• [SONARJAVA-4075] - Update rules metadata

Improvement

• [SONARJAVA-4048] - Update ECJ to 3.27.0 and require Java 11

False-Positive

• [SONARJAVA-4047] - S2699: Fix FP with "andExpectAll" introduced in recent version of Spring Test
• [SONARJAVA-4064] - S2055: Fix FP when the semantic is incomplete
• [SONARJAVA-4073] - S3751 should accept protected and package scope modifiers

7.4.0.27839

    Release Notes - SonarJava - Version 7.4

Bug

• [SONARJAVA-4021] - Wrong message in S1128 with unused imports from a sub-package

New Feature

• [SONARJAVA-4029] - Rule S6301: Mobile database encryption keys should not be disclosed
• [SONARJAVA-4030] - Rule S6291: Using unencrypted databases in mobile applications is security-sensitive
• [SONARJAVA-4031] - Rule S6300: Using unencrypted files in mobile applications is security-sensitive
• [SONARJAVA-4034] - Rule S4507: Add WebView debug settings
• [SONARJAVA-4036] - Rule S6362: Enabling JavaScript support for WebViews is security-sensitive
• [SONARJAVA-4037] - Rule S6363: Enabling file access for WebViews is security-sensitive

Task

• [SONARJAVA-4018] - Deprecate S2039 for Java
• [SONARJAVA-4045] - Update rules metadata

Improvement

• [SONARJAVA-3866] - Rule S6293: Using a biometric authentication independent of a cryptographic solution is security-sensitive
• [SONARJAVA-3868] - Rule S6288: Authorizing non-authenticated users to use keys in the Android KeyStore is security-sensitive
• [SONARJAVA-4039] - Rule S5332: support Android WebView insecure mixed content policy
• [SONARJAVA-4046] - Avoid unnecessary TextEdit in quick fixes
• [SONARJAVA-4049] - S2647: remove CWE-311 from "securityStandards" to match the "See" section

False-Positive

• [SONARJAVA-2250] - FP on S2695 when the query is built in multiple statements
• [SONARJAVA-3953] - S2095 should ignore ByteArrayOutputStream from apache.commons
• [SONARJAVA-4014] - S1214 should not report interface with a parent
• [SONARJAVA-4015] - FP in S1641 when the initializer is a ternary expression
• [SONARJAVA-4016] - FP in S6206 when the return type of the getter is not the same as the one from the field
• [SONARJAVA-4025] - FP in S2637 with non-null primitive field not initialized
• [SONARJAVA-4040] - S1612 should not suggest casting though method reference for generic classes
• [SONARJAVA-4041] - S1166 should not ignore whitelist when union type is used in catch

Documentation

• [SONARJAVA-4042] - Document the quick fix metadata

False Negative

• [SONARJAVA-4011] - S2119: Random() not detected when used directly in MemberSelectExpression
• [SONARJAVA-4019] - FN in S2695 when the integer argument is coming from a constant
• [SONARJAVA-4032] - S5322 should raise on Activity or any sub classes of Context
• [SONARJAVA-4033] - S5320 should raise on Activity or any sub classes of Context
• [SONARJAVA-4038] - S5324 should raise on Activity or any sub classes of Context

7.3.0.27589

    Release Notes - SonarJava - Version 7.3

Sub-task

• [SONARJAVA-3909] - Add quick fixes for S1481 (UnusedLocalVariableCheck)
• [SONARJAVA-3910] - Add quick fixes for S2293 (DiamondOperatorCheck)
• [SONARJAVA-3911] - Add quick fixes for S1155 (CollectionIsEmptyCheck)
• [SONARJAVA-3913] - Add quick fixes for S1130 (RedundantThrowsDeclarationCheck)
• [SONARJAVA-3915] - Add quick fixes for S1124 (ModifiersOrderCheck)
• [SONARJAVA-3916] - Add quick fixes for S1128 (UselessImportCheck)
• [SONARJAVA-3917] - Add quick fixes for S1161 (OverrideAnnotationCheck)
• [SONARJAVA-3918] - Add quick fixes for S1186 (EmptyMethodsCheck)
• [SONARJAVA-3919] - Add quick fixes for S5786 (JUnit5DefaultPackageClassAndMethodCheck)
• [SONARJAVA-3921] - Add quick fixes for S1905 (RedundantTypeCastCheck)
• [SONARJAVA-3922] - Add quick fixes for S3415 (AssertionArgumentOrderCheck)
• [SONARJAVA-3923] - Add quick fixes for S1068 (UnusedPrivateFieldCheck)
• [SONARJAVA-3925] - Add quick fixes for S1197 (ArrayDesignatorOnVariableCheck)
• [SONARJAVA-3926] - Add quick fixes for S1125 (BooleanLiteralCheck)
• [SONARJAVA-3927] - Add quick fixes for S3252 (StaticMemberAccessCheck)
• [SONARJAVA-3928] - Add quick fixes for S1319 (CollectionImplementationReferencedCheck)
• [SONARJAVA-3929] - Add quick fixes for S1172 (UnusedMethodParameterCheck)
• [SONARJAVA-3930] - Add quick fixes for S1612 (ReplaceLambdaByMethodRefCheck)
• [SONARJAVA-3931] - Add quick fixes for S1168 (ReturnEmptyArrayNotNullCheck)
• [SONARJAVA-3933] - Add quick fixes for S5411 (BoxedBooleanExpressionsCheck)
• [SONARJAVA-3934] - Add quick fixes for S1144 (UnusedPrivateMethodCheck)
• [SONARJAVA-3939] - Add quick fixes for S1116 (EmptyStatementUsageCheck)
• [SONARJAVA-3940] - Add quick fixes for S1858 (StringToStringCheck)
• [SONARJAVA-3941] - Add quick fixes for S1659 (OneDeclarationPerLineCheck)
• [SONARJAVA-3942] - Add quick fixes for S2209 (StaticMembersAccessCheck)
• [SONARJAVA-3943] - Add quick fixes for S5838 (AssertJChainSimplificationCheck)
• [SONARJAVA-3944] - Add quick fixes for S2325 (StaticMethodCheck)
• [SONARJAVA-3945] - Add quick fixes for S1107 (RightCurlyBraceSameLineAsNextBlockCheck)
• [SONARJAVA-3946] - Add quick fixes for S1488 (ImmediatelyReturnedVariableCheck)
• [SONARJAVA-3948] - Add quick fixes for S2153 (ImmediateReverseBoxingCheck)
• [SONARJAVA-3949] - Add quick fixes for S2446 (NotifyCheck)
• [SONARJAVA-3950] - Add quick fixes for S2200 (CompareToResultTestCheck)
• [SONARJAVA-3951] - Add quick fixes for S5164 (ThreadLocalCleanupCheck)
• [SONARJAVA-3952] - Add quick fixes for S2111 (BigDecimalDoubleConstructorCheck)
• [SONARJAVA-3955] - Add quick fixes for S4973 (CompareStringsBoxedTypesWithEqualsCheck)
• [SONARJAVA-3958] - Add quick fixes for S3984 (UnusedThrowableCheck)
• [SONARJAVA-3960] - Extends CheckVerifier to support testing of Quick-fixes
• [SONARJAVA-3961] - Add quick fixes for S3986 (DateFormatWeekYearCheck)
• [SONARJAVA-3962] - Add quick fixes for S3020 (ToArrayCheck)
• [SONARJAVA-3998] - Add quick fixes for S1195 (ArrayDesignatorAfterTypeCheck)

Bug

• [SONARJAVA-3969] - CheckVerifier expect too many issues when a //Noncompliant comment is placed after a multi-variable declaration
• [SONARJAVA-3990] - S1120 should not crash on code containing line breaking control characters
• [SONARJAVA-3993] - S6073 should not produce a NullPointerException when trying to read the body of an abstract method
• [SONARJAVA-4003] - Fix Deadlock on ProgressMonitor

New Feature

• [SONARJAVA-3854] - Rule S5329: Collection constructors should not be used as java.util.function.Function
• [SONARJAVA-3906] - Quick fixes for CODE SMELLS requiring trivial changes without compilation impact
• [SONARJAVA-3936] - Quick fixes for BUGS requiring trivial changes without compilation impact

Task

• [SONARJAVA-4004] - Extend QuickFixHelper with nextVariable and previousVariable
• [SONARJAVA-4005] - Update rules metadata
• [SONARJAVA-4006] - Update SonarLint core version to use the new version of the API

Improvement

• [SONARJAVA-3864] - Missing arguments in Deprecated annotation should be reported in its own rule
• [SONARJAVA-3867] - S2479 Add a flag to allow tabs in string literals
• [SONARJAVA-3881] - Change message of S3655 to mention isEmpty and improve rule description
• [SONARJAVA-3907] - Add support for SonarLint quick fixes in the Java analyzer
• [SONARJAVA-3947] - Typo in S6216 issue description
• [SONARJAVA-3965] - Provide a new extensible API for issue reporting
• [SONARJAVA-3989] - Remove overlap between S2638 and S4454 with "nonnull" argument of "equals" method
• [SONARJAVA-4001] - Compute the end position of multi-line token only once
• [SONARJAVA-4002] - S1659 should report only one issue per line

False-Positive

• [SONARJAVA-3905...

7.2.0.26923

    Release Notes - SonarJava - Version 7.2.0.26923

Bug

• [SONARJAVA-3872] - "JSymbol.convertMetadata" should not throw an Exception when ecj fails
• [SONARJAVA-3897] - Fix S1845(MembersDifferOnlyByCapitalizationCheck) duplicated issues
• [SONARJAVA-3904] - Java 16's record keyword and sealed classes-related keywords should be highlighted as keywords

New Feature

• [SONARJAVA-3745] - Implement rule S6204: Use Stream.toList() instead of collectors
• [SONARJAVA-3748] - Implement rule S6206: Use records to represent immutable data structures
• [SONARJAVA-3752] - Implement rule S6207: Avoid redundant constructors/methods in records
• [SONARJAVA-3754] - Implement rule S6209: Ignored members during record serialization
• [SONARJAVA-3758] - Implement rule S6211: Prefer overriding default record's getter
• [SONARJAVA-3768] - Implement rule S6216: Reflection should not be used to update record's field value
• [SONARJAVA-3771] - Implement rule S6218: Equals should be overridden in the record with array fields
• [SONARJAVA-3773] - Implement rule S6219: Don't set 'serialVersionUID' to '0L' in records

Task

• [SONARJAVA-3894] - [AutoScan] batchMode should support multi-modules scope
• [SONARJAVA-3903] - Update rules metadata

Improvement

• [SONARJAVA-3740] - Extend rule S1481 to report on unused variables in pattern matching on instanceof
• [SONARJAVA-3746] - Extend rule S2201 to support 'Stream' non-void terminal methods
• [SONARJAVA-3755] - Update rule S2057 to not report on 'Serializable' records
• [SONARJAVA-3760] - Improve rule S2094: 'Classes should not be empty' to support Records
• [SONARJAVA-3763] - Support Records in rules targeting Classes
• [SONARJAVA-3769] - Remove record fields from reporting in S3011: Reflection fields update
• [SONARJAVA-3902] - Use secondary locations in S1845 (Members differs only by capitalization)

False-Positive

• [SONARJAVA-3892] - Exclude "com.sun.jersey" and "com.sun.faces" from S1191 by default
• [SONARJAVA-3898] - Don't apply S5838 for calls to equals in methods with "equals" in the name
• [SONARJAVA-3901] - FP in S2245 (PseudeRandomCheck) when passing a SecureRandom object as parameter

7.1.0.26670

    Release Notes - SonarJava - Version 7.1.0.26670

Bug

• [SONARJAVA-3799] - Visit records' members correctly
• [SONARJAVA-3876] - S3986 produces an IndexOutOfBoundsException on calls to super
• [SONARJAVA-3883] - Semantic API Symbol#type() is not @nullable but return 'null'
• [SONARJAVA-3885] - NPE in S1176 (UndocumentedApiCheck) when analyzing Java 16's records

New Feature

• [SONARJAVA-3739] - Implement rule S6201: Use Pattern Matching on instanceof to substitute instanceof + cast
• [SONARJAVA-3775] - Implement rule S6220: Functional interfaces should not be sealed
• [SONARJAVA-3869] - Provide CFG for the body of a lambda

Task

• [SONARJAVA-3718] - Stop release process when performance score is exceeds threshold
• [SONARJAVA-3827] - Remove unused annotations "@DependsUpon", "@DependedUpon"
• [SONARJAVA-3871] - Enable experimental batch mode for analysis
• [SONARJAVA-3884] - Update rules metadata

Improvement

• [SONARJAVA-3738] - Upgrade ECJ to 3.26.0
• [SONARJAVA-3742] - Extend S3457 and S2275 to support String “formatted” method from Java 15
• [SONARJAVA-3870] - Remove S6212 from default quality profile.
• [SONARJAVA-3873] - Order rules based on execution time to make the best of issue streaming

False-Positive

• [SONARJAVA-3784] - FP in S3958 when Java 16 "toList()" terminator operation is used
• [SONARJAVA-3865] - Deprecate rule RSPEC-4604
• [SONARJAVA-3874] - FP in S1168 when using classes with the same unqualified name as collections

7.0.0.26422

    Release Notes - SonarJava - Version 7.0.0.26422

Bug

• [SONARJAVA-3856] - S1643 ClassCastException on parentheses

Task

• [SONARJAVA-3723] - Expose latest peach analysis performance score to Java bubble
• [SONARJAVA-3724] - Compute performance score of upcoming release
• [SONARJAVA-3816] - Update rules metadata
• [SONARJAVA-3818] - Add an example of rules targeting TEST in our custom rules plugin example
• [SONARJAVA-3820] - Add missing remediation functions
• [SONARJAVA-3823] - Move java-checks-testkit's 'InternalJavaCheckVerifier' into internal package
• [SONARJAVA-3825] - Drop deprecated methods from API
• [SONARJAVA-3828] - Drop deprecated rules
• [SONARJAVA-3833] - Update tutorial to add support of new LTS SQ 8.9

Improvement

• [SONARJAVA-3777] - Improve S1128 (Unused imports) rule precision by relying on compiler warnings
• [SONARJAVA-3791] - Use jdk 16 for our builds
• [SONARJAVA-3794] - Improve S1905 (Redundant cast) rule precision by relying on compiler warnings
• [SONARJAVA-3806] - Improve S1656 (Self Assignment) rule precision by relying on compiler warnings
• [SONARJAVA-3807] - Improve S4970 (Unreachable Catch) rule precision by relying on compiler warnings
• [SONARJAVA-3840] - Regex rules should support concatenating pattern objects
• [SONARJAVA-3858] - S5838 should support "length()"/"size()" followed by "isPositive()" simplification
• [SONARJAVA-3859] - Update description for 'sonar.java.file.suffixes'
• [SONARJAVA-3860] - Map ECJ Warnings to syntax trees
• [SONARJAVA-3862] - Rework "MethodTree.isOverriding()" to match the contract in case of unknowns in hierarchy

False-Positive

• [SONARJAVA-3822] - S6073 should not report on method invocation arguments that actually return an argument matcher
• [SONARJAVA-3836] - S5786 should not raise issue on a class visibility if it contains public static method(s)
• [SONARJAVA-3844] - Rules targeting tests should work with incomplete semantic
• [SONARJAVA-3845] - Rules targeting unused elements should work with incomplete semantic
• [SONARJAVA-3846] - Rules targeting returns should work with incomplete semantic
• [SONARJAVA-3847] - Rules targeting parameters should work with incomplete semantic
• [SONARJAVA-3848] - Rules targeting types should work with incomplete semantic
• [SONARJAVA-3849] - Rules targeting control flow should work with incomplete semantic
• [SONARJAVA-3850] - Rules targeting class members should work with incomplete semantic
• [SONARJAVA-3851] - Rules targeting methods calls should work with incomplete semantic
• [SONARJAVA-3852] - Rules targeting methods should work with incomplete semantic
• [SONARJAVA-3857] - FP S131 for a switch on an unknown symbol

False Negative

• [SONARJAVA-3841] - FN in S5998 (regex stackoverflow) for possessive quantifiers

6.15.1.26025

    Release Notes - SonarJava - Version 6.15.1.26025

Bug

• [SONARJAVA-3808] - NPE in JMethodSymbol.overriddenSymbol
• [SONARJAVA-3812] - Analysis should stop without logging when a CancellationException is thrown

Task

• [SONARJAVA-3815] - Update rules metadata
• [SONARJAVA-3817] - Remove rules resulting in failing tests from default quality profile
• [SONARJAVA-3821] - Do not ship "sonar-plugin-api" implementation class with the analyzer components

Improvement

• [SONARJAVA-3801] - Rule S4423 should support okhttp library
• [SONARJAVA-3805] - Rule S5332 should support okhttp library

False-Positive

• [SONARJAVA-3797] - FP in S1854 for effective-final assignment of variables used in a lambda
• [SONARJAVA-3798] - FP in S1258 and S3749 when using Lombok "@DaTa" annotation
• [SONARJAVA-3804] - FP in S3077 when volatile is used with @immutable and @threadsafe annotations
• [SONARJAVA-3809] - S5979 should not report on objects initialized with `MockitoJUnit.rule()` followed by options
• [SONARJAVA-3811] - Rule S5542 should not be triggered when using CBC mode
• [SONARJAVA-3814] - S6212 should not suggest to use "var" when the initializer is a lambda or a method reference

False Negative

• [SONARJAVA-3785] - Rule S4605 is not detected with @SpringBootApplication
• [SONARJAVA-3810] - S5547 should report on some more weak algorithms
• [SONARJAVA-3813] - Rule S4790 should support more weak hash algorithms