:coffee: SonarSource Static Analyzer for Java Code Quality and Security

Overview


This SonarSource project is a code analyzer for Java projects. Information about the analysis of Java features is available here.

Features

Useful links

Have a question or feedback?

To provide feedback (request a feature, report a bug etc.) use the SonarQube Community Forum. Please do not forget to specify the language (Java!), plugin version and SonarQube version.

If you have a question on how to use the plugin (and the docs don't help you), we also encourage you to use the community forum.

Contributing

Topic in SonarQube Community Forum

To request a new feature, please create a new thread in SonarQube Community Forum. Even if you plan to implement it yourself and submit it back to the community, please start a new thread first to be sure that we can use it.

Pull Request (PR)

To submit a contribution, create a pull request for this repository. Please make sure that you follow our code style and all tests are passing (all checks must be green).

Custom Rules

If you have an idea for a rule but you are not sure that everyone needs it, you can implement a custom rule available only for you. Note that, to help you, we highly recommend first following the Custom Rules 101 tutorial before diving into implementing rules from scratch.

Work with us

Would you like to work on this project full-time? We are hiring! Check out https://www.sonarsource.com/hiring

Testing

To run tests locally, follow these instructions.

Build the Project and Run Unit Tests

To build the plugin and run its unit tests, execute this command from the project's root directory:

mvn clean install

Integration Tests

To run integration tests, you will need to create a properties file like the one shown below, and set an environment variable named ORCHESTRATOR_CONFIG_URL to a URL pointing to its location.

# version of SonarQube Server
sonar.runtimeVersion=7.9

orchestrator.updateCenterUrl=http://update.sonarsource.org/update-center-dev.properties

# Location of Maven local repository is not automatically guessed. It can also be set with the env variable MAVEN_LOCAL_REPOSITORY.
maven.localRepository=/home/myName/.m2/repository

For instance, the ORCHESTRATOR_CONFIG_URL variable could be set as:

export ORCHESTRATOR_CONFIG_URL=file:///home/user/workspace/orchestrator.properties

Before running the ITs, be sure your MAVEN_HOME environment variable is set.

Sanity Test

The "Sanity Test" is a test which runs all checks against all the test source files without taking into account the result of the analysis. It verifies that rules do not crash on any file in our test sources. By default, this test is excluded from the build. To launch it:

mvn clean install -P sanity

Plugin Test

The "Plugin Test" is an integration test suite which verifies plugin features such as metric calculation, coverage etc. To launch it:

mvn clean install -Pit-plugin

Ruling Test

The "Ruling Test" is an integration test suite which launches the analysis of a large code base, saves the issues created by the plugin in report files, and then compares those results to the set of expected issues (stored as JSON files).

To run the test, first make sure the submodules are checked out:

git submodule init
git submodule update

Launch the ruling test:

cd its/ruling
mvn clean install -DskipTests=false

This test gives you the opportunity to examine the issues created by each rule and make sure they're what you expect. Any implemented rule is highly likely to raise issues on the multiple projects we use as ruling code base.

  • For a newly implemented rule, the first build will most probably fail because of differences between the expected results (which contain nothing for the new rule) and the new results. You can inspect these new issues by searching for files named after your rule (squid-SXXXX.json) in the following folder:

      /path/to/project/sonar-java/its/ruling/target/actual/...
    
  • For existing rules which are modified, you may expect some differences between "actual" (from new analysis) and expected results. Review carefully the changes which are shown and update the expected resources accordingly.

Each JSON file contains, indexed by file, the list of lines on which the issues raised by a specific rule are located. If/when everything looks good to you, you can copy the file with the actual issues located at:

its/ruling/target/actual/

Into the directory with the expected issues:

its/ruling/src/test/resources/

For example, using the command:

cp its/ruling/target/actual/* its/ruling/src/test/resources/
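Before copying the "actual" files over the expected ones, it helps to see exactly which issues a rule gained or lost. The following script is an added example, not part of the sonar-java project: it assumes each ruling JSON file maps a source file path to the list of line numbers on which one rule raised issues (the shape described above); the key format and the sample data embedded below are constructed for illustration, and a rule with no expected file (a newly implemented rule) is handled as an empty expectation.

```python
"""Compare "actual" ruling issues against "expected" ones, per file.

Added example, not part of sonar-java. Assumes a ruling JSON document maps
"<file path>" -> [line, line, ...] for a single rule; the key format and the
sample documents below are constructed, not taken from the project.
"""
import json
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample: expected issues for a hypothetical rule
# (the file that would live under its/ruling/src/test/resources/).
EXPECTED_JSON = """
{
  "project-a:src/main/java/Foo.java": [12, 40, 41],
  "project-b:src/main/java/Bar.java": [7]
}
"""

# Constructed sample: issues produced by a fresh analysis
# (the file that would be written under its/ruling/target/actual/).
ACTUAL_JSON = """
{
  "project-a:src/main/java/Foo.java": [12, 41, 58],
  "project-b:src/main/java/Bar.java": [7],
  "project-c:src/main/java/Baz.java": [3, 4]
}
"""


def load_issues(text: str) -> Dict[str, List[int]]:
    """Parse one ruling JSON document and normalise each line list."""
    data = json.loads(text)
    return {path: sorted(int(line) for line in lines) for path, lines in data.items()}


def diff_issues(expected: Optional[Dict[str, List[int]]],
                actual: Dict[str, List[int]]) -> Dict[str, Dict[str, List[int]]]:
    """Return, per file, the lines newly reported and the lines no longer reported.

    Files whose issue lines are identical are omitted. `expected=None` models a
    newly implemented rule (no expected file yet): every actual issue is "added".
    """
    expected = expected or {}
    result: Dict[str, Dict[str, List[int]]] = {}
    for path in sorted(set(expected) | set(actual)):
        exp = set(expected.get(path, []))
        act = set(actual.get(path, []))
        added = sorted(act - exp)
        removed = sorted(exp - act)
        if added or removed:
            result[path] = {"added": added, "removed": removed}
    return result


def diff_files(expected_path: Optional[Path], actual_path: Path) -> Dict[str, Dict[str, List[int]]]:
    """Diff two on-disk ruling files; a missing expected file means a new rule."""
    expected = None
    if expected_path is not None and expected_path.exists():
        expected = load_issues(expected_path.read_text())
    return diff_issues(expected, load_issues(actual_path.read_text()))


def format_report(diff: Dict[str, Dict[str, List[int]]]) -> str:
    """Render the diff as '+ file:line' / '- file:line' lines for review."""
    lines = []
    for path, change in diff.items():
        lines.extend(f"+ {path}:{line}" for line in change["added"])
        lines.extend(f"- {path}:{line}" for line in change["removed"])
    return "\n".join(lines) if lines else "no differences"


if __name__ == "__main__":
    report = format_report(diff_issues(load_issues(EXPECTED_JSON), load_issues(ACTUAL_JSON)))
    print(report)
```

Run `diff_files(Path("its/ruling/src/test/resources/<file>"), Path("its/ruling/target/actual/<file>"))` for each rule file to review the changes before overwriting the expected resources.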

License

Copyright 2012-2021 SonarSource.

Licensed under the GNU Lesser General Public License, Version 3.0

Issues
  • SONARJAVA-73 add more lombok's used annotations for UnusedPrivateFieldCheck

    SONARJAVA-73 add more lombok's used annotations for UnusedPrivateFieldCheck

    Add more used annotation from lombok.

    • Getter/Setter: http://projectlombok.org/features/GetterSetter.html
    • Data: http://projectlombok.org/features/Data.html
    • Value: http://projectlombok.org/features/Value.html
    • Builder: http://projectlombok.org/features/Builder.html
    • ToString: http://projectlombok.org/features/ToString.html
    • EqualsAndHashCode: http://projectlombok.org/features/EqualsAndHashCode.html
    • NoArgsConstructor, RequiredArgsConstructor, AllArgsConstructor: http://projectlombok.org/features/Constructor.html

    Won't be supported: Synchronized with custom name: http://projectlombok.org/features/Synchronized.html

    opened by liudongmiao 17
  • SONARJAVA-1793: Add support for Truth framework assertions.

    SONARJAVA-1793: Add support for Truth framework assertions.

    Please ensure your pull request adheres to the following guidelines:

    • [x] Use the following formatting style: SonarSource/sonar-developer-toolset
    • [x] Unit tests are passing and you provided a unit test for your fix
    • [x] ITs should pass : To run ITs locally, checkout the README of the project.
    • [x] If there is a Jira ticket available, please make your commits and pull request start with the ticket number (SONARJAVA-XXXX)

    A method invocation on the 'Subject' base-type of the Truth framework will be considered as an assertion call.

    opened by Johnnei 17
  • RSPEC-1659 : Multiple variables should not be declared on the same line

    RSPEC-1659 : Multiple variables should not be declared on the same line

    Proposal for RSPEC-1659, notes about it:

    • No tag => I choose convention
    • description can't be applied to Java language => some liberties in S1659.html
    • sqale cost of 5min is not too much?
    opened by axel3rd 15
  • SONARJAVA-1079 :

    SONARJAVA-1079 : "authorized numbers" parameter & SONARJAVA-1235 : exclude final only

    opened by axel3rd 13
  • SONARJAVA-1794: Add parameter to toggle UndocumentedAPI behaviour

    SONARJAVA-1794: Add parameter to toggle UndocumentedAPI behaviour

    Please ensure your pull request adheres to the following guidelines:

    • [x] Use the following formatting style: SonarSource/sonar-developer-toolset
    • [x] Unit tests are passing and you provided a unit test for your fix
    • [x] ITs should pass : To run ITs locally, checkout the README of the project.
    • [x] If there is a Jira ticket available, please make your commits and pull request start with the ticket number (SONARJAVA-XXXX)

    The new parameter allows switching between inclusion and exclusion mode.

    opened by Johnnei 12
  • SONARJAVA-1030 Check Locks with factorization of closeables

    SONARJAVA-1030 Check Locks with factorization of closeables

    Currently missing features:

    • reporting correct messages
    • Ability to report on field for lock check
    • To be improved: the ugly hack of the Ignore State of Closeable check (we should probably just drop the tracking of the value of this symbol and not bother with such a state in the first place).
    opened by benzonico 11
  • fixing the String index out of range exception while parsing surefire…

    fixing the String index out of range exception while parsing surefire…

    … reports for Dynamic test cases

    Please ensure your pull request adheres to the following guidelines:

    • [ ] Use the following formatting style: SonarSource/sonar-developer-toolset
    • [ ] Unit tests are passing and you provided a unit test for your fix
    • [ ] ITs should pass : To run ITs locally, checkout the README of the project.
    • [ ] If there is a Jira ticket available, please make your commits and pull request start with the ticket number (SONARJAVA-XXXX)
    opened by rohitri-90 10
  • SONARJAVA-2219: Spring Annotations - adding missing one

    SONARJAVA-2219: Spring Annotations - adding missing one

    @m-g-sonar sorry for so many pull requests, I hope this is now done correctly

    Hey guys!

    With my last commit I think we did miss the @Value annotation. I added it with this Pull-Request, I think that is it, I checked the JSR-250 and Spring annotations, and did not find another field-based injection annotation!


    Br simon

    Please ensure your pull request adheres to the following guidelines:

    • [x] Use the following formatting style: SonarSource/sonar-developer-toolset
    • [x] Unit tests are passing and you provided a unit test for your fix
    • [x] ITs should pass : To run ITs locally, checkout the README of the project. - did not check
    • [x] If there is a Jira ticket available, please make your commits and pull request start with the ticket number (SONARJAVA-XXXX)
    opened by aepfli 9
  • Adding support for Guava VisibleForTesting annotation

    Adding support for Guava VisibleForTesting annotation

    This PR adds support for Guava's @VisibleForTesting annotation and will no longer raise issues on protected members that have been annotated with this annotation, as well as members with default (package) visibility. This annotation indicates that the visibility of a type or member has been purposely relaxed to make the code testable.

    import static org.assertj.core.api.Assertions.assertThat;
    import static org.mockito.Mockito.mock;

    import com.google.common.annotations.VisibleForTesting;
    import java.util.logging.Logger; // assumed Logger type; the snippet does not say which one is meant
    import org.junit.Test;

    public final class MyFinalClass {

      @VisibleForTesting
      protected Logger logger; // Compliant, no S2156 rule failed
      @VisibleForTesting
      protected int calculateSomethingComplex(String input) { // Compliant, no S2156 rule failed
        // ...
        return 42; // placeholder body so the snippet compiles; the original elided it
      }
    }

    class Cone {
      @VisibleForTesting
      Logger logger; // Compliant, no S2039 rule failed
    }

    class MyFinalClassTest {
      private static final String INPUT_JSON = "{}"; // placeholder input, not defined in the original snippet

      @Test
      public void test() {
        MyFinalClass my = new MyFinalClass();
        my.logger = mock(Logger.class);
        assertThat(my.calculateSomethingComplex(INPUT_JSON)).isEqualTo(42);
      }
    }


    More info: http://eng.wealthfront.com/2011/12/02/beyond-javas-access-control-visibility

    Please ensure your pull request adheres to the following guidelines:

    • [x] Use the following formatting style: SonarSource/sonar-developer-toolset
    • [x] Unit tests are passing and you provided a unit test for your fix
    • [x] ITs should pass : To run ITs locally, checkout the README of the project.
    • [x] If there is a Jira ticket available, please make your commits and pull request start with the ticket number (SONARJAVA-XXXX)
    opened by cardil 9
  • Make compatible with surefire reuseForks=false

    Make compatible with surefire reuseForks=false

    JacocoController.getInstance() is executed too soon in case of surefire option reuseForks=false. In this configuration, the listener is created without javaagent enabled. It is enabled only when the VM is forked while starting a test.

    opened by fdaugan 8
Releases(7.2.0.26923)
  • 7.2.0.26923(Jul 20, 2021)

        Release Notes - SonarJava - Version 7.2.0.26923
    

    Bug

    • [SONARJAVA-3872] - "JSymbol.convertMetadata" should not throw an Exception when ecj fails
    • [SONARJAVA-3897] - Fix S1845(MembersDifferOnlyByCapitalizationCheck) duplicated issues
    • [SONARJAVA-3904] - Java 16's record keyword and sealed classes-related keywords should be highlighted as keywords

    New Feature

    • [SONARJAVA-3745] - Implement rule S6204: Use Stream.toList() instead of collectors
    • [SONARJAVA-3748] - Implement rule S6206: Use records to represent immutable data structures
    • [SONARJAVA-3752] - Implement rule S6207: Avoid redundant constructors/methods in records
    • [SONARJAVA-3754] - Implement rule S6209: Ignored members during record serialization
    • [SONARJAVA-3758] - Implement rule S6211: Prefer overriding default record's getter
    • [SONARJAVA-3768] - Implement rule S6216: Reflection should not be used to update record's field value
    • [SONARJAVA-3771] - Implement rule S6218: Equals should be overridden in the record with array fields
    • [SONARJAVA-3773] - Implement rule S6219: Don't set 'serialVersionUID' to '0L' in records

    Task

    Improvement

    • [SONARJAVA-3740] - Extend rule S1481 to report on unused variables in pattern matching on instanceof
    • [SONARJAVA-3746] - Extend rule S2201 to support 'Stream' non-void terminal methods
    • [SONARJAVA-3755] - Update rule S2057 to not report on 'Serializable' records
    • [SONARJAVA-3760] - Improve rule S2094: 'Classes should not be empty' to support Records
    • [SONARJAVA-3763] - Support Records in rules targeting Classes
    • [SONARJAVA-3769] - Remove record fields from reporting in S3011: Reflection fields update
    • [SONARJAVA-3902] - Use secondary locations in S1845 (Members differs only by capitalization)

    False-Positive

    • [SONARJAVA-3892] - Exclude "com.sun.jersey" and "com.sun.faces" from S1191 by default
    • [SONARJAVA-3898] - Don't apply S5838 for calls to equals in methods with "equals" in the name
    • [SONARJAVA-3901] - FP in S2245 (PseudeRandomCheck) when passing a SecureRandom object as parameter
  • 7.1.0.26670(Jun 25, 2021)

        Release Notes - SonarJava - Version 7.1.0.26670
    

    Bug

    • [SONARJAVA-3799] - Visit records' members correctly
    • [SONARJAVA-3876] - S3986 produces an IndexOutOfBoundsException on calls to super
    • [SONARJAVA-3883] - Semantic API Symbol#type() is not @Nullable but return 'null'
    • [SONARJAVA-3885] - NPE in S1176 (UndocumentedApiCheck) when analyzing Java 16's records

    New Feature

    • [SONARJAVA-3739] - Implement rule S6201: Use Pattern Matching on instanceof to substitute instanceof + cast
    • [SONARJAVA-3775] - Implement rule S6220: Functional interfaces should not be sealed
    • [SONARJAVA-3869] - Provide CFG for the body of a lambda

    Task

    Improvement

    • [SONARJAVA-3738] - Upgrade ECJ to 3.26.0
    • [SONARJAVA-3742] - Extend S3457 and S2275 to support String “formatted” method from Java 15
    • [SONARJAVA-3870] - Remove S6212 from default quality profile.
    • [SONARJAVA-3873] - Order rules based on execution time to make the best of issue streaming

    False-Positive

    • [SONARJAVA-3784] - FP in S3958 when Java 16 "toList()" terminator operation is used
    • [SONARJAVA-3865] - Deprecate rule RSPEC-4604
    • [SONARJAVA-3874] - FP in S1168 when using classes with the same unqualified name as collections
  • 7.0.0.26422(Jun 8, 2021)

        Release Notes - SonarJava - Version 7.0.0.26422
    

    Bug

    Task

    Improvement

    • [SONARJAVA-3777] - Improve S1128 (Unused imports) rule precision by relying on compiler warnings
    • [SONARJAVA-3791] - Use jdk 16 for our builds
    • [SONARJAVA-3794] - Improve S1905 (Redundant cast) rule precision by relying on compiler warnings
    • [SONARJAVA-3806] - Improve S1656 (Self Assignment) rule precision by relying on compiler warnings
    • [SONARJAVA-3807] - Improve S4970 (Unreachable Catch) rule precision by relying on compiler warnings
    • [SONARJAVA-3840] - Regex rules should support concatenating pattern objects
    • [SONARJAVA-3858] - S5838 should support "length()"/"size()" followed by "isPositive()" simplification
    • [SONARJAVA-3859] - Update description for 'sonar.java.file.suffixes'
    • [SONARJAVA-3860] - Map ECJ Warnings to syntax trees
    • [SONARJAVA-3862] - Rework "MethodTree.isOverriding()" to match the contract in case of unknowns in hierarchy

    False-Positive

    • [SONARJAVA-3822] - S6073 should not report on method invocation arguments that actually return an argument matcher
    • [SONARJAVA-3836] - S5786 should not raise issue on a class visibility if it contains public static method(s)
    • [SONARJAVA-3844] - Rules targeting tests should work with incomplete semantic
    • [SONARJAVA-3845] - Rules targeting unused elements should work with incomplete semantic
    • [SONARJAVA-3846] - Rules targeting returns should work with incomplete semantic
    • [SONARJAVA-3847] - Rules targeting parameters should work with incomplete semantic
    • [SONARJAVA-3848] - Rules targeting types should work with incomplete semantic
    • [SONARJAVA-3849] - Rules targeting control flow should work with incomplete semantic
    • [SONARJAVA-3850] - Rules targeting class members should work with incomplete semantic
    • [SONARJAVA-3851] - Rules targeting methods calls should work with incomplete semantic
    • [SONARJAVA-3852] - Rules targeting methods should work with incomplete semantic
    • [SONARJAVA-3857] - FP S131 for a switch on an unknown symbol

    False Negative

    • [SONARJAVA-3841] - FN in S5998 (regex stackoverflow) for possessive quantifiers
  • 6.15.1.26025(Apr 29, 2021)

        Release Notes - SonarJava - Version 6.15.1.26025
    

    Bug

    • [SONARJAVA-3808] - NPE in JMethodSymbol.overriddenSymbol
    • [SONARJAVA-3812] - Analysis should stop without logging when a CancellationException is thrown

    Task

    • [SONARJAVA-3815] - Update rules metadata
    • [SONARJAVA-3817] - Remove rules resulting in failing tests from default quality profile
    • [SONARJAVA-3821] - Do not ship "sonar-plugin-api" implementation class with the analyzer components

    Improvement

    False-Positive

    • [SONARJAVA-3797] - FP in S1854 for effective-final assignment of variables used in a lambda
    • [SONARJAVA-3798] - FP in S1258 and S3749 when using Lombok "@Data" annotation
    • [SONARJAVA-3804] - FP in S3077 when volatile is used with @Immutable and @ThreadSafe annotations
    • [SONARJAVA-3809] - S5979 should not report on objects initialized with `MockitoJUnit.rule()` followed by options
    • [SONARJAVA-3811] - Rule S5542 should not be triggered when using CBC mode
    • [SONARJAVA-3814] - S6212 should not suggest to use "var" when the initializer is a lambda or a method reference

    False Negative

    • [SONARJAVA-3785] - Rule S4605 is not detected with @SpringBootApplication
    • [SONARJAVA-3810] - S5547 should report on some more weak algorithms
    • [SONARJAVA-3813] - Rule S4790 should support more weak hash algorithms
  • 6.15.0.25849(Apr 15, 2021)

        Release Notes - SonarJava - Version 6.15.0.25849
    

    Bug

    • [SONARJAVA-3786] - Delete rule RSPEC-4603
    • [SONARJAVA-3788] - Fix IndexOutOfBoundsException in S1166 (CatchUsesExceptionWithContextCheck:307)
    • [SONARJAVA-3789] - Fix ClassCastException in S6202 (IsInstanceMethodCheck:70)
    • [SONARJAVA-3790] - Fix ClassCastException in S5411 (BoxedBooleanExpressionsCheck:158)
    • [SONARJAVA-3792] - Compilation of custom rule project fails due to missing metadata files

    New Feature

    • [SONARJAVA-3716] - Provide a user property to produce performance metrics
    • [SONARJAVA-3741] - Rule S6202: Operator "instanceof" should be used instead of "A.class.isInstance()"
    • [SONARJAVA-3743] - Rule S6203: Text blocks should not be used in complex expression
    • [SONARJAVA-3749] - Rule S6205: Switch arrow labels should not use redundant keywords
    • [SONARJAVA-3753] - Rule S6208: Comma-separated labels should be used in Switch with colon case
    • [SONARJAVA-3759] - Rule S6212: Local-Variable Type Inference (var) should be used
    • [SONARJAVA-3761] - Rule S6213: Restricted Identifiers should not be used as Identifiers

    Task

    • [SONARJAVA-3714] - Collect SquidSensor runtime data
    • [SONARJAVA-3717] - Increase reliability of cirrus-ci nightly analyses by restarting some failed jobs
    • [SONARJAVA-3720] - Push internal CI performance metrics to repository
    • [SONARJAVA-3721] - Enable performance measurement for ruling
    • [SONARJAVA-3722] - Compute measurement cost in performance metrics
    • [SONARJAVA-3726] - Update tutorial with SQ 8.8 and latest embedded release of SonarJava
    • [SONARJAVA-3728] - Update rules metadata
    • [SONARJAVA-3793] - Drop usage of deprecated internal method "hasSemantic()" in our rules

    Improvement

    • [SONARJAVA-3666] - Add text block support for regex rules
    • [SONARJAVA-3715] - Add size of file to slowest files analyzed output
    • [SONARJAVA-3732] - Execute the move of the regex parser into analyzer-commons
    • [SONARJAVA-3736] - Support Text Block in rules relying on String literals from expressions
    • [SONARJAVA-3737] - Improve rules relying on String literals to support identifier from a final or effectively final variable.
    • [SONARJAVA-3744] - Extend existing rules to support Switch Expression
    • [SONARJAVA-3751] - Extend S4738 to suggest Java 9 "List.of", "Map.of", "Set.of" instead of Guava
    • [SONARJAVA-3762] - S5838 should support Java 11 "String.isBlank()"
    • [SONARJAVA-3766] - Improve rule description for ReDoS
    • [SONARJAVA-3778] - Fix performance hotspots in S103 due to slow regex
    • [SONARJAVA-3781] - All method overrides should be returned instead of only the first one
    • [SONARJAVA-3787] - Children of Switch Statement should not be a Switch Expression
    • [SONARJAVA-3796] - Fix possible Catastrophic backtracking in regex for S3518: Division by zero rule

    False-Positive

    • [SONARJAVA-3731] - S5786 should not report on abstract classes or overriding test methods
    • [SONARJAVA-3734] - FP in S5979 when "ExtendWith" annotation is coming from a meta-annotation
    • [SONARJAVA-3750] - S1199 should not report an issue for any Switch case containing a block
    • [SONARJAVA-3772] - FP in S1943: Do not report an issue on any usage of Java 11 FileWriter and FileReader
    • [SONARJAVA-3774] - S2755 should not raise when a non null resolver is set with XMLInputFactory.setXMLResolver
    • [SONARJAVA-3776] - Fix FPs in S4276 when the generic argument left is a primitive wrapper

    False Negative

    • [SONARJAVA-3757] - "Nullable" from eclipse should be considered as a Strong Nullable.
  • 6.14.0.25463(Mar 19, 2021)

        Release Notes - SonarJava - Version 6.14.0.25463
    

    Task

    Improvement

    • [SONARJAVA-3215] - S1166 add heuristics to support custom log frameworks
    • [SONARJAVA-3558] - Issue filter should extends its filter to IDE-specific suppressed warnings
    • [SONARJAVA-3568] - S5852 should use automata to increase its accuracy
    • [SONARJAVA-3624] - Regex FP/FN with Supplementary Multilingual Plane
    • [SONARJAVA-3629] - Improve S6002 RegexLookaheadCheck to support negative lookahead
    • [SONARJAVA-3636] - Improve secondary message for regex rules when issues are reported across different string literals
    • [SONARJAVA-3689] - Improve rule S110 to not report when hierarchy is too big already in library code
    • [SONARJAVA-3701] - Prepare the move of the regex parser into its own project
    • [SONARJAVA-3729] - Change S4434 to a security-hotspot
    • [SONARJAVA-3730] - Add an exception to rule S121 for early returns
    • [SONARJAVA-3733] - ReDoS: Don't call cubic and worse runtimes quadratic
    • [SONARJAVA-3735] - Upgrade ECJ to 3.25.0

    False-Positive

    • [SONARJAVA-3570] - Relax Rule S5411 for boxed booleans if there is a null-checked before
    • [SONARJAVA-3603] - FP on S4276 when Function is using "compose" or "andThen" methods
    • [SONARJAVA-3625] - Possible FP in S5998 when using backreferences to large groups
    • [SONARJAVA-3631] - FP in S6001 parsing of multi-digit backreferences
    • [SONARJAVA-3635] - S2384 should not raise an issue when mutable members in temporary variable are not stored
    • [SONARJAVA-3669] - S2325 should not raise on empty methods
    • [SONARJAVA-3696] - S2755 should not raise when a xml document is build
    • [SONARJAVA-3706] - FP in S2384, S2386: support any unmodifiable and immutable methods
    • [SONARJAVA-3713] - FP in S5852 (ReDoS) involving possessive quantifiers
    • [SONARJAVA-3747] - FPs in S5852 when repetition overlaps with non-repetition part

    False Negative

    • [SONARJAVA-2745] - FN on S2142: no issue raised when catching the generic Exception
    • [SONARJAVA-3639] - FN in S5994 when `*+` is followed by a repetition
    • [SONARJAVA-3640] - FN in S6002 for full matches and anchored patterns
    • [SONARJAVA-3641] - FN in S5998
    • [SONARJAVA-3653] - S5996 should raise issues even if the regex can match the empty string
    • [SONARJAVA-3710] - Include Eclipse’s NonNullByDefault annotation on nonNullFields check
  • 6.13.0.25138(Feb 22, 2021)

        Release Notes - SonarJava - Version 6.13.0.25138
    

    Bug

    • [SONARJAVA-3690] - Update SonarQube Api to be compatible with the latest SQ

    New Feature

    • [SONARJAVA-2929] - Rule S2053: Hashes should include an unpredictable salt
    • [SONARJAVA-3462] - Rule S4036: Searching OS commands in PATH is security-sensitive
    • [SONARJAVA-3674] - Rule S5659: JWT should be signed and verified with strong cipher algorithms
    • [SONARJAVA-3675] - Rule S5332: Using clear-text protocols is security-sensitive
    • [SONARJAVA-3676] - Rule S5689: Disclosing fingerprints from web application technologies is security-sensitive
    • [SONARJAVA-3677] - Rule S5443: Using publicly writable directories is security-sensitive
    • [SONARJAVA-3679] - Rule S5693: Allowing requests with excessive content length is security-sensitive
    • [SONARJAVA-3681] - Rule S5247: Disabling auto-escaping in template engines is security-sensitive

    Task

    Improvement

    • [SONARJAVA-3660] - S2077 update message for primary and secondary locations
    • [SONARJAVA-3663] - S2976 implementation moved to S5445
    • [SONARJAVA-3664] - S4738 reports usage of Guava "createTempDir"
    • [SONARJAVA-3686] - Deprecate rule S4834
    • [SONARJAVA-3692] - Extract Symbolic Execution Engine and Checks from "java-frontend" module
    • [SONARJAVA-3694] - Improve rule S1612 to replace instanceof lambda with method reference
    • [SONARJAVA-3698] - Extract Check Verifier from "java-frontend" module into testkit

    False-Positive

    • [SONARJAVA-3278] - FP on S2115: JDBC connection string should not raise when password property is not used
    • [SONARJAVA-3532] - S5042 should focus on zipbomb attacks
    • [SONARJAVA-3648] - FP on S2384 (MutableMembersUsageCheck) for enum constructors
    • [SONARJAVA-3649] - FP on S1157 (CaseInsensitiveComparisonCheck) when only one side is upper or lower case
    • [SONARJAVA-3678] - FP in S5853 when map/flatMap is used
    • [SONARJAVA-3684] - S2755 should not raise an issue when DocumentBuilder EntityResolver is customized
    • [SONARJAVA-3685] - FP in S1125 when using null
    • [SONARJAVA-3687] - S5979 should not report on classes annotated with JUnit5's @Nested when the enclosing class properly initializes annotated objects
    • [SONARJAVA-3688] - FP on S5860(UnusedGroupNamesCheck) for name referenced by dollar curly braces

    False Negative

    • [SONARJAVA-3469] - FN in S1219 when using blocks
    • [SONARJAVA-3683] - S4502 should raise when CSRF protection is disabled on specific routes
  • 6.12.0.24852(Feb 1, 2021)

        Release Notes - SonarJava - Version 6.12.0.24852
    

    Bug

    • [SONARJAVA-3487] - [Java 14 - Records preview feature] NPE when accessing recordComponent.owner()
    • [SONARJAVA-3488] - [Java 14 - Records preview feature] NPE when computing metrics of methods
    • [SONARJAVA-3489] - [Java 14 - Records preview feature] S1123 NPE when visiting records
    • [SONARJAVA-3490] - [Java 14 - Records preview feature] S1117 NPE when visiting records

    New Feature

    • [SONARJAVA-2961] - Rule S4977: Type parameters should not shadow other type parameters
    • [SONARJAVA-3255] - Rule S5663: Simple string literal should be used for single line strings
    • [SONARJAVA-3256] - Rule S5664: Whitespace for text block indent should be consistent
    • [SONARJAVA-3257] - Rule S5665: Escape sequences should not be used in text blocks
    • [SONARJAVA-3505] - Upgrade to ECJ 3.24 to enable support of Java 15
    • [SONARJAVA-3606] - Rule S5979: Annotated Mockito objects should be initialized
    • [SONARJAVA-3658] - Add support of Java 15 Text Blocks with a new dedicated Kind: TEXT_BLOCK
    • [SONARJAVA-3670] - Rule S6126: String multiline concatenation can be replaced with a Text block

    Task

    Improvement

    • [SONARJAVA-3114] - Message about missing bytecode dependencies should appear only when dependencies are actually missing
    • [SONARJAVA-3563] - Report 10 slowest analyzed files
    • [SONARJAVA-3657] - Improve S3986 to cover DateTimeFormatter
    • [SONARJAVA-3665] - Add support of Text Blocks in S2973 (Escaped unicode characters)
    • [SONARJAVA-3667] - Fix text block support in S2479
    • [SONARJAVA-3671] - Improve rule S1192 to Support Text blocks
    • [SONARJAVA-3672] - S1213 Check order of static and instance variables

    False-Positive

    • [SONARJAVA-3659] - S2755 should not raise an issue when "EntityResolver" is customized
    • [SONARJAVA-3661] - FP on S2259 (Null Pointer Dereference) when using MapUtils from Apache Collections
    • [SONARJAVA-3662] - Improve rule S2142 to check methods called inside catch block
  • 6.11.0.24617(Jan 13, 2021)

        Release Notes - SonarJava - Version 6.11.0.24617
    

    Bug

    • [SONARJAVA-3609] - JAR files passed to sonar.java.libraries remain locked after the analysis on Windows
    • [SONARJAVA-3652] - SuppressWarnings Filter lose knowledge of filtered lines

    New Feature

    • [SONARJAVA-3614] - Rule S6073: Mockito argument matchers should be used on all parameters
    • [SONARJAVA-3630] - Rule S6103: AssertJ assertions with "Consumer" arguments should contain assertion inside consumers
    • [SONARJAVA-3632] - Rule S6104: Map "computeIfAbsent()" should not be used to add "null" values.
    • [SONARJAVA-3637] - Introduce "sonar.java.jdkHome" to specify the JDK to be used by the analyzer to resolve JDK types

    Task

    Improvement

    False-Positive

    • [SONARJAVA-3467] - FP on S1948 when using both field and setter/constructor injection
    • [SONARJAVA-3574] - S2755 FP when Factory is declared with lombok "val"
    • [SONARJAVA-3578] - FP in S2147 when the type of the Exception is needed inside the body.
    • [SONARJAVA-3620] - FP in S2384 when unmodifiable collection is returned from a non-final field
    • [SONARJAVA-3628] - FP in S5853 when assertions "flatExtracting" prevent the chaining
    • [SONARJAVA-3633] - FP in S4032 when there are several source directories
    • [SONARJAVA-3642] - FP in S1874 when parent constructor is deprecated but not used
    • [SONARJAVA-3647] - FP in S1481 when "for-each" variable nested in a lambda is actually used in the body
    • [SONARJAVA-3650] - FP in S2970 for nested class using JUnit 5 Soft assertions extension.

    False Negative

    • [SONARJAVA-3555] - S4830 should support X509ExtendedTrustManager
    • [SONARJAVA-3575] - FN in S2095: support Apache commons IOUtils methods not closing the stream
    • [SONARJAVA-3626] - FN Rule S3824: Apply the same SymbolicValue for static constants or enum constants when used as MemberSelect
  • 6.10.0.24201 (Dec 7, 2020)

    Release Notes - SonarJava - Version 6.10.0.24201

    Bug

    • [SONARJAVA-3056] - Classes for the analysis are loaded with parent first strategy
    • [SONARJAVA-3602] - JavaCheckVerifier does not support consistent behavior when having multiple issues reported on the same line

    New Feature

    • [SONARJAVA-3550] - Rule S5994: Regex patterns following a possessive quantifier should not always fail
    • [SONARJAVA-3552] - Rule S5996: Regex boundaries should not be used in a way that can never match
    • [SONARJAVA-3554] - Rule S5998: Regular expressions should not overflow the stack
    • [SONARJAVA-3557] - Rule S6001: Back references in regular expressions should only refer to capturing groups that are matched before the reference
    • [SONARJAVA-3560] - Rule S6002: Regex lookahead assertions should not be contradictory
    • [SONARJAVA-3566] - Rule S5855: Regex alternatives should not be redundant
    • [SONARJAVA-3567] - Rule S6019: Reluctant quantifiers in regular expressions should be followed by an expression that can't match the empty string
    • [SONARJAVA-3572] - Rule S6035: Single-character alternations in regular expressions should be replaced with character classes
    • [SONARJAVA-3608] - Rule S6068: Call to Mockito method "verify", "when" or "given" should be simplified
    • [SONARJAVA-3610] - Rule S6070: The regex escape sequence \cX should only be used with characters in the @-_ range

    Task

    • [SONARJAVA-3544] - Fix the regression on issue filtering by reverting SONARJAVA-3241 before SQ 8.x LTS
    • [SONARJAVA-3549] - Add support for automata-based analyses for regular expressions
    • [SONARJAVA-3551] - Implement helper to find whether state in regex automaton is reachable without consuming input
    • [SONARJAVA-3564] - Implement intersects and supersetOf helper for regex automata
    • [SONARJAVA-3600] - Remove (re)declaration of fail fast property.
    • [SONARJAVA-3622] - Drop unused Symbolic Execution debugging rules
    • [SONARJAVA-3627] - Update rules metadata

    Improvement

    • [SONARJAVA-3546] - Issue message of S5961 should contain the number of actual assertions
    • [SONARJAVA-3547] - Improve rule S1612 to replace casts with method reference
    • [SONARJAVA-3548] - Improve rule S5838 to handle maps and longs
    • [SONARJAVA-3553] - S5778 and S5783: Improve primary and secondary issue message
    • [SONARJAVA-3559] - Do not report issues of S1130 on Runtime Exceptions
    • [SONARJAVA-3561] - AbstractRegexCheck should target more regex providers
    • [SONARJAVA-3562] - Improve Regex rules to consider more string literals as Pattern
    • [SONARJAVA-3569] - Improve issue locations of S5869
    • [SONARJAVA-3587] - Typo in message of S3457
    • [SONARJAVA-3588] - Java Analyzer should be able to parse Jigsaw module-info.java files even when misconfigured
    • [SONARJAVA-3616] - Make S2699 support RestAssured 2.x as well (and not only 3.x & 4.x)
    • [SONARJAVA-3623] - Update rule S5803 to support all annotations named @VisibleForTesting

    False-Positive

    • [SONARJAVA-3470] - Add more exceptions to S107
    • [SONARJAVA-3545] - Rule S4973 shouldn't report an issue if "==" is used to compare Boolean constants
    • [SONARJAVA-3565] - FP on S1948 when using SpringBean from Apache Wicket
    • [SONARJAVA-3571] - FP on S1948 when collection implements Serializable
    • [SONARJAVA-3577] - FP in S3457 when slf4j log arguments contain a concatenation and a single Throwable
    • [SONARJAVA-3579] - FP in S1170 when class is annotated with @lombok.Builder and field with @Default
    • [SONARJAVA-3580] - FP in S2390: do not report an issue on static class nested in the parent.
    • [SONARJAVA-3586] - Support Nullable annotation from reactor-core
    • [SONARJAVA-3598] - FP in S2973 when symbol is in lowercase
    • [SONARJAVA-3599] - FP in S2226 for non final Servlet fields initialized in init() method without parameters
    • [SONARJAVA-3605] - FP in S3305 when field has an initializer
    • [SONARJAVA-3612] - FP in S1185 when class is annotated "@Transactional"
    • [SONARJAVA-3613] - FP in S1193 when the catch block contains more code
    • [SONARJAVA-3615] - FP in S1905 when the cast argument is a method reference to a varargs method.
    • [SONARJAVA-3617] - S1170 should not raise an issue when the initializer contains "this" or "super"
    • [SONARJAVA-3618] - FP on S3438 when "value" is set inside the property tag
    • [SONARJAVA-3619] - FP S2589 when Boolean variable doesn't always evaluate to TRUE/FALSE
    • [SONARJAVA-3621] - Union of Unknown types should be Unknown

    False Negative

    • [SONARJAVA-3130] - S3824: raise issue when "containsKey" is used
    • [SONARJAVA-3482] - Support character classes as operand to reluctant quantifier in rule S5857
    • [SONARJAVA-3483] - FN in S5869 with escaped character classes
  • 6.9.0.23563 (Oct 5, 2020)

    Release Notes - SonarJava - Version 6.9.0.23563

    Bug

    • [SONARJAVA-3285] - Java 13/14 preview feature "Text Block" produces a highlighting IllegalArgumentException
    • [SONARJAVA-3541] - NPE in Symbolic Execution engine when dealing with java 14 switch expressions without default

    New Feature

    • [SONARJAVA-3374] - Rule S5804 allowing user enumeration is security-sensitive
    • [SONARJAVA-3396] - Rule S5808 Authorizations should be based on strong decisions
    • [SONARJAVA-3411] - Rule S5876 A new session should be created during user authentication
    • [SONARJAVA-3542] - RSPEC-5993 Constructors of an "abstract" class should not be declared "public"

    Improvement

    • [SONARJAVA-3376] - Rule S3752: from Vulnerability to Security Hotspot and small improvements on the detection algorithm
    • [SONARJAVA-3414] - Rule S4790: its content should be replaced by S2070
    • [SONARJAVA-3472] - Document wildcards pattern in rule's parameters (S110, S1176)
    • [SONARJAVA-3478] - S2201: Support common Collection and Map methods
    • [SONARJAVA-3525] - S2333 supports redundant modifiers on nested interfaces and classes
    • [SONARJAVA-3536] - Consistently support Nullable/CheckForNull/Nonnull annotations in rules
    • [SONARJAVA-3539] - FP in S5845 when BigDecimal and BigInteger are compared with string

    False-Positive

    • [SONARJAVA-3468] - FP on S1905 when the cast argument is an ambiguous method reference.
    • [SONARJAVA-3479] - FP in S2184 when return is in another scope
    • [SONARJAVA-3535] - Rule S3749 should not raise when the singleton has @ConfigurationProperties annotation
    • [SONARJAVA-3540] - FP in S2175 when a primitive is auto-boxed into a subtype of Number.

    False Negative

    • [SONARJAVA-3388] - Rule S2070 should support "org.springframework.util.DigestUtils"
    • [SONARJAVA-3538] - S5853 does not handle custom assertions
  • 6.8.0.23379 (Sep 23, 2020)

    Release Notes - SonarJava - Version 6.8

    New Feature

    • [SONARJAVA-3372] - Rule S5803: Class members annotated with @VisibleForTesting should not be accessed from production code
    • [SONARJAVA-3509] - Rule S5958: AssertJ "assertThatThrownBy" should not be used alone
    • [SONARJAVA-3511] - Rule S5961: Test methods should not contain too many assertions
    • [SONARJAVA-3514] - Rule S5967: Test methods should not be annotated with competing annotations
    • [SONARJAVA-3515] - Rule S5960: Assertions should not be used in production code
    • [SONARJAVA-3516] - Rule S5969: Mocking all non-private methods of a class should be avoided
    • [SONARJAVA-3517] - Rule S5970: Spring's ModelAndViewAssert assertions should be used instead of other assertions
    • [SONARJAVA-3522] - Rule S3414: Tests should be kept in a dedicated source directory
    • [SONARJAVA-3524] - Rule S5973: Tests should be stable
    • [SONARJAVA-3526] - Rule S5976: Similar tests should be grouped in a single Parameterized test
    • [SONARJAVA-3527] - Rule S5977: Tests should use fixed data instead of randomized data

    Improvement

    • [SONARJAVA-3476] - Improve issue location for S5843
    • [SONARJAVA-3481] - Add missing escape sequences to regex parser
    • [SONARJAVA-3485] - Change issue type of S899 to Bug
    • [SONARJAVA-3492] - S1215 should detect "System.runFinalization()" the same way it detects System.gc()
    • [SONARJAVA-3500] - Support latest version of Play framework in S3330 and S2092
    • [SONARJAVA-3513] - Improve S5810 to support static and test methods with return values
    • [SONARJAVA-3518] - S125: reports issue on whole commented block
    • [SONARJAVA-3521] - SuppressWarnings Filter should remove issue of S3740 when "rawTypes" is used
    • [SONARJAVA-3523] - Extend S3415 (Arguments order) to support TestNG assertions
    • [SONARJAVA-3531] - S2187 should consider methods annotated with "@State" from Pact framework as test methods

    False-Positive

    • [SONARJAVA-3477] - S1214 should report only when an interface contains only constants
    • [SONARJAVA-3498] - FP in S1193 for instance of non-throwable types
    • [SONARJAVA-3504] - FP on S1948 for fields having non-serializable interface as type but serializable type as initializer
    • [SONARJAVA-3506] - FP in S2275 when second argument of String.format is an array
    • [SONARJAVA-3507] - FP in S3012 when copying array of primitives types to a Collection
    • [SONARJAVA-3519] - FP on S3878 when the argument before the vararg is also an array
    • [SONARJAVA-3528] - FP on S5778 when calling mockito methods
    • [SONARJAVA-3530] - FP on S3577 when test class ends with "Tests" or is an abstract class
    • [SONARJAVA-3534] - FP S3077(VolatileNonPrimitiveFieldCheck) should consider enum as immutable

    False Negative

    • [SONARJAVA-3491] - FN S2789 (NullShouldNotBeUsedWithOptionalCheck) on null assignment
    • [SONARJAVA-3501] - FN on Unused Imports when using Lombok
  • 6.7.0.23054 (Aug 31, 2020)

    Release Notes - SonarJava - Version 6.7

    Bug

    • [SONARJAVA-3244] - S3065: ClassCastException with implicit type casting
    • [SONARJAVA-3311] - SE should correctly handle new class in catch
    • [SONARJAVA-3381] - Performance Issue when computing the flow of an expression

    Improvement

    • [SONARJAVA-3026] - S3518: Division by zero on floats and doubles should not mention ArithmeticException
    • [SONARJAVA-3069] - Adapt SE engine to Switch Expressions
    • [SONARJAVA-3345] - S3518 (division by zero) should handle BigDecimal and BigInteger
    • [SONARJAVA-3484] - Change issue type of S2039 and S2386 to Code Smell
    • [SONARJAVA-3493] - Remove ASM dependency
    • [SONARJAVA-3494] - Rework S2095 (UnclosedResourceCheck) to remove calls to parent() method

    False-Positive

    • [SONARJAVA-2060] - FP in S2095: java.sql.Statement will implicitly close created ResultSets
    • [SONARJAVA-3043] - S3655 should not raise an issue when a method doing nothing is called between "isPresent" and "get()"
    • [SONARJAVA-3157] - FP on Rule S2637 - issue raised on non-initialized fields
    • [SONARJAVA-3186] - SE based rules should not raise when exiting on exception with unknown type
    • [SONARJAVA-3187] - S2259 FP on null when called Class.isInstance
    • [SONARJAVA-3235] - FP on S3655 when the Optional is a class instance field
    • [SONARJAVA-3238] - FP on S1948 when class has multiple bounds in parameter type
    • [SONARJAVA-3242] - S5164, S1640: FP when variable is called with qualified name
    • [SONARJAVA-3451] - FP in S2095: sessions, producers, and consumers of a closed connection with JMS 2.0.
    • [SONARJAVA-3466] - FP S5845(AssertionTypesCheck) AssertJ is able to compare date/time and string
    • [SONARJAVA-3495] - FP in S2159 when type compared is Unknown
    • [SONARJAVA-3499] - FP on S3749 when using javax.persistence.PersistenceContext
    • [SONARJAVA-3508] - FP on S4449 when using Preconditions.checkNotNull(arg) with a @Nullable argument

    False Negative

    • [SONARJAVA-2129] - FN on S2095: java.util.Properties.load(InputStream) should not close the stream passed as parameter
    • [SONARJAVA-3447] - FN on S2259 when a method is annotated with spring's annotation @Nullable
    • [SONARJAVA-3503] - FN on S3052 when the initializer is a cast expression
  • 6.6.0.22815 (Jul 20, 2020)

    Release Notes - SonarJava - Version 6.6

    Bug

    • [SONARJAVA-3382] - Computing method behavior for Java 14 methods fails
    • [SONARJAVA-3448] - IndexOutOfBoundsException on S5863 when "containsX" is called without argument.
    • [SONARJAVA-3452] - Analysis fails when transpiling JSP with jar stripped of code
    • [SONARJAVA-3453] - JSP files shouldn't be analyzed for SQ < 8.3

    New Feature

    • [SONARJAVA-3286] - Support Java 14
    • [SONARJAVA-3404] - Rule S5852: Using slow regular expressions is security-sensitive
    • [SONARJAVA-3412] - Rule S5840: Regex patterns and their sub-patterns should not always fail
    • [SONARJAVA-3413] - Rule S5842: Regex repetition pattern's body should not match the empty String
    • [SONARJAVA-3415] - Rule S5843: Regular expressions should not be too complicated
    • [SONARJAVA-3416] - Rule S5846: Empty lines should not be tested with regex MULTILINE flag
    • [SONARJAVA-3417] - Rule S5850: Alternatives in regular expressions should be grouped when used with anchors
    • [SONARJAVA-3419] - Rule S5854: Regex containing characters subject to normalization should use the CANON_EQ flag
    • [SONARJAVA-3420] - Rule S5856: Regular expressions should be syntactically valid
    • [SONARJAVA-3421] - Rule S5857: Regular expressions character classes should be preferred over non-greedy quantifiers
    • [SONARJAVA-3422] - Rule S5860: Names of regular expressions named groups should be used
    • [SONARJAVA-3423] - Rule S5866: Case insensitive Unicode regular expressions should enable the "UNICODE_CASE" flag
    • [SONARJAVA-3424] - Rule S5867: Unicode-aware versions of character classes should be preferred
    • [SONARJAVA-3425] - Create a dedicated regex parser to allow implementation of java rules targeting regex
    • [SONARJAVA-3426] - Rule S5868: Unicode Grapheme Clusters should be avoided inside regex character classes
    • [SONARJAVA-3427] - Rule S5869: Character classes in regular expressions should not contain the same character twice

    Improvement

    • [SONARJAVA-2163] - S2187: support detecting test classes without tests for classes matched by maven-surefire and gradle
    • [SONARJAVA-3049] - Resolve semantic for switch expression
    • [SONARJAVA-3270] - Update ASM to 8.0.1 for Java 14 support
    • [SONARJAVA-3332] - Upgrade ECJ to 3.22.0 for Java 14 support
    • [SONARJAVA-3434] - S5542: add a secondary location to the insecure cipher declaration
    • [SONARJAVA-3460] - S3457, S2275: Rework printf-style format rules

    False-Positive

    • [SONARJAVA-3237] - S1142 should be ignored in equals methods
    • [SONARJAVA-3254] - S3398 Should not suggest to move static method to non-static inner
    • [SONARJAVA-3304] - FP in S2201: support new switch expression
    • [SONARJAVA-3368] - FP in S4276: interfaces with generic wildcard types can't be specialized
    • [SONARJAVA-3369] - FP S1228 (PackageInfoCheck) when there are several source directories
    • [SONARJAVA-3370] - FP S5411 (BoxedBooleanExpressionsCheck) on method invocation having @NotNull
    • [SONARJAVA-3377] - Avoid FP for Google AutoValue classes
    • [SONARJAVA-3379] - FP in S4248 for Pattern in a class annotated with Lombok @UtilityClass
    • [SONARJAVA-3418] - S2275: FP when passing a Throwable as last argument
    • [SONARJAVA-3437] - FP in S2325 due to Lombok "@UtilityClass"
    • [SONARJAVA-3449] - FP on S2141 when equals() without default implementation is defined in an interface
    • [SONARJAVA-3450] - FP on S3973 on valid generated equals methods from IntelliJ
    • [SONARJAVA-3454] - FP in S2970 when "assertThatThrownBy" is used alone
    • [SONARJAVA-3456] - Don't raise S2160 when extending class overriding equals using an abstract definition
    • [SONARJAVA-3461] - FP in S5838: simplification with "isEqualTo" can not always be made on Object assertions
    • [SONARJAVA-3465] - FPs and FNs related to quoting characters in regular expressions

    False Negative

    • [SONARJAVA-3400] - FN in S2885(StaticMultithreadedUnsafeFieldsCheck) for DateFormat.getDateInstance()
    • [SONARJAVA-3403] - FN in S4970: support unrelated Exception
    • [SONARJAVA-3440] - FN in S1194: Support extending sub-classes of Error
    • [SONARJAVA-3455] - FN in S2111 for boxed Double and Float
    • [SONARJAVA-3457] - FN in S5361 when using backslashes
    • [SONARJAVA-3459] - FN on S1128 (UselessImportCheck) when comments contain the class name within a word
  • 6.3.2.22818 (Jul 20, 2020)

  • 6.5.1.22586 (Jul 2, 2020)

  • 6.5.0.22421 (Jun 19, 2020)

    Release Notes - SonarJava - Version 6.5

    Bug

    • [SONARJAVA-3438] - S5122: ClassCastException when annotation is defined with an identifier

    New Feature

    • [SONARJAVA-3384] - Rule S5831: AssertJ configuration should be applied
    • [SONARJAVA-3390] - Rule S5833: AssertJ methods setting the assertion context should come before an assertion
    • [SONARJAVA-3393] - Rule S5838: Chained AssertJ assertions should be simplified to the corresponding dedicated assertion
    • [SONARJAVA-3395] - Rule S5841: AssertJ assertions "allMatch" and "doesNotContains" should also test for emptiness
    • [SONARJAVA-3399] - Rule S5845: Assertions of dissimilar types should not be made
    • [SONARJAVA-3402] - Rule S5853: Consecutive AssertJ "assertThat" statement should be chained
    • [SONARJAVA-3405] - Rule S5863: Assertions should not compare an object to itself

    Improvement

    • [SONARJAVA-3349] - S2698: support AssertJ assertions without message
    • [SONARJAVA-3351] - Rule S5826: Methods setUp() and tearDown() should be correctly annotated starting with JUnit4
    • [SONARJAVA-3383] - S5783 and S5778: Support AssertJ
    • [SONARJAVA-3389] - S2698: improve issue reporting
    • [SONARJAVA-3397] - S3658, S5778, S5779, S5783 support AssertJ "fail"
    • [SONARJAVA-3398] - S2970(AssertionsCompletenessCheck) should support all AssertJ assertions
    • [SONARJAVA-3401] - Extend S3415 (Arguments order) to support AssertJ assertions
    • [SONARJAVA-3432] - S2479: support whitespace and control characters in "char"
    • [SONARJAVA-3435] - S1214: add secondary locations to interface's constants
    • [SONARJAVA-3442] - FN in S2133: detect getClass called on new array
    • [SONARJAVA-3444] - Deprecate 10 security-hotspot rules that overlap with security-injection rules
    • [SONARJAVA-3445] - Deprecate S4787 in favor of cryptography rules
    • [SONARJAVA-3446] - Deprecate S2255 and S3331 not considered anymore as sensitive

    False-Positive

    • [SONARJAVA-3386] - FP on S2187 when test class is a JUnit4 test class also inheriting from a JUnit3 TestCase
    • [SONARJAVA-3394] - FP in S3749 when spring class is not a singleton
    • [SONARJAVA-3429] - FP in S2384, S2386: support common method returning unmodifiable collections
    • [SONARJAVA-3431] - S3415: better support of constant used as actual value
    • [SONARJAVA-3441] - FP in S1174 when "finalize()" is not from Object.
    sonar-java-plugin-6.5.0.22421.jar(17.97 MB)
  • 6.4.0.21967 (May 14, 2020)

    Release Notes - SonarSource Code Analyzer for Java - Version 6.4

    False-Positive

    • [SONARJAVA-3324] - FP in S2970 when using JUnit 5 Soft assertions extension.
    • [SONARJAVA-3357] - S1452: java Collectors second parameter should be excluded
    • [SONARJAVA-3358] - S1604: don't report method with annotations
    • [SONARJAVA-3378] - FP in S1612 when lambda argument is a subtype of ambiguous method parameter

    Bug

    • [SONARJAVA-3375] - FP S2973(EscapedUnicodeCharactersCheck) with Unicode Whitespaces
    • [SONARJAVA-3380] - Sourcemap for JSP can have multiple input files
    • [SONARJAVA-3385] - NPE in JSymbol when searching the enclosing class of a variable within an interface

    New Feature

    • [SONARJAVA-2794] - Rule S2479: Newline and control characters should not be used in string literals
    • [SONARJAVA-2944] - Rule S4970: Derived exceptions should not hide their parents catch block
    • [SONARJAVA-3258] - Rule S5669: Vararg method arguments should not be confusing
    • [SONARJAVA-3353] - Rule S5776: Exception testing via JUnit ExpectedException rule should not be mixed with other assertions
    • [SONARJAVA-3354] - Rule S5777: Exception testing via JUnit @Test annotation should be avoided
    • [SONARJAVA-3356] - Rule S5779: Assertion methods should not be used within the try block of a try-catch catching an Error
    • [SONARJAVA-3359] - Rule S5783: Only one method invocation is expected when testing checked exceptions
    • [SONARJAVA-3360] - Rule S5778: Only one method invocation is expected when testing runtime exceptions
    • [SONARJAVA-3361] - Rule S5785: JUnit assertTrue/assertFalse should be simplified to its dedicated assertion
    • [SONARJAVA-3362] - Rule S5786: JUnit5 test classes and methods should have default package visibility
    • [SONARJAVA-3366] - Rule S5790: JUnit5 nested test classes should be annotated with @Nested
    • [SONARJAVA-3367] - Rule S5793: Migrate your tests from JUnit4 to the new JUnit5 annotations
    • [SONARJAVA-3373] - Rule S5810: JUnit5 test classes and methods should not have private visibility

    sonar-java-plugin-6.4.0.21967.jar(17.91 MB)
  • 6.3.0.21585 (Apr 8, 2020)

    Release Notes - SonarSource Code Analyzer for Java - Version 6.3.0.21585

    False-Positive

    • [SONARJAVA-3316] - FP in S5542 (EncryptionAlgorithmCheck) on more secure algorithms and on algorithm names using a different case
    • [SONARJAVA-3320] - S1165/S2039: Fix false positives for Lombok's field modifier annotations
    • [SONARJAVA-3321] - FP S5542 (EncryptionAlgorithmCheck): should support default security java provider
    • [SONARJAVA-3330] - FP in S3749 when fields are injected by Lombok @RequiredArgsConstructor
    • [SONARJAVA-3338] - FP on S1118: improve support of Lombok's annotation generating constructor

    Improvement

    • [SONARJAVA-2410] - Issue filter should also filter rules depending on the suppressed java warning
    • [SONARJAVA-3313] - Improve log message for missing compiled classes
    • [SONARJAVA-3315] - Unify JavaCheckVerifiers and simplify its usage to test rules
    • [SONARJAVA-3317] - Improve performance
    • [SONARJAVA-3318] - S2077 should present to the user all the locations where the formatted SQL query string is used
    • [SONARJAVA-3323] - S1166 should be able to be configured with an empty whitelist
    • [SONARJAVA-3325] - Remove dependency on Ant for JSP transpiling
    • [SONARJAVA-3326] - Remove dependency on Eclipse JDT for JSP transpiling
    • [SONARJAVA-3331] - FN in S3749: support @Component annotation
    • [SONARJAVA-3337] - Update branding to drop 'SonarJava'