:coffee: SonarSource Static Analyzer for Java Code Quality and Security

Last update: Jan 5, 2023

Overview

Code Quality and Security for Java

This SonarSource project is a code analyzer for Java projects. Information about the analysis of Java features is available here.

Features

500+ rules (including 100+ bug detection rules and 300+ code smells)
Metrics (complexity, number of lines etc.)
Import of test coverage reports
Custom rules

Useful links

Have question or feedback?

To provide feedback (request a feature, report a bug etc.) use the SonarQube Community Forum. Please do not forget to specify the language (Java!), plugin version and SonarQube version.

If you have a question on how to use plugin (and the docs don't help you), we also encourage you to use the community forum.

Contributing

Topic in SonarQube Community Forum

To request a new feature, please create a new thread in SonarQube Community Forum. Even if you plan to implement it yourself and submit it back to the community, please start a new thread first to be sure that we can use it.

Pull Request (PR)

To submit a contribution, create a pull request for this repository. Please make sure that you follow our code style and all tests are passing (all checks must be green).

Custom Rules

If you have an idea for a rule but you are not sure that everyone needs it you can implement a custom rule available only for you. Note that in order to help you, we highly recommend to first follow the Custom Rules 101 tutorial before diving directly into implementing rules from scratch.

Work with us

Would you like to work on this project full-time? We are hiring! Check out https://www.sonarsource.com/hiring

Testing

To run tests locally follow these instructions.

Build the Project and Run Unit Tests

To build the plugin and run its unit tests, execute this command from the project's root directory:

mvn clean install

Integration Tests

To run integration tests, you will need to create a properties file like the one shown below, and set the url pointing to its location in an environment variable named ORCHESTRATOR_CONFIG_URL.

# version of SonarQube Server
sonar.runtimeVersion=7.9

orchestrator.updateCenterUrl=http://update.sonarsource.org/update-center-dev.properties

# Location of Maven local repository is not automatically guessed. It can also be set with the env variable MAVEN_LOCAL_REPOSITORY.
maven.localRepository=/home/myName/.m2/repository

With for instance the ORCHESTRATOR_CONFIG_URL variable being set as:

export ORCHESTRATOR_CONFIG_URL=file:///home/user/workspace/orchestrator.properties

Before running the ITs, be sure your MAVEN_HOME environment variable is set.

Sanity Test

The "Sanity Test" is a test which runs all checks against all the test sources files without taking into account the result of the analysis. It verifies that rules are not crashing on any file in our test sources. By default, this test is excluded from the build. To launch it:

mvn clean install -P sanity

Plugin Test

The "Plugin Test" is an integration test suite which verifies plugin features such as metric calculation, coverage etc. To launch it:

mvn clean install -Pit-plugin

Ruling Test

The "Ruling Test" are an integration test suite which launches the analysis of a large code base, saves the issues created by the plugin in report files, and then compares those results to the set of expected issues (stored as JSON files).

To run the test, first make sure the submodules are checked out:

git submodule init 
git submodule update

Launch ruling test:

cd its/ruling
mvn clean install -DskipTests=false

This test gives you the opportunity to examine the issues created by each rule and make sure they're what you expect. Any implemented rule is highly likely to raise issues on the multiple projects we use as ruling code base.

For newly implemented rule, it means that a first build will most probably fail, caused by differences between expected results (without any values for the new rule) and the new results. You can inspect these new issues by searching for files named after your rule (squid-SXXXX.json) in the following folder:
```
  /path/to/project/sonar-java/its/ruling/target/actual/...
```
For existing rules which are modified, you may expect some differences between "actual" (from new analysis) and expected results. Review carefully the changes which are shown and update the expected resources accordingly.

All the json files contain a list of lines, indexed by file, expliciting where the issues raised by a specific rule are located. If/When everything looks good to you, you can copy the file with the actual issues located at:

its/ruling/target/actual/

Into the directory with the expected issues:

its/ruling/src/test/resources/

For example using the command:

cp its/ruling/target/actual/* its/ruling/src/test/resources/

License

Licensed under the GNU Lesser General Public License, Version 3.0

Comments

SONARJAVA-73 add more lombok's used annotations for UnusedPrivateFieldCheck

Add more used annotation from lombok.

Getter/Setter: http://projectlombok.org/features/GetterSetter.html Data: http://projectlombok.org/features/Data.html Value: http://projectlombok.org/features/Value.html Builder: http://projectlombok.org/features/Builder.html ToString: http://projectlombok.org/features/ToString.html EqualsAndHashCode: http://projectlombok.org/features/EqualsAndHashCode.html NoArgsConstructor, RequiredArgsConstructor, AllArgsConstructor: http://projectlombok.org/features/Constructor.html

Won't supported: Synchronized with customed name: http://projectlombok.org/features/Synchronized.html

opened by liudongmiao 18
SONARJAVA-1793: Add support for Truth framework assertions.
Please ensure your pull request adheres to the following guidelines:

[x] Use the following formatting style: SonarSource/sonar-developer-toolset

[x] Unit tests are passing and you provided a unit test for your fix

[x] ITs should pass : To run ITs locally, checkout the README of the project.

[x] If there is a Jira ticket available, please make your commits and pull request start with the ticket number (SONARJAVA-XXXX)

A method invocation on the 'Subject' base-type of the Truth framework will be considered as an assertion call.
opened by Johnnei 17
RSPEC-1659 : Multiple variables should not be declared on the same line
Proposal for RSPEC-1659, note about it :

No tag => I choose convention

description can't be apply for Java language => some liberties in S1659.html

sqale cost to 5min is not too much ?
opened by axel3rd 15
SONARJAVA-1794: Add parameter to toggle UndocumentedAPI behaviour
Please ensure your pull request adheres to the following guidelines:

[x] Use the following formatting style: SonarSource/sonar-developer-toolset

[x] Unit tests are passing and you provided a unit test for your fix

[x] ITs should pass : To run ITs locally, checkout the README of the project.

[x] If there is a Jira ticket available, please make your commits and pull request start with the ticket number (SONARJAVA-XXXX)

The new parameters allows to switch between inclusion and exclusion mode.
opened by Johnnei 12
SONARJAVA-1030 Check Locks with factorization of closeables
Currently missing features :

reporting correct messages

Ability to report on field for lock check

To be improved : the ugly hack of Ignore State of Closeable check (we should probably just drop the tracking of value of this symbol and do not bother with such a state in the first place).
opened by benzonico 11
fixing the String index out of range exception while parsing surefire…
… reports for Dynamic test cases

Please ensure your pull request adheres to the following guidelines:

[ ] Use the following formatting style: SonarSource/sonar-developer-toolset

[ ] Unit tests are passing and you provided a unit test for your fix

[ ] ITs should pass : To run ITs locally, checkout the README of the project.

[ ] If there is a Jira ticket available, please make your commits and pull request start with the ticket number (SONARJAVA-XXXX)
opened by rohitri-90 10
SONARJAVA-2219: Spring Annotations - adding missing one
@m-g-sonar sorry fr so many pull requests, i hope this is now done correctly

Hey guys!

With my last commit i think we did miss on the @Value annotation. I added it with this Pull-Request, i think that is it, i checked the JSR-250 and spring annotation, and did not find another field-based injection annotation!

Br simon

Please ensure your pull request adheres to the following guidelines:

[x] Use the following formatting style: SonarSource/sonar-developer-toolset

[x] Unit tests are passing and you provided a unit test for your fix

[x] ITs should pass : To run ITs locally, checkout the README of the project. - did not check

[x] If there is a Jira ticket available, please make your commits and pull request start with the ticket number (SONARJAVA-XXXX)
opened by aepfli 9
Adding support for Guava VisibleForTesting annotation
This PR adds support for for Guava's @VisibleForTesting annotation and will no longer raise issues on protected members that have been annotated with this annotation as well as default visibility (package). This annotation indicates that the visibility of a type or member has been purposely relaxed to make the code testable.

public final class MyFinalClass { @VisibleForTesting protected Logger logger; // Compliant, no S2156 rule failed @VisibleForTesting protected int calculateSomethingComplex(String input) { // Compliant, no S2156 rule failed // ... } } class Cone { @VisibleForTesting Logger logger; // Compliant, no S2039 rule failed } class MyFinalClassTest { @Test public void test() { MyFinalClass my = new MyFinalClass(); my.logger = mock(Logger.class); assertThat(my.calculateSomethingComplex(INPUT_JSON)).isEqualTo(42); } }

More info: http://eng.wealthfront.com/2011/12/02/beyond-javas-access-control-visibility

Please ensure your pull request adheres to the following guidelines:

[x] Use the following formatting style: SonarSource/sonar-developer-toolset

[x] Unit tests are passing and you provided a unit test for your fix

[x] ITs should pass : To run ITs locally, checkout the README of the project.

[x] If there is a Jira ticket available, please make your commits and pull request start with the ticket number (SONARJAVA-XXXX)
opened by cardil 9
return false as soon as a final equals method is found
This PR fixes issue reported here: https://community.sonarsource.com/t/rule-s2160-false-positive-when-class-has-one-parent-with-non-final-equals-method/4885

[x] Use the following formatting style: SonarSource/sonar-developer-toolset

[x] Unit tests are passing and you provided a unit test for your fix

[x] ITs should pass : To run ITs locally, checkout the README of the project.

[ ] If there is a Jira ticket available, please make your commits and pull request start with the ticket number (SONARJAVA-XXXX)
opened by troosan 8
SONARJAVA-2230 - Add restassured support for S2699
it includes: body, content, contentType, cookie, cookies, header, headers, spec, specfication, statusCode, statusLine, time

Please ensure your pull request adheres to the following guidelines:

[x] Use the following formatting style: SonarSource/sonar-developer-toolset

[x] Unit tests are passing and you provided a unit test for your fix

[ ] ITs should pass : To run ITs locally, checkout the README of the project.

[x] If there is a Jira ticket available, please make your commits and pull request start with the ticket number (SONARJAVA-XXXX)
opened by gwelican 8
SONARJAVA-1336: Improve S128 to handle more situations
Please ensure your pull request adheres to the following guidelines:

[x] Use the following formatting style: SonarSource/sonar-developer-toolset

[x] Unit tests are passing and you provided a unit test for your fix

[x] ITs should pass : To run ITs locally, checkout the README of the project.

[x] If there is a Jira ticket available, please make your commits and pull request start with the ticket number (SONARJAVA-XXXX)

Now handles the cases by analyzing the various paths. I played around with secondary issue marking a little but getting it to markdown the most precise location(or locations in case multiple branches fail the constraint) was starting to add more and more code. So I decided that within my solution adding secondary flagging would clutter the code too much.

Feel free to shoot this solution down if I failed to grasp on how to tackle this problem properly.

During development I found that adding an irrelevant block after the switch statement could influence which call were being made to checkPreStatement which I couldn't really explain. If you're interested in those see this branch example test case: java-frontend/src/test/files/se/SwitchCaseWithoutBreakCheck.java (Line 94). Edit: I've did some more research and found that swapping the CFG building of the case labels and body fixes the test, but breaks the CFG checker (creates empty blocks). Still seems weird to me
opened by Johnnei 8
Vert.x methods for JUnit5 in AssertionsInTestsCheck
Add these methods of Eclipse Vert.x with JUnit 5 (VertxTestContext) to list of assertion methods:

laxCheckpoint

succeedingThenComplete

Exclude these methods of Eclipse Vert.x with JUnit 5 (VertxTestContext) from list of assertion methods:

verify

failing

Upgrade Vert.x version from 3.5.4 to 4.3.1. This requires code changes in VertxJUnit4.java because HttpClient changed in Vert.x 4.

Use vertx-stack-depchain dependencyManagement, this also manages netty-all, jackson-annotations, jackson-databind.
opened by julianladisch 0

Releases(7.15.0.30507)

7.15.0.30507(Nov 1, 2022)

Release notes - SonarJava - Version 7.15

Bug

SONARJAVA-4342 Nullness annotation on interface methods should be inherited in implementation methods

SONARJAVA-4341 IndexOutOfBoundsException when trying to access symbols of declared parameters of Compact constructor

SONARJAVA-4338 S1186: Inconsistent exceptions in documentation and implementation

SONARJAVA-4176 NPE in JSymbol.typeOwner

SONARJAVA-3529 S3958: Incorrect location in case of certain exceptional paths

Documentation

SONARJAVA-4333 Update sonar.java.jdkHome documentation

False Negative

SONARJAVA-4251 FN S2252(ForLoopFalseConditionCheck) does not support constants

False-Positive

SONARJAVA-4344 FP S3878 when the vararg has an array type

SONARJAVA-4336 S2384, 2386 should support methods from Guava returning immutable collections

SONARJAVA-4282 Exclude "com.sun.xml.ws" package from S1191 by default

SONARJAVA-4252 S2384, S2386 should support immutable collection creation from stream

SONARJAVA-4241 S1125: erroneous quick fix suggestion when negating a binary operation

SONARJAVA-4196 S5860 should cover methods start() and end() of 'java.util.regex.Matcher'

SONARJAVA-4072 FP S107 with Spring and micronaut annotations

SONARJAVA-4024 FP in S6019 because of RegexTreeHelper.isAnchoredAtEnd

SONARJAVA-3900 FP S3242(LeastSpecificTypeCheck) for functional interfaces

SONARJAVA-3896 FP S3329 should not raise when the IV is not defined

SONARJAVA-3890 S5996 should not raise an issue if $ is followed by a line break character

SONARJAVA-3668 FP on S1186: method annotated @Pointcut from AspectJ are often expected to be empty

Improvement

SONARJAVA-4335 S3776 should Ignore equals() and hashCode() methods similarly to S1541

SONARJAVA-4325 Change message suggestion for S3878 when method argument type is not Object

SONARJAVA-4257 Fix typo in S4605 message

New Feature

SONARJAVA-4349 Expose ClasspathForMain.getBinaryDirs() in public API

SONARJAVA-4348 Expose test classpath and binaries in the public API

Task

SONARJAVA-4346 Update rules metadata

SONARJAVA-4264 Remove deprecated common-java:DuplicatedBlocks rule from Sonar Way
Source code(tar.gz)
Source code(zip)
7.14.0.30229(Sep 30, 2022)

Release notes - SonarJava - Version 7.14

False-Positive

SONARJAVA-4330 Rule S2272: FP on method calls that are not next()

SONARJAVA-4242 SE should handle "booleanValue()" from Boolean wrapper

SONARJAVA-4174 S2259 should not raise an issue when a null variable is passed to Optional.ofNullable

SONARJAVA-4131 Add support of org.springframework.util.StringUtils#isEmpty

Improvement

SONARJAVA-4288 Update Analyzer Commons to 1.27: changes in Regex check and resources loading

SONARJAVA-4220 Update ECJ to 3.30.0

SONARJAVA-3891 Add support of org.apache.commons.lang3.ArrayUtils methods

New Feature

SONARJAVA-4284 Rules support PCI DSS Security Standard

SONARJAVA-4278 Rule S2068: Remove method checks

SONARJAVA-4275 Rule S6437: Credentials should not be hard-coded

Task

SONARJAVA-4332 Update rules metadata
Source code(tar.gz)
Source code(zip)
7.13.0.29990(Jul 4, 2022)
Release Notes - SonarJava - Version 7.13

New Feature

[SONARJAVA-4133] - Rule S6241 Region should be set explicitly when creating a new AwsClient

[SONARJAVA-4134] - Rule S6242 Credentials Provider should be set explicitly when creating a new "AwsClient"

[SONARJAVA-4135] - Rule S6243 Reusable resources should be initialized at construction time of Lambda functions

[SONARJAVA-4136] - Rule S6244 Consumer Builders should be used

[SONARJAVA-4137] - Rule S6246 Lambdas should not invoke other lambdas synchronously

[SONARJAVA-4138] - Rule S6262 AWS region should not be set with a hardcoded String

[SONARJAVA-4139] - Rule S6263 Using Long-term access keys are security-sensitive

Task

[SONARJAVA-4270] - Add performance timers on the cache-aware analysis paths

[SONARJAVA-4280] - Update rules metadata

Improvement

[SONARJAVA-4271] - Do not attempt to scan without parsing in a context where files cannot be skipped

[SONARJAVA-4276] - Message of S4968 should end with a full stop

Source code(tar.gz)
Source code(zip)
7.12.1.29810(Jun 16, 2022)
Release Notes - SonarJava - Version 7.12.1

Bug

[SONARJAVA-4267] - The Java analyzer crashes when running incremental analysis on generated files

False-Positive

[SONARJAVA-4243] - FP in S6205 when the content of the block is not an expression

Source code(tar.gz)
Source code(zip)
7.12.0.29739(May 16, 2022)
Release Notes - SonarJava - Version 7.12

Bug

[SONARJAVA-4231] - NPE in JType.normalize

New Feature

[SONARJAVA-2940] - Rule S4968: The upper bound of wildcard parameterized types should not be "final"

[SONARJAVA-4149] - Rule S6326: Regular expressions should not contain multiple spaces

[SONARJAVA-4150] - Rule S6396: Superfluous curly brace quantifiers should be avoided

[SONARJAVA-4151] - Rule S6353: Regular expression quantifiers and character classes should be used concisely

[SONARJAVA-4152] - Rule S6397: Character classes in regular expressions should not contain only one character

[SONARJAVA-4154] - Rule S6331: Regular expressions should not contain empty groups

[SONARJAVA-4170] - Rule S6395: Non-capturing groups without quantifier should not be used

[SONARJAVA-4173] - Rule S6411 Types used as keys in Maps should implement Comparable

[SONARJAVA-4209] - Introduce caching capabilities for Java rules

[SONARJAVA-4222] - Rule S6418: Hard-coded secrets are security-sensitive

[SONARJAVA-4223] - S5693: Remove requirement to re-parse files on each PR analysis

[SONARJAVA-4224] - S4605: Remove requirement to re-parse files on each PR analysis

[SONARJAVA-4225] - S1228: Remove requirement to re-parse files on each PR analysis

[SONARJAVA-4226] - S4032: Remove requirement to re-parse files on each PR analysis

Task

[SONARJAVA-4214] - Compiler flag "enablePreviewFeatures" should be enable for java version >= maximum supported version

[SONARJAVA-4218] - Stop ignoring S2789 unit test related to javax.annotation.meta.When.NEVER

[SONARJAVA-4236] - Rely on released version of Analyzer Commons

[SONARJAVA-4245] - Extract ModuleScannerContext out InputFileScannerContext

[SONARJAVA-4246] - Expose the EndOfAnalysis interface as part of the plugin API

[SONARJAVA-4248] - Inroduce the notion of a module key that can be utilized by checks

[SONARJAVA-4249] - Rely on Analyzer Commons for regex helper classes

[SONARJAVA-4253] - Update rules metadata

Improvement

[SONARJAVA-3838] - Add support for TimeUnit.sleep() in S2925

[SONARJAVA-4153] - Refactor S5842 using sonar-analyzer-commons

[SONARJAVA-4155] - Refactor S5843 using sonar-analyzer-commons

[SONARJAVA-4156] - Refactor S5850 using sonar-analyzer-commons

[SONARJAVA-4157] - Refactor S5855 using sonar-analyzer-commons

[SONARJAVA-4158] - Refactor S5857 using sonar-analyzer-commons

[SONARJAVA-4159] - Refactor S5867 using sonar-analyzer-commons

[SONARJAVA-4160] - Refactor S5868 using sonar-analyzer-commons

[SONARJAVA-4161] - Refactor S5869 using sonar-analyzer-commons

[SONARJAVA-4162] - Refactor S5994 using sonar-analyzer-commons

[SONARJAVA-4163] - Refactor S5996 using sonar-analyzer-commons

[SONARJAVA-4164] - Refactor S6001 using sonar-analyzer-commons

[SONARJAVA-4165] - Refactor S6002 using sonar-analyzer-commons

[SONARJAVA-4166] - Refactor S6019 using sonar-analyzer-commons

[SONARJAVA-4167] - Refactor S6035 using sonar-analyzer-commons

[SONARJAVA-4188] - S4423 should not report an issue when the version is not set

[SONARJAVA-4215] - S1943 (default system encoding) should not report an issue for Java >= 18

[SONARJAVA-4217] - Merge S1158 and S2131

[SONARJAVA-4228] - S6377: update the issue message

[SONARJAVA-4230] - Allow client-side disabling of caching

[SONARJAVA-4234] - Allow caching to be disabled (or enabled) by an overriding analyzer flag

[SONARJAVA-4235] - Improve SonarJava caching API

[SONARJAVA-4240] - S5693 stores a single cache entry per file

False-Positive

[SONARJAVA-4172] - S6206 should not report on non-final classes

[SONARJAVA-4204] - FP on S1221 when a method is overridden

[SONARJAVA-4219] - S1121 should not report an issue for assignment in Java 14 switch

[SONARJAVA-4221] - S6073 should support MockitoHamcrest adapter

[SONARJAVA-4227] - FP in S2068 and S6418: Secrets and Password should be correctly isolated in string literals

[SONARJAVA-4229] - FP S6418: Use frequency of character pairs to distinguish randomness

[SONARJAVA-4232] - S3398 : FP when reaching outer method from another instance

False Negative

[SONARJAVA-4206] - FN on S3012 in case of do-while loop

Source code(tar.gz)
Source code(zip)
7.11.0.29148(Mar 30, 2022)
Release Notes - SonarJava - Version 7.11

Task

[SONARJAVA-4216] - Enable preview features flag for Java 18

Source code(tar.gz)
Source code(zip)
7.10.0.29108(Mar 25, 2022)
Release Notes - SonarJava - Version 7.10

Bug

[SONARJAVA-3693] - Allow to exclude generated "*_jsp.java" files from analysis

[SONARJAVA-4194] - Rule S1155 crash with stackoverflow when encountering large numbers of chained BinaryExpressionTrees

[SONARJAVA-4207] - JAR files passed to sonar.java.libraries should be unlocked when not needed anymore in Batch mode

New Feature

[SONARJAVA-4183] - Incremental PR analysis: Skip rules that don't need to be run on unchanged files

[SONARJAVA-4199] - Enable batch mode by default

Task

[SONARJAVA-4197] - Fallback to file by file mode when a batch fails to parse

[SONARJAVA-4200] - Document incremental analysis

[SONARJAVA-4202] - Rules Sanity Test should include test files of compiler test sources

[SONARJAVA-4210] - Update rules metadata

Improvement

[SONARJAVA-4179] - Logging of undefined types and missing libraries should be relevant in batch mode

[SONARJAVA-4198] - JSP files should be correctly analyzed in batch mode

False-Positive

[SONARJAVA-4094] - S1105: FP when using java 16 records and java 17 sealed classes' permitted types

[SONARJAVA-4193] - FP on S3329 in case of simple assigments of the IV

Source code(tar.gz)
Source code(zip)
7.9.0.28969(Mar 7, 2022)
Release Notes - SonarJava - Version 7.9

New Feature

[SONARJAVA-4177] - Provide OWASP Top 10 2021 security standards for rules metadata

[SONARJAVA-4181] - Introduce rule selection for AutoScan

Task

[SONARJAVA-3707] - Deprecate S2658 in favor of S6173

[SONARJAVA-4145] - Update rules metadata

Improvement

[SONARJAVA-4186] - Rules testing subtypes should correctly handle incomplete semantic

False-Positive

[SONARJAVA-4184] - FPs on S112 when the body of a method has unresolved methods or if a called constructor declare raw exceptions

[SONARJAVA-4189] - FP in S3985 when all the usages of a class are not resolved

[SONARJAVA-4191] - S4838 should not report false positives when the semantic is incomplete

[SONARJAVA-4192] - S3077 should not report an issue when the type is unknown

Source code(tar.gz)
Source code(zip)
7.8.1.28740(Feb 7, 2022)
Release Notes - SonarJava - Version 7.8.1

Bug

[SONARJAVA-4148] - Duplicated "Using ECJ batch to parse source files" logs

Improvement

[SONARJAVA-3893] - Update S128 documentation to mention fallthrough exception

False-Positive

[SONARJAVA-3887] - Rule S5808 should not raise when an exception is thrown

[SONARJAVA-4144] - S2699 and S6103 should not report an issue in case of incomplete semantic

[SONARJAVA-4146] - FP in batch mode caused by missing annotations on dependent generic classes

Source code(tar.gz)
Source code(zip)
7.8.0.28662(Jan 28, 2022)
Release Notes - SonarJava - Version 7.8

Bug

[SONARJAVA-4128] - Record components of local records should not have the method as owner

[SONARJAVA-4129] - NPE in S1450 when private field is used in a record

Task

[SONARJAVA-4141] - Update rules metadata

Improvement

[SONARJAVA-4059] - Rule S6373 XML parsers should not allow inclusion of arbitrary files

[SONARJAVA-4062] - Rule S6374 XML parsers should not load external schemas

[SONARJAVA-4065] - Rule S6376 XML parsers should not be vulnerable to Denial of Service attacks

[SONARJAVA-4067] - Rule S6377 XML signatures should be validated securely

False-Positive

[SONARJAVA-3839] - FP in S6212 when a method has parameterized return types

[SONARJAVA-3842] - FP in S2755 when vulnerability is mitigated in another class

[SONARJAVA-3899] - FP on S2755 when XML DocumentBuilderFactory is initialized inside initialized block

[SONARJAVA-4008] - Rule S2755 should accept setExpandEntityReferences solution for openJDK >= 13

Source code(tar.gz)
Source code(zip)
7.7.0.28547(Jan 18, 2022)
Release Notes - SonarJava - Version 7.7

Bug

[SONARJAVA-4010] - NPE in JSymbol.hashCode()

[SONARJAVA-4023] - The Java analyzer should populate the classpath with all the JARs provided by the SDK

New Feature

[SONARJAVA-3770] - Implement rule S6217: Omit permitted types when subclasses are in the same file as their superclass

Task

[SONARJAVA-3863] - Drop deprecated method "MethodSymbol.overriddenSymbol()"

[SONARJAVA-4124] - Update license headers for 2022

[SONARJAVA-4125] - Update rules metadata

Improvement

[SONARJAVA-4057] - Do not generate FP when rules don't have semantic

[SONARJAVA-4086] - Preview feature problems should not be logged under unresolved types

[SONARJAVA-4101] - Update ECJ to 3.28.0

[SONARJAVA-4103] - Rules S1905 - Highlight also the parenthesis of the reported issue

[SONARJAVA-4104] - Rule S1197 Highlight the variable additionally to the []

[SONARJAVA-4114] - Support classpath entries with comma

[SONARJAVA-4115] - Custom rules plugin examples should shade dependencies and use latest packaging module

[SONARJAVA-4118] - Introduce Java 17's Sealed Classes as final feature

[SONARJAVA-4119] - Correctly parse Pattern-matching for switch from Java 17

[SONARJAVA-4120] - Logs about preview features should not suggest "-enable-preview"

False-Positive

[SONARJAVA-4060] - FP in S3252 when owner type is unknown

[SONARJAVA-4070] - S1874(CallToDeprecatedMethodCheck) should ignore incomplete method signature

[SONARJAVA-4074] - S5845: FP when using lombok.val

[SONARJAVA-4090] - FP in S6206 when the constructor and the class have not the same visibility

[SONARJAVA-4100] - Abstract classes should be excluded from S5790

[SONARJAVA-4102] - S6204 should not raise an issue when removeIf is called on the list

[SONARJAVA-4116] - Remove rule S2912 (IndexOfStartPositionCheck)

[SONARJAVA-4117] - Support "@SuperBuilder" from Lombok

[SONARJAVA-4122] - S3329 should not raise an issue for Cipher.DECRYPT_MODE

[SONARJAVA-4123] - FP on S2384: Collections.emptyList() should be considered as immutable.

Documentation

[SONARJAVA-4066] - Update custom rules 101 metadata documentation and template

False Negative

[SONARJAVA-4055] - S4544 should raise on Interface in addition to Class

[SONARJAVA-4058] - S5838 should support subtypes of Collections

[SONARJAVA-4063] - FN in S3688 (disallowed classes) in case of Reflection

[SONARJAVA-4108] - FN in S2189 : infinite do/while loops should be reported

[SONARJAVA-4111] - FN on S1862 when equality parameters are inverted

Source code(tar.gz)
Source code(zip)
7.6.0.28201(Nov 29, 2021)
Release Notes - SonarJava - Version 7.6

Bug

[SONARJAVA-4020] - S5869(DuplicatesInCharacterClassCheck): Fix false-negative and crash on regex spanning low and upper case ranges

Task

[SONARJAVA-3987] - Move all rules targeting XML from SonarJava to SonarQube XML Analyzer

[SONARJAVA-3988] - Drop XmlFileSensor from Java Analyzer

[SONARJAVA-4087] - Advertise minimal required JRE version

[SONARJAVA-4088] - Update rules metadata

Improvement

[SONARJAVA-4069] - Improve Nullability annotations support in S2638 (ChangeMethodContractCheck)

[SONARJAVA-4078] - Improve Nullability annotations support in S2789 (NullShouldNotBeUsedWithOptionalCheck)

[SONARJAVA-4079] - Improve Nullability annotations support in S4682 (PrimitivesMarkedNullableCheck)

[SONARJAVA-4080] - Improve Nullability annotations support in S2637 (NonNullSetToNullCheck)

[SONARJAVA-4081] - Improve Nullability annotations support in S4454 (EqualsParametersMarkedNonNullCheck)

[SONARJAVA-4082] - Improve Nullability annotations support in S2447 (BooleanMethodReturnCheck)

[SONARJAVA-4083] - Improve Nullability annotations support in S1168 (ReturnEmptyArrayNotNullCheck)

[SONARJAVA-4084] - Improve Nullability annotations support in S4449 (ParameterNullnessCheck)

[SONARJAVA-4085] - Improve Nullability annotations support in S2259 (NullDereferenceCheck)

[SONARJAVA-4089] - Improve Nullability annotations support in Exploded graph walker

[SONARJAVA-4091] - Use of Java 17 feature should not lead to a warning message

Source code(tar.gz)
Source code(zip)
7.5.0.28054(Nov 15, 2021)
Release Notes - SonarJava - Version 7.5

Bug

[SONARJAVA-4068] - S2118-S2441: Fix StackOverflowError raised for self assigned variables

Task

[SONARJAVA-4052] - Provide quick fix availability to SQ

[SONARJAVA-4075] - Update rules metadata

Improvement

[SONARJAVA-4048] - Update ECJ to 3.27.0 and require Java 11

False-Positive

[SONARJAVA-4047] - S2699: Fix FP with "andExpectAll" introduced in recent version of Spring Test

[SONARJAVA-4064] - S2055: Fix FP when the semantic is incomplete

[SONARJAVA-4073] - S3751 should accept protected and package scope modifiers

Source code(tar.gz)
Source code(zip)
7.4.0.27839(Oct 19, 2021)
Release Notes - SonarJava - Version 7.4

Bug

[SONARJAVA-4021] - Wrong message in S1128 with unused imports from a sub-package

New Feature

[SONARJAVA-4029] - Rule S6301: Mobile database encryption keys should not be disclosed

[SONARJAVA-4030] - Rule S6291: Using unencrypted databases in mobile applications is security-sensitive

[SONARJAVA-4031] - Rule S6300: Using unencrypted files in mobile applications is security-sensitive

[SONARJAVA-4034] - Rule S4507: Add WebView debug settings

[SONARJAVA-4036] - Rule S6362: Enabling JavaScript support for WebViews is security-sensitive

[SONARJAVA-4037] - Rule S6363: Enabling file access for WebViews is security-sensitive

Task

[SONARJAVA-4018] - Deprecate S2039 for Java

[SONARJAVA-4045] - Update rules metadata

Improvement

[SONARJAVA-3866] - Rule S6293: Using a biometric authentication independent of a cryptographic solution is security-sensitive

[SONARJAVA-3868] - Rule S6288: Authorizing non-authenticated users to use keys in the Android KeyStore is security-sensitive

[SONARJAVA-4039] - Rule S5332: support Android WebView insecure mixed content policy

[SONARJAVA-4046] - Avoid unnecessary TextEdit in quick fixes

[SONARJAVA-4049] - S2647: remove CWE-311 from "securityStandards" to match the "See" section

False-Positive

[SONARJAVA-2250] - FP on S2695 when the query is built in multiple statements

[SONARJAVA-3953] - S2095 should ignore ByteArrayOutputStream from apache.commons

[SONARJAVA-4014] - S1214 should not report interface with a parent

[SONARJAVA-4015] - FP in S1641 when the initializer is a ternary expression

[SONARJAVA-4016] - FP in S6206 when the return type of the getter is not the same as the one from the field

[SONARJAVA-4025] - FP in S2637 with non-null primitive field not initialized

[SONARJAVA-4040] - S1612 should not suggest casting though method reference for generic classes

[SONARJAVA-4041] - S1166 should not ignore whitelist when union type is used in catch

Documentation

[SONARJAVA-4042] - Document the quick fix metadata

False Negative

[SONARJAVA-4011] - S2119: Random() not detected when used directly in MemberSelectExpression

[SONARJAVA-4019] - FN in S2695 when the integer argument is coming from a constant

[SONARJAVA-4032] - S5322 should raise on Activity or any sub classes of Context

[SONARJAVA-4033] - S5320 should raise on Activity or any sub classes of Context

[SONARJAVA-4038] - S5324 should raise on Activity or any sub classes of Context

Source code(tar.gz)
Source code(zip)
7.3.0.27589(Sep 6, 2021)
Release Notes - SonarJava - Version 7.3

Sub-task

[SONARJAVA-3909] - Add quick fixes for S1481 (UnusedLocalVariableCheck)

[SONARJAVA-3910] - Add quick fixes for S2293 (DiamondOperatorCheck)

[SONARJAVA-3911] - Add quick fixes for S1155 (CollectionIsEmptyCheck)

[SONARJAVA-3913] - Add quick fixes for S1130 (RedundantThrowsDeclarationCheck)

[SONARJAVA-3915] - Add quick fixes for S1124 (ModifiersOrderCheck)

[SONARJAVA-3916] - Add quick fixes for S1128 (UselessImportCheck)

[SONARJAVA-3917] - Add quick fixes for S1161 (OverrideAnnotationCheck)

[SONARJAVA-3918] - Add quick fixes for S1186 (EmptyMethodsCheck)

[SONARJAVA-3919] - Add quick fixes for S5786 (JUnit5DefaultPackageClassAndMethodCheck)

[SONARJAVA-3921] - Add quick fixes for S1905 (RedundantTypeCastCheck)

[SONARJAVA-3922] - Add quick fixes for S3415 (AssertionArgumentOrderCheck)

[SONARJAVA-3923] - Add quick fixes for S1068 (UnusedPrivateFieldCheck)

[SONARJAVA-3925] - Add quick fixes for S1197 (ArrayDesignatorOnVariableCheck)

[SONARJAVA-3926] - Add quick fixes for S1125 (BooleanLiteralCheck)

[SONARJAVA-3927] - Add quick fixes for S3252 (StaticMemberAccessCheck)

[SONARJAVA-3928] - Add quick fixes for S1319 (CollectionImplementationReferencedCheck)

[SONARJAVA-3929] - Add quick fixes for S1172 (UnusedMethodParameterCheck)

[SONARJAVA-3930] - Add quick fixes for S1612 (ReplaceLambdaByMethodRefCheck)

[SONARJAVA-3931] - Add quick fixes for S1168 (ReturnEmptyArrayNotNullCheck)

[SONARJAVA-3933] - Add quick fixes for S5411 (BoxedBooleanExpressionsCheck)

[SONARJAVA-3934] - Add quick fixes for S1144 (UnusedPrivateMethodCheck)

[SONARJAVA-3939] - Add quick fixes for S1116 (EmptyStatementUsageCheck)

[SONARJAVA-3940] - Add quick fixes for S1858 (StringToStringCheck)

[SONARJAVA-3941] - Add quick fixes for S1659 (OneDeclarationPerLineCheck)

[SONARJAVA-3942] - Add quick fixes for S2209 (StaticMembersAccessCheck)

[SONARJAVA-3943] - Add quick fixes for S5838 (AssertJChainSimplificationCheck)

[SONARJAVA-3944] - Add quick fixes for S2325 (StaticMethodCheck)

[SONARJAVA-3945] - Add quick fixes for S1107 (RightCurlyBraceSameLineAsNextBlockCheck)

[SONARJAVA-3946] - Add quick fixes for S1488 (ImmediatelyReturnedVariableCheck)

[SONARJAVA-3948] - Add quick fixes for S2153 (ImmediateReverseBoxingCheck)

[SONARJAVA-3949] - Add quick fixes for S2446 (NotifyCheck)

[SONARJAVA-3950] - Add quick fixes for S2200 (CompareToResultTestCheck)

[SONARJAVA-3951] - Add quick fixes for S5164 (ThreadLocalCleanupCheck)

[SONARJAVA-3952] - Add quick fixes for S2111 (BigDecimalDoubleConstructorCheck)

[SONARJAVA-3955] - Add quick fixes for S4973 (CompareStringsBoxedTypesWithEqualsCheck)

[SONARJAVA-3958] - Add quick fixes for S3984 (UnusedThrowableCheck)

[SONARJAVA-3960] - Extends CheckVerifier to support testing of Quick-fixes

[SONARJAVA-3961] - Add quick fixes for S3986 (DateFormatWeekYearCheck)

[SONARJAVA-3962] - Add quick fixes for S3020 (ToArrayCheck)

[SONARJAVA-3998] - Add quick fixes for S1195 (ArrayDesignatorAfterTypeCheck)

Bug

[SONARJAVA-3969] - CheckVerifier expect too many issues when a //Noncompliant comment is placed after a multi-variable declaration

[SONARJAVA-3990] - S1120 should not crash on code containing line breaking control characters

[SONARJAVA-3993] - S6073 should not produce a NullPointerException when trying to read the body of an abstract method

[SONARJAVA-4003] - Fix Deadlock on ProgressMonitor

New Feature

[SONARJAVA-3854] - Rule S5329: Collection constructors should not be used as java.util.function.Function

[SONARJAVA-3906] - Quick fixes for CODE SMELLS requiring trivial changes without compilation impact

[SONARJAVA-3936] - Quick fixes for BUGS requiring trivial changes without compilation impact

Task

[SONARJAVA-4004] - Extend QuickFixHelper with nextVariable and previousVariable

[SONARJAVA-4005] - Update rules metadata

[SONARJAVA-4006] - Update SonarLint core version to use the new version of the API

Improvement

[SONARJAVA-3864] - Missing arguments in Deprecated annotation should be reported in its own rule

[SONARJAVA-3867] - S2479 Add a flag to allow tabs in string literals

[SONARJAVA-3881] - Change message of S3655 to mention isEmpty and improve rule description

[SONARJAVA-3907] - Add support for SonarLint quick fixes in the Java analyzer

[SONARJAVA-3947] - Typo in S6216 issue description

[SONARJAVA-3965] - Provide a new extensible API for issue reporting

[SONARJAVA-3989] - Remove overlap between S2638 and S4454 with "nonnull" argument of "equals" method

[SONARJAVA-4001] - Compute the end position of multi-line token only once

[SONARJAVA-4002] - S1659 should report only one issue per line

False-Positive

[SONARJAVA-3905] - FP in S1123 when additional javadoc is present

[SONARJAVA-3964] - S1612 should not suggest method reference casting when the type is a primitive

[SONARJAVA-3967] - S2127 should not report an issue when the symbol is unknown

[SONARJAVA-3986] - FP in S2583 with Java 16 pattern matching

[SONARJAVA-3991] - S6212 should not suggest using "var" when the initializer is an array initializers

[SONARJAVA-3996] - FP S2200(CompareToResultTestCheck) for unusual zero literal

[SONARJAVA-4009] - FP in S2129 with anonymous classes

False Negative

[SONARJAVA-4000] - S1168 (ReturnEmptyArrayNotNullCheck) should also cover Maps

Source code(tar.gz)
Source code(zip)
7.2.0.26923(Jul 20, 2021)
Release Notes - SonarJava - Version 7.2.0.26923

Bug

[SONARJAVA-3872] - "JSymbol.convertMetadata" should not throw an Exception when ecj fails

[SONARJAVA-3897] - Fix S1845(MembersDifferOnlyByCapitalizationCheck) duplicated issues

[SONARJAVA-3904] - Java 16's record keyword and sealed classes-related keywords should be highlighted as keywords

New Feature

[SONARJAVA-3745] - Implement rule S6204: Use Stream.toList() instead of collectors

[SONARJAVA-3748] - Implement rule S6206: Use records to represent immutable data structures

[SONARJAVA-3752] - Implement rule S6207: Avoid redundant constructors/methods in records

[SONARJAVA-3754] - Implement rule S6209: Ignored members during record serialization

[SONARJAVA-3758] - Implement rule S6211: Prefer overriding default record's getter

[SONARJAVA-3768] - Implement rule S6216: Reflection should not be used to update record's field value

[SONARJAVA-3771] - Implement rule S6218: Equals should be overridden in the record with array fields

[SONARJAVA-3773] - Implement rule S6219: Don't set 'serialVersionUID' to '0L' in records

Task

[SONARJAVA-3894] - [AutoScan] batchMode should support multi-modules scope

[SONARJAVA-3903] - Update rules metadata

Improvement

[SONARJAVA-3740] - Extend rule S1481 to report on unused variables in pattern matching on instanceof

[SONARJAVA-3746] - Extend rule S2201 to support 'Stream' non-void terminal methods

[SONARJAVA-3755] - Update rule S2057 to not report on 'Serializable' records

[SONARJAVA-3760] - Improve rule S2094: 'Classes should not be empty' to support Records

[SONARJAVA-3763] - Support Records in rules targeting Classes

[SONARJAVA-3769] - Remove record fields from reporting in S3011: Reflection fields update

[SONARJAVA-3902] - Use secondary locations in S1845 (Members differs only by capitalization)

False-Positive

[SONARJAVA-3892] - Exclude "com.sun.jersey" and "com.sun.faces" from S1191 by default

[SONARJAVA-3898] - Don't apply S5838 for calls to equals in methods with "equals" in the name

[SONARJAVA-3901] - FP in S2245 (PseudeRandomCheck) when passing a SecureRandom object as parameter

Source code(tar.gz)
Source code(zip)
7.1.0.26670(Jun 25, 2021)
Release Notes - SonarJava - Version 7.1.0.26670

Bug

[SONARJAVA-3799] - Visit records' members correctly

[SONARJAVA-3876] - S3986 produces an IndexOutOfBoundsException on calls to super

[SONARJAVA-3883] - Semantic API Symbol#type() is not @Nullable but return 'null'

[SONARJAVA-3885] - NPE in S1176 (UndocumentedApiCheck) when analyzing Java 16's records

New Feature

[SONARJAVA-3739] - Implement rule S6201: Use Pattern Matching on instanceof to substitute instanceof + cast

[SONARJAVA-3775] - Implement rule S6220: Functional interfaces should not be sealed

[SONARJAVA-3869] - Provide CFG for the body of a lambda

Task

[SONARJAVA-3718] - Stop release process when performance score is exceeds threshold

[SONARJAVA-3827] - Remove unused annotations "@DependsUpon", "@DependedUpon"

[SONARJAVA-3871] - Enable experimental batch mode for analysis

[SONARJAVA-3884] - Update rules metadata

Improvement

[SONARJAVA-3738] - Upgrade ECJ to 3.26.0

[SONARJAVA-3742] - Extend S3457 and S2275 to support String “formatted” method from Java 15

[SONARJAVA-3870] - Remove S6212 from default quality profile.

[SONARJAVA-3873] - Order rules based on execution time to make the best of issue streaming

False-Positive

[SONARJAVA-3784] - FP in S3958 when Java 16 "toList()" terminator operation is used

[SONARJAVA-3865] - Deprecate rule RSPEC-4604

[SONARJAVA-3874] - FP in S1168 when using classes with the same unqualified name as collections

Source code(tar.gz)
Source code(zip)
7.0.0.26422(Jun 8, 2021)
Release Notes - SonarJava - Version 7.0.0.26422

Bug

[SONARJAVA-3856] - S1643 ClassCastException on parentheses

Task

[SONARJAVA-3723] - Expose latest peach analysis performance score to Java bubble

[SONARJAVA-3724] - Compute performance score of upcoming release

[SONARJAVA-3816] - Update rules metadata

[SONARJAVA-3818] - Add an example of rules targeting TEST in our custom rules plugin example

[SONARJAVA-3820] - Add missing remediation functions

[SONARJAVA-3823] - Move java-checks-testkit's 'InternalJavaCheckVerifier' into internal package

[SONARJAVA-3825] - Drop deprecated methods from API

[SONARJAVA-3828] - Drop deprecated rules

[SONARJAVA-3833] - Update tutorial to add support of new LTS SQ 8.9

Improvement

[SONARJAVA-3777] - Improve S1128 (Unused imports) rule precision by relying on compiler warnings

[SONARJAVA-3791] - Use jdk 16 for our builds

[SONARJAVA-3794] - Improve S1905 (Redundant cast) rule precision by relying on compiler warnings

[SONARJAVA-3806] - Improve S1656 (Self Assignment) rule precision by relying on compiler warnings

[SONARJAVA-3807] - Improve S4970 (Unreachable Catch) rule precision by relying on compiler warnings

[SONARJAVA-3840] - Regex rules should support concatenating pattern objects

[SONARJAVA-3858] - S5838 should support "length()"/"size()" followed by "isPositive()" simplification

[SONARJAVA-3859] - Update description for 'sonar.java.file.suffixes'

[SONARJAVA-3860] - Map ECJ Warnings to syntax trees

[SONARJAVA-3862] - Rework "MethodTree.isOverriding()" to match the contract in case of unknowns in hierarchy

False-Positive

[SONARJAVA-3822] - S6073 should not report on method invocation arguments that actually return an argument matcher

[SONARJAVA-3836] - S5786 should not raise issue on a class visibility if it contains public static method(s)

[SONARJAVA-3844] - Rules targeting tests should work with incomplete semantic

[SONARJAVA-3845] - Rules targeting unused elements should work with incomplete semantic

[SONARJAVA-3846] - Rules targeting returns should work with incomplete semantic

[SONARJAVA-3847] - Rules targeting parameters should work with incomplete semantic

[SONARJAVA-3848] - Rules targeting types should work with incomplete semantic

[SONARJAVA-3849] - Rules targeting control flow should work with incomplete semantic

[SONARJAVA-3850] - Rules targeting class members should work with incomplete semantic

[SONARJAVA-3851] - Rules targeting methods calls should work with incomplete semantic

[SONARJAVA-3852] - Rules targeting methods should work with incomplete semantic

[SONARJAVA-3857] - FP S131 for a switch on an unknown symbol

False Negative

[SONARJAVA-3841] - FN in S5998 (regex stackoverflow) for possessive quantifiers

Source code(tar.gz)
Source code(zip)
6.15.1.26025(Apr 29, 2021)
Release Notes - SonarJava - Version 6.15.1.26025

Bug

[SONARJAVA-3808] - NPE in JMethodSymbol.overriddenSymbol

[SONARJAVA-3812] - Analysis should stop without logging when a CancellationException is thrown

Task

[SONARJAVA-3815] - Update rules metadata

[SONARJAVA-3817] - Remove rules resulting in failing tests from default quality profile

[SONARJAVA-3821] - Do not ship "sonar-plugin-api" implementation class with the analyzer components

Improvement

[SONARJAVA-3801] - Rule S4423 should support okhttp library

[SONARJAVA-3805] - Rule S5332 should support okhttp library

False-Positive

[SONARJAVA-3797] - FP in S1854 for effective-final assignment of variables used in a lambda

[SONARJAVA-3798] - FP in S1258 and S3749 when using Lombok "@Data" annotation

[SONARJAVA-3804] - FP in S3077 when volatile is used with @Immutable and @ThreadSafe annotations

[SONARJAVA-3809] - S5979 should not report on objects initialized with `MockitoJUnit.rule()` followed by options

[SONARJAVA-3811] - Rule S5542 should not be triggered when using CBC mode

[SONARJAVA-3814] - S6212 should not suggest to use "var" when the initializer is a lambda or a method reference

False Negative

[SONARJAVA-3785] - Rule S4605 is not detected with @SpringBootApplication

[SONARJAVA-3810] - S5547 should report on some more weak algorithms

[SONARJAVA-3813] - Rule S4790 should support more weak hash algorithms

Source code(tar.gz)
Source code(zip)
6.15.0.25849(Apr 15, 2021)
Release Notes - SonarJava - Version 6.15.0.25849

Bug

[SONARJAVA-3786] - Delete rule RSPEC-4603

[SONARJAVA-3788] - Fix IndexOutOfBoundsException in S1166 (CatchUsesExceptionWithContextCheck:307)

[SONARJAVA-3789] - Fix ClassCastException in S6202 (IsInstanceMethodCheck:70)

[SONARJAVA-3790] - Fix ClassCastException in S5411 (BoxedBooleanExpressionsCheck:158)

[SONARJAVA-3792] - Compilation of custom rule project fails due to missing metadata files

New Feature

[SONARJAVA-3716] - Provide a user property to produce performance metrics

[SONARJAVA-3741] - Rule S6202: Operator "instanceof" should be used instead of "A.class.isInstance()"

[SONARJAVA-3743] - Rule S6203: Text blocks should not be used in complex expression

[SONARJAVA-3749] - Rule S6205: Switch arrow labels should not use redundant keywords

[SONARJAVA-3753] - Rule S6208: Comma-separated labels should be used in Switch with colon case

[SONARJAVA-3759] - Rule S6212: Local-Variable Type Inference (var) should be used

[SONARJAVA-3761] - Rule S6213: Restricted Identifiers should not be used as Identifiers

Task

[SONARJAVA-3714] - Collect SquidSensor runtime data

[SONARJAVA-3717] - Increase reliability of cirrus-ci nightly analyses by restarting some failed jobs

[SONARJAVA-3720] - Push internal CI performance metrics to repository

[SONARJAVA-3721] - Enable performance measurement for ruling

[SONARJAVA-3722] - Compute measurement cost in performance metrics

[SONARJAVA-3726] - Update tutorial with SQ 8.8 and latest embedded release of SonarJava

[SONARJAVA-3728] - Update rules metadata

[SONARJAVA-3793] - Drop usage of deprecated internal method "hasSemantic()" in our rules

Improvement

[SONARJAVA-3666] - Add text block support for regex rules

[SONARJAVA-3715] - Add size of file to slowest files analyzed output

[SONARJAVA-3732] - Execute the move of the regex parser into analyzer-commons

[SONARJAVA-3736] - Support Text Block in rules relying on String literals from expressions

[SONARJAVA-3737] - Improve rules relying on String literals to support identifier from a final or effectively final variable.

[SONARJAVA-3744] - Extend existing rules to support Switch Expression

[SONARJAVA-3751] - Extend S4738 to suggest Java 9 "List.of", "Map.of", "Set.of" instead of Guava

[SONARJAVA-3762] - S5838 should support Java 11 "String.isBlank()"

[SONARJAVA-3766] - Improve rule description for ReDoS

[SONARJAVA-3778] - Fix performance hotspots in S103 due to slow regex

[SONARJAVA-3781] - All method overrides should be returned instead of only the first one

[SONARJAVA-3787] - Children of Switch Statement should not be a Switch Expression

[SONARJAVA-3796] - Fix possible Catastrophic backtracking in regex for S3518: Division by zero rule

False-Positive

[SONARJAVA-3731] - S5786 should not report on abstract classes or overridding test methods

[SONARJAVA-3734] - FP in S5979 when "ExtendWith" annotation is coming from a meta-annotation

[SONARJAVA-3750] - S1199 should not report an issue for any Switch case containing a block

[SONARJAVA-3772] - FP in S1943: Do not report an issue on any usage of Java 11 FileWriter and FileReader

[SONARJAVA-3774] - S2755 should not raise when a non null resolver is set with XMLInputFactory.setXMLResolver

[SONARJAVA-3776] - Fix FPs in S4276 when the generic argument left is a primitive wrapper

False Negative

[SONARJAVA-3757] - "Nullable" from eclipse should be considered as a Strong Nullable.

Source code(tar.gz)
Source code(zip)
6.14.0.25463(Mar 19, 2021)
Release Notes - SonarJava - Version 6.14.0.25463

Task

[SONARJAVA-3702] - Rule S3066: change rule type to Code-Smell

[SONARJAVA-3703] - Add custom rules examples from tutorial in repository

[SONARJAVA-3708] - Rule S3751: change rule type to Code-Smell

[SONARJAVA-3709] - Deprecate S3369

[SONARJAVA-3727] - Update rules metadata

Improvement

[SONARJAVA-3215] - S1166 add heuristics to support custom log frameworks

[SONARJAVA-3558] - Issue filter should extends its filter to IDE-specific suppressed warnings

[SONARJAVA-3568] - S5852 should use automata to increase its accuracy

[SONARJAVA-3624] - Regex FP/FN with Supplementary Multilingual Plane

[SONARJAVA-3629] - Improve S6002 RegexLookaheadCheck to support negative lookahead

[SONARJAVA-3636] - Improve secondary message for regex rules when issues are reported across different string literals

[SONARJAVA-3689] - Improve rule S110 to not report when hierarchy is too big already in library code

[SONARJAVA-3701] - Prepare the move of the regex parser into its own project

[SONARJAVA-3729] - Change S4434 to a security-hotspot

[SONARJAVA-3730] - Add an exception to rule S121 for early returns

[SONARJAVA-3733] - ReDoS: Don't call cubic and worse runtimes quadratic

[SONARJAVA-3735] - Upgrade ECJ to 3.25.0

False-Positive

[SONARJAVA-3570] - Relax Rule S5411 for boxed booleans if there is a null-checked before

[SONARJAVA-3603] - FP on S4276 when Function is using "compose" or "andThen" methods

[SONARJAVA-3625] - Possible FP in S5998 when using backreferences to large groups

[SONARJAVA-3631] - FP in S6001 parsing of multi-digit backreferences

[SONARJAVA-3635] - S2384 should not raise an issue when mutable members in temporary variable are not stored

[SONARJAVA-3669] - S2325 should not raise on empty methods

[SONARJAVA-3696] - S2755 should not raise when a xml document is build

[SONARJAVA-3706] - FP in S2384, S2386: support any unmodifiable and immutable methods

[SONARJAVA-3713] - FP in S5852 (ReDoS) involving possessive quantifiers

[SONARJAVA-3747] - FPs in S5852 when repetition overlaps with non-repetition part

False Negative

[SONARJAVA-2745] - FN on S2142: no issue raised when catching the generic Exception

[SONARJAVA-3639] - FN in S5994 when `*+` is followed by a repetition

[SONARJAVA-3640] - FN in S6002 for full matches and anchored patterns

[SONARJAVA-3641] - FN in S5998

[SONARJAVA-3653] - S5996 should raise issues even if the regex can match the empty string

[SONARJAVA-3710] - Include Eclipse’s NonNullByDefault annotation on nonNullFields check

Source code(tar.gz)
Source code(zip)
6.13.0.25138(Feb 22, 2021)
Release Notes - SonarJava - Version 6.13.0.25138

Bug

[SONARJAVA-3690] - Update SonarQube Api to be compatible with the latest SQ

New Feature

[SONARJAVA-2929] - Rule S2053: Hashes should include an unpredictable salt

[SONARJAVA-3462] - Rule S4036: Searching OS commands in PATH is security-sensitive

[SONARJAVA-3674] - Rule S5659: JWT should be signed and verified with strong cipher algorithms

[SONARJAVA-3675] - Rule S5332: Using clear-text protocols is security-sensitive

[SONARJAVA-3676] - Rule S5689: Disclosing fingerprints from web application technologies is security-sensitive

[SONARJAVA-3677] - Rule S5443: Using publicly writable directories is security-sensitive

[SONARJAVA-3679] - Rule S5693: Allowing requests with excessive content length is security-sensitive

[SONARJAVA-3681] - Rule S5247: Disabling auto-escaping in template engines is security-sensitive

Task

[SONARJAVA-3697] - Update rules metadata

[SONARJAVA-3699] - Deprecate rule S2653

[SONARJAVA-3700] - Deprecate rule S2089

Improvement

[SONARJAVA-3660] - S2077 update message for primary and secondary locations

[SONARJAVA-3663] - S2976 implementation moved to S5445

[SONARJAVA-3664] - S4738 reports usage of Guava "createTempDir"

[SONARJAVA-3686] - Deprecate rule S4834

[SONARJAVA-3692] - Extract Symbolic Execution Engine and Checks from "java-frontend" module

[SONARJAVA-3694] - Improve rule S1612 to replace instanceof lambda with method reference

[SONARJAVA-3698] - Extract Check Verifier from "java-frontend" module into testkit

False-Positive

[SONARJAVA-3278] - FP on S2115: JDBC connection string should not raise when password property is not used

[SONARJAVA-3532] - S5042 should focus on zipbomb attacks

[SONARJAVA-3648] - FP on S2384 (MutableMembersUsageCheck) for enum constructors

[SONARJAVA-3649] - FP on S1157 (CaseInsensitiveComparisonCheck) when only one side is upper or lower case

[SONARJAVA-3678] - FP in S5853 when map/flatMap is used

[SONARJAVA-3684] - S2755 should not raise an issue when DocumentBuilder EntityResolver is customized

[SONARJAVA-3685] - FP in S1125 when using null

[SONARJAVA-3687] - S5979 should not report on classes annotated with JUnit5's @Nested when the enclosing class properly initializes annotated objects

[SONARJAVA-3688] - FP on S5860(UnusedGroupNamesCheck) for name referenced by dollar curly braces

False Negative

[SONARJAVA-3469] - FN in S1219 when using blocks

[SONARJAVA-3683] - S4502 should raise when CSRF protection is disabled on specific routes

Source code(tar.gz)
Source code(zip)
6.12.0.24852(Feb 1, 2021)
Release Notes - SonarJava - Version 6.12.0.24852

Bug

[SONARJAVA-3487] - [Java 14 - Records preview feature] NPE when accessing recordComponent.owner()

[SONARJAVA-3488] - [Java 14 - Records preview feature] NPE when computing metrics of methods

[SONARJAVA-3489] - [Java 14 - Records preview feature] S1123 NPE when visiting records

[SONARJAVA-3490] - [Java 14 - Records preview feature] S1117 NPE when visiting records

New Feature

[SONARJAVA-2961] - Rule S4977: Type parameters should not shadow other type parameters

[SONARJAVA-3255] - Rule S5663: Simple string literal should be used for single line strings

[SONARJAVA-3256] - Rule S5664: Whitespace for text block indent should be consistent

[SONARJAVA-3257] - Rule S5665: Escape sequences should not be used in text blocks

[SONARJAVA-3505] - Upgrade to ECJ 3.24 to enable support of Java 15

[SONARJAVA-3606] - Rule S5979: Annotated Mockito objects should be initialized

[SONARJAVA-3658] - Add support of Java 15 Text Blocks with a new dedicated Kind: TEXT_BLOCK

[SONARJAVA-3670] - Rule S6126: String multiline concatenation can be replaced with a Text block

Task

[SONARJAVA-3680] - Update rules metadata

Improvement

[SONARJAVA-3114] - Message about missing bytecode dependencies should appear only when dependencies are actually missing

[SONARJAVA-3563] - Report 10 slowest analyzed files

[SONARJAVA-3657] - Improve S3986 to cover DateTimeFormatter

[SONARJAVA-3665] - Add support of Text Blocks in S2973 (Escaped unicode characters)

[SONARJAVA-3667] - Fix text block support in S2479

[SONARJAVA-3671] - Improve rule S1192 to Support Text blocks

[SONARJAVA-3672] - S1213 Check order of static and instance variables

False-Positive

[SONARJAVA-3659] - S2755 should not raise an issue when "EntityResolver" is customized

[SONARJAVA-3661] - FP on S2259 (Null Pointer Dereference) when using MapUtils from Apache Collections

[SONARJAVA-3662] - Improve rule S2142 to check methods called inside catch block

Source code(tar.gz)
Source code(zip)
6.11.0.24617(Jan 13, 2021)
Release Notes - SonarJava - Version 6.11.0.24617

Bug

[SONARJAVA-3609] - JAR files passed to sonar.java.libraries remain locked after the analysis on Windows

[SONARJAVA-3652] - SuppressWarnings Filter lose knowledge of filtered lines

New Feature

[SONARJAVA-3614] - Rule S6073: Mockito argument matchers should be used on all parameters

[SONARJAVA-3630] - Rule S6103: AssertJ assertions with "Consumer" arguments should contain assertion inside consumers

[SONARJAVA-3632] - Rule S6104: Map "computeIfAbsent()" should not be used to add "null" values.

[SONARJAVA-3637] - Introduce "sonar.java.jdkHome" to specify the JDK to be used by the analyzer to resolve JDK types

Task

[SONARJAVA-3644] - Update rule metadata

Improvement

[SONARJAVA-2154] - Reduce plugin size by removing guava dependency

[SONARJAVA-3581] - S1994: Add a message on the secondary location

[SONARJAVA-3582] - S2886: Add a message on the secondary location

[SONARJAVA-3583] - S3516: Add a message on the secondary location

[SONARJAVA-3584] - S1764: Add a message on secondary locations

[SONARJAVA-3585] - S2115: Add a message on secondary locations

[SONARJAVA-3589] - S2229: Add a message on secondary locations

[SONARJAVA-3590] - S3415: Add a message on secondary locations

[SONARJAVA-3591] - S2139: Add a message on secondary locations

[SONARJAVA-3592] - S1191: Add a message on secondary locations

[SONARJAVA-3593] - S3010: Add a message on secondary locations

[SONARJAVA-3594] - S135: Add a message on secondary locations

[SONARJAVA-3595] - S4288: Add a message on secondary locations

[SONARJAVA-3596] - S4276: Add a message on secondary locations

[SONARJAVA-3597] - S2786: Improve the primary message so that the secondary location becomes obvious

[SONARJAVA-3634] - Extend rule S1860 according to JEP 390: Warnings for Value-Based Classes

[SONARJAVA-3638] - Rule S2384: change rule type to Code-Smell

[SONARJAVA-3645] - Improve debug logs

[SONARJAVA-3651] - S4925: add support for DB2 JDBC Type 4 driver.

[SONARJAVA-3654] - Provide MongoDB Nullness annotations to the SE engine

[SONARJAVA-3655] - Update S6068 to cover latest mockito version

False-Positive

[SONARJAVA-3467] - FP on S1948 when using both field and setter/constructor injection

[SONARJAVA-3574] - S2755 FP when Factory is declared with lombok "val"

[SONARJAVA-3578] - FP in S2147 when the type of the Exception is needed inside the body.

[SONARJAVA-3620] - FP in S2384 when unmodifiable collection is returned from a non-final field

[SONARJAVA-3628] - FP in S5853 when assertions "flatExtracting" prevent the chaining

[SONARJAVA-3633] - FP in S4032 when there are several source directories

[SONARJAVA-3642] - FP in S1874 when parent constructor is deprecated but not used

[SONARJAVA-3647] - FP in S1481 when "for-each" variable nested in a lambda is actually used in the body

[SONARJAVA-3650] - FP in S2970 for nested class using JUnit 5 Soft assertions extension.

False Negative

[SONARJAVA-3555] - S4830 should support X509ExtendedTrustManager

[SONARJAVA-3575] - FN in S2095: support Apache commons IOUtils methods not closing the stream

[SONARJAVA-3626] - FN Rule S3824: Apply the same SymbolicValue for static constants or enum constants when used as MemberSelect

Source code(tar.gz)
Source code(zip)
6.10.0.24201(Dec 7, 2020)
Release Notes - SonarJava - Version 6.10.0.24201

Bug

[SONARJAVA-3056] - Classes for the analysis are loaded with parent first strategy

[SONARJAVA-3602] - JavaCheckVerifier does not support consistent behavior when having multiple issues reported on the same line

New Feature

[SONARJAVA-3550] - Rule S5994: Regex patterns following a possessive quantifier should not always fail

[SONARJAVA-3552] - Rule S5996: Regex boundaries should not be used in a way that can never match

[SONARJAVA-3554] - Rule S5998: Regular expressions should not overflow the stack

[SONARJAVA-3557] - Rule S6001: Back references in regular expressions should only refer to capturing groups that are matched before the reference

[SONARJAVA-3560] - Rule S6002: Regex lookahead assertions should not be contradictory

[SONARJAVA-3566] - Rule S5855: Regex alternatives should not be redundant

[SONARJAVA-3567] - Rule S6019: Reluctant quantifiers in regular expressions should be followed by an expression that can't match the empty string

[SONARJAVA-3572] - Rule S6035: Single-character alternations in regular expressions should be replaced with character classes

[SONARJAVA-3608] - Rule S6068: Call to Mockito method "verify", "when" or "given" should be simplified

[SONARJAVA-3610] - Rule S6070: The regex escape sequence \cX should only be used with characters in the @-_ range

Task

[SONARJAVA-3544] - Fix the regression on issue filtering by reverting SONARJAVA-3241 before SQ 8.x LTS

[SONARJAVA-3549] - Add support for automata-based analyses for regular expressions

[SONARJAVA-3551] - Implement helper to find whether state in regex automaton is reachable without consuming input

[SONARJAVA-3564] - Implement intersects and supersetOf helper for regex automata

[SONARJAVA-3600] - Remove (re)declaration of fail fast property.

[SONARJAVA-3622] - Drop unused Symbolic Execution debugging rules

[SONARJAVA-3627] - Update rules metadata

Improvement

[SONARJAVA-3546] - Issue message of S5961 should contains the number of actual assertions

[SONARJAVA-3547] - Improve rule S1612 to replace casts with method reference

[SONARJAVA-3548] - Improve rule S5838 to handle maps and longs

[SONARJAVA-3553] - S5778 and S5783: Improve primary and secondary issue message

[SONARJAVA-3559] - Do not report issues of S1130 on Runtime Exceptions

[SONARJAVA-3561] - AbstractRegexCheck should target more regex providers

[SONARJAVA-3562] - Improve Regex rules to consider more string literals as Pattern

[SONARJAVA-3569] - Improve issue locations of S5869

[SONARJAVA-3587] - Typo in message of S3457

[SONARJAVA-3588] - Java Analyzer should be able to parse Jigsaw module-info.java files even when misconfigured

[SONARJAVA-3616] - Make S2699 support RestAssured 2.x as well (and not only 3.x & 4.x)

[SONARJAVA-3623] - Update rule S5803 to support all annotations named @VisibleForTesting

False-Positive

[SONARJAVA-3470] - Add more exceptions to S107

[SONARJAVA-3545] - Rule S4973 shouldn't report an issue if "==" is used to compare Boolean constants

[SONARJAVA-3565] - FP on S1948 when using SpringBean from Apache Wicket

[SONARJAVA-3571] - FP on S1948 when collection implements Serializable

[SONARJAVA-3577] - FP in S3457 when slf4j log arguments contains a concatenation and a single Throwable

[SONARJAVA-3579] - FP in S1170 when class is annotated with @lombok.Builder and field with @Default

[SONARJAVA-3580] - FP in S2390: do not report an issue on static class nested in the parent.

[SONARJAVA-3586] - Support Nullable annotation from reactor-core

[SONARJAVA-3598] - FP in S2973 when symbol is in lowercase

[SONARJAVA-3599] - FP in S2226 for non final Servlet fields initialized in init() method without parameters

[SONARJAVA-3605] - FP in S3305 when field has an initializer

[SONARJAVA-3612] - FP in S1185 when class is annotated "@Transactional"

[SONARJAVA-3613] - FP in S1193 when the catch block contains more code

[SONARJAVA-3615] - FP in S1905 when casted argument is a method reference to a varargs.

[SONARJAVA-3617] - S1170 should not raise an issue when the initializer contains "this" or "super"

[SONARJAVA-3618] - FP on S3438 when "value" is set inside the property tag

[SONARJAVA-3619] - FP S2589 when Boolean variable doesn't always evaluate to TRUE/FALSE

[SONARJAVA-3621] - Union of Unknown types should be Unknown

False Negative

[SONARJAVA-3130] - S3824: raise issue when "containsKey" is used

[SONARJAVA-3482] - Support character classes as operand to reluctant quantifier in rule S5857

[SONARJAVA-3483] - FN in S5869 with escaped character classes

Source code(tar.gz)
Source code(zip)
6.9.0.23563(Oct 5, 2020)
Release Notes - SonarJava - Version 6.9.0.23563

Bug

[SONARJAVA-3285] - Java 13/14 preview feature "Text Block" produce highlighting IllegalArgumentException

[SONARJAVA-3541] - NPE in Symbolic Execution engine when dealing with java 14 switch expressions without default

New Feature

[SONARJAVA-3374] - Rule S5804 allowing user enumeration is security-sensitive

[SONARJAVA-3396] - Rule S5808 Authorizations should be based on strong decisions

[SONARJAVA-3411] - Rule S5876 A new session should be created during user authentication

[SONARJAVA-3542] - RSPEC-5993 Constructors of an "abstract" class should not be declared "public"

Task

[SONARJAVA-3543] - Update rules metadata

Improvement

[SONARJAVA-3376] - Rule S3752: from Vulnerability to Security Hotspot and small improvements on the detection algorithm

[SONARJAVA-3414] - Rule S4790: its content should be replaced by S2070

[SONARJAVA-3472] - Document wildcards pattern in rule's parameters (S110, S1176)

[SONARJAVA-3478] - S2201: Support common Collection and Map methods

[SONARJAVA-3525] - S2333 supports redundant modifiers on nested interfaces and classes

[SONARJAVA-3536] - Consistently support Nullable/CheckForNull/Nonnull annotations in rules

[SONARJAVA-3539] - FP in S5845 when BigDecimal and BigInteger are compared with string

False-Positive

[SONARJAVA-3468] - FP on S1905 when casted argument is an ambiguous method reference.

[SONARJAVA-3479] - FP in S2184 when return is in another scope

[SONARJAVA-3535] - Rule S3749 should not raise when the singleton has @ConfigurationProperties annotation

[SONARJAVA-3540] - FP in S2175 when a primitive is auto-boxed into a subtype of Number.

False Negative

[SONARJAVA-3388] - Rule S2070 should support "org.springframework.util.DigestUtils"

[SONARJAVA-3538] - S5853 does not handle custom assertions

Source code(tar.gz)
Source code(zip)
6.8.0.23379(Sep 23, 2020)
Release Notes - SonarJava - Version 6.8

New Feature

[SONARJAVA-3372] - Rule S5803: Class members annotated with @VisibleForTesting should not be accessed from production code

[SONARJAVA-3509] - Rule S5958: AssertJ "assertThatThrownBy" should not be used alone

[SONARJAVA-3511] - Rule S5961: Test methods should not contain too many assertions

[SONARJAVA-3514] - Rule S5967: Tests method should not be annotated with competing annotations

[SONARJAVA-3515] - Rule S5960: Assertions should not be used in production code

[SONARJAVA-3516] - Rule S5969: Mocking all non-private methods of a class should be avoided

[SONARJAVA-3517] - Rule S5970: Spring's ModelAndViewAssert assertions should be used instead of other assertions

[SONARJAVA-3522] - Rule S3414: Tests should be kept in a dedicated source directory

[SONARJAVA-3524] - Rule S5973: Tests should be stable

[SONARJAVA-3526] - Rule S5976: Similar tests should be grouped in a single Parameterized test

[SONARJAVA-3527] - Rule S5977: Tests should use fixed data instead of randomized data

Task

[SONARJAVA-3036] - Update to common-xml-parser version 1.12

[SONARJAVA-3520] - Add S3577: "Test classes should comply with a naming convention" in Sonar way

[SONARJAVA-3533] - Update rules metadata

Improvement

[SONARJAVA-3476] - Improve issue location for S5843

[SONARJAVA-3481] - Add missing escape sequences to regex parser

[SONARJAVA-3485] - Change issue type of S899 to Bug

[SONARJAVA-3492] - S1215 should detect "System.runFinalization()" the same way it detects System.gc()

[SONARJAVA-3500] - Support latest version of Play framework in S3330 and S2092

[SONARJAVA-3513] - Improve S5810 to support static and test methods with return values

[SONARJAVA-3518] - S125: reports issue on whole commented block

[SONARJAVA-3521] - SuppressWarnings Filter should remove issue of S3740 when "rawTypes" is used

[SONARJAVA-3523] - Extend S3415 (Arguments order) to support TestNG assertions

[SONARJAVA-3531] - S2187 should consider methods annotated with "@State" from Pact framework as test methods

False-Positive

[SONARJAVA-3477] - S1214 should report only when an interface contains only constants

[SONARJAVA-3498] - FP in S1193 for instance of non-throwable types

[SONARJAVA-3504] - FP on S1948 for fields having non-serializable interface as type but serializable type as initializer

[SONARJAVA-3506] - FP in S2275 when second argument of String.format is an array

[SONARJAVA-3507] - FP in S3012 when copying array of primitives types to a Collection

[SONARJAVA-3519] - FP on S3878 when the argument before the vararg is also an array

[SONARJAVA-3528] - FP on S5778 when calling mockito methods

[SONARJAVA-3530] - FP on S3577 when test class ends with "Tests" or is an abstract class

[SONARJAVA-3534] - FP S3077(VolatileNonPrimitiveFieldCheck) should consider enum as immutable

False Negative

[SONARJAVA-3491] - FN S2789 (NullShouldNotBeUsedWithOptionalCheck) on null assignment

[SONARJAVA-3501] - FN on Unused Imports when using Lombok

Source code(tar.gz)
Source code(zip)
6.7.0.23054(Aug 31, 2020)
Release Notes - SonarJava - Version 6.7

Bug

[SONARJAVA-3244] - S3065: ClassCastException with implicit type casting

[SONARJAVA-3311] - SE should correctly handle new class in catch

[SONARJAVA-3381] - Performance Issue when computing the flow of an expression

Task

[SONARJAVA-3510] - Update rules metadata

[SONARJAVA-3512] - Deprecate S4784 in favor of S5852

Improvement

[SONARJAVA-3026] - S3518 Division by zero on floats and double should not mention ArithmeticException

[SONARJAVA-3069] - Adapt SE engine to Switch Expressions

[SONARJAVA-3345] - S3518 (division by zero) should handle BigDecimal and BigInteger

[SONARJAVA-3484] - Change issue type of S2039 and S2386 to Code Smell

[SONARJAVA-3493] - Remove ASM dependency

[SONARJAVA-3494] - Rework S2095 (UnclosedResourceCheck) to remove calls to parent() method

False-Positive

[SONARJAVA-2060] - FP in S2095 : java.sql.Statement will implicitly close created ResultSets

[SONARJAVA-3043] - S3655 should not raise an issue when a method doing nothing is called between "isPresent" and "get()"

[SONARJAVA-3157] - FP on Rule S2637 - issue raised on non-initialized fields

[SONARJAVA-3186] - SE based rules should not raise when exiting on exception with unknown type

[SONARJAVA-3187] - S2259 FP on null when called Class.isInstance

[SONARJAVA-3235] - FP on S3655 when the Optional is a class instance field

[SONARJAVA-3238] - FP on S1948 when class has multiple bounds in parameter type

[SONARJAVA-3242] - S5164, S1640: FP when variable is called with qualified name

[SONARJAVA-3451] - FP in S2095: sessions, producers, and consumers of a closed connection with JMS 2.0.

[SONARJAVA-3466] - FP S5845(AssertionTypesCheck) AssertJ is able to compare date/time and string

[SONARJAVA-3495] - FP in S2159 when type compared is Unknown

[SONARJAVA-3499] - FP on S3749 when using javax.persistence.PersistenceContext

[SONARJAVA-3508] - FP on S4449 when using Preconditions.checkNotNull(arg) with a @Nullable argument

False Negative

[SONARJAVA-2129] - FN on S2095: java.util.Properties.load(InputStream) should not close the stream passed as parameter

[SONARJAVA-3447] - FN on S2259 when a method is annotated with spring's annotation @Nullable

[SONARJAVA-3503] - FN on S3052 when the initializer is a cast expression

Source code(tar.gz)
Source code(zip)
6.6.0.22815(Jul 20, 2020)
Release Notes - SonarJava - Version 6.6

Bug

[SONARJAVA-3382] - Computing method behavior for Java 14 methods fails

[SONARJAVA-3448] - IndexOutOfBoundsException on S5863 when "containsX" is called without argument.

[SONARJAVA-3452] - Analysis fails when transpiling JSP with jar stripped of code

[SONARJAVA-3453] - JSP files shouldn't be analyzed for SQ < 8.3

New Feature

[SONARJAVA-3286] - Support Java 14

[SONARJAVA-3404] - Rule S5852: Using slow regular expressions is security-sensitive

[SONARJAVA-3412] - Rule S5840: Regex patterns and their sub-patterns should not always fail

[SONARJAVA-3413] - Rule S5842: Regex repetition pattern's body should not match the empty String

[SONARJAVA-3415] - Rule S5843: Regular expressions should not be too complicated

[SONARJAVA-3416] - Rule S5846: Empty lines should not be tested with regex MULTILINE flag

[SONARJAVA-3417] - Rule S5850: Alternatives in regular expressions should be grouped when used with anchors

[SONARJAVA-3419] - Rule S5854: Regex containing characters subjects to normalization should use the CANON_EQ flag

[SONARJAVA-3420] - Rule S5856: Regular expressions should be syntactically valid

[SONARJAVA-3421] - Rule S5857: Regular expressions character classes should be preferred over non-greedy quantifiers

[SONARJAVA-3422] - Rule S5860: Names of regular expressions named groups should be used

[SONARJAVA-3423] - Rule S5866: Case insensitive Unicode regular expressions should enable the “UNICODE_CASE” flag

[SONARJAVA-3424] - Rule S5867: Unicode-aware versions of character classes should be preferred

[SONARJAVA-3425] - Create a dedicated regex parser to allow implementation of java rules targeting regex

[SONARJAVA-3426] - Rule S5868: Unicode Grapheme Clusters should be avoided inside regex character classes

[SONARJAVA-3427] - Rule S5869: Character classes in regular expressions should not contain the same character twice

Task

[SONARJAVA-3464] - Update rules metadata

Improvement

[SONARJAVA-2163] - S2187 support detecting of test class without tests for classes matched by maven-surefire and gradle

[SONARJAVA-3049] - Resolve semantic for switch expression

[SONARJAVA-3270] - Update ASM to 8.0.1 for Java 14 support

[SONARJAVA-3332] - Upgrade ECJ to 3.22.0 for Java 14 support

[SONARJAVA-3434] - S5542: add a secondary location to the insecure cypher declaration

[SONARJAVA-3460] - S3457, S2275: Rework printf-style format rules

False-Positive

[SONARJAVA-3237] - S1142 should be ignored in equals methods

[SONARJAVA-3254] - S3398 Should not suggest to move static method to non-static inner

[SONARJAVA-3304] - FP in S2201: support new switch expression

[SONARJAVA-3368] - FP in S4276: interfaces with generic wildcard types can't be specialized

[SONARJAVA-3369] - FP S1228 (PackageInfoCheck) when there are several source directories

[SONARJAVA-3370] - FP S5411 (BoxedBooleanExpressionsCheck) on method invocation having @NotNull

[SONARJAVA-3377] - Avoid FP for Google AutoValue classes

[SONARJAVA-3379] - FP in S4248 for Pattern in a class annotated with Lombok @UtilityClass

[SONARJAVA-3418] - S2275: FP when passing a Throwable as last argument

[SONARJAVA-3437] - FP in S2325 due to Lombok "@UtilityClass"

[SONARJAVA-3449] - FP on S2141 when equals() without default implementation is defined in an interface

[SONARJAVA-3450] - FP on S3973 on valid generated equals methods from IntelliJ

[SONARJAVA-3454] - FP in S2970 when "assertThatThrownBy" is used alone

[SONARJAVA-3456] - Don't raise S2160 when extending class overriding equals using an abstract definition

[SONARJAVA-3461] - FP in S5838: simplification with "isEqualTo" can not always be made on Object assertions

[SONARJAVA-3465] - FPs and FNs related to quoting characters in regular expressions

False Negative

[SONARJAVA-3400] - FN in S2885(StaticMultithreadedUnsafeFieldsCheck) for DateFormat.getDateInstance()

[SONARJAVA-3403] - FN in S4970: support unrelated Exception

[SONARJAVA-3440] - FN in S1194: Support extending sub-classes of Error

[SONARJAVA-3455] - FN in S2111 for boxed Double and Float

[SONARJAVA-3457] - FN in S5361 when using backslashes

[SONARJAVA-3459] - FN on S1128 (UselessImportCheck) when comments contain the class name within a word

Source code(tar.gz)
Source code(zip)
6.3.2.22818(Jul 20, 2020)

Source code(tar.gz)
Source code(zip)

:coffee: SonarSource Static Analyzer for Java Code Quality and Security

Related tags

Overview

Code Quality and Security for Java

Features

Useful links

Have question or feedback?

Contributing

Topic in SonarQube Community Forum

Pull Request (PR)

Custom Rules

Work with us

Testing

Build the Project and Run Unit Tests

Integration Tests

Sanity Test

Plugin Test

Ruling Test

License

Comments

Releases(7.15.0.30507)

7.15.0.30507(Nov 1, 2022)

Release notes - SonarJava - Version 7.15

Bug

Documentation

False Negative

False-Positive

Improvement

New Feature

Task

7.14.0.30229(Sep 30, 2022)

Release notes - SonarJava - Version 7.14

False-Positive

Improvement

New Feature

Task

7.13.0.29990(Jul 4, 2022)

New Feature

Task

Improvement

7.12.1.29810(Jun 16, 2022)

Bug

False-Positive

7.12.0.29739(May 16, 2022)

Bug

New Feature

Task

Improvement

False-Positive

False Negative

7.11.0.29148(Mar 30, 2022)

Task

7.10.0.29108(Mar 25, 2022)

Bug

New Feature

Task

Improvement

False-Positive

7.9.0.28969(Mar 7, 2022)

New Feature

Task

Improvement

False-Positive

7.8.1.28740(Feb 7, 2022)

Bug

Improvement

False-Positive

7.8.0.28662(Jan 28, 2022)

Bug

Task

Improvement

False-Positive

7.7.0.28547(Jan 18, 2022)

Bug

New Feature

Task

Improvement

False-Positive

Documentation

False Negative