Release Notes - SonarJava - Version 6.13.0.25138
Bug
- [SONARJAVA-3690] - Update SonarQube API to be compatible with the latest SQ
New Feature
- [SONARJAVA-2929] - Rule S2053: Hashes should include an unpredictable salt
- [SONARJAVA-3462] - Rule S4036: Searching OS commands in PATH is security-sensitive
- [SONARJAVA-3674] - Rule S5659: JWT should be signed and verified with strong cipher algorithms
- [SONARJAVA-3675] - Rule S5332: Using clear-text protocols is security-sensitive
- [SONARJAVA-3676] - Rule S5689: Disclosing fingerprints from web application technologies is security-sensitive
- [SONARJAVA-3677] - Rule S5443: Using publicly writable directories is security-sensitive
- [SONARJAVA-3679] - Rule S5693: Allowing requests with excessive content length is security-sensitive
- [SONARJAVA-3681] - Rule S5247: Disabling auto-escaping in template engines is security-sensitive
Task
- [SONARJAVA-3697] - Update rules metadata
- [SONARJAVA-3699] - Deprecate rule S2653
- [SONARJAVA-3700] - Deprecate rule S2089
Improvement
- [SONARJAVA-3660] - S2077 update message for primary and secondary locations
- [SONARJAVA-3663] - S2976 implementation moved to S5445
- [SONARJAVA-3664] - S4738 reports usage of Guava "createTempDir"
- [SONARJAVA-3686] - Deprecate rule S4834
- [SONARJAVA-3692] - Extract Symbolic Execution Engine and Checks from "java-frontend" module
- [SONARJAVA-3694] - Improve rule S1612 to replace instanceof lambda with method reference
- [SONARJAVA-3698] - Extract Check Verifier from "java-frontend" module into testkit
False-Positive
- [SONARJAVA-3278] - FP on S2115: JDBC connection string should not raise when password property is not used
- [SONARJAVA-3532] - S5042 should focus on zip bomb attacks
- [SONARJAVA-3648] - FP on S2384 (MutableMembersUsageCheck) for enum constructors
- [SONARJAVA-3649] - FP on S1157 (CaseInsensitiveComparisonCheck) when only one side is upper or lower case
- [SONARJAVA-3678] - FP in S5853 when map/flatMap is used
- [SONARJAVA-3684] - S2755 should not raise an issue when DocumentBuilder EntityResolver is customized
- [SONARJAVA-3685] - FP in S1125 when using null
- [SONARJAVA-3687] - S5979 should not report on classes annotated with JUnit5's @Nested when the enclosing class properly initializes annotated objects
- [SONARJAVA-3688] - FP on S5860 (UnusedGroupNamesCheck) for name referenced by dollar curly braces
False Negative
- [SONARJAVA-3469] - FN in S1219 when using blocks
- [SONARJAVA-3683] - S4502 should raise when CSRF protection is disabled on specific routes