SonarSource/sonar-java 6.13.0.25138

on GitHub

    Release Notes - SonarJava - Version 6.13.0.25138

Bug

• [SONARJAVA-3690] - Update SonarQube Api to be compatible with the latest SQ

New Feature

• [SONARJAVA-2929] - Rule S2053: Hashes should include an unpredictable salt
• [SONARJAVA-3462] - Rule S4036: Searching OS commands in PATH is security-sensitive
• [SONARJAVA-3674] - Rule S5659: JWT should be signed and verified with strong cipher algorithms
• [SONARJAVA-3675] - Rule S5332: Using clear-text protocols is security-sensitive
• [SONARJAVA-3676] - Rule S5689: Disclosing fingerprints from web application technologies is security-sensitive
• [SONARJAVA-3677] - Rule S5443: Using publicly writable directories is security-sensitive
• [SONARJAVA-3679] - Rule S5693: Allowing requests with excessive content length is security-sensitive
• [SONARJAVA-3681] - Rule S5247: Disabling auto-escaping in template engines is security-sensitive

Task

• [SONARJAVA-3697] - Update rules metadata
• [SONARJAVA-3699] - Deprecate rule S2653
• [SONARJAVA-3700] - Deprecate rule S2089

Improvement

• [SONARJAVA-3660] - S2077 update message for primary and secondary locations
• [SONARJAVA-3663] - S2976 implementation moved to S5445
• [SONARJAVA-3664] - S4738 reports usage of Guava "createTempDir"
• [SONARJAVA-3686] - Deprecate rule S4834
• [SONARJAVA-3692] - Extract Symbolic Execution Engine and Checks from "java-frontend" module
• [SONARJAVA-3694] - Improve rule S1612 to replace instanceof lambda with method reference
• [SONARJAVA-3698] - Extract Check Verifier from "java-frontend" module into testkit

False-Positive

• [SONARJAVA-3278] - FP on S2115: JDBC connection string should not raise when password property is not used
• [SONARJAVA-3532] - S5042 should focus on zipbomb attacks
• [SONARJAVA-3648] - FP on S2384 (MutableMembersUsageCheck) for enum constructors
• [SONARJAVA-3649] - FP on S1157 (CaseInsensitiveComparisonCheck) when only one side is upper or lower case
• [SONARJAVA-3678] - FP in S5853 when map/flatMap is used
• [SONARJAVA-3684] - S2755 should not raise an issue when DocumentBuilder EntityResolver is customized
• [SONARJAVA-3685] - FP in S1125 when using null
• [SONARJAVA-3687] - S5979 should not report on classes annotated with JUnit5's @nested when the enclosing class properly initializes annotated objects
• [SONARJAVA-3688] - FP on S5860(UnusedGroupNamesCheck) for name referenced by dollar curly braces

False Negative

• [SONARJAVA-3469] - FN in S1219 when using blocks
• [SONARJAVA-3683] - S4502 should raise when CSRF protection is disabled on specific routes