github SonarSource/sonar-java 6.13.0.25138

3 years ago
Release Notes - SonarJava - Version 6.13.0.25138

Bug

  • [SONARJAVA-3690] - Update SonarQube Api to be compatible with the latest SQ

New Feature

  • [SONARJAVA-2929] - Rule S2053: Hashes should include an unpredictable salt
  • [SONARJAVA-3462] - Rule S4036: Searching OS commands in PATH is security-sensitive
  • [SONARJAVA-3674] - Rule S5659: JWT should be signed and verified with strong cipher algorithms
  • [SONARJAVA-3675] - Rule S5332: Using clear-text protocols is security-sensitive
  • [SONARJAVA-3676] - Rule S5689: Disclosing fingerprints from web application technologies is security-sensitive
  • [SONARJAVA-3677] - Rule S5443: Using publicly writable directories is security-sensitive
  • [SONARJAVA-3679] - Rule S5693: Allowing requests with excessive content length is security-sensitive
  • [SONARJAVA-3681] - Rule S5247: Disabling auto-escaping in template engines is security-sensitive

Task

Improvement

  • [SONARJAVA-3660] - S2077 update message for primary and secondary locations
  • [SONARJAVA-3663] - S2976 implementation moved to S5445
  • [SONARJAVA-3664] - S4738 reports usage of Guava "createTempDir"
  • [SONARJAVA-3686] - Deprecate rule S4834
  • [SONARJAVA-3692] - Extract Symbolic Execution Engine and Checks from "java-frontend" module
  • [SONARJAVA-3694] - Improve rule S1612 to replace instanceof lambda with method reference
  • [SONARJAVA-3698] - Extract Check Verifier from "java-frontend" module into testkit

False-Positive

  • [SONARJAVA-3278] - FP on S2115: JDBC connection string should not raise when password property is not used
  • [SONARJAVA-3532] - S5042 should focus on zip bomb attacks
  • [SONARJAVA-3648] - FP on S2384 (MutableMembersUsageCheck) for enum constructors
  • [SONARJAVA-3649] - FP on S1157 (CaseInsensitiveComparisonCheck) when only one side is upper or lower case
  • [SONARJAVA-3678] - FP in S5853 when map/flatMap is used
  • [SONARJAVA-3684] - S2755 should not raise an issue when DocumentBuilder EntityResolver is customized
  • [SONARJAVA-3685] - FP in S1125 when using null
  • [SONARJAVA-3687] - S5979 should not report on classes annotated with JUnit5's @Nested when the enclosing class properly initializes annotated objects
  • [SONARJAVA-3688] - FP on S5860 (UnusedGroupNamesCheck) for name referenced by dollar curly braces

False Negative

  • [SONARJAVA-3469] - FN in S1219 when using blocks
  • [SONARJAVA-3683] - S4502 should raise when CSRF protection is disabled on specific routes
