github spotbugs/spotbugs 4.8.4
SpotBugs 4.8.4


CHANGELOG

Fixed

  • Fix false positive in SE_PREVENT_EXT_OBJ_OVERWRITE when the if statement checks for a null value, checks multiple variables, or the method exits in the if branch with an exception. (#2750)
  • Fix possible null value in taxonomies of SARIF output (#2744)
  • Fix executionSuccessful flag in SARIF report being set to false when bugs were found (#2116)
  • Move information contained in the SARIF property exitSignalName to exitCodeDescription (#2739)
  • Do not report SE_NO_SERIALVERSIONID or other serialization issues for records (#2793)
  • Added support for CONSTANT_Dynamic (#2759)
  • Ignore generic variable types when looking for BC_UNCONFIRMED_CAST_OF_RETURN_VALUE (#1219)
  • Do not report BC_UNCONFIRMED_CAST for Java 21's type switches (#2813)
  • Remove AppleExtension library (note: menus slightly changed) (#2823)
  • Fix false positive NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE even if Objects.requireNonNull is used. (#651, #456)
  • Fixed error preventing SpotBugs from reporting FE_FLOATING_POINT_EQUALITY (#2843)
  • Fixed NP_LOAD_OF_KNOWN_NULL_VALUE and RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE false positives in try-with-resources generated finally blocks (#2844)
  • Do not report DLS_DEAD_LOCAL_STORE for Java 21's type switches (#2828)
  • Update UnreadFields detector to ignore warnings for fields with certain annotations (#574)
  • Do not report UWF_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for fields initialized in method annotated with @PostConstruct, @BeforeEach, etc. (#2872 #2870 #453)
  • Do not report DLS_DEAD_LOCAL_STORE for Hibernate bytecode enhancements (#2865)
  • Fixed NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE false positives due to source code formatting (#2874)
  • Added more nullability annotations in TypeQualifierResolver (#2558 #2694)
  • Improved the bug description for VA_FORMAT_STRING_USES_NEWLINE when using text blocks, check the usage of String.formatted() (#2881)
  • Fixed crash in ValueRangeAnalysisFactory when looking for redundant conditions used in assertions (#2887)
  • Revert again commons-text from 1.11.0 to 1.10.0 to resolve a version conflict (#2686)
  • Fixed false positive MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR when referencing but not calling an overridable method (#2837)
  • Update the filter XSD namespace and location for the upcoming 4.8.4 release (#2909)

Added

  • New detector MultipleInstantiationsOfSingletons and introduced new bug types:
    • SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR is reported in case of a non-private constructor,
    • SING_SINGLETON_IMPLEMENTS_CLONEABLE is reported in case of a class directly implementing the Cloneable interface,
    • SING_SINGLETON_INDIRECTLY_IMPLEMENTS_CLONEABLE is reported when a class indirectly implements the Cloneable interface,
    • SING_SINGLETON_IMPLEMENTS_CLONE_METHOD is reported when a class does not implement the Cloneable interface, but has a clone() method,
    • SING_SINGLETON_IMPLEMENTS_SERIALIZABLE is reported when a class directly or indirectly implements the Serializable interface and
    • SING_SINGLETON_GETTER_NOT_SYNCHRONIZED is reported when the instance-getter method of the singleton class is not synchronized.
      (See SEI CERT MSC07-J)
  • Extend FindOverridableMethodCall detector with new bug type: MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT. It is reported when an overridable method is called from readObject(), according to SEI CERT rule SER09-J ("Do not invoke overridable methods from the readObject() method").
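
The patterns behind the new SING_* bug types and MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT, shown side by side with a hardened singleton. This is an added example, not code from the SpotBugs project; every class and method name in it is hypothetical, and it illustrates the coding patterns only, not the detectors' exact matching logic.

```java
import java.io.*;

public class SerializationPitfalls {
    // Weak singleton: non-private constructor, unsynchronized getter, Serializable.
    static class WeakRegistry implements Serializable {
        private static WeakRegistry instance;
        protected WeakRegistry() { }
        public static WeakRegistry getInstance() {
            if (instance == null) instance = new WeakRegistry();
            return instance;
        }
    }

    // Hardened singleton: private constructor, synchronized getter, not Serializable.
    static final class Registry {
        private static Registry instance;
        private Registry() { }
        public static synchronized Registry getInstance() {
            if (instance == null) instance = new Registry();
            return instance;
        }
    }

    // readObject() calls an overridable method; making audit() private or final removes the pattern.
    static class Account implements Serializable {
        protected void audit() { }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            audit();
        }
    }

    // The override runs inside Account.readObject(), before this subclass's fields are restored.
    static class TracingAccount extends Account {
        static String tagSeenDuringRead;
        private String tag;
        TracingAccount(String tag) { this.tag = tag; }
        @Override protected void audit() { tagSeenDuringRead = String.valueOf(tag); }
    }

    // Serializes obj to memory and reads it back as a new object graph.
    static Object roundTrip(Object obj) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(obj); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        WeakRegistry a = WeakRegistry.getInstance();
        System.out.println("deserialized singleton is same object: " + (a == roundTrip(a)));
        System.out.println("hardened getter is stable: " + (Registry.getInstance() == Registry.getInstance()));
        roundTrip(new TracingAccount("trace"));
        System.out.println("tag seen by override during readObject: " + TracingAccount.tagSeenDuringRead);
    }
}
```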

Changed

  • Minor cleanup in connection with slashed and dotted names (#2805)

Build

  • Fix sonar coverage for project (#2796)
  • Upgraded the build to compile bug samples using Java 21 language features (#2813)
  • Add 'configurations.checkstyle resolution strategy' to control a bug in Gradle where exclusions are not excluded properly, as seen in checkstyle usage. See checkstyle/checkstyle#14211 for more information. (#2798)
  • Allow our builds to work with JDK 11 by dropping back Eclipse to 4.24 and Spring to 5.3.31. (#2604)

CHECKSUM

file checksum (sha256)
