spotbugs/spotbugs (com.github.spotbugs:spotbugs)
### [`v4.7.3`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#473---2022-10-15)
[Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.7.2...4.7.3)
##### Fixed
- Fixed detector `DontUseFloatsAsLoopCounters` to prevent false positives. ([#2126](https://togithub.com/spotbugs/spotbugs/issues/2126))
- Fixed regression in `4.7.2` caused by [#2141](https://togithub.com/spotbugs/spotbugs/pull/2141):
  - Improve compatibility with later versions of the JDK (>= 13). ([#2188](https://togithub.com/spotbugs/spotbugs/issues/2188))
- Fixed detector `UncallableMethodOfAnonymousClass` to not report unused methods of method-local enumerations and records ([#2120](https://togithub.com/spotbugs/spotbugs/issues/2120))
- Fixed detector `FindSqlInjection` to detect bug `SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE SQL` with high priority in case of unsafe appends also in Java 11 and above ([#2183](https://togithub.com/spotbugs/spotbugs/issues/2183))
- Fixed detector `StringConcatenation` to detect bug `SBSC_USE_STRINGBUFFER_CONCATENATION` also in Java 11 and above ([#2182](https://togithub.com/spotbugs/spotbugs/issues/2182))
- Fixed `OpcodeStackDetector` to handle propagation of taints properly in case of string concatenation in Java 9 and above ([#2195](https://togithub.com/spotbugs/spotbugs/issues/2195))
- Bump up log4j2 binding to `2.19.0`
- Bump ObjectWeb ASM from 9.3 to 9.4 supporting JDK 20 ([#2200](https://togithub.com/spotbugs/spotbugs/pull/2200))
- Bump up commons-text to 1.10.0 ([#2197](https://togithub.com/spotbugs/spotbugs/pull/2197))
- Fixed debug detector `ViewCFG` to generate file names that are also valid on Windows ([#2209](https://togithub.com/spotbugs/spotbugs/issues/2209))
### [`v4.7.2`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#472---2022-09-02)
[Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.7.1...4.7.2)
##### Fixed
- Bumped gson from 2.9.0 to 2.9.1 ([#2136](https://togithub.com/spotbugs/spotbugs/pull/2136))
- Bump up SLF4J API to `2.0.0`
- Bump up logback to `1.4.0`
- Bump up log4j2 binding to `2.18.0`
- Bump up Saxon-HE to `11.4` ([#2160](https://togithub.com/spotbugs/spotbugs/pull/2160))
- Fixed InvalidInputException in Eclipse while bug reporting ([#2134](https://togithub.com/spotbugs/spotbugs/issues/2134))
- Bug `SA_FIELD_SELF_ASSIGNMENT` is now reported from nested classes as well ([#2142](https://togithub.com/spotbugs/spotbugs/issues/2142))
- Avoid warning on use of security manager on Java 17 and newer. ([#1579](https://togithub.com/spotbugs/spotbugs/issues/1579))
- Fixed false positives `EI_EXPOSE_REP` thrown in case of fields initialized by the `of` or `copyOf` method of a `List`, `Map` or `Set` ([#1771](https://togithub.com/spotbugs/spotbugs/issues/1771))
- Fixed CFGBuilderException thrown when `dup_x2` is used to swap the reference and wide-value (double, long) in the stack ([#2146](https://togithub.com/spotbugs/spotbugs/pull/2146))
### [`v4.7.1`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#471---2022-06-26)
[Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.7.0...4.7.1)
##### Fixed
- Fixed False positives for `RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE` on try-with-resources with interface references ([#1931](https://togithub.com/spotbugs/spotbugs/issues/1931))
- Fixed NullPointerException thrown by detector `FindPotentialSecurityCheckBasedOnUntrustedSource` on Kotlin files. ([#2041](https://togithub.com/spotbugs/spotbugs/issues/2041))
- Disabled detector `ThrowingExceptions` by default to avoid many false positives ([#2040](https://togithub.com/spotbugs/spotbugs/issues/2040))
- Fixed False positives for `THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION` and `THROWS_METHOD_THROWS_CLAUSE_THROWABLE` on evaluating synthetic classes ([#2040](https://togithub.com/spotbugs/spotbugs/issues/2040))
- Fixed false positive for `SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA` when the shared static data is properly protected by a synchronized block on a static lock, but that block sits inside an unsecured (synchronized and not static) method ([#2089](https://togithub.com/spotbugs/spotbugs/issues/2089))
### [`v4.7.0`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#470---2022-04-14)
[Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.6.0...4.7.0)
##### Changed
- Updated documentation by adding parenthesis `()` to the negative odd check message ([#1995](https://togithub.com/spotbugs/spotbugs/issues/1995))
- Let the Plugin class implement AutoCloseable so we can release the .jar file ([#2024](https://togithub.com/spotbugs/spotbugs/issues/2024))
##### Fixed
- Fixed reports to truncate existing files before writing new content ([#1950](https://togithub.com/spotbugs/spotbugs/issues/1950))
- Bumped Saxon-HE from 10.6 to 11.3 ([#1955](https://togithub.com/spotbugs/spotbugs/pull/1955), [#1999](https://togithub.com/spotbugs/spotbugs/pull/1999))
- Fixed traversal of nested archives governed by `-nested:true` ([#1930](https://togithub.com/spotbugs/spotbugs/pull/1930))
- Warnings of deprecated System::setSecurityManager calls on Java 17 ([#1983](https://togithub.com/spotbugs/spotbugs/pull/1983))
- Fixed false positive SSD bug for locking on java.lang.Class objects ([#1978](https://togithub.com/spotbugs/spotbugs/issues/1978))
- FindReturnRef throws an IllegalArgumentException unexpectedly ([#2019](https://togithub.com/spotbugs/spotbugs/issues/2019))
- Bump ObjectWeb ASM from 9.2 to 9.3 supporting JDK 19 ([#2004](https://togithub.com/spotbugs/spotbugs/pull/2004))
##### Added
- New detector `ThrowingExceptions` and introduced new bug types:
  - `THROWS_METHOD_THROWS_RUNTIMEEXCEPTION` is reported in case of a method throwing RuntimeException,
  - `THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION` is reported when a method has Exception in its throws clause and
  - `THROWS_METHOD_THROWS_CLAUSE_THROWABLE` is reported when a method has Throwable in its throws clause (See [SEI CERT ERR07-J](https://wiki.sei.cmu.edu/confluence/display/java/ERR07-J.+Do+not+throw+RuntimeException%2C+Exception%2C+or+Throwable))
- New rule `PERM_SUPER_NOT_CALLED_IN_GETPERMISSIONS` to warn about custom class loaders that do not call their superclass's `getPermissions()` from their own `getPermissions()` method. This rule is based on the SEI CERT rule *SEC07-J Call the superclass's getPermissions() method when writing a custom class loader*. ([#SEC07-J](https://wiki.sei.cmu.edu/confluence/display/java/SEC07-J.+Call+the+superclass%27s+getPermissions%28%29+method+when+writing+a+custom+class+loader))
- New rule `USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE` to detect cases where a non-final method of a non-final class is called from public methods of public classes and then the same method is called on the same object inside a doPrivileged block. Since the called method may have been overridden to behave differently on the first and second invocations this is a possible security check based on an unreliable source. This rule is based on *SEC02-J. Do not base security checks on untrusted sources*. ([#SEC02-J](https://wiki.sei.cmu.edu/confluence/display/java/SEC02-J.+Do+not+base+security+checks+on+untrusted+sources))
- New detector `DontUseFloatsAsLoopCounters` to detect usage of floating-point variables as loop counters (`FL_FLOATS_AS_LOOP_COUNTERS`), according to SEI CERT rule [NUM09-J. Do not use floating-point variables as loop counters](https://wiki.sei.cmu.edu/confluence/display/java/NUM09-J.+Do+not+use+floating-point+variables+as+loop+counters)
- New test detector `ViewCFG` to visualize the control-flow graph for `SpotBugs` developers
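The `USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE` entry above describes a pattern rather than showing it, so here is a constructed Java example (not SpotBugs' own code or tests) of the shape the detector reports and the SEC02-J-compliant rewrite; `ALLOWED_DIR` and the method names are assumptions.

```java
import java.io.File;
import java.security.AccessController;
import java.security.PrivilegedAction;

// Constructed illustration of SEI CERT SEC02-J as checked by the
// USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE rule.
public class UntrustedSourceCheck {

    // Assumed allow-list prefix for this illustration.
    static final String ALLOWED_DIR = "/var/app/data/";

    // Reported by the rule: java.io.File is non-final and getPath() is
    // overridable. The public method calls file.getPath() once for the check
    // and again inside doPrivileged for the privileged use. A caller who
    // controls the File subclass could make the two invocations disagree, so
    // the check does not necessarily cover the value that is actually used.
    public static boolean flaggedOpen(File file) {
        if (!file.getPath().startsWith(ALLOWED_DIR)) {
            return false;                               // first invocation: the check
        }
        return AccessController.doPrivileged(
                (PrivilegedAction<Boolean>) () -> file.getPath().length() > 0); // second invocation
    }

    // Compliant: read the untrusted object's state exactly once into a String
    // (a final class), then check and use that same immutable copy. There is
    // no second call into overridable code, so nothing for the rule to report.
    public static boolean hardenedOpen(File file) {
        final String path = file.getPath();             // single invocation, result captured
        if (!path.startsWith(ALLOWED_DIR)) {
            return false;
        }
        return AccessController.doPrivileged(
                (PrivilegedAction<Boolean>) () -> path.length() > 0);
    }

    public static void main(String[] args) {
        // Constructed inputs: one inside the allowed directory, one outside.
        File inside = new File(ALLOWED_DIR + "report.txt");
        File outside = new File("/etc/passwd");
        System.out.println("hardenedOpen(inside)  = " + hardenedOpen(inside));
        System.out.println("hardenedOpen(outside) = " + hardenedOpen(outside));
    }
}
```

Both variants behave identically for an honest `File`; the difference is only that `hardenedOpen` makes the checked value and the used value provably the same, which is what the detector looks for.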
### [`v4.6.0`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#460---2022-03-08)
[Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.5.3...4.6.0)
##### Fixed
- Fixed spotbugs build with ecj compiler ([#1903](https://togithub.com/spotbugs/spotbugs/issues/1903))
- Moved tests from spotbugs project to spotbugs-tests project ([#1914](https://togithub.com/spotbugs/spotbugs/issues/1914))
- Fixed UI freezes in Eclipse on bug count decorations update ([#285](https://togithub.com/spotbugs/spotbugs/issues/285))
- Bumped log4j from 2.17.1 to 2.17.2 ([#1960](https://togithub.com/spotbugs/spotbugs/pull/1960))
- Bumped gson from 2.8.9 to 2.9.0 ([#1966](https://togithub.com/spotbugs/spotbugs/pull/1966))
##### Added
- New detector `FindInstanceLockOnSharedStaticData` for new bug type `SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA`. This detector reports a bug if an instance-level lock is used to modify shared static data. (See [SEI CERT rule LCK06-J](https://wiki.sei.cmu.edu/confluence/display/java/LCK06-J.+Do+not+use+an+instance+lock+to+protect+shared+static+data))
### [`v4.5.3`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#453---2022-01-04)
[Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.5.2...4.5.3)
##### Security
- Bumped log4j from 2.16.0 to 2.17.1 to address [CVE-2021-45105](https://nvd.nist.gov/vuln/detail/CVE-2021-45105) and [CVE-2021-44832](https://nvd.nist.gov/vuln/detail/CVE-2021-44832) ([#1885](https://togithub.com/spotbugs/spotbugs/pull/1885), [#1897](https://togithub.com/spotbugs/spotbugs/pull/1897))
##### Fixed
- Remove duplicated logging frameworks from the Eclipse plugin distribution ([#1868](https://togithub.com/spotbugs/spotbugs/issues/1868))
- Corrected class name validation to no longer fail for Kotlin classes on class path containing special characters. ([#1883](https://togithub.com/spotbugs/spotbugs/issues/1883))
### [`v4.5.2`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#452---2021-12-13)
[Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.5.1...4.5.2)
##### Security
- Bumped log4j from 2.14.1 to 2.16.0 to address CVE-2021-44228
##### Fixed
- False negative about the rule `RV_DONT_JUST_NULL_CHECK_READLINE` ([#1821](https://togithub.com/spotbugs/spotbugs/issues/1821), [#1820](https://togithub.com/spotbugs/spotbugs/issues/1820), [#1819](https://togithub.com/spotbugs/spotbugs/issues/1819), [#1818](https://togithub.com/spotbugs/spotbugs/issues/1818))
- Updated `RV_01_TO_INT` to handle float and long checks ([#1518](https://togithub.com/spotbugs/spotbugs/issues/1518))
### [`v4.5.1`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#451---2021-12-08)
[Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.5.0...4.5.1)
##### Fixed
- Ant task does not produce XML anymore ([#1827](https://togithub.com/spotbugs/spotbugs/issues/1827))
- Do not emit false positives of `MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR` and `MC_OVERRIDABLE_METHOD_CALL_IN_CLONE` for final classes ([#1812](https://togithub.com/spotbugs/spotbugs/issues/1812)).
- Reports cannot be created on Windows platform ([#1842](https://togithub.com/spotbugs/spotbugs/pull/1842))
### [`v4.5.0`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#450---2021-11-05)
[Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.4.2...4.5.0)
##### Changed
- Replace "分析" with "解析" in Japanese document ([#1573](https://togithub.com/spotbugs/spotbugs/issues/1573))
- Add a section to document how to integrate find-sec-bugs into spotbugs-maven-plugin ([#540](https://togithub.com/spotbugs/spotbugs/issues/540))
- Bump gson from 2.8.8 to 2.8.9 ([#1784](https://togithub.com/spotbugs/spotbugs/pull/1784))
- Changes related to dominators analysis in package `edu.umd.cs.findbugs.classfile.engine.bcel` ([#1741](https://togithub.com/spotbugs/spotbugs/pull/1741)):
  - `DominatorsAnalysisFactory` renamed to `NonExceptionDominatorsAnalysisFactory` (clarification)
  - `NonExceptionPostdominatorsAnalysisFactory` renamed to `NonExceptionPostDominatorsAnalysisFactory` (spelling)
  - `NonImplicitExceptionDominatorsAnalysis` introduced (API consistency)
##### Added
- Rule `DCN_NULLPOINTER_EXCEPTION` covers catching NullPointerExceptions in accordance with SEI Cert rule [ERR08-J](https://wiki.sei.cmu.edu/confluence/display/java/ERR08-J.+Do+not+catch+NullPointerException+or+any+of+its+ancestors) ([#1740](https://togithub.com/spotbugs/spotbugs/pull/1740))
- Multiple types of report can be generated in batch. Set multiple commandline options for report configuration like `-html=report/spotbugs.html -xml:withMessages=report/spotbugs.xml`.
- New rule `REFL_REFLECTION_INCREASES_ACCESSIBILITY_OF_CLASS` to detect public methods instantiating a class they receive as a parameter. This rule is based on the SEI CERT rule *SEC05-J. Do not use reflection to increase accessibility of classes, methods, or fields*. ([#SEC05-J](https://wiki.sei.cmu.edu/confluence/display/java/SEC05-J.+Do+not+use+reflection+to+increase+accessibility+of+classes%2C+methods%2C+or+fields))
- New detector `FindOverridableMethodCall` to detect invocation of overridable method in constructors (`MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR`) and clone() method (`MC_OVERRIDABLE_METHOD_CALL_IN_CLONE`), according to SEI CERT rules [MET05-J. Ensure that constructors do not call overridable methods](https://wiki.sei.cmu.edu/confluence/display/java/MET05-J.+Ensure+that+constructors+do+not+call+overridable+methods) and [MET06-J. Do not invoke overridable methods in clone()](https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487921).
- [Translation of online manual to Brazilian Portuguese (PT-BR)](https://spotbugs.readthedocs.io/pt_BR/latest/).
##### Fixed
- False negative about the rule `ES_COMPARING_STRINGS_WITH_EQ` ([#1764](https://togithub.com/spotbugs/spotbugs/issues/1764))
- False negative about the rule `IM_MULTIPLYING_RESULT_OF_IREM` ([#1498](https://togithub.com/spotbugs/spotbugs/issues/1498))
##### Deprecated
- `-output` commandline option is deprecated. Use commandline options for report configuration like `-xml=spotbugs.xml` instead.
### [`v4.4.2`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#442---2021-10-08)
[Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.4.1...4.4.2)
##### Changed
- Add bug code to report in fancy-hist.xsl ([#1688](https://togithub.com/spotbugs/spotbugs/pull/1688))
- Bump Saxon-HE from 10.5 to 10.6 ([#1715](https://togithub.com/spotbugs/spotbugs/pull/1715))
##### Fixed
- Fixed immutable java.lang.Class as being flagged as EI ([#1695](https://togithub.com/spotbugs/spotbugs/pull/1695))
- Agree verb with plural subject in the description of `SW_SWING_METHODS_INVOKED_IN_SWING_THREAD` ([#1664](https://togithub.com/spotbugs/spotbugs/pull/1664))
- Wrong description of the `SE_TRANSIENT_FIELD_OF_NONSERIALIZABLE_CLASS` ([#1664](https://togithub.com/spotbugs/spotbugs/pull/1664))
- Fixed java.util.Locale as being flagged as EI ([#1702](https://togithub.com/spotbugs/spotbugs/pull/1702))
- Fixed reference to java.awt.Cursor which caused it to be flagged as EI ([#1702](https://togithub.com/spotbugs/spotbugs/pull/1702))
- Treat types with `@com.google.errorprone.annotations.Immutable` as immutable ([#1705](https://togithub.com/spotbugs/spotbugs/pull/1705))
- Fix annotation check for `jdk.internal.ValueBased` ([#1706](https://togithub.com/spotbugs/spotbugs/pull/1706))
- `DMI_RANDOM_USED_ONLY_ONCE` false positive ([#1539](https://togithub.com/spotbugs/spotbugs/issues/1539))
- `NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR` false negative ([#1642](https://togithub.com/spotbugs/spotbugs/issues/1642))
- Immutable java.util.regex.Pattern as being flagged as EI ([#1738](https://togithub.com/spotbugs/spotbugs/pull/1738))
- Resource leak in the JrtfsCodeBase ([#1732](https://togithub.com/spotbugs/spotbugs/pull/1732))
### [`v4.4.1`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#441---2021-09-07)
[Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.4.0...4.4.1)
##### Changed
- Bump gson from 2.8.7 to 2.8.8 ([#1658](https://togithub.com/spotbugs/spotbugs/pull/1658))
- Lower `ExitCodes` logger to debug level ([#1661](https://togithub.com/spotbugs/spotbugs/issues/1661))
- Fixed SARIF format to be compatible with Github code scanning API requirements ([#1630](https://togithub.com/spotbugs/spotbugs/issues/1630))
##### Fixed
- Fixed immutable classes in java.net.\* as being flagged as EI ([#1653](https://togithub.com/spotbugs/spotbugs/issues/1653))
- Classes containing only static methods with setter-like names are no longer considered as mutable ([#1601](https://togithub.com/spotbugs/spotbugs/issues/1601))
- Handle all immutable collections in the Guava library as immutable ([#1601](https://togithub.com/spotbugs/spotbugs/issues/1601))
- Classes annotated with `@Immutable` or `@jdk.internal.ValueBased` are considered as immutable ([#1601](https://togithub.com/spotbugs/spotbugs/issues/1601))
- All classes in packages java.time and java.math are now correctly handled as immutable ([#1601](https://togithub.com/spotbugs/spotbugs/issues/1601))
### [`v4.4.0`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#440---2021-08-12)
[Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.3.0...4.4.0)
##### Fixed
- Fixed False positives for RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE ([#600](https://togithub.com/spotbugs/spotbugs/issues/600) and [#1338](https://togithub.com/spotbugs/spotbugs/issues/1338))
- Inconsistent bug description on `EQ_COMPARING_CLASS_NAMES` ([#1523](https://togithub.com/spotbugs/spotbugs/issues/1523))
- Add a declaration of charset encoding in generated reports ([#1623](https://togithub.com/spotbugs/spotbugs/pull/1623))
- Fixed regression in Bug Info view for Eclipse 2021-03+ ([#1477](https://togithub.com/spotbugs/spotbugs/issues/1477))
##### Added
- New detector `FindBadEndOfStreamCheck` for new bug type `EOS_BAD_END_OF_STREAM_CHECK`. This bug is reported whenever the return value of java.io.FileInputStream.read() or java.io.FileReader.read() is first converted to byte/int and only thereafter checked against -1. (See [SEI CERT rule FIO08-J](https://wiki.sei.cmu.edu/confluence/display/java/FIO08-J.+Distinguish+between+characters+or+bytes+read+from+a+stream+and+-1))
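To make the `EOS_BAD_END_OF_STREAM_CHECK` description concrete, the following constructed Java example (not SpotBugs' own code) shows the narrowing-before-check loop the detector reports beside the FIO08-J-compliant form; it generalizes from `FileInputStream` to any `InputStream` so it can run offline on an in-memory byte array, and the method names are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;

// Constructed illustration of SEI CERT FIO08-J as checked by FindBadEndOfStreamCheck.
public class EndOfStreamCheck {

    // Reported by the detector: read() returns 0..255 for data and -1 for end of
    // stream, but the result is narrowed to byte BEFORE the -1 comparison. The
    // data byte 0xFF narrows to -1 and is indistinguishable from end of stream,
    // so the loop stops early and silently drops the remainder of the input.
    public static int countBytesBuggy(InputStream in) throws IOException {
        int count = 0;
        byte b;
        while ((b = (byte) in.read()) != -1) {
            count++;
        }
        return count;
    }

    // Compliant: keep the int, compare it against -1, and narrow only afterwards,
    // when the value is known to be a real data byte in 0..255.
    public static int countBytesFixed(InputStream in) throws IOException {
        int count = 0;
        int value;
        while ((value = in.read()) != -1) {
            byte b = (byte) value; // safe here: value is never -1
            count++;
        }
        return count;
    }

    public static void main(String[] args) throws IOException {
        // Constructed input with a 0xFF byte in the middle, the case that
        // separates the two variants.
        byte[] data = {0x41, (byte) 0xFF, 0x42, 0x43};
        System.out.println("buggy counted " + countBytesBuggy(new ByteArrayInputStream(data)));
        System.out.println("fixed counted " + countBytesFixed(new ByteArrayInputStream(data)));
    }
}
```

On the constructed input the buggy loop counts a single byte and the fixed loop counts all four; the same truncation applies to `FileReader.read()`, where narrowing to `char` hides -1 the same way.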
### [`v4.3.0`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#430---2021-07-01)
[Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.2.3...4.3.0)
##### Fixed
- `MS_EXPOSE_REP` and `EI_EXPOSE_REP` are now reported for code returning a reference to a mutable object indirectly (e.g. via a local variable)
##### Changed
- Bump ObjectWeb ASM from 9.1 to 9.2 supporting JDK 18 ([#1591](https://togithub.com/spotbugs/spotbugs/pull/1591))
- Bump Saxon-HE from 10.3 to 10.5 ([#1513](https://togithub.com/spotbugs/spotbugs/pull/1513))
- Bump gson from 2.8.6 to 2.8.7 ([#1556](https://togithub.com/spotbugs/spotbugs/pull/1556))
- Function `mutableSignature()` improved and factored out from the `MutableStaticFields` detector
##### Added
- New bugs `MS_EXPOSE_BUF`, `EI_EXPOSE_BUF`, `EI_EXPOSE_STATIC_BUF2` and `EI_EXPOSE_BUF2` by the `FindReturnRef` detector to detect cases where buffers or their backing arrays are exposed (see [SEI CERT rule FIO05-J](https://wiki.sei.cmu.edu/confluence/display/java/FIO05-J.+Do+not+expose+buffers+or+their+backing+arrays+methods+to+untrusted+code))
- `MS_EXPOSE_REP`, `EI_EXPOSE_REP`, `EI_EXPOSE_STATIC_REP2` and `EI_EXPOSE_REP2` now report for shallowly copied arrays (using clone()) of mutable objects
This PR has been generated by Mend Renovate. It contains the following update: `4.2.3` -> `4.7.3`.
Release Notes
spotbugs/spotbugs (com.github.spotbugs:spotbugs)
### [`v4.7.3`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#473---2022-10-15) [Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.7.2...4.7.3) ##### Fixed - Fixed detector `DontUseFloatsAsLoopCounters` to prevent false positives. ([#2126](https://togithub.com/spotbugs/spotbugs/issues/2126)) - Fixed regression in `4.7.2` caused by ([#2141](https://togithub.com/spotbugs/spotbugs/pull/2141)) - improve compatibility with later version of jdk (>= 13). ([#2188](https://togithub.com/spotbugs/spotbugs/issues/2188)) - Fixed detector `UncallableMethodOfAnonymousClass` to not report unused methods of method-local enumerations and records ([#2120](https://togithub.com/spotbugs/spotbugs/issues/2120)) - Fixed detector `FindSqlInjection` to detect bug `SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE SQL` with high priority in case of unsafe appends also in Java 11 and above ([#2183](https://togithub.com/spotbugs/spotbugs/issues/2183)) - Fixed detector `StringConcatenation` to detect bug `SBSC_USE_STRINGBUFFER_CONCATENATION` also in Java 11 and above ([#2182](https://togithub.com/spotbugs/spotbugs/issues/2182)) - Fixed `OpcodeStackDetector` to to handle propagation of taints properly in case of string concatenation in Java 9 and above ([#2195](https://togithub.com/spotbugs/spotbugs/issues/2195)) - Bump up log4j2 binding to `2.19.0` - Bump ObjectWeb ASM from 9.3 to 9.4 supporting JDK 20 ([#2200](https://togithub.com/spotbugs/spotbugs/pull/2200)) - Bump up commons-text to 1.10.0 ([#2197](https://togithub.com/spotbugs/spotbugs/pull/2197)) - Fixed debug detector `ViewCFG` to generate file names that are also valid on Windows ([#2209](https://togithub.com/spotbugs/spotbugs/issues/2209)) ### [`v4.7.2`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#472---2022-09-02) [Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.7.1...4.7.2) ##### Fixed - Bumped gson from 2.9.0 to 2.9.1 ([#2136](https://togithub.com/spotbugs/spotbugs/pull/2136)) 
- Bump up SLF4J API to `2.0.0` - Bump up logback to `1.4.0` - Bump up log4j2 binding to `2.18.0` - Bump up Saxon-HE to `11.4` ([#2160](https://togithub.com/spotbugs/spotbugs/pull/2160)) - Fixed InvalidInputException in Eclipse while bug reporting ([#2134](https://togithub.com/spotbugs/spotbugs/issues/2134)) - Bug `SA_FIELD_SELF_ASSIGNMENT` is now reported from nested classes as well ([#2142](https://togithub.com/spotbugs/spotbugs/issues/2142)) - Avoid warning on use of security manager on Java 17 and newer. ([#1579](https://togithub.com/spotbugs/spotbugs/issues/1579)) - Fixed false positives `EI_EXPOSE_REP` thrown in case of fields initialized by the `of` or `copyOf` method of a `List`, `Map` or `Set` ([#1771](https://togithub.com/spotbugs/spotbugs/issues/1771)) - Fixed CFGBuilderException thrown when `dup_x2` is used to swap the reference and wide-value (double, long) in the stack ([#2146](https://togithub.com/spotbugs/spotbugs/pull/2146)) ### [`v4.7.1`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#471---2022-06-26) [Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.7.0...4.7.1) ##### Fixed - Fixed False positives for `RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE` on try-with-resources with interface references ([#1931](https://togithub.com/spotbugs/spotbugs/issues/1931)) - Fixed NullPointerException thrown by detector `FindPotentialSecurityCheckBasedOnUntrustedSource` on Kotlin files. 
([#2041](https://togithub.com/spotbugs/spotbugs/issues/2041)) - Disabled detector `ThrowingExceptions` by default to avoid many false positives ([#2040](https://togithub.com/spotbugs/spotbugs/issues/2040)) - Fixed False positives for `THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION` and `THROWS_METHOD_THROWS_CLAUSE_THROWABLE` on evaluating synthetic classes ([#2040](https://togithub.com/spotbugs/spotbugs/issues/2040)) - Fixed False positive for `SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA` on proper protection by using static lock for synchronized block, but inside an unsecured (synchronized and not static) method ([#2089](https://togithub.com/spotbugs/spotbugs/issues/2089)) ### [`v4.7.0`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#470---2022-04-14) [Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.6.0...4.7.0) ##### Changed - Updated documentation by adding parenthesis `()` to the negative odd check message ([#1995](https://togithub.com/spotbugs/spotbugs/issues/1995)) - Let the Plugin class implement AutoCloseable so we can release the .jar file ([#2024](https://togithub.com/spotbugs/spotbugs/issues/2024)) ##### Fixed - Fixed reports to truncate existing files before writing new content ([#1950](https://togithub.com/spotbugs/spotbugs/issues/1950)) - Bumped Saxon-HE from 10.6 to 11.3 ([#1955](https://togithub.com/spotbugs/spotbugs/pull/1955), [#1999](https://togithub.com/spotbugs/spotbugs/pull/1999)) - Fixed traversal of nested archives governed by `-nested:true` ([#1930](https://togithub.com/spotbugs/spotbugs/pull/1930)) - Warnings of deprecated System::setSecurityManager calls on Java 17 ([#1983](https://togithub.com/spotbugs/spotbugs/pull/1983)) - Fixed false positive SSD bug for locking on java.lang.Class objects ([#1978](https://togithub.com/spotbugs/spotbugs/issues/1978)) - FindReturnRef throws an IllegalArgumentException unexpectedly ([#2019](https://togithub.com/spotbugs/spotbugs/issues/2019)) - Bump ObjectWeb ASM from 
9.2 to 9.3 supporting JDK 19 ([#2004](https://togithub.com/spotbugs/spotbugs/pull/2004)) ##### Added - New detector `ThrowingExceptions` and introduced new bug types: - `THROWS_METHOD_THROWS_RUNTIMEEXCEPTION` is reported in case of a method throwing RuntimeException, - `THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION` is reported when a method has Exception in its throws clause and - `THROWS_METHOD_THROWS_CLAUSE_THROWABLE` is reported when a method has Throwable in its throws clause (See [SEI CERT ERR07-J](https://wiki.sei.cmu.edu/confluence/display/java/ERR07-J.+Do+not+throw+RuntimeException%2C+Exception%2C+or+Throwable)) - New rule `PERM_SUPER_NOT_CALLED_IN_GETPERMISSIONS` to warn for custom class loaders who do not call their superclasses' `getPermissions()` in their `getPermissions()` method. This rule based on the SEI CERT rule *SEC07-J Call the superclass's getPermissions() method when writing a custom class loader*. ([#SEC07-J](https://wiki.sei.cmu.edu/confluence/display/java/SEC07-J.+Call+the+superclass%27s+getPermissions%28%29+method+when+writing+a+custom+class+loader)) - New rule `USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE` to detect cases where a non-final method of a non-final class is called from public methods of public classes and then the same method is called on the same object inside a doPrivileged block. Since the called method may have been overridden to behave differently on the first and second invocations this is a possible security check based on an unreliable source. This rule is based on *SEC02-J. Do not base security checks on untrusted sources*. ([#SEC02-J](https://wiki.sei.cmu.edu/confluence/display/java/SEC02-J.+Do+not+base+security+checks+on+untrusted+sources)) - New detector `DontUseFloatsAsLoopCounters` to detect usage of floating-point variables as loop counters (`FL_FLOATS_AS_LOOP_COUNTERS`), according to SEI CERT rules [NUM09-J. 
Do not use floating-point variables as loop counters](https://wiki.sei.cmu.edu/confluence/display/java/NUM09-J.+Do+not+use+floating-point+variables+as+loop+counters) - New test detector `ViewCFG` to visualize the control-flow graph for `SpotBugs` developers ### [`v4.6.0`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#460---2022-03-08) [Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.5.3...4.6.0) ##### Fixed - Fixed spotbugs build with ecj compiler ([#1903](https://togithub.com/spotbugs/spotbugs/issues/1903)) - Moved tests from spotbugs project to spotbugs-tests project ([#1914](https://togithub.com/spotbugs/spotbugs/issues/1914)) - Fixed UI freezes in Eclipse on bug count decorations update ([#285](https://togithub.com/spotbugs/spotbugs/issues/285)) - Bumped log4j from 2.17.1 to 2.17.2 ([#1960](https://togithub.com/spotbugs/spotbugs/pull/1960)) - Bumped gson from 2.8.9 to 2.9.0 ([#1960](https://togithub.com/spotbugs/spotbugs/pull/1966)) ##### Added - New detector `FindInstanceLockOnSharedStaticData` for new bug type `SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA`. This detector reports a bug if an instance level lock is used to modify a shared static data. 
(See [SEI CERT rule LCK06-J](https://wiki.sei.cmu.edu/confluence/display/java/LCK06-J.+Do+not+use+an+instance+lock+to+protect+shared+static+data))

### [`v4.5.3`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#453---2022-01-04)

[Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.5.2...4.5.3)

##### Security

- Bumped log4j from 2.16.0 to 2.17.1 to address [CVE-2021-45105](https://nvd.nist.gov/vuln/detail/CVE-2021-45105) and [CVE-2021-44832](https://nvd.nist.gov/vuln/detail/CVE-2021-44832) ([#1885](https://togithub.com/spotbugs/spotbugs/pull/1885), [#1897](https://togithub.com/spotbugs/spotbugs/pull/1897))

##### Fixed

- Remove duplicated logging frameworks from the Eclipse plugin distribution ([#1868](https://togithub.com/spotbugs/spotbugs/issues/1868))
- Corrected class name validation to no longer fail for Kotlin classes on a class path containing special characters ([#1883](https://togithub.com/spotbugs/spotbugs/issues/1883))

### [`v4.5.2`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#452---2021-12-13)

[Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.5.1...4.5.2)

##### Security

- Bumped log4j from 2.14.1 to 2.16.0 to address [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228)

##### Fixed

- False negative about the rule `RV_DONT_JUST_NULL_CHECK_READLINE` ([#1821](https://togithub.com/spotbugs/spotbugs/issues/1821), [#1820](https://togithub.com/spotbugs/spotbugs/issues/1820), [#1819](https://togithub.com/spotbugs/spotbugs/issues/1819), [#1818](https://togithub.com/spotbugs/spotbugs/issues/1818))
- Updated `RV_01_TO_INT` to handle float and long checks ([#1518](https://togithub.com/spotbugs/spotbugs/issues/1518))

### [`v4.5.1`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#451---2021-12-08)

[Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.5.0...4.5.1)

##### Fixed

- Ant task does not produce XML anymore ([#1827](https://togithub.com/spotbugs/spotbugs/issues/1827))
- Do not emit false positives of `MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR` and `MC_OVERRIDABLE_METHOD_CALL_IN_CLONE` for final classes ([#1812](https://togithub.com/spotbugs/spotbugs/issues/1812))
- Reports cannot be created on Windows platform ([#1842](https://togithub.com/spotbugs/spotbugs/pull/1842))

### [`v4.5.0`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#450---2021-11-05)

[Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.4.2...4.5.0)

##### Changed

- Replace "分析" with "解析" (both meaning "analysis") in the Japanese document ([#1573](https://togithub.com/spotbugs/spotbugs/issues/1573))
- Add a section to document how to integrate find-sec-bugs into spotbugs-maven-plugin ([#540](https://togithub.com/spotbugs/spotbugs/issues/540))
- Bump gson from 2.8.8 to 2.8.9 ([#1784](https://togithub.com/spotbugs/spotbugs/pull/1784))
- Changes related to dominators analysis in package `edu.umd.cs.findbugs.classfile.engine.bcel` ([#1741](https://togithub.com/spotbugs/spotbugs/pull/1741)):
  - `DominatorsAnalysisFactory` renamed to `NonExceptionDominatorsAnalysisFactory` (clarification)
  - `NonExceptionPostdominatorsAnalysisFactory` renamed to `NonExceptionPostDominatorsAnalysisFactory` (spelling)
  - `NonImplicitExceptionDominatorsAnalysis` introduced (API consistency)

##### Added

- Rule `DCN_NULLPOINTER_EXCEPTION` covers catching NullPointerExceptions in accordance with SEI CERT rule [ERR08-J](https://wiki.sei.cmu.edu/confluence/display/java/ERR08-J.+Do+not+catch+NullPointerException+or+any+of+its+ancestors) ([#1740](https://togithub.com/spotbugs/spotbugs/pull/1740))
- Multiple types of report can be generated in batch. Set multiple commandline options for report configuration like `-html=report/spotbugs.html -xml:withMessages=report/spotbugs.xml`.
- New rule `REFL_REFLECTION_INCREASES_ACCESSIBILITY_OF_CLASS` to detect public methods instantiating a class they get in their parameter. This rule is based on the SEI CERT rule [SEC05-J. Do not use reflection to increase accessibility of classes, methods, or fields](https://wiki.sei.cmu.edu/confluence/display/java/SEC05-J.+Do+not+use+reflection+to+increase+accessibility+of+classes%2C+methods%2C+or+fields).
- New detector `FindOverridableMethodCall` to detect invocation of an overridable method in constructors (`MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR`) and in the `clone()` method (`MC_OVERRIDABLE_METHOD_CALL_IN_CLONE`), according to SEI CERT rules [MET05-J. Ensure that constructors do not call overridable methods](https://wiki.sei.cmu.edu/confluence/display/java/MET05-J.+Ensure+that+constructors+do+not+call+overridable+methods) and [MET06-J. Do not invoke overridable methods in clone()](https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487921).
- [Translation of online manual to Brazilian Portuguese (PT-BR)](https://spotbugs.readthedocs.io/pt_BR/latest/).

##### Fixed

- False negative about the rule `ES_COMPARING_STRINGS_WITH_EQ` ([#1764](https://togithub.com/spotbugs/spotbugs/issues/1764))
- False negative about the rule `IM_MULTIPLYING_RESULT_OF_IREM` ([#1498](https://togithub.com/spotbugs/spotbugs/issues/1498))

##### Deprecated

- `-output` commandline option is deprecated. Use commandline options for report configuration like `-xml=spotbugs.xml` instead.
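The pattern that `FindOverridableMethodCall` reports as `MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR` is easy to misjudge without seeing the partially constructed object. The following is an added example, not SpotBugs project code: a superclass constructor calls an overridable method, the subclass override runs before the subclass's own field initialisers, and the `private` variant closes the hole. All class and field names are illustrative.

```java
// Added example (not SpotBugs project code): the bug behind
// MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR (SEI CERT MET05-J) and one fix.
// Class and field names are illustrative.
public class OverridableCallDemo {

    // Before: the superclass constructor calls an overridable method.
    static class Unsafe {
        Unsafe() {
            init();             // dispatches to a subclass override, if any,
        }                       // while the subclass is not yet initialised
        void init() { }
    }

    static class UnsafeChild extends Unsafe {
        // Field initialisers run only after super() returns, so during
        // Unsafe's constructor this field still holds null.
        private final String name = "child";

        UnsafeChild() { super(); }

        @Override
        void init() {
            // Observes a partially constructed object: name is null here.
            observed = name;
        }
    }

    // After: the method called from the constructor is private (final would
    // also do), so no subclass can hook into construction.
    static class Safe {
        Safe() {
            init();
        }
        private void init() { }
    }

    static class SafeChild extends Safe {
        private final String name = "child";

        SafeChild() { super(); }

        // Unrelated to Safe.init(): private methods are not overridden,
        // so this never runs during the superclass constructor.
        void init() {
            observed = name;
        }
    }

    // Records what the most recent init() override saw, for the demo below.
    static String observed = "not called";

    public static void main(String[] args) {
        observed = "not called";
        new UnsafeChild();
        String seenByUnsafe = observed;   // null: override ran too early

        observed = "not called";
        new SafeChild();
        String seenBySafe = observed;     // "not called": no override ran

        if (seenByUnsafe != null || !"not called".equals(seenBySafe)) {
            throw new AssertionError("unexpected: " + seenByUnsafe + " / " + seenBySafe);
        }
    }
}
```

The `final`-class special case fixed in 4.5.1 follows from the same reasoning: if the class declaring the constructor cannot be subclassed, there is no override that could run early, so the call is not reported.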
### [`v4.4.2`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#442---2021-10-08)

[Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.4.1...4.4.2)

##### Changed

- Add bug code to report in fancy-hist.xsl ([#1688](https://togithub.com/spotbugs/spotbugs/pull/1688))
- Bump Saxon-HE from 10.5 to 10.6 ([#1715](https://togithub.com/spotbugs/spotbugs/pull/1715))

##### Fixed

- Fixed immutable `java.lang.Class` being flagged as EI ([#1695](https://togithub.com/spotbugs/spotbugs/pull/1695))
- Agree verb with plural subject in the description of `SW_SWING_METHODS_INVOKED_IN_SWING_THREAD` ([#1664](https://togithub.com/spotbugs/spotbugs/pull/1664))
- Wrong description of `SE_TRANSIENT_FIELD_OF_NONSERIALIZABLE_CLASS` ([#1664](https://togithub.com/spotbugs/spotbugs/pull/1664))
- Fixed `java.util.Locale` being flagged as EI ([#1702](https://togithub.com/spotbugs/spotbugs/pull/1702))
- Fixed reference to `java.awt.Cursor` which caused it to be flagged as EI ([#1702](https://togithub.com/spotbugs/spotbugs/pull/1702))
- Treat types with `@com.google.errorprone.annotations.Immutable` as immutable ([#1705](https://togithub.com/spotbugs/spotbugs/pull/1705))
- Fix annotation check for `jdk.internal.ValueBased` ([#1706](https://togithub.com/spotbugs/spotbugs/pull/1706))
- `DMI_RANDOM_USED_ONLY_ONCE` false positive ([#1539](https://togithub.com/spotbugs/spotbugs/issues/1539))
- `NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR` false negative ([#1642](https://togithub.com/spotbugs/spotbugs/issues/1642))
- Immutable `java.util.regex.Pattern` being flagged as EI ([#1695](https://togithub.com/spotbugs/spotbugs/pull/1738))
- Resource leak in the JrtfsCodeBase ([#1732](https://togithub.com/spotbugs/spotbugs/pull/1732))

### [`v4.4.1`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#441---2021-09-07)

[Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.4.0...4.4.1)

##### Changed

- Bump gson from 2.8.7 to 2.8.8 ([#1658](https://togithub.com/spotbugs/spotbugs/pull/1658))
- Lower `ExitCodes` logger to debug level ([#1661](https://togithub.com/spotbugs/spotbugs/issues/1661))
- Fixed SARIF format to be compatible with GitHub code scanning API requirements ([#1630](https://togithub.com/spotbugs/spotbugs/issues/1630))

##### Fixed

- Fixed immutable classes in `java.net.*` being flagged as EI ([#1653](https://togithub.com/spotbugs/spotbugs/issues/1653))
- Classes containing only static methods with setter-like names are no longer considered mutable ([#1601](https://togithub.com/spotbugs/spotbugs/issues/1601))
- Handle all immutable collections in the Guava library as immutable ([#1601](https://togithub.com/spotbugs/spotbugs/issues/1601))
- Classes annotated with `@Immutable` or `@jdk.internal.ValueBased` are considered immutable ([#1601](https://togithub.com/spotbugs/spotbugs/issues/1601))
- All classes in packages `java.time` and `java.math` are now correctly handled as immutable ([#1601](https://togithub.com/spotbugs/spotbugs/issues/1601))

### [`v4.4.0`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#440---2021-08-12)

[Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.3.0...4.4.0)

##### Fixed

- Fixed false positives for `RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE` ([#600](https://togithub.com/spotbugs/spotbugs/issues/600) and [#1338](https://togithub.com/spotbugs/spotbugs/issues/1338))
- Inconsistent bug description on `EQ_COMPARING_CLASS_NAMES` ([#1523](https://togithub.com/spotbugs/spotbugs/issues/1523))
- Add a declaration of charset encoding in generated reports ([#1623](https://togithub.com/spotbugs/spotbugs/pull/1623))
- Fixed regression in Bug Info view for Eclipse 2021-03+ ([#1477](https://togithub.com/spotbugs/spotbugs/issues/1477))

##### Added

- New detector `FindBadEndOfStreamCheck` for new bug type `EOS_BAD_END_OF_STREAM_CHECK`. This bug is reported whenever the return value of `java.io.FileInputStream.read()` or `java.io.FileReader.read()` is first converted to `byte`/`int` and only thereafter checked against -1. (See [SEI CERT rule FIO08-J](https://wiki.sei.cmu.edu/confluence/display/java/FIO08-J.+Distinguish+between+characters+or+bytes+read+from+a+stream+and+-1))

### [`v4.3.0`](https://togithub.com/spotbugs/spotbugs/blob/HEAD/CHANGELOG.md#430---2021-07-01)

[Compare Source](https://togithub.com/spotbugs/spotbugs/compare/4.2.3...4.3.0)

##### Fixed

- `MS_EXPOSE_REP` and `EI_EXPOSE_REP` are now reported for code returning a reference to a mutable object indirectly (e.g. via a local variable)

##### Changed

- Bump ObjectWeb ASM from 9.1 to 9.2 supporting JDK 18 ([#1591](https://togithub.com/spotbugs/spotbugs/pull/1591))
- Bump Saxon-HE from 10.3 to 10.5 ([#1513](https://togithub.com/spotbugs/spotbugs/pull/1513))
- Bump gson from 2.8.6 to 2.8.7 ([#1556](https://togithub.com/spotbugs/spotbugs/pull/1556))
- Function `mutableSignature()` improved and factored out from the `MutableStaticFields` detector

##### Added

- New bugs `MS_EXPOSE_BUF`, `EI_EXPOSE_BUF`, `EI_EXPOSE_STATIC_BUF2` and `EI_EXPOSE_BUF2` by the `FindReturnRef` detector to detect cases where buffers or their backing arrays are exposed (see [SEI CERT rule FIO05-J](https://wiki.sei.cmu.edu/confluence/display/java/FIO05-J.+Do+not+expose+buffers+or+their+backing+arrays+methods+to+untrusted+code))
- `MS_EXPOSE_REP`, `EI_EXPOSE_REP`, `EI_EXPOSE_STATIC_REP2` and `EI_EXPOSE_REP2` now report for shallowly copied arrays (using `clone()`) of mutable objects
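The `EOS_BAD_END_OF_STREAM_CHECK` description above is terse about why the narrowing matters: `read()` returns an `int` in 0..255 or -1, and a data byte of 0xFF cast to `byte` is also -1, so the loop stops early and silently truncates the input. The following is an added example, not SpotBugs project code, with the flagged form beside the correct one; it constructs its own three-byte input file (the 0xFF in the middle is the trigger) and the method names are illustrative.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example (not SpotBugs project code): the pattern FindBadEndOfStreamCheck
// reports as EOS_BAD_END_OF_STREAM_CHECK (SEI CERT FIO08-J), beside the fix.
public class EndOfStreamDemo {

    // Before: the int returned by read() is narrowed to byte before the check,
    // so a data byte of 0xFF becomes -1 and is mistaken for end of stream.
    static int countBytesBad(Path file) throws IOException {
        int count = 0;
        try (FileInputStream in = new FileInputStream(file.toFile())) {
            byte b;
            while ((b = (byte) in.read()) != -1) {   // EOS_BAD_END_OF_STREAM_CHECK
                count++;
            }
        }
        return count;
    }

    // After: compare the int against -1 first, narrow to byte only afterwards.
    static int countBytesGood(Path file) throws IOException {
        int count = 0;
        try (FileInputStream in = new FileInputStream(file.toFile())) {
            int value;
            while ((value = in.read()) != -1) {
                byte b = (byte) value;   // safe: -1 has already been excluded
                count++;
            }
        }
        return count;
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: three bytes, the middle one 0xFF.
        Path tmp = Files.createTempFile("eos-demo", ".bin");
        try {
            Files.write(tmp, new byte[] {0x41, (byte) 0xFF, 0x42});
            int bad = countBytesBad(tmp);    // stops at the 0xFF byte
            int good = countBytesGood(tmp);  // reads all three bytes
            if (bad != 1 || good != 3) {
                throw new AssertionError("bad=" + bad + " good=" + good);
            }
        } finally {
            Files.deleteIfExists(tmp);
        }
    }
}
```

The same reasoning applies to `FileReader.read()`, where the value is a `char` code rather than a byte: a `char` is unsigned, so `(char) -1` is 0xFFFF and the `!= -1` comparison can never be true, which turns premature termination into an infinite loop at end of file.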
### Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.