Fixed InvalidInputException in Eclipse while bug reporting (#2134)
Bug SA_FIELD_SELF_ASSIGNMENT is now reported from nested classes as well (#2142)
Avoid warning on use of security manager on Java 17 and newer. (#1579)
Fixed false positives EI_EXPOSE_REP thrown in case of fields initialized by the of or copyOf method of a List, Map or Set (#1771)
Fixed CFGBuilderException thrown when dup_x2 is used to swap the reference and wide-value (double, long) in the stack (#2146)
4.7.1 - 2022-06-26
Fixed
Fixed False positives for RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE on try-with-resources with interface references (#1931)
Fixed NullPointerException thrown by detector FindPotentialSecurityCheckBasedOnUntrustedSource on Kotlin files. (#2041)
Disabled detector ThrowingExceptions by default to avoid many false positives (#2040)
Fixed False positives for THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION and THROWS_METHOD_THROWS_CLAUSE_THROWABLE on evaluating synthetic classes (#2040)
Fixed False positive for SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA on proper protection by using static lock for synchronized block, but inside an unsecured (synchronized and not static) method (#2089)
4.7.0 - 2022-04-14
Changed
Updated documentation by adding parenthesis () to the negative odd check message (#1995)
Let the Plugin class implement AutoCloseable so we can release the .jar file (#2024)
Fixed
Fixed reports to truncate existing files before writing new content (#1950)
Fixed traversal of nested archives governed by -nested:true (#1930)
Warnings of deprecated System::setSecurityManager calls on Java 17 (#1983)
Fixed false positive SSD bug for locking on java.lang.Class objects (#1978)
FindReturnRef throws an IllegalArgumentException unexpectedly (#2019)
Bump ObjectWeb ASM from 9.2 to 9.3 supporting JDK 19 (#2004)
Added
New detector ThrowingExceptions and introduced new bug types:
THROWS_METHOD_THROWS_RUNTIMEEXCEPTION is reported in case of a method throwing RuntimeException,
THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION is reported when a method has Exception in its throws clause and
THROWS_METHOD_THROWS_CLAUSE_THROWABLE is reported when a method has Throwable in its throws clause (See SEI CERT ERR07-J)
New rule PERM_SUPER_NOT_CALLED_IN_GETPERMISSIONS to warn for custom class loaders who do not call their superclasses' getPermissions() in their getPermissions() method. This rule based on the SEI CERT rule SEC07-J Call the superclass's getPermissions() method when writing a custom class loader. (#SEC07-J)
New rule USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE to detect cases where a non-final method of a non-final class is called from public methods of public classes and then the same method is called on the same object inside a doPrivileged block. Since the called method may have been overridden to behave differently on the first and second invocations this is a possible security check based on an unreliable source. This rule is based on SEC02-J. Do not base security checks on untrusted sources. (#SEC02-J)
Updates spotbugs-maven-plugin from 4.7.1.0 to 4.7.2
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps
spotbugs.version
from 4.7.1.0 to 4.7.2. Updatesspotbugs
from 4.7.1.0 to 4.7.2Release notes
Sourced from spotbugs's releases.
Changelog
Sourced from spotbugs's changelog.
... (truncated)
Commits
1f42a5b
release v4.7.19147e58
docs: update CHANGELOG for Saxon-HE7c835b6
Report bugSA_FIELD_SELF_ASSIGNMENT
in nested classes as well (#2161)4c0c1b9
Do not disable the security manager on Java 17 VMs and newer as it is depreca...e1ebefc
build(deps): bump com.gradle.enterprise from 3.10.2 to 3.11.14c9b635
Fix for false positivesEI_EXPOSE_REP
in case of unmodifiable collections (...06a1eeb
build(deps): bump Saxon-HE from 11.3 to 11.42e9d29c
chore: add a comment to describe why we checkdepth == 1
a363651
fix: consider the possibility of dup_x2 and dup_x105eb8b7
chore: apply spotlessUpdates
spotbugs-maven-plugin
from 4.7.1.0 to 4.7.2Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)