Update dependency com.github.spotbugs:spotbugs-annotations to v4 #97
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
3.1.9
->4.8.6
Release Notes
spotbugs/spotbugs (com.github.spotbugs:spotbugs-annotations)
v4.8.6
Compare Source
Fixed
IGNORED_PRIORITY
(#2994)v4.8.5
Compare Source
Fixed
SING_SINGLETON_GETTER_NOT_SYNCHRONIZED
with eager instances (#2932)SE_BAD_FIELD
for record fields (#2935)v4.8.4
Compare Source
Fixed
executionSuccessful
flag in SARIF report being set to false when bugs were found (#2116)exitSignalName
toexitCodeDescription
(#2739)Added
MultipleInstantiationsOfSingletons
and introduced new bug types:SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR
is reported in case of a non-private constructor,SING_SINGLETON_IMPLEMENTS_CLONEABLE
is reported in case of a class directly implementing theCloneable
interface,SING_SINGLETON_INDIRECTLY_IMPLEMENTS_CLONEABLE
is reported when a class indirectly implements theCloneable
interface,SING_SINGLETON_IMPLEMENTS_CLONE_METHOD
is reported when a class does not implement theCloneable
interface, but has aclone()
method,SING_SINGLETON_IMPLEMENTS_SERIALIZABLE
is reported when a class directly or indirectly implements theSerializable
interface andSING_SINGLETON_GETTER_NOT_SYNCHRONIZED
is reported when the instance-getter method of the singleton class is not synchronized.(See SEI CERT MSC07-J)
FindOverridableMethodCall
detector with new bug type:MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT
. It's reported when an overridable method is called fromreadObject()
, according to SEI CERT rule SER09-J. Do not invoke overridable methods from the readObject() method.Changed
Build
v4.8.3
Compare Source
Fixed
Changed
v4.8.2
Compare Source
Fixed
Added
System.getenv()
calls, where the corresponding Java property could be used (See ENV02-J).Build
v4.8.1
Compare Source
Fixed
PA_PUBLIC_MUTABLE_OBJECT_ATTRIBUTE
bug (#2652)Build
v4.8.0
Compare Source
Changed
Fixed
RandomOnceSubDetector
to not report whendoubles
,ints
, orlongs
are called on a newRandom
orSecureRandom
(#2370)TestASM
throwing error during analysis, because it doesn't note that it reports bugs.Added
classAnnotationNames
). For example, use like in an excludeFilter.xml to ignore classes generated by the Immutable framework. This ignores all class, method or field bugs in classes with that annotation.FindAssertionsWithSideEffects
detecting bugASSERTION_WITH_SIDE_EFFECT
andASSERTION_WITH_SIDE_EFFECT_METHOD
in case of assertions which may have side effects (See EXP06-J. Expressions used in assertions must not produce side effects)PA_PUBLIC_PRIMITIVE_ATTRIBUTE
,PA_PUBLIC_ARRAY_ATTRIBUTE
andPA_PUBLIC_MUTABLE_OBJECT_ATTRIBUTE
to warn for public attributes which are written by the methods of the class. This rule is loosely based on the SEI CERT rule OBJ01-J Limit accessibility of fields. (#OBJ01-J)SerializableIdiom
detector with new bug type:SE_PREVENT_EXT_OBJ_OVERWRITE
. It's reported in case of thereadExternal()
method allows any caller to reset any value of an objectFindVulnerableSecurityCheckMethods
for new bug typeVSC_VULNERABLE_SECURITY_CHECK_METHODS
. This bug is reported whenever a non-final and non-private method of a non-final class performs a security check using thejava.lang.SecurityManager
. (See [SEI CERT MET03-J] (https://wiki.sei.cmu.edu/confluence/display/java/MET03-J.+Methods+that+perform+a+security+check+must+be+declared+private+or+final))SynchronizationOnSharedBuiltinConstant
to detectDL_SYNCHRONIZATION_ON_INTERNED_STRING
(#2266)FindArgumentAssertions
detecting bugASSERTION_OF_ARGUMENTS
in case of validation of arguments of public functions using assertions (See MET01-J. Never use assertions to validate method arguments)CT_CONSTRUCTOR_THROW
for detecting constructors that throw exceptions.DontReusePublicIdentifiers
for new bug typePI_DO_NOT_REUSE_PUBLIC_IDENTIFIERS
. This bug is reported whenever a new class, interface, field, method or variable is created reusing an identifier from the Java Standard Library . (See SEI CERT rule DCL01-J)Security
Build
v4.7.3
Compare Source
Fixed
DontUseFloatsAsLoopCounters
to prevent false positives. (#2126)4.7.2
caused by (#2141)UncallableMethodOfAnonymousClass
to not report unused methods of method-local enumerations and records (#2120)FindSqlInjection
to detect bugSQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE SQL
with high priority in case of unsafe appends also in Java 11 and above (#2183)StringConcatenation
to detect bugSBSC_USE_STRINGBUFFER_CONCATENATION
also in Java 11 and above (#2182)OpcodeStackDetector
to to handle propagation of taints properly in case of string concatenation in Java 9 and above (#2195)2.19.0
ViewCFG
to generate file names that are also valid on Windows (#2209)v4.7.2
Compare Source
Fixed
2.0.0
1.4.0
2.18.0
11.4
(#2160)SA_FIELD_SELF_ASSIGNMENT
is now reported from nested classes as well (#2142)EI_EXPOSE_REP
thrown in case of fields initialized by theof
orcopyOf
method of aList
,Map
orSet
(#1771)dup_x2
is used to swap the reference and wide-value (double, long) in the stack (#2146)v4.7.1
Compare Source
Fixed
RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
on try-with-resources with interface references (#1931)FindPotentialSecurityCheckBasedOnUntrustedSource
on Kotlin files. (#2041)ThrowingExceptions
by default to avoid many false positives (#2040)THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION
andTHROWS_METHOD_THROWS_CLAUSE_THROWABLE
on evaluating synthetic classes (#2040)SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA
on proper protection by using static lock for synchronized block, but inside an unsecured (synchronized and not static) method (#2089)v4.7.0
Compare Source
Changed
()
to the negative odd check message (#1995)Fixed
-nested:true
(#1930)Added
ThrowingExceptions
and introduced new bug types:THROWS_METHOD_THROWS_RUNTIMEEXCEPTION
is reported in case of a method throwing RuntimeException,THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION
is reported when a method has Exception in its throws clause andTHROWS_METHOD_THROWS_CLAUSE_THROWABLE
is reported when a method has Throwable in its throws clause (See SEI CERT ERR07-J)PERM_SUPER_NOT_CALLED_IN_GETPERMISSIONS
to warn for custom class loaders who do not call their superclasses'getPermissions()
in theirgetPermissions()
method. This rule based on the SEI CERT rule SEC07-J Call the superclass's getPermissions() method when writing a custom class loader. (#SEC07-J)USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE
to detect cases where a non-final method of a non-final class is called from public methods of public classes and then the same method is called on the same object inside a doPrivileged block. Since the called method may have been overridden to behave differently on the first and second invocations this is a possible security check based on an unreliable source. This rule is based on SEC02-J. Do not base security checks on untrusted sources. (#SEC02-J)DontUseFloatsAsLoopCounters
to detect usage of floating-point variables as loop counters (FL_FLOATS_AS_LOOP_COUNTERS
), according to SEI CERT rules NUM09-J. Do not use floating-point variables as loop countersViewCFG
to visualize the control-flow graph forSpotBugs
developersv4.6.0
Compare Source
Fixed
Added
FindInstanceLockOnSharedStaticData
for new bug typeSSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA
. This detector reports a bug if an instance level lock is used to modify a shared static data. (See SEI CERT rule LCK06-J)v4.5.3
Compare Source
Security
Fixed
v4.5.2
Compare Source
Security
Fixed
v4.5.1
Compare Source
Fixed
MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR
andMC_OVERRIDABLE_METHOD_CALL_IN_CLONE
for final classes (#1812).v4.5.0
Compare Source
Changed
edu.umd.cs.findbugs.classfile.engine.bcel
(#1741):DominatorsAnalysisFactory
renamed toNonExceptionDominatorsAnalysisFactory
(clarification)NonExceptionPostdominatorsAnalysisFactory
renamed toNonExceptionPostDominatorsAnalysisFactory
(spelling)NonImplicitExceptionDominatorsAnalysis
introduced (API consistency)Added
DCN_NULLPOINTER_EXCEPTION
covers catching NullPointerExceptions in accordance with SEI Cert rule ERR08-J (#1740)-html=report/spotbugs.html -xml:withMessages=report/spotbugs.xml
.REFL_REFLECTION_INCREASES_ACCESSIBILITY_OF_CLASS
to detect public methods instantiating a class they get in their parameter. This rule based on the SEI CERT rule SEC05-J. Do not use reflection to increase accessibility of classes, methods, or fields. (#SEC05-J)FindOverridableMethodCall
to detect invocation of overridable method in constructors (MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR
) and clone() method (MC_OVERRIDABLE_METHOD_CALL_IN_CLONE
), according to SEI CERT rules MET05-J. Ensure that constructors do not call overridable methods and MET06-J. Do not invoke overridable methods in clone().Fixed
Deprecated
-output
commandline option is deprecated. Use commandline options for report configuration like-xml=spotbugs.xml
instead.v4.4.2
Compare Source
Changed
Fixed
SW_SWING_METHODS_INVOKED_IN_SWING_THREAD
(#1664)SE_TRANSIENT_FIELD_OF_NONSERIALIZABLE_CLASS
(#1664)@com.google.errorprone.annotations.Immutable
as immutable (#1705)jdk.internal.ValueBased
(#1706)DMI_RANDOM_USED_ONLY_ONCE
false positive (#1539)NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR
false negative (#1642)v4.4.1
Compare Source
Changed
ExitCodes
logger to debug level (#1661)Fixed
v4.4.0
Compare Source
Fixed
EQ_COMPARING_CLASS_NAMES
(#1523)Added
FindBadEndOfStreamCheck
for new bug typeEOS_BAD_END_OF_STREAM_CHECK
. This bug is reported whenever the return value of java.io.FileInputStream.read() or java.io.FileReader.read() is first converted to byte/int and only thereafter checked against -1. (See SEI CERT rule FIO08-J)v4.3.0
Compare Source
Fixed
MS_EXPOSE_REP
andEI_EXPOSE_REP
are now reported for code returning a reference to a mutable object indirectly (e.g. via a local variable)Changed
mutableSignature()
improved and factored out from theMutableStaticFields
detectorAdded
MS_EXPOSE_BUF
,EI_EXPOSE_BUF
,EI_EXPOSE_STATIC_BUF2
andEI_EXPOSE_BUF2
by theFindReturnRef
detector to detect cases where buffers or their backing arrays are exposed (see SEI CERT rule FIO05-J)MS_EXPOSE_REP
,EI_EXPOSE_REP
,EI_EXPOSE_STATIC_REP2
andEI_EXPOSE_REP2
now report for shallowly copied arrays (using clone()) of mutable objectsv4.2.3
Compare Source
Fixed
DLS_DEAD_LOCAL_INCREMENT_IN_RETURN
,VO_VOLATILE_INCREMENT
andQF_QUESTIONABLE_FOR_LOOP
(#1470)SA_LOCAL_SELF_COMPUTATION
bug (#1472)EQ_UNUSUAL
with record classes (#1367)v4.2.2
Compare Source
Fixed
UWF_NULL_FIELD
doesn't report line number (#1368)Changed
v4.2.1
Compare Source
Fixed
LI_LAZY_INIT_UPDATE_STATIC
bug pattern (#1383)Changed
2020051
to2020111
(#1384)v4.2.0
Compare Source
Fixed
VO_VOLATILE_REFERENCE_TO_ARRAY
in synthetic code generated by Eclipse 4.17+ Java compiler (#1313)DM_BOXED_PRIMITIVE_FOR_PARSING
for Double and Float (previously only reported for Integer and Long) (#744)Added
Changed
v4.1.4
Compare Source
Fixed
IllegalArgumentException
during XML report generation (#1272)VR_UNRESOLVABLE_REFERENCE
andUPM_UNCALLED_PRIVATE_METHOD
when code is compiled with Java 11 (#1254)Changed
test-harness
tospotbugs
is nowtestImplementation
(#1317)test-harness-core
tospotbugs
is nowapi
(#1317)v4.1.3
Compare Source
Fixed
RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
on try-with-resources (#259)v4.1.2
Compare Source
Fixed
SAXBugCollectionHandler
Added
DontAssertInstanceofInTests
, which reports bugs of typeJUA_DONT_ASSERT_INSTANCEOF_IN_TESTS
.v4.1.1
Compare Source
Fixed
v4.1.0
Compare Source
Added
Fixed
Changed
v4.0.6
Compare Source
Fixed
v4.0.5
Compare Source
Fixed
lib/spotbugs.jar
(#1158)Changed
v4.0.4
Compare Source
Security
v4.0.3
Compare Source
Fixed
v4.0.2
Compare Source
Fixed
Changed
v4.0.1
Compare Source
Fixed
SE_NO_SUITABLE_CONSTRUCTOR_FOR_EXTERNALIZATION
(#1091)v4.0.0
Compare Source
Fixed
v3.1.12
Compare Source
Added
Changed
Security
v3.1.11
Compare Source
Fixed
v3.1.10
Compare Source
Fixed
Added
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.