Update spotbugs to v4.7.3 (master) (minor) #3031
Merged
This PR contains the following updates:
- `4.4.2` -> `4.7.3`
- `4.4.2` -> `4.7.3`
Release Notes
spotbugs/spotbugs (com.github.spotbugs:spotbugs-annotations)
v4.7.3
Compare Source
Fixed
- `DontUseFloatsAsLoopCounters` to prevent false positives. (#2126)
- 4.7.2 caused by (#2141)
- `UncallableMethodOfAnonymousClass` to not report unused methods of method-local enumerations and records (#2120)
- `FindSqlInjection` to detect bug `SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE` with high priority in case of unsafe appends also in Java 11 and above (#2183)
- `StringConcatenation` to detect bug `SBSC_USE_STRINGBUFFER_CONCATENATION` also in Java 11 and above (#2182)
- `OpcodeStackDetector` to handle propagation of taints properly in case of string concatenation in Java 9 and above (#2195)
- 2.19.0
- `ViewCFG` to generate file names that are also valid on Windows (#2209)
v4.7.2
Compare Source
Fixed
- 2.0.0
- 1.4.0
- 2.18.0
- 11.4 (#2160)
- `SA_FIELD_SELF_ASSIGNMENT` is now reported from nested classes as well (#2142)
- `EI_EXPOSE_REP` thrown in case of fields initialized by the `of` or `copyOf` method of a `List`, `Map` or `Set` (#1771)
- `dup_x2` is used to swap the reference and wide value (double, long) in the stack (#2146)
v4.7.1
Compare Source
Fixed
- `RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE` on try-with-resources with interface references (#1931)
- `FindPotentialSecurityCheckBasedOnUntrustedSource` on Kotlin files. (#2041)
- `ThrowingExceptions` by default to avoid many false positives (#2040)
- `THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION` and `THROWS_METHOD_THROWS_CLAUSE_THROWABLE` on evaluating synthetic classes (#2040)
- `SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA` on proper protection by using a static lock for a synchronized block, but inside an unsecured (synchronized and not static) method (#2089)
v4.7.0
Compare Source
Changed
- `()` to the negative odd check message (#1995)
Fixed
- `-nested:true` (#1930)
Added
- `ThrowingExceptions` and introduced new bug types: `THROWS_METHOD_THROWS_RUNTIMEEXCEPTION` is reported in case of a method throwing RuntimeException, `THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION` is reported when a method has Exception in its throws clause and `THROWS_METHOD_THROWS_CLAUSE_THROWABLE` is reported when a method has Throwable in its throws clause (See SEI CERT ERR07-J)
- `PERM_SUPER_NOT_CALLED_IN_GETPERMISSIONS` to warn for custom class loaders that do not call their superclasses' `getPermissions()` in their `getPermissions()` method. This rule is based on the SEI CERT rule SEC07-J. Call the superclass's getPermissions() method when writing a custom class loader. (#SEC07-J)
- `USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE` to detect cases where a non-final method of a non-final class is called from public methods of public classes and then the same method is called on the same object inside a doPrivileged block. Since the called method may have been overridden to behave differently on the first and second invocations, this is a possible security check based on an unreliable source. This rule is based on SEC02-J. Do not base security checks on untrusted sources. (#SEC02-J)
- `DontUseFloatsAsLoopCounters` to detect usage of floating-point variables as loop counters (`FL_FLOATS_AS_LOOP_COUNTERS`), according to SEI CERT rule NUM09-J. Do not use floating-point variables as loop counters
- `ViewCFG` to visualize the control-flow graph for SpotBugs developers
v4.6.0
Compare Source
Fixed
Added
- `FindInstanceLockOnSharedStaticData` for new bug type `SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA`. This detector reports a bug if an instance-level lock is used to modify shared static data. (See SEI CERT rule LCK06-J)
v4.5.3
Compare Source
Security
Fixed
v4.5.2
Compare Source
Security
Fixed
v4.5.1
Compare Source
Fixed
- `MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR` and `MC_OVERRIDABLE_METHOD_CALL_IN_CLONE` for final classes (#1812).
v4.5.0
Compare Source
Changed
- `edu.umd.cs.findbugs.classfile.engine.bcel` (#1741):
  - `DominatorsAnalysisFactory` renamed to `NonExceptionDominatorsAnalysisFactory` (clarification)
  - `NonExceptionPostdominatorsAnalysisFactory` renamed to `NonExceptionPostDominatorsAnalysisFactory` (spelling)
  - `NonImplicitExceptionDominatorsAnalysis` introduced (API consistency)
Added
- `DCN_NULLPOINTER_EXCEPTION` covers catching NullPointerExceptions in accordance with SEI CERT rule ERR08-J (#1740)
- `-html=report/spotbugs.html -xml:withMessages=report/spotbugs.xml`.
- `REFL_REFLECTION_INCREASES_ACCESSIBILITY_OF_CLASS` to detect public methods instantiating a class they get in their parameter. This rule is based on the SEI CERT rule SEC05-J. Do not use reflection to increase accessibility of classes, methods, or fields. (#SEC05-J)
- `FindOverridableMethodCall` to detect invocation of overridable methods in constructors (`MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR`) and the clone() method (`MC_OVERRIDABLE_METHOD_CALL_IN_CLONE`), according to SEI CERT rules MET05-J. Ensure that constructors do not call overridable methods and MET06-J. Do not invoke overridable methods in clone().
Fixed
Deprecated
- `-output` commandline option is deprecated. Use commandline options for report configuration like `-xml=spotbugs.xml` instead.
Configuration
📅 Schedule: Branch creation - "after 5pm on the first day of the month" in timezone Europe/Zurich, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Mend Renovate. View repository job log here.
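The v4.7.3 entries for `FindSqlInjection` (#2183) and `OpcodeStackDetector` (#2195) both hinge on how string concatenation is compiled: from Java 9 on (JEP 280), `javac` emits an `invokedynamic` call into `StringConcatFactory` instead of a `StringBuilder.append` chain, so a detector that only tracked the `StringBuilder` encoding lost the taint on class files built with a newer `--release`. The class below is an added example, not code from the spotbugs project or from this PR, showing the shape that `SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE` is meant to report beside the parameterised form that does not trigger it. The `users` table and its `id`/`name` columns are assumed for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example, not SpotBugs project code. The table "users" and its
 * "id"/"name" columns are assumed for illustration only.
 */
public class UserLookup {

    /**
     * Vulnerable shape that FindSqlInjection reports as
     * SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE: the statement text is assembled
     * from an untrusted parameter and handed to Statement.executeQuery.
     * From Java 9 on, javac compiles this "+" to an invokedynamic call into
     * StringConcatFactory rather than a StringBuilder chain, which is the
     * encoding the detector had to learn (#2183) to keep reporting it.
     * A name of   x' OR '1'='1   turns the WHERE clause into a tautology.
     */
    public static List<String> findByNameUnsafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT id, name FROM users WHERE name = '" + name + "'";
        List<String> names = new ArrayList<>();
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) {
                names.add(rs.getString("name"));
            }
        }
        return names;
    }

    /**
     * Hardened form: the SQL text is a compile-time constant and the user
     * value is bound as a parameter, so the driver transmits it as data and it
     * can never alter the statement's structure. Nothing non-constant reaches
     * execute, so the detector stays quiet.
     */
    public static List<String> findByNameSafe(Connection conn, String name) throws SQLException {
        final String sql = "SELECT id, name FROM users WHERE name = ?";
        List<String> names = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("name"));
                }
            }
        }
        return names;
    }
}
```

To see why the fix was needed, compile the class with `javac --release 11 UserLookup.java` and inspect `javap -c UserLookup`: the concatenation in `findByNameUnsafe` appears as an `invokedynamic ... makeConcatWithConstants` call with no `StringBuilder` in sight, which is the form a spotbugs older than this update would pass over; the 4.7.3 detectors report it at the same priority as the pre-Java-9 encoding.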
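The v4.5.0 `FindOverridableMethodCall` entry and the v4.5.1 fix for final classes name the detector but not the failure it guards against (SEI CERT MET05-J). The class below is an added example, not code from the spotbugs project or from this PR; the class, method and field names are assumptions chosen for illustration. It shows a constructor that invokes an overridable method, a subclass that thereby observes its own field before it is assigned, and the non-overridable form the detector accepts.

```java
/**
 * Added example, not SpotBugs project code. Demonstrates the pattern that
 * FindOverridableMethodCall reports as MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR
 * and why it is a security concern (SEI CERT MET05-J).
 */
public class OverridableCallDemo {

    /** Reported: the constructor invokes a method that a subclass can override. */
    static class Base {
        Base() {
            onCreate();   // virtual dispatch lands in Sub.onCreate() first
        }

        void onCreate() {
            // default behaviour; subclasses may replace it
        }
    }

    static class Sub extends Base {
        private final String token;   // assigned only after Base() has returned
        String observed;              // deliberately no initializer, so the value
                                      // written during Base() is not overwritten

        Sub(String token) {
            super();                  // runs Base(), which calls onCreate()
            this.token = token;
        }

        @Override
        void onCreate() {
            // Executes while 'this' is only partly constructed: token is still
            // null here. A subclass supplied by less trusted code can observe, or
            // leak through a field such as 'observed', state the superclass
            // assumed was not yet visible, or act on fields it has not validated.
            observed = token;
        }
    }

    /** Not reported: only non-overridable methods are invoked from the constructor. */
    static class SafeBase {
        SafeBase() {
            setup();
        }

        private void setup() {        // private (a final method would also do)
            // initialization that no subclass can intercept
        }
    }

    /** Returns what the subclass saw during construction; null demonstrates the hazard. */
    static String tokenSeenDuringConstruction() {
        return new Sub("secret").observed;
    }

    public static void main(String[] args) {
        // Prints "null": Sub.onCreate ran before Sub's constructor body assigned token.
        System.out.println(tokenSeenDuringConstruction());
        new SafeBase();
    }
}
```

Running `javac OverridableCallDemo.java && java OverridableCallDemo` prints `null`. Marking `Base` itself `final` also removes the hazard, which is why the v4.5.1 entry stops reporting `MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR` for final classes: with no possible subclass there is no overriding method to dispatch to.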