Update dependency com.github.spotbugs:spotbugs to v4.8.6 #83
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.7.0
->4.8.6
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
spotbugs/spotbugs (com.github.spotbugs:spotbugs)
v4.8.6
Compare Source
Fixed
IGNORED_PRIORITY
(#2994)v4.8.5
Compare Source
Fixed
SING_SINGLETON_GETTER_NOT_SYNCHRONIZED
with eager instances (#2932)SE_BAD_FIELD
for record fields (#2935)v4.8.4
Compare Source
Fixed
executionSuccessful
flag in SARIF report being set to false when bugs were found (#2116)exitSignalName
toexitCodeDescription
(#2739)Added
MultipleInstantiationsOfSingletons
and introduced new bug types:SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR
is reported in case of a non-private constructor,SING_SINGLETON_IMPLEMENTS_CLONEABLE
is reported in case of a class directly implementing theCloneable
interface,SING_SINGLETON_INDIRECTLY_IMPLEMENTS_CLONEABLE
is reported when a class indirectly implements theCloneable
interface,SING_SINGLETON_IMPLEMENTS_CLONE_METHOD
is reported when a class does not implement theCloneable
interface, but has aclone()
method,SING_SINGLETON_IMPLEMENTS_SERIALIZABLE
is reported when a class directly or indirectly implements theSerializable
interface andSING_SINGLETON_GETTER_NOT_SYNCHRONIZED
is reported when the instance-getter method of the singleton class is not synchronized.(See SEI CERT MSC07-J)
FindOverridableMethodCall
detector with new bug type:MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT
. It's reported when an overridable method is called fromreadObject()
, according to SEI CERT rule SER09-J. Do not invoke overridable methods from the readObject() method.Changed
Build
v4.8.3
Compare Source
Fixed
Changed
v4.8.2
Compare Source
Fixed
Added
System.getenv()
calls, where the corresponding Java property could be used (See ENV02-J).Build
v4.8.1
Compare Source
Fixed
PA_PUBLIC_MUTABLE_OBJECT_ATTRIBUTE
bug ([#2652])Build
v4.8.0
Compare Source
Changed
Fixed
RandomOnceSubDetector
to not report whendoubles
,ints
, orlongs
are called on a newRandom
orSecureRandom
(#2370)TestASM
throwing error during analysis, because it doesn't note that it reports bugs.Added
classAnnotationNames
). For example, use like in an excludeFilter.xml to ignore classes generated by the Immutable framework. This ignores all class, method or field bugs in classes with that annotation.FindAssertionsWithSideEffects
detecting bugASSERTION_WITH_SIDE_EFFECT
andASSERTION_WITH_SIDE_EFFECT_METHOD
in case of assertions which may have side effects (See EXP06-J. Expressions used in assertions must not produce side effects)PA_PUBLIC_PRIMITIVE_ATTRIBUTE
,PA_PUBLIC_ARRAY_ATTRIBUTE
andPA_PUBLIC_MUTABLE_OBJECT_ATTRIBUTE
to warn for public attributes which are written by the methods of the class. This rule is loosely based on the SEI CERT rule OBJ01-J Limit accessibility of fields. (#OBJ01-J)SerializableIdiom
detector with new bug type:SE_PREVENT_EXT_OBJ_OVERWRITE
. It's reported in case of thereadExternal()
method allows any caller to reset any value of an objectFindVulnerableSecurityCheckMethods
for new bug typeVSC_VULNERABLE_SECURITY_CHECK_METHODS
. This bug is reported whenever a non-final and non-private method of a non-final class performs a security check using thejava.lang.SecurityManager
. (See [SEI CERT MET03-J] (https://wiki.sei.cmu.edu/confluence/display/java/MET03-J.+Methods+that+perform+a+security+check+must+be+declared+private+or+final))SynchronizationOnSharedBuiltinConstant
to detectDL_SYNCHRONIZATION_ON_INTERNED_STRING
(#2266)FindArgumentAssertions
detecting bugASSERTION_OF_ARGUMENTS
in case of validation of arguments of public functions using assertions (See MET01-J. Never use assertions to validate method arguments)CT_CONSTRUCTOR_THROW
for detecting constructors that throw exceptions.DontReusePublicIdentifiers
for new bug typePI_DO_NOT_REUSE_PUBLIC_IDENTIFIERS
. This bug is reported whenever a new class, interface, field, method or variable is created reusing an identifier from the Java Standard Library . (See SEI CERT rule DCL01-J)Security
Build
v4.7.3
Compare Source
Fixed
DontUseFloatsAsLoopCounters
to prevent false positives. (#2126)4.7.2
caused by (#2141)UncallableMethodOfAnonymousClass
to not report unused methods of method-local enumerations and records (#2120)FindSqlInjection
to detect bugSQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE SQL
with high priority in case of unsafe appends also in Java 11 and above (#2183)StringConcatenation
to detect bugSBSC_USE_STRINGBUFFER_CONCATENATION
also in Java 11 and above (#2182)OpcodeStackDetector
to to handle propagation of taints properly in case of string concatenation in Java 9 and above (#2195)2.19.0
ViewCFG
to generate file names that are also valid on Windows (#2209)v4.7.2
Compare Source
Fixed
2.0.0
1.4.0
2.18.0
11.4
(#2160)SA_FIELD_SELF_ASSIGNMENT
is now reported from nested classes as well (#2142)EI_EXPOSE_REP
thrown in case of fields initialized by theof
orcopyOf
method of aList
,Map
orSet
(#1771)dup_x2
is used to swap the reference and wide-value (double, long) in the stack (#2146)v4.7.1
Compare Source
Fixed
RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
on try-with-resources with interface references (#1931)FindPotentialSecurityCheckBasedOnUntrustedSource
on Kotlin files. (#2041)ThrowingExceptions
by default to avoid many false positives (#2040)THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION
andTHROWS_METHOD_THROWS_CLAUSE_THROWABLE
on evaluating synthetic classes (#2040)SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA
on proper protection by using static lock for synchronized block, but inside an unsecured (synchronized and not static) method (#2089)Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.