Releases: spotbugs/spotbugs
Releases · spotbugs/spotbugs
SpotBugs 4.8.5
CHANGELOG
Fixed
- Fix FP SING_SINGLETON_GETTER_NOT_SYNCHRONIZED with eager instances (#2932)
- Fix FPs when looking for multiple initialization of Singletons (#2934)
- Do not report DLS_DEAD_LOCAL_STORE for Java 21's type switches when switch instruction is TABLESWITCH(#2736)
- Fix FP SE_BAD_FIELD for record fields (#2935)
CHECKSUM
file |
checksum (sha256) |
spotbugs-4.8.5-javadoc.jar |
c8abae80768a5cd98bb09d13ae8baee1258efaf673e4c21688a581a8bc55cbe6 |
spotbugs-4.8.5-sources.jar |
c21daa57e931c0ea342de685884251e198ea3a48993a6d4c0ac8a9513fc8dd89 |
spotbugs-4.8.5.tgz |
c514054fd8f81f242ac6d64871d30bdb7b79cb49be7bd6b58067484efae8bfa0 |
spotbugs-4.8.5.zip |
a4b7bad5bb8d2d3cdc42b07d6cdd2a0d7864c0b24732120426d0002df4a9dd0f |
spotbugs-annotations-4.8.5-javadoc.jar |
5e35895e56ea0c2c4beb71a5b6962070d7a7092a79297419482c123c14324096 |
spotbugs-annotations-4.8.5-sources.jar |
b5d0110b70b9c44915f2c3375d1b700acb6d409152baf70030787d17a684469b |
spotbugs-annotations.jar |
6e63acb693f156e4fb79151b88f9eebe731b4da65fe12843503613e0d6e6f68d |
spotbugs-ant-4.8.5-javadoc.jar |
b2807de49cc2e6d733285be3c22a4ef5a51cc95e266b6b93174fc41968eb7738 |
spotbugs-ant-4.8.5-sources.jar |
9f1431331363f45ceb9b91c0e5246eab574fbff81c56eff0e385f572d346de61 |
spotbugs-ant.jar |
a798346790437cdc18217379fa54a7e6b044ba2070891ebe01faee28af79af6c |
spotbugs.jar |
4b0809797d9e05685ef97ec92c9ae1fdabf9e63368948a66badd934183b807d0 |
test-harness-4.8.5-javadoc.jar |
f5c977da2391ef6b7237e3b89a9be56ff82fdbe4d7c59c4f1f854e79fb28142d |
test-harness-4.8.5-sources.jar |
76788749afa9e2a8d6c39231f683bd8e3faab26947975c751c0ab0fbdfc3c17a |
test-harness-4.8.5.jar |
04c7c8e778a1688ab9636ab58b55f1236ae99bb5428a934a7ba0f54857263c74 |
test-harness-core-4.8.5-javadoc.jar |
9258f6be3c3a1a4103b268b3c528a7ed0530c54b83d10bccb3c20aed6e38d2ec |
test-harness-core-4.8.5-sources.jar |
f5db3e4ebf3f90c9bbf4815824c9d94f93fb740c9610b6f70a64bf7896a4e082 |
test-harness-core-4.8.5.jar |
30c2b71900f38b77fb0e4a788b8ae1ea5b9e54f42636111576e338085c9c53dd |
test-harness-jupiter-4.8.5-javadoc.jar |
18e10f9ae7f4c88a8a7790d4ea5e9422901c6a84a768e6961b6d8ce2bc07b9ea |
test-harness-jupiter-4.8.5-sources.jar |
0aefbc5c8bd406e5dc0b1d59bc3afc6889c02010d486b22242f4f19a1a935800 |
test-harness-jupiter-4.8.5.jar |
94c5ceecb79b93f5e357b5d9805f0a7a22536a52c70a376182faa14923d86021 |
SpotBugs 4.8.4
CHANGELOG
Fixed
- Fix FP in SE_PREVENT_EXT_OBJ_OVERWRITE when the if statement checking for null value, checking multiple variables or the method exiting in the if branch with an exception. (#2750)
- Fix possible null value in taxonomies of SARIF output (#2744)
- Fix
executionSuccessful
flag in SARIF report being set to false when bugs were found (#2116)
- Move information contained in the SARIF property
exitSignalName
to exitCodeDescription
(#2739)
- Do not report SE_NO_SERIALVERSIONID or other serialization issues for records (#2793)
- Added support for CONSTANT_Dynamic (#2759)
- Ignore generic variable types when looking for BC_UNCONFIRMED_CAST_OF_RETURN_VALUE (#1219)
- Do not report BC_UNCONFIRMED_CAST for Java 21's type switches (#2813)
- Remove AppleExtension library (note: menus slightly changed) (#2823)
- Fix false positive NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE even if Objects.requireNonNull is used. (#651, #456)
- Fixed error preventing SpotBugs from reporting FE_FLOATING_POINT_EQUALITY (#2843)
- Fixed NP_LOAD_OF_KNOWN_NULL_VALUE and RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE false positives in try-with-resources generated finally blocks (#2844)
- Do not report DLS_DEAD_LOCAL_STORE for Java 21's type switches (#2828)
- Update UnreadFields detector to ignore warnings for fields with certain annotations (#574)
- Do not report UWF_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for fields initialized in method annotated with
@PostConstruct
, @BeforeEach
, etc. (#2872 #2870 #453)
- Do not report DLS_DEAD_LOCAL_STORE for Hibernate bytecode enhancements (#2865)
- Fixed NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE false positives due to source code formatting (#2874)
- Added more nullability annotations in TypeQualifierResolver (#2558 #2694)
- Improved the bug description for VA_FORMAT_STRING_USES_NEWLINE when using text blocks, check the usage of String.formatted() (#2881)
- Fixed crash in ValueRangeAnalysisFactory when looking for redundant conditions used in assertions #2887)
- Revert again commons-text from 1.11.0 to 1.10.0 to resolve a version conflict (#2686)
- Fixed false positive MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR when referencing but not calling an overridable method #2837)
- Update the filter XSD namespace and location for the upcoming 4.8.4 release #2909)
Added
- New detector
MultipleInstantiationsOfSingletons
and introduced new bug types:
SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR
is reported in case of a non-private constructor,
SING_SINGLETON_IMPLEMENTS_CLONEABLE
is reported in case of a class directly implementing the Cloneable
interface,
SING_SINGLETON_INDIRECTLY_IMPLEMENTS_CLONEABLE
is reported when a class indirectly implements the Cloneable
interface,
SING_SINGLETON_IMPLEMENTS_CLONE_METHOD
is reported when a class does not implement the Cloneable
interface, but has a clone()
method,
SING_SINGLETON_IMPLEMENTS_SERIALIZABLE
is reported when a class directly or indirectly implements the Serializable
interface and
SING_SINGLETON_GETTER_NOT_SYNCHRONIZED
is reported when the instance-getter method of the singleton class is not synchronized.
(See SEI CERT MSC07-J)
- Extend
FindOverridableMethodCall
detector with new bug type: MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT
. It's reported when an overridable method is called from readObject()
, according to SEI CERT rule SER09-J. Do not invoke overridable methods from the readObject() method.
Changed
- Minor cleanup in connection with slashed and dotted names (#2805)
Build
- Fix sonar coverage for project (#2796)
- Upgraded the build to compile bug samples using Java 21 language features (#2813)
- Add 'configurations.checkstyle resolution starategy' to control bug in gradle on exclusions not being excluded properly as seen in checkstyle usage. See checkstyle/checkstyle#14211 for more information. (#2798)
- Allow our builds to work with jdk 11 with drop back on Eclipse to 4.24 and spring to 5.3.31. (#2604)
CHECKSUM
file |
checksum (sha256) |
spotbugs-4.8.4-javadoc.jar |
eeb8bff5bcd8fb6a3a59470f6a692f1364e707c81c05604306b61d251feaa945 |
spotbugs-4.8.4-sources.jar |
8b1bcd6d4f885e39140f13cd03636e6598d6e58f224f1ebc6ce691ce586c9c13 |
spotbugs-4.8.4.tgz |
11629b13aad39c453c23f8a8a43096b003afb55924a17424a9e1bc722190576b |
spotbugs-4.8.4.zip |
20584b304d4b5755c1e99e712093c3a5df58d7fca848094460ace64410537127 |
spotbugs-annotations-4.8.4-javadoc.jar |
068306fc4fd7151ad714743073ea50b2e06ff305b07fd8a00ddde9474d6fcbe8 |
spotbugs-annotations-4.8.4-sources.jar |
b5d0110b70b9c44915f2c3375d1b700acb6d409152baf70030787d17a684469b |
spotbugs-annotations.jar |
baa8208c3a16d4bc08eb3717e295604154f1c12bf9fe547799ed8bae325f2718 |
spotbugs-ant-4.8.4-javadoc.jar |
f8755ad5aeda98e314c346b64d80608e84d0b21e1cf4d1944236782fd93c552a |
spotbugs-ant-4.8.4-sources.jar |
9f1431331363f45ceb9b91c0e5246eab574fbff81c56eff0e385f572d346de61 |
spotbugs-ant.jar |
a798346790437cdc18217379fa54a7e6b044ba2070891ebe01faee28af79af6c |
spotbugs.jar |
1ca27492ff249922c8a0df73d3bad3551fad860ee2333d52fcd6d7ca05e48312 |
test-harness-4.8.4-javadoc.jar |
fc219a8628b999e1518220abb1143bd721c27a4a02737d3b42f016736265afcc |
test-harness-4.8.4-sources.jar |
76788749afa9e2a8d6c39231f683bd8e3faab26947975c751c0ab0fbdfc3c17a |
test-harness-4.8.4.jar |
2136665f90315fee5f4e6c4d5f7003e3d6b61ba0fb55346b4d583602a2587c28 |
test-harness-core-4.8.4-javadoc.jar |
303a41589c918af6ac64a9c133d62ec3efb2512be319f44e3341ee2d441e2272 |
test-harness-core-4.8.4-sources.jar |
f5db3e4ebf3f90c9bbf4815824c9d94f93fb740c9610b6f70a64bf7896a4e082 |
test-harness-core-4.8.4.jar |
5bd0e9b18f0ec45c27ee3ec882cb6db86ed42a6b884f091468496de3281dc242 |
test-harness-jupiter-4.8.4-javadoc.jar |
191183626b64d9e9a0d7a78b3eb35ecf4540b76fc3df4cd7966219ef8ef79402 |
test-harness-jupiter-4.8.4-sources.jar |
0aefbc5c8bd406e5dc0b1d59bc3afc6889c02010d486b22242f4f19a1a935800 |
test-harness-jupiter-4.8.4.jar |
d2ed802cc81dca3cf8c393fda7f77f02b01c0c1a8ffce7ec57da53aff27a1485 |
SpotBugs 4.8.3
CHANGELOG
Fixed
- Fix FP in CT_CONSTRUCTOR_THROW when the finalizer does not run, since the exception is thrown before java.lang.Object's constructor exits for checked exceptions (#2710)
- Applied changes for bcel 6.8.0 with adjustments to constant pool (#2756)
- More information bcel changes can be found on (#2757)
- Fix FN in CT_CONSTRUCTOR_THROW when the return value of the called method is not void or primitive type.
Changed
- Improved Matcher checks for empty strings (#2755)
- Allow 'onlyAnalyze' option to specify negative matches, such that this facility can be used to prevent a subset of classes to be excluded from analysis (#2754)
- Strictly require logback 1.2.13 due to CVE-2023-6481 and CVE-23-6378 (#2760)
- Prefer log4j2 at 2.22.0 and logback at 1.4.14 (#2760)
CHECKSUM
file |
checksum (sha256) |
spotbugs-4.8.3-javadoc.jar |
2e01e937ceb24dc02796690e73caa9d06e576741af497f22f2b1ccd41e98065d |
spotbugs-4.8.3-sources.jar |
383f1434925a9b5df46c03dc79aac9dbc9ac1e5020f40b34f4e6ab565b8082f5 |
spotbugs-4.8.3.tgz |
4713c0ebcc76125ba11be3cfcb288a39b809fdabfbeec0acd0ac7494ef649851 |
spotbugs-4.8.3.zip |
7468aaaf370ec9df0601a46cf0157b83022d00227ef724d80ebbfbb11cb26270 |
spotbugs-annotations-4.8.3-javadoc.jar |
eb513a89ac812f50e3d7de5efbb0e135994849c18412b04759e6d67e991e356e |
spotbugs-annotations-4.8.3-sources.jar |
b5d0110b70b9c44915f2c3375d1b700acb6d409152baf70030787d17a684469b |
spotbugs-annotations.jar |
e5d4f60be8e57595766ba7f1d4535dc46aebf98dae05e16372a4d4120d3ebb6b |
spotbugs-ant-4.8.3-javadoc.jar |
a9713955805838408ed7b6adf030bffc4cd2036fa2fdb8fb772bc1857e4ac4a6 |
spotbugs-ant-4.8.3-sources.jar |
9f1431331363f45ceb9b91c0e5246eab574fbff81c56eff0e385f572d346de61 |
spotbugs-ant.jar |
a798346790437cdc18217379fa54a7e6b044ba2070891ebe01faee28af79af6c |
spotbugs.jar |
84a286b65d1c2441ac24a57a998c83d43b9d287fd68ac0df7c7524b5f419fc2b |
test-harness-4.8.3-javadoc.jar |
e3c3997b3a26bee7833b9e7ae634b32f7b060fe11af0a4111d0d62b2a872f760 |
test-harness-4.8.3-sources.jar |
633ae795c1889fa59f1faad8ea8f1f5b39155029f4f75b51557085097570feb6 |
test-harness-4.8.3.jar |
23f414f9988a3d44dded88ad2d827e95699dc6bb8d6e06a2b0920db2cac442b9 |
test-harness-core-4.8.3-javadoc.jar |
cd3a2bbcff93aba606a4e3340733d06684e2e456211068f8cb7069890c71efa0 |
test-harness-core-4.8.3-sources.jar |
f5db3e4ebf3f90c9bbf4815824c9d94f93fb740c9610b6f70a64bf7896a4e082 |
test-harness-core-4.8.3.jar |
5bd0e9b18f0ec45c27ee3ec882cb6db86ed42a6b884f091468496de3281dc242 |
test-harness-jupiter-4.8.3-javadoc.jar |
35631be40804da4e5613dfa70efc491c52d5b9d4e6d35d706efce78a4ceb1669 |
test-harness-jupiter-4.8.3-sources.jar |
0aefbc5c8bd406e5dc0b1d59bc3afc6889c02010d486b22242f4f19a1a935800 |
test-harness-jupiter-4.8.3.jar |
d2ed802cc81dca3cf8c393fda7f77f02b01c0c1a8ffce7ec57da53aff27a1485 |
SpotBugs 4.8.2
CHANGELOG
Fixed
- Fixed false positive UPM_UNCALLED_PRIVATE_METHOD for method used in JUnit's MethodSource (#2379)
- Use java.nio to load filter files (#2684)
- Eclipse: Do not export javax.annotation packages (#2699)
- Fixed not thread safe FindOverridableMethodCall detector (#2701)
- Fix the weird messages of PI_DO_NOT_REUSE_PUBLIC_IDENTIFIERS bugs. (#2646)
- Revert commons-text from 1.11.0 to 1.10.0 to resolve a version conflict (#2686)
- Fix FP in CT_CONSTRUCTOR_THROW when the finalizer does not run, since the exception is thrown before java.lang.Object's constructor exits (#2710)
Added
- New detector finding
System.getenv()
calls, where the corresponding Java property could be used (See ENV02-J).
Build
- Run build using jdk 17 and 21 without usage of toolchains so we do not defeat the purpose of building on both. (#2722)
CHECKSUM
file |
checksum (sha256) |
spotbugs-4.8.2-javadoc.jar |
9147da4187712ba3ec7fd232510181366f394443cf70a76ee918738a11c539e9 |
spotbugs-4.8.2-sources.jar |
4486c8404debe8de2d5a7d71c14ad66480f463d84586cb3077c639c72192924c |
spotbugs-4.8.2.tgz |
c3eb4e2077310bf19b06ed232dc8d71f3a4884a4619fd8a7c041ed5ce5af4819 |
spotbugs-4.8.2.zip |
615400e86ee19ee1b74d0f8d1a170e2dfdb8f49d02b60fa7b276a8179c3b584a |
spotbugs-annotations-4.8.2-javadoc.jar |
22ec9f9658a7e569893db728a5cdcdb4121b4bca1ae1ee154189f2cbbc42f187 |
spotbugs-annotations-4.8.2-sources.jar |
b5d0110b70b9c44915f2c3375d1b700acb6d409152baf70030787d17a684469b |
spotbugs-annotations.jar |
3d02aacbf2d094d510c087c2a25a85e04f655b22260016473d02258237d0df27 |
spotbugs-ant-4.8.2-javadoc.jar |
b210ddbee668f591f0ff57ea8d546ac47e2753cbf56b6f1bbeb61a8d4c82d233 |
spotbugs-ant-4.8.2-sources.jar |
9f1431331363f45ceb9b91c0e5246eab574fbff81c56eff0e385f572d346de61 |
spotbugs-ant.jar |
a798346790437cdc18217379fa54a7e6b044ba2070891ebe01faee28af79af6c |
spotbugs.jar |
01974233a0da943700b9b9d190f872f6dd155d5825e05d1fae5a531bebb284eb |
test-harness-4.8.2-javadoc.jar |
a362bb855074be294da341b5ba7406c013174246c63061fc7dfc91f28795adbe |
test-harness-4.8.2-sources.jar |
633ae795c1889fa59f1faad8ea8f1f5b39155029f4f75b51557085097570feb6 |
test-harness-4.8.2.jar |
23f414f9988a3d44dded88ad2d827e95699dc6bb8d6e06a2b0920db2cac442b9 |
test-harness-core-4.8.2-javadoc.jar |
9b32bd7cc9e5af80379207b0b4ad2f6217c4e46db2db3f371d886e227b2ee266 |
test-harness-core-4.8.2-sources.jar |
f5db3e4ebf3f90c9bbf4815824c9d94f93fb740c9610b6f70a64bf7896a4e082 |
test-harness-core-4.8.2.jar |
5bd0e9b18f0ec45c27ee3ec882cb6db86ed42a6b884f091468496de3281dc242 |
test-harness-jupiter-4.8.2-javadoc.jar |
8029e928d3dfa2a93ff8d877693421f265122c5d0f4caee17fd6796d0c7e566d |
test-harness-jupiter-4.8.2-sources.jar |
0aefbc5c8bd406e5dc0b1d59bc3afc6889c02010d486b22242f4f19a1a935800 |
test-harness-jupiter-4.8.2.jar |
d2ed802cc81dca3cf8c393fda7f77f02b01c0c1a8ffce7ec57da53aff27a1485 |
SpotBugs 4.8.1
CHANGELOG
Fixed
- Fixed schema location for findbugsfilter.xsd ([#1416])
- Fixed missing null checks ([#2629])
- Disabled DontReusePublicIdentifiers due to the high false positives rate ([#2627])
- Removed signature of methods using UTF-8 in DefaultEncodingDetector ([#2634])
- Fix exception escapes when calling functions of JUnit Assert or Assertions ([#2640])
- Fixed an error in the SARIF export when a bug annotation is missing ([#2632])
- Fixed false positive RV_EXCEPTION_NOT_THROWN when asserting to exception throws ([#2628])
- Fix false positive CT_CONSTRUCTOR_THROW when supertype has final finalize ([#2665])
- Lowered the priority of
PA_PUBLIC_MUTABLE_OBJECT_ATTRIBUTE
bug ([#2652])
- Eclipse: fixed startup overhead (on computing classpath) for PDE projects ([#2671])
Build
- Fix deprecated GHA on '::set-output' by using GITHUB_OUTPUT ([#2651])
CHECKSUM
file |
checksum (sha256) |
spotbugs-4.8.1-javadoc.jar |
f8ef08283a500d3f250f87f5b01fac2ed19acc11bc78657fd277ca7d27c9c211 |
spotbugs-4.8.1-sources.jar |
29fef7bebfe1597f8477e21cf139ac6f1ef01afabce8bb3e6ae258a3d6c3de8f |
spotbugs-4.8.1.tgz |
b8e8f755c3e629885616d898e1a857162273253559f9e0e329983c671c02cd4e |
spotbugs-4.8.1.zip |
5cb639cf1ce79dc58ba07ee459a6da8bd665e06e10cfb66a79c685601326c111 |
spotbugs-annotations-4.8.1-javadoc.jar |
56be7c8808111619cf87f4385368b8c0d30e4a01bcea4add878780608a6e932a |
spotbugs-annotations-4.8.1-sources.jar |
b5d0110b70b9c44915f2c3375d1b700acb6d409152baf70030787d17a684469b |
spotbugs-annotations.jar |
06eba41a81aaccb011c3f75afa019e509cda7f1eb7a4e057bb860c60845f915e |
spotbugs-ant-4.8.1-javadoc.jar |
3862ce0fe8a201562cb32ddfbff3d78745950aeb0d0ea8c849bf55d1aa9b71de |
spotbugs-ant-4.8.1-sources.jar |
9f1431331363f45ceb9b91c0e5246eab574fbff81c56eff0e385f572d346de61 |
spotbugs-ant.jar |
a798346790437cdc18217379fa54a7e6b044ba2070891ebe01faee28af79af6c |
spotbugs.jar |
e49adbc51addf00264042d82075db98a10ad2af9348f7275de6bc075b7245a95 |
test-harness-4.8.1-javadoc.jar |
6f2d3a6c452c972e2890161ee1ff84437bba0877bcd302041df73e9d02217d7b |
test-harness-4.8.1-sources.jar |
633ae795c1889fa59f1faad8ea8f1f5b39155029f4f75b51557085097570feb6 |
test-harness-4.8.1.jar |
23f414f9988a3d44dded88ad2d827e95699dc6bb8d6e06a2b0920db2cac442b9 |
test-harness-core-4.8.1-javadoc.jar |
af4e056c212f1039e9f756067fce7125f24160f2e70918fa710e6e3cd9993e92 |
test-harness-core-4.8.1-sources.jar |
f5db3e4ebf3f90c9bbf4815824c9d94f93fb740c9610b6f70a64bf7896a4e082 |
test-harness-core-4.8.1.jar |
5bd0e9b18f0ec45c27ee3ec882cb6db86ed42a6b884f091468496de3281dc242 |
test-harness-jupiter-4.8.1-javadoc.jar |
1d84b2c269263a7eb0641d021e99da9a6da2bfac05430b341a38a4b0530e57a9 |
test-harness-jupiter-4.8.1-sources.jar |
0aefbc5c8bd406e5dc0b1d59bc3afc6889c02010d486b22242f4f19a1a935800 |
test-harness-jupiter-4.8.1.jar |
d2ed802cc81dca3cf8c393fda7f77f02b01c0c1a8ffce7ec57da53aff27a1485 |
SpotBugs 4.8.0
CHANGELOG
Changed
- Bump up Apache Commons BCEL to the version 6.6.1 (#2223)
- Bump up slf4j-api to 2.0.3 (#2220)
- Bump up gson to 2.10 (#2235)
- Allowed for large command line through writing arguments to file (UnionResults/UnionBugs2)
- Use com.github.stephenc.jcip for jcip-annotations fixing (#887)
- Bump ObjectWeb ASM from 9.4 to 9.6, supporting JDK 21 (#2578)
Fixed
- Fixed missing classes not in report if using IErrorLogger.reportMissingClass(ClassDescriptor) (#219)
- Stop exposing junit-bom to consumers (#2255)
- Fixed AbstractBugReporter emits wrong non-sensical debug output during filtering (#184)
- Added support for jakarta namespace (#2289)
- Report a low priority bug for an unread field in reflective classes (#2325)
- Fixed "Unhandled event loop exception" opening Bug Filter Configuration dialog in Eclipse (#2327)
- Fixed detector
RandomOnceSubDetector
to not report when doubles
, ints
, or longs
are called on a new Random
or SecureRandom
(#2370)
- Fixed detector
TestASM
throwing error during analysis, because it doesn't note that it reports bugs.
- Eclipse annotation classpath initializer is hard-coded to jsr305 version 3.0.1, fix to 3.0.2 per #2470
- Fixed annotation on generic or array incorrectly considered for the nullability of a method parameter or return type (#2502)
- Added support for CONSTANT_Dynamic in constant class pool (#2506)
- Recognise enums and records as immutable (#2356)
- Added detections of reliance on default encoding in java.nio.file.Files (#2114)
- Fixed a regression in the Value Number Analysis (#2465)
- Fix XML Output incorrectly escaped in Eclipse Bug Info view (#2520)
- Updated the MS_EXPOSE_REP description to mention mutable objects, not just arrays (#1669)
- Described Configuration option frc.suspicious for bug RC_REF_COMPARISON in bug description (#2297)
- Fixed FindHEMismatch not reporting HE_SIGNATURE_DECLARES_HASHING_OF_UNHASHABLE_CLASS for some classes (#2402)
- Added execute file permission to files in the distribution zip (#2540)
- Do not report RV_RETURN_VALUE_IGNORED_NO_SIDE_EFFECT when part of a Mockito.verify() call check (#872)
- Do not report SIC_INNER_SHOULD_BE_STATIC for classes annotated with JUnit Nested (#560)
- Detect created, but not-thrown exceptions, which are created by not the constructor (#2547)
- Fixed eclipse plugin Effort.values pass to effortViewer as required cast to varargs (#2579)
Added
- New simple name-based AnnotationMatcher for exclude files (now bug annotations store the class java annotations in an attribute called
classAnnotationNames
). For example, use like in an excludeFilter.xml to ignore classes generated by the Immutable framework. This ignores all class, method or field bugs in classes with that annotation.
- Added the Common Weakness Enumeration (CWE) taxonomy to the Static Analysis Results Interchange Format (SARIF) report. The short and long description for the CWEs are retrived from a JSON file which is a slimmed down version of the official comprehensive CWE XML from MITRE. The JSON contains information about all CWEs. (#2410).
- New detector
FindAssertionsWithSideEffects
detecting bug ASSERTION_WITH_SIDE_EFFECT
and ASSERTION_WITH_SIDE_EFFECT_METHOD
in case of assertions which may have side effects (See EXP06-J. Expressions used in assertions must not produce side effects)
- New rule set
PA_PUBLIC_PRIMITIVE_ATTRIBUTE
, PA_PUBLIC_ARRAY_ATTRIBUTE
and PA_PUBLIC_MUTABLE_OBJECT_ATTRIBUTE
to warn for public attributes which are written by the methods of the class. This rule is loosely based on the SEI CERT rule OBJ01-J Limit accessibility of fields. (#OBJ01-J)
- Extend
SerializableIdiom
detector with new bug type: SE_PREVENT_EXT_OBJ_OVERWRITE
. It's reported in case of the readExternal()
method allows any caller to reset any value of an object
- New Detector
FindVulnerableSecurityCheckMethods
for new bug type VSC_VULNERABLE_SECURITY_CHECK_METHODS
. This bug is reported whenever a non-final and non-private method of a non-final class performs a security check using the java.lang.SecurityManager
. (See [SEI CERT MET03-J] (https://wiki.sei.cmu.edu/confluence/display/java/MET03-J.+Methods+that+perform+a+security+check+must+be+declared+private+or+final))
- New function added to detector
SynchronizationOnSharedBuiltinConstant
to detect DL_SYNCHRONIZATION_ON_INTERNED_STRING
(#2266)
- Make TypeQualifierResolver recognize org.apache.avro.reflect.Nullable (#2066)
- New detector
FindArgumentAssertions
detecting bug ASSERTION_OF_ARGUMENTS
in case of validation of arguments of public functions using assertions (See MET01-J. Never use assertions to validate method arguments)
- Add new detector
CT_CONSTRUCTOR_THROW
for detecting constructors that throw exceptions.
- New detector
DontReusePublicIdentifiers
for new bug type PI_DO_NOT_REUSE_PUBLIC_IDENTIFIERS
. This bug is reported whenever a new class, interface, field, method or variable is created reusing an identifier from the Java Standard Library . (See SEI CERT rule DCL01-J)
Security
- Disable access to external entities when processing XML (#2217)
Build
- Bump Eclipse from 4.6.3 to 4.14 (#2314)
- Use jakarta annotation 1.3.5 instead of legacy javax annotation 1.3.2 (#2315)
- Change hamcrest-all to hamcrest-core as that is what was actually used and then update to 2.2 (#2316)
- Only run release action on 'spotbugs' and use Eclipse 4.14 (#2317)
- Prefer log4j2 2.20.0 (#2480)
- Prefer logback 1.4.8 (#2480)
- Prefer logback 1.4.11 (#2580)
- Switch junit 4 for junit 5 vintage engine (#2483)
- LineEndings and Spotless (#2343)
- Cleanup gitattributes switching text to auto. For developers using windows, run 'git add . --renormalize' and see https://docs.github.com/en/get-started/getting-started-with-git/configuring-git-to-handle-line-endings if needed.
- Rework spotless setup from plugin to build file plugin matching that of gradle plugin and thus allowing spotless to be updated to 6.22.0
- Remove customized line endings for spotless so it uses git attributes as suggested by spotless
- Add trimTrailingWhitespace for spotless
- Fix deprecated usage of eclipse version from 4.13.0 to 4.13 per spotless requirements
- Bump spotbugs gradle plugin to 6.0.0-beta.3 demonstrating breaking changes for 6.0.0 in gradle/java.gradle build file (#2582)
- Delete checked in j2ee jar and instead use servlet/ejb apis from jakarta (javax standard) (#2585)
- Bump Eclipse from 4.14 to 4.29 (latest) (#2589)
- Cleanup hamcrest imports / used library (#2600)
- Migrate entirely to junit 5 (#2605)
- Some parts of codebase were junit 3
- Delete the SpotbugsRule
- Replace custom java determination on build with Junit 5 usage
- Various 'public' methods in tests fixed to 'private'
- Junit 5 styling applied throughout
- Add missing code to the SpotBugsRunner and now use the Extension as replacement of SpotbugsRule
CHECKSUM
file |
checksum (sha256) |
spotbugs-4.8.0-javadoc.jar |
4cf102aa474ce8f3728e7513c51c0710024e4cd9d6b7c07672b5e3ec0e70a848 |
spotbugs-4.8.0-sources.jar |
d1e47bd320cae... |
Read more
SpotBugs 4.7.3
CHANGELOG
Fixed
- Fixed detector
DontUseFloatsAsLoopCounters
to prevent false positives. (#2126) @baloghadamsoftware
- Fixed regression in
4.7.2
caused by (#2141) @baloghadamsoftware
- improve compatibility with later version of jdk (>= 13). (#2188) @Bluesbreaker45
- Fixed detector
UncallableMethodOfAnonymousClass
to not report unused methods of method-local enumerations and records (#2120) @baloghadamsoftware
- Fixed detector
FindSqlInjection
to detect bug SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE SQL
with high priority in case of unsafe appends also in Java 11 and above (#2183) @baloghadamsoftware
- Fixed detector
StringConcatenation
to detect bug SBSC_USE_STRINGBUFFER_CONCATENATION
also in Java 11 and above (#2182) @baloghadamsoftware
- Fixed
OpcodeStackDetector
to to handle propagation of taints properly in case of string concatenation in Java 9 and above (#2195) @baloghadamsoftware
- Bump up log4j2 binding to
2.19.0
- Bump ObjectWeb ASM from 9.3 to 9.4 supporting JDK 20 (#2200)
- Bump up commons-text to 1.10.0 (#2197)
- Fixed debug detector
ViewCFG
to generate file names that are also valid on Windows (#2209) @baloghadamsoftware
CHECKSUM
file |
checksum (sha256) |
spotbugs-4.7.3-javadoc.jar |
d2ba03077ea35bdac56ff4c45f8a00d0b334c3a6a3855da61d3712b4146472cf |
spotbugs-4.7.3-sources.jar |
1fd011390e107d57c7c758539a8f79908d022709920171a91d27d3b88634087c |
spotbugs-4.7.3.tgz |
f02e2f1135b23f3edfddb75f64be0491353cfeb567b5a584115aa4fd373d4431 |
spotbugs-4.7.3.zip |
dffd3f41fdc2a4cfda547d4ce700585136340e7d0803aeeb2e7ca6cf8c4a6898 |
spotbugs-annotations-4.7.3-javadoc.jar |
392b57d03cb24664dd9ba856287b38a8668c3926eabdfa0f0663fad8fa7d0f44 |
spotbugs-annotations-4.7.3-sources.jar |
b338136e3e82d585348cde58a8fe3a678e16f51a35c31c1463e05fefef557aad |
spotbugs-annotations.jar |
c0fd1ac2e22acdd46913a2ff74551b71f124457199688698204af4bf3d43165d |
spotbugs-ant-4.7.3-javadoc.jar |
8591f80cf058830d5b824adc68b820cd901d630b9b55557c48fe4cca6ccdd2fe |
spotbugs-ant-4.7.3-sources.jar |
ce7cfbed848ccb0e3765cec6b9c60c458699aa51f60ad9216cf89dbf38d8d793 |
spotbugs-ant.jar |
b866a2a89a03b49e60b5f27e0f5987eb8c12c2d2aefc6e9ddcbcdae345c765db |
spotbugs.jar |
df37eab21a7d04aa807808a33e9f7c081451cb02c14b4a2c33119976be498520 |
test-harness-4.7.3-javadoc.jar |
4008cc377288c53b4725f43a519a701eb91226a99ab340e997694ade20ed243e |
test-harness-4.7.3-sources.jar |
7efb06093ea5f6f330a7bd76b894f396d6cb466665fcefc01a3743b07910dc29 |
test-harness-4.7.3.jar |
50b4a72c668ea7d29bf1234b4aa380df903374216f68b0a87f7ca28d4fa225f3 |
test-harness-core-4.7.3-javadoc.jar |
486c16fa3ed7c1d99d8ddcdc8e1a6aecf925911d6b473d73aeab40f1639dda52 |
test-harness-core-4.7.3-sources.jar |
f8aab3c5cdd456d6b6d632e9fc65897e657447a2e925b6b3f61bd2d15c22cb24 |
test-harness-core-4.7.3.jar |
7165f7f45a6e82e8a6d6a0a4033b6473b310c14f645cb62ebc2fbc6ce5338350 |
test-harness-jupiter-4.7.3-javadoc.jar |
5a011955082b4e27bcdeeb56b6bc6fae21f87015b354bc5ffb80442495b919b9 |
test-harness-jupiter-4.7.3-sources.jar |
210353a57016e26b1a654d936a15f039613fa1ac532d485c1b1d03902f6c6315 |
test-harness-jupiter-4.7.3.jar |
18095fec31b85981ecaafdef86ca9ae1e9588e1b9bc6d209f82829cf9d0c13f4 |
SpotBugs 4.7.2
CHANGELOG
Fixed
- Bumped gson from 2.9.0 to 2.9.1 (#2136)
- Bump up SLF4J API to
2.0.0
- Bump up logback to
1.4.0
- Bump up log4j2 binding to
2.18.0
- Bump up Saxon-HE to
11.4
(#2160)
- Fixed InvalidInputException in Eclipse while bug reporting (#2134) @iloveeclipse
- Bug
SA_FIELD_SELF_ASSIGNMENT
is now reported from nested classes as well (#2142) @baloghadamsoftware
- Avoid warning on use of security manager on Java 17 and newer. (#1579) @raphw
- Fixed false positives
EI_EXPOSE_REP
thrown in case of fields initialized by the of
or copyOf
method of a List
, Map
or Set
(#1771) @baloghadamsoftware
- Fixed CFGBuilderException thrown when
dup_x2
is used to swap the reference and wide-value (double, long) in the stack (#2146) @KengoTODA
CHECKSUM
file |
checksum (sha256) |
spotbugs-4.7.2-javadoc.jar |
a40e94961c8b99e020aacfa7012cce4e818eac6fb8effa678e20177814113248 |
spotbugs-4.7.2-sources.jar |
fca5bab29e0373944cbb07e3329ce1c0c18133885f558fb25e3bc2ebba6a7018 |
spotbugs-4.7.2.tgz |
f02a023d03b0fde70038ccb4bc8d4a964a504262d13024a97b14d9070f7d4d96 |
spotbugs-4.7.2.zip |
3974d90eb70aad26bb647e0bbaae810c7cf927587e28ce939c2b6531414afe7d |
spotbugs-annotations-4.7.2-javadoc.jar |
b8e9f92e17a62766f86b82442a07b0f57ff4f919796e944a6e2a5bacc76e4399 |
spotbugs-annotations-4.7.2-sources.jar |
b338136e3e82d585348cde58a8fe3a678e16f51a35c31c1463e05fefef557aad |
spotbugs-annotations.jar |
e2b4c654b2d7897490cf1f22a009ac677be4c92bfc493a0dedb5706f5e489839 |
spotbugs-ant-4.7.2-javadoc.jar |
632af1c4043b35eab37318eed7ab301655553a124248b4467fb30cbd0f2f24de |
spotbugs-ant-4.7.2-sources.jar |
ce7cfbed848ccb0e3765cec6b9c60c458699aa51f60ad9216cf89dbf38d8d793 |
spotbugs-ant.jar |
b866a2a89a03b49e60b5f27e0f5987eb8c12c2d2aefc6e9ddcbcdae345c765db |
spotbugs.jar |
df5205f4d87ed53ff5b847c6aedc55d605966c0f8f9820d9c6be5ba517b09bcd |
test-harness-4.7.2-javadoc.jar |
1486f4f4be29dc24a19ad95b809b42d08f34ec9c68abfd43c5fe44d6087d8845 |
test-harness-4.7.2-sources.jar |
7efb06093ea5f6f330a7bd76b894f396d6cb466665fcefc01a3743b07910dc29 |
test-harness-4.7.2.jar |
50b4a72c668ea7d29bf1234b4aa380df903374216f68b0a87f7ca28d4fa225f3 |
test-harness-core-4.7.2-javadoc.jar |
f10c5bbe98b2666ea775cc5c0a9a94e99b116706d75254d079741ff410dbdd33 |
test-harness-core-4.7.2-sources.jar |
f8aab3c5cdd456d6b6d632e9fc65897e657447a2e925b6b3f61bd2d15c22cb24 |
test-harness-core-4.7.2.jar |
7165f7f45a6e82e8a6d6a0a4033b6473b310c14f645cb62ebc2fbc6ce5338350 |
test-harness-jupiter-4.7.2-javadoc.jar |
1bdd8c97fbef6009945e30821ba26f722d1d037c33d780f75d922e30c900ef04 |
test-harness-jupiter-4.7.2-sources.jar |
210353a57016e26b1a654d936a15f039613fa1ac532d485c1b1d03902f6c6315 |
test-harness-jupiter-4.7.2.jar |
18095fec31b85981ecaafdef86ca9ae1e9588e1b9bc6d209f82829cf9d0c13f4 |
SpotBugs 4.7.1
CHANGELOG
Fixed
- Fixed False positives for
RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
on try-with-resources with interface references (#1931) @dmivankov
- Fixed NullPointerException thrown by detector
FindPotentialSecurityCheckBasedOnUntrustedSource
on Kotlin files. (#2041) @baloghadamsoftware
- Disabled detector
ThrowingExceptions
by default to avoid many false positives (#2040) @iloveeclipse
- Fixed False positives for
THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION
and THROWS_METHOD_THROWS_CLAUSE_THROWABLE
on evaluating synthetic classes (#2040) @big-andy-coates
- Fixed False positive for
SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA
on proper protection by using static lock for synchronized block, but inside an unsecured (synchronized and not static) method (#2089) @gonczmisi
CHECKSUM
file |
checksum (sha256) |
spotbugs-4.7.1-javadoc.jar |
b9562f6c370adc73277c2f7ecd1d72dea1f4961ff8a38b5c9de1df48c98d4727 |
spotbugs-4.7.1-sources.jar |
70e08fd3a294d86f364ddb57fe83e5eebb90eb372766e6c0ad41b1c206f2a7c6 |
spotbugs-4.7.1.tgz |
62195a43af19e998380ea5988dba3bdd5b927acd6a3a47a575578629313ce836 |
spotbugs-4.7.1.zip |
008c98901099114dbb0864bf693f480df4cef83929cf469d37b1cf85a348ae88 |
spotbugs-annotations-4.7.1-javadoc.jar |
8f58cc52f0517b072da3696d6d4b882944699746de63084834d688b9d0ff1102 |
spotbugs-annotations-4.7.1-sources.jar |
b338136e3e82d585348cde58a8fe3a678e16f51a35c31c1463e05fefef557aad |
spotbugs-annotations.jar |
c267764c59c7cbd2e6becebeb7c848cd6dfe23a28a76ea3bc6ccea5cce60932e |
spotbugs-ant-4.7.1-javadoc.jar |
cbd76c1382c887e0f73426646f2b12c867b48a607ccd2eb6618125ab672e9296 |
spotbugs-ant-4.7.1-sources.jar |
ce7cfbed848ccb0e3765cec6b9c60c458699aa51f60ad9216cf89dbf38d8d793 |
spotbugs-ant.jar |
b866a2a89a03b49e60b5f27e0f5987eb8c12c2d2aefc6e9ddcbcdae345c765db |
spotbugs.jar |
a6b689b6695fe64665a056875c0d57b55c07431d5d5193b2ae3971986a114d0e |
test-harness-4.7.1-javadoc.jar |
5a4e624420abcdb782158b3ce1b0e17c5e5ad3176698c617128897201bceb775 |
test-harness-4.7.1-sources.jar |
7efb06093ea5f6f330a7bd76b894f396d6cb466665fcefc01a3743b07910dc29 |
test-harness-4.7.1.jar |
50b4a72c668ea7d29bf1234b4aa380df903374216f68b0a87f7ca28d4fa225f3 |
test-harness-core-4.7.1-javadoc.jar |
6e8325372c24834f40a73feaba3fc256fdb5e6391ff086d459afd58b0fc1b073 |
test-harness-core-4.7.1-sources.jar |
f8aab3c5cdd456d6b6d632e9fc65897e657447a2e925b6b3f61bd2d15c22cb24 |
test-harness-core-4.7.1.jar |
7165f7f45a6e82e8a6d6a0a4033b6473b310c14f645cb62ebc2fbc6ce5338350 |
test-harness-jupiter-4.7.1-javadoc.jar |
83332c275c96e72ecdacf96244baf79a0357dd5c3fdd6143e0b47fc73f153441 |
test-harness-jupiter-4.7.1-sources.jar |
210353a57016e26b1a654d936a15f039613fa1ac532d485c1b1d03902f6c6315 |
test-harness-jupiter-4.7.1.jar |
18095fec31b85981ecaafdef86ca9ae1e9588e1b9bc6d209f82829cf9d0c13f4 |
SpotBugs 4.7.0
CHANGELOG
Changed
- Updated documentation by adding parenthesis
()
to the negative odd check message (#1995) @axkr
- Let the Plugin class implement AutoCloseable so we can release the .jar file (#2024) @gtoison
Fixed
- Fixed reports to truncate existing files before writing new content (#1950) @sdati
- Fixed traversal of nested archives governed by
-nested:true
(#1930) @Vogel612
- Warnings of deprecated System::setSecurityManager calls on Java 17 (#1983) @wborn
- Fixed false positive SSD bug for locking on java.lang.Class objects (#1978) @jpschewe
- FindReturnRef throws an IllegalArgumentException unexpectedly (#2019) @KengoTODA
- Bumped Saxon-HE from 10.6 to 11.3 (#1955, #1999)
- Bump ObjectWeb ASM from 9.2 to 9.3 supporting JDK 19 (#2004)
Added
- New detector
ThrowingExceptions
and introduced new bug types @oroszbd
THROWS_METHOD_THROWS_RUNTIMEEXCEPTION
is reported in case of a method throwing RuntimeException,
THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION
is reported when a method has Exception in its throws clause and
THROWS_METHOD_THROWS_CLAUSE_THROWABLE
is reported when a method has Throwable in its throws clause (See SEI CERT ERR07-J)
- New rule
PERM_SUPER_NOT_CALLED_IN_GETPERMISSIONS
to warn for custom class loaders who do not call their superclasses' getPermissions()
in their getPermissions()
method. This rule based on the SEI CERT rule SEC07-J Call the superclass's getPermissions() method when writing a custom class loader. (#SEC07-J) @baloghadamsoftware
- New rule
USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE
to detect cases where a non-final method of a non-final class is called from public methods of public classes and then the same method is called on the same object inside a doPrivileged block. Since the called method may have been overridden to behave differently on the first and second invocations this is a possible security check based on an unreliable source. This rule is based on SEC02-J. Do not base security checks on untrusted sources. (#SEC02-J) @baloghadamsoftware
- New detector
DontUseFloatsAsLoopCounters
to detect usage of floating-point variables as loop counters (FL_FLOATS_AS_LOOP_COUNTERS
), according to SEI CERT rules NUM09-J. Do not use floating-point variables as loop counters @adrianturtoczki
- New test detector
ViewCFG
to visualize the control-flow graph for SpotBugs
developers @baloghadamsoftware
CHECKSUM
file |
checksum (sha256) |
spotbugs-4.7.0-javadoc.jar |
43745221e8fdf50fa2f89d659034523dd58da3d10223de6e0c91704c07e025a0 |
spotbugs-4.7.0-sources.jar |
6e90f856826b48a3031e2cb903534b4fdb494759863ea14e8df93c9cf15a272c |
spotbugs-4.7.0.tgz |
8c871e279c7d9b1933158db6355b8ac817a84fd724b88b1e393e3abcf6874910 |
spotbugs-4.7.0.zip |
9ee793b0f3f78901089211dfa67b8603e38fd1abd64eac09d2590df506cfedf5 |
spotbugs-annotations-4.7.0-javadoc.jar |
76a9a7d45590494a220840d173809b2fe0ec50e554435dd9b28de9312cc6a34a |
spotbugs-annotations-4.7.0-sources.jar |
b338136e3e82d585348cde58a8fe3a678e16f51a35c31c1463e05fefef557aad |
spotbugs-annotations.jar |
8e6677102aa0de50841644cf9a57d6d503550ad774049a76c75bf157a8beebd5 |
spotbugs-ant-4.7.0-javadoc.jar |
50d84857bbdca54898e93b225835ab25eba9f0a7e340c420ab08bc17bd584f0c |
spotbugs-ant-4.7.0-sources.jar |
ce7cfbed848ccb0e3765cec6b9c60c458699aa51f60ad9216cf89dbf38d8d793 |
spotbugs-ant.jar |
b866a2a89a03b49e60b5f27e0f5987eb8c12c2d2aefc6e9ddcbcdae345c765db |
spotbugs.jar |
94c44d86c83b8fe63b20023e510874aef721b1081982051706e1da841572f295 |
test-harness-4.7.0-javadoc.jar |
3af01af49d74964569fe8ce0e4c217fbfd89e7c02ae5428148b5222e0aec8906 |
test-harness-4.7.0-sources.jar |
7efb06093ea5f6f330a7bd76b894f396d6cb466665fcefc01a3743b07910dc29 |
test-harness-4.7.0.jar |
50b4a72c668ea7d29bf1234b4aa380df903374216f68b0a87f7ca28d4fa225f3 |
test-harness-core-4.7.0-javadoc.jar |
659508cc31a9dfb5c7d4c14981a3f38f476888c7bb08479ac19401ef39201f64 |
test-harness-core-4.7.0-sources.jar |
f8aab3c5cdd456d6b6d632e9fc65897e657447a2e925b6b3f61bd2d15c22cb24 |
test-harness-core-4.7.0.jar |
7165f7f45a6e82e8a6d6a0a4033b6473b310c14f645cb62ebc2fbc6ce5338350 |
test-harness-jupiter-4.7.0-javadoc.jar |
c0300bac23ce2292be120325515128d2d9262c1f7d71b3bf1c4324b2d6b57753 |
test-harness-jupiter-4.7.0-sources.jar |
210353a57016e26b1a654d936a15f039613fa1ac532d485c1b1d03902f6c6315 |
test-harness-jupiter-4.7.0.jar |
18095fec31b85981ecaafdef86ca9ae1e9588e1b9bc6d209f82829cf9d0c13f4 |