Releases: SonarSource/sonar-java

8.17.0.39817

04 Jul 13:47
f13e6e9

Release notes - SonarJava - 8.17

New Feature

SONARJAVA-5493 S7478: Use ClassFile::transformClass instead of ClassFile::build where possible

SONARJAVA-5494 S7477: When using ClassFile::transformClass, do not specify the new class name if it is unchanged

SONARJAVA-5500 S7479: Use ClassBuilder::withMethodBody instead of ClassBuilder::withMethod where possible

SONARJAVA-5518 S7482: For stateless Gatherers, omit the initialiser

SONARJAVA-5520 S7481: For sequential Gatherers, prefer Gatherer.ofSequential() over Gatherer.of() with a Throwing Combiner

SONARJAVA-5669 Implement rule S7629: defaultFinisher in Gather factory call

False Positive

SONARJAVA-5443 S6906 should not raise on virtual threads running synchronized code for Java 24 and greater

False Negative

SONARJAVA-5444 FN on S2093: does not raise issue on `Reader.of`

Improvement

SONARJAVA-5665 Improve S4036 message for users

SONARJAVA-5663 Expose OWASP Mobile Top 10 2024 in rule metadata

8.16.0.39645

26 Jun 14:24

Release notes - SonarJava - 8.16

New Feature

SONARJAVA-2511 Rule S4030: Collection and array contents should be used

SONARJAVA-5598 S3063: "StringBuilder" data should be used

SONARJAVA-5599 S3024: Arguments to "append" should not be concatenated

SONARJAVA-5602 S3033: ".length" should be used to test for the emptiness of StringBuffers

Bug

SONARJAVA-5619 NPE when semantic can not resolve "java.lang.Object"

SONARJAVA-5621 Fix issue in CFG computation with generic record pattern

SONARJAVA-5628 CFG computation crashes in case of unexpected break

SONARJAVA-5630 NoSuchElementException in S3626

Task

SONARJAVA-5555 Update RSPEC before 8.16 release

SONARJAVA-5608 Update tomcat-embed-jasper from 9.0.104 to 9.0.105 to suppress alert about CVE-2025-46701

SONARJAVA-5610 Use "sonar.scanner.skipJreProvisioning" in integration tests

SONARJAVA-5613 Centralize spring fully qualified names into constants

SONARJAVA-5617 Add Java 24 projects to peach

SONARJAVA-5624 Fix coverage of JTypeSymbol new code

SONARJAVA-5625 Upgrade spring-expression to version 6.1.21 to suppress alert

SONARJAVA-5633 Expose Configuration inside ModuleScannerContext

SONARJAVA-5635 Upgrade tomcat-embed-core to version 9.0.106

SONARJAVA-5637 Remove unused collection

SONARJAVA-5651 org.sonarsource.java:java-extension-plugin should comply with maven central requirements

Improvement

SONARJAVA-5612 Add performance benchmark table to performance rules documentation

SONARJAVA-5615 Upgrade ECJ to version 3.42

SONARJAVA-5622 Extend S7158 to work with all CharSequence

Documentation

SONARJAVA-5614 Update ECJ upgrade process

8.15.0.39343

28 May 14:24

Release notes - SonarJava - 8.15

New Feature

SONARJAVA-5501 S7474: Markdown, HTML and Javadoc tags should be consistent

SONARJAVA-5537 S7476: Comments should start with the appropriate number of slashes

SONARJAVA-5544 Deprecate rule S6291 and S6300

False Positive

SONARJAVA-5377 FP on S125 on markdown comments

SONARJAVA-5445 FP on S1123 not reading @deprecated tags in markdown javadocs

SONARJAVA-5482 FP S1854 with broken semantics

SONARJAVA-5553 FP in rule S2384 on private getters

Bug

SONARJAVA-5522 S3052 should not fail to parse floats and doubles containing an underscore

Task

SONARJAVA-4634 S6437 requires a complete test source for all the methods listed in S6437-methods.json

SONARJAVA-5543 Upgrade third-party dependencies

SONARJAVA-5562 Upgrade analyzer commons to 2.17

SONARJAVA-5567 Fix failing Quality Gate: remove unused field.

SONARJAVA-5568 Create continuous releasability check

SONARJAVA-5571 Expose public api for SE engine that were mistakenly used by improper dependency

SONARJAVA-5574 Fix UpdateRuleMetadata GitHub action to also update the sonar-java-symbolic-execution-plugin rules

SONARJAVA-5593 Update spring-security-core from 6.4.5 to 6.4.6 to suppress alert about CVE-2025-41232

SONARJAVA-5601 Update rule metadata

False Negative

SONARJAVA-5552 FN in S1943 on InputStreamReader::new

8.14.1.39293

23 May 07:50
c57798d

Release notes - SonarJava - 8.14.1

Improvement

SONARJAVA-5352 Fix discrepancies between MQR and severity for Java rules

8.9.2.39294

23 May 07:58
1410108

Release notes - SonarJava - 8.9.2

Improvement

SONARJAVA-5352 Fix discrepancies between MQR and severity for Java rules

8.14.0.39102

12 May 12:28
e295300

Release notes - SonarJava - 8.14

False Positive

SONARJAVA-4334 S6207 should not raise on constructors where the value of a parameter has been changed before assignment to the component

SONARJAVA-4376 FP S2129: With incomplete semantics, MethodMatcher matches the wrong method instead of nothing

SONARJAVA-4473 FP in rule S2384 when class only has private constructors

SONARJAVA-4481 False positive in rule S6207: records constructors with annotations are not redundant

SONARJAVA-4543 FP in rule S5778 with Enum final methods

SONARJAVA-4748 FP in S6833 when controller contains methods annotated with and without @ResponseBody

SONARJAVA-4881 FP on S2230 for @Transactional on protected and package-private methods

SONARJAVA-4901 S6856 should not raise when the `ModelAttribute` of the parameter refers to a model attribute defined in a parent class

SONARJAVA-4917 FP in the S6857(SpEL rule) when used with Map

SONARJAVA-4964 S1941: FP when lambda expression is present

SONARJAVA-5101 FP in S5860 when Regex are used in Lambdas

SONARJAVA-5274 FP for S1123 on record fields

SONARJAVA-5400 FP S6241 and S6242 when the builder is S3CrtAsyncClientBuilder

SONARJAVA-5436 S108 Should suggest adding a comment as a fix to empty block

SONARJAVA-5437 S1186 Suggest adding a comment to suppress warnings on empty methods.

SONARJAVA-5480 S2699 Does not recognize assertions invoked via Spring's AssertableApplicationContext

SONARJAVA-5496 FP java:S6856 when using Spring property injection “${…}”

SONARJAVA-5547 FP on S2699 when using org.springframework.util.Assert methods

Task

SONARJAVA-5513 Update RSPEC before 8.14 release

SONARJAVA-5539 Prepare next development iteration 8.14

SONARJAVA-5541 Ignore its/plugin/projects in Mend scan

SONARJAVA-5550 Add some pom configuration to cleanup build logs and improve build caching

SONARJAVA-5551 Create GitHub action to update rule metadata.

Documentation

SONARJAVA-5517 Update S1481 rspec with examples of usage of the unnamed pattern introduced in java 22

8.13.0.38826

28 Apr 15:24
0ee9ab2

Release notes - SonarJava - 8.13

New Feature

SONARJAVA-5454 S7467: Unused exception parameter should use the unnamed variable pattern

SONARJAVA-5457 S7466: Use `var` instead of a type with unnamed variable _

SONARJAVA-5483 S7475: The type of an unused component should be removed from pattern matching

Bug

SONARJAVA-5338 JVariableSymbol `equals(...)` returns true for unrelated symbols that are declared in different methods

SONARJAVA-5492 S1481 quickfix breaks compilation on record pattern matching

Task

SONARJAVA-5441 document how to find tag corresponding to eclipse releases

SONARJAVA-5451 Update Slack notification in .github/workflows/slack_notify.yml

SONARJAVA-5452 update autoscan differences

SONARJAVA-5456 Set max supported java version to 23 and build with java 23

SONARJAVA-5465 Prepare next development iteration 8.13

SONARJAVA-5466 add script to override ECJ and update instructions in README.md

SONARJAVA-5479 Update rules metadata

SONARJAVA-5484 Address FIXME comment about the use of IdentityHashMap

SONARJAVA-5486 Bump orchestrator to version 5.5 or greater

SONARJAVA-5509 Refactor test sample files of S1481

SONARJAVA-5511 Update required Java version and test source folder in README

SONARJAVA-5516 Update external rules

SONARJAVA-5521 Update rules metadata

Improvement

SONARJAVA-5410 S5977 Rationale in the RSpec should be improved

SONARJAVA-5430 S1481 offers a quick fix for the unused local variable in an enhanced for loop

SONARJAVA-5439 Update JDT core 3.39 -> 3.41

SONARJAVA-5485 S1481 should report on try-with-resources since Java 22

8.12.0.38599

08 Apr 08:53
e3705d5

Release notes - SonarJava - 8.12

New Feature

SONARJAVA-5403 Implement S7435: Processing persistent unique identifiers is security-sensitive

SONARJAVA-5412 Implement S7409: Exposing Java interfaces in WebViews is security-sensitive

Bug

SONARJAVA-5421 Rule S2225 crashes with NPE on toString/clone methods with lambdas returning void

Task

SONARJAVA-5415 Prepare next development iteration

SONARJAVA-5417 Exclude test fixtures from SCA analysis

SONARJAVA-5427 fix flaky test

SONARJAVA-5453 Fix quality flaws

Improvement

SONARJAVA-5420 Improve S5344: Passwords should not be stored in plaintext or with a fast hashing algorithm

8.11.0.38440

08 Apr 11:56
f78aa00

Release notes - SonarJava - 8.11

False Positive

SONARJAVA-4567 FP on S107 when method is annotated for dependency injection

SONARJAVA-5232 FP in S1192 (duplicated string literal) on messages in Exceptions

SONARJAVA-5341 FP S1479 Wrongly reports too many cases on switches when enum types are unknown

SONARJAVA-5380 FP on S107 with Lombok's @Builder

Bug

SONARJAVA-5392 S5804 throws an NPE when a throw statement is located in a constructor

Task

SONARJAVA-5345 Prepare for next development iteration 8.11.0-SNAPSHOT

SONARJAVA-5347 Upgrade analyzer-commons to 2.16

SONARJAVA-5357 bump tomcat-embed-jasper to 9.0.100

SONARJAVA-5376 Remove unused import to fix quality gate

SONARJAVA-5381 Add script to evaluate beta version of ECJ for a GitHub branch reference

SONARJAVA-5393 Autoclose issues created by Jira integration

SONARJAVA-5394 Autoclose issues created by Jira integration

SONARJAVA-5395 Autoclose issues created by Jira integration

SONARJAVA-5396 Autoclose issues created by Jira integration

SONARJAVA-5413 Update rules metadata

Improvement

SONARJAVA-5352 Fix discrepancies between MQR and severity for Java rules

SONARJAVA-5375 S3986 Update the message to use the year instead of the week year.

SONARJAVA-5401 S6809 Rule Description Features incomplete code

SONARJAVA-5404 GeneratedCodeFilter should support jakarta annotations

8.9.1.38281

27 Feb 15:33
a6619d8

Release notes - SonarJava - 8.9.1

Task

SONARJAVA-5362 Prepare next development iteration 8.9.1-SNAPSHOT

SONARJAVA-5363 Restrict ITs to run only against 2025.1

Improvement

SONARJAVA-5352 Fix discrepancies between MQR and severity for Java rules