This is the changelog for SpotBugs. This follows Keep a Changelog v1.0.0.
Currently the versioning policy of this project follows Semantic Versioning v2.0.0.
- spotbugs reports
VO_VOLATILE_REFERENCE_TO_ARRAY
in synthetic code generated by Eclipse 4.17+ Java compiler (#1313) - spotbugs reports
DM_BOXED_PRIMITIVE_FOR_PARSING
for Double and Float (previously only reported for Integer and Long) (#744) - sarif report not showing correctly the physical and logical location (#1281)
- The class search (in the GUI's class name filter) is now case-insensitive and forgives typos (part of (#749))
- Bump Saxon-HE from 10.2 to 10.3
IllegalArgumentException
during XML report generation (#1272)- Error dialog on cancelling SpotBugs job in Eclipse (#1314)
- IllegalArgumentException in OpcodeStack.constantToInt (#893)
- Typos in description, documentation and so on
- spotbugs reports
VR_UNRESOLVABLE_REFERENCE
andUPM_UNCALLED_PRIVATE_METHOD
when code is compiled with Java 11 (#1254)
- Bump jaxen from 1.1.6 to 1.2.0 supporting Java 11 compilation (#1316)
- Bump ASM from 8.0.1 to 9.0 supporting JDK16 (sealed classes)
- Bump Saxon-HE from 10.1 to 10.2
- The dependency from
test-harness
tospotbugs
is nowtestImplementation
(#1317) - The dependency from
test-harness-core
tospotbugs
is nowapi
(#1317)
- False positive
RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
on try-with-resources (#259) - Misconfiguration which makes ASM not supporting Java 14 (#1276)
- Resolved fatal exception in html report if BugInstance contains multiple Class elements and use the plain.xsl XSLT stylesheet to generate the HTML (#1025)
- A meaningless exception data from
SAXBugCollectionHandler
- Use URI for files instead of converting string to URI each time. Fixes tests on Windows.
- Allow private methods to inherit default annotations from package or class scope. (#374)
- Implement issue 390 as a detector,
DontAssertInstanceofInTests
, which reports bugs of typeJUA_DONT_ASSERT_INSTANCEOF_IN_TESTS
.
- Missing the version of commons-lang3 for Maven (#1239)
- Support custom bug annotation
- Experimental support for the SARIF 2.1.0 report (discuss#95)
- Fixed not working detector 'CbeckMustOverrideSuperAnnotation' and renamed to 'OverridingMethodsMustInvokeSuperDetector'
- Bump commons-lang3 from 3.10 to 3.11 (#1231)
- Bump commons-text from 1.8 to 1.9
- Use method call instead of reflection to get BCEL frame type (#1176)
- dependency conflict around apache-commons-lang3 (#1135)
- plain.xsl declares it is a 2.0 stylesheet, but it appears to have issues with a 2.0 processor
- eclipse plugin does not contain
lib/spotbugs.jar
(#1158)
- Bump up Apache Commons BCEL to the version 6.5.0
- Update dom4j to 2.1.3 to fix security vulnerability. (#1122)
- Avoid changing the SecurityManager when launched as an IntelliJ IDEA plugin.
- GUI was using older version of jdom2 compared to spotbugs in general, bumped it to match at 2.1.1
- Numerous places in manifest, jnlp files, and sample analysis xml were indicating older asm that was already upgraded to 7.3.1, fixed
- Added commons-text 1.8 which treats λ properly in xml as it is allowed as λ. Associated test was corrected to use proper junit and λ was changed to λ. The escape only was applicable to html. Commons-lang original treatment was incorrect.
- Resolved fatal exception in html report if BugInstance contains multiple Class elements (#1025)
- Upgrade ASM to 8.0.1 which supports Java14
- Upgraded junit4 to 4.13
- Upgraded ant to 1.10.7
- Upgraded log4j2 to 2.13.1
- Upgraded from commons-lang2 to commons-lang3 3.10
- Added commons-text 1.8 due to items deprecated in commons-lang3 and moved to this project
- replaced usage of org.xml.sax.helpers.XMLReaderFactory (deprecated since jdk9) with javax.xml.parsers.SAXParserFactory
- Resolved Saxon warning (#1077)
- Unclear message of
SE_NO_SUITABLE_CONSTRUCTOR_FOR_EXTERNALIZATION
(#1091)
This version contains no change, except for the solution for a deployment problem.
- Latest 4.0.0 Eclipse plugin is not functional (#1067)
- change the dependency on
jaxen
toruntime
scope - change the dependency on
saxon
toruntime
scope
- Suppress
Error resolving Real SourcePath (only relative source path will be available)
warning. #1009
- Bump up Apache Commons BCEL to the version 6.4.1
- update ASM to 7.3.1 that supports Java 14 and 15
- default.xsl declares it is a 2.0 stylesheet, but it appears to have issues with a 2.0 processor (#958)
- Provide support for CheckerFramework
@NonNull
annotation - Recognize CheckerFramework type annotations on method return values (#960)
- The feature toggle
spotbugs.experimental.multiThread
for experimental multi-thread analysis - Add management for source filter using full source path, if available and simple filename does not already match (#694)
- HTML report cannot be generated with
fancy-hist.xsl
(#944)
- Depend on XSLT 2 engine explicitly (#944)
- Replace to try-with-resources
- Reset DataAnalysis.DEBUG back when analysis reaches MAX_ITER
- Remove unused methods in
BCELUtil
- Remove unused methods and deperecated methods in
edu.umd.cs.findbugs.util.Util
- Change to removeIf from Iterator and Iterator.remove
- Use Map.computeIfAbsent instead of Map.get and Map.put
- Use for-each instead of for-loop and while-loop
- Bump up SLF4J API to
1.8.0-beta4
- update ASM to 7.1 that supports Java 13
- non thread-safe implementation in
OpcodeStack.Item
(#28)
- Start migrating STDOUT/STDERR usage to a logging framework
- Improvements and bug-fixes for fancy-hist.xsl
- Bump up Apache Commons BCEL to the version 6.3.1
- SQL files
- JNLP files
speed
attribute ofDetector
element infindbugs.xml
- Fixed bug priority calculation logic in FindNonShortCircuit#reportBug
- Make TypeQualifierResolver recognize androidx.annotation.NonNull and Nullable (#880)
- Bump up Apache Commons BCEL to the version 6.3
- Update dom4j to 2.1.1 to fix security vulnerability. (#864)
- False positive: parameter must be non-null in inner class constructor (#772)
- Fix bug that enhanced xml options not recognized as textui mode
- Dataflow generates too much log (#601)
- Delete redundant put plugin (#720)
- Add new detector IRA_INEFFICIENT_REPLACEALL for detecting usage of String.replaceAll where no regex is being used (#705)
- Eclipse plugin is now signed to establish validity (#779)
- edu.umd.cs.findbugs.util.ClassName#assertIsDotted return type is changed to void
- edu.umd.cs.findbugs.util.ClassName#assertIsSlashed return type is changed to void
- edu.umd.cs.findbugs.classfile.ClassDescriptor#toDottedClassName() is depricated and getDottedClassName() can be used instead.
- Fix some out-of-bounds reports from LGTM
- Update asm to 7.0 for better Java 11 support (#785)
- Ignore @FXML annotated fields in UR_UNIT_READ (#702)
- Allow parallel workspace builds in Eclipse with Spotbugs installed
- Detect method parameter type annotations (#743)
- Update asm to 6.2.1 for better Java 12 support (#741)
- Fix hash code collision (#751)
- Partially revert #688 because of the error in specific case with
checkcast
opcode (#760)
- Don't print exit code related output if '-quiet' is passed (#714)
- Don't underflow the stack at INVOKEDYNAMIC when modeling stack frame types (#500)
- ASM_VERSION=ASM7_EXPERIMENTAL by default to support Java 11
- Removed dependency to jFormatString (GPL) code (#725)
- Read User Preferences exported from SpotBugs Eclipse Plugin (#728)
- Set ASM_VERSION=ASM6 if system property spotbugs.experimental=false
- Potential NPE in test-harness-core (#671)
- Support project path with spaces in test-harness-core (#683)
- Processing of "J" (long value constants) was not processed in
OpcodeStack.Item(OpcodeStack.Item, String)
- Processing of "Z" (boolean value constants) was not processed in
OpcodeStack.Item(OpcodeStack.Item, String)
- Processing of Box classes like
java.lang.Integer
was not processed inOpcodeStack.Item(OpcodeStack.Item, String)
- Keep IO.close(Closeable) that was deleted by 3.1.4 (#661)
- RANGE_ARRAY_LENGTH and RANGE_ARRAY_OFFSET false negative (#595)
- Close source file after analysis (#591)
- Inconsistent reporting for EI_EXPOSE_REP2 (#603)
- Update asm to 6.2 for better Java 11 support (#648)
- False positive: 'return value ignored' on Guavas Preconditions.checkNotNull() (#578)
- spotbugs-ant Ant dependency in wrong scope (#655)
- Support for errorprone @CheckReturnValue annotation (#592)
- Handle annotation on
package-info.class
properly (#592) - Update asm to 6.1.1 to support Java 10
- Update Apache BCEL to 6.2 to support Java 9 package & module reference
- Support for errorprone @CanIgnoreReturnValue annotation (#463)
- Added support for Checker Framework's Nullable annotations.
- Error on lambda analysis: "Constant pool at index 0 is null." (#547)
- Lambda methods reported as missing classes (#527)
- Unused variable reported with wrong name (#516)
- Require gradle 4.2.1 to fix gradle build failures on Java 9.0.1
- Do not print exceptions for unsupported classpath files (#497)
- Update dom4j to 2.1.0 to fix Illegal reflective access on Java 9
- NP_NONNULL_PARAM_VIOLATION false positive (#484)
- Add missing package exports to plugin manifest (#478)
- Do not try to parse module-info.class (#408)
- SpotBugs annotation is recommended instead of JSR305 annotation (#130)
- Improve color in HTML output (#433)
- Wrong Class-Path in MANIFEST.MF (#407)
- Avoid ArithmeticExceptions while interpreting ldiv/lrem values (#413)
- Parse
@CheckReturnValue
even in package-info from aux classpath (#429)
- Delete needless bundled libraries from Eclipse plugin (#330)
- Add plugin/README into the distribution (#331)
- Fix broken command line script (#323)
- Fix broken Eclipse classpath variables (#379)
- Fix errors on processing INVOKEDYNAMIC instructions (#371)
- Fix errors on processing i2f, i2d and i2l instructions if the lhs is a character (#389)
- The
YourKitProfiler
class has been removed and thefindbugs.yourkit.enabled
system property is no longer supported (#289)
- SpotBugs now consumes ASM 6.0 beta rather than alpha (#268)
- The Eclipse SpotBugs plugin is eligible as an update for FindBugs 3.0.2 and earlier (#209)
<EarlierSubtypes>
and<LaterSubtypes>
can now refer to supertypes from custom plug-ins (#215)
- The
AbstractIntegrationTest.containsExactly
andSpotBugsRule.containsExactly
methods have been replaced byCountMatcher.containsExactly
(#269)
jdepend:jdepend:2.9.1
is no longer a compile-scoped dependency but only test-scoped. (#242)ICodeBase
,IClassPath
, andURLClassPath
now implementAutoCloseable
(#258)
- In future versions of SpotBugs, classes currently implementing the deprecated
org.apache.bcel.Constants
interface may no longer do so. Subclasses should either implement this interface themselves or, preferably, use the constants defined in the (non-deprecated)org.apache.bcel.Const
class instead. (#262)
- Make TypeQualifierResolver recognize android.support.annotation.NonNull and Nullable (#182)
- Fix wrong version in Eclipse Plugin (#173)
- When AnalysisRunner has findbugs.xml in jar, don't create temp jar (#183)
- Change Eclipse Plugin ID to avoid conflict with FindBugs Eclipse Plugin (#157)
- Enhance performance of Eclipse Plugin (#159)
- Fix HTML format in
messages.xml
and others (#166) - Fix Japanese message in
messages_ja.xml
(#164)
- Make TypeQualifierResolver recognize JetBrains NotNull annotations (Patch #248)
- excludePath and includePath in AntTask (6668a9)
- Cancellation of queueing FindBugsJob in Eclipse plugin (bceec81)
- Artifact which contains only SpotBugs annotations (Bug#1341)
- Warn if excludeFilter is empty (4b7e93f)
- Partial Java9 support (FindBugs#105)
spotbugs.home
is available likefindbugs.home
(#33)
- Support user preferences exported by the Export->Preferences wizard in Eclipse (01b7df7)
- No more dependency in annotations on BugRanker and Priorities (2f9d672, 725be6e)
- Several classes are now not Serializable (#85)
OpcodeStack.Item.defineNewSpecialKind(String)
(#27)Version.RELEASE
(#125)DescriptorFactory.canonicalizeString(String)
(#128)
- Java7 Support (Issue #19)
- WebCloud and other plugins
- BlueJ Support
- Artifact which packages not only SpotBugs annotations but also JSR305 annotations
- Typos in description, documentation and so on
- StackOverflowError in ValueRangeAnalysisFactory (Bug#1369)
- Command line "@" feature (Bug#1375)
- SOAPMessage.getSOAPHeader() can and does return null (Bug#1368)
- False positive in UC_USELESS_OBJECT (Bug#1373)
- False positive in NP_LOAD_OF_KNOWN_NULL_VALUE (Bug#1372)
- Missing java.nio.file.Files support in OS_OPEN_STREAM (Bugs#1399])
- False negative in GC_UNRELATED_TYPES (Bug#1387)
- Not reliable BIT_SIGNED_CHECK (Bug#1408)
- Annotation of SIC_INNER_SHOULD_BE_STATIC_ANON (Bug#1418)
- Bug in ClassName.isAnonymous (dcfb934)
- long/double arguments handling in BuildStringPassthruGraph (370808a)
- long/double arguments handling in FindSqlInjection (32a20db)
- getEntryValueForParameter in ValueNumberAnalysis (fb11839)
- Do not generate non-constant SQL warnings for passthru methods (Bug#1416)
- Too eager "may expose internal representation by storing an externally mutable object" (Bug#1397)
- Do not report WrongMapIterator for EnumMap (Bug#1422)
- Default Case is Missing With Alias Enum Constants (Bug#1392)
- NPE when launched using IBM JDK on Linux (Bug#1383)
- Serializable should be out of target for RI_REDUNDANT_INTERFACES (FindBugs#49)
- nonnull annotations database for java.util.concurrent.ForkJoinPool ((fb8a953)[https://github.com/spotbugs/spotbugs/commit/fb8a953])
- Better handling for JDT illegal signatures(#55)
- StaticCalendarDetector is constantly throwing ClassNotFoundExceptions (#76)
- ClassFormatException when analyze class with lambda (INVOKEDYNAMIC) (#60)
Check changelog at SourceForge.