.github/workflows/build.yml

@@ -7,6 +7,9 @@ on:
     branches:
       - master
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/release.yml

@@ -5,8 +5,12 @@ on:
     tags:
       - '**'
 
+permissions: {}
 jobs:
   build:
+    permissions:
+      contents: write # to push pages branch (peaceiris/actions-gh-pages)
+
     runs-on: ubuntu-latest
 
     steps:

CHANGELOG.md

@@ -4,6 +4,20 @@ This is the changelog for SpotBugs. This follows [Keep a Changelog v1.0.0](http:
 
 Currently the versioning policy of this project follows [Semantic Versioning v2.0.0](http://semver.org/spec/v2.0.0.html).
 
+## 4.7.3 - 2022-10-15
+### Fixed
+- Fixed detector `DontUseFloatsAsLoopCounters` to prevent false positives. ([#2126](https://github.com/spotbugs/spotbugs/issues/2126))
+- Fixed regression in `4.7.2` caused by ([#2141](https://github.com/spotbugs/spotbugs/pull/2141))
+- improve compatibility with later version of jdk (>= 13). ([#2188](https://github.com/spotbugs/spotbugs/issues/2188))
+- Fixed detector `UncallableMethodOfAnonymousClass` to not report unused methods of method-local enumerations and records ([#2120](https://github.com/spotbugs/spotbugs/issues/2120))
+- Fixed detector `FindSqlInjection` to detect bug `SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE SQL` with high priority in case of unsafe appends also in Java 11 and above ([#2183](https://github.com/spotbugs/spotbugs/issues/2183))
+- Fixed detector `StringConcatenation` to detect bug `SBSC_USE_STRINGBUFFER_CONCATENATION` also in Java 11 and above ([#2182](https://github.com/spotbugs/spotbugs/issues/2182))
+- Fixed `OpcodeStackDetector` to to handle propagation of taints properly in case of string concatenation in Java 9 and above ([#2183](https://github.com/spotbugs/spotbugs/issues/2183))
+- Bump up log4j2 binding to `2.19.0`
+- Bump ObjectWeb ASM from 9.3 to 9.4 supporting JDK 20 ([#2200](https://github.com/spotbugs/spotbugs/pull/2200))
+- Bump up commons-text to 1.10.0 ([#2197](https://github.com/spotbugs/spotbugs/pull/2197))
+- Fixed debug detector `ViewCFG` to generate file names that are also valid on Windows ([#2209](https://github.com/spotbugs/spotbugs/issues/2209))
+
 ## 4.7.2 - 2022-09-02
 ### Fixed
 - Bumped gson from 2.9.0 to 2.9.1 ([#2136](https://github.com/spotbugs/spotbugs/pull/2136))

build.gradle

@@ -1,13 +1,13 @@
 plugins {
   id "org.sonarqube" version "3.4.0.2513"
-  id "com.diffplug.spotless" version "6.10.0"
+  id "com.diffplug.spotless" version "6.11.0"
   id "org.gradle.crypto.checksum" version "1.4.0"
-  id "com.github.spotbugs" version "5.0.10"
+  id "com.github.spotbugs" version "5.0.12"
   id "io.github.gradle-nexus.publish-plugin" version "1.1.0"
 }
 
 group = 'com.github.spotbugs'
-version = '4.7.2'
+version = '4.7.3'
 
 apply from: "$rootDir/gradle/java.gradle"
 apply from: "$rootDir/gradle/jacoco.gradle"
@@ -37,7 +37,7 @@ allprojects {
     mavenCentral()
   }
   dependencies {
-    implementation platform('org.junit:junit-bom:5.9.0')
+    implementation platform('org.junit:junit-bom:5.9.1')
   }
 }
 

buildSrc/build.gradle.kts

@@ -6,5 +6,5 @@ repositories {
     gradlePluginPortal()
 }
 dependencies {
-    implementation("com.diffplug.gradle:goomph:3.37.2")
+    implementation("com.diffplug.gradle:goomph:3.39.0")
 }

buildSrc/src/main/kotlin/constraints.gradle.kts

@@ -7,7 +7,7 @@ dependencies {
         implementation("org.apache.logging.log4j:log4j-core") {
             version {
                 strictly("[2.17.1, 3[")
-                prefer("2.18.0")
+                prefer("2.19.0")
             }
             because("CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832: Log4j vulnerable to remote code execution and other critical security vulnerabilities")
         }

docs/conf.py

@@ -17,10 +17,10 @@
 
 html_context = {
   'version' : '4.7',
-  'full_version' : '4.7.2',
-  'maven_plugin_version' : '4.7.1.1',
-  'gradle_plugin_version' : '5.0.10',
-  'archetype_version' : '0.2.4'
+  'full_version' : '4.7.3',
+  'maven_plugin_version' : '4.7.2.1',
+  'gradle_plugin_version' : '5.0.12',
+  'archetype_version' : '0.2.3'
 }
 
 # If extensions (or modules to document with autodoc) are in another directory,

eclipsePlugin-junit/build.gradle

@@ -12,7 +12,7 @@ tasks.named('compileJava', JavaCompile).configure {
 dependencies {
   implementation project(':eclipsePlugin')
   testImplementation 'junit:junit:4.13.2'
-  testImplementation 'org.mockito:mockito-core:4.7.0'
+  testImplementation 'org.mockito:mockito-core:4.8.0'
 }
 
 tasks.named('jacocoTestReport', JacocoReport).configure {

settings.gradle

@@ -1,5 +1,5 @@
 plugins {
-  id "com.gradle.enterprise" version "3.11.1"
+  id "com.gradle.enterprise" version "3.11.2"
 }
 
 include ':eclipsePlugin'

spotbugs-tests/build.gradle

@@ -2,7 +2,7 @@ apply from: "$rootDir/gradle/checkstyle.gradle"
 apply from: "$rootDir/gradle/jacoco.gradle"
 
 ext {
-  log4jVersion = '2.18.0'
+  log4jVersion = '2.19.0'
 }
 
 dependencies {
@@ -18,8 +18,9 @@ dependencies {
   implementation 'junit:junit:4.13.2'
   implementation 'org.hamcrest:hamcrest-all:1.3'
   implementation 'org.apache.ant:ant:1.10.12'
-  implementation "org.apache.logging.log4j:log4j-slf4j18-impl:$log4jVersion"
-  implementation 'com.google.errorprone:error_prone_annotations:2.15.0'
+  implementation "org.apache.logging.log4j:log4j-core:$log4jVersion"
+  implementation "org.apache.logging.log4j:log4j-slf4j2-impl:$log4jVersion"
+  implementation 'com.google.errorprone:error_prone_annotations:2.16'
   implementation files(project(":spotbugs").sourceSets.gui.output)
 }
 

spotbugs-tests/src/test/java/edu/umd/cs/findbugs/detect/DontUseFloatsAsLoopCountersTest.java

@@ -8,16 +8,16 @@
 
 import static edu.umd.cs.findbugs.test.CountMatcher.containsExactly;
 import static org.hamcrest.Matchers.hasItem;
-import static org.junit.Assert.assertThat;
+import static org.hamcrest.MatcherAssert.assertThat;
 
 public class DontUseFloatsAsLoopCountersTest extends AbstractIntegrationTest {
     @Test
     public void testChecks() {
         performAnalysis("DontUseFloatsAsLoopCounters.class");
         assertNumOfEOSBugs(3);
-        assertBug("main", 5);
-        assertBug("main", 9);
-        assertBug("main", 12);
+        assertBug("test1", 8);
+        assertBug("test2", 15);
+        assertBug("test3", 21);
     }
 
     private void assertBug(String method, int line) {

spotbugs-tests/src/test/java/edu/umd/cs/findbugs/detect/Issue2120Test.java

@@ -0,0 +1,34 @@
+package edu.umd.cs.findbugs.detect;
+
+import org.junit.Before;
+import org.junit.Test;
+
+import edu.umd.cs.findbugs.AbstractIntegrationTest;
+import edu.umd.cs.findbugs.test.matcher.BugInstanceMatcher;
+import edu.umd.cs.findbugs.test.matcher.BugInstanceMatcherBuilder;
+
+import static edu.umd.cs.findbugs.test.CountMatcher.containsExactly;
+import static org.junit.Assume.assumeFalse;
+import static org.junit.Assume.assumeThat;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.is;
+import static org.hamcrest.number.OrderingComparison.greaterThanOrEqualTo;
+
+public class Issue2120Test extends AbstractIntegrationTest {
+    @Before
+    public void verifyJavaVersion() {
+        assumeFalse(System.getProperty("java.specification.version").startsWith("1."));
+        int javaVersion = Integer.parseInt(System.getProperty("java.specification.version"));
+        assumeThat(javaVersion, is(greaterThanOrEqualTo(11)));
+    }
+
+    @Test
+    public void test() {
+        performAnalysis("../java14/Issue2120.class",
+                "../java14/Issue2120$1MyEnum.class",
+                "../java14/Issue2120$1MyRecord.class");
+        BugInstanceMatcher matcher = new BugInstanceMatcherBuilder()
+                .bugType("UMAC_UNCALLABLE_METHOD_OF_ANONYMOUS_CLASS").build();
+        assertThat(getBugCollection(), containsExactly(0, matcher));
+    }
+}

spotbugs-tests/src/test/java/edu/umd/cs/findbugs/detect/Issue2147Test.java

@@ -0,0 +1,23 @@
+package edu.umd.cs.findbugs.detect;
+
+import org.junit.Test;
+
+import edu.umd.cs.findbugs.AbstractIntegrationTest;
+import edu.umd.cs.findbugs.test.matcher.BugInstanceMatcher;
+import edu.umd.cs.findbugs.test.matcher.BugInstanceMatcherBuilder;
+
+import static edu.umd.cs.findbugs.test.CountMatcher.containsExactly;
+import static org.hamcrest.MatcherAssert.assertThat;
+
+public class Issue2147Test extends AbstractIntegrationTest {
+    @Test
+    public void test() {
+        performAnalysis("ghIssues/Issue2147.class",
+                "ghIssues/Issue2147A.class",
+                "ghIssues/Issue2147B.class",
+                "ghIssues/Issue2147C.class");
+        BugInstanceMatcher matcher = new BugInstanceMatcherBuilder()
+                .bugType("URF_UNREAD_FIELD").build();
+        assertThat(getBugCollection(), containsExactly(0, matcher));
+    }
+}

spotbugs-tests/src/test/java/edu/umd/cs/findbugs/detect/Issue2182Test.java

@@ -0,0 +1,36 @@
+package edu.umd.cs.findbugs.detect;
+
+import org.junit.Before;
+import org.junit.Test;
+
+import edu.umd.cs.findbugs.AbstractIntegrationTest;
+import edu.umd.cs.findbugs.test.matcher.BugInstanceMatcher;
+import edu.umd.cs.findbugs.test.matcher.BugInstanceMatcherBuilder;
+
+import static org.junit.Assume.assumeFalse;
+import static org.junit.Assume.assumeThat;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.hasItem;
+import static org.hamcrest.Matchers.is;
+import static org.hamcrest.number.OrderingComparison.greaterThanOrEqualTo;
+
+public class Issue2182Test extends AbstractIntegrationTest {
+    @Before
+    public void verifyJavaVersion() {
+        assumeFalse(System.getProperty("java.specification.version").startsWith("1."));
+        int javaVersion = Integer.parseInt(System.getProperty("java.specification.version"));
+        assumeThat(javaVersion, is(greaterThanOrEqualTo(11)));
+    }
+
+    @Test
+    public void test() {
+        performAnalysis("../java11/ghIssues/Issue2182.class");
+        BugInstanceMatcher matcher = new BugInstanceMatcherBuilder()
+                .bugType("SBSC_USE_STRINGBUFFER_CONCATENATION")
+                .inClass("Issue2182")
+                .inMethod("test")
+                .atLine(22)
+                .build();
+        assertThat(getBugCollection(), hasItem(matcher));
+    }
+}

spotbugs-tests/src/test/java/edu/umd/cs/findbugs/detect/Issue2183Test.java

@@ -0,0 +1,38 @@
+package edu.umd.cs.findbugs.detect;
+
+import org.junit.Before;
+import org.junit.Test;
+
+import edu.umd.cs.findbugs.AbstractIntegrationTest;
+import edu.umd.cs.findbugs.annotations.Confidence;
+import edu.umd.cs.findbugs.test.matcher.BugInstanceMatcher;
+import edu.umd.cs.findbugs.test.matcher.BugInstanceMatcherBuilder;
+
+import static org.junit.Assume.assumeFalse;
+import static org.junit.Assume.assumeThat;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.hasItem;
+import static org.hamcrest.Matchers.is;
+import static org.hamcrest.number.OrderingComparison.greaterThanOrEqualTo;
+
+public class Issue2183Test extends AbstractIntegrationTest {
+    @Before
+    public void verifyJavaVersion() {
+        assumeFalse(System.getProperty("java.specification.version").startsWith("1."));
+        int javaVersion = Integer.parseInt(System.getProperty("java.specification.version"));
+        assumeThat(javaVersion, is(greaterThanOrEqualTo(11)));
+    }
+
+    @Test
+    public void test() {
+        performAnalysis("../java11/ghIssues/Issue2183.class");
+        BugInstanceMatcher matcher = new BugInstanceMatcherBuilder()
+                .bugType("SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE")
+                .inClass("Issue2183")
+                .inMethod("test")
+                .atLine(11)
+                .withConfidence(Confidence.HIGH)
+                .build();
+        assertThat(getBugCollection(), hasItem(matcher));
+    }
+}

spotbugs-tests/src/test/java/edu/umd/cs/findbugs/detect/Issue2184Test.java

@@ -0,0 +1,36 @@
+package edu.umd.cs.findbugs.detect;
+
+import org.junit.Before;
+import org.junit.Test;
+
+import edu.umd.cs.findbugs.AbstractIntegrationTest;
+import edu.umd.cs.findbugs.test.matcher.BugInstanceMatcher;
+import edu.umd.cs.findbugs.test.matcher.BugInstanceMatcherBuilder;
+
+import static org.junit.Assume.assumeFalse;
+import static org.junit.Assume.assumeThat;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.hasItem;
+import static org.hamcrest.Matchers.is;
+import static org.hamcrest.number.OrderingComparison.greaterThanOrEqualTo;
+
+public class Issue2184Test extends AbstractIntegrationTest {
+    @Before
+    public void verifyJavaVersion() {
+        assumeFalse(System.getProperty("java.specification.version").startsWith("1."));
+        int javaVersion = Integer.parseInt(System.getProperty("java.specification.version"));
+        assumeThat(javaVersion, is(greaterThanOrEqualTo(14)));
+    }
+
+    @Test
+    public void test() {
+        performAnalysis("../java14/ghIssues/Issue2184.class");
+        BugInstanceMatcher matcher = new BugInstanceMatcherBuilder()
+                .bugType("PT_RELATIVE_PATH_TRAVERSAL")
+                .inClass("Issue2184")
+                .inMethod("test")
+                .atLine(17)
+                .build();
+        assertThat(getBugCollection(), hasItem(matcher));
+    }
+}

spotbugs/build.gradle

@@ -23,8 +23,8 @@ configurations {
 }
 
 ext {
-  asmVersion = '9.3'
-  log4jVersion = '2.18.0'
+  asmVersion = '9.4'
+  log4jVersion = '2.19.0'
 }
 
 sourceSets {
@@ -85,10 +85,11 @@ dependencies {
   }
   implementation 'jaxen:jaxen:1.2.0' // only transitive through dom4j:dom4j:1.6.1, which has an *optional* dependency on jaxen:jaxen.
   api 'org.apache.commons:commons-lang3:3.12.0'
-  api 'org.apache.commons:commons-text:1.9'
+  api 'org.apache.commons:commons-text:1.10.0'
   api 'org.slf4j:slf4j-api:2.0.0'
   implementation 'net.sf.saxon:Saxon-HE:11.4'
-  logBinding ("org.apache.logging.log4j:log4j-slf4j18-impl:$log4jVersion") {
+  implementation "org.apache.logging.log4j:log4j-core:$log4jVersion"
+  logBinding ("org.apache.logging.log4j:log4j-slf4j2-impl:$log4jVersion") {
     exclude group: 'org.slf4j'
   }
 
@@ -357,7 +358,7 @@ dependencies {
     logBinding("org.apache.logging.log4j:log4j-core") {
       version {
         strictly("[2.17.1, 3[")
-        prefer("2.18.0")
+        prefer("2.19.0")
       }
       because("CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832: Log4j vulnerable to remote code execution and other critical security vulnerabilities")
     }