
Sonar Java 5.9 released with 29 new rules

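Sonar Java 5.9 has been released. Sonar (SonarQube) is an open-source platform for managing source code quality. Sonar is not just a tool for reporting quality data; it is a code quality management platform. Supported languages include Java, PHP, C#, C, Cobol, PL/SQL, Flex and others. SonarQube Java is a Sonar plugin for analyzing Java code.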

This release adds 29 new rules: 12 Security Hotspot rules, 7 bug detection rules, and 10 Code Smell rules.

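Security hotspots deserve a mention. They are a special type of issue that identifies security-sensitive areas of code and helps security analysts determine whether the code contains a vulnerability. The security hotspot rules added in this release cover some of the most common security-sensitive code patterns, such as executing regular expressions, encrypting data, or controlling access. There are also rules covering several frameworks and libraries, such as Guava, Apache Commons, and Spring. Each rule explains the danger that may be lurking, so that you can determine whether the code is vulnerable, and offers recommendations.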

  • S4817 – Executing XPath expressions is security-sensitive (Security Hotspot)
  • S4784 – Using regular expressions is security-sensitive (Security Hotspot)
  • S4790 – Hashing data is security-sensitive (Security Hotspot)
  • S4787 – Encrypting data is security-sensitive (Security Hotspot)
  • S1523 – Dynamically executing code is security-sensitive (Security Hotspot)
  • S4825 – Sending HTTP requests is security-sensitive (Security Hotspot)
  • S4792 – Configuring loggers is security-sensitive (Security Hotspot)
  • S4834 – Controlling permissions is security-sensitive (Security Hotspot)
  • S4797 – Handling files is security-sensitive (Security Hotspot)
  • S4829 – Reading the Standard Input is security-sensitive (Security Hotspot)
  • S4823 – Using command line arguments is security-sensitive (Security Hotspot)
  • S4818 – Using Sockets is security-sensitive (Security Hotspot)
  • S3065 – Min and max used in combination should not always return the same value (Bug)
  • S3078 – “volatile” variables should not be used with compound operators (Bug)
  • S2689 – Files opened in append mode should not be used with ObjectOutputStream (Bug)
  • S3822 – Hibernate should not update database schemas (Bug)
  • S4517 – InputStream.read() implementation should not return a signed byte (Bug)
  • S3032 – JEE applications should not “getClassLoader” (Bug)
  • S3077 – Non-primitive fields should not be “volatile” (Bug)
  • S2139 – Exceptions should be either logged or rethrown but not both (Code Smell)
  • S4738 – Java 8 features should be preferred to Guava (Code Smell)
  • S4838 – An iteration on a Collection should be performed on the type handled by the Collection (Code Smell)
  • S4682 – “@CheckForNull” or “@Nullable” should not be used on primitive types (Code Smell)
  • S4925 – “Class.forName()” should not load JDBC 4.0+ drivers (Code Smell)
  • S4929 – “read(byte[],int,int)” should be overridden (Code Smell)
  • S4926 – “serialVersionUID” should not be declared blindly (Code Smell)
  • S4719 – “StandardCharsets” constants should be preferred (Code Smell)
  • S3864 – “Stream.peek” should not be used (Code Smell)
  • S3014 – “ThreadGroup” should not be used (Code Smell)

For details, see the release announcement.

Reposted from https://www.oschina.net/news/101805/sonar-5-9-released
