Releases: SonarSource/sonar-java

8.19.0.40387

01 Oct 15:25
f89e3f9

Release notes - SonarJava - 8.19

False Positive

SONARJAVA-5706 S1166 FP when the parser gets lost due to Lombok generated methods

SONARJAVA-5713 S1176 Does not recognize parameters in markdown

SONARJAVA-5755 FP on S1133 when using forRemoval=false

Bug

SONARJAVA-5717 Fix fullyQualifiedName() on intersection types

SONARJAVA-5726 S1656 NullPointerException when classParent is null

SONARJAVA-5759 NPE on S3457 on enums declaration type

Task

SONARJAVA-5702 Update RSPEC before 8.19 release

SONARJAVA-5714 Clean common-beanutils usage in tests to suppress alert CVE-2025-48734

SONARJAVA-5720 Unify Platform Dogfooding of sonar-java

SONARJAVA-5736 Stop using org.apache.commons.lang3.SystemUtils

SONARJAVA-5737 Update README.md with copy from Product Marketing

SONARJAVA-5738 Stop using org.apache.commons.lang3.BooleanUtils

SONARJAVA-5739 Stop using org.apache.commons.lang3.ArrayUtils

SONARJAVA-5740 Stop using StringUtils::trim

SONARJAVA-5742 Add some SCA exclusions to match what's excluded for mend

SONARJAVA-5745 Stop using org.apache.commons.lang3.StringUtils::countMatches

SONARJAVA-5750 Add Jira integration

SONARJAVA-5764 Update GH release and releasability actions

SONARJAVA-5768 Update slack channel in sonar-java-jdt

SONARJAVA-5772 Remove dependency on jol-core

SONARJAVA-5782 Improve message in S112

SONARJAVA-5784 Upgrade tomcat embed dependency

SONARJAVA-5786 Bump org.springframework:spring-expression 6.1.21 -> 6.2.11 because of CVE-2025-41249

False Negative

SONARJAVA-5723 S6437 Support jsonwebtoken hmacShaKeyFor method

Documentation

SONARJAVA-5716 S5841: Fix typo in AssertJ "doesNotContain"

8.9.3.40165

15 Aug 14:03

Release notes - SonarJava - 8.9.3

Task

SONARJAVA-5651 org.sonarsource.java:java-extension-plugin should comply with maven central requirements

SONARJAVA-5732 Upgrade commons-lang3 to 3.18

SONARJAVA-5734 Prepare next development iteration

8.9.3.40136

15 Aug 09:25

Release notes - SonarJava - 8.9.3

Task

SONARJAVA-5732 Upgrade commons-lang3 to 3.18

SONARJAVA-5734 Prepare next development iteration

8.18.0.40025

21 Jul 12:09
7537787

Release notes - SonarJava - 8.18

False Positive

SONARJAVA-5678 Fix a FP case in S7479

SONARJAVA-5697 S2441 FP when Serializable is not available due to missing semantics

Bug

SONARJAVA-5685 Revert security impact from last rule metadata update

Task

SONARJAVA-5645 Update RSPEC before 8.18 release

SONARJAVA-5653 Prototyping more telemetry

SONARJAVA-5670 Make SonarComponents in JavaFrontend not @nullable.

SONARJAVA-5673 Create proxy object for sending telemetry

SONARJAVA-5675 Update dependency versions

SONARJAVA-5682 Replace use of deprecated Charsets.UTF_8 constant

SONARJAVA-5686 Report the scanner app using telemetry

SONARJAVA-5687 Delete unused test projects under "its"

SONARJAVA-5689 Aggregate telemetry measures at project level

SONARJAVA-5691 Report dependencies

SONARJAVA-5692 Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.18.0 in /java-checks-test-sources/default

SONARJAVA-5693 Report whether the analysis is autoscan

SONARJAVA-5695 Report speed of analysis and analysis errors

SONARJAVA-5698 Report Eclipse parser type errors

SONARJAVA-5703 Fix Quality Flaws caused by commons-lang3 new version

False Negative

SONARJAVA-5683 S2077 not triggered by SQL interpolation performed with String#format

8.17.1.39878

08 Jul 09:13
e4a9d2f

Release notes - SonarJava - 8.17.1

Bug

SONARJAVA-5685 Revert security impact from last rule metadata update

8.17.0.39817

04 Jul 13:47
f13e6e9

Release notes - SonarJava - 8.17

New Feature

SONARJAVA-5493 S7478: Use ClassFile::transformClass instead of ClassFile::build where possible

SONARJAVA-5494 S7477: When using ClassFile::transformClass, do not specify the new class name if it is unchanged

SONARJAVA-5500 S7479: Use ClassBuilder::withMethodBody instead of ClassBuilder::withMethod where possible

SONARJAVA-5518 S7482: For stateless Gatherers, omit the initialiser

SONARJAVA-5520 S7481: For sequential Gatherers, prefer Gatherer.ofSequential() over Gatherer.of() with a Throwing Combiner

SONARJAVA-5669 Implement rule S7629: defaultFinisher in Gather factory call

False Positive

SONARJAVA-5443 S6906 should not raise on virtual threads running synchronized code for Java 24 and greater

False Negative

SONARJAVA-5444 FN on S2093: does not raise issue on `Reader.of`

Improvement

SONARJAVA-5665 Improve S4036 message for users

SONARJAVA-5663 Expose OWASP Mobile Top 10 2024 in rule metadata

8.16.0.39645

26 Jun 14:24

Release notes - SonarJava - 8.16

New Feature

SONARJAVA-2511 Rule S4030: Collection and array contents should be used

SONARJAVA-5598 S3063: "StringBuilder" data should be used S3063

SONARJAVA-5599 S3024: Arguments to "append" should not be concatenated S3024

SONARJAVA-5602 S3033: ".length" should be used to test for the emptiness of StringBuffers S3033

Bug

SONARJAVA-5619 NPE when semantic can not resolve "java.lang.Object"

SONARJAVA-5621 Fix issue in CFG computation with generic record pattern

SONARJAVA-5628 CFG computation crashes in case of unexpected break

SONARJAVA-5630 NoSuchElementException in S3626

Task

SONARJAVA-5555 Update RSPEC before 8.16 release

SONARJAVA-5608 Update tomcat-embed-jasper from 9.0.104 to 9.0.105 to suppress alert about CVE-2025-46701

SONARJAVA-5610 Use "sonar.scanner.skipJreProvisioning" in integration tests

SONARJAVA-5613 Centralize spring fully qualified names into constants

SONARJAVA-5617 Add Java 24 projects to peach

SONARJAVA-5624 Fix coverage of JTypeSymbol new code

SONARJAVA-5625 Upgrade spring-expression to version 6.1.21 to suppress alert

SONARJAVA-5633 Expose Configuration inside ModuleScannerContext

SONARJAVA-5635 Upgrade tomcat-embed-core to version 9.0.106

SONARJAVA-5637 Remove unused collection

SONARJAVA-5651 org.sonarsource.java:java-extension-plugin should comply with maven central requirements

Improvement

SONARJAVA-5612 Add performance benchmark table to performance rules documentation

SONARJAVA-5615 Upgrade ECJ to version 3.42

SONARJAVA-5622 Extend S7158 to work with all CharSequence

Documentation

SONARJAVA-5614 Update ECJ upgrade process

8.15.0.39343

28 May 14:24

Release notes - SonarJava - 8.15

New Feature

SONARJAVA-5501 S7474: S7474 Markdown, HTML and Javadoc tags should be consistent

SONARJAVA-5537 S7476: S7476 Comments should start with the appropriate number of slashes

SONARJAVA-5544 Deprecate rule S6291 and S6300

False Positive

SONARJAVA-5377 FP on S125 on markdown comments

SONARJAVA-5445 FP on S1123 not reading @deprecated tags in markdown javadocs

SONARJAVA-5482 FP S1854 with broken semantics

SONARJAVA-5553 FP in rule S2384 on private getters

Bug

SONARJAVA-5522 S3052 should not fail to parse floats and doubles containing an underscore

Task

SONARJAVA-4634 S6437 requires a complete test source for all the methods listed in S6437-methods.json

SONARJAVA-5543 Upgrade third-party dependencies

SONARJAVA-5562 Upgrade analyzer commons to 2.17

SONARJAVA-5567 Fix failing Quality Gate: remove unused field.

SONARJAVA-5568 Create continuous releasability check

SONARJAVA-5571 Expose public api for SE engine that were mistakenly used by improper dependency

SONARJAVA-5574 Fix UpdateRuleMetadata GitHub action to also update the sonar-java-symbolic-execution-plugin rules

SONARJAVA-5593 Update spring-security-core from 6.4.5 to 6.4.6 to suppress alert about CVE-2025-41232

SONARJAVA-5601 Update rule metadata

False Negative

SONARJAVA-5552 FN in S1943 on InputStreamReader::new

8.14.1.39293

23 May 07:50
c57798d

Release notes - SonarJava - 8.14.1

Improvement

SONARJAVA-5352 Fix discrepancies between MQR and severity for Java rules

8.9.2.39294

23 May 07:58
1410108

Release notes - SonarJava - 8.9.2

Improvement

SONARJAVA-5352 Fix discrepancies between MQR and severity for Java rules