Sonar Java 5.9 釋出，新增 29 條規則

摘要： Sonar Java 5.9 釋出了，Sonar （SonarQube）是一個開源平臺，用於管理原始碼的質量。Sonar 不只是一個質量資料報告工具，更是程式碼質量管理平臺。支援的語言包括：Java、PHP、C#、C、Cobol、PL/SQL、Flex 等。SonarQube Java 是 S...

Sonar Java 5.9 釋出了，Sonar （SonarQube）是一個開源平臺，用於管理原始碼的質量。Sonar 不只是一個質量資料報告工具，更是程式碼質量管理平臺。支援的語言包括：Java、PHP、C#、C、Cobol、PL/SQL、Flex 等。SonarQube Java 是 Sonar 的一個外掛，用來分析 Java 程式碼。

此版本新增了 29 條無則，包括 12 條安全熱點規則（SECURITY HOTSPOTS RULES）、7 個 Bug 檢測和 10 個 Code Smell 規則。

值得介紹的是安全熱點，它是一種特殊型別的問題，它可以識別安全敏感的程式碼區域，幫助安全分析師確定程式碼是否存在漏洞。此次新增的安全熱點規則包含一些最常見的安全敏感程式碼模式，例如執行正則表示式、加密資料或控制訪問控制。此外還有涵蓋了多個框架和庫的規則，如 Guava、Apache Commons、Spring 等，每條規則都解釋了可能潛伏的危險，以確定程式碼是否易受攻擊，並提供建議。

• ofollow,noindex" target="_blank">S4817 - Executing XPath expressions is security-sensitive (Security Hotspot )

• S4784 - Using regular expressions is security-sensitive (Security Hotspot )

• S4790 - Hashing data is security-sensitive (Security Hotspot )

• S4787 - Encrypting data is security-sensitive (Security Hotspot )

• S1523 - Dynamically executing code is security-sensitive (Security Hotspot )

• S4825 - Sending HTTP requests is security-sensitive (Security Hotspot )

• S4792 - Configuring loggers is security-sensitive (Security Hotspot )

• S4834 - Controlling permissions is security-sensitive (Security Hotspot )

• S4797 - Handling files is security-sensitive (Security Hotspot )

• S4829 - Reading the Standard Input is security-sensitiv (Security Hotspot )

• S4823 - Using command line arguments is security-sensitive (Security Hotspot )

• S4818 - Using Sockets is security-sensitive (Security Hotspot )

• S3065 - Min and max used in combination should not always return the same value (Bug )

• S3078 - "volatile" variables should not be used with compound operators (Bug )

• S2689 - Files opened in append mode should not be used with ObjectOutputStream (Bug )

• S3822 - Hibernate should not update database schemas (Bug )

• S4517 - InputSteam.read() implementation should not return a signed byte (Bug )

• S3032 - JEE applications should not "getClassLoader" (Bug )

• S3077 - Non-primitive fields should not be "volatile" (Bug )

• S2139 - Exceptions should be either logged or rethrown but not both (Code Smell )

• S4738 - Java 8 features should be preferred to Guava (Code Smell )

• S4838 - An iteration on a Collection should be performed on the type handled by the Collection (Code Smell )

• S4682 - "@CheckForNull" or "@Nullable" should not be used on primitive types (Code Smell )

• S4925 - "Class.forName()" should not load JDBC 4.0+ drivers (Code Smell )

• S4929 - "read(byte[],int,int)" should be overridden (Code Smell )

• S4926 - "serialVersionUID" should not be declared blindly (Code Smell )

• S4719 - "StandardCharsets" constants should be preferred (Code Smell )

• S3864 - "Stream.peek" should not be used (Code Smell )

• S3014 - "ThreadGroup" should not be used (Code Smell )

詳情檢視釋出公告 。