Rust Support in VS Code Extension
We are excited to announce that the DeepSource VS Code Extension now supports Rust. Rust developers can now leverage DeepSource’s static analysis capabilities from within Visual Studio Code environment to detect and fix issues using Autofix AI™.
New in Analyzers
C#:
- Added support for .NET 8.
- Implemented false positive fixes for rule CS-R1137.
Test Coverage:
- Introduced support for branch coverage in JaCoCo and Clover test reports.
JavaScript:
- Enhanced SAST issue detection with support for more libraries. This update considers additional taint sources and sinks, improving security issue coverage.
- Improved core taint analysis algorithm to detect the flow of potentially tainted data across function boundaries within the same file.
PHP:
- Added SAST issues to detect Server-Side Request Forgery (SSRF) and Local File Inclusion (LFI).
- Improved taint analysis algorithm to detect more security issues.
Java:
- Implemented false positive fixes for rules JAVA-E1013 and JAVA-W0324.
Python:
- Implemented false positive fixes for rules PYL-E0601, PYL-W0613, and PY-W0069.
Go:
- Added support for Go v1.22.5.
Fixes and Improvements:
- Issue Navigation from Reports: Added the ability to navigate directly to an issue from the Team Reports page, allowing you to narrow down to the exact issue or root cause quickly.
- Repository Activation/Deactivation API: Introduced API functionality to activate or deactivate repositories. For sample query and more information, refer to the documentation.
- Code Health Report Enhancement: Updated the Code Health report to hide the aggregate number from the chart and display the net change for the month in the dashboard, providing clearer insights into monthly progress.
Support for Java 21
DeepSource's Java Analyzer now supports Java 21, the latest long-term support (LTS) release of Java Platform.
Java 21 introduces several new features and improvements like pattern-matching for switch statements, record patterns, among several others. DeepSource can now recognize these new patterns in your code and help you find and fix code quality and security issues in them.
Follow the discussion here and let us know your feedback!
Optional merge request status checks for GitLab
You can now disable DeepSource’s external status check from being sent to GitLab. To still block the merge request due to DeepSource check failures, you can query the Analysis Run API. We’re adding a new command in our CLI to make this easier.
To read more about why we shipped this and why you need this, read the discussion here.
Community Analyzers
Community Analyzers are open-source third-party static analyzers that are executed as part of your existing CI pipeline and the results are reported to DeepSource using the OASIS standard SARIF (Static Analysis Results Interchange Format) format.
The initial release adds support for Kube Linter, Dart Analyze, Slither and AWS CloudFormation Linter, with support for more to come soon. To simplify your onboarding experience, all analyzers have pre-configured ready-to-use CI snippets tailored for popular CI providers like GitHub Actions, Circle CI, and more. Refer to the announcement blogpost for more information and documentation for detailed setup instructions.
Bitbucket Data Center
DeepSource cloud now supports Bitbucket Data Center as a Version Control System (VCS) provider, in addition to GitHub, GitLab, Bitbucket, and Azure DevOps Services. You can now use DeepSource to monitor and improve the health of your code hosted on Bitbucket Data Center.
To add your Bitbucket Data Center organization to DeepSource Enterprise Server, navigate to the account switcher on your dashboard, and create a new workspace. Read more in the docs.
Fixes and Improvements
- Autofix tab has been redesigned and moved under the history page.
- Code Coverage now has a badge which can be added to the project's README or wiki.
- Fixed a bug where the summary section on a run details page would sometimes show just an icon with no value.
- Fixed GitHub 403 errors due to suspended installation.
- Add fallback for owner logo in public reports.
- Auto delete DeepSource created branch if commit or PR creation on it fails.
- [API] Add AccountSubscription type - The plan associated with this account's subscription.
- [API] Add IgnoreRule type - An IgnoreRule defines the condition on which to suppress an Issue's Occurrences in a Repository.
- [API] Add IssueCategorySetting type - Configuration for an IssueCategory in a Repository.
Support for stacked pull-requests
We're excited to announce first-class support for stacked pull requests on DeepSource. If you're creating pull requests off existing pull requests (also known as stacking), DeepSource will now correctly diff the second pull request and show you only those issues that you're introducing in that pull requests. Prior to this, we reverted to showing you all issues present on the branch in this case (which wasn't very nice, really).
New Transformer: Ruff
Ruff seems to have taken over the Python world lately, and we're excited to support it on DeepSource today! If you're switching your code formatting on Python to Ruff, just enable the Transformer in your `.deepsource.toml` and you should be good to go. More details in the docs.
Support for GitLab subgroups
Large teams that use GitLab often use their subgroups feature to organize their projects more meaningfully. Unlike other VCS providers like GitHub or Bitbucket, however, the subgroups are a concrete namespace for the projects and not just a loose group. We're excited to announce first-class support for GitLab subgroups on DeepSource, which will allow our users on GitLab to bring all of their repositories on DeepSource.
All your nested projects, regardless of the level of nesting, should already be synced and ready on the dashboard. If you don't see a project, just sync the repositories again from the repository activation modal.
Fixes and Improvements
- Subrepos of a repository in the monorepo mode are now supported in Auto Onboard
- When creating a ticket on Atlassian Jira from DeepSource, the reporter is now set to the current user (when available)
- On Azure DevOps Sevices teams, repository syncing no longer fails when there are multiple repositories with the same name under different projects
- Committing the DeepSource config file on GitLab when branch protection rules are enabled no longer fails; it reverts to creating a merge-request now
- Transferring repositories on Bitbucket is now reflected on DeepSource automatically without having to run a manual sync
- We fixed an issue where the severity counts in the OWASP® Top 10 report were incorrect in certain cases
- We fixed an issue in our Atlassian Jira integration where the user could select an incorrect ticket type for a project
Monorepos
We're pleased to announce the general availability of the monorepo mode for repositories, including support for three new VCS providers: GitLab, Bitbucket, and Azure DevOps Services. The initial release already supported GitHub. Learn more in the docs.
Cyclomatic Complexity
We've added checks for detecting complex code based on cyclomatic complexity thresholds. You can configure the level of complexity allowed in the Anlayzer's configuration to control how strict or relaxed the threshold is. The default threshold is set to medium.
Multiple Azure DevOps Services (ADS) tenants
We've added support for multiple Azure Directories (or tenants) when using our ADS integration. It's very common for teams using ADS to have segregation of tenants for different organizations they're a part of. With this release, it's possible to log in to DeepSource teams connected to ADS organizations across several tenants with the same DeepSource user account. Read more about getting started with ADS here.
New in Analyzers
- We've added 120+ new static analysis and SAST checks in C#, Scala, Swift, Ruby, C/C++, and Kotlin Analyzers
- Scala: We've added support for reporting documentation coverage metrics
- Go: We've added support for Go v1.21.x runtime
- C/C++: We've added support for configuring the C/C++ standard to be used for compilation in the Analyzer's meta options.
Fixes and Improvements
- Auto Onboard now supports GitLab, Bitbucket, and Azure DevOps Services teams
- Transformers and Autofix™️ are now supported in Azure DevOps Services repositories
- You can now filter the list of issues in a repository's Issues tab based on severity
- Hardcoded credentials detected by the Secrets Analyzer now have a new category called Secrets
- We've fixed a bug in the Autofix tab that showed incorrect error states when the Autofix app isn't installed with proper permissions
- We've fixed the update issue priority action on the Issue Priority settings page
- Commit messages and pull requests created by Autofix™️ and Transformers now follow Conventional Commits guidelines
- The list of users in repository members is now sorted in the reverse order of permissions
- C#: Fixed Autofix failures in CS-R1032, CS-W1000.
- C#: Fixed false-positives in CS-R1060 where it was incorrectly flagging getters that cannot be converted to auto-properties.
- C#: Fixed false-positives in CS-R1137 where it was not considering field modifications and increment/decrement operations and suggesting the corresponding field to be incorrectly use readonly.
- JavaScript: Fixed scenarios where the Analyzer was not respecting ESLint global pragmas.
- JavaScript: Fixed false-positives in JS-0093 where it incorrectly flagged expect statements in test files as unused expressions.
- JavaScript: Fixed false-positives in JS-C1003. This rule now won't flag imports from certain packages that cannot be used without a wildcard.
- JavaScript: Fixed false positives in JS-0125 due to some global environments not being respected.
- Python: Fix false-positives in PTC-W0049, PTC-W0065, PYL-W0109, FLK-E101, and PYL-E1102.
- Ruby: Fix false-positives in RB-LI1078 when the assignment happens inside a case statement that is the last statement of a method, as that value gets returned implicitly from the method
- Java: Fixed false positives in JAVA-W1051, JAVA-W1004, JAVA-W1025, JAVA-E1085, JAVA-W1028, JAVA-E1109, JAVA-W1088, JAVA-W1060, JAVA-W0324, JAVA-W1042.
Integration with VS Code
We're excited to announce DeepSource's VS Code Extension, now in private beta. You can now detect, understand, and effortlessly resolve issues directly from VS Code. You can install the plugin here. For installation steps and a quick tutorial, please read the documentation.
Support for monorepos
For teams that use a monorepo workflow for development, managing different quality and security gates for different sub-repos can be challenging, since VCS providers lack first-class support for monorepos. In this release, we've launched first-class support for monorepos. You can convert any repository on DeepSource into a monorepo and map subfolders as sub-repositories. Then, each sub-repository can be used as a first-class repository on DeepSource — complete with its own issue baseline tracking, intelligent PR checks, and quality gates. Read more about it in the docs.
New in Analyzers
We’ve added 30+ new static analysis and SAST checks:
- C#: CS-R1131, CS-R1132, CS-R1133, and CS-R1134
- Java: JAVA-E1109, JAVA-E1089, JAVA-W1090, JAVA-W1091, JAVA-W1092, JAVA-W1093, JAVA-W1094, JAVA-W1096, JAVA-W1097
- JavaScript: JS-W1042, JS-W1043, JS-W1044
- Scala: SC-R1074, SC-R1075, SC-R1076, SC-R1077, SC-R1078, SC-R1079, SC-R1080, SC-R1081, SC-R1082, SC-W1087, SC-W1088
- Ruby: RB-E1009, RB-S1004, RB-S1005
We’ve added Autofix™ for 12 checks:
- JavaScript: JS-W1042, JS-W1044
- Java: JAVA-W1086, JAVA-W1016, JAVA-E1097, JAVA-W1031, JAVA-E1063, JAVA-E1032, JAVA-W1038, JAVA-E1042, JAVA-W1091
Fixes and Improvements
- The Swift analyzer is live on Enterprise Server, with 78 checks and 15 Autofixes. Read more about it in the blog.
- The Kotlin analyzer is live on Enterprise Server, with 50 checks. Read more about it in the blog.
- Users can now use Autofix™️ on up to 1000 files at once.
- We’ve made performance improvements in the PAT authentication in the public API. You should see faster response times when using the API.
- We’ve updated broken documentation URLs being sent in commit statuses & checks.
- We’ve fixed an issue in the Jira integration in which only the first 500 projects would be shown in the integration settings.
- In our Secrets analyzer, we’ve added dedicated issues for tokens for 40 unique APIs. We now show specific remediation steps for these API providers. See the full list of the unique API providers with descriptions here:
- JAVA-W0324 is no longer reported for methods of classes that have inner classes.
- JAVA-W1066 is no longer reported for methods defined in local types.
- JAVA-C1003 is no longer raised for loops with multiple loop variables.
- JAVA-W1029 is no longer raised if the resolved type is not in explicit imports.
- JAVA-W1029 is no longer raised for swing constants such as EXIT_ON_CLOSE.
- JAVA-W0412 is no longer reported when switch cases have the same body, but different arms.
- JAVA-W1088 is no longer reported for classes annotated with @TestConfiguration.
- JAVA-E1036 is no longer reported when a remove operation is done on a map which has values of the correct type.
- JAVA-W0324 is not reported anymore for valid private methods declared and used within a nested class.
- JAVA-W1069 is no longer reported for static symbol imports that are not unused.
- JAVA-W1069 is no longer reported on constructor calls with empty type parameter lists (like SomeType<>(...))
- JAVA-E1086 is no longer reported for clone calls on arrays.
- Fixed a false positive where JAVA-W1069 was reported for symbols that existed in the same package.
- Fixed a false positive where JAVA-W1069 was reported on constructors with empty type parameter lists.
- JavaScript issues for imported modules no longer raise spurious parse errors
- Fixed some bugs with ESLint's schema validation.
- JavaScript issues JS-0059 and JS-0050 are no longer raised on the same span.
- JS-W1042 is no longer raised in TS files.
- JS-R1002 now respects ESLint pragmas.
- JS-0356 and JS-0128 no longer raise false positives on Vue files.
- PHP: we’ve added support for # for skipcq comments.
- Scala issue SC-R1069 is no longer raised for new in apply().
- Scala issue SC-W1083 no longer marks implicit parameters as unused.
- We now offer support for handling compressed test coverage artifacts reported through DeepSource CLI.
Integration with Vanta
Vanta is an industry leader in compliance automation — they simplify the complex, time-consuming process of preparing for SOC 2, ISO 27001, and several other compliances, and automate the implementation and monitoring of controls. We’re excited to announce our official integration with Vanta, which will allow companies to ensure they’re compliant with the controls related to source code security by discovering these issues directly in their Vanta dashboard. Please note that the Vanta integration is currently exclusive to DeepSource Cloud. Read more in the docs.
Improved user onboarding for GitHub organizations
We’ve made some significant improvements in the new user signup flow for teams that use GitHub with DeepSource:
- New users signing up on the DeepSource instance will now be automatically added to teams they are already a part of on GitHub, eliminating the need to be added to teams explicitly.
- In cases where a user is not associated with any GitHub team, they will be presented with a list of DeepSource Enterprise administrators during the signup process, whom they can contact to be added to a team.
- Only DeepSource Enterprise administrators will be directed to the installation page after signup, while other users will follow the aforementioned flow for a seamless experience.
Skip analysis for commits
You can now prevent DeepSource analysis and Transformers from running for a specific commit by simply including any of the following case-sensitive strings in the commit message: [skip ci], [ci skip], [no ci], and [skipcq]. Read more in the docs.
New in Analyzers
We’ve added 15 new static analysis and SAST checks:
- C#: CS-P1022, CS-P1023, CS-R1126, CS-R1127, CS-R1129, CS-R1130, CS-W1088.
- Java: JAVA-W1087, JAVA-E1107, JAVA-W1086, JAVA-W1088
- JavaScript: JS-W1041, JS-W1042
- Rust: RS-W1135, RS-A1010
We’ve added Autofix™ for 12 checks:
- JavaScript: JS-W1042
- Java: JAVA-E1106, JAVA-W1057, JAVA-W1070, JAVA-W1063, JAVA-W1029, JAVA-W1028, JAVA-W1077, JAVA-W0077, JAVA-W1064, JAVA-W1025, JAVA-W0417, and JAVA-W1030
Fixes and Improvements
- In the public API, a severity field has been added to Issue type. Also, the title field in Occurrence type now shows the correct value. Read more in the docs.
- We’ve made improvements to the layout of the repository dashboard, with a cleaner look for the header and overview.
- We’ve fixed a bug in which DeepSource was failing to store commit messages for cross-repository PRs.
- We’ve fixed a bug where the issues list would erroneously override when navigating to a different repository while the fetching of issues, associated with the previous repository, was still in progress.
- CS-W1063’s Autofix™ no longer fails due to improper marking lookup.
- CS-P1005 is no longer raised if the user is checking and updating a key's value in a Dictionary.
- CS-S1001 now excludes w3 domains.
- CS-R1028 no longer flags ctor as empty and redundant if Serializable attribute is present.
- TODO and FIXME tokens in a comment are now correctly identified.
- CS-A1003 is no longer raised inside a switch case with a default label.
- CS-W1031 now correctly detects object along with object? in parameter list.
- JAVA-S1060 is no longer reported for fields assigned in the default constructor.
- JAVA-W1040 is no longer reported in tests.
- JAVA-P1002 is no longer reported if the stream class never implements any write method.
- JAVA-W1060 is no longer reported in non-static contexts.
- JAVA-W1037 is no longer reported for switch expressions used within return statements.
- JAVA-W1010 is no longer reported for switch default cases with fallthrough.
- JAVA-E1067 is no longer raised if the usage is protected by Objects.nonNull.
- Autofix™ for JAVA-W1064 now covers more scenarios accurately.
- JAVA-W1036 is no longer reported if the type is known to be a type parameter.
- JAVA-E1086 is no longer reported for constructor calls without tainted arguments.
- JAVA-W1047 no longer treats symbols in analyzer classpath as "constants".
- JAVA-E1033 is no longer reported when a serialization proxy is used.
- JAVA-E1054 is no longer reported for variables with implicit types.
- JAVA-E0051 will now determine null literals more accurately.
- JAVA-A1023 is no longer reported for safe system related intents such as ACTION_CLOSE_SYSTEM_DIALOGS.
- JAVA-W1000 is no longer reported on anonymous classes.
- JAVA-E1085 is no longer reported if there is no use of an iterator post modification of its originating collection.
- JAVA-E1001 is no longer reported if an argument is casted to the correct type.
- JAVA-W1088 now has improved detection.
- Autofix™ for JAVA-W1025 now handles private fields with doc comments correctly.
- JAVA-W0411 is no longer reported for if-statement chains with different conditions.
- JAVA-E1054 will no longer report sanitized read operations.
- JAVA-E1064 will not be raised if a var is declared outside checker scope.
- JAVA-W0182 is no longer reported for valid exceptions deriving from custom exceptions.
- JAVA-P0065 is no longer reported in tests.
- JAVA-E1054 will no longer report sanitized read operations.
- JAVA-E1064 will no longer be raised unnecessarily for variables accessed in nested classes.
- In the JavaScript Analyzer, we now auto-detect the VueJS version now from the package.json files and raise 19 VueJS issues only on Vue3 codebases since they are not applicable in the lower versions of VueJS.
- JavaScript issue JS-0605 is now raised only on Vue2 codebase since it is not applicable in the higher versions of VueJS.
- We’ve fixed a bug in the JavaScript Analyzer, where test patterns were not being respected in certain cases.
- We’ve made a fix in the PHP Analyzer which addresses duplicate issues when there is a large number of files for analysis.
- In the Secrets Analyzer, 25 new issues have been separated for multiple providers, like AWS, GCP, Slack, Stripe, etc.
Retry analysis checks
Sometimes one or more checks in an analysis run can fail due to an unexpected error during analysis or because it took too long to finish. You can now retry either an individual or all checks in a run from the run on DeepSource. Go to the History tab in your repository's dashboard, find the check you want to retry, and click the "Retry check" button. You can also retry all unsuccessful checks by clicking the "Retry all unsuccessful checks" button. Read more in the docs.
Improved user sync from GitHub
We've improved how we sync users, roles, and access control settings from GitHub on Enterprise Server, making managing your team on DeepSource easier.
- All new users who sign up on a DeepSource Enterprise Server instance without an invite link are now automatically added to the organizations on DeepSource that they can access through GitHub.
- Whenever you add a new user to your GitHub organization, they will automatically be added to the organization on DeepSource, if it exists. This way, you save a few clicks having to manually add them to DeepSource — even if you're not using SSO/SAML.
To start using the improved user sync from GitHub, go to the Access Control tab in your team settings and enable the "Automatically sync access settings from GitHub" toggle. Read more in the docs.
New in Analyzers
- Ruby: You can now configure the Analyzer to skip non-public methods when calculating documentation coverage. To do this, add the non_public parameter to the skip_doc_coverage parameter in the config file.
- We've added 39 new checks for static analysis and SAST:
- C#: CS-R1122, CS-R1123, CS-R1124, CS-R1125, CS-W1085, CS-W1086, CS-W1087, CS-P1022, CS-R1126, CS-R1127
- Ruby: RB-S1002, RB-S1003
- Java: JAVA-W1087, JAVA-E1107, JAVA-W1086, JAVA-E1109, JAVA-W1088
- Rust: RS-W1133, RS-A1009, RS-W1134
- Docker: DOK-W1002, DOK-W1003, DOK-W1004, DOK-W1005, DOK-W1006, DOK-W1007, DOK-W1008, DOK-W1009, DOK-W1010, DOK-W1011, DOK-E1002
- SQL: SQL-L031, SQL-L032, SQL-L033, SQL-L034, SQL-L035, SQL-L036, SQL-L037, SQL-L038, SQL-L039, SQL-L040, SQL-L041, SQL-L042, SQL-L043, SQL-L044, SQL-L045, SQL-L047, SQL-L048, SQL-L049, SQL-L050, SQL-L051, SQL-L052, SQL-L053, SQL-L054, SQL-L055, SQL-L058
- We've added Autofix™️ for 10 checks:
- Java: JAVA-W1070, JAVA-W1063, JAVA-W1029, JAVA-W1028, JAVA-W1025, JAVA-W0417, JAVA-W1030, JAVA-W1077, JAVA-W0077, JAVA-W1064, JAVA-W1086
- C#: CS-R1122, CS-R1123, CS-W1016, CS-R1126, CS-R1127.
Fixes and Improvements
- We've fixed an issue where the Autofix™️ button was not visible on the history page for issues that supported Autofix™️ but were configured not to fail the analysis runs. The Autofix™️ button is now shown for all Autofix-supported issues on the runs page, regardless of their analysis run failing status.
- The Ruby Analyzer previously miscalculated the documentation coverage metric by considering only the modified files. We have resolved this issue, ensuring the metric is accurately calculated for the entire repository.
- We've temporarily disabled the Autofix™️ for RB-PR1017 as it needs a more comprehensive fix.
- Autofix™️ for RB-LI1009 previously failed to generate a fix for the issue when invoked on the Socket class. This was due to the absence of a clear replacement method for the deprecated class, requiring additional user input to resolve the issue. To prevent further failures, we have disabled reporting of this issue for the Socket class.
- We've fixed an issue where deactivated repositories' issues incorrectly appeared in the team-level Issue Distribution report, ensuring that only active repositories are included for accurate analysis.
- Previously, the Go Analyzer faced failures in issue reporting when analyzing user packages that used Generics due to a bug in the golang.org/x/tools library. To resolve this, we updated the tools library. As a result, packages utilizing Generics will now compile without any failures, leading to improved issue reporting.
- We've fixed an issue where Java Autofixes would produce incorrect output for strings or comments in languages other than English. This could cause characters to be jumbled or skipped.
- We've fixed an issue where the aggregate calculation in Java Code Coverage reports was incorrect due to a slight discrepancy in the reported number of files, ensuring accurate and reliable coverage metrics.
- We've fixed an issue where the Rust Analyzer's Autofix™ would crash when executed on the last line of a file that didn't end with a trailing newline.
- We have disabled JAVA-E1083 and JAVA-E1084 due to problems with reliability and false positives.
- The Autofix™️ for JAVA-W1010 will no longer move default cases to the end if we find that the default is associated with others due to a fallthrough.
- We've fixed false negatives caused by various TypeScript rules not being enabled in VueJS files.
- We've fixed an issue in the Secrets Analyzer where false positives were raised for generic API keys and private keys, improving the accuracy of the analysis results.
- We've fixed several false positives in this release:
- JAVA-S1060: We've fixed an issue where abstract Spring controller/repository classes were wrongly flagged as introducing unmanaged state variables.
- JAVA-E1086: We've fixed an issue where variadic arguments, which are implemented using Java arrays but are effectively treated as immutable, were incorrectly reported as potentially mutable data passed into non-public fields
- JAVA-W0182: We've fixed an issue where we incorrectly reported classes not being Exceptions/Throwables, even when named as such, because of a flaw in inheritance detection.
- JAVA-W1060: We've fixed an issue where static field accesses were incorrectly reported as occurring before being written when these static accesses were within a nonstatic context.
- JAVA-P0065: We've fixed an issue where we were incorrectly flagging explicit garbage collection invocation (System.gc() or Runtime.gc()) in tests. This correction was made considering its common usage in benchmarks, where explicit garbage collection can have valid applications.
- JAVA-E1036: We've fixed an issue where we were incorrectly flagging the wrong argument type for the Collection.remove() method due to faulty type inference in certain contexts.
- JAVA-W0095: We've fixed an issue where we were incorrectly flagging local variables assigned in return statements due to faulty type inference in certain contexts.
- JAVA-W1037: We've fixed an issue where we incorrectly flagged an assignment within a switch expression used as the method's return value.
- CS-W1082: We've fixed an issue where we incorrectly reported the result of an assignment as unused when the left-hand side of the assignment was an underscore, indicating the intentional discarding of the result.
- CS-P1003: We've fixed an issue where we were incorrectly suggesting to make static readonly fields const for structs. This recommendation was not applicable due to the inability to assign compile-time constant values to structs in C#.
- SC-W1079: We've fixed an issue where descendant nodes in sealed entities were not properly recognized when considering case objects.
- GO-S2307: We've fixed an issue where we were incorrectly flagging unsafe defer of .Close methods for io.ReadClosers.
- JAVA-E1067: We've fixed an issue where nullable parameters were incorrectly flagged as needing null checks when users utilized Objects.nonNull for null verification
- CS-P1005: We've fixed an issue where we were incorrectly recommending the use of .TryGetValue to access elements in a Dictionary, when users were checking for a key's existence and updating its value.
- JS-0295: We've fixed an issue where we incorrectly flagged comments that had explanations in front of @ts-<pragma>.
- JS-C1002: We've fixed an issue where we incorrectly flagged x, y, and z as variable names as found single char variable names, altho these are commonly used variable names in some contexts.
- JS-0128: We've fixed an issue where React imports were incorrectly flagged as unused in React files for React version >= 17, as importing React is no longer required starting from React v17 due to the automatic inclusion of React in the scope with the new JSX Transform.
- JS-0125: We've fixed an issue where we incorrectly flagged the Accelerometer variable as undefined, despite it being a valid object in specific environments or libraries
- JAVA-E1086: We've fixed an issue where we incorrectly flagged constructor calls without tainted arguments as potential sources of mutable data passed into nonpublic fields.
- JAVA-W1047: We've fixed an issue where the Java Analyzer incorrectly inferred certain referenced fields as constant values, leading to false positive reports.
- JAVA-W1036: We've fixed an issue where we incorrectly flagged the declaration of a custom serialization method with an incorrect signature when a serialization proxy was being used
- JAVA-E1054: We've fixed an issue where we incorrectly flagged the usage of boxed Boolean values in conditional expressions for lambda arguments.
- JAVA-W1000: We've fixed an issue where we incorrectly recommended Exception classes to be appropriately named for anonymous classes, even though this naming requirement does not apply to anonymous classes as they don't need explicit names.
- JAVA-A1023: We've fixed an issue where we incorrectly recommended specifying a target package or receiver permission for broadcasting intents, even though it is not always necessary and can be a valid use case for intents defined by the Intent class.
- JAVA-E1085: We've fixed an issue where we incorrectly flagged iterators as being invalidated while in scope, even in cases where a specific iterator value was not used after the underlying collection was modified, which is a valid use case.
- JAVA-E1001: We've fixed an issue where we incorrectly flagged custom serialization methods for having an incorrect signature when a serialization proxy was used, which is a valid approach in certain serialization scenarios.
- JAVA-E1001: We've fixed an issue where we incorrectly flagged type casts in string format arguments for not matching the provided format string in String.format, even though the type casts were valid and compatible with the format specifier.
- JAVA-W1088: We've fixed an issue where we incorrectly flagged test files for not containing tests when non-JUnit assertions were used in a JUnit test, even though these assertions were valid alternative assertion libraries compatible with JUnit.
- CS-R1108: We've fixed an issue where we incorrectly flagged the usage of the logical not operator to invert binary expressions as affecting readability for operators defined for types, even though this usage can be a valid and readable coding style.
- RS-E1021: We've fixed an issue where we incorrectly flagged the usage of mem::forget or mem::drop on a non-Drop type within a const context, as it is not necessary to enforce the Drop trait for constant values.
- RS-W1031: We've fixed an issue where we incorrectly flagged the usage of unwrap_or followed by a function call for constants, as the const context does not allow calling unwrap_or_else functions, making it unnecessary to raise this warning.
- GO-S2307: We've fixed an issue where the use of defer for .Close method on io.ReadClosers was incorrectly flagged as unsafe, despite it being a valid and safe usage.
- PYL-R1715: We've fixed an issue where the usage of the get() method to access values from a dictionary was incorrectly flagged when used in conditionals without an else block, as this usage is valid and doesn't require an else block.
- CS-R1109: We've fixed an issue where the missing implementation of Systems.Exception was incorrectly flagged, even in scenarios where classes inherited Exception indirectly through transitive or indirect inheritance.
- SC-W1005: We've fixed an issue where we incorrectly flagged the usage of Exception as generic when the Exception caught was deliberately left unbound, and the catch block was intentionally left empty to suppress or silence Exceptions.
- CS-R1046: We've fixed an issue where we incorrectly recommended dropping the explicit .Where() call to simplify the LINQ query for an overloaded version of Where() that received both the element and its position.
Metric Thresholds for New Code
Teams usually want to create separate quality gates for the existing code and new code being added in a pull request. This helps keeping the bar strict for new changes but a little more relaxed for existing code that could have technical debt you don’t want to deal with immediately. On DeepSource, you can now set quality gates for new code based for metricss like Line Coverage, Branch Coverage, and Composite Coverage.
To set a threshold for new code, go to the Metrics tab on your repository dashboard, select the desired metric, and set the desired threshold.
New in Analyzers
- We’ve added five new checks in this release:
- C#: CS-R1118, CS-R1119, CS-R11120, CS-R1121.
- Scala: SC-W1086.
- We’ve added support for Autofix™️ in 6 new checks:
- Java: JAVA-W1058, JAVA-E0051, JAVA-E0348, JAVA-E1044.
- Python: PY-W0078, PY-W0079.
Fixes and Improvements
- We’ve fixed an issue where Autofix™️ was failing in PTC-W0049, which pertains to functions or methods with an empty body when using the ... syntax.
- We’ve fixed an issue in the Java Analyzer where checks were not properly deduplicated, leading to multiple reports of the same check at the same location.
- We’ve fixed several false positives in this release:
- PY-W0074, PY-W0075: We’ve fixed an issue where the Analyzer was incorrectly suggesting the use of an all statement when an inner if statement had an else clause.
- PYL-W0612: We’ve fixed an issue where the Analyzer was incorrectly reporting unused variables found when a variable was defined inside pytest.raises() block.
- PYL-W0125: We’ve fixed an issue where the Analyzer was incorrectly flagging a conditional statement in a list comprehension as being used with a constant value when in fact, the conditional statement was using a @cached_property as the if-clause.
- PYL-E0102: We’ve fixed an issue where the Analyzer was incorrectly flagging methods as being redefined when using the multipledispatch package to overload functions. The issue arose because the methods had different parameter sets, but the Analyzer was not accounting for this.
- PY-W0069: We’ve fixed an issue where the Analyzer was incorrectly suggesting to remove the commented-out code block for comments like # --- Tests and helper.
- CS-W1082: We’ve fixed an issue where the Analyzer was incorrectly flagging consecutive assignments as unused.
- SC-R1061: We’ve fixed an issue where the Analyzer was not correctly taking into account the mutability of variables when compound operators, such as the += operator, were used.
Audit Log Improvements
We’ve redesigned and improved audit logs for you to easily track and manage activity within your DeepSource workspace.
- Team-level Audit Log: DeepSource now reports audit logs at the team level. You can easily track and manage activity within your workspace, including changes made to team membership, billing information, repository permissions, and more.
- Search, Filter, and Export: We have further enhanced audit logs to make it easier for you to find specific events and keep track of changes made to your workspace. You can now search through your audit logs by the event name or team member email ids, export them in CSV format, and filter audit logs based on the timeframe.
Audit logs are only available for teams with a Business or Enterprise plan. You can go to your team-level or repository settings → Audit log to try the above improvements.
Issues Tab Redesign
We’ve redesigned the sidebar in the issues tab to make it easier for you to understand the various categories of code health issues identified by DeepSource. The new design categorizes issues into specific areas like Audit Required, SAST, IAC, and more, so you can focus on solving the most relevant issues for you.
You can switch to the new issue sidebar by clicking on the button at the bottom of the sidebar.
SCIM Support for Enterprise Cloud
Following the SAML-based Single Sign On release, we’ve added support for System for Cross-domain Identity Management (SCIM) in DeepSource for Enterprise Cloud users. You can use SCIM in conjunction with SAML-based SSO for real-time provisioning, updating, and de-provisioning of team members based on changes in your Identity Provider.
To enable SCIM for your team, set up Single Sign-On for your workspace and then enable SCIM from the Security tab in your team-level settings. Refer to our docs for step-by-step instructions.
Support for multiple test-coverage reports
Some teams with large repositories generate multiple test coverage reports. Previously, the Test Coverage Analyzer expected the users to send a combined coverage report. This can become difficult if multiple jobs are running independently.
DeepSource now supports the implicit merging of coverage reports for large repositories with multiple test coverage reports. You can send multiple CI-generated reports under the same key name, and we’ll combine them all for a final result, making test coverage analysis easier. Read more in the docs.
New in Analyzers
- We now track documentation coverage in the Rust Analyzer with meta fields for configuration. Read more in the docs.
- 50 new checks for static analysis and SAST:
- C & C++: CXX-W2030, CXX-W2031, CXX-W2032, CXX-W2033, CXX-W2034, CXX-W2035, CXX-W2036, CXX-W2037, CXX-A1003, CXX-C1002
- C#: CS-R1111, CS-R1112, CS-R1113, CS-R1114, CS-R1115, CS-R1116, CS-W1083, CS-W1084
- Scala: SC-A1005, SC-R1071, SC-W1084, SC-W1085
- JavaScript: JS-W1040
- Rust: RS-E1034, RS-W1132, RS-W1128, RS-W1130, RS-C1016, RS-E1035, RS-W1129, RS-A1008, RS-W1131, RS-C1015, RS-W1116, RS-W1119, RS-P1009, RS-E1026, RS-E1027, RS-E1028, RS-E1029, RS-E1030, RS-E1031, RS-E1032, RS-W1123, RS-W1124, RS-W1125, RS-W1126, RS-W1127
- Java: JAVA-E1106, JAVA-E0321
- We’ve added Autofix™️ support for 11 checks:
- C#: CS-R1032, CS-R1107, CS-R1113, CS-W1069, CS-W1084
- Java: JAVA-W0379, JAVA-W1010, JAVA-W1032, JAVA-W1075
- JavaScript: JS-W1040
Fixes and Improvements
- We’ve added meta fields for configuring documentation coverage for the Ruby Analyzer. You can add these fields in your deepsource.toml file to configure documentation coverage for your Ruby files. Read more in the docs.
- Our public API now includes a Team object for easy querying of team member lists. Check out the docs for more information.
- We’ve resolved an issue on the issue detail page where selecting a code block would inadvertently select the line number. You can now copy code without also copying the line number.
- We have increased the storage limits for commit artifacts by 100 per repository to support large repositories with multiple test coverage reports.
- We’ve fixed an issue where the user settings page was giving a server error because of a memory leak.
- We’ve fixed four false positives:
- CS-S1001: We have fixed an issue where address fragments were flagged as insecure endpoints.
- JS-0125: We have fixed an issue where the rule was flagging NodeJS globals as undefined variables even when nodejs was added to the environment property in deepsource.toml file.
- PTC-W0049: will no longer be raised if the function is decorated.
- PYL-E1120: We have fixed a rare case where false positives were being reported when using *args.
- We’ve fixed three Autofix™️ failures in the Ruby Analyzer:
- RB-LI1078: We have fixed an issue where unused assignments in rescue statements were not being Autofixed.
- RB-LI1073: We have fixed an issue where issues were being raised for instances for which Autofix™️ was not possible.
- RB-ST1013: We have fixed an issue where issues were being raised for instances for which Autofix™️ was not possible.