Changelog

Follow us on Twitter
Copy RSS Link
August 21, 2023
ENTERPRISE SERVER v3.23.0

Integration with VS Code

We're excited to announce DeepSource's VS Code Extension, now in private beta. You can now detect, understand, and effortlessly resolve issues directly from VS Code. You can install the plugin here. For installation steps and a quick tutorial, please read the documentation.

Support for monorepos

For teams that use a monorepo workflow for development, managing different quality and security gates for different sub-repos can be challenging, since VCS providers lack first-class support for monorepos. In this release, we've launched first-class support for monorepos. You can convert any repository on DeepSource into a monorepo and map subfolders as sub-repositories. Then, each sub-repository can be used as a first-class repository on DeepSource — complete with its own issue baseline tracking, intelligent PR checks, and quality gates. Read more about it in the docs.

New in Analyzers

We’ve added 30+ new static analysis and SAST checks:

We’ve added Autofix™ for 12 checks:

Fixes and Improvements

  • The Swift analyzer is live on Enterprise Server, with 78 checks and 15 Autofixes. Read more about it in the blog.
  • The Kotlin analyzer is live on Enterprise Server, with 50 checks. Read more about it in the blog.
  • Users can now use Autofix™️ on up to 1000 files at once.
  • We’ve made performance improvements in the PAT authentication in the public API. You should see faster response times when using the API.
  • We’ve updated broken documentation URLs being sent in commit statuses & checks.
  • We’ve fixed an issue in the Jira integration in which only the first 500 projects would be shown in the integration settings.
  • In our Secrets analyzer, we’ve added dedicated issues for tokens for 40 unique APIs. We now show specific remediation steps for these API providers. See the full list of the unique API providers with descriptions here: 
  • JAVA-W0324 is no longer reported for methods of classes that have inner classes.
  • JAVA-W1066 is no longer reported for methods defined in local types.
  • JAVA-C1003 is no longer raised for loops with multiple loop variables.
  • JAVA-W1029 is no longer raised if the resolved type is not in explicit imports.
  • JAVA-W1029 is no longer raised for swing constants such as EXIT_ON_CLOSE.
  • JAVA-W0412 is no longer reported when switch cases have the same body, but different arms.
  • JAVA-W1088 is no longer reported for classes annotated with @TestConfiguration.
  • JAVA-E1036 is no longer reported when a remove operation is done on a map which has values of the correct type.
  • JAVA-W0324 is not reported anymore for valid private methods declared and used within a nested class.
  • JAVA-W1069 is no longer reported for static symbol imports that are not unused.
  • JAVA-W1069 is no longer reported on constructor calls with empty type parameter lists (like SomeType<>(...))
  • JAVA-E1086 is no longer reported for clone calls on arrays.
  • Fixed a false positive where JAVA-W1069 was reported for symbols that existed in the same package.
  • Fixed a false positive where JAVA-W1069 was reported on constructors with empty type parameter lists.
  • JavaScript issues for imported modules no longer raise spurious parse errors
  • Fixed some bugs with ESLint's schema validation.
  • JavaScript issues JS-0059 and JS-0050 are no longer raised on the same span.
  • JS-W1042 is no longer raised in TS files.
  • JS-R1002 now respects ESLint pragmas.
  • JS-0356 and JS-0128 no longer raise false positives on Vue files.
  • PHP: we’ve added support for # for skipcq comments.
  • Scala issue SC-R1069 is no longer raised for new in apply().
  • Scala issue SC-W1083 no longer marks implicit parameters as unused.
  • We now offer support for handling compressed test coverage artifacts reported through DeepSource CLI.
June 28, 2023
ENTERPRISE SERVER v3.22.0

Integration with Vanta

Vanta is an industry leader in compliance automation — they simplify the complex, time-consuming process of preparing for SOC 2, ISO 27001, and several other compliances, and automate the implementation and monitoring of controls. We’re excited to announce our official integration with Vanta, which will allow companies to ensure they’re compliant with the controls related to source code security by discovering these issues directly in their Vanta dashboard. Please note that the Vanta integration is currently exclusive to DeepSource Cloud. Read more in the docs.

Improved user onboarding for GitHub organizations

We’ve made some significant improvements in the new user signup flow for teams that use GitHub with DeepSource:

  • New users signing up on the DeepSource instance will now be automatically added to teams they are already a part of on GitHub, eliminating the need to be added to teams explicitly.
  • In cases where a user is not associated with any GitHub team, they will be presented with a list of DeepSource Enterprise administrators during the signup process, whom they can contact to be added to a team. 
  • Only DeepSource Enterprise administrators will be directed to the installation page after signup, while other users will follow the aforementioned flow for a seamless experience.

Skip analysis for commits

You can now prevent DeepSource analysis and Transformers from running for a specific commit by simply including any of the following case-sensitive strings in the commit message: [skip ci], [ci skip], [no ci], and [skipcq]. Read more in the docs.

New in Analyzers

We’ve added 15 new static analysis and SAST checks:

We’ve added Autofix™ for 12 checks:

Fixes and Improvements

  • In the public API, a severity field has been added to Issue type. Also, the title field in Occurrence type now shows the correct value. Read more in the docs.
  • We’ve made improvements to the layout of the repository dashboard, with a cleaner look for the header and overview.
  • We’ve fixed a bug in which DeepSource was failing to store commit messages for cross-repository PRs.
  • We’ve fixed a bug where the issues list would erroneously override when navigating to a different repository while the fetching of issues, associated with the previous repository, was still in progress.
  • CS-W1063’s Autofix™ no longer fails due to improper marking lookup.
  • CS-P1005 is no longer raised if the user is checking and updating a key's value in a Dictionary.
  • CS-S1001 now excludes w3 domains.
  • CS-R1028 no longer flags ctor as empty and redundant if Serializable attribute is present.
  • TODO and FIXME tokens in a comment are now correctly identified.
  • CS-A1003 is no longer raised inside a switch case with a default label.
  • CS-W1031 now correctly detects object along with object? in parameter list.
  • JAVA-S1060 is no longer reported for fields assigned in the default constructor.
  • JAVA-W1040 is no longer reported in tests.
  • JAVA-P1002 is no longer reported if the stream class never implements any write method.
  • JAVA-W1060 is no longer reported in non-static contexts.
  • JAVA-W1037 is no longer reported for switch expressions used within return statements.
  • JAVA-W1010 is no longer reported for switch default cases with fallthrough.
  • JAVA-E1067 is no longer raised if the usage is protected by Objects.nonNull.
  • Autofix™ for JAVA-W1064 now covers more scenarios accurately.
  • JAVA-W1036 is no longer reported if the type is known to be a type parameter.
  • JAVA-E1086 is no longer reported for constructor calls without tainted arguments.
  • JAVA-W1047 no longer treats symbols in analyzer classpath as "constants".
  • JAVA-E1033 is no longer reported when a serialization proxy is used.
  • JAVA-E1054 is no longer reported for variables with implicit types.
  • JAVA-E0051 will now determine null literals more accurately.
  • JAVA-A1023 is no longer reported for safe system related intents such as ACTION_CLOSE_SYSTEM_DIALOGS.
  • JAVA-W1000 is no longer reported on anonymous classes.
  • JAVA-E1085 is no longer reported if there is no use of an iterator post modification of its originating collection.
  • JAVA-E1001 is no longer reported if an argument is casted to the correct type.
  • JAVA-W1088 now has improved detection.
  • Autofix™ for JAVA-W1025 now handles private fields with doc comments correctly.
  • JAVA-W0411 is no longer reported for if-statement chains with different conditions.
  • JAVA-E1054 will no longer report sanitized read operations.
  • JAVA-E1064 will not be raised if a var is declared outside checker scope.
  • JAVA-W0182 is no longer reported for valid exceptions deriving from custom exceptions.
  • JAVA-P0065 is no longer reported in tests.
  • JAVA-E1054 will no longer report sanitized read operations.
  • JAVA-E1064 will no longer be raised unnecessarily for variables accessed in nested classes.
  • In the JavaScript Analyzer, we now auto-detect the VueJS version now from the package.json files and raise 19 VueJS issues only on Vue3 codebases since they are not applicable in the lower versions of VueJS.
  • JavaScript issue JS-0605 is now raised only on Vue2 codebase since it is not applicable in the higher versions of VueJS.
  • We’ve fixed a bug in the JavaScript Analyzer, where test patterns were not being respected in certain cases.
  • We’ve made a fix in the PHP Analyzer which addresses duplicate issues when there is a large number of files for analysis.
  • In the Secrets Analyzer, 25 new issues have been separated for multiple providers, like AWS, GCP, Slack, Stripe, etc.

June 1, 2023
ENTERPRISE SERVER v3.21.0

Retry analysis checks

Sometimes one or more checks in an analysis run can fail due to an unexpected error during analysis or because it took too long to finish. You can now retry either an individual or all checks in a run from the run on DeepSource. Go to the History tab in your repository's dashboard, find the check you want to retry, and click the "Retry check" button. You can also retry all unsuccessful checks by clicking the "Retry all unsuccessful checks" button. Read more in the docs.

Improved user sync from GitHub

We've improved how we sync users, roles, and access control settings from GitHub on Enterprise Server, making managing your team on DeepSource easier.

  • All new users who sign up on a DeepSource Enterprise Server instance without an invite link are now automatically added to the organizations on DeepSource that they can access through GitHub.
  • Whenever you add a new user to your GitHub organization, they will automatically be added to the organization on DeepSource, if it exists. This way, you save a few clicks having to manually add them to DeepSource — even if you're not using SSO/SAML.

To start using the improved user sync from GitHub, go to the Access Control tab in your team settings and enable the "Automatically sync access settings from GitHub" toggle. Read more in the docs.

New in Analyzers

  • Ruby: You can now configure the Analyzer to skip non-public methods when calculating documentation coverage. To do this, add the non_public parameter to the skip_doc_coverage parameter in the config file.
  • We've added 39 new checks for static analysis and SAST:
  • We've added Autofix™️ for 10 checks:

Fixes and Improvements

  • We've fixed an issue where the Autofix™️ button was not visible on the history page for issues that supported Autofix™️ but were configured not to fail the analysis runs. The Autofix™️ button is now shown for all Autofix-supported issues on the runs page, regardless of their analysis run failing status.
  • The Ruby Analyzer previously miscalculated the documentation coverage metric by considering only the modified files. We have resolved this issue, ensuring the metric is accurately calculated for the entire repository.
  • We've temporarily disabled the Autofix™️ for RB-PR1017 as it needs a more comprehensive fix.
  • Autofix™️ for RB-LI1009 previously failed to generate a fix for the issue when invoked on the Socket class. This was due to the absence of a clear replacement method for the deprecated class, requiring additional user input to resolve the issue. To prevent further failures, we have disabled reporting of this issue for the Socket class.
  • We've fixed an issue where deactivated repositories' issues incorrectly appeared in the team-level Issue Distribution report, ensuring that only active repositories are included for accurate analysis.
  • Previously, the Go Analyzer faced failures in issue reporting when analyzing user packages that used Generics due to a bug in the golang.org/x/tools library. To resolve this, we updated the tools library. As a result, packages utilizing Generics will now compile without any failures, leading to improved issue reporting.
  • We've fixed an issue where Java Autofixes would produce incorrect output for strings or comments in languages other than English. This could cause characters to be jumbled or skipped.
  • We've fixed an issue where the aggregate calculation in Java Code Coverage reports was incorrect due to a slight discrepancy in the reported number of files, ensuring accurate and reliable coverage metrics.
  • We've fixed an issue where the Rust Analyzer's Autofix™ would crash when executed on the last line of a file that didn't end with a trailing newline.
  • We have disabled JAVA-E1083 and JAVA-E1084 due to problems with reliability and false positives.
  • The Autofix™️ for JAVA-W1010 will no longer move default cases to the end if we find that the default is associated with others due to a fallthrough.
  • We've fixed false negatives caused by various TypeScript rules not being enabled in VueJS files.
  • We've fixed an issue in the Secrets Analyzer where false positives were raised for generic API keys and private keys, improving the accuracy of the analysis results.
  • We've fixed several false positives in this release:
  • JAVA-S1060: We've fixed an issue where abstract Spring controller/repository classes were wrongly flagged as introducing unmanaged state variables.
  • JAVA-E1086: We've fixed an issue where variadic arguments, which are implemented using Java arrays but are effectively treated as immutable, were incorrectly reported as potentially mutable data passed into non-public fields
  • JAVA-W0182: We've fixed an issue where we incorrectly reported classes not being Exceptions/Throwables, even when named as such, because of a flaw in inheritance detection.
  • JAVA-W1060: We've fixed an issue where static field accesses were incorrectly reported as occurring before being written when these static accesses were within a nonstatic context.
  • JAVA-P0065: We've fixed an issue where we were incorrectly flagging explicit garbage collection invocation (System.gc() or Runtime.gc()) in tests. This correction was made considering its common usage in benchmarks, where explicit garbage collection can have valid applications.
  • JAVA-E1036: We've fixed an issue where we were incorrectly flagging the wrong argument type for the Collection.remove()  method due to faulty type inference in certain contexts.
  • JAVA-W0095: We've fixed an issue where we were incorrectly flagging local variables assigned in return statements due to faulty type inference in certain contexts.
  • JAVA-W1037: We've fixed an issue where we incorrectly flagged an assignment within a switch expression used as the method's return value.
  • CS-W1082: We've fixed an issue where we incorrectly reported the result of an assignment as unused when the left-hand side of the assignment was an underscore, indicating the intentional discarding of the result.
  • CS-P1003: We've fixed an issue where we were incorrectly suggesting to make static readonly fields const for structs. This recommendation was not applicable due to the inability to assign compile-time constant values to structs in C#.
  • SC-W1079: We've fixed an issue where descendant nodes in sealed entities were not properly recognized when considering case objects.
  • GO-S2307: We've fixed an issue where we were incorrectly flagging unsafe defer of .Close methods for io.ReadClosers.
  • JAVA-E1067: We've fixed an issue where nullable parameters were incorrectly flagged as needing null checks when users utilized Objects.nonNull for null verification
  • CS-P1005: We've fixed an issue where we were incorrectly recommending the use of .TryGetValue to access elements in a Dictionary, when users were checking for a key's existence and updating its value.
  • JS-0295: We've fixed an issue where we incorrectly flagged comments that had explanations in front of @ts-<pragma>.
  • JS-C1002: We've fixed an issue where we incorrectly flagged x, y, and z as variable names as found single char variable names, altho these are commonly used variable names in some contexts.
  • JS-0128: We've fixed an issue where React imports were incorrectly flagged as unused in React files for React version >= 17, as importing React is no longer required starting from React v17 due to the automatic inclusion of React in the scope with the new JSX Transform.
  • JS-0125: We've fixed an issue where we incorrectly flagged the Accelerometer variable as undefined, despite it being a valid object in specific environments or libraries
  • JAVA-E1086: We've fixed an issue where we incorrectly flagged constructor calls without tainted arguments as potential sources of mutable data passed into nonpublic fields.
  • JAVA-W1047: We've fixed an issue where the Java Analyzer incorrectly inferred certain referenced fields as constant values, leading to false positive reports.
  • JAVA-W1036: We've fixed an issue where we incorrectly flagged the declaration of a custom serialization method with an incorrect signature when a serialization proxy was being used
  • JAVA-E1054: We've fixed an issue where we incorrectly flagged the usage of boxed Boolean values in conditional expressions for lambda arguments.
  • JAVA-W1000: We've fixed an issue where we incorrectly recommended Exception classes to be appropriately named for anonymous classes, even though this naming requirement does not apply to anonymous classes as they don't need explicit names.
  • JAVA-A1023: We've fixed an issue where we incorrectly recommended specifying a target package or receiver permission for broadcasting intents, even though it is not always necessary and can be a valid use case for intents defined by the Intent class.
  • JAVA-E1085: We've fixed an issue where we incorrectly flagged iterators as being invalidated while in scope, even in cases where a specific iterator value was not used after the underlying collection was modified, which is a valid use case.
  • JAVA-E1001: We've fixed an issue where we incorrectly flagged custom serialization methods for having an incorrect signature when a serialization proxy was used, which is a valid approach in certain serialization scenarios.
  • JAVA-E1001: We've fixed an issue where we incorrectly flagged type casts in string format arguments for not matching the provided format string in String.format, even though the type casts were valid and compatible with the format specifier.
  • JAVA-W1088: We've fixed an issue where we incorrectly flagged test files for not containing tests when non-JUnit assertions were used in a JUnit test, even though these assertions were valid alternative assertion libraries compatible with JUnit.
  • CS-R1108: We've fixed an issue where we incorrectly flagged the usage of the logical not operator to invert binary expressions as affecting readability for operators defined for types, even though this usage can be a valid and readable coding style.
  • RS-E1021: We've fixed an issue where we incorrectly flagged the usage of mem::forget or mem::drop on a non-Drop type within a const context, as it is not necessary to enforce the Drop trait for constant values.
  • RS-W1031: We've fixed an issue where we incorrectly flagged the usage of unwrap_or followed by a function call for constants, as the const context does not allow calling unwrap_or_else functions, making it unnecessary to raise this warning.
  • GO-S2307: We've fixed an issue where the use of defer for .Close method on io.ReadClosers was incorrectly flagged as unsafe, despite it being a valid and safe usage.
  • PYL-R1715: We've fixed an issue where the usage of the get() method to access values from a dictionary was incorrectly flagged when used in conditionals without an else block, as this usage is valid and doesn't require an else block.
  • CS-R1109: We've fixed an issue where the missing implementation of Systems.Exception was incorrectly flagged, even in scenarios where classes inherited Exception indirectly through transitive or indirect inheritance.
  • SC-W1005: We've fixed an issue where we incorrectly flagged the usage of Exception as generic when the Exception caught was deliberately left unbound, and the catch block was intentionally left empty to suppress or silence Exceptions.
  • CS-R1046: We've fixed an issue where we incorrectly recommended dropping the explicit .Where() call to simplify the LINQ query for an overloaded version of Where() that received both the element and its position.
Apr 27, 2023
ENTERPRISE SERVER v3.20.0

Metric Thresholds for New Code

Teams usually want to create separate quality gates for the existing code and new code being added in a pull request. This helps keeping the bar strict for new changes but a little more relaxed for existing code that could have technical debt you don’t want to deal with immediately. On DeepSource, you can now set quality gates for new code based for metricss like Line Coverage, Branch Coverage, and Composite Coverage.

To set a threshold for new code, go to the Metrics tab on your repository dashboard, select the desired metric, and set the desired threshold.

New in Analyzers

  • We’ve added five new checks in this release:

Fixes and Improvements

  • We’ve fixed an issue where Autofix™️ was failing in PTC-W0049, which pertains to functions or methods with an empty body when using the ... syntax.
  • We’ve fixed an issue in the Java Analyzer where checks were not properly deduplicated, leading to multiple reports of the same check at the same location.
  • We’ve fixed several false positives in this release:
  • PY-W0074, PY-W0075: We’ve fixed an issue where the Analyzer was incorrectly suggesting the use of an all statement when an inner if statement had an else clause.
  • PYL-W0612: We’ve fixed an issue where the Analyzer was incorrectly reporting unused variables found when a variable was defined inside pytest.raises() block.
  • PYL-W0125: We’ve fixed an issue where the Analyzer was incorrectly flagging a conditional statement in a list comprehension as being used with a constant value when in fact, the conditional statement was using a @cached_property as the if-clause.
  • PYL-E0102: We’ve fixed an issue where the Analyzer was incorrectly flagging methods as being redefined when using the multipledispatch package to overload functions. The issue arose because the methods had different parameter sets, but the Analyzer was not accounting for this.
  • PY-W0069: We’ve fixed an issue where the Analyzer was incorrectly suggesting to remove the commented-out code block for comments like # --- Tests and helper.
  • CS-W1082: We’ve fixed an issue where the Analyzer was incorrectly flagging consecutive assignments as unused.
  • SC-R1061: We’ve fixed an issue where the Analyzer was not correctly taking into account the mutability of variables when compound operators, such as the += operator, were used.
Apr 21, 2023
ENTERPRISE SERVER v3.20.0

Audit Log Improvements

We’ve redesigned and improved audit logs for you to easily track and manage activity within your DeepSource workspace.

  • Team-level Audit Log: DeepSource now reports audit logs at the team level. You can easily track and manage activity within your workspace, including changes made to team membership, billing information, repository permissions, and more.
  • Search, Filter, and Export: We have further enhanced audit logs to make it easier for you to find specific events and keep track of changes made to your workspace. You can now search through your audit logs by the event name or team member email ids, export them in CSV format, and filter audit logs based on the timeframe.

Audit logs are only available for teams with a Business or Enterprise plan. You can go to your team-level or repository settings → Audit log to try the above improvements.

Issues Tab Redesign

We’ve redesigned the sidebar in the issues tab to make it easier for you to understand the various categories of code health issues identified by DeepSource. The new design categorizes issues into specific areas like Audit Required, SAST, IAC, and more, so you can focus on solving the most relevant issues for you.

You can switch to the new issue sidebar by clicking on the button at the bottom of the sidebar.

SCIM Support for Enterprise Cloud

Following the SAML-based Single Sign On release, we’ve added support for System for Cross-domain Identity Management (SCIM) in DeepSource for Enterprise Cloud users. You can use SCIM in conjunction with SAML-based SSO for real-time provisioning, updating, and de-provisioning of team members based on changes in your Identity Provider.

To enable SCIM for your team, set up Single Sign-On for your workspace and then enable SCIM from the Security tab in your team-level settings. Refer to our docs for step-by-step instructions.

Support for multiple test-coverage reports

Some teams with large repositories generate multiple test coverage reports. Previously, the Test Coverage Analyzer expected the users to send a combined coverage report. This can become difficult if multiple jobs are running independently.

DeepSource now supports the implicit merging of coverage reports for large repositories with multiple test coverage reports. You can send multiple CI-generated reports under the same key name, and we’ll combine them all for a final result, making test coverage analysis easier. Read more in the docs.

New in Analyzers

  • We now track documentation coverage in the Rust Analyzer with meta fields for configuration. Read more in the docs.
  • 50 new checks for static analysis and SAST:
  • We’ve added Autofix™️ support for 11 checks:

Fixes and Improvements

  • We’ve added meta fields for configuring documentation coverage for the Ruby Analyzer. You can add these fields in your deepsource.toml file to configure documentation coverage for your Ruby files. Read more in the docs.
  • Our public API now includes a Team object for easy querying of team member lists. Check out the docs for more information.
  • We’ve resolved an issue on the issue detail page where selecting a code block would inadvertently select the line number. You can now copy code without also copying the line number.
  • We have increased the storage limits for commit artifacts by 100 per repository to support large repositories with multiple test coverage reports.
  • We’ve fixed an issue where the user settings page was giving a server error because of a memory leak.
  • We’ve fixed four false positives:
  • CS-S1001: We have fixed an issue where address fragments were flagged as insecure endpoints.
  • JS-0125: We have fixed an issue where the rule was flagging NodeJS globals as undefined variables even when nodejs was added to the environment property in deepsource.toml file.
  • PTC-W0049: will no longer be raised if the function is decorated.
  • PYL-E1120: We have fixed a rare case where false positives were being reported when using *args.
  • We’ve fixed three Autofix™️ failures in the Ruby Analyzer:
  • RB-LI1078: We have fixed an issue where unused assignments in rescue statements were not being Autofixed.
  • RB-LI1073: We have fixed an issue where issues were being raised for instances for which Autofix™️ was not possible.
  • RB-ST1013: We have fixed an issue where issues were being raised for instances for which Autofix™️ was not possible.
Mar 30, 2023
ENTERPRISE SERVER v3.19.0

Improved commits and PRs for Autofix™️

  • Conventional commits are widely accepted standards for organizing commit history among teams. However, commits generated by DeepSource lacked adherence to any standard, leading to inconsistencies in our users’ commit history. With this update, all commits raised by DeepSource now conform to the conventional commits standard.
  • Autofix™️ pull requests created by DeepSource now include a short description of the issue they are fixing. This additional context will provide you with a better understanding of the changes proposed.
An illustrative screenshot of carry-forward inference for code coverage

Carry-forward inference for Code Coverage

Teams with large repositories and complex build processes often configure their CI not to run tests on default branch merges. This posed a problem for DeepSource since we use the analysis on default branch commits as the source of truth for metrics and issues in your baseline.

This update allows you to track code coverage metrics even when tests aren’t run on your default branch commits. DeepSource will use the last known coverage file sent for a pull request as the source of truth for coverage information after the pull request is merged into the default branch. To enable this for your repository, go to Settings → Code Coverage → and toggle “Enable report inference”.

New in Analyzers

  • 38 new checks for static analysis and SAST:
  • Autofix™️ for 12 checks

Fixes and Improvements

  • We’ve added a new general page in your team settings where you can configure your team’s SSH Keys, preference settings, VCS connections, and advanced settings such as team deletion.
  • We’ve fixed an issue where the deepsource.toml config generator commits made by DeepSource GitHub bot were not signed.
  • We’ve fixed an issue where users could access empty or repositories with disabled access during GitLab repository syncs. DeepSource now ignores such repositories while syncing.
  • We’ve fixed an issue where GitLab’s latest commit SHA was not properly synced to DeepSource.
  • We now show team-level reports and pinned reports to users in your team withContributor role and Repository-level reports and pinned reports to users with a Read Only role.
  • We’ve fixed an issue where we were showing 500 error code instead of 404 for invalid URL endpoints.
  • We’ve disabled the Autofix™️ for RB-LI1021 in the Ruby Analyzer. Some Autofixes were failing as the check for this issue didn’t have Autofix available for all cases. We will enable it again once we have resolved this.
  • We’ve removed the check with issue code BAN-B324, as it was a subset of PTC-W1003.
  • We’ve fixed an Autofix™️ failure for PTC-W0050, which was incorrectly generated when multiple decorators were present on a dataclass.
  • We’ve fixed six false positives in this release:
  • JAVA-W0324: We’ve fixed an issue where the writeReplace method was not properly recognized.
  • SC-W1067: We’ve fixed an issue where top level case objects were marked as requiring the final modifier.
  • SC-W1082: We’ve fixed an issue where the exception variable was rightly used in the case’s condition, yet was flagged as unused.
  • SC-W1083: We’ve fixed an issue where lambda parameters represented by _ were marked as unused.
  • PTC-W1006: We’ve fixed an issue where token = None was being flagged as sensitive data potentially getting exposed.
Mar 16, 2023
ENTERPRISE SERVER v3.19.0

Azure DevOps

We’re excited to announce that DeepSource cloud now supports Azure DevOps as a Version Control System (VCS) provider, in addition to GitHub, GitLab, and Bitbucket. You can now use DeepSource to monitor and improve the health of your code hosted on Azure DevOps.

To add your Azure DevOps organization to DeepSource, navigate to the account switcher on your dashboard, and create a new workspace. Read more in the docs.

Single Sign-On

DeepSource cloud now supports SAML2.0-based Single Sign-On (SSO) authentication. We have added guidelines and support for Okta, OneLogin, and Azure AD as Identity Providers.

To set up SSO for your team, navigate to the Security tab in your team-level settings or refer to our docs for step-by-step instructions.

New in Analyzers

  • We’ve added 64 new checks for static analysis and SAST:
  • We’ve added Autofix™️ for 12 checks:

Fixes and Improvements

  • We’ve added support for Python 3.11 syntax in the Python Analyzer.
  • Ruby Analyzer is now up to 19% faster. We upgraded to Ruby 3.2 and enabled YJIT, which improved the speed of analysis.
  • We’ve fixed an issue where Autofix™️ was failing when PTC-W0028 was being raised for from . import … imports.
  • We’ve fixed an issue where Autofix™️ was failing when PYL-C0325 was being raised on except keyword, such as except(Exception as exc).
  • We’ve fixed several false positives in this release:
  • JAVA-W1067: We’ve fixed an issue where we were incorrectly flagging redundant cast of return value even when suppress annotations were present. Using @SuppressWarnings("unused") will ensure it is not reported.
  • JAVA-E1034: We’ve fixed an issue where we incorrectly flagged serializable classes that used the ”serialization proxy” pattern (as described in Effective Java by Josh Bloch). The Java Analyzer will now successfully detect serialization proxy classes and will not report this issue if such a class is found.
  • JAVA-W1037: We raise this issue when a return statement contains an assignment to a local variable. It was earlier incorrectly flagged when a lambda or anonymous class, within which a local variable was assigned, was returned. Now, this issue will correctly detect such cases and avoid reporting them.
  • JAVA-E1083: We’ve fixed an issue where we were not accounting for the usage of hasText function from Apache commons with null-checking strings. We will now correctly detect null checks using this function.
  • JAVA-S1060: We’ve fixed an issue where a field was reported as not being injected correctly if the field was assigned by calling a method on a constructor parameter instead of being assigned directly. The Analyzer now correctly considers such cases.
  • JAVA-E1085: We’ve fixed an issue where the usage of System.arrayCopy was not considered during analysis. The Analyzer will now recognize calls to arrayCopy as sanitizing calls.
  • JS-0057: We’ve fixed an issue where we were incorrectly flagging parameterized constructors in TypeScript as empty constructors.
  • PTC-W1003: We’ve fixed an issue where we were incorrectly flagging hashlib methods if you pass usedforsecutiy=False as insecure functions.
  • PTC-W0018: We’ve fixed an issue where we incorrectly flagged set literals, such as list({1, 2, 1}) , as unnecessary literals.
Feb 22, 2023
ENTERPRISE SERVER v3.18.0

ClangFormat Transformer

Following the beta release of our C and C++ Analyzer, we’re excited to introduce the ClangFormat Transformer in DeepSource. By enabling this Transformer, you can automate code formatting across your C and C++ projects with ClangFormat.

Just add the following snippet in the `.deepsource.toml` file to enable the Transformer in one of your repositories.

 [[transformers]]name = "clang-format"

Refer to the docs for more details.

New in Analyzers

  • We’ve added 25 new checks for static analysis and SAST:

Breaking Changes

  • API Platform: We have added breaking changes to the schema for the Check and Repository types in our GraphQL API, which is limited to the fields related to repository metrics. This also affects the webhook payloads for the events analysis_run.started and analysis_run.updated using the same object schema as the corresponding types. We recommend handling the changes in any integrations where you consume these APIs and webhook events. Read this Discuss post for more details.

New in Enterprise Server

  • In-built APM integration: You can now directly send APM metadata to Sentry. This will help us troubleshoot better when providing support for Enterprise Server installations. Here’s how you can set it up.
  • We’ve made several optimizations to the resource utilization of analysis jobs. You’ll see considerable improvements in the resource consumption of your Enterprise server cluster.
  • BitBucket Cloud for Enterprise Server: You can now use BitBucket Cloud as a VCS provider on Enterprise Server. Here are docs to help you get started.

Fixes and Improvements

  • We’ve added the following framework issue tags to the JavaScript Analyzer: react, vue, angularjs, angular, meteor, ember. These tags allow you to search and filter issues based on frameworks. You can do this by searching for tag:react for instance, under the issue tab.
  • Issues from stale analyzers are now deleted when the deepsource.toml the file is updated.
  • Invalid lines of code, such as comments, are now implicitly ignored by the Code Coverage Analyzer.
  • We’ve improved how JS-0415 reports issues with JSX depth. It previously flagged each line in a JSX tree that exceeded the maximum depth as an individual issue occurrence. We have now modified the check only to report the parent node of the JSX tree that has at least one deeply nested statement. We have also increased the maximum depth to 4.
  • We no longer raise SC-W1067 for top-level objects as final modifier for top level object is redundant.
  • CS-R1050 We now take using block’s succeeding statements into account before suggesting the usage of using keyword.
  • We’ve made several performance optimizations to the Ruby Analyzer’s runtime. The analysis runs are now up to 15 times faster than before.
  • We’ve fixed several false positives in this release:
  • SC-R1057: We’ve fixed an issue where we were incorrectly triggering this for catch clauses with error loggers.
  • GO-S2307: We’ve fixed an issue where we were incorrectly flagging types implementing io.ReadCloser and io.ReadSeekCloser as the deferred call to Close methods for them are safe.
  • CXX-W2009, CXX-W2011: We’ve fixed an issue that incorrectly flagged a function declaration as a variable declaration due to a lack of context.
  • PYL-W0613: We’ve fixed an issue where we were incorrectly flagging arguments with defaults, such as Depends(…) and Cookie(…) as unused.
  • PY-W0069: We’ve fixed an issue where we were incorrectly flagging Big-O notation, such as # O(N + M) as commented out code block.
  • BAN-B605: We’ve fixed an issue where we were incorrectly flagging constant expressions, such as os.system("dir" if WINDOWS else "ls") as possible shell injection.
  • PTC-W0050: We’ve fixed an issue where we were incorrectly flagging function calls inside set literals, for example {foo(), foo()}, as duplicates.
  • PTC-W0051: We’ve fixed an issue where we were incorrectly flagging partially similar if-elif blocks as being similar.
  • FLK-D202: We’ve fixed an issue where we were incorrectly flagging nested async functions following docstring.
  • CS-P1003: We’ve fixed an issue where we were wrongly suggesting fields of the type object to be converted to const.
  • CS-W1064: We’ve fixed an issue where we were incorrectly flagging Type.GetType(string) as a dubious call.
  • CS-W1072: We’ve fixed an issue where we incorrectly flagged inlined fields’ assignments in constructors.
  • JAVA-W1035: We’ve fixed an issue where the instantiation of a class with only static members, which inherited nonstatic members, was reported unnecessarily.
  • JAVA-W1060: We’ve fixed an issue where static field access within annotations was incorrectly reported.
  • JAVA-W1065: We’ve fixed an issue where usage of java.util.Properties was flagged though it was valid.
  • JAVA-S1066: We’ve fixed an issue where returning a spring persistence entity class from any method would be reported. This issue will now only report request handler methods that return such entities.
  • JAVA-S1060: We’ve fixed an issue where loggers in spring web app components, which are usually not a part of an object’s state, were marked as being uninjected state. From now on, the Analyzer does not consider loggers as state variables and will not be reported.
  • JAVA-C1002 We’ve fixed an issue where the assertion would be reported when the arguments to a Junit or an AssertJ assertion were both variables. Now, the assertion is only reported when either of the arguments is a constant of some kind.
Feb 13, 2023
ENTERPRISE SERVER v3.18.0

Improved User Settings

We’ve redesigned and improved the user settings for your DeepSource account. This will make it easier for you to configure all your account and workspace settings from your dashboard.

  • Account Preferences: You can now easily add an avatar to your account, change or edit your display name, see your login connections with DeepSource, and add a new connection if required.
  • Workspaces: We’ve added a new workspaces tab in your user settings where you can see a list of all the team and personal workspaces you are a part of. You can navigate to those workspaces from here. We’ve also added a search so you can filter through the list quickly.
An illustrative screenshot of single repo manual sync from GitHub

Manually sync a single repository from GitHub

If your organization has a large number of repositories (tens of thousands), sometimes there’s a delay in syncing some of them since we don’t want to trip the API rate limits of the VCS. This might cause the repository you’re looking for not to show up when you’re trying to activate DeepSource on it.

We’ve added an option to sync repositories one at a time from the repository search interface when activating a new repository, so you don’t have to wait for DeepSource to retry by itself.

An illustrative screenshot of overriding access settings while performing a manual sync

Improved manual sync of access settings for GitHub

You can now choose whether or not you want the access settings that have been changed manually on DeepSource to be overridden when performing a manual sync. This will help remove any confusion caused by DeepSource automatically overriding these changes in the past. We also show an overview of all the changes the sync will override to help you make the decision.

New in Analyzers

  • We’ve added five new SAST checks in the JavaScript Analyzer:
  • JS-S1015: Detects insecure web preferences passed to Electron.
  • JS-S1016: Detects array index that is possibly out of bounds.
  • JS-A1005: Detects unsanitized inputs that are passed to templating engines.
  • JS-A1006: Detects server-side errors that may be exposed to the client side.
  • JS-A1007: Detects unsanitized inputs used with openExternal method of the Electron’s shell module.

Fixes and Improvements

  • We’ve improved JS-D007, an issue that flags Bad usage of RegExp#exec and String#match. We will now cover calls to RegExp function with the previously supported RegEx literals.
  • We’ve improved JS-0002, an issue that flags using console in code that runs on the browser. We will now avoid flagging console.error, console.assert, console.table, and console.warn statements since they are most likely to be used intentionally.
  • We’ve fixed three false positives in this release:
  • JS-0455: We’ve fixed an issue where sx was being incorrectly flagged as an unknown property in projects that used the ThemeUI library.
  • JS-0105: We’ve fixed an issue where we were incorrectly flagging class methods that did not use this in NestJS projects to accommodate cases of dependency injection.
  • JS-D007: We’ve fixed an issue where we incorrectly flagged regex matches even when they were being put to use. We should not recommend using Regex#test when the regex matches are used elsewhere.
Jan 25, 2023
ENTERPRISE SERVER v3.17.0

Improved role-based access sync from GitHub

Managing repository permissions and access settings for users on your GitHub and DeepSource organizations separately can be tedious as your team grows. We’ve made several improvements to how we sync permissions from GitHub to simplify this and eliminate manual effort.

  • Repository-level permissions: Repository permissions to users inherited from a team on GitHub are now correctly synced on DeepSource. Previously, only direct repository collaborator roles were synced, leading to an inconsistency in the repositories that a user could see on GitHub and DeepSource. Read more in our docs.
  • Base permissions: To help you bring parity with base permissions on GitHub, we’ve added a new No Permission option to Member Base Permissions in your team’s access control settings. Selecting this will allow members read-only access to public repositories by default. They will not have any permissions on private repositories unless some level of permission is inherited from a GitHub team or through being added as a direct repository collaborator. Read more in our docs.
  • Default Base Permission: When you connect a new GitHub organization, we will automatically sync the organization’s base permission from GitHub to DeepSource. Previously, this setting defaulted to “Maintain” on DeepSource.

Please note that automatic sync of access on repositories can affect your occupied seat count on DeepSource. For instance, if a user has a Contributor role on DeepSource but a Member or Admin role on GitHub, their role will be upgraded, and they’ll now occupy a paid seat on DeepSource. To help you keep track of this, the source of a member’s addition to the organization or a repository is now shown in the list of members in Organization → Settings → My team and Repository → Settings → Repository members.

New in Analyzers

  • We’ve added 41 new checks across our Analyzers:
  • We’ve added Autofix™️ support for four checks:

New in Enterprise Server

  • RabbitMQ High Availability: As a first step towards ensuring high availability of DeepSource Enterprise Server, DeepSource now runs RabbitMQ in HA on standalone installations.
  • Export logs to SIEM tools: You can now export your DeepSource Enterprise Server logs to the SIEM tool of your choice. Read more in our docs.

Fixes and Improvements

  • We’ve fixed an issue where the test coverage Analyzer was timing out due to a parsing issue in some test coverage report formats.
  • Added the ability to regenerate the DSN for a repository from the dashboard and the API. In light of the recent CircleCI breach, we strongly recommend that all users using CircleCI for their repositories rotate their DSNs on DeepSource. You can read more about it here.
  • Setting the enabled attribute as true is now optional in the .deepsource.toml configuration file and will be true by default. If you want to disable an Analyzer, you can comment out that Analyzer entry, or add enabled = false manually in your deepsource.toml file.
  • The Scala Analyzer now automatically detects the correct Scala version even if the version meta field in the .deepsource.toml is not specified. If you’ve already set this field value, we recommend you remove it and let the Analyzer handle it appropriately.
  • Our reports now include legends in the charts to help you quickly understand the data.
  • On the run history page, the checkbox to Autofix™️ was behaving incorrectly. This has been fixed.
  • We’ve fixed an issue where the Python Analyzer was not raising flake8-compatible issues for some Python 2.7 repositories.
  • We’ve disabled obsolete issues in the JavaScript Analyzer that enforced coding styles: JS-0229, JS-0083, JS-0113.
  • We’ve updated the issue description for JS-0002 with instructions to prevent code that runs in the NodeJS environment from being flagged.
  • We now automatically exclude auto-generated and designer files from the C# Analyzer analysis. Ideally, directories such as bin and obj should be excluded when the code is committed. However, if they were added in the commits, we were incorrectly running an analysis on them.
  • The maximum JSX nesting depth for JS-0415 has been increased from 2 to 3, as 2 was a bit too restrictive.
  • We’ve improved JS-D008, an issue that flags incorrect use of Array.prototype methods. We now cover more methods and have an improved issue description to explain possible fixes.
  • The Python Analyzer was raising both FLK-E501 (Line too long) and FLK-W505 (Doc line too long) on long extraneously long docstrings. Since this was noisy, we now raise FLK-W505 only in those instances.
  • We’ve fixed several false positives in this release:
  • JAVA-W0324: We’ve fixed an issue where the @SuppressWarnings("unused") annotation was not respected, resulting in false positives.
  • JAVA-W0324: We’ve fixed an issue where we incorrectly detected privateMethod as unused for the proper usage of private methods declared inside nested classes.
  • JAVA-W1025: We’ve fixed an issue where we incorrectly detected privateMethod as unused for private fields declared within nested classes, which were used in an outer class.
  • JAVA-P0361: We were incorrectly reporting this issue this when there was a use of Map.keySet() followed by the usage of Map.get() with the same map and the same key, even if the second access was behind some condition (such as an if statement). We’ve fixed that.
  • JAVA-W1036: We incorrectly reported this issue when the actual (the type at the usage site) generic type of a method’s parameter was java.lang.Object, and the argument passed was also of type java.lang.Object. We now correctly infer the expected generic type and avoid reporting this issue when the expected generic type and argument type match.
  • JAVA-W1069: We were incorrectly reporting this issue for certain imports. We’ve fixed this by using better algorithms to detect what types/methods/fields are imported and which are used.
  • JAVA-W1042: We were incorrectly reporting this issue for methods that throw generic exceptions (like java.lang.Exception), even if the throw was added due to a call within the method that raised the exception. Now, the Java Analyzer will attempt to discover whether any checked exceptions are thrown by some method called, and if there are, it will avoid reporting this issue.
  • JAVA-W1025: We were incorrectly reporting this issue for private fields that were annotated with @MockBeans. We’ve fixed that.
  • JAVA-E1017: We were incorrectly reporting this issue for methods that called their overloads when the overload was passed casted versions of the method’s initial arguments. We’ve fixed that.
  • PYL-W0201: For relative imports inside packages, we couldn’t infer the base classes for certain classes. We’ve fixed that.
  • GO-W1027: We’ve fixed an issue where we incorrectly flagged an empty slice literal used to declare a variable for types other than a slice. We’ve fixed that.
  • RVV-B0013: We’ve fixed an issue where we didn’t correctly flag that an unused method receiver is used when a _ is present as a receiver in methods, for example, func (_ *Foo). It is recommended to omit this receiver when unused, as it is not required.
  • CS-P1001: We were incorrectly flagging the invocation of GC-related methods in protected virtual void Dispose(bool disposing). We’ve fixed that.
  • CS-W1022: We’ve fixed an issue where declared and initialized variables in separate and succeeding lines were flagged as uninitialized.
  • CS-R1071: We’ve fixed an issue where the Analyzer incorrectly recommended replacing numeric literals, such as 3.14 and 6.28 with values from the Math class even when suffixed with suffixes such as m.
  • SC-R1015: We’ve fixed an issue where the if-else chain was not adequately evaluated, thereby erroneously marking the else in else if in an if-else chain as redundant.
  • JS-0057: We’ve fixed an issue where we were incorrectly flagging empty functions with comments inside them. Functions intentionally left empty with comment(s) inside them should not be flagged as empty.
  • JS-0394: We’ve fixed an issue where we were incorrectly flagging Nuxt’s NavLink component if it had className prop.
  • JS-0122: We’ve fixed an issue where we were incorrectly flagging TypeScript interface properties that share the same name with JS global variables.
  • JS-0330: We’ve fixed an issue where we were incorrectly flagging TypeScript code where the type of the argument passed to setTimeout is non-determinable.
  • JS-0242: Destructured object properties are no longer flagged if at least one is non-const.
  • JS-0576: OnPush is the recommended component change detection strategy in Angular. But, we used to incorrectly check for onPush and flag OnPush as incorrect. Additionally, the Autofix™️ for this was incorrect as we used to transform the code to onPush instead of OnPush. We’ve fixed these.
  • JS-D023: We’ve fixed an issue where we were incorrectly flagging code that passed any non-literal argument to child_process. We now check for cases where tainted data is passed to child_process methods.
  • BAN-B413: We’ve fixed an issue where we were incorrectly flagging the PyCryptodome library as insecure. pycryptodome is a library with an API compatible with pycrypto, but with no vulnerabilities.
  • CS-R1022: We incorrectly recommended users to remove default: break;even when a comment or pragma was associated with it. We now only recommend this issue if there are no associated user comments.