Retry analysis checks
Sometimes one or more checks in an analysis run can fail, either because of an unexpected error during analysis or because the check took too long to finish. You can now retry an individual check, or all checks in a run, directly from the run on DeepSource. Go to the History tab in your repository's dashboard, find the check you want to retry, and click the "Retry check" button. You can also retry all unsuccessful checks by clicking the "Retry all unsuccessful checks" button. Read more in the docs.
Improved user sync from GitHub
We've improved how we sync users, roles, and access control settings from GitHub on Enterprise Server, making managing your team on DeepSource easier.
- All new users who sign up on a DeepSource Enterprise Server instance without an invite link are now automatically added to the organizations on DeepSource that they can access through GitHub.
- Whenever you add a new user to your GitHub organization, they will automatically be added to the organization on DeepSource, if it exists. This saves you the few clicks of adding them to DeepSource manually, even if you're not using SSO/SAML.
To start using the improved user sync from GitHub, go to the Access Control tab in your team settings and enable the "Automatically sync access settings from GitHub" toggle. Read more in the docs.
New in Analyzers
- Ruby: You can now configure the Analyzer to skip non-public methods when calculating documentation coverage. To do this, add the non_public parameter to the skip_doc_coverage parameter in the config file.
- We've added 39 new checks for static analysis and SAST:
  - C#: CS-R1122, CS-R1123, CS-R1124, CS-R1125, CS-W1085, CS-W1086, CS-W1087, CS-P1022, CS-R1126, CS-R1127
  - Ruby: RB-S1002, RB-S1003
  - Java: JAVA-W1087, JAVA-E1107, JAVA-W1086, JAVA-E1109, JAVA-W1088
  - Rust: RS-W1133, RS-A1009, RS-W1134
  - Docker: DOK-W1002, DOK-W1003, DOK-W1004, DOK-W1005, DOK-W1006, DOK-W1007, DOK-W1008, DOK-W1009, DOK-W1010, DOK-W1011, DOK-E1002
  - SQL: SQL-L031, SQL-L032, SQL-L033, SQL-L034, SQL-L035, SQL-L036, SQL-L037, SQL-L038, SQL-L039, SQL-L040, SQL-L041, SQL-L042, SQL-L043, SQL-L044, SQL-L045, SQL-L047, SQL-L048, SQL-L049, SQL-L050, SQL-L051, SQL-L052, SQL-L053, SQL-L054, SQL-L055, SQL-L058
- We've added Autofix™️ for 10 checks:
  - Java: JAVA-W1070, JAVA-W1063, JAVA-W1029, JAVA-W1028, JAVA-W1025, JAVA-W0417, JAVA-W1030, JAVA-W1077, JAVA-W0077, JAVA-W1064, JAVA-W1086
  - C#: CS-R1122, CS-R1123, CS-W1016, CS-R1126, CS-R1127
Fixes and Improvements
- We've fixed an issue where the Autofix™️ button was not visible on the history page for issues that supported Autofix™️ but were configured not to fail the analysis runs. The Autofix™️ button is now shown for all Autofix-supported issues on the runs page, regardless of their analysis run failing status.
- The Ruby Analyzer previously miscalculated the documentation coverage metric by considering only the modified files. We have resolved this issue, ensuring the metric is accurately calculated for the entire repository.
- We've temporarily disabled the Autofix™️ for RB-PR1017 as it needs a more comprehensive fix.
- Autofix™️ for RB-LI1009 previously failed to generate a fix for the issue when invoked on the Socket class. This was due to the absence of a clear replacement method for the deprecated class, requiring additional user input to resolve the issue. To prevent further failures, we have disabled reporting of this issue for the Socket class.
- We've fixed an issue where deactivated repositories' issues incorrectly appeared in the team-level Issue Distribution report, ensuring that only active repositories are included for accurate analysis.
- Previously, the Go Analyzer faced failures in issue reporting when analyzing user packages that used Generics due to a bug in the golang.org/x/tools library. To resolve this, we updated the tools library. As a result, packages utilizing Generics will now compile without any failures, leading to improved issue reporting.
- We've fixed an issue where Java Autofixes would produce incorrect output for strings or comments in languages other than English. This could cause characters to be jumbled or skipped.
- We've fixed an issue where the aggregate calculation in Java Code Coverage reports was incorrect due to a slight discrepancy in the reported number of files, ensuring accurate and reliable coverage metrics.
- We've fixed an issue where the Rust Analyzer's Autofix™ would crash when executed on the last line of a file that didn't end with a trailing newline.
- We have disabled JAVA-E1083 and JAVA-E1084 due to problems with reliability and false positives.
- The Autofix™️ for JAVA-W1010 will no longer move default cases to the end if we find that the default is associated with others due to a fallthrough.
- We've fixed false negatives caused by various TypeScript rules not being enabled in VueJS files.
- We've fixed an issue in the Secrets Analyzer where false positives were raised for generic API keys and private keys, improving the accuracy of the analysis results.
- We've fixed several false positives in this release:
  - JAVA-S1060: We've fixed an issue where abstract Spring controller/repository classes were wrongly flagged as introducing unmanaged state variables.
  - JAVA-E1086: We've fixed an issue where variadic arguments, which are implemented using Java arrays but are effectively treated as immutable, were incorrectly reported as potentially mutable data passed into non-public fields.
  - JAVA-W0182: We've fixed an issue where we incorrectly reported classes not being Exceptions/Throwables, even when named as such, because of a flaw in inheritance detection.
  - JAVA-W1060: We've fixed an issue where static field accesses were incorrectly reported as occurring before being written when these static accesses were within a nonstatic context.
  - JAVA-P0065: We've fixed an issue where we were incorrectly flagging explicit garbage collection invocation (System.gc() or Runtime.gc()) in tests. This correction was made considering its common usage in benchmarks, where explicit garbage collection can have valid applications.
  - JAVA-E1036: We've fixed an issue where we were incorrectly flagging the wrong argument type for the Collection.remove() method due to faulty type inference in certain contexts.
  - JAVA-W0095: We've fixed an issue where we were incorrectly flagging local variables assigned in return statements due to faulty type inference in certain contexts.
  - JAVA-W1037: We've fixed an issue where we incorrectly flagged an assignment within a switch expression used as the method's return value.
  - CS-W1082: We've fixed an issue where we incorrectly reported the result of an assignment as unused when the left-hand side of the assignment was an underscore, indicating the intentional discarding of the result.
  - CS-P1003: We've fixed an issue where we were incorrectly suggesting to make static readonly fields const for structs. This recommendation was not applicable due to the inability to assign compile-time constant values to structs in C#.
  - SC-W1079: We've fixed an issue where descendant nodes in sealed entities were not properly recognized when considering case objects.
  - GO-S2307: We've fixed an issue where we were incorrectly flagging unsafe defer of .Close methods for io.ReadClosers.
  - JAVA-E1067: We've fixed an issue where nullable parameters were incorrectly flagged as needing null checks when users utilized Objects.nonNull for null verification.
  - CS-P1005: We've fixed an issue where we were incorrectly recommending the use of .TryGetValue to access elements in a Dictionary, when users were checking for a key's existence and updating its value.
  - JS-0295: We've fixed an issue where we incorrectly flagged comments that had explanations in front of @ts-<pragma>.
  - JS-C1002: We've fixed an issue where we incorrectly flagged x, y, and z as single-character variable names, although these are commonly used variable names in some contexts.
  - JS-0128: We've fixed an issue where React imports were incorrectly flagged as unused in React files for React version >= 17, as importing React is no longer required starting from React v17 due to the automatic inclusion of React in the scope with the new JSX Transform.
  - JS-0125: We've fixed an issue where we incorrectly flagged the Accelerometer variable as undefined, despite it being a valid object in specific environments or libraries.
  - JAVA-E1086: We've fixed an issue where we incorrectly flagged constructor calls without tainted arguments as potential sources of mutable data passed into nonpublic fields.
  - JAVA-W1047: We've fixed an issue where the Java Analyzer incorrectly inferred certain referenced fields as constant values, leading to false positive reports.
  - JAVA-W1036: We've fixed an issue where we incorrectly flagged the declaration of a custom serialization method with an incorrect signature when a serialization proxy was being used.
  - JAVA-E1054: We've fixed an issue where we incorrectly flagged the usage of boxed Boolean values in conditional expressions for lambda arguments.
  - JAVA-W1000: We've fixed an issue where we incorrectly recommended Exception classes to be appropriately named for anonymous classes, even though this naming requirement does not apply to anonymous classes as they don't need explicit names.
  - JAVA-A1023: We've fixed an issue where we incorrectly recommended specifying a target package or receiver permission for broadcasting intents, even though it is not always necessary and can be a valid use case for intents defined by the Intent class.
  - JAVA-E1085: We've fixed an issue where we incorrectly flagged iterators as being invalidated while in scope, even in cases where a specific iterator value was not used after the underlying collection was modified, which is a valid use case.
  - JAVA-E1001: We've fixed an issue where we incorrectly flagged custom serialization methods for having an incorrect signature when a serialization proxy was used, which is a valid approach in certain serialization scenarios.
  - JAVA-E1001: We've fixed an issue where we incorrectly flagged type casts in string format arguments for not matching the provided format string in String.format, even though the type casts were valid and compatible with the format specifier.
  - JAVA-W1088: We've fixed an issue where we incorrectly flagged test files for not containing tests when non-JUnit assertions were used in a JUnit test, even though these assertions were valid alternative assertion libraries compatible with JUnit.
  - CS-R1108: We've fixed an issue where we incorrectly flagged the usage of the logical not operator to invert binary expressions as affecting readability for operators defined for types, even though this usage can be a valid and readable coding style.
  - RS-E1021: We've fixed an issue where we incorrectly flagged the usage of mem::forget or mem::drop on a non-Drop type within a const context, as it is not necessary to enforce the Drop trait for constant values.
  - RS-W1031: We've fixed an issue where we incorrectly flagged the usage of unwrap_or followed by a function call for constants, as the const context does not allow calling unwrap_or_else functions, making it unnecessary to raise this warning.
  - GO-S2307: We've fixed an issue where the use of defer for .Close method on io.ReadClosers was incorrectly flagged as unsafe, despite it being a valid and safe usage.
  - PYL-R1715: We've fixed an issue where the usage of the get() method to access values from a dictionary was incorrectly flagged when used in conditionals without an else block, as this usage is valid and doesn't require an else block.
  - CS-R1109: We've fixed an issue where the missing implementation of System.Exception was incorrectly flagged, even in scenarios where classes inherited Exception indirectly through transitive or indirect inheritance.
  - SC-W1005: We've fixed an issue where we incorrectly flagged the usage of Exception as generic when the Exception caught was deliberately left unbound, and the catch block was intentionally left empty to suppress or silence Exceptions.
  - CS-R1046: We've fixed an issue where we incorrectly recommended dropping the explicit .Where() call to simplify the LINQ query for an overloaded version of Where() that received both the element and its position.