Feb 23, 2023
Enterprise Server v3.18.0

ClangFormat Transformer

Following the beta release of our C and C++ Analyzer, we're excited to introduce the ClangFormat Transformer in DeepSource. By enabling this Transformer, you can automate code formatting across your C and C++ projects with ClangFormat.

Just add the following snippet to the .deepsource.toml file to enable the Transformer in one of your repositories.

[[transformers]]
name = "clang-format"

Refer to the docs for more details.

New in Analyzers

  • We've added 25 new checks for static analysis and SAST:
      • C#: CS-A1013, CS-A1014
      • Scala: SC-R1059, SC-R1060, SC-R1061, SC-R1062, SC-R1063, SC-R1064, SC-W1080, SC-W1081
      • C and C++: CXX-P2008, CXX-W2010, CXX-W2012, CXX-W2013, and CXX-P2009
      • Ruby: RB-LI1103, RB-LI1104, RB-LI1105, RB-LI1106, RB-LI1107, RB-E1001, RB-E1002, RB-W1002, RB-W1003, RB-W1004
  • We've added Autofix™️ support for the following checks in the Ruby Analyzer: RB-LI1103, RB-LI1104, RB-LI1105, RB-E1001, RB-W1002, RB-W1004.

Breaking Changes

  • API Platform: We have made breaking changes to the schema of the Check and Repository types in our GraphQL API, limited to the fields related to repository metrics. This also affects the webhook payloads for the analysis_run.started and analysis_run.updated events, which use the same object schema as the corresponding types. We recommend handling the changes in any integrations where you consume these APIs and webhook events. Read this Discuss post for more details.

New in Enterprise Server

  • In-built APM integration: You can now directly send APM metadata to Sentry. This will help us troubleshoot better when providing support for Enterprise Server installations. Here's how you can set it up.
  • We've made several optimizations to the resource utilization of analysis jobs. You'll see considerable improvements in the resource consumption of your Enterprise Server cluster.
  • BitBucket Cloud for Enterprise Server: You can now use BitBucket Cloud as a VCS provider on Enterprise Server. Here are docs to help you get started.

Fixes and Improvements

  • We've added the following framework issue tags to the JavaScript Analyzer: react, vue, angularjs, angular, meteor, ember. These tags allow you to search and filter issues by framework, for instance by searching for tag:react under the Issues tab.
  • Issues from stale analyzers are now deleted when the deepsource.toml file is updated.
  • Lines that cannot carry coverage, such as comments, are now implicitly ignored by the Code Coverage Analyzer.
  • We've improved how JS-0415 reports issues with JSX depth. It previously flagged each line in a JSX tree that exceeded the maximum depth as an individual issue occurrence. The check now reports only the parent node of the JSX tree that has at least one deeply nested statement. We have also increased the maximum depth to 4.
  • We no longer raise SC-W1067 for top-level objects, since the final modifier is redundant on a top-level object.
  • CS-R1050: We now take the statements following a using block into account before suggesting the use of the using keyword.
  • We've made several performance optimizations to the Ruby Analyzer's runtime. The analysis runs are now up to 15 times faster than before.
  • We've fixed several false positives in this release:
      • SC-R1057: We've fixed an issue where this check was incorrectly triggered for catch clauses that log the error.
      • GO-S2307: We've fixed an issue where we were incorrectly flagging types implementing io.ReadCloser and io.ReadSeekCloser, since deferring the call to their Close methods is safe.
      • CXX-W2009, CXX-W2011: We've fixed an issue that incorrectly flagged a function declaration as a variable declaration due to a lack of context.
      • PYL-W0613: We've fixed an issue where we were incorrectly flagging arguments with defaults, such as Depends(…) and Cookie(…), as unused.
      • PY-W0069: We've fixed an issue where we were incorrectly flagging Big-O notation, such as # O(N + M), as a commented-out code block.
      • BAN-B605: We've fixed an issue where we were incorrectly flagging constant expressions, such as os.system("dir" if WINDOWS else "ls"), as possible shell injection.
      • PTC-W0050: We've fixed an issue where we were incorrectly flagging function calls inside set literals, for example {foo(), foo()}, as duplicates.
      • PTC-W0051: We've fixed an issue where we were incorrectly flagging partially similar if-elif blocks as being similar.
      • FLK-D202: We've fixed an issue where we were incorrectly flagging nested async functions that follow a docstring.
      • CS-P1003: We've fixed an issue where we were wrongly suggesting that fields of type object be converted to const.
      • CS-W1064: We've fixed an issue where we were incorrectly flagging Type.GetType(string) as a dubious call.
      • CS-W1072: We've fixed an issue where we incorrectly flagged assignments to inlined fields in constructors.
      • JAVA-W1035: We've fixed an issue where the instantiation of a class with only static members, which inherited non-static members, was reported unnecessarily.
      • JAVA-W1060: We've fixed an issue where static field access within annotations was incorrectly reported.
      • JAVA-W1065: We've fixed an issue where valid usage of java.util.Properties was flagged.
      • JAVA-S1066: We've fixed an issue where returning a Spring persistence entity class from any method would be reported. This issue is now reported only for request handler methods that return such entities.
      • JAVA-S1060: We've fixed an issue where loggers in Spring web app components, which are usually not part of an object's state, were marked as uninjected state. The Analyzer no longer treats loggers as state variables, so they are not reported.
      • JAVA-C1002: We've fixed an issue where an assertion was reported when both arguments to a JUnit or AssertJ assertion were variables. Now the assertion is reported only when either of the arguments is a constant of some kind.
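To make the BAN-B605 false-positive fix above concrete, here is an added, illustrative checker (not DeepSource's own implementation) that shows how an os.system argument built only from string constants, including a constant-only conditional such as "dir" if WINDOWS else "ls", can be told apart from one that incorporates runtime data. The sample sources are constructed for this example.

```python
import ast

# Constructed sample sources. CONSTANT_CASE mirrors the pattern this release
# stops flagging; the other two genuinely mix runtime data into the command.
CONSTANT_CASE = 'os.system("dir" if WINDOWS else "ls")'
NESTED_CASE = 'os.system("a" if x else ("b" if y else "c"))'
TAINTED_CASE = 'os.system("ls " + user_input)'
FSTRING_CASE = 'os.system(f"ls {path}")'


def is_constant_command(node: ast.AST) -> bool:
    """Return True when the expression can only ever yield a fixed string.

    A conditional expression qualifies when both outcome branches are
    constant; its condition (e.g. WINDOWS) may be a variable, because it only
    selects between fixed strings and cannot contribute shell syntax.
    """
    if isinstance(node, ast.Constant):
        return isinstance(node.value, str)
    if isinstance(node, ast.IfExp):
        return is_constant_command(node.body) and is_constant_command(node.orelse)
    if isinstance(node, ast.JoinedStr):
        # An f-string is constant only if it has no {...} formatted parts.
        return all(isinstance(v, ast.Constant) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return is_constant_command(node.left) and is_constant_command(node.right)
    return False


def find_shell_injection(source: str) -> list:
    """Return line numbers of os.system(...) calls whose command is not constant."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if (isinstance(func, ast.Attribute) and func.attr == "system"
                and isinstance(func.value, ast.Name) and func.value.id == "os"
                and node.args and not is_constant_command(node.args[0])):
            findings.append(node.lineno)
    return findings


if __name__ == "__main__":
    for label, src in [("constant", CONSTANT_CASE), ("nested", NESTED_CASE),
                       ("tainted", TAINTED_CASE), ("f-string", FSTRING_CASE)]:
        print(f"{label:9s} -> flagged lines: {find_shell_injection(src)}")
```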
