Improved commits and PRs for Autofix™️
- Conventional commits are widely accepted standards for organizing commit history among teams. However, commits generated by DeepSource lacked adherence to any standard, leading to inconsistencies in our users’ commit history. With this update, all commits raised by DeepSource now conform to the conventional commits standard.
- Autofix™️ pull requests created by DeepSource now include a short description of the issue they are fixing. This additional context will provide you with a better understanding of the changes proposed.
Carry-forward inference for Code Coverage
Teams with large repositories and complex build processes often configure their CI not to run tests on default branch merges. This posed a problem for DeepSource since we use the analysis on default branch commits as the source of truth for metrics and issues in your baseline.
This update allows you to track code coverage metrics even when tests aren’t run on your default branch commits. DeepSource will use the last known coverage file sent for a pull request as the source of truth for coverage information after the pull request is merged into the default branch. To enable this for your repository, go to Settings → Code Coverage → and toggle “Enable report inference”.
New in Analyzers
- 38 new checks for static analysis and SAST:
- Rust: RS-A1007, RS-E1024, RS-E1025, RS-W1117, RS-W1118
- JavaScript: JS-W1039, JS-S1024, JS-S1023, JS-R1004
- Ruby: RB-C1014, RB-C1015, RB-W1017, RB-ST1117, RB-ST1123, RB-W1018, RB-W1019, RB-W1020, RB-W1021, RB-C1016, RB-C1017, RB-C1018, RB-C1019, RB-W1022, RB-W1023
- C#: CS-P1021, CS-R1110, CS-W1082
- Scala: SC-R1068, SC-R1069, SC-R1070
- Java: JAVA-E1104, JAVA-E1103, JAVA-E1105, JAVA-W1084, JAVA-W1082, JAVA-W1083, JAVA-E1102, JAVA-S1067
- Autofix™️ for 12 checks
- JavaScript: JS-0037, JS-W1039, JS-R1004
- Ruby: RB-C1014, RB-C1015, RB-W1017, RB-ST1117, RB-ST1123, RB-W1021, RB-C1016
- C#: CS-R1110, CS-W1082
Fixes and Improvements
- We’ve added a new general page in your team settings where you can configure your team’s SSH Keys, preference settings, VCS connections, and advanced settings such as team deletion.
- We’ve fixed an issue where the deepsource.toml config generator commits made by DeepSource GitHub bot were not signed.
- We’ve fixed an issue where users could access empty repositories, or repositories with disabled access, during GitLab repository syncs. DeepSource now ignores such repositories while syncing.
- We’ve fixed an issue where GitLab’s latest commit SHA was not properly synced to DeepSource.
- We now show team-level reports and pinned reports to users in your team with the Contributor role, and repository-level reports and pinned reports to users with the Read Only role.
- We’ve fixed an issue where we were showing 500 error code instead of 404 for invalid URL endpoints.
- We’ve disabled the Autofix™️ for RB-LI1021 in the Ruby Analyzer. Some Autofixes were failing as the check for this issue didn’t have Autofix available for all cases. We will enable it again once we have resolved this.
- We’ve removed the check with issue code BAN-B324, as it was a subset of PTC-W1003.
- We’ve fixed an Autofix™️ failure for PTC-W0050, which was incorrectly generated when multiple decorators were present on a dataclass.
- We’ve fixed six false positives in this release:
- JAVA-W0324: We’ve fixed an issue where the writeReplace method was not properly recognized.
- SC-W1067: We’ve fixed an issue where top level case objects were marked as requiring the final modifier.
- SC-W1082: We’ve fixed an issue where the exception variable was rightly used in the case’s condition, yet was flagged as unused.
- SC-W1083: We’ve fixed an issue where lambda parameters represented by _ were marked as unused.
- PTC-W1006: We’ve fixed an issue where token = None was being flagged as sensitive data potentially getting exposed.
Azure DevOps
We’re excited to announce that DeepSource cloud now supports Azure DevOps as a Version Control System (VCS) provider, in addition to GitHub, GitLab, and Bitbucket. You can now use DeepSource to monitor and improve the health of your code hosted on Azure DevOps.
To add your Azure DevOps organization to DeepSource, navigate to the account switcher on your dashboard, and create a new workspace. Read more in the docs.
Single Sign-On
DeepSource cloud now supports SAML 2.0-based Single Sign-On (SSO) authentication. We have added guidelines and support for Okta, OneLogin, and Azure AD as Identity Providers.
To set up SSO for your team, navigate to the Security tab in your team-level settings or refer to our docs for step-by-step instructions.
New in Analyzers
- We’ve added 64 new checks for static analysis and SAST:
- Rust: RS-S1016, RS-P1008, RS-W1108, RS-W1109, RS-W1112, RS-W1113, RS-W1114, RS-W1115
- C#: CS-P1020, CS-R1106, CS-W1077, CS-W1078, CS-W1079, CS-W1080
- Scala: SC-R1065, SC-W1082
- Ruby: RB-W1005, RB-W1006, RB-W1007, RB-W1008, RB-W1009, RB-W1010, RB-W1011, RB-W1012, RB-E1003, RB-C1013, RB-W1013, RB-W1014, RB-W1015, RB-W1016, RB-E1004
- Java: JAVA-W1076, JAVA-W1077, JAVA-E1092, JAVA-E1093, JAVA-E1094, JAVA-E1095, JAVA-E1096, JAVA-E1097, JAVA-E1098, JAVA-E1099, JAVA-A1052, JAVA-W1078, JAVA-W1079, JAVA-W1080, JAVA-W1081, JAVA-E1100
- JavaScript: JS-S1017, JS-S1018, JS-S1019, JS-A1009, JS-W1038, JS-S1021, JS-W1035, JS-W1036, JS-S1022.
- C & C++: CXX-A1000, CXX-A1001, CXX-W2015, CXX-W2016, CXX-W2018, CXX-S1021
- Python: PY-W0080
- We’ve added Autofix™️ for 12 checks:
- Rust: RS-W1108, RS-W1109
- Ruby: RB-W1010, RB-W1008, RB-C1013, RB-W1013, RB-W1014, RB-W1015, RB-W1016
- JavaScript: JS-S1015, JS-S1017, JS-S1018.
Fixes and Improvements
- We’ve added support for Python 3.11 syntax in the Python Analyzer.
- Ruby Analyzer is now up to 19% faster. We upgraded to Ruby 3.2 and enabled YJIT, which improved the speed of analysis.
- We’ve fixed an issue where Autofix™️ was failing when PTC-W0028 was being raised for from . import … imports.
- We’ve fixed an issue where Autofix™️ was failing when PYL-C0325 was being raised on except keyword, such as except(Exception as exc).
- We’ve fixed several false positives in this release:
- JAVA-W1067: We’ve fixed an issue where we were incorrectly flagging redundant cast of return value even when suppress annotations were present. Using @SuppressWarnings("unused") will ensure it is not reported.
- JAVA-E1034: We’ve fixed an issue where we incorrectly flagged serializable classes that used the “serialization proxy” pattern (as described in Effective Java by Josh Bloch). The Java Analyzer will now successfully detect serialization proxy classes and will not report this issue if such a class is found.
- JAVA-W1037: We raise this issue when a return statement contains an assignment to a local variable. It was earlier incorrectly flagged when a lambda or anonymous class, within which a local variable was assigned, was returned. Now, this issue will correctly detect such cases and avoid reporting them.
- JAVA-E1083: We’ve fixed an issue where we were not accounting for the usage of hasText function from Apache commons with null-checking strings. We will now correctly detect null checks using this function.
- JAVA-S1060: We’ve fixed an issue where a field was reported as not being injected correctly if the field was assigned by calling a method on a constructor parameter instead of being assigned directly. The Analyzer now correctly considers such cases.
- JAVA-E1085: We’ve fixed an issue where the usage of System.arraycopy was not considered during analysis. The Analyzer will now recognize calls to arraycopy as sanitizing calls.
- JS-0057: We’ve fixed an issue where we were incorrectly flagging parameterized constructors in TypeScript as empty constructors.
- PTC-W1003: We’ve fixed an issue where we were incorrectly flagging hashlib methods as insecure functions even when usedforsecurity=False was passed.
- PTC-W0018: We’ve fixed an issue where we incorrectly flagged set literals, such as list({1, 2, 1}) , as unnecessary literals.
ClangFormat Transformer
Following the beta release of our C and C++ Analyzer, we’re excited to introduce the ClangFormat Transformer in DeepSource. By enabling this Transformer, you can automate code formatting across your C and C++ projects with ClangFormat.
Just add the following snippet in the `.deepsource.toml` file to enable the Transformer in one of your repositories.
Refer to the docs for more details.
New in Analyzers
- We’ve added 25 new checks for static analysis and SAST:
- C#: CS-A1013, CS-A1014
- Scala: SC-R1059, SC-R1060, SC-R1061, SC-R1062, SC-R1063, SC-R1064, SC-W1080, SC-W1081
- C and C++: CXX-P2008, CXX-W2010, CXX-W2012, CXX-W2013, and CXX-P2009
- Ruby: RB-LI1103, RB-LI1104, RB-LI1105, RB-LI1106, RB-LI1107, RB-E1001, RB-E1002, RB-W1002, RB-W1003, RB-W1004
- We’ve added Autofix™️ support for the following checks in the Ruby Analyzer: RB-LI1103, RB-LI1104, RB-LI1105, RB-E1001, RB-W1002, RB-W1004.
Breaking Changes
- API Platform: We have added breaking changes to the schema for the Check and Repository types in our GraphQL API, which is limited to the fields related to repository metrics. This also affects the webhook payloads for the events analysis_run.started and analysis_run.updated using the same object schema as the corresponding types. We recommend handling the changes in any integrations where you consume these APIs and webhook events. Read this Discuss post for more details.
New in Enterprise Server
- In-built APM integration: You can now directly send APM metadata to Sentry. This will help us troubleshoot better when providing support for Enterprise Server installations. Here’s how you can set it up.
- We’ve made several optimizations to the resource utilization of analysis jobs. You’ll see considerable improvements in the resource consumption of your Enterprise server cluster.
- BitBucket Cloud for Enterprise Server: You can now use BitBucket Cloud as a VCS provider on Enterprise Server. Here are docs to help you get started.
Fixes and Improvements
- We’ve added the following framework issue tags to the JavaScript Analyzer: react, vue, angularjs, angular, meteor, ember. These tags allow you to search and filter issues based on frameworks. You can do this by searching for tag:react for instance, under the issue tab.
- Issues from stale analyzers are now deleted when the deepsource.toml file is updated.
- Invalid lines of code, such as comments, are now implicitly ignored by the Code Coverage Analyzer.
- We’ve improved how JS-0415 reports issues with JSX depth. It previously flagged each line in a JSX tree that exceeded the maximum depth as an individual issue occurrence. We have now modified the check only to report the parent node of the JSX tree that has at least one deeply nested statement. We have also increased the maximum depth to 4.
- We no longer raise SC-W1067 for top-level objects, as the final modifier on a top-level object is redundant.
- CS-R1050: We now take the statements following a using block into account before suggesting the use of the using keyword.
- We’ve made several performance optimizations to the Ruby Analyzer’s runtime. The analysis runs are now up to 15 times faster than before.
- We’ve fixed several false positives in this release:
- SC-R1057: We’ve fixed an issue where we were incorrectly triggering this for catch clauses with error loggers.
- GO-S2307: We’ve fixed an issue where we were incorrectly flagging types implementing io.ReadCloser and io.ReadSeekCloser, since deferring the call to their Close methods is safe.
- CXX-W2009, CXX-W2011: We’ve fixed an issue that incorrectly flagged a function declaration as a variable declaration due to a lack of context.
- PYL-W0613: We’ve fixed an issue where we were incorrectly flagging arguments with defaults, such as Depends(…) and Cookie(…) as unused.
- PY-W0069: We’ve fixed an issue where we were incorrectly flagging Big-O notation, such as # O(N + M) as commented out code block.
- BAN-B605: We’ve fixed an issue where we were incorrectly flagging constant expressions, such as os.system("dir" if WINDOWS else "ls") as possible shell injection.
- PTC-W0050: We’ve fixed an issue where we were incorrectly flagging function calls inside set literals, for example {foo(), foo()}, as duplicates.
- PTC-W0051: We’ve fixed an issue where we were incorrectly flagging partially similar if-elif blocks as being similar.
- FLK-D202: We’ve fixed an issue where we were incorrectly flagging nested async functions following a docstring.
- CS-P1003: We’ve fixed an issue where we were wrongly suggesting fields of the type object to be converted to const.
- CS-W1064: We’ve fixed an issue where we were incorrectly flagging Type.GetType(string) as a dubious call.
- CS-W1072: We’ve fixed an issue where we incorrectly flagged inlined fields’ assignments in constructors.
- JAVA-W1035: We’ve fixed an issue where the instantiation of a class with only static members, which inherited nonstatic members, was reported unnecessarily.
- JAVA-W1060: We’ve fixed an issue where static field access within annotations was incorrectly reported.
- JAVA-W1065: We’ve fixed an issue where usage of java.util.Properties was flagged though it was valid.
- JAVA-S1066: We’ve fixed an issue where returning a spring persistence entity class from any method would be reported. This issue will now only report request handler methods that return such entities.
- JAVA-S1060: We’ve fixed an issue where loggers in Spring web app components, which are usually not a part of an object’s state, were marked as uninjected state. From now on, the Analyzer does not consider loggers as state variables, so they will no longer be reported.
- JAVA-C1002: We’ve fixed an issue where the assertion would be reported when the arguments to a JUnit or an AssertJ assertion were both variables. Now, the assertion is only reported when either of the arguments is a constant of some kind.
Improved User Settings
We’ve redesigned and improved the user settings for your DeepSource account. This will make it easier for you to configure all your account and workspace settings from your dashboard.
- Account Preferences: You can now easily add an avatar to your account, change or edit your display name, see your login connections with DeepSource, and add a new connection if required.
- Workspaces: We’ve added a new workspaces tab in your user settings where you can see a list of all the team and personal workspaces you are a part of. You can navigate to those workspaces from here. We’ve also added a search so you can filter through the list quickly.
Manually sync a single repository from GitHub
If your organization has a large number of repositories (tens of thousands), sometimes there’s a delay in syncing some of them since we don’t want to trip the API rate limits of the VCS. This might cause the repository you’re looking for not to show up when you’re trying to activate DeepSource on it.
We’ve added an option to sync repositories one at a time from the repository search interface when activating a new repository, so you don’t have to wait for DeepSource to retry by itself.
Improved manual sync of access settings for GitHub
You can now choose whether or not you want the access settings that have been changed manually on DeepSource to be overridden when performing a manual sync. This will help remove any confusion caused by DeepSource automatically overriding these changes in the past. We also show an overview of all the changes the sync will override to help you make the decision.
New in Analyzers
- We’ve added five new SAST checks in the JavaScript Analyzer:
- JS-S1015: Detects insecure web preferences passed to Electron.
- JS-S1016: Detects array index that is possibly out of bounds.
- JS-A1005: Detects unsanitized inputs that are passed to templating engines.
- JS-A1006: Detects server-side errors that may be exposed to the client side.
- JS-A1007: Detects unsanitized inputs used with openExternal method of the Electron’s shell module.
- We’ve added Autofix™️ support for the following Rust checks: RS-W1001, RS-W1046, RS-W1062, RS-W1074, RS-W1080, RS-W1095
Fixes and Improvements
- We’ve improved JS-D007, an issue that flags bad usage of RegExp#exec and String#match. We now also cover calls to the RegExp function, in addition to the previously supported regex literals.
- We’ve improved JS-0002, an issue that flags using console in code that runs on the browser. We will now avoid flagging console.error, console.assert, console.table, and console.warn statements since they are most likely to be used intentionally.
- We’ve fixed three false positives in this release:
- JS-0455: We’ve fixed an issue where sx was being incorrectly flagged as an unknown property in projects that used the ThemeUI library.
- JS-0105: We’ve fixed an issue where we were incorrectly flagging class methods that did not use this in NestJS projects to accommodate cases of dependency injection.
- JS-D007: We’ve fixed an issue where we incorrectly flagged regex matches even when they were being put to use. We should not recommend using Regex#test when the regex matches are used elsewhere.
Improved role-based access sync from GitHub
Managing repository permissions and access settings for users on your GitHub and DeepSource organizations separately can be tedious as your team grows. We’ve made several improvements to how we sync permissions from GitHub to simplify this and eliminate manual effort.
- Repository-level permissions: Repository permissions to users inherited from a team on GitHub are now correctly synced on DeepSource. Previously, only direct repository collaborator roles were synced, leading to an inconsistency in the repositories that a user could see on GitHub and DeepSource. Read more in our docs.
- Base permissions: To help you bring parity with base permissions on GitHub, we’ve added a new No Permission option to Member Base Permissions in your team’s access control settings. Selecting this will allow members read-only access to public repositories by default. They will not have any permissions on private repositories unless some level of permission is inherited from a GitHub team or through being added as a direct repository collaborator. Read more in our docs.
- Default Base Permission: When you connect a new GitHub organization, we will automatically sync the organization’s base permission from GitHub to DeepSource. Previously, this setting defaulted to “Maintain” on DeepSource.
Please note that automatic sync of access on repositories can affect your occupied seat count on DeepSource. For instance, if a user has a Contributor role on DeepSource but a Member or Admin role on GitHub, their role will be upgraded, and they’ll now occupy a paid seat on DeepSource. To help you keep track of this, the source of a member’s addition to the organization or a repository is now shown in the list of members in Organization → Settings → My team and Repository → Settings → Repository members.
New in Analyzers
- We’ve added 41 new checks across our Analyzers:
- Java: JAVA-E1085, JAVA-E1083, JAVA-E1084
- JavaScript: JS-A1000, JS-A1001, JS-A1004, JS-A1002, JS-A1003
- Go: GO-E1008, GO-E1009, GO-W1030, GO-W1028, GO-W1031, GO-W1032
- Terraform: TF-S1031, TF-S1032, TF-S1033, TF-S1034, TF-S1035, TF-S1036, TF-S1037, TF-S1038, TF-S1039, TF-S1040, TF-S2027, TF-S2028, TF-S2029, TF-S2030
- C and C++: CXX-P2000, CXX-P2001, CXX-P2003
- Rust: RS-E1022, RS-E1023, RS-W1078, RS-S1009, RS-S1014, RS-S1015
- Scala: SC-D1000, SC-W1077, SC-W1078, SC-W1079
- We’ve added Autofix™️ support for four checks:
New in Enterprise Server
- RabbitMQ High Availability: As a first step towards ensuring high availability of DeepSource Enterprise Server, DeepSource now runs RabbitMQ in HA on standalone installations.
- Export logs to SIEM tools: You can now export your DeepSource Enterprise Server logs to the SIEM tool of your choice. Read more in our docs.
Fixes and Improvements
- We’ve fixed an issue where the test coverage Analyzer was timing out due to a parsing issue in some test coverage report formats.
- Added the ability to regenerate the DSN for a repository from the dashboard and the API. In light of the recent CircleCI breach, we strongly recommend that all users using CircleCI for their repositories rotate their DSNs on DeepSource. You can read more about it here.
- Setting the enabled attribute as true is now optional in the .deepsource.toml configuration file and will be true by default. If you want to disable an Analyzer, you can comment out that Analyzer entry, or add enabled = false manually in your deepsource.toml file.
- The Scala Analyzer now automatically detects the correct Scala version even if the version meta field in the .deepsource.toml is not specified. If you’ve already set this field value, we recommend you remove it and let the Analyzer handle it appropriately.
- Our reports now include legends in the charts to help you quickly understand the data.
- On the run history page, the checkbox to Autofix™️ was behaving incorrectly. This has been fixed.
- We’ve fixed an issue where the Python Analyzer was not raising flake8-compatible issues for some Python 2.7 repositories.
- We’ve disabled obsolete issues in the JavaScript Analyzer that enforced coding styles: JS-0229, JS-0083, JS-0113.
- We’ve updated the issue description for JS-0002 with instructions to prevent code that runs in the NodeJS environment from being flagged.
- We now automatically exclude auto-generated and designer files from the C# Analyzer analysis. Ideally, directories such as bin and obj should be excluded when the code is committed. However, if they were added in the commits, we were incorrectly running an analysis on them.
- The maximum JSX nesting depth for JS-0415 has been increased from 2 to 3, as 2 was a bit too restrictive.
- We’ve improved JS-D008, an issue that flags incorrect use of Array.prototype methods. We now cover more methods and have an improved issue description to explain possible fixes.
- The Python Analyzer was raising both FLK-E501 (Line too long) and FLK-W505 (Doc line too long) on excessively long docstrings. Since this was noisy, we now raise only FLK-W505 in those instances.
- We’ve fixed several false positives in this release:
- JAVA-W0324: We’ve fixed an issue where the @SuppressWarnings("unused") annotation was not respected, resulting in false positives.
- JAVA-W0324: We’ve fixed an issue where we incorrectly detected private methods declared inside nested classes as unused even though they were properly used.
- JAVA-W1025: We’ve fixed an issue where we incorrectly detected privateMethod as unused for private fields declared within nested classes, which were used in an outer class.
- JAVA-P0361: We were incorrectly reporting this issue when a use of Map.keySet() was followed by a use of Map.get() with the same map and the same key, even if the second access was behind some condition (such as an if statement). We’ve fixed that.
- JAVA-W1036: We incorrectly reported this issue when the actual (the type at the usage site) generic type of a method’s parameter was java.lang.Object, and the argument passed was also of type java.lang.Object. We now correctly infer the expected generic type and avoid reporting this issue when the expected generic type and argument type match.
- JAVA-W1069: We were incorrectly reporting this issue for certain imports. We’ve fixed this by using better algorithms to detect what types/methods/fields are imported and which are used.
- JAVA-W1042: We were incorrectly reporting this issue for methods that throw generic exceptions (like java.lang.Exception), even if the throw was added due to a call within the method that raised the exception. Now, the Java Analyzer will attempt to discover whether any checked exceptions are thrown by some method called, and if there are, it will avoid reporting this issue.
- JAVA-W1025: We were incorrectly reporting this issue for private fields that were annotated with @MockBeans. We’ve fixed that.
- JAVA-E1017: We were incorrectly reporting this issue for methods that called their overloads when the overload was passed casted versions of the method’s initial arguments. We’ve fixed that.
- PYL-W0201: For relative imports inside packages, we couldn’t infer the base classes for certain classes. We’ve fixed that.
- GO-W1027: We’ve fixed an issue where we incorrectly flagged an empty slice literal used to declare a variable of a type other than a slice.
- RVV-B0013: We’ve fixed an issue where an unused method receiver written as _ (for example, func (_ *Foo)) was not correctly flagged. It is recommended to omit the receiver entirely when it is unused, as it is not required.
- CS-P1001: We were incorrectly flagging the invocation of GC-related methods in protected virtual void Dispose(bool disposing). We’ve fixed that.
- CS-W1022: We’ve fixed an issue where declared and initialized variables in separate and succeeding lines were flagged as uninitialized.
- CS-R1071: We’ve fixed an issue where the Analyzer incorrectly recommended replacing numeric literals, such as 3.14 and 6.28, with values from the Math class even when they carried a type suffix such as m.
- SC-R1015: We’ve fixed an issue where the if-else chain was not adequately evaluated, thereby erroneously marking the else in else if in an if-else chain as redundant.
- JS-0057: We’ve fixed an issue where we were incorrectly flagging empty functions with comments inside them. Functions intentionally left empty with comment(s) inside them should not be flagged as empty.
- JS-0394: We’ve fixed an issue where we were incorrectly flagging Nuxt’s NavLink component if it had className prop.
- JS-0122: We’ve fixed an issue where we were incorrectly flagging TypeScript interface properties that share the same name with JS global variables.
- JS-0330: We’ve fixed an issue where we were incorrectly flagging TypeScript code where the type of the argument passed to setTimeout is non-determinable.
- JS-0242: Destructured object properties are no longer flagged if at least one is non-const.
- JS-0576: OnPush is the recommended component change detection strategy in Angular. But, we used to incorrectly check for onPush and flag OnPush as incorrect. Additionally, the Autofix™️ for this was incorrect as we used to transform the code to onPush instead of OnPush. We’ve fixed these.
- JS-D023: We’ve fixed an issue where we were incorrectly flagging code that passed any non-literal argument to child_process. We now check for cases where tainted data is passed to child_process methods.
- BAN-B413: We’ve fixed an issue where we were incorrectly flagging the PyCryptodome library as insecure. pycryptodome is a library with an API compatible with pycrypto, but with no vulnerabilities.
- CS-R1022: We incorrectly recommended users to remove default: break; even when a comment or pragma was associated with it. We now only report this issue if there are no associated user comments.
New in Analyzers
- We’ve added 36 new checks:
- Go: GO-S1047, GO-S1048, GO-C4010, GO-W4015, GO-W4016, GO-W4017, GO-W1027, GO-W1028, GO-W1029, GO-C4011, GO-C4012
- Ruby: RB-S1001, RB-W1001.
- Rust: RS-W1110, RS-W1111, RS-C1014.
- Java: JAVA-A1058, JAVA-E1082, JAVA-S1066, JAVA-W1066, JAVA-W1067, JAVA-W1068, JAVA-W1069, JAVA-W1070, JAVA-W1071, JAVA-W1072.
- Scala: SC-R1055, SC-R1056, SC-R1057, SC-R1058, SC-W1071, SC-W1072, SC-W1073, SC-W1074, SC-W1075, SC-W1076.
- We’ve added Autofix™️ support for 6 checks:
- Ruby: RB-S1001, RB-W1001.
- Rust: RS-W1110, RS-W1111, RS-C1014.
- Go: GO-W1027.
- We’ve added support for multiple coverage reports for Cobertura, OpenCover, GoCover, LCOV, and SimpleCov.
Breaking change
- Due to a recent update in git, executing any git command inside DeepSource’s Test Coverage GitHub Action causes the CLI to fail. We recommend switching to the DeepSource CLI or following the steps here to resolve this.
Fixes and Improvements
- We’ve fixed several false positives in this release:
- GO-W1025: This was being incorrectly triggered even when there was no case of possible infinite recursion within the String method. We’ve fixed that.
- CS-R1045: Adding the array type when implicit conversion is involved (for example, new double[] {1, 2, 3, 4, 5}) was incorrectly triggering this issue. We’ve fixed that.
- CS-R1068: Expressions such as numbers.Where(num => IsEven(num)) can be written as numbers.Where(IsEven). However, this is not possible when dealing with Action<T>, such as in the case of Array.ForEach<T>(T[], Action<T>). We’ve fixed that.
- CS-R1099: Using the explicit base() call to invoke the parent class’s default constructor is redundant. However, calls to overloaded constructors via this() were also incorrectly flagged. We’ve fixed that.
- JAVA-S1065: Classes that were annotated with @RequestMapping would be reported even when they have specified methods that are annotated with more specific annotations such as @GetBinding, which is safe. We now avoid reporting such cases.
- JAVA-E1036: Certain collections API-related methods were reported as being passed the wrong generic types even when the types were correct. We’ve fixed that.
- Ruby: We’ve disabled Autofix™️ for RB-RL1017 since it needs deeper analysis info before it can attempt to fix.
- Python:
Account Switcher
We have redesigned the account switcher for your DeepSource dashboard. This makes it easier for you to distinguish between your team and personal accounts. We’ve also added a search so you can filter through the list quickly.
New in Analyzers
- 4 new checks:
- Java: JAVA-W1066, JAVA-S1065, JAVA-A1057, JAVA-C1003
- JavaScript: JS-S1012, JS-S1013, JS-S1014
- JavaScript: We’ve added Autofix™️ for JS-S1013
Fixes and Improvements
- We’ve fixed an issue where Jira integration was not loading on the issue detail page if the username in the URL differed from the case in which it was originally set up.
- Issue cards on the issues page were not showing the correct first and last seen dates. We’ve fixed that.
- C#: When generating Autofix™️ code for CS-W1003, the expression d != double.NaN was being incorrectly rewritten as double.IsNaN(d). We’ve fixed that, and it now rightly refactors as !double.IsNaN(d).
- The C and C++ Analyzer was incorrectly raising an exception when the content of a source file had non-UTF-8 encoded characters. We’ve fixed that.
Pinned Reports
You can now pin the reports that are most useful to your team on the DeepSource dashboard. To do this at both team and repository levels, hover over the ellipsis icon, select change report, and pick the report you wish to pin.
New in Analyzers
- 9 new checks:
- Java: JAVA-W1065, JAVA-W1064, JAVA-W1063, JAVA-S1064
- Rust: RS-W1079, RS-W1103, RS-W1105, RS-W1106, RS-E1021
Improvements and Fixes
- API: You can now query for reports associated with an Account or a Repository. Learn more in the docs.
- Some users saw an empty state in the history page when they ignored, suppressed, or marked an issue as false-positive or manually opened a link to a run. We’ve fixed that.
- We’ve fixed an issue where a person could be added as a team member multiple times.
- Some users reported that when they reactivated/deactivated their repository to trigger a complete repo sync, it resulted in a double count in the code health trend report. We’ve fixed that.
- The repository sync broke if a Gitlab user had a subgroup with the same name as their account. We’ve fixed that.
- Fixed unexpected analysis timeouts on specific large Python repositories.
- We’ve fixed a parsing bug during Python dependency installation. It occurred specifically for version specifiers such as flask>=20.0,<23.0.
- We’ve fixed several false positives in this release:
- PYL-C0412: Ungrouped imports from the same package inside a try/except or if block were triggering this issue. We’ve fixed that.
- JS-0464: This issue should not be raised if the project uses React version >= 17. We have improved the detection of the React version in the user’s project and now raise this issue only if we detect the React version to be < 17.
- JS-D007 and JS-0093: These issues were triggered incorrectly on some assertion functions in test files. We’ve fixed that.
- JS-0129: When function and class declarations were used before their definition, it incorrectly triggered this issue. We’ve fixed that.
- JAVA-C1002: Constants and class object references were wrongly reported when used as the expected value of a JUnit assert call. We’ve fixed that.
- RS-W1017: We’ve added support for the write! macro for this issue.
- Disabled JS-0056: Based on the feedback from some users, we have decided to no longer raise this as an issue since it is a stylistic preference whether to follow this pattern or not.
- We’ve disabled JAVA-E1029 temporarily, as users reported many false positives. We will re-enable it once we have fixed the false positives.
- The C and C++ Analyzer was not reporting any found issues due to a bug in the issue reporting module. We’ve fixed that.
This update is mostly about the Analyzers. While we’ve made several small fixes and improvements to the product, the primary focus for the week was adding new checks and Autofix™️.
New in Analyzers
- 15 new checks:
- Ruby: RB-A1012, RB-W1000, RB-S1000
- C#: CS-R1100, CS-R1101, CS-R1102, CS-W1070, CS-W1071
- Java: JAVA-W1061, JAVA-S1060, JAVA-W1062, JAVA-S1061, JAVA-S1062, JAVA-S1063, JAVA-S1064
- New Autofix™️ for 3 checks
Fixes and Improvements
- You can now upload attachments for support tickets on the DeepSource dashboard.
- You can now directly copy and share the public report details from the new success window that shows up after you have created your report.
- Some users could not see whether the aggregate metrics were passing or failing a threshold (if set) on runs in the history page. This has been fixed.
- Some users could not suppress failing metrics on the run page, despite having access control permissions enabled in team settings. This has been fixed.
- On some reports, changing the date filters from a longer to a shorter duration resulted in an invalid state. This has been fixed.
- Recently added Analyzer logos were not appearing correctly on the sidebar of the Discovery tab. This has been fixed.
- We had dropped support for Ruby versions 2.0-2.4 because of a dependency on some libraries. We have restored support for those versions.
- In addition to .cfg files for dependency configuration in Python, we now also support .toml files.
- JavaScript: We had some failures while users were trying to Autofix™️ JS-0757. We have fixed them.
- We’ve fixed several false-positives in this release:
- CS-R1005: Event handlers declared as async void were incorrectly triggering this issue. We’ve fixed that.
- CS-A1003: Methods participating in inheritance will no longer trigger this issue.
- JAVA-E1017: A call from one method to a different overload of the same method will no longer trigger this issue.
- JAVA-S1061: Spring persistent entities used as path variable arguments in a request handler will no longer trigger this issue.
- JAVA-E1065: Private fields marked with @FXML were incorrectly reported as uninitialized. We’ve fixed that.
- JAVA-W1042: Spring configuration methods that throw Exception will no longer trigger this issue.
- JAVA-W1004: Empty test methods autogenerated by Spring will no longer trigger this issue.
- BAN-B608: Some strings were wrongly detected as SQL triggering this issue. We’ve fixed that.
- PYL-W0201: Now that we have added support for .toml files in Python, the false positives caused by dependencies not being installed are fixed.
- PYL-C0412: Imports inside match statements were incorrectly reported for this issue even though they cannot be grouped. We’ve fixed that.
- CXX-S1006: Some users were storing the sizeof(type) value in a variable and passing that variable to memory allocation functions, which wrongly triggered this issue. We’ve fixed that.
Composite Test Coverage Metric
If you’ve been tracking code coverage primarily through Line Coverage and Branch Coverage metrics, the all-new Composite Coverage metric provides a higher-order way of measuring how effective your test suite is. This metric is aggregated over line and condition or branch coverage metrics and is calculated as such:
We use branch coverage to calculate the metric if condition coverage is unavailable. If only line coverage is available, then line coverage would be identical to composite coverage. As with all other metrics, you can add a threshold. To view this for a repository, you can go to Metrics → Composite Coverage in the repository view. Please note that code coverage should be tracked on DeepSource for this metric to be visible.
Public Reports
You can now share reports externally using a public link with people within or outside your team who may not have access to your DeepSource account but will find value in these reports. You can create these reports at the repository or team level for all or selected repositories. You can also choose to password-protect a public report.
To create these reports at either the repository or team level, go to the Reports tab → Public Reports → Create a report, or click the share button on any report in the Reports tab.
New in Analyzers
- PHP: We have fixed a false negative for PHP-A1002. The Analyzer can now detect cases where unsanitized external data is incorporated into an SQL query and used (passed to a vulnerable function or returned) without any escaping.
New in Enterprise Server
- Breaking change: To help you optimize resource utilization within the Kubernetes cluster, we’ve added a new kube-janitor service to clean up old jobs in the atlas-jobs namespace. Since there would already be many analysis jobs piled up in the cluster, cleaning them up is essential before upgrading. Read more about upgrading in the docs.
- Jira Integration: You can now create new issues on Jira Cloud directly from DeepSource. Read more about it in the docs.
- Slack Integration: You can now connect your Slack workspace with DeepSource and receive updates on important events directly on the channel. Read more about it in the docs.
- Bugfix: Some users running older versions of PostgreSQL reported that some database migrations were failing. We have resolved this now by adding backward compatibility for those versions.
Fixes and Improvements
- API: The Repository object now includes the deepsource.toml config file as a JSON object. Read more about it in the docs.
- To make the response for reporting artifacts for test coverage more verbose, we now display the repository name and commit SHA in the CLI.
- Some analysis runs were not being correctly linked to the respective pull-request object in the Repository → History page. This has now been fixed.
- The history page now shows the correct open pull-request count.
- The aggregate value for coverage reports was not shown correctly for some users. This has been fixed.