Changelog

May 9, 2022

SSO with OneLogin, better integration with GitHub, and LCOV

OneLogin support in DeepSource Enterprise Server

DeepSource Enterprise Server, the self-hosted version of DeepSource that you can run in your own cloud, now supports Single Sign-on (SSO) with OneLogin. An admin on OneLogin can now create a custom SAML connector for DeepSource Enterprise Server and enable SAML SSO. This will allow users to log in to DeepSource using OneLogin. For more details, please refer to the docs.

Improved GitHub pull request integration

Opening a DeepSource analysis run from a pull request on GitHub used to take two clicks. It now takes just one. Read more here.

New in Analyzers

Test Coverage: Support for coverage reporting in the LCOV format (details)
PHP: Support for Autofix, with the ability to Autofix 10+ issues
PHP: 2 new issues (PHP-A1012, PHP-T1006)
Rust: 15 new issues (RS-W1049, RS-W1066, RS-W1047, RS-W1065, RS-W1067, RS-E1013, RS-A1002, RS-A1003, RS-A1004, RS-W1038, RS-W1039, RS-P1005, RS-W1045, RS-W1046)

Apr 26, 2022

Support for Go 1.18, new webhook events, and more

New webhook events

Webhooks are an excellent way to build custom workflows and integrate DeepSource with other tools. We’ve added three new webhook events in this release:

repository_issue.resolved: Triggered whenever an issue is resolved in the default branch of the repository
autofix_run.started: Triggered when a new Autofix is created
autofix_run.updated: Triggered when the status of the corresponding PR of an Autofix is updated.

Learn more about these events in the docs.

Support for Go 1.18 in the DeepSource Go Analyzer

We now support projects using Go 1.18, the latest version of the Go programming language. The version is auto-detected from go.mod from each module’s root, and no change is required in .deepsource.toml.

New in Analyzers

PHP: 2 new issues (PHP-C1001, PHP-W1084)
C#: 3 new issues (CS-R1044, CS-R1045, CS-R1046)

Fixes and improvements

When joining a team using the invite link, the user will default to the member role (if seats are available)
On uninstalling the DeepSource app from GitHub or Bitbucket, the users will now get an email informing them that their account has been deleted successfully
Fixed the broken link to a user’s DeepSource dashboard in the Bitbucket sidebar
All webhook events are now sent with the Norris/DeepSource user agent. If you haven’t met Duck Norris yet, you really should!
The Autofix button will no longer appear incorrectly on the default branch’s run history page
Fixed image and content flashing in the carousel on the signup page
Cleaned up a bunch of errors on the front end so your user experience should be much smoother now
JavaScript: Fixed false positives for JS-0377 and JS-0378
JavaScript: Fixed incorrect Autofix for JS-0002
Go: Fixed bugs in Autofix for VET-0009 and GO-E1006
Go: Improved issue descriptions for GSC-G501, GSC-G102, and GO-S1029

Apr 11, 2022

Detect unexecuted code in tests, 30+ new issues, and more

Unreachable, or “dead”, code is often a symptom that something has been missed unintentionally in the codebase. Dead code in your test suite is even more problematic because it means some part of your code that you thought will test something is, well, not serving its purpose. We’ve just added a new issue, TCV-002, in the Test Coverage Analyzer that’ll alert you whenever it finds unexecuted code in any test files.

New in Analyzers

Java: 5 new issues (JAVA-A1027, JAVA-A1028, JAVA-A1029, JAVA-A1030, JAVA-S1031)
PHP: 3 new issues (PHP-W1083, PHP-W1087, PHP-W1088)
Go: 12 new issues for go.etcd.io/etcd/client/v3 (GO-E1003, GO-R1001, GO-R1002, GO-W1003); 4 new issues for gorm.io/gorm (GO-E1004, GO-E1005, GO-W1004, GO-W1005); and 4 new general issues (GO-E1006, GO-E1007, GO-S1029, GO-W1006)
C#: 14 new issues (CS-W1016, CS-W1017, CS-W1018, CS-W1019, CS-W1020, CS-W1021, CS-R1039, CS-R1040, CS-P1005, CS-P1006, CS-A1008, CS-A1009, CS-A1010, CS-S1000)

Fixes and improvements

Users will now get directly directed to the organization they accepted an invite for.
Issues under a run are now paginated, allowing users to see all of them directly without explicitly searching for them.
Billing checkout page didn’t show the applied credits. This has been fixed.

Apr 5, 2022

6 new issues, and a new login button

The 404 page now has a new login button. After we released the new page last week, several users pointed out that it takes quite a few clicks to finally log in to DeepSource if you’ve landed on a protected URL.

New in Analyzers

PHP: Added 3 new issues (PHP-A1010, PHP-W1086, PHP-T1005).
JavaScript: Added 2 new issues (JS-S1009, JS-S0011). Read more details in this post on Discuss.
JavaScript: Syntax errors are now reported as DeepSource issues (JS-0833).

Fixes and improvements

JavaScript: We’ve updated the default module type updated to ESM. ESModules no longer ignored when the module_system field is unspecified in .deepsource.toml.
Python: Resolved several false-positives in PYL-W0143, PYL-W0613, PY-W0069, PTC-W6004, PYL-R1705, and PYL-E1102.
Rust: Fixed a false positive in RS-E1008.

Mar 28, 2022

More webhook events, 25+ new issues, and a cyborg duck

New webhook events

We’ve added three new events that you can subscribe to when you create a new webhook:

team_member.added: Triggered when a new member is added to the team.
team_member.removed: Triggered when an existing member is removed from a team.
team_member.updated: Triggered when the role of a member is changed.

You can refer to the docs for more details on these events and see what the payload looks like.

New in Analyzers

PHP: Added 2 new security issues (PHP-A1001, PHP-A1009)
Go: Added Autofix for 6 issues (RVV-A0001, RVV-A0009, SCC-S1007, SCC-SA4017, SCC-SA4018, SCC-SA9003)
Java: The Java Analyzer now supports projects using Java 17.
C#: Added 7 new issues (CS-W1014, CS-A1006, CS-A1005, CS-W1015, CS-R1037, CS-R1038, CS-R1036)
Rust: Added 10 new issues (RS-P1003, RS-W1056, RS-W1057, RS-W1058, RS-W1059, RS-W1060, RS-W1061, RS-W1062, RS-W1063, RS-W1064)
JavaScript: Added 1 new security issue (JS-S1008)
Python: Added 1 new security checker (PTC-W6004). We now have at least one issue for every OWASP Top 10 recommendation in the 2017 and 2021 lists.

Introducing, Duck Norris!

We’ve adopted Duck Norris, a cyborg duck from Quackotron, as our Mascot. He would be working on spreading the word about our mission of helping developers ship good code to the world. We also made a fun short movie about this!

Fixes and improvements

We have a brand new 404 page! Check it out here.
There’s now a home button in Discover’s sidebar, so you can easily go back to your DeepSource Home.
Fixed the broken rendering of HTML entities in the title of an issue
Fixed a redirect loop on GitLab authentication. Users will directly be redirected to the account selector directly after authorizing their GitLab account.
Standardize font sizes for cards across the dashboard. This was an eyesore, truly.
Disabled the Autofix button for unauthenticated users when browsing public repositories. Although the action wouldn’t succeed, the button was being shown as a no-op.
Fixed: Users were not able to add new events after creating a webhook.
Removed the first and last seen times of an issue in the history page, where it didn’t really make sense.
PHP: Fixed a false-positive in PHP-A1006.
PHP: Fixed wrong end line in PHP-W1074.
Go: Fixed data races to mitigate the episodic runtime panics leading to analysis timeouts.
Python: Fixed a major source of Autofix failures. Running Autofix for R1705, R1720, R1723, and R1724 should no longer have failures.
C#: CS-R1008: GenericExceptionHandlingCheck is no longer raised when an Exception is being trapped for logging purposes or when passed to Console.WriteLine.
C#: CS-P1001: ManualGarbageCollectCheck now correctly handles scenarios when GC-related methods such as SuppressFinalize are invoked inside Dispose.
C#: CS-R1029: TestHasNoAssertCheck is no longer invoked when a custom assertion is used in place of test-suite’s Assert.
Java: OWASP references in security issue descriptions are now in a uniform format.
Java: The Java analyzer will now assume a default Java version if none is provided.
Java: Multiple or nested independent Gradle and Maven projects in the same repository are now properly detected.
Java: File exclusions are now more efficiently processed.
Java: JAVA-E0110 (Equals without null check) now correctly ignores valid non-trivial equals implementations.
Java: JAVA-P1001 (inefficient replaceAll) now correctly detects certain regex signatures.
Java: JAVA-E1014 (improper getter/setter) now also accounts for final fields.
Java: JAVA-E1041 (unimplementable interface) is now smarter in detecting bad interfaces.
Java: JAVA-E0094 (Finalizer must not be invoked) will no longer be raised for overloaded methods that are not finalizers.
Java: JAVA-P0057 (URL collections are bad) will now respect spotbugs suppress annotations.
Java: JAVA-S1002 (Naive trustmanager/hostname verifier implementation) will now respect spotbugs suppress annotations.
JavaScript: Fixed a false-positive in JS-D1001.

Jan 24, 2022

All new webhooks and a simpler signup flow

New webhooks

DeepSource webhooks have been in beta since September. With this release, we have introduced two new webhooks to make integrations with DeepSource easier.

analysis_run.updated: This event is triggered each time an analyzer publishes its results on DeepSource.
repository_issue.introduced: This event is triggered when an issue is introduced to the main/default branch of your repository.

There are many more new webhooks and APIs on the way to help developers build with DeepSource!

A new signup flow

We want our new users to derive value from DeepSource quickly and seamlessly. This is why we just redesigned our sign-up experience to easily get you started with a simpler, easy-to-follow onboarding process.

Jan 10, 2022

Better repository sync, improved changelog, and more

Improved repository sync for GitLab

Due to the way GitLab’s APIs work, our integration doesn’t automatically sync new repositories to DeepSource. It is now easier to sync all your repositories while choosing to activate DeepSource on a new repository. You’d see a new “Sync repositories” button for GitLab.

Improved changelogs section

We now use Canny for publishing our changelog and it is directly integrated into the DeepSource dashboard. Keep track of all the exciting features and updates straight from your sidebar.

Other improvements and fixes

Look up an issue in the Directory from the Ignored rules tab on your repository settings.
Fixed the Go import root field in the Auto Onboard page.
Improvements to load the Billing Page more gracefully.