Changelog

Latest updates and improvements on DeepSource.

Aug 6, 2024
Enterprise Server v3.30.0

Rust Support in VS Code Extension

We are excited to announce that the DeepSource VS Code Extension now supports Rust. Rust developers can now leverage DeepSource's static analysis capabilities from within the Visual Studio Code environment to detect and fix issues using Autofix AI™.

New in Analyzers

C#:

  • Added support for .NET 8.
  • Implemented false positive fixes for rule CS-R1137.

Test Coverage:

  • Introduced support for branch coverage in JaCoCo and Clover test reports.

JavaScript:

  • Enhanced SAST issue detection with support for more libraries. This update considers additional taint sources and sinks, improving security issue coverage.
  • Improved core taint analysis algorithm to detect the flow of potentially tainted data across function boundaries within the same file.

PHP:

  • Added SAST issues to detect Server-Side Request Forgery (SSRF) and Local File Inclusion (LFI).
  • Improved taint analysis algorithm to detect more security issues.

Java:

  • Implemented false positive fixes for rules JAVA-E1013 and JAVA-W0324.

Python:

  • Implemented false positive fixes for rules PYL-E0601, PYL-W0613, and PY-W0069.

Go:

  • Added support for Go v1.22.5.

Fixes and Improvements

  • Issue Navigation from Reports: Added the ability to navigate directly to an issue from the Team Reports page, allowing you to narrow down to the exact issue or root cause quickly.
  • Repository Activation/Deactivation API: Introduced API functionality to activate or deactivate repositories. For a sample query and more information, refer to the documentation.
  • Code Health Report Enhancement: Updated the Code Health report to hide the aggregate number from the chart and display the net change for the month in the dashboard, providing clearer insights into monthly progress.
May 14, 2024
Enterprise Server v3.29.0

Support for Java 21

DeepSource's Java Analyzer now supports Java 21, the latest long-term support (LTS) release of the Java Platform.

Java 21 introduces several new features and improvements, such as pattern matching for switch statements and record patterns, among several others. DeepSource can now recognize these new patterns in your code and help you find and fix code quality and security issues in them.

Follow the discussion here and let us know your feedback!

Optional merge request status checks for GitLab

You can now stop DeepSource's external status check from being sent to GitLab. To still block the merge request on DeepSource check failures, you can query the Analysis Run API.

To read more about why we shipped this and why you need this, read the discussion here.

Jan 18, 2024
Enterprise Server v3.27.0

Community Analyzers

Community Analyzers are open-source third-party static analyzers that run as part of your existing CI pipeline. Their results are reported to DeepSource using SARIF (Static Analysis Results Interchange Format), an OASIS standard.

The initial release adds support for Kube Linter, Dart Analyze, Slither and AWS CloudFormation Linter, with support for more to come soon. To simplify your onboarding experience, all analyzers have pre-configured ready-to-use CI snippets tailored for popular CI providers like GitHub Actions, CircleCI, and more. Refer to the announcement blog post for more information and to the documentation for detailed setup instructions.

Bitbucket Data Center

DeepSource cloud now supports Bitbucket Data Center as a Version Control System (VCS) provider, in addition to GitHub, GitLab, Bitbucket, and Azure DevOps Services. You can now use DeepSource to monitor and improve the health of your code hosted on Bitbucket Data Center.

To add your Bitbucket Data Center organization to DeepSource Enterprise Server, navigate to the account switcher on your dashboard, and create a new workspace. Read more in the docs.

Fixes and Improvements

  • Autofix tab has been redesigned and moved under the history page.
  • Code Coverage now has a badge which can be added to the project's README or wiki.
  • Fixed a bug where the summary section on a run details page would sometimes show just an icon with no value.
  • Fixed GitHub 403 errors due to suspended installation.
  • Add fallback for owner logo in public reports.
  • Auto delete DeepSource created branch if commit or PR creation on it fails.
  • API: Add IgnoreRule type. An IgnoreRule defines the condition on which to suppress an Issue's Occurrences in a Repository.
  • API: Add IssueCategorySetting type. Configuration for an IssueCategory in a Repository.
Nov 15, 2023
Enterprise Server v3.25.0

Support for stacked pull-requests

We're excited to announce first-class support for stacked pull requests on DeepSource. If you're creating pull requests off existing pull requests (also known as stacking), DeepSource will now correctly diff the second pull request and show you only those issues that you're introducing in that pull request. Prior to this, we reverted to showing you all issues present on the branch in this case (which wasn't very nice, really).

New Transformer: Ruff

Ruff seems to have taken over the Python world lately, and we're excited to support it on DeepSource today! If you're switching your code formatting on Python to Ruff, just enable the Transformer in your .deepsource.toml and you should be good to go. More details in the docs.

Support for GitLab subgroups

Large teams that use GitLab often use its subgroups feature to organize their projects more meaningfully. Unlike other VCS providers like GitHub or Bitbucket, however, the subgroups are a concrete namespace for the projects and not just a loose group. We're excited to announce first-class support for GitLab subgroups on DeepSource, which will allow our users on GitLab to bring all of their repositories onto DeepSource.

All your nested projects, regardless of the level of nesting, should already be synced and ready on the dashboard. If you don't see a project, just sync the repositories again from the repository activation modal.

Fixes and Improvements

  • Subrepos of a repository in the monorepo mode are now supported in Auto Onboard
  • When creating a ticket on Atlassian Jira from DeepSource, the reporter is now set to the current user (when available)
  • On Azure DevOps Services teams, repository syncing no longer fails when there are multiple repositories with the same name under different projects
  • Committing the DeepSource config file on GitLab when branch protection rules are enabled no longer fails; it reverts to creating a merge-request now
  • Transferring repositories on Bitbucket is now reflected on DeepSource automatically without having to run a manual sync
  • We fixed an issue where the severity counts in the OWASP® Top 10 report were incorrect in certain cases
  • We fixed an issue in our Atlassian Jira integration where the user could select an incorrect ticket type for a project
Sep 27, 2023

Support for Monorepos

We're pleased to announce the general availability of the monorepo mode for repositories, including support for three new VCS providers: GitLab, Bitbucket, and Azure DevOps Services. The initial release already supported GitHub. Learn more in the docs.

Cyclomatic Complexity

We've added checks for detecting complex code based on cyclomatic complexity thresholds. You can configure the level of complexity allowed in the Analyzer's configuration to control how strict or relaxed the threshold is. The default threshold is set to medium.

Multiple Azure DevOps Services (ADS) tenants

We've added support for multiple Azure Directories (or tenants) when using our ADS integration. It's very common for teams using ADS to have segregation of tenants for different organizations they're a part of. With this release, it's possible to log in to DeepSource teams connected to ADS organizations across several tenants with the same DeepSource user account. Read more about getting started with ADS here.

New in Analyzers

  • We've added 120+ new static analysis and SAST checks in C#, Scala, Swift, Ruby, C/C++, and Kotlin Analyzers
  • Scala: We've added support for reporting documentation coverage metrics
  • Go: We've added support for Go v1.21.x runtime
  • C/C++: We've added support for configuring the C/C++ standard to be used for compilation in the Analyzer's meta options.

Fixes and Improvements

  • Auto Onboard now supports GitLab, Bitbucket, and Azure DevOps Services teams
  • Transformers and Autofix™️ are now supported in Azure DevOps Services repositories
  • You can now filter the list of issues in a repository's Issues tab based on severity
  • Hardcoded credentials detected by the Secrets Analyzer now have a new category called Secrets
  • We've fixed a bug in the Autofix tab that showed incorrect error states when the Autofix app isn't installed with proper permissions
  • We've fixed the update issue priority action on the Issue Priority settings page
  • Commit messages and pull requests created by Autofix™️ and Transformers now follow Conventional Commits guidelines
  • The list of users in repository members is now sorted in the reverse order of permissions
  • C#: Fixed Autofix failures in CS-R1032, CS-W1000.
  • C#: Fixed false-positives in CS-R1060 where it was incorrectly flagging getters that cannot be converted to auto-properties.
  • C#: Fixed false-positives in CS-R1137 where it was not considering field modifications and increment/decrement operations, and was incorrectly suggesting that the corresponding field use readonly.
  • JavaScript: Fixed scenarios where the Analyzer was not respecting ESLint global pragmas.
  • JavaScript: Fixed false-positives in JS-0093 where it incorrectly flagged expect statements in test files as unused expressions.
  • JavaScript: Fixed false-positives in JS-C1003. This rule now won't flag imports from certain packages that cannot be used without a wildcard.
  • JavaScript: Fixed false positives in JS-0125 due to some global environments not being respected.
  • Python: Fix false-positives in PTC-W0049, PTC-W0065, PYL-W0109, FLK-E101, and PYL-E1102.
  • Ruby: Fix false-positives in RB-LI1078 when the assignment happens inside a case statement that is the last statement of a method, as that value gets returned implicitly from the method
  • Java: Fixed false positives in JAVA-W1051, JAVA-W1004, JAVA-W1025, JAVA-E1085, JAVA-W1028, JAVA-E1109, JAVA-W1088, JAVA-W1060, JAVA-W0324, JAVA-W1042.
Aug 22, 2023
Enterprise Server v3.23.0

VS Code Extension

We're excited to announce DeepSource's VS Code Extension, now in private beta. You can now detect, understand, and effortlessly resolve issues directly from VS Code. You can install the plugin here. For installation steps and a quick tutorial, please read the documentation.

Support for monorepos

For teams that use a monorepo workflow for development, managing different quality and security gates for different sub-repos can be challenging, since VCS providers lack first-class support for monorepos. In this release, we've launched first-class support for monorepos. You can convert any repository on DeepSource into a monorepo and map subfolders as sub-repositories. Then, each sub-repository can be used as a first-class repository on DeepSource — complete with its own issue baseline tracking, intelligent PR checks, and quality gates. Read more about it in the docs.

New in Analyzers

We've added 30+ new static analysis and SAST checks:

We've added Autofix™ for 12 checks:

Fixes and Improvements

  • The Swift analyzer is live on Enterprise Server, with 78 checks and 15 Autofixes. Read more about it in the blog.
  • The Kotlin analyzer is live on Enterprise Server, with 50 checks. Read more about it in the blog.
  • Users can now use Autofix™️ on up to 1000 files at once.
  • We've made performance improvements in the PAT authentication in the public API. You should see faster response times when using the API.
  • We've updated broken documentation URLs being sent in commit statuses & checks.
  • We've fixed an issue in the Jira integration in which only the first 500 projects would be shown in the integration settings.
  • In our Secrets analyzer, we've added dedicated issues for tokens for 40 unique APIs. We now show specific remediation steps for these API providers.
  • JAVA-W0324 is no longer reported for methods of classes that have inner classes.
  • JAVA-W1066 is no longer reported for methods defined in local types.
  • JAVA-C1003 is no longer raised for loops with multiple loop variables.
  • JAVA-W1029 is no longer raised if the resolved type is not in explicit imports.
  • JAVA-W1029 is no longer raised for swing constants such as EXIT_ON_CLOSE.
  • JAVA-W0412 is no longer reported when switch cases have the same body, but different arms.
  • JAVA-W1088 is no longer reported for classes annotated with @TestConfiguration.
  • JAVA-E1036 is no longer reported when a remove operation is done on a map which has values of the correct type.
  • JAVA-W0324 is not reported anymore for valid private methods declared and used within a nested class.
  • JAVA-W1069 is no longer reported for static symbol imports that are not unused.
  • JAVA-W1069 is no longer reported on constructor calls with empty type parameter lists (like SomeType<>(...))
  • JAVA-E1086 is no longer reported for clone calls on arrays.
  • Fixed a false positive where JAVA-W1069 was reported for symbols that existed in the same package.
  • Fixed a false positive where JAVA-W1069 was reported on constructors with empty type parameter lists.
  • JavaScript issues for imported modules no longer raise spurious parse errors
  • Fixed some bugs with ESLint's schema validation.
  • JavaScript issues JS-0059 and JS-0050 are no longer raised on the same span.
  • JS-W1042 is no longer raised in TS files.
  • JS-R1002 now respects ESLint pragmas.
  • JS-0356 and JS-0128 no longer raise false positives on Vue files.
  • PHP: we've added support for # for skipcq comments.
  • Scala issue SC-R1069 is no longer raised for new in apply().
  • Scala issue SC-W1083 no longer marks implicit parameters as unused.
  • We now offer support for handling compressed test coverage artifacts reported through DeepSource CLI.