SonarQube Java 3.10 Released

SonarSource is pleased to announce the release of the Java plugin version 3.10.

With this new version, the Symbolic Execution engine, which explores all possible execution paths to detect bugs, is now able to handle relations between symbolic values. What does this mean concretely? Let's look at a real-life issue found in the Apache Vysper code:

The simplified reasoning of the Symbolic Execution engine is the following:

  1. To reach the line where the issue is reported, the condition (to == null || to.equals(serverEntity)) six lines above must have evaluated to false.
  2. By definition, this means that at that point 'to' is not null and is not equal to 'serverEntity'.
  3. Since the contract of 'public boolean equals(Object obj)' in Java requires it to be symmetric, isServerInfoRequest = serverEntity.equals(to) is also false.
  4. So the condition !isServerInfoRequest is always true.
  5. Q.E.D.
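To make the five steps above concrete, here is a toy relational symbolic executor. It is an added illustration written for this post, not the SonarQube Java plugin's engine and not Vysper's code; the names 'to', 'serverEntity' and 'isServerInfoRequest' are taken from the steps above, and the guard-then-check structure it analyses is a reconstruction of the pattern those steps describe. Its one design decision is the point of the release: the equality relation is stored on an unordered pair of symbolic values, so a constraint learned from to.equals(serverEntity) is visible when serverEntity.equals(to) is evaluated later on the same path.

```python
"""Toy path-sensitive symbolic execution over null/equality relations (illustration only)."""
from dataclasses import dataclass, replace
from typing import Optional, Union


@dataclass(frozen=True)
class Sym:
    """A symbolic value standing for one Java reference, e.g. the 'to' parameter."""
    name: str


# Expression nodes for the small Boolean language we interpret.
@dataclass(frozen=True)
class IsNull:
    v: Sym


@dataclass(frozen=True)
class Equals:  # a.equals(b); treated as symmetric, as the equals() contract requires
    a: Sym
    b: Sym


@dataclass(frozen=True)
class Not:
    e: "Expr"


@dataclass(frozen=True)
class Or:  # Java's short-circuit ||
    left: "Expr"
    right: "Expr"


Expr = Union[IsNull, Equals, Not, Or]


@dataclass(frozen=True)
class State:
    """Path constraints: values known null / non-null, pairs known equal / unequal."""
    nulls: frozenset = frozenset()
    non_nulls: frozenset = frozenset()
    equal: frozenset = frozenset()    # elements are frozenset({a, b})
    unequal: frozenset = frozenset()


def pair(a: Sym, b: Sym) -> frozenset:
    # Unordered key: this is where the symmetry of equals() is encoded.
    return frozenset({a, b})


def evaluate(e: Expr, s: State) -> Optional[bool]:
    """True/False if the path constraints decide e, None if it is still unknown."""
    if isinstance(e, IsNull):
        return True if e.v in s.nulls else False if e.v in s.non_nulls else None
    if isinstance(e, Equals):
        if e.a == e.b:
            return True  # x.equals(x) is true by the reflexivity clause of the contract
        p = pair(e.a, e.b)
        return True if p in s.equal else False if p in s.unequal else None
    if isinstance(e, Not):
        r = evaluate(e.e, s)
        return None if r is None else not r
    if isinstance(e, Or):
        l, r = evaluate(e.left, s), evaluate(e.right, s)
        if l is True or r is True:
            return True
        return False if (l is False and r is False) else None
    raise TypeError(e)


def assume(e: Expr, truth: bool, s: State) -> list:
    """Successor states in which e has the given truth value; empty if that path is infeasible."""
    known = evaluate(e, s)
    if known is not None:
        return [s] if known == truth else []
    if isinstance(e, IsNull):
        return [replace(s, nulls=s.nulls | {e.v})] if truth else [replace(s, non_nulls=s.non_nulls | {e.v})]
    if isinstance(e, Equals):
        p = pair(e.a, e.b)
        return [replace(s, equal=s.equal | {p})] if truth else [replace(s, unequal=s.unequal | {p})]
    if isinstance(e, Not):
        return assume(e.e, not truth, s)
    if isinstance(e, Or):
        if truth:  # left true, or left false and right true
            out = assume(e.left, True, s)
            for s2 in assume(e.left, False, s):
                out += assume(e.right, True, s2)
            return out
        return [s3 for s2 in assume(e.left, False, s) for s3 in assume(e.right, False, s2)]
    raise TypeError(e)


def verdict(cond: Expr, states: list) -> str:
    """Classify a condition over every reachable state: 'always true', 'always false' or 'unknown'."""
    results = {evaluate(cond, s) for s in states}
    if results == {True}:
        return "always true"
    if results == {False}:
        return "always false"
    return "unknown"


def analyze(guarded: bool) -> str:
    """Reconstructed pattern: an early-return guard, then a check of the reversed equals() call."""
    to, server = Sym("to"), Sym("serverEntity")
    states = [State()]
    if guarded:
        # if (to == null || to.equals(serverEntity)) { ...; return; }  -> follow the fall-through path
        states = assume(Or(IsNull(to), Equals(to, server)), False, states[0])
    # boolean isServerInfoRequest = serverEntity.equals(to);  if (!isServerInfoRequest) { ... }
    return verdict(Not(Equals(server, to)), states)


if __name__ == "__main__":
    print("with guard:   ", analyze(True))    # the condition the post reports
    print("without guard:", analyze(False))   # no relation learned, so nothing to report
```

Running it, the guarded variant reports "always true", which is exactly the conclusion in step 4, while the unguarded variant stays "unknown" because no relation between the two values was ever learned. The caveat a reviewer should keep in mind is that step 3 rests on the equals() contract, not on anything the compiler enforces: an equals() that is not symmetric (a classic mistake when comparing against a subclass) would make the reported condition reachable in practice even though the analysis says it is dead.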

Moreover, this version embeds 17 new rules, some of which target EJB, Spring and web configuration files.

Please read the release notes for more information. You can install or update it via the Update Center.

Documentation is available on the product page.