In this release, we focused on enhancing your desktop experience by adding a wide range of new features and improving the existing functionality:
Customizing Rules and Test Configurations on the Desktop
This release features significant improvements for customizing static analysis on your desktop. We've introduced a browser-based interface that allows you to locally modify and save code analysis rules and test configurations to meet your organization’s development policy. See Customizing Static Analysis Rules and Creating Custom Test Configurations.
Additionally, you can now configure Jtest to apply the rule mapping stored locally or on DTP.
Change-based Testing from your IDE
You can now easily identify and run only the tests affected by locally modified code, rather than running a large set of tests unaffected by changes. This enables you to optimize your testing efforts and speed up the test execution process. See Test Impact Analysis.
Collecting Unit Test Coverage in IntelliJ IDEA
We've extended support for collecting coverage information for unit tests that ran in IntelliJ IDEA. See Collecting Unit Test Coverage in IntelliJ IDEA.
Unit Test Assistant Enhancements
Support for IntelliJ IDEA
The capabilities of Unit Test Assistant are now available in IntelliJ IDEA.
Detecting Uncovered Code
You can now configure UTA to identify uncovered code. This helps you focus test creation on uncovered lines and increase your overall code coverage. See Uncovered Code.
Cloning Test Cases
We've added the ability to clone existing test methods, which improves productivity related to the test creation process. The Clone test option enables you to rapidly duplicate an existing test method and modify the cloned test as necessary. See Creating a Basic Unit Test.
Support for IDEs
- Added support for IntelliJ 2018.1
- Removed support for outdated IDEs.
Other Changes
- DTP 5.4.0 is required to leverage DTP capabilities and workflows.
- Findings marked with the Do Not Show priority on your DTP no longer simulate suppressions and should be converted into true suppressions; see DTP 5.4.0 Release Notes.
- The instrument goal/task for Maven, Gradle, and Ant is now deprecated. Use the agent goal/task for collecting coverage information.
- The paradigm for merging coverage information has been improved, which may increase your coverage results.
New and Updated Test Configurations
We've added the following built-in test configurations:
- UL 2900
- OWASP Top 10 2017
The test configurations for outdated standards have been removed:
- outdated OWASP Top 10 test configurations (2007, 2010, 2013)
- outdated JDK configurations (New Features in JDK 1.5 and 7)
- CWE-SANS Top 25 2009
- DISA-STIG for Java
- Juliet 1.1 2011
- SAMATE NIST 2010
The GLOBAL rules have been improved to help you address potential defects more efficiently. The improved accuracy might affect performance.
New Code Analysis Rules
The following rules have been added:
Rule ID | Header |
---|---|
BD.API.ARGWRITE | Do not rely on the write() method to output integers outside the range 0 to 255 |
BD.PB.MULBUF | Do not create multiple buffered wrappers on a single byte or character stream |
BD.PB.VREADOBJ | Do not invoke overridable methods from the readObject() method |
BD.SECURITY.FPEXC | Check floating-point inputs for exceptional values |
BD.SECURITY.LOG | Avoid passing unvalidated binary data to log methods |
BD.TRS.INSTLOCK | Do not use an instance lock to protect shared static data |
CODSTA.ORG.ASSERT | Do not use assertions in production code |
PB.IKICO | Ensure that keys used in comparison operations are immutable |
TRS.ISTART | Do not call the 'start()' method directly on Thread class instances |
TRS.SGC | Do not synchronize on the class object returned by the 'getClass' method |
TRS.SOBC | Do not synchronize on a collection view if the backing collection is accessible |
Updated Code Analysis Rules
- BD.PB.VOVR
- BD.TRS.ORDER
- OPT.USCL
- FORMAT.U2B
- GLOBAL.ASI
- GLOBAL.DPPM
- GLOBAL.UPAC
- SECURITY.WSC.PPKG
- SECURITY.WSC.INIVF
- PB.NUM.UBD
- PB.CUB.IMM
- UC.AAI
The following rules may be differently processed by DTP and their previous suppressions may no longer be available:
- INTER.CCL
- CODSTA.BP.EXIT
Resolved Bugs and FRs
Bug/FR ID | Description |
---|---|
FA-5994 | Cannot define constructor as null not accepting method for BD.EXCEPT.NP |
FA-6140 | Not all paths are counted when reporting flowanalysis.output.performance.info for some of the rules. |
JT-47125 | PB.CLOSE throws False Positive with try-with-resources |
JT-48547 | PB.CUB.IMM potential false positive |
JT-48635 | SECURITY.IBA.VPPD-2 does not trigger correctly |
JT-69723 | False positives related to lambdas |
JT-69873 | UC.AAI - incompatible with Java 8 |
JT-69939 | Different behaviors from 9.5 and 10.3.1+ |
UTA-1028 | Recommendation for possibly mockable method not being displayed |
UTA-2296 | Some unit tests created with UTA are failing on customer's project |
XT-35411 | Spaces in CVS reports starting from second row |