Changelog

An illustration of an assembly line

This update is mostly about the Analyzers. While we’ve made several small fixes and improvements to the product, the primary focus for the week was adding new checks and Autofix™️.

New in Analyzers

Fixes and Improvements

  • You can now upload attachments for support tickets on the DeepSource dashboard.
  • You can now directly copy and share the public report details from the new success window that shows up after you have created your report.
  • Some users could not see if the aggregate metrics are passing/failing a threshold(if set) on runs in the history page. This has been fixed.
  • Some users could not suppress failing metrics on the run page, despite having access control permissions enabled in team settings. This has been fixed.
  • On some reports, changing the date filters from a longer to a shorter duration resulted in an invalid state. This has been fixed.
  • Recently added Analyzer logos were not appearing correctly on the sidebar of the Discovery tab. This has been fixed.
  • We dropped support for Ruby versions 2.0-2.4 due to dependency on some libraries. We have recovered support for those versions.
  • After using .cfg file for dependency configuration in Python, we have now added support for .toml files.
  • JavaScript: We had some failures while users were trying to Autofix™️ JS-0757. We have fixed them.
  • We’ve fixed several false-positives in this release:
    • CS-R1005: Event handlers contain an argument of type async void that incorrectly triggered this issue. We’ve fixed that.
    • CS-A1003: Methods participating in the inheritance will no longer trigger this issue.
    • JAVA-E1017: Call from one method to a different overload of that same method will no longer trigger this issue.
    • JAVA-S1061: Spring persistent entities used as path variable arguments in a request handler will no longer trigger this issue.
    • JAVA-E1065: Private fields marked with @FXML were incorrectly reported as uninitialized. We’ve fixed that.
    • JAVA-W1042: Spring configuration methods that throw Exception will no longer trigger this issue.
    • JAVA-W1004: Empty test methods autogenerated by Spring will no longer trigger this issue.
    • BAN-B608: Some strings were wrongly detected as SQL triggering this issue. We’ve fixed that.
    • PYL-W0201: Now that we have added support for .toml files in Python, the false positives caused due to dependencies not being installed are fixed.
    • PYL-C0412: Imports inside the match statements incorrectly reported this issue even though they cannot be grouped. We’ve fixed that.
    • CXX-S1006: Some users were passing the sizeOf(type) value as a variable in memory allocation functions, which wrongly triggered this issue. We’ve fixed that.
An illustrative screenshot of composite coverage metric

Composite Test Coverage Metric

If you’ve been tracking code coverage primarily through Line Coverage and Branch Coverage metrics, the all-new Composite Coverage metric provides a higher-order way of measuring how effective your test suite is. This metric is aggregated over line and condition or branch coverage metrics and is calculated as such:

composite_coverage = (covered_lines + covered_conditions) / (total_lines + total_conditions) * 100

We use branch coverage to calculate the metric if condition coverage is unavailable. If only line coverage is available, then line coverage would be identical to composite coverage. As with all other metrics, you can add a threshold. To view this for a repository, you can go to Metrics → Composite Coverage in the repository view. Please note that code coverage should be tracked on DeepSource for this metric to be visible.

Public Reports

You can now share reports externally using a public link and share them with people within or outside your team who might not have access to your DeepSource account but will find value in these reports. You can create these reports at the repository or team levels for all or selected repositories. You can also choose to password-protect a public report.

An illustrative screenshot of a deepsource public report

To create these reports at both repository or team-level view, you can go to the Reports tab → Public Reports → Create a report or click on the share button in any report in the reports tab.

New in Analyzers

  • PHP: We have fixed a false negative for PHP-A1002. The Analyzer can now detect checks where unsanitized external data is incorporated into an SQL query and used (passed to a vulnerable function or returned) without any escaping.

New in Enterprise Server

  • Breaking change: To help you optimize resource utilization within the Kubernetes cluster, we’ve added a new kube-janitor service to clean up old jobs in the atlas-jobs namespace. Since there would already be many analysis jobs piled up in the cluster, cleaning them up is essential before upgrading. Read more about upgrading in the docs.
  • Jira Integration: You can now create new issues on Jira Cloud directly from DeepSource. Read more about it in the docs.
  • Slack Integration: You can now connect your Slack workspace with DeepSource and receive updates on important events directly on the channel. Read more about it in the docs.
  • Bugfix: Some users running older versions of PostgreSQL reported that some database migrations were failing. We have resolved this now by adding backward compatibility for those versions.

Fixes and Improvements

  • API: The Repository object now includes the deepsource.toml config file as a JSON object. Read more about it in the docs.
  • To make the response for reporting artifacts for test coverage more verbose, we now display the repository name and commit SHA in the CLI.
  • Some analysis runs were not being correctly linked to the respective pull-request object in the Repository → History page. This has now been fixed.
  • The history page now shows the correct open pull-request count.
  • The aggregate value for coverage reports was not shown correctly for some users. This has been fixed.

Code Health Trend report

As you manage the health of your code base, it is crucial to actively clean up existing issues and prevent new issues from making it to your default branch. This new report makes it easy to understand how many net new code health issues are being introduced in your code base.

An illustrative screenshot of code health trend chart

Go to Reports → Code Health Trend in the repository view. You can also see the report across all active repositories from the team overview.

Issues Prevented report

We’ve added a new report to help you visualize the impact of having DeepSource as part of your software development workflow. The Issues Prevented report shows you the total number of code health issues you’ve prevented in pull requests, so they didn’t make it into your code base.

An illustrative screenshot of issues autofixed chart

This report is available for each repository as well as your entire team.

New in Analyzers

Fixes and improvements

  • API: The Repository object now includes the list of active Analyzers. Learn more in the docs.
  • A few users had reported that the DeepSource widget on Bitbucket pull requests is too prominent and noisy when the analysis isn’t active. We’ve made it muted and non-obtrusive.
  • We’ve fixed a rounding error leading to metric trends being shown as 0.0% on the analysis run’s page.
A screenshot showing a preview of slack message from DeepSource

Our much-awaited integration with Slack is finally here! You can now connect your Slack workspace with DeepSource and receive updates on important events directly in a channel. The list of notifications includes:

  1. New issues introduced or existing issues resolved in the default branch
  2. Autofix run updated
  3. Repository activation status changed

Head over to the Integrations tab in your organization’s settings to get started.

Autofix for C#

The DeepSource C## Analyzer now supports automated issue fixing with Autofix, starting with 20 issues in this release. We’ve built this ground up to be accurate and fast. Read more on the discussion forum.

Integration with GitLab Pipelines

DeepSource now integrates natively with GitLab Pipelines and Commit Statuses to provide a better experience when working with GitLab’s merge requests. Read more details on what’s changed on our blog.

New in Analyzers

Fixes and improvements

  • Owners of a team can now transfer ownership of their team to another Member or Administrator. If you are an Owner, find the “Transfer ownership” button under your name on the “Team members” page.
A illustrative screenshot showing onelogin and DeepSource integration

OneLogin support in DeepSource Enterprise Server

DeepSource Enterprise Server, the self-hosted version of DeepSource that you can run in your own cloud, now supports Single Sign-on (SSO) with OneLogin. An admin on OneLogin can now create a custom SAML connector for DeepSource Enterprise Server and enable SAML SSO. This will allow users to log in to DeepSource using OneLogin. For more details, please refer to the docs.

Improved GitHub pull request integration

Opening a DeepSource analysis run from a pull request on GitHub used to take two clicks. It now takes just one. Read more here.

New in Analyzers

New webhook events

Webhooks are an excellent way to build custom workflows and integrate DeepSource with other tools. We’ve added three new webhook events in this release:

  • repository_issue.resolved: Triggered whenever an issue is resolved in the default branch of the repository
  • autofix_run.started: Triggered when a new Autofix is created
  • autofix_run.updated: Triggered when the status of the corresponding PR of an Autofix is updated.

Learn more about these events in the docs.

Support for Go 1.18 in the DeepSource Go Analyzer

We now support projects using Go 1.18, the latest version of the Go programming language. The version is auto-detected from go.mod from each module’s root, and no change is required in .deepsource.toml.

New in Analyzers

Fixes and improvements

  • When joining a team using the invite link, the user will default to the member role (if seats are available)
  • On uninstalling the DeepSource app from GitHub or Bitbucket, the users will now get an email informing them that their account has been deleted successfully
  • Fixed the broken link to a user’s DeepSource dashboard in the Bitbucket sidebar
  • All webhook events are now sent with the Norris/DeepSource user agent. If you haven’t met Duck Norris yet, you really should!
  • The Autofix button will no longer appear incorrectly on the default branch’s run history page
  • Fixed image and content flashing in the carousel on the signup page
  • Cleaned up a bunch of errors on the front end so your user experience should be much smoother now
  • JavaScript: Fixed false positives for JS-0377 and JS-0378
  • JavaScript: Fixed incorrect Autofix for JS-0002
  • Go: Fixed bugs in Autofix for VET-0009 and GO-E1006
  • Go: Improved issue descriptions for GSC-G501, GSC-G102, and GO-S1029
A code preview of unreachable code

Unreachable, or “dead”, code is often a symptom that something has been missed unintentionally in the codebase. Dead code in your test suite is even more problematic because it means some part of your code that you thought will test something is, well, not serving its purpose. We’ve just added a new issue, TCV-002, in the Test Coverage Analyzer that’ll alert you whenever it finds unexecuted code in any test files.

New in Analyzers

Fixes and improvements

  • Users will now get directly directed to the organization they accepted an invite for.
  • Issues under a run are now paginated, allowing users to see all of them directly without explicitly searching for them.
  • Billing checkout page didn’t show the applied credits. This has been fixed.
A illustrative screenshot showing onelogin and DeepSource integration

The 404 page now has a new login button. After we released the new page last week, several users pointed out that it takes quite a few clicks to finally log in to DeepSource if you’ve landed on a protected URL.

New in Analyzers

Fixes and improvements

  • JavaScript: We’ve updated the default module type updated to ESM. ESModules no longer ignored when the module_system field is unspecified in .deepsource.toml.
  • Python: Resolved several false-positives in PYL-W0143, PYL-W0613, PY-W0069, PTC-W6004, PYL-R1705, and PYL-E1102.
  • Rust: Fixed a false positive in RS-E1008.

New webhook events

We’ve added three new events that you can subscribe to when you create a new webhook:

  • team_member.added: Triggered when a new member is added to the team.
  • team_member.removed: Triggered when an existing member is removed from a team.
  • team_member.updated: Triggered when the role of a member is changed.

You can refer to the docs for more details on these events and see what the payload looks like.

New in Analyzers

Introducing, Duck Norris!

We’ve adopted Duck Norris, a cyborg duck from Quackotron, as our Mascot. He would be working on spreading the word about our mission of helping developers ship good code to the world. We also made a fun short movie about this!

Fixes and improvements

  • We have a brand new 404 page! Check it out here.
  • There’s now a home button in Discover’s sidebar, so you can easily go back to your DeepSource Home.
  • Fixed the broken rendering of HTML entities in the title of an issue
  • Fixed a redirect loop on GitLab authentication. Users will directly be redirected to the account selector directly after authorizing their GitLab account.
  • Standardize font sizes for cards across the dashboard. This was an eyesore, truly.
  • Disabled the Autofix button for unauthenticated users when browsing public repositories. Although the action wouldn’t succeed, the button was being shown as a no-op.
  • Fixed: Users were not able to add new events after creating a webhook.
  • Removed the first and last seen times of an issue in the history page, where it didn’t really make sense.
  • PHP: Fixed a false-positive in PHP-A1006.
  • PHP: Fixed wrong end line in PHP-W1074.
  • Go: Fixed data races to mitigate the episodic runtime panics leading to analysis timeouts.
  • Python: Fixed a major source of Autofix failures. Running Autofix for R1705, R1720, R1723, and R1724 should no longer have failures.
  • C#: CS-R1008: GenericExceptionHandlingCheck is no longer raised when an Exception is being trapped for logging purposes or when passed to Console.WriteLine.
  • C#: CS-P1001: ManualGarbageCollectCheck now correctly handles scenarios when GC-related methods such as SuppressFinalize are invoked inside Dispose.
  • C#: CS-R1029: TestHasNoAssertCheck is no longer invoked when a custom assertion is used in place of test-suite’s Assert.
  • Java: OWASP references in security issue descriptions are now in a uniform format.
  • Java: The Java analyzer will now assume a default Java version if none is provided.
  • Java: Multiple or nested independent Gradle and Maven projects in the same repository are now properly detected.
  • Java: File exclusions are now more efficiently processed.
  • Java: JAVA-E0110 (Equals without null check) now correctly ignores valid non-trivial equals implementations.
  • Java: JAVA-P1001 (inefficient replaceAll) now correctly detects certain regex signatures.
  • Java: JAVA-E1014 (improper getter/setter) now also accounts for final fields.
  • Java: JAVA-E1041 (unimplementable interface) is now smarter in detecting bad interfaces.
  • Java: JAVA-E0094 (Finalizer must not be invoked) will no longer be raised for overloaded methods that are not finalizers.
  • Java: JAVA-P0057 (URL collections are bad) will now respect spotbugs suppress annotations.
  • Java: JAVA-S1002 (Naive trustmanager/hostname verifier implementation) will now respect spotbugs suppress annotations.
  • JavaScript: Fixed a false-positive in JS-D1001.

New webhooks

DeepSource webhooks have been in beta since September. With this release, we have introduced two new webhooks to make integrations with DeepSource easier.

  1. analysis_run.updated: This event is triggered each time an analyzer publishes its results on DeepSource.
  2. repository_issue.introduced: This event is triggered when an issue is introduced to the main/default branch of your repository.

There are many more new webhooks and APIs on the way to help developers build with DeepSource!

A new signup flow

We want our new users to derive value from DeepSource quickly and seamlessly. This is why we just redesigned our sign-up experience to easily get you started with a simpler, easy-to-follow onboarding process.