An illustration of an assembly line
Cover image role-based access sync from GitHub

Improved role-based access sync from GitHub

Managing repository permissions and access settings for users on your GitHub and DeepSource organizations separately can be tedious as your team grows. We’ve made several improvements to how we sync permissions from GitHub to simplify this and eliminate manual effort.

  • Repository-level permissions: Repository permissions to users inherited from a team on GitHub are now correctly synced on DeepSource. Previously, only direct repository collaborator roles were synced, leading to an inconsistency in the repositories that a user could see on GitHub and DeepSource. Read more in our docs.
  • Base permissions: To help you bring parity with base permissions on GitHub, we’ve added a new No Permission option to Member Base Permissions in your team’s access control settings. Selecting this will allow members read-only access to public repositories by default. They will not have any permissions on private repositories unless some level of permission is inherited from a GitHub team or through being added as a direct repository collaborator. Read more in our docs.
  • Default Base Permission: When you connect a new GitHub organization, we will automatically sync the organization’s base permission from GitHub to DeepSource. Previously, this setting defaulted to “Maintain” on DeepSource.

Please note that automatic sync of access on repositories can affect your occupied seat count on DeepSource. For instance, if a user has a Contributor role on DeepSource but a Member or Admin role on GitHub, their role will be upgraded, and they’ll now occupy a paid seat on DeepSource. To help you keep track of this, the source of a member’s addition to the organization or a repository is now shown in the list of members in Organization → Settings → My team and Repository → Settings → Repository members.

New in Analyzers

New in Enterprise Server

  • RabbitMQ High Availability: As a first step towards ensuring high availability of DeepSource Enterprise Server, DeepSource now runs RabbitMQ in HA on standalone installations.
  • Export logs to SIEM tools: You can now export your DeepSource Enterprise Server logs to the SIEM tool of your choice. Read more in our docs.

Fixes and Improvements

  • We’ve fixed an issue where the test coverage Analyzer was timing out due to a parsing issue in some test coverage report formats.
  • Added the ability to regenerate the DSN for a repository from the dashboard and the API. In light of the recent CircleCI breach, we strongly recommend that all users using CircleCI for their repositories rotate their DSNs on DeepSource. You can read more about it here.
  • Setting the enabled attribute as true is now optional in the .deepsource.toml configuration file and will be true by default. If you want to disable an Analyzer, you can comment out that Analyzer entry, or add enabled = false manually in your deepsource.toml file.
  • The Scala Analyzer now automatically detects the correct Scala version even if the version meta field in the .deepsource.toml is not specified. If you’ve already set this field value, we recommend you remove it and let the Analyzer handle it appropriately.
  • Our reports now include legends in the charts to help you quickly understand the data.
  • On the run history page, the checkbox to Autofix™️ was behaving incorrectly. This has been fixed.
  • We’ve fixed an issue where the Python Analyzer was not raising flake8-compatible issues for some Python 2.7 repositories.
  • We’ve disabled obsolete issues in the JavaScript Analyzer that enforced coding styles: JS-0229, JS-0083, JS-0113.
  • We’ve updated the issue description for JS-0002 with instructions to prevent code that runs in the NodeJS environment from being flagged.
  • We now automatically exclude auto-generated and designer files from the C# Analyzer analysis. Ideally, directories such as bin and obj should be excluded when the code is committed. However, if they were added in the commits, we were incorrectly running an analysis on them.
  • The maximum JSX nesting depth for JS-0415 has been increased from 2 to 3, as 2 was a bit too restrictive.
  • We’ve improved JS-D008, an issue that flags incorrect use of Array.prototype methods. We now cover more methods and have an improved issue description to explain possible fixes.
  • The Python Analyzer was raising both FLK-E501 (Line too long) and FLK-W505 (Doc line too long) on long extraneously long docstrings. Since this was noisy, we now raise FLK-W505 only in those instances.
  • We’ve fixed several false positives in this release:
    • JAVA-W0324: We’ve fixed an issue where the @SuppressWarnings("unused") annotation was not respected, resulting in false positives.
    • JAVA-W0324: We’ve fixed an issue where we incorrectly detected privateMethod as unused for the proper usage of private methods declared inside nested classes.
    • JAVA-W1025: We’ve fixed an issue where we incorrectly detected privateMethod as unused for private fields declared within nested classes, which were used in an outer class.
    • JAVA-P0361: We were incorrectly reporting this issue this when there was a use of Map.keySet() followed by the usage of Map.get() with the same map and the same key, even if the second access was behind some condition (such as an if statement). We’ve fixed that.
    • JAVA-W1036: We incorrectly reported this issue when the actual (the type at the usage site) generic type of a method’s parameter was java.lang.Object, and the argument passed was also of type java.lang.Object. We now correctly infer the expected generic type and avoid reporting this issue when the expected generic type and argument type match.
    • JAVA-W1069: We were incorrectly reporting this issue for certain imports. We’ve fixed this by using better algorithms to detect what types/methods/fields are imported and which are used.
    • JAVA-W1042: We were incorrectly reporting this issue for methods that throw generic exceptions (like java.lang.Exception), even if the throw was added due to a call within the method that raised the exception. Now, the Java Analyzer will attempt to discover whether any checked exceptions are thrown by some method called, and if there are, it will avoid reporting this issue.
    • JAVA-W1025: We were incorrectly reporting this issue for private fields that were annotated with @MockBeans. We’ve fixed that.
    • JAVA-E1017: We were incorrectly reporting this issue for methods that called their overloads when the overload was passed casted versions of the method’s initial arguments. We’ve fixed that.
    • PYL-W0201: For relative imports inside packages, we couldn’t infer the base classes for certain classes. We’ve fixed that.
    • GO-W1027: We’ve fixed an issue where we incorrectly flagged an empty slice literal used to declare a variable for types other than a slice. We’ve fixed that.
    • RVV-B0013: We’ve fixed an issue where we didn’t correctly flag that an unused method receiver is used when a _ is present as a receiver in methods, for example, func (_ *Foo). It is recommended to omit this receiver when unused, as it is not required.
    • CS-P1001: We were incorrectly flagging the invocation of GC-related methods in protected virtual void Dispose(bool disposing). We’ve fixed that.
    • CS-W1022: We’ve fixed an issue where declared and initialized variables in separate and succeeding lines were flagged as uninitialized.
    • CS-R1071: We’ve fixed an issue where the Analyzer incorrectly recommended replacing numeric literals, such as 3.14 and 6.28 with values from the Math class even when suffixed with suffixes such as m.
    • SC-R1015: We’ve fixed an issue where the if-else chain was not adequately evaluated, thereby erroneously marking the else in else if in an if-else chain as redundant.
    • JS-0057: We’ve fixed an issue where we were incorrectly flagging empty functions with comments inside them. Functions intentionally left empty with comment(s) inside them should not be flagged as empty.
    • JS-0394: We’ve fixed an issue where we were incorrectly flagging Nuxt’s NavLink component if it had className prop.
    • JS-0122: We’ve fixed an issue where we were incorrectly flagging TypeScript interface properties that share the same name with JS global variables.
    • JS-0330: We’ve fixed an issue where we were incorrectly flagging TypeScript code where the type of the argument passed to setTimeout is non-determinable.
    • JS-0242: Destructured object properties are no longer flagged if at least one is non-const.
    • JS-0576: OnPush is the recommended component change detection strategy in Angular. But, we used to incorrectly check for onPush and flag OnPush as incorrect. Additionally, the Autofix™️ for this was incorrect as we used to transform the code to onPush instead of OnPush. We’ve fixed these.
    • JS-D023: We’ve fixed an issue where we were incorrectly flagging code that passed any non-literal argument to child_process. We now check for cases where tainted data is passed to child_process methods.
    • BAN-B413: We’ve fixed an issue where we were incorrectly flagging the PyCryptodome library as insecure. pycryptodome is a library with an API compatible with pycrypto, but with no vulnerabilities.
    • CS-R1022: We incorrectly recommended users to remove default: break;even when a comment or pragma was associated with it. We now only recommend this issue if there are no associated user comments.

Cover image for new in Analyzers

New in Analyzers

Breaking change

  • Due to a recent update in git, executing any git command inside DeepSource’s Test coverage GitHub action leads to failing the CLI. We recommend switching to DeepSource CLI or following the steps here to resolve this.

Fixes and Improvements

  • We’ve fixed several false positives in this release:
    • GO-W1025: This was being incorrectly triggered even when there was no case of possible infinite recursion within the String method. We’ve fixed that.
    • CS-R1045: Adding the array type when implicit conversion is involved (for example, new double[] {1, 2, 3, 4, 5}) was incorrectly triggering this issue. We’ve fixed that.
    • CS-R1068: Expressions such as numbers.Where(num => IsEven(num)) can be written as numbers.Where(IsEven). However, this is not possible when dealing with Action<T> such as in the case of Array.ForEach<T>(T[], Action<T>. We’ve fixed that.
    • CS-R1099: Using the explicit base() call to invoke the parent class’s default constructor is redundant. However, calls to overloaded constructors viathis() were also incorrectly flagged. We’ve fixed that.
    • JAVA-S1065: Classes that were annotated with @RequestMapping would be reported even when they have specified methods that are annotated with more specific annotations such as @GetBinding, which is safe. We now avoid reporting such cases.
    • JAVA-E1036: Certain collections API-related methods were reported as being passed the wrong generic types even when the types were correct. We’ve fixed that.
  • Ruby: We’ve disabled Autofix™️ for RB-RL1017 since it needs deeper analysis info before it can attempt to fix.
  • Python:
Cover image for account switcher

Account Switcher

We have redesigned the account switcher for your DeepSource dashboard. This makes it easier for you to distinguish between your team and personal accounts. We’ve also added a search so you can filter through the list quickly.

New in Analyzers

Fixes and Improvements

  • We’ve fixed an issue where Jira integration was not loading on the issue detail page if the username in the URL differed from the case in which it was originally set up.
  • Issue cards on the issues page were not showing the correct first and last seen dates. We’ve fixed that.
  • C#: When generating Autofix™️ code for CS-W1003, the expression d != double.NaN was being incorrectly rewritten as double.IsNaN(d). We’ve fixed that, and it now rightly refactors as !double.IsNaN(d).
  • The C and C++ Analyzer was incorrectly raising an exception when the content of a source file had nonUTF-8 encoded characters. We’ve fixed that.
Cover image for pinned reports

Pinned Reports

You can now pin the reports that are most useful to your team on the DeepSource dashboard. To do this at both team and repository levels, hover over the ellipsis icon, select change report, and pick the report you wish to pin.

New in Analyzers

Improvements and Fixes

  • API: You can now query for reports associated with an Account or a Repository. Learn more in the docs.
  • Some users saw an empty state in the history page when they ignored, suppressed, or marked an issue as false-positive or manually opened a link to a run. We’ve fixed that.
  • We’ve fixed an issue where a person could be added as a team member multiple times.
  • Some users reported that when they reactivated/deactivated their repository to trigger a complete repo sync, it resulted in a double count in the code health trend report. We’ve fixed that.
  • The repository sync broke if a Gitlab user had a subgroup with the same name as their account. We’ve fixed that.
  • Fixed unexpected analysis timeouts on specific large Python repositories.
  • We were facing a parsing bug while Python’s dependency installation. This was explicitly happening for flask>=20.0,<23.0 versions. We’ve fixed that.
  • We’ve fixed several false positives in this release:
    • PYL-C0412: Ungrouped imports from the same package inside a try/except or if block was triggering this issue. We’ve fixed that.
    • JS-0464: This issue should not be raised if the codebase user uses React version >= 17. We have improved the detection of React version in the user’s project and raise this issue only if we detect the React version to be < 17.
    • JS-D007 and JS-0093: These issues were triggered incorrectly on some assertion functions in test files. We’ve fixed that.
    • JS-0129: When function and class declarations were used before their definition, it incorrectly triggered this issue. We’ve fixed that.
    • JAVA-C1002: Constants and class object references were wrongly reported when used as the expected value of a JUnit assert call. We’ve fixed that.
    • RS-W1017: We’ve added support for write! macro for this issue.
    • Disabled JS-0056: Based on the feedback from some users, we have decided to no longer raise this as an issue since it is a stylistic preference whether to follow this pattern or not.
  • We’ve disabled JAVA-E1029 temporarily, as users reported many false positives. We will re-enable it once we have fixed the false positives.
  • C/C++: The Analyzer was not reporting any found issues due to a bug in the issue reporting module. We’ve fixed that.

This update is mostly about the Analyzers. While we’ve made several small fixes and improvements to the product, the primary focus for the week was adding new checks and Autofix™️.

New in Analyzers

Fixes and Improvements

  • You can now upload attachments for support tickets on the DeepSource dashboard.
  • You can now directly copy and share the public report details from the new success window that shows up after you have created your report.
  • Some users could not see if the aggregate metrics are passing/failing a threshold(if set) on runs in the history page. This has been fixed.
  • Some users could not suppress failing metrics on the run page, despite having access control permissions enabled in team settings. This has been fixed.
  • On some reports, changing the date filters from a longer to a shorter duration resulted in an invalid state. This has been fixed.
  • Recently added Analyzer logos were not appearing correctly on the sidebar of the Discovery tab. This has been fixed.
  • We dropped support for Ruby versions 2.0-2.4 due to dependency on some libraries. We have recovered support for those versions.
  • After using .cfg file for dependency configuration in Python, we have now added support for .toml files.
  • JavaScript: We had some failures while users were trying to Autofix™️ JS-0757. We have fixed them.
  • We’ve fixed several false-positives in this release:
    • CS-R1005: Event handlers contain an argument of type async void that incorrectly triggered this issue. We’ve fixed that.
    • CS-A1003: Methods participating in the inheritance will no longer trigger this issue.
    • JAVA-E1017: Call from one method to a different overload of that same method will no longer trigger this issue.
    • JAVA-S1061: Spring persistent entities used as path variable arguments in a request handler will no longer trigger this issue.
    • JAVA-E1065: Private fields marked with @FXML were incorrectly reported as uninitialized. We’ve fixed that.
    • JAVA-W1042: Spring configuration methods that throw Exception will no longer trigger this issue.
    • JAVA-W1004: Empty test methods autogenerated by Spring will no longer trigger this issue.
    • BAN-B608: Some strings were wrongly detected as SQL triggering this issue. We’ve fixed that.
    • PYL-W0201: Now that we have added support for .toml files in Python, the false positives caused due to dependencies not being installed are fixed.
    • PYL-C0412: Imports inside the match statements incorrectly reported this issue even though they cannot be grouped. We’ve fixed that.
    • CXX-S1006: Some users were passing the sizeOf(type) value as a variable in memory allocation functions, which wrongly triggered this issue. We’ve fixed that.
An illustrative screenshot of composite coverage metric

Composite Test Coverage Metric

If you’ve been tracking code coverage primarily through Line Coverage and Branch Coverage metrics, the all-new Composite Coverage metric provides a higher-order way of measuring how effective your test suite is. This metric is aggregated over line and condition or branch coverage metrics and is calculated as such:

composite_coverage = (covered_lines + covered_conditions) / (total_lines + total_conditions) * 100

We use branch coverage to calculate the metric if condition coverage is unavailable. If only line coverage is available, then line coverage would be identical to composite coverage. As with all other metrics, you can add a threshold. To view this for a repository, you can go to Metrics → Composite Coverage in the repository view. Please note that code coverage should be tracked on DeepSource for this metric to be visible.

Public Reports

You can now share reports externally using a public link and share them with people within or outside your team who might not have access to your DeepSource account but will find value in these reports. You can create these reports at the repository or team levels for all or selected repositories. You can also choose to password-protect a public report.

An illustrative screenshot of a deepsource public report

To create these reports at both repository or team-level view, you can go to the Reports tab → Public Reports → Create a report or click on the share button in any report in the reports tab.

New in Analyzers

  • PHP: We have fixed a false negative for PHP-A1002. The Analyzer can now detect checks where unsanitized external data is incorporated into an SQL query and used (passed to a vulnerable function or returned) without any escaping.

New in Enterprise Server

  • Breaking change: To help you optimize resource utilization within the Kubernetes cluster, we’ve added a new kube-janitor service to clean up old jobs in the atlas-jobs namespace. Since there would already be many analysis jobs piled up in the cluster, cleaning them up is essential before upgrading. Read more about upgrading in the docs.
  • Jira Integration: You can now create new issues on Jira Cloud directly from DeepSource. Read more about it in the docs.
  • Slack Integration: You can now connect your Slack workspace with DeepSource and receive updates on important events directly on the channel. Read more about it in the docs.
  • Bugfix: Some users running older versions of PostgreSQL reported that some database migrations were failing. We have resolved this now by adding backward compatibility for those versions.

Fixes and Improvements

  • API: The Repository object now includes the deepsource.toml config file as a JSON object. Read more about it in the docs.
  • To make the response for reporting artifacts for test coverage more verbose, we now display the repository name and commit SHA in the CLI.
  • Some analysis runs were not being correctly linked to the respective pull-request object in the Repository → History page. This has now been fixed.
  • The history page now shows the correct open pull-request count.
  • The aggregate value for coverage reports was not shown correctly for some users. This has been fixed.

Code Health Trend report

As you manage the health of your code base, it is crucial to actively clean up existing issues and prevent new issues from making it to your default branch. This new report makes it easy to understand how many net new code health issues are being introduced in your code base.

An illustrative screenshot of code health trend chart

Go to Reports → Code Health Trend in the repository view. You can also see the report across all active repositories from the team overview.

Issues Prevented report

We’ve added a new report to help you visualize the impact of having DeepSource as part of your software development workflow. The Issues Prevented report shows you the total number of code health issues you’ve prevented in pull requests, so they didn’t make it into your code base.

An illustrative screenshot of issues autofixed chart

This report is available for each repository as well as your entire team.

New in Analyzers

Fixes and improvements

  • API: The Repository object now includes the list of active Analyzers. Learn more in the docs.
  • A few users had reported that the DeepSource widget on Bitbucket pull requests is too prominent and noisy when the analysis isn’t active. We’ve made it muted and non-obtrusive.
  • We’ve fixed a rounding error leading to metric trends being shown as 0.0% on the analysis run’s page.
A screenshot showing a preview of slack message from DeepSource

Our much-awaited integration with Slack is finally here! You can now connect your Slack workspace with DeepSource and receive updates on important events directly in a channel. The list of notifications includes:

  1. New issues introduced or existing issues resolved in the default branch
  2. Autofix run updated
  3. Repository activation status changed

Head over to the Integrations tab in your organization’s settings to get started.

Autofix for C#

The DeepSource C## Analyzer now supports automated issue fixing with Autofix, starting with 20 issues in this release. We’ve built this ground up to be accurate and fast. Read more on the discussion forum.

Integration with GitLab Pipelines

DeepSource now integrates natively with GitLab Pipelines and Commit Statuses to provide a better experience when working with GitLab’s merge requests. Read more details on what’s changed on our blog.

New in Analyzers

Fixes and improvements

  • Owners of a team can now transfer ownership of their team to another Member or Administrator. If you are an Owner, find the “Transfer ownership” button under your name on the “Team members” page.
A illustrative screenshot showing onelogin and DeepSource integration

OneLogin support in DeepSource Enterprise Server

DeepSource Enterprise Server, the self-hosted version of DeepSource that you can run in your own cloud, now supports Single Sign-on (SSO) with OneLogin. An admin on OneLogin can now create a custom SAML connector for DeepSource Enterprise Server and enable SAML SSO. This will allow users to log in to DeepSource using OneLogin. For more details, please refer to the docs.

Improved GitHub pull request integration

Opening a DeepSource analysis run from a pull request on GitHub used to take two clicks. It now takes just one. Read more here.

New in Analyzers

New webhook events

Webhooks are an excellent way to build custom workflows and integrate DeepSource with other tools. We’ve added three new webhook events in this release:

  • repository_issue.resolved: Triggered whenever an issue is resolved in the default branch of the repository
  • autofix_run.started: Triggered when a new Autofix is created
  • autofix_run.updated: Triggered when the status of the corresponding PR of an Autofix is updated.

Learn more about these events in the docs.

Support for Go 1.18 in the DeepSource Go Analyzer

We now support projects using Go 1.18, the latest version of the Go programming language. The version is auto-detected from go.mod from each module’s root, and no change is required in .deepsource.toml.

New in Analyzers

Fixes and improvements

  • When joining a team using the invite link, the user will default to the member role (if seats are available)
  • On uninstalling the DeepSource app from GitHub or Bitbucket, the users will now get an email informing them that their account has been deleted successfully
  • Fixed the broken link to a user’s DeepSource dashboard in the Bitbucket sidebar
  • All webhook events are now sent with the Norris/DeepSource user agent. If you haven’t met Duck Norris yet, you really should!
  • The Autofix button will no longer appear incorrectly on the default branch’s run history page
  • Fixed image and content flashing in the carousel on the signup page
  • Cleaned up a bunch of errors on the front end so your user experience should be much smoother now
  • JavaScript: Fixed false positives for JS-0377 and JS-0378
  • JavaScript: Fixed incorrect Autofix for JS-0002
  • Go: Fixed bugs in Autofix for VET-0009 and GO-E1006
  • Go: Improved issue descriptions for GSC-G501, GSC-G102, and GO-S1029