Update release notes, refs #1042 - new rule

2018-04-23 21:01:11 +02:00
parent d7ac0b8186
commit 1f662e81f7
3 changed files with 38 additions and 17 deletions
--- a/docs/pages/release_notes.md
+++ b/docs/pages/release_notes.md
@@ -15,6 +15,7 @@ This is a minor release.
 * [New and noteworthy](#new-and-noteworthy)
    *   [Tree transversal revision](#tree-transversal-revision)
    *   [Naming rules enhancements](#naming-rules-enhancements)
+    *   [New Rules](#new-rules)
    *   [Modified Rules](#modified-rules)
 * [Fixed Issues](#fixed-issues)
 * [API Changes](#api-changes)
@@ -44,10 +45,17 @@ we have measured up to 10% improvements during Type Resolution, Symbol Table ana
     using a regex property. See the rule's documentation for more info about
     configuration and default conventions.

+#### New Rules
+
+*   The new Java rule [`InsecureCryptoIv`](pmd_rules_java_security.html#insecurecryptoiv) (`java-security`)
+    detects hard coded initialization vectors used in cryptographic operations. It is recommended to use
+    a randomly generated IV.
+
 #### Modified Rules

-*   The Java rule `UnnecessaryConstructor` (`java-codestyle`) has been rewritten as a Java rule (previously it was
-    a XPath-based rule). It supports a new property `ignoredAnnotations` and ignores by default empty constructors,
+*   The Java rule [`UnnecessaryConstructor`](pmd_rules_java_codestyle.html#unnecessaryconstructor) (`java-codestyle`)
+    has been rewritten as a Java rule (previously it was a XPath-based rule). It supports a new property
+    `ignoredAnnotations` and ignores by default empty constructors,
    that are annotated with `javax.inject.Inject`. Additionally, it detects now also unnecessary private constructors
    in enums.

@@ -87,5 +95,6 @@ we have measured up to 10% improvements during Type Resolution, Symbol Table ana
 *   [#1008](https://github.com/pmd/pmd/pull/1008): \[core] DOC: fix closing tag for &lt;pmdVersion> - [stonio](https://github.com/stonio)
 *   [#1010](https://github.com/pmd/pmd/pull/1010): \[java] UnnecessaryConstructor triggered on required empty constructor (Dagger @Inject) - [BBG](https://github.com/djydewang)
 *   [#1012](https://github.com/pmd/pmd/pull/1012): \[java] JUnitAssertionsShouldIncludeMessage - False positive with assertEquals and JUnit5 - [BBG](https://github.com/djydewang)
-*   [#1024](https://github.com/pmd/pmd/pull/1024): \[java]Issue 558: Properlogger for enums - [Utku Cuhadaroglu](https://github.com/utkuc)
+*   [#1024](https://github.com/pmd/pmd/pull/1024): \[java] Issue 558: Properlogger for enums - [Utku Cuhadaroglu](https://github.com/utkuc)
+*   [#1042](https://github.com/pmd/pmd/pull/1042): \[java] New security rule: report usage of hard coded IV in crypto operations - [Sergey Gorbaty](https://github.com/sgorbaty)

--- a/pmd-core/src/main/resources/rulesets/releases/630.xml
+++ b/pmd-core/src/main/resources/rulesets/releases/630.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0"?>
+
+<ruleset name="630"
+    xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 http://pmd.sourceforge.net/ruleset_2_0_0.xsd">
+  <description>
+This ruleset contains links to rules that are new in PMD v6.3.0
+  </description>
+
+    <rule ref="category/java/security.xml/InsecureCryptoIv"/>
+</ruleset>
+
--- a/pmd-java/src/main/resources/category/java/security.xml
+++ b/pmd-java/src/main/resources/category/java/security.xml
@@ -1,23 +1,23 @@
 <?xml version="1.0"?>

-<ruleset name="Security"
-	xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 http://pmd.sourceforge.net/ruleset_2_0_0.xsd">
+<ruleset name="Security" xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 http://pmd.sourceforge.net/ruleset_2_0_0.xsd">

-	<description>
+    <description>
 Rules that flag potential security flaws.
    </description>

-	<rule name="InsecureCryptoIv" since="6.3.0"
-		message="Do not use hard coded initialization vector in crypto operations"
-		class="net.sourceforge.pmd.lang.java.rule.security.InsecureCryptoIvRule"
-		externalInfoUrl="${pmd.website.baseurl}/pmd_rules_java_security.html#insecurecryptoiv">
-		<description>
+    <rule name="InsecureCryptoIv"
+          since="6.3.0"
+          message="Do not use hard coded initialization vector in crypto operations"
+          class="net.sourceforge.pmd.lang.java.rule.security.InsecureCryptoIvRule"
+          externalInfoUrl="${pmd.website.baseurl}/pmd_rules_java_security.html#insecurecryptoiv">
+        <description>
 Do not use hard coded initialization vector in cryptographic operations. Please use a randomly generated IV.
        </description>
-		<priority>3</priority>
-		<example>
+        <priority>3</priority>
+        <example>
 <![CDATA[
 public class Foo {
    void good() {
@@ -37,7 +37,6 @@ public class Foo {
 }
 ]]>
        </example>
-	</rule>
-
+    </rule>

 </ruleset>