November 2019 (version 1.31.0)

1.31.0 Update

Hi!

Welcome to the new DeepScan updates!

Please kindly go ahead with the highlights for the latest release.

Release Summary

This version includes a number of updates that we hope you've found some of them helpful.
The key highlights are:

• New rules - 8 rules are coming for better coding!
• Analysis improvements - Enhanced analysis via the modeling of widely used Lodash APIs.
• Enterprise plan - The Enterprise plan now supports the GitHub Enterprise Server.
• Enhanced ESLint support - More ESLint plugins are supported.

New Rules

We have much enhanced our rules. Check out!

• BAD_COMPARISON_WITH_FLOAT - Do not compare the result of integer-returning built-in API with a float number
• BAD_EVENT_LISTENER_CALL - Pass a function itself as the handler when adding or removing an event listener
• BAD_ESCAPE_AT_REGEXP_CONSTRUCTOR - Do not escape the string literal improperly when constructing a regular expression
• FUTILE_STRING_REPLACE - Do not use the same search and replace strings in String.prototype.replace()
• MISPLACED_COMPARISON_AT_INDEX_OF - Do not use comparison expressions as indexOf() argument
• MISSING_AWAIT - Do not miss an await operator at async function call
• MISUSED_EXPORTS_VAR - Do not assign to exports improperly
• USELESS_LOCAL_VAR_DELETE - Check for a delete operator on local variables

Improved Rules

• Detect COMPARE_NAN alarm when comparing with Number.NaN
• Detect MISMATCHED_COUNT_OF_ARGS alarm at built-in APIs that take variable number of arguments, but too few arguments are given like Math.min() with 1 argument
• Detect NO_EFFECT_CALL alarm when the first argument of Object.assign() is an object literal
• Detect STRICT_MODE_INVALID_THIS alarm at the callback functions of built-in APIs such as Array.prototype.forEach()
• Detect USELESS_ARROW_FUNC_BIND alarm at the thisArg argument of built-in APIs such as Array.prototype.forEach()

Analysis Improvements

Lodash API Modeling

DeepScan now supports more precise analysis of programs using Lodash by modeling the semantics of commonly used APIs such as _.debounce().

• The API return value is analyzed. For example, the following REACT_MISSING_CLEANUP_IN_LIFECYCLE alarm is detected utilizing the _.debounce() return value:

  import React from 'react';
  import { debounce } from 'lodash';
  
  class PostPhoto extends React.Component {
    // ...
  
    setCardWidth = () => {
      if ( this.widthDivRef ) {
          const cardWidth = this.widthDivRef.getClientRects()[ 0 ].width;
          if ( cardWidth > 0 ) {
          this.setState( { cardWidth } );
          }
      }
    };
  
    componentDidMount() {
      // DeepScan now recognizes the wrapper function that `_.debounce()` returns and detects
      // REACT_MISSING_CLEANUP_IN_LIFECYCLE because the handler is not removed properly.
      // Note that 'window.addEventListener()' returns 'undefined', not the added listener.
      this.resizeListener = window.addEventListener( 'resize', debounce( this.setCardWidth, 50 ) );
      this.setCardWidth();
    }
  
    componentWillUnmount() {
      window.removeEventListener( 'resize', this.resizeListener );
    }
  }

• The Lodash APIs are mostly side-effect free and NO_EFFECT_CALL alarms are detected accordingly
• The Lodash APIs that always return new objects are recognized at BAD_REMOVE_EVENT_LISTENER and REACT_USELESS_DEPENDENCY_OF_HOOK rules

Enterprise Plan

Welcome the GitHub Enterprise!

From this version, our On-premise server has started to support the GitHub Enterprise Server 2.18+. If you want to use DeepScan with your own GitHub server, please check out this documentation for more details.

ESLint Integration

By the security concerns, our ESLint analysis only supports the pre-defined ESLint plugins. In this release, we added more plugins to support users having analysis problems.

• @react-native-community/eslint-config
• eslint-plugin-dependencies
• eslint-plugin-promise

For the full list of supported plugins, see the Using ESLint guide.

Miscellaneous

• Non-logged user also can share the public project by Share button on the dashboard
• DeepScan no longer supports old versions of Internet Explorer. We recommend using the latest Microsoft Edge, Google Chrome, of Firefox.
• Increase UNUSED_EXPR alarm impact for various cases:
  • Alarms occurring at the left operand of , operator: the , may be intended for something else
  • Alarms occurring at the brace body of an arrow function: return may be missing
  • The unused expression evaluates to a function: calling the function may be needed
  • The unused expression is a strict equality check: an assignment may be intended instead of comparison
• Filter-out UNUSED_EXPR alarms at JSON-like JavaScript files
• Filter-out UNUSED_EXPR alarms at top-level JSX expressions because they are often intended for TypeScript type testing

Bug Fixes

• The analysis is not retried when getting the commit information fails
• The invitation by both the username and email can be duplicate
• Analyzer may abnormally terminate when the argument array of React PropTypes.oneOf() is empty