November 2019 (version 1.31.0)
1.31.0 Update
Hi!
Welcome to the new DeepScan updates!
Read on for the highlights of the latest release.
Release Summary
This version includes a number of updates that we hope you will find helpful.
The key highlights are:
- New rules - 8 rules are coming for better coding!
- Analysis improvements - Enhanced analysis via the modeling of widely used Lodash APIs.
- Enhanced ESLint support - More ESLint plugins are supported.
New Rules
We have greatly enhanced our rules. Check them out!
- BAD_COMPARISON_WITH_FLOAT - Do not compare the result of integer-returning built-in API with a float number
- BAD_EVENT_LISTENER_CALL - Pass a function itself as the handler when adding or removing an event listener
- BAD_ESCAPE_AT_REGEXP_CONSTRUCTOR - Do not escape the string literal improperly when constructing a regular expression
- FUTILE_STRING_REPLACE - Do not use the same search and replace strings in `String.prototype.replace()`
- MISPLACED_COMPARISON_AT_INDEX_OF - Do not use comparison expressions as `indexOf()` argument
- MISSING_AWAIT - Do not miss an `await` operator at async function call
- MISUSED_EXPORTS_VAR - Do not assign to `exports` improperly
- USELESS_LOCAL_VAR_DELETE - Check for a `delete` operator on local variables
Improved Rules
- Detect COMPARE_NAN alarm when comparing with `Number.NaN`
- Detect MISMATCHED_COUNT_OF_ARGS alarm at built-in APIs that take variable number of arguments, but too few arguments are given like `Math.min()` with 1 argument
- Detect NO_EFFECT_CALL alarm when the first argument of `Object.assign()` is an object literal
- Detect STRICT_MODE_INVALID_THIS alarm at the callback functions of built-in APIs such as `Array.prototype.forEach()`
- Detect USELESS_ARROW_FUNC_BIND alarm at the `thisArg` argument of built-in APIs such as `Array.prototype.forEach()`
Analysis Improvements
Lodash API Modeling
DeepScan now supports more precise analysis of programs using Lodash by modeling the semantics of commonly used APIs such as `_.debounce()`.
- The API return value is analyzed. For example, the following REACT_MISSING_CLEANUP_IN_LIFECYCLE alarm is detected utilizing the `_.debounce()` return value:

```javascript
import React from 'react';
import { debounce } from 'lodash';

class PostPhoto extends React.Component {
    // ...
    setCardWidth = () => {
        if ( this.widthDivRef ) {
            const cardWidth = this.widthDivRef.getClientRects()[ 0 ].width;
            if ( cardWidth > 0 ) {
                this.setState( { cardWidth } );
            }
        }
    };

    componentDidMount() {
        // DeepScan now recognizes the wrapper function that `_.debounce()` returns and detects
        // REACT_MISSING_CLEANUP_IN_LIFECYCLE because the handler is not removed properly.
        // Note that 'window.addEventListener()' returns 'undefined', not the added listener.
        this.resizeListener = window.addEventListener( 'resize', debounce( this.setCardWidth, 50 ) );
        this.setCardWidth();
    }

    componentWillUnmount() {
        window.removeEventListener( 'resize', this.resizeListener );
    }
}
```

- The Lodash APIs are mostly side-effect free and NO_EFFECT_CALL alarms are detected accordingly
- The Lodash APIs that always return new objects are recognized at BAD_REMOVE_EVENT_LISTENER and REACT_USELESS_DEPENDENCY_OF_HOOK rules
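
The two listener-cleanup mistakes these Lodash-aware rules catch, next to a corrected form, as an added example that is not from the original release notes or DeepScan's own code. The `wrap` helper is a hypothetical stand-in for `_.debounce()` that reproduces only its "returns a new function on every call" behaviour, and Node's built-in `EventTarget` stands in for `window`.

```javascript
// Hypothetical stand-in for _.debounce(): like the real API it returns a NEW
// wrapper function on every call. Timing and .cancel() are omitted.
function wrap(fn) {
  return (...args) => fn(...args);
}

// Three mount/unmount strategies; each returns its cleanup function.
const strategies = {
  // Pattern from the release note: addEventListener() returns undefined,
  // so removeEventListener() receives undefined and removes nothing.
  storeReturnValue(target, handler) {
    const saved = target.addEventListener('resize', wrap(handler));
    return () => target.removeEventListener('resize', saved);
  },
  // Wrapping again at removal creates a different function object,
  // which never matches the registered listener.
  wrapAgainOnRemove(target, handler) {
    target.addEventListener('resize', wrap(handler));
    return () => target.removeEventListener('resize', wrap(handler));
  },
  // Corrected: keep a reference to the wrapper itself and remove that.
  storeWrapper(target, handler) {
    const listener = wrap(handler);
    target.addEventListener('resize', listener);
    return () => target.removeEventListener('resize', listener);
  },
};

// Fires one event before cleanup and one after it, and returns how many times
// the handler ran: 1 means cleanup worked, 2 means the listener leaked.
function callsAcrossCleanup(strategyName) {
  const target = new EventTarget(); // constructed stand-in for `window`
  let calls = 0;
  const cleanup = strategies[strategyName](target, () => { calls += 1; });
  target.dispatchEvent(new Event('resize'));
  cleanup();
  target.dispatchEvent(new Event('resize'));
  return calls;
}

for (const name of Object.keys(strategies)) {
  console.log(name, callsAcrossCleanup(name));
}
```

With the real `_.debounce()`, the cleanup should also call the wrapper's `cancel()` method so that a pending delayed call does not run after unmount.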
ESLint Integration
For security reasons, our ESLint analysis supports only pre-defined ESLint plugins. In this release, we added more plugins to help users who were having analysis problems.
For the full list of supported plugins, see the Using ESLint guide.
Miscellaneous
- Users who are not logged in can also share a public project using the Share button on the dashboard
- DeepScan no longer supports old versions of Internet Explorer. We recommend using the latest Microsoft Edge, Google Chrome, or Firefox.
- Increase UNUSED_EXPR alarm impact for various cases:
  - Alarms occurring at the left operand of the `,` operator: the `,` may be intended for something else
  - Alarms occurring at the brace body of an arrow function: `return` may be missing
  - The unused expression evaluates to a function: calling the function may be needed
  - The unused expression is a strict equality check: an assignment may be intended instead of comparison
- Filter out UNUSED_EXPR alarms at JSON-like JavaScript files
- Filter out UNUSED_EXPR alarms at top-level JSX expressions because they are often intended for TypeScript type testing
Bug Fixes
- The analysis is not retried when getting the commit information fails
- An invitation sent by both username and email can be duplicated
- Analyzer may abnormally terminate when the argument array of React `PropTypes.oneOf()` is empty