Releases: apiaddicts/sonaropenapi-rules
1.4.1
[1.4.1] - 2026-06-04
Added
- Add OpenAPI language support without YAML and JSON conflicts.
Changed
- Bump plugin version to `1.4.1`.
- Update `sonaropenapi.version` to `1.2.1`.
- Reference `openapi-front-end` and `openapi-test-tools` dependencies via `${sonaropenapi.version}` property instead of hardcoded version.
Fixed
- OAR004 - ValidWso2ScopesRoles - Fixed false negative where `roles` defined as a YAML/JSON array were not validated element by element. Updated `AbstractPatternWso2ScopesCheck.visitScope()` to iterate array elements via `fieldNode.elements()` and validate each one individually. Added test fixtures for array roles in v2, v3, v31 and v32 formats.
- OAR014 - ResourceLevelWithinNonSuggestedRange - Removed upper bound threshold: rule now fires for all depths ≥ 4 (previously only fired for depths 4–5), aligning with Spectral behavior. Updated v2 test fixtures to mark depth-6 paths as noncompliant.
- OAR015 - ResourceLevelMaxAllowed - Updated depth calculation algorithm in `AbstractResourceLevelCheck.matchLevel(String path)` to count only literal segments, explicitly excluding path parameters (e.g. `{customerId}`) and `/me` segments — matching Spectral's algorithm exactly. Previously used a `pathParts − literalParamPairs` formula that produced different results for paths starting with parameters, consecutive parameters, or containing `/me`.
- OAR020 - ExpandParameterCheck - Fixed false negative where GET operations on non-`/examples` paths (e.g. `/pets`, `/orders`) without a `parameters` block were not reported. Changed default path strategy from include-only `/examples` to exclude-all (empty exclude list), so the rule now applies to all collection GET endpoints. Added `/me` path exclusion and health-check path exclusion (`status`, `health`, `ping`) in `visitNode`, aligning with Spectral's filter. Added `without-parameters` test cases for v2, v3, v31 and v32.
- OAR021 - ExcludeParameterCheck - Same fix as OAR020 applied for `$exclude` parameter. Changed default path strategy to exclude-all, added `/me` and health-check exclusions, added `without-parameters` test cases.
- OAR028 - FilterParameterCheck - Rewritten to extend `AbstractQueryParameterCheck`. Fires exactly once per GET operation when `$filter` query parameter is absent; does not fire if `$filter` is present alongside other parameters; resolves `$filter` referenced via `$ref` to components. Covers ALL collection GET endpoints except `/me` paths, terminal `/{id}` paths and health-check paths (`status`, `health`, `ping`).
- OAR037 - StringFormatCheck - Fixed false negative where string schemas without a `format` field were not reported. Updated `isInvalidString` to also fire when `format == null`.
- OAR038 - StandardCreateResponseCheck - POST 201 responses must have a schema whose properties are named `data` or `error`, each with at least one sub-property. Fires with a distinct message when the property name is invalid vs. when sub-properties are missing.
- OAR066 - SnakeCaseNamingConventionCheck - Fixed false positives on industry-standard property name prefixes. Skip properties whose names start with `@` or `x-`.
- OAR073 - RateLimitCheck - Extended default excluded paths from `/status, /health-check` to `/status, /health, /health-check, /ping, /liveness, /readiness` in `DEFAULT_PATHS`.
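The OAR004 false negative above, modelled as an added Python example (not the plugin's Java code): a check that only matches a scalar `roles` value is compared with one that validates an array element by element. The role pattern, the function names and the sample spec are assumptions constructed for illustration.

```python
import re

# Assumed role-name pattern; the plugin's configured pattern is not shown on the page.
ROLE_PATTERN = re.compile(r"[a-z][a-z0-9_]*")

def find_roles(node, path=""):
    """Yield (path, value) for every `roles` field found anywhere in the document."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}/{key}"
            if key == "roles":
                yield child, value
            else:
                yield from find_roles(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_roles(item, f"{path}/{i}")

def check_scalar_only(doc):
    """Model of the false negative: an array-valued `roles` is never matched."""
    return [(p, v) for p, v in find_roles(doc)
            if isinstance(v, str) and not ROLE_PATTERN.fullmatch(v)]

def check_each_element(doc):
    """Fixed behaviour: a scalar is one value, an array is checked element by element."""
    issues = []
    for path, value in find_roles(doc):
        if isinstance(value, list):
            items = [(f"{path}/{i}", v) for i, v in enumerate(value)]
        else:
            items = [(path, value)]
        for item_path, item in items:
            # A non-string element (number, null, nested map) can never match the pattern.
            if not isinstance(item, str) or not ROLE_PATTERN.fullmatch(item):
                issues.append((item_path, item))
    return issues

# Constructed sample: a parsed YAML/JSON spec fragment; the key layout is illustrative.
SPEC = {
    "x-wso2-security": {"apim": {"x-wso2-scopes": [
        {"name": "read", "key": "pets_read", "roles": "viewer"},
        {"name": "write", "key": "pets_write", "roles": "Admin User"},
        {"name": "delete", "key": "pets_delete", "roles": ["admin", "Super-Admin", 42]},
    ]}},
}

if __name__ == "__main__":
    print("scalar-only :", check_scalar_only(SPEC))
    print("element-wise:", check_each_element(SPEC))
```

Specs that passed OAR004 before 1.4.1 only because their `roles` were arrays will start reporting one issue per offending element after the upgrade.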
What's Changed
- Feature/125/openapi 3 2 by @mels-h in #105
- add oar048 documentation by @mels-h in #107
- Fix/118/yaml json conflicts by @mels-h in #106
- fix: cve alert with jackson-dataformat-yaml 2.18.6 by @mels-h in #109
- fix: cve alert with org-json 20231013 by @mels-h in #110
- fix: xxe alert with assertj-core 3.27.7 by @mels-h in #111
- fix: align OAR020, OAR021, OAR028, OAR051, OAR066 rules by @mels-h in #108
- Feature/175/lang openapi by @mels-h in #112
- Fix/168/oar004 014 015 by @mels-h in #113
- fix: oar017, oar020, oar021, oar037, oar038, oar066, oar073 rules by @mels-h in #114
- Fix/168/rule issues by @mels-h in #115
- Develop by @SebastianDT1 in #116
Full Changelog: 1.3.7...1.4.1
1.3.7
1.3.6
[1.3.6] - 2026-05-05
Fixed
- External `$ref` tests no longer require outbound internet access. Fixtures
are now served by a local HTTP server (`ExternalRefHttpServer`) on
`http://localhost:18089`, started in `BaseCheckTest`. Affected tests:
OAR031 (v2/v3), OAR094, OAR068, OAR086.
What's Changed
- fix: serve external $ref fixtures from a local HTTP server in tests by @rafael-goterris in #103
- Develop by @SebastianDT1 in #104
New Contributors
- @rafael-goterris made their first contribution in #103
Full Changelog: 1.3.5...1.3.6
1.3.5
[1.3.5] - 2026-04-08
Fixed
- OAR102 - SecondPartBasePathCheck Test
- OAR101 - FirstPartBasePathCheck Test
- OAR034 - StandardPagedResponseSchemaCheck Test
- OAR029 - StandardResponseSchemaCheck Test
- OAR083 - ForbiddenQueryParamsCheck Test
- OAR084 - ForbiddenFormatsInQueryCheck Test
- OAR043 - ParsingErrorCheck Test
- OAR028 - FilterParameterCheck Test
- OAR073 - RateLimitCheck Test
- OAR079 - PathParameter404Check Test
- AbstractSchemaCheck
- AbstractForbiddenQueryCheck
- AbstractPathResponseCheck
- VerbPathMatcher
What's Changed
- feat: add prerequisites section to README for OpenAPI plugin installa… by @mels-h in #101
- Fix/96/tests coverage by @mels-h in #100
- Develop by @mels-h in #102
Full Changelog: 1.3.4...1.3.5
1.3.4
Fixed
- OAR029 - StandardResponseSchemaCheck Test
- OAR080 - SecuritySchemasCheck Test
- OAR112 - RegexCheck Test
- OpenAPICustomPlugin Test
- OpenAPICustomProfileDefinition Test
- OpenAPICustomRuleRepository Test
- OpenAPICustomRulesDefinition Test
What's Changed
- fix: Jacoco config for sonar by @SebastianDT1 in #93
- Fix/94/tests coverage by @mels-h in #94
- fix: OAR112 test with validation scenarios by @mels-h in #95
- fix: Sonar workflow add sonar cloud url by @SebastianDT1 in #97
- fix: add sonar.organization, sonar.host.url and sonar.projectKey to p… by @SebastianDT1 in #98
- fix: Workflow issue with secrets by @SebastianDT1 in #99
- Develop by @mels-h in #96
New Contributors
- @SebastianDT1 made their first contribution in #93
Full Changelog: 1.3.3...1.3.4
1.3.3
What's Changed
Full Changelog: 1.3.2...1.3.3
1.3.2
[1.3.2] - 2026-03-05
Fixed
- OAR031 - Examples
What's Changed
- adding new version 1.3.1 by @mels-h in #83
- Develop by @mels-h in #84
- fix: resolve nested schema validation, ref handling and tests by @mels-h in #88
- adding new version 1.3.2 by @mels-h in #89
- Develop by @mels-h in #90
Full Changelog: v1.3.1...1.3.2
1.3.1
[1.3.1] - 2026-02-19
Changed
- Resolved all SonarCloud issues
What's Changed
- Fix/56/sonar issues by @mels-h in #66
- Develop by @mels-h in #67
- Fix/56/sonar issues by @mels-h in #68
- Develop by @mels-h in #69
- Fix/56/sonar issues by @mels-h in #70
- Develop by @mels-h in #71
- Fix/56/sonar issues by @mels-h in #72
- Fix/56/sonar issues by @mels-h in #73
- Develop by @mels-h in #74
- add sonar exclusions by @mels-h in #75
- Develop by @mels-h in #76
- sonar exclusions for duplicated code by @mels-h in #77
- Develop by @mels-h in #78
- configure sonar exclusions and sources by @mels-h in #79
- Develop by @mels-h in #80
- fix: oar089 error message by @mels-h in #81
- Develop by @mels-h in #82
Full Changelog: v1.3.0...v1.3.1
1.3.0
[1.3.0] - 2026-01-05
Changed
- OAR104 - ResourcesByPostVerbCheck
Fixed
- OAR019 - SelectParameterCheck
- OAR020 - ExpandParameterCheck
What's Changed
- Fix/57/oar019 path by @mels-h in #60
- fix prevent oar020 for paths ending with params and tests by @mels-h in #61
- feat: add search to default excluded path patterns in oar104 by @mels-h in #63
- adding new version 1.3.0 by @mels-h in #64
- Develop by @mels-h in #62
Full Changelog: v1.2.5...v1.3.0
1.2.5
What's Changed
Full Changelog: v1.2.4...v1.2.5