|
Checker
|
Guideline
|
|---|
|
AVA.LIB.RAND.LEGACY.GEN
|
MSC02-J. Generate strong random numbers
|
|
FB.BAD_PRACTICE.FI_EMPTY
|
MET12-J. Do not use finalizers
|
|
FB.BAD_PRACTICE.FI_EXPLICIT_INVOCATION
|
MET12-J. Do not use finalizers
|
|
FB.BAD_PRACTICE.FI_FINALIZER_NULLS_FIELDS
|
MET12-J. Do not use finalizers
|
|
FB.BAD_PRACTICE.FI_FINALIZER_ONLY_NULLS_FIELDS
|
MET12-J. Do not use finalizers
|
|
FB.BAD_PRACTICE.FI_MISSING_SUPER_CALL
|
MET12-J. Do not use finalizers
|
|
FB.BAD_PRACTICE.FI_NULLIFY_SUPER
|
MET12-J. Do not use finalizers
|
|
FB.BAD_PRACTICE.FI_USELESS
|
MET12-J. Do not use finalizers
|
|
FB.MALICIOUS_CODE.EI_EXPOSE_REP
|
OBJ04-J. Provide mutable classes with copy functionality to safely allow passing instances to untrusted code
|
|
FB.MALICIOUS_CODE.EI_EXPOSE_REP2
|
OBJ04-J. Provide mutable classes with copy functionality to safely allow passing instances to untrusted code
|
|
FB.MALICIOUS_CODE.FI_PUBLIC_SHOULD_BE_PROTECTED
|
MET12-J. Do not use finalizers
|
|
FB.MALICIOUS_CODE.MS_SHOULD_BE_FINAL
|
OBJ10-J. Do not use public static nonfinal fields
|
|
FB.MALICIOUS_CODE.MS_SHOULD_BE_REFACTORED_TO_BE_FINAL
|
OBJ10-J. Do not use public static nonfinal fields
|
|
FB.MT_CORRECTNESS.IS2_INCONSISTENT_SYNC
|
VNA02-J. Ensure that compound operations on shared variables are atomic
|
|
FB.MT_CORRECTNESS.IS_FIELD_NOT_GUARDED
|
VNA02-J. Ensure that compound operations on shared variables are atomic
|
|
FB.MT_CORRECTNESS.STCAL_INVOKE_ON_STATIC_CALENDAR_INSTANCE
|
VNA02-J. Ensure that compound operations on shared variables are atomic
|
|
FB.MT_CORRECTNESS.STCAL_INVOKE_ON_STATIC_DATE_FORMAT_INSTANCE
|
VNA02-J. Ensure that compound operations on shared variables are atomic
|
|
FB.MT_CORRECTNESS.STCAL_STATIC_CALENDAR_INSTANCE
|
VNA02-J. Ensure that compound operations on shared variables are atomic
|
|
FB.MT_CORRECTNESS.STCAL_STATIC_SIMPLE_DATE_FORMAT_INSTANCE
|
VNA02-J. Ensure that compound operations on shared variables are atomic
|
|
JAVA.ALLOC.LEAK.NOTCLOSED
|
FIO04-J. Release resources when they are no longer needed
|
|
JAVA.ALLOC.LEAK.NOTSTORED
|
FIO04-J. Release resources when they are no longer needed
|
|
JAVA.ALLOC.LEAK.NOTSTORED
|
SER10-J. Avoid memory and resource leaks during serialization
|
|
JAVA.ALLOC.LEAK.NOTSTORED
|
MSC05-J. Do not exhaust heap space
|
|
JAVA.ARITH.FPEQUAL
|
NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data
|
|
JAVA.ARITH.OFLOW
|
NUM00-J. Detect or prevent integer overflow
|
|
JAVA.CAST.FTRUNC
|
NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data
|
|
JAVA.CAST.FTRUNC
|
NUM13-J. Avoid loss of precision when converting primitive integers to floating-point
|
|
JAVA.CLASS.ACCESS.BYPASS
|
SEC05-J. Do not use reflection to increase accessibility of classes, methods, or fields
|
|
JAVA.CLASS.ACCESS.MODIFY
|
SEC05-J. Do not use reflection to increase accessibility of classes, methods, or fields
|
|
JAVA.CLASS.CLONE.CNC
|
OBJ07-J. Sensitive classes must not let themselves be copied
|
|
JAVA.CLASS.CLONE.NF
|
OBJ07-J. Sensitive classes must not let themselves be copied
|
|
JAVA.CLASS.CLONE.SCNC
|
OBJ07-J. Sensitive classes must not let themselves be copied
|
|
JAVA.CLASS.ICSBS
|
OBJ08-J. Do not expose private members of an outer class from within a nested class
|
|
JAVA.CLASS.MCS
|
MET10-J. Follow the general contract when implementing the compareTo() method
|
|
JAVA.CLASS.SER.ND
|
SER01-J. Do not deviate from the proper signatures of serialization methods
|
|
JAVA.CLASS.SER.ND
|
SER03-J. Do not serialize unencrypted sensitive data
|
|
JAVA.CLASS.SER.ND
|
SER06-J. Make defensive copies of private mutable components during deserialization
|
|
JAVA.CLASS.SER.ND
|
SER07-J. Do not use the default serialized form for classes with implementation-defined invariants
|
|
JAVA.CLASS.SER.ND
|
SER12-J. Prevent deserialization of untrusted data
|
|
JAVA.CLASS.SER.UIDM
|
SER00-J. Enable serialization compatibility during class evolution
|
|
JAVA.CLASS.UI
|
SER10-J. Avoid memory and resource leaks during serialization
|
|
JAVA.CLASS.UI
|
MSC05-J. Do not exhaust heap space
|
|
JAVA.COMPARE.CTO.ASSYM
|
MET08-J. Preserve the equality contract when overriding the equals() method
|
|
JAVA.COMPARE.EMPTYSTR
|
EXP03-J. Do not use the equality operators when comparing values of boxed primitives
|
|
JAVA.COMPARE.EQ
|
EXP02-J. Do not use the Object.equals() method to compare two arrays
|
|
JAVA.COMPARE.EQ
|
EXP03-J. Do not use the equality operators when comparing values of boxed primitives
|
|
JAVA.COMPARE.EQARRAY
|
EXP02-J. Do not use the Object.equals() method to compare two arrays
|
|
JAVA.COMPARE.EQARRAY
|
EXP03-J. Do not use the equality operators when comparing values of boxed primitives
|
|
JAVA.CONCURRENCY.LOCK.DCL
|
LCK10-J. Use a correct form of the double-checked locking idiom
|
|
JAVA.CONCURRENCY.LOCK.ICS
|
VNA00-J. Ensure visibility when accessing shared primitive variables
|
|
JAVA.CONCURRENCY.LOCK.ISTR
|
LCK00-J. Use private final lock objects to synchronize classes that may interact with untrusted code
|
|
JAVA.CONCURRENCY.LOCK.SCTB
|
THI00-J. Do not invoke Thread.run()
|
|
JAVA.CONCURRENCY.LOCK.STATIC
|
VNA00-J. Ensure visibility when accessing shared primitive variables
|
|
JAVA.CONCURRENCY.STARVE.BLOCKING
|
LCK09-J. Do not perform operations that can block while holding a lock
|
|
JAVA.CONCURRENCY.SYNC.MSS
|
VNA00-J. Ensure visibility when accessing shared primitive variables
|
|
JAVA.CONCURRENCY.UG.FIELD
|
VNA00-J. Ensure visibility when accessing shared primitive variables
|
|
JAVA.CONCURRENCY.UG.METH
|
LCK05-J. Synchronize access to static fields that can be modified by untrusted code
|
|
JAVA.CONCURRENCY.UG.PARAM
|
VNA00-J. Ensure visibility when accessing shared primitive variables
|
|
JAVA.CONCURRENCY.VOLATILE
|
VNA00-J. Ensure visibility when accessing shared primitive variables
|
|
JAVA.CONCURRENCY.VOLATILE
|
VNA03-J. Do not assume that a group of calls to independently atomic methods is atomic
|
|
JAVA.CRYPTO.BASE64
|
MSC02-J. Generate strong random numbers
|
|
JAVA.CRYPTO.RA
|
MSC02-J. Generate strong random numbers
|
|
JAVA.CRYPTO.RCF
|
MSC02-J. Generate strong random numbers
|
|
JAVA.CRYPTO.RF
|
MSC02-J. Generate strong random numbers
|
|
JAVA.CRYPTO.WHAF
|
MSC02-J. Generate strong random numbers
|
|
JAVA.DEBUG.CALL
|
ERR09-J. Do not allow untrusted code to terminate the JVM
|
|
JAVA.DEBUG.LOG
|
ERR02-J. Prevent exceptions while logging data
|
|
JAVA.DEBUG.MEDF
|
ENV06-J. Production code must not contain debugging entry points
|
|
JAVA.DEEPNULL.DEREF
|
EXP01-J. Do not use a null in a case where an object is required
|
|
JAVA.DEEPNULL.EFIELD
|
EXP01-J. Do not use a null in a case where an object is required
|
|
JAVA.DEEPNULL.FIELD
|
EXP01-J. Do not use a null in a case where an object is required
|
|
JAVA.DEEPNULL.PARAM.ACTUAL
|
EXP01-J. Do not use a null in a case where an object is required
|
|
JAVA.DEEPNULL.PARAM.EACTUAL
|
EXP01-J. Do not use a null in a case where an object is required
|
|
JAVA.DEEPNULL.RET.EMETH
|
EXP01-J. Do not use a null in a case where an object is required
|
|
JAVA.DEEPNULL.RET.METH
|
EXP01-J. Do not use a null in a case where an object is required
|
|
JAVA.FUNCS.IRV
|
EXP00-J. Do not ignore values returned by methods
|
|
JAVA.FUNCS.IRV
|
FIO02-J. Detect and handle file-related errors
|
|
JAVA.HARDCODED.PASSWD
|
MSC03-J. Never hard code sensitive information
|
|
JAVA.HARDCODED.SEED
|
MSC02-J. Generate strong random numbers
|
|
JAVA.IDEF.CTOEQ
|
MET08-J. Preserve the equality contract when overriding the equals() method
|
|
JAVA.IDEF.CTONOEQ
|
MET08-J. Preserve the equality contract when overriding the equals() method
|
|
JAVA.IDEF.EQUALSNOHC
|
MET09-J. Classes that define an equals() method must also define a hashCode() method
|
|
JAVA.IDEF.HCNOEQUALS
|
MET09-J. Classes that define an equals() method must also define a hashCode() method
|
|
JAVA.IDEF.NOEQUALS
|
MET08-J. Preserve the equality contract when overriding the equals() method
|
|
JAVA.INSEC.LDAP.POISON
|
ENV01-J. Place all security-sensitive code in a single JAR and sign and seal it
|
|
JAVA.IO.INJ.ANDROID.MESSAGE
|
SER02-J. Sign then seal objects before sending them outside a trust boundary
|
|
JAVA.IO.INJ.ANDROID.MESSAGE
|
SEC06-J. Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar
|
|
JAVA.IO.INJ.CODE
|
IDS14-J. Do not trust the contents of hidden form fields
|
|
JAVA.IO.INJ.COMMAND
|
IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method
|
|
JAVA.IO.INJ.COMMAND
|
IDS14-J. Do not trust the contents of hidden form fields
|
|
JAVA.IO.INJ.DENIAL
|
IDS14-J. Do not trust the contents of hidden form fields
|
|
JAVA.IO.INJ.DLL
|
IDS14-J. Do not trust the contents of hidden form fields
|
|
JAVA.IO.INJ.SQL
|
IDS00-J. Prevent SQL injection
|
|
JAVA.IO.INJ.SQL
|
IDS14-J. Do not trust the contents of hidden form fields
|
|
JAVA.IO.INJ.XSS
|
IDS14-J. Do not trust the contents of hidden form fields
|
|
JAVA.IO.INJ.XSS.EMWP
|
IDS14-J. Do not trust the contents of hidden form fields
|
|
JAVA.IO.PERM
|
FIO01-J. Create files with appropriate access permissions
|
|
JAVA.IO.PERM
|
SEC01-J. Do not allow tainted variables in privileged blocks
|
|
JAVA.IO.PERM
|
ENV03-J. Do not grant dangerous combinations of permissions
|
|
JAVA.IO.PERM.ACCESS
|
FIO01-J. Create files with appropriate access permissions
|
|
JAVA.IO.PERM.ACCESS
|
SEC01-J. Do not allow tainted variables in privileged blocks
|
|
JAVA.IO.TAINT.ADDR
|
IDS14-J. Do not trust the contents of hidden form fields
|
|
JAVA.IO.TAINT.BUNDLE
|
IDS14-J. Do not trust the contents of hidden form fields
|
|
JAVA.IO.TAINT.CONTROL
|
IDS14-J. Do not trust the contents of hidden form fields
|
|
JAVA.IO.TAINT.DEVICE
|
IDS14-J. Do not trust the contents of hidden form fields
|
|
JAVA.IO.TAINT.EVAL
|
IDS14-J. Do not trust the contents of hidden form fields
|
|
JAVA.IO.TAINT.HTTP
|
IDS14-J. Do not trust the contents of hidden form fields
|
|
JAVA.IO.TAINT.LDAP.ATTR
|
IDS14-J. Do not trust the contents of hidden form fields
|
|
JAVA.IO.TAINT.LDAP.FILTER
|
IDS14-J. Do not trust the contents of hidden form fields
|
|
JAVA.IO.TAINT.LOG
|
IDS03-J. Do not log unsanitized user input
|
|
JAVA.IO.TAINT.LOG
|
IDS14-J. Do not trust the contents of hidden form fields
|
|
JAVA.IO.TAINT.MESSAGE
|
IDS14-J. Do not trust the contents of hidden form fields
|
|
JAVA.IO.TAINT.MESSAGE
|
SER02-J. Sign then seal objects before sending them outside a trust boundary
|
|
JAVA.IO.TAINT.MESSAGE
|
SEC06-J. Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar
|
|
JAVA.IO.TAINT.PATH
|
IDS14-J. Do not trust the contents of hidden form fields
|
|
JAVA.IO.TAINT.REFLECTION
|
IDS14-J. Do not trust the contents of hidden form fields
|
|
JAVA.IO.TAINT.REGEX
|
IDS08-J. Sanitize untrusted data included in a regular expression
|
|
JAVA.IO.TAINT.REGEX
|
IDS14-J. Do not trust the contents of hidden form fields
|
|
JAVA.IO.TAINT.RESOURCE
|
IDS14-J. Do not trust the contents of hidden form fields
|
|
JAVA.IO.TAINT.SESSION
|
IDS14-J. Do not trust the contents of hidden form fields
|
|
JAVA.IO.TAINT.TRUSTED
|
IDS14-J. Do not trust the contents of hidden form fields
|
|
JAVA.IO.TAINT.URL
|
IDS14-J. Do not trust the contents of hidden form fields
|
|
JAVA.IO.TAINT.XAML
|
IDS14-J. Do not trust the contents of hidden form fields
|
|
JAVA.IO.TAINT.XML
|
IDS14-J. Do not trust the contents of hidden form fields
|
|
JAVA.IO.TAINT.XPATH
|
IDS14-J. Do not trust the contents of hidden form fields
|
|
JAVA.LIB.RAND.FUNC
|
MSC02-J. Generate strong random numbers
|
|
JAVA.MATH.ABSRAND
|
NUM00-J. Detect or prevent integer overflow
|
|
JAVA.MATH.APPROX.E
|
NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data
|
|
JAVA.MATH.APPROX.PI
|
NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data
|
|
JAVA.MISC.SD.EXT
|
MSC03-J. Never hard code sensitive information
|
|
JAVA.NULL.DEREF
|
EXP01-J. Do not use a null in a case where an object is required
|
|
JAVA.NULL.PARAM.ACTUAL
|
EXP01-J. Do not use a null in a case where an object is required
|
|
JAVA.NULL.RET.ARRAY
|
EXP01-J. Do not use a null in a case where an object is required
|
|
JAVA.NULL.RET.BOOL
|
EXP01-J. Do not use a null in a case where an object is required
|
|
JAVA.NULL.RET.OPT
|
EXP01-J. Do not use a null in a case where an object is required
|
|
JAVA.NULL.RET.UNCHECKED
|
EXP00-J. Do not ignore values returned by methods
|
|
JAVA.NULL.RET.UNCHECKED
|
FIO09-J. Do not rely on the write() method to output integers outside the range 0 to 255
|
|
JAVA.STRUCT.DUPD
|
EXP01-J. Do not use a null in a case where an object is required
|
|
JAVA.STRUCT.EXCP.BROAD
|
ERR07-J. Do not throw RuntimeException, Exception, or Throwable
|
|
JAVA.STRUCT.EXCP.EEH
|
ERR00-J. Do not suppress or ignore checked exceptions
|
|
JAVA.STRUCT.EXCP.GEH
|
ERR08-J. Do not catch NullPointerException or any of its ancestors
|
|
JAVA.STRUCT.EXCP.INAPP
|
ERR08-J. Do not catch NullPointerException or any of its ancestors
|
|
JAVA.STRUCT.SE.ASSERT
|
EXP06-J. Expressions used in assertions must not produce side effects
|
|
JAVA.STRUCT.UA
|
DCL00-J. Prevent class initialization cycles
|
|
JAVA.STRUCT.UA.DEFAULT
|
DCL00-J. Prevent class initialization cycles
|
|
JAVA.STRUCT.UPD
|
EXP01-J. Do not use a null in a case where an object is required
|
|
JAVA.STRUCT.UPED
|
EXP01-J. Do not use a null in a case where an object is required
|
