Checker | Guideline |
---|
BD-SECURITY-TDLOG | IDS03-J. Do not log unsanitized user input |
BD-SECURITY-TDSQL | IDS00-J. Prevent SQL injection |
BD.CO.ITMOD | DCL02-J. Do not modify the collection's elements during an enhanced for statement |
BD.CO.ITMOD | MSC06-J. Do not modify the underlying collection when an iteration is in progress |
BD.EXCEPT.NP | EXP01-J. Do not use a null in a case where an object is required |
BD.PB.ZERO | NUM02-J. Ensure that division and remainder operations do not result in divide-by-zero errors |
BD.RES.LEAKS | FIO04-J. Release resources when they are no longer needed |
BD.RES.LEAKS | MSC04-J. Do not leak memory |
BD.SECURITY.SENS | FIO13-J. Do not log sensitive information outside a trust boundary |
BD.SECURITY.TDRFL | SEC02-J. Do not base security checks on untrusted sources |
BD.SECURITY.TDXML | IDS16-J. Prevent XML Injection |
BD.TRS.LOCK | LCK08-J. Ensure actively held locks are released on exceptional conditions |
BD.TRS.TSHL | LCK09-J. Do not perform operations that can block while holding a lock |
CODSTA.BP.ARM | SEC05-J. Do not use reflection to increase accessibility of classes, methods, or fields |
CODSTA.BP.EXIT | ERR09-J. Do not allow untrusted code to terminate the JVM |
CODSTA.EPC.AGBPT | OBJ03-J. Prevent heap pollution |
CODSTA.OIM.OVERRIDE | MET09-J. Classes that define an equals() method must also define a hashCode() method |
CODSTD.BP.NTX | ERR07-J. Do not throw RuntimeException, Exception, or Throwable |
EJB.MNDF | MET12-J. Do not use finalizers |
EXCEPT.ENFC | OBJ11-J. Be wary of letting constructors throw exceptions |
EXCEPT.NCNPE | ERR08-J. Do not catch NullPointerException or any of its ancestors |
EXCEPT.NTERR | ERR07-J. Do not throw RuntimeException, Exception, or Throwable |
GC.FCF | MET12-J. Do not use finalizers |
GC.FM | MET12-J. Do not use finalizers |
GC.IFF | MET12-J. Do not use finalizers |
GC.NCF | MET12-J. Do not use finalizers |
GLOBAL.ACD | DCL00-J. Prevent class initialization cycles |
HIBERNATE.LHII | FIO13-J. Do not log sensitive information outside a trust boundary |
INTER.COS | STR00-J. Don't form strings containing partial characters from variable-width encodings |
INTER.{CCL,CTLC} | STR02-J. Specify an appropriate locale when comparing locale-dependent data |
OOP.AHSM | MET07-J. Never declare a class method that hides a method declared in a superclass or superinterface |
OOP.MUCOP | OBJ04-J. Provide mutable classes with copy functionality to safely allow passing instances to untrusted code |
OOP.MUCOP | OBJ05-J. Do not return references to private mutable class members |
OOP.MUCOP | OBJ06-J. Defensively copy mutable inputs and mutable internal components |
OOP.OPM | MET04-J. Do not increase the accessibility of overridden or hidden methods |
OPT.CCR | FIO04-J. Release resources when they are no longer needed |
OPT.CCR | FIO14-J. Perform proper cleanup at program termination |
OPT.CIO | FIO04-J. Release resources when they are no longer needed |
OPT.CIO | FIO14-J. Perform proper cleanup at program termination |
OPT.CRWD | FIO14-J. Perform proper cleanup at program termination |
PB-NUM-FPLI | NUM09-J. Do not use floating-point variables as loop counters |
PB-RE-NMCD | EXP01-J. Do not use a null in a case where an object is required |
PB.API.DPRAPI | MET02-J. Do not use deprecated or obsolete classes or methods |
PB.API.OF | MET12-J. Do not use finalizers |
PB.API.VAFS | IDS06-J. Exclude unsanitized user input from format strings |
PB.CUB.ARCF | ERR04-J. Do not complete abruptly from a finally block |
PB.CUB.ARCF | ERR05-J. Do not let checked exceptions escape from a finally block |
PB.CUB.ATSF | ERR04-J. Do not complete abruptly from a finally block |
PB.CUB.ATSF | ERR05-J. Do not let checked exceptions escape from a finally block |
PB.CUB.UEIC | EXP02-J. Do not use the Object.equals() method to compare two arrays |
PB.CUB.UEIC | EXP03-J. Do not use the equality operators when comparing values of boxed primitives |
PB.LOGIC.CRRV | FIO08-J. Distinguish between characters or bytes read from a stream and -1 |
PB.NUM.AIC | NUM13-J. Avoid loss of precision when converting primitive integers to floating-point |
PB.NUM.BBDCC | NUM10-J. Do not construct BigDecimal objects from floating-point literals |
PB.NUM.CLP | NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data |
PB.NUM.NAN | NUM07-J. Do not attempt comparisons with NaN |
PB.NUM.UBD | NUM04-J. Do not use floating-point numbers if precise computation is required |
PB.NUM.{ICO,BSA,CACO} | NUM00-J. Detect or prevent integer overflow |
PB.TYPO.EB | MSC01-J. Do not use an empty infinite loop |
PB.USC.NASSIG | EXP00-J. Do not ignore values returned by methods |
PORT.ENV | ENV02-J. Do not trust the values of environment variables |
PORT.EXEC | IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method |
PORT.EXEC | FIO07-J. Do not let external processes block on IO buffers |
SECURITY.BV.ACL | SEC03-J. Do not load trusted classes after allowing untrusted code to load arbitrary classes |
SECURITY.EAB.CMP | OBJ09-J. Compare classes and not class names |
SECURITY.EAB.CPCL | OBJ04-J. Provide mutable classes with copy functionality to safely allow passing instances to untrusted code |
SECURITY.EAB.CPCL | OBJ05-J. Do not return references to private mutable class members |
SECURITY.EAB.CPCL | OBJ06-J. Defensively copy mutable inputs and mutable internal components |
SECURITY.EAB.JVM | ERR09-J. Do not allow untrusted code to terminate the JVM |
SECURITY.EAB.MPT | OBJ04-J. Provide mutable classes with copy functionality to safely allow passing instances to untrusted code |
SECURITY.EAB.MPT | OBJ05-J. Do not return references to private mutable class members |
SECURITY.EAB.MPT | OBJ06-J. Defensively copy mutable inputs and mutable internal components |
SECURITY.EAB.SMO | OBJ04-J. Provide mutable classes with copy functionality to safely allow passing instances to untrusted code |
SECURITY.EAB.SMO | OBJ05-J. Do not return references to private mutable class members |
SECURITY.EAB.SMO | OBJ06-J. Defensively copy mutable inputs and mutable internal components |
SECURITY.EAB.SPFF | OBJ10-J. Do not use public static nonfinal fields |
SECURITY.ESD.ACW | ERR01-J. Do not allow exceptions to expose sensitive information |
SECURITY.ESD.CONSEN | FIO13-J. Do not log sensitive information outside a trust boundary |
SECURITY.ESD.PEO | FIO13-J. Do not log sensitive information outside a trust boundary |
SECURITY.ESD.SIF | SER03-J. Do not serialize unencrypted sensitive data |
SECURITY.IBA.ATF | FIO03-J. Remove temporary files before termination |
SECURITY.IBA.NATIW | JNI00-J. Define wrappers around native methods |
SECURITY.IBA.VPPD | IDS17-J. Prevent XML External Entity Attacks |
SECURITY.UEHL.LGE | ERR00-J. Do not suppress or ignore checked exceptions |
SECURITY.WSC.ACPST | ERR01-J. Do not allow exceptions to expose sensitive information |
SECURITY.WSC.AHCA | MSC03-J. Never hard code sensitive information |
SECURITY.WSC.CLONE | OBJ04-J. Provide mutable classes with copy functionality to safely allow passing instances to untrusted code |
SECURITY.WSC.HCCK | MSC03-J. Never hard code sensitive information |
SECURITY.WSC.HCCS | MSC03-J. Never hard code sensitive information |
SECURITY.WSC.MCNC | OBJ07-J. Sensitive classes must not let themselves be copied |
SECURITY.WSC.SCF | SEC04-J. Protect sensitive operations with security manager checks |
SECURITY.WSC.SCSER | SER04-J. Do not allow serialization and deserialization to bypass the security manager |
SECURITY.WSC.SRD | MSC02-J. Generate strong random numbers |
SECURITY.WSC.USC | MSC00-J. Use SSLSocket rather than Socket for secure data exchange |
SERIAL.IRX | SER11-J. Prevent overwriting of externalizable objects |
SERIAL.ROWO | SER01-J. Do not deviate from the proper signatures of serialization methods |
SERIAL.RRSC | SER07-J. Do not use the default serialized form for classes with implementation-defined invariants |
SERVLET.CETS | ERR01-J. Do not allow exceptions to expose sensitive information |
TRS.ANF | THI02-J. Notify all waiting threads rather than a single thread |
TRS.AUTG | THI01-J. Do not invoke ThreadGroup methods |
TRS.CSTART | TSM02-J. Do not use background threads during class initialization |
TRS.CTRE | TSM01-J. Do not let the this reference escape during object construction |
TRS.DCL | LCK10-J. Use a correct form of the double-checked locking idiom |
TRS.IASF | LCK05-J. Synchronize access to static fields that can be modified by untrusted code |
TRS.ILI | MSC07-J. Prevent multiple instantiations of singleton objects |
TRS.IRUN | THI00-J. Do not invoke Thread.run() |
TRS.LORD | VNA00-J. Ensure visibility when accessing shared primitive variables |
TRS.LORD | LCK07-J. Avoid deadlock by requesting and releasing locks in the same order |
TRS.MRAV | VNA00-J. Ensure visibility when accessing shared primitive variables |
TRS.MRAV | VNA02-J. Ensure that compound operations on shared variables are atomic |
TRS.MRAV | VNA03-J. Do not assume that a group of calls to independently atomic methods is atomic |
TRS.RLF | LCK08-J. Ensure actively held locks are released on exceptional conditions |
TRS.SCS | LCK01-J. Do not synchronize on objects that may be reused |
TRS.SOPF | LCK00-J. Use private final lock objects to synchronize classes that may interact with untrusted code |
TRS.SSUG | VNA02-J. Ensure that compound operations on shared variables are atomic |
TRS.SSUG | VNA03-J. Do not assume that a group of calls to independently atomic methods is atomic |
TRS.THRD | MET02-J. Do not use deprecated or obsolete classes or methods |
TRS.THRD | THI05-J. Do not use Thread.stop() to terminate threads |
TRS.TSHL | LCK09-J. Do not perform operations that can block while holding a lock |
TRS.UWIL | THI03-J. Always invoke wait() and await() methods inside a loop |
UC.EF | MET12-J. Do not use finalizers |
UC.FCSF | MET12-J. Do not use finalizers |
UC.UCATCH | ERR00-J. Do not suppress or ignore checked exceptions |