...

| Checker | Guideline |
|---|---|
| AVA.LIB.RAND.LEGACY.GEN | MSC02-J. Generate strong random numbers |
| FB.BAD_PRACTICE.FI_EMPTY | MET12-J. Do not use finalizers |
| FB.BAD_PRACTICE.FI_EXPLICIT_INVOCATION | MET12-J. Do not use finalizers |
| FB.BAD_PRACTICE.FI_FINALIZER_NULLS_FIELDS | MET12-J. Do not use finalizers |
| FB.BAD_PRACTICE.FI_FINALIZER_ONLY_NULLS_FIELDS | MET12-J. Do not use finalizers |
| FB.BAD_PRACTICE.FI_MISSING_SUPER_CALL | MET12-J. Do not use finalizers |
| FB.BAD_PRACTICE.FI_NULLIFY_SUPER | MET12-J. Do not use finalizers |
| FB.BAD_PRACTICE.FI_USELESS | MET12-J. Do not use finalizers |
| FB.MALICIOUS_CODE.EI_EXPOSE_REP | OBJ04-J. Provide mutable classes with copy functionality to safely allow passing instances to untrusted code |
| FB.MALICIOUS_CODE.EI_EXPOSE_REP2 | OBJ04-J. Provide mutable classes with copy functionality to safely allow passing instances to untrusted code |
| FB.MALICIOUS_CODE.FI_PUBLIC_SHOULD_BE_PROTECTED | MET12-J. Do not use finalizers |
| FB.MALICIOUS_CODE.MS_SHOULD_BE_FINAL | OBJ10-J. Do not use public static nonfinal fields |
| FB.MALICIOUS_CODE.MS_SHOULD_BE_REFACTORED_TO_BE_FINAL | OBJ10-J. Do not use public static nonfinal fields |
| FB.MT_CORRECTNESS.IS2_INCONSISTENT_SYNC | VNA02-J. Ensure that compound operations on shared variables are atomic |
| FB.MT_CORRECTNESS.IS_FIELD_NOT_GUARDED | VNA02-J. Ensure that compound operations on shared variables are atomic |
| FB.MT_CORRECTNESS.STCAL_INVOKE_ON_STATIC_CALENDAR_INSTANCE | VNA02-J. Ensure that compound operations on shared variables are atomic |
| FB.MT_CORRECTNESS.STCAL_INVOKE_ON_STATIC_DATE_FORMAT_INSTANCE | VNA02-J. Ensure that compound operations on shared variables are atomic |
| FB.MT_CORRECTNESS.STCAL_STATIC_CALENDAR_INSTANCE | VNA02-J. Ensure that compound operations on shared variables are atomic |
| FB.MT_CORRECTNESS.STCAL_STATIC_SIMPLE_DATE_FORMAT_INSTANCE | VNA02-J. Ensure that compound operations on shared variables are atomic |
| JAVA.ALLOC.LEAK.NOTCLOSED | FIO04-J. Release resources when they are no longer needed |
| JAVA.ALLOC.LEAK.NOTSTORED | FIO04-J. Release resources when they are no longer needed |
| JAVA.ALLOC.LEAK.NOTSTORED | SER10-J. Avoid memory and resource leaks during serialization |
| JAVA.ALLOC.LEAK.NOTSTORED | MSC05-J. Do not exhaust heap space |
| JAVA.ARITH.FPEQUAL | NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data |
| JAVA.ARITH.OFLOW | NUM00-J. Detect or prevent integer overflow |
| JAVA.CAST.FTRUNC | NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data |
| JAVA.CAST.FTRUNC | NUM13-J. Avoid loss of precision when converting primitive integers to floating-point |
| JAVA.CLASS.ACCESS.BYPASS | SEC05-J. Do not use reflection to increase accessibility of classes, methods, or fields |
| JAVA.CLASS.ACCESS.MODIFY | SEC05-J. Do not use reflection to increase accessibility of classes, methods, or fields |
| JAVA.CLASS.CLONE.CNC | OBJ07-J. Sensitive classes must not let themselves be copied |
| JAVA.CLASS.CLONE.NF | OBJ07-J. Sensitive classes must not let themselves be copied |
| JAVA.CLASS.CLONE.SCNC | OBJ07-J. Sensitive classes must not let themselves be copied |
| JAVA.CLASS.ICSBS | OBJ08-J. Do not expose private members of an outer class from within a nested class |
| JAVA.CLASS.MCS | MET10-J. Follow the general contract when implementing the compareTo() method |
| JAVA.CLASS.SER.ND | SER01-J. Do not deviate from the proper signatures of serialization methods |
| JAVA.CLASS.SER.ND | SER03-J. Do not serialize unencrypted sensitive data |
| JAVA.CLASS.SER.ND | SER06-J. Make defensive copies of private mutable components during deserialization |
| JAVA.CLASS.SER.ND | SER07-J. Do not use the default serialized form for classes with implementation-defined invariants |
| JAVA.CLASS.SER.ND | SER12-J. Prevent deserialization of untrusted data |
| JAVA.CLASS.SER.UIDM | SER00-J. Enable serialization compatibility during class evolution |
| JAVA.CLASS.UI | SER10-J. Avoid memory and resource leaks during serialization |
| JAVA.CLASS.UI | MSC05-J. Do not exhaust heap space |
| JAVA.COMPARE.CTO.ASSYM | MET08-J. Preserve the equality contract when overriding the equals() method |
| JAVA.COMPARE.EMPTYSTR | EXP03-J. Do not use the equality operators when comparing values of boxed primitives |
| JAVA.COMPARE.EQ | EXP02-J. Do not use the Object.equals() method to compare two arrays |
| JAVA.COMPARE.EQ | EXP03-J. Do not use the equality operators when comparing values of boxed primitives |
| JAVA.COMPARE.EQARRAY | EXP02-J. Do not use the Object.equals() method to compare two arrays |
| JAVA.COMPARE.EQARRAY | EXP03-J. Do not use the equality operators when comparing values of boxed primitives |
| JAVA.CONCURRENCY.LOCK.DCL | LCK10-J. Use a correct form of the double-checked locking idiom |
| JAVA.CONCURRENCY.LOCK.ICS | VNA00-J. Ensure visibility when accessing shared primitive variables |
| JAVA.CONCURRENCY.LOCK.ISTR | LCK00-J. Use private final lock objects to synchronize classes that may interact with untrusted code |
| JAVA.CONCURRENCY.LOCK.SCTB | THI00-J. Do not invoke Thread.run() |
| JAVA.CONCURRENCY.LOCK.STATIC | VNA00-J. Ensure visibility when accessing shared primitive variables |
| JAVA.CONCURRENCY.STARVE.BLOCKING | LCK09-J. Do not perform operations that can block while holding a lock |
| JAVA.CONCURRENCY.SYNC.MSS | VNA00-J. Ensure visibility when accessing shared primitive variables |
| JAVA.CONCURRENCY.UG.FIELD | VNA00-J. Ensure visibility when accessing shared primitive variables |
| JAVA.CONCURRENCY.UG.METH | LCK05-J. Synchronize access to static fields that can be modified by untrusted code |
| JAVA.CONCURRENCY.UG.PARAM | VNA00-J. Ensure visibility when accessing shared primitive variables |
| JAVA.CONCURRENCY.VOLATILE | VNA00-J. Ensure visibility when accessing shared primitive variables |
| JAVA.CONCURRENCY.VOLATILE | VNA03-J. Do not assume that a group of calls to independently atomic methods is atomic |
| JAVA.CRYPTO.BASE64 | MSC02-J. Generate strong random numbers |
| JAVA.CRYPTO.RA | MSC02-J. Generate strong random numbers |
| JAVA.CRYPTO.RCF | MSC02-J. Generate strong random numbers |
| JAVA.CRYPTO.RF | MSC02-J. Generate strong random numbers |
| JAVA.CRYPTO.WHAF | MSC02-J. Generate strong random numbers |
| JAVA.DEBUG.CALL | ERR09-J. Do not allow untrusted code to terminate the JVM |
| JAVA.DEBUG.LOG | ERR02-J. Prevent exceptions while logging data |
| JAVA.DEBUG.MEDF | ENV06-J. Production code must not contain debugging entry points |
| JAVA.DEEPNULL.DEREF | EXP01-J. Do not use a null in a case where an object is required |
| JAVA.DEEPNULL.EFIELD | EXP01-J. Do not use a null in a case where an object is required |
| JAVA.DEEPNULL.FIELD | EXP01-J. Do not use a null in a case where an object is required |
| JAVA.DEEPNULL.PARAM.ACTUAL | EXP01-J. Do not use a null in a case where an object is required |
| JAVA.DEEPNULL.PARAM.EACTUAL | EXP01-J. Do not use a null in a case where an object is required |
| JAVA.DEEPNULL.RET.EMETH | EXP01-J. Do not use a null in a case where an object is required |
| JAVA.DEEPNULL.RET.METH | EXP01-J. Do not use a null in a case where an object is required |
| JAVA.FUNCS.IRV | EXP00-J. Do not ignore values returned by methods |
| JAVA.FUNCS.IRV | FIO02-J. Detect and handle file-related errors |
| JAVA.HARDCODED.PASSWD | MSC03-J. Never hard code sensitive information |
| JAVA.HARDCODED.SEED | MSC02-J. Generate strong random numbers |
| JAVA.IDEF.CTOEQ | MET08-J. Preserve the equality contract when overriding the equals() method |
| JAVA.IDEF.CTONOEQ | MET08-J. Preserve the equality contract when overriding the equals() method |
| JAVA.IDEF.EQUALSNOHC | MET09-J. Classes that define an equals() method must also define a hashCode() method |
| JAVA.IDEF.HCNOEQUALS | MET09-J. Classes that define an equals() method must also define a hashCode() method |
| JAVA.IDEF.NOEQUALS | MET08-J. Preserve the equality contract when overriding the equals() method |
| JAVA.INSEC.LDAP.POISON | ENV01-J. Place all security-sensitive code in a single JAR and sign and seal it |
| JAVA.IO.INJ.ANDROID.MESSAGE | SER02-J. Sign then seal objects before sending them outside a trust boundary |
| JAVA.IO.INJ.ANDROID.MESSAGE | SEC06-J. Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar |
| JAVA.IO.INJ.CODE | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.INJ.COMMAND | IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method |
| JAVA.IO.INJ.COMMAND | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.INJ.DENIAL | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.INJ.DLL | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.INJ.SQL | IDS00-J. Prevent SQL injection |
| JAVA.IO.INJ.SQL | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.INJ.XSS | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.INJ.XSS.EMWP | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.PERM | FIO01-J. Create files with appropriate access permissions |
| JAVA.IO.PERM | SEC01-J. Do not allow tainted variables in privileged blocks |
| JAVA.IO.PERM | ENV03-J. Do not grant dangerous combinations of permissions |
| JAVA.IO.PERM.ACCESS | FIO01-J. Create files with appropriate access permissions |
| JAVA.IO.PERM.ACCESS | SEC01-J. Do not allow tainted variables in privileged blocks |
| JAVA.IO.TAINT.ADDR | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.BUNDLE | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.CONTROL | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.DEVICE | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.EVAL | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.HTTP | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.LDAP.ATTR | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.LDAP.FILTER | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.LOG | IDS03-J. Do not log unsanitized user input |
| JAVA.IO.TAINT.LOG | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.MESSAGE | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.MESSAGE | SER02-J. Sign then seal objects before sending them outside a trust boundary |
| JAVA.IO.TAINT.MESSAGE | SEC06-J. Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar |
| JAVA.IO.TAINT.PATH | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.REFLECTION | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.REGEX | IDS08-J. Sanitize untrusted data included in a regular expression |
| JAVA.IO.TAINT.REGEX | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.RESOURCE | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.SESSION | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.TRUSTED | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.URL | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.XAML | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.XML | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.XPATH | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.LIB.RAND.FUNC | MSC02-J. Generate strong random numbers |
| JAVA.MATH.ABSRAND | NUM00-J. Detect or prevent integer overflow |
| JAVA.MATH.APPROX.E | NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data |
| JAVA.MATH.APPROX.PI | NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data |
| JAVA.MISC.SD.EXT | MSC03-J. Never hard code sensitive information |
| JAVA.NULL.DEREF | EXP01-J. Do not use a null in a case where an object is required |
| JAVA.NULL.PARAM.ACTUAL | EXP01-J. Do not use a null in a case where an object is required |
| JAVA.NULL.RET.ARRAY | EXP01-J. Do not use a null in a case where an object is required |
| JAVA.NULL.RET.BOOL | EXP01-J. Do not use a null in a case where an object is required |
| JAVA.NULL.RET.OPT | EXP01-J. Do not use a null in a case where an object is required |
| JAVA.NULL.RET.UNCHECKED | EXP00-J. Do not ignore values returned by methods |
| JAVA.NULL.RET.UNCHECKED | FIO09-J. Do not rely on the write() method to output integers outside the range 0 to 255 |
| JAVA.STRUCT.DUPD | EXP01-J. Do not use a null in a case where an object is required |
| JAVA.STRUCT.EXCP.BROAD | ERR07-J. Do not throw RuntimeException, Exception, or Throwable |
| JAVA.STRUCT.EXCP.EEH | ERR00-J. Do not suppress or ignore checked exceptions |
| JAVA.STRUCT.EXCP.GEH | ERR08-J. Do not catch NullPointerException or any of its ancestors |
| JAVA.STRUCT.EXCP.INAPP | ERR08-J. Do not catch NullPointerException or any of its ancestors |
| JAVA.STRUCT.SE.ASSERT | EXP06-J. Expressions used in assertions must not produce side effects |
| JAVA.STRUCT.UA | DCL00-J. Prevent class initialization cycles |
| JAVA.STRUCT.UA.DEFAULT | DCL00-J. Prevent class initialization cycles |
| JAVA.STRUCT.UPD | EXP01-J. Do not use a null in a case where an object is required |
| JAVA.STRUCT.UPED | EXP01-J. Do not use a null in a case where an object is required |