SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 1

changes.mady.by.user Will Snavely

Saved on

compared with

New Version 2

changes.mady.by.user Will Snavely

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

CERT Rule

Related Guidelines

IDS00-J

CWE-116, Improper Encoding or Escaping of Output

IDS01-J

CWE-289, Authentication bypass by alternate name
CWE-180, Incorrect behavior order: Validate before canonicalize

IDS03-J

CWE-144, Improper neutralization of line delimiters
CWE-150, Improper neutralization of escape, meta, or control sequences
CWE-117, Improper Output Neutralization for Logs 

IDS04-J

CWE-409, Improper Handling of Highly Compressed Data (Data Amplification)

IDS06-J

CWE-134, Uncontrolled Format String

IDS07-J

CWE-78, Improper Neutralization of Special Elements Used in an OS Command ("OS Command Injection")

IDS11-J

CWE-182, Collapse of Data into Unsafe Value

IDS16-J

CWE-116, Improper Encoding or Escaping of Output

IDS17-J

CWE-116, Improper Encoding or Escaping of Output

EXP00-J

CWE-252, Unchecked Return Value

EXP01-J

CWE-476, NULL Pointer Dereference

EXP02-J

CWE-595, Comparison of Object References Instead of Object Contents

EXP03-J

CWE-595, Comparison of Object References Instead of Object Contents
CWE-597, Use of Wrong Operator in String Comparison

NUM00-J

CWE-682, Incorrect Calculation
CWE-190, Integer Overflow or Wraparound
CWE-191, Integer Underflow (Wrap or Wraparound)

NUM02-J

CWE-369, Divide by Zero

NUM12-J

CWE-681, Incorrect Conversion between Numeric Types
CWE-197, Numeric Truncation Error

STR03-J

CWE-838, Inappropriate Encoding for Output Context

OBJ01-J

CWE-766, Critical Variable Declared Public

OBJ04-J

CWE-374, Passing Mutable Objects to an Untrusted Method
CWE-375, Returning a Mutable Object to an Untrusted Caller

OBJ05-J

CWE-375, Returning a Mutable Object to an Untrusted Caller

OBJ08-J

CWE-492, Use of Inner Class Containing Sensitive Data

OBJ09-J

CWE-486, Comparison of Classes by Name

OBJ10-J

CWE-493, Critical Public Variable without Final Modifier
CWE-500, Public Static Field Not Marked Final

MET01-J

CWE-617, Reachable Assertion

MET02-J

CWE-589, Call to Non-ubiquitous API

MET04-J

CWE-487, Reliance on Package-Level Scope

MET08-J

CWE-697, Insufficient Comparison

MET09-J

CWE-581, Object Model Violation: Just One of equals and hashcode Defined

MET10-J

CWE-573, Improper Following of Specification by Caller

MET12-J

CWE-586, Explicit call to Finalize()
CWE-583, finalize() Method Declared Public
CWE-568, finalize() Method without super.finalize()

ERR00-J

CWE-390, Detection of Error Condition without Action

ERR01-J

CWE-209, Information Exposure through an Error Message
CWE-497, Exposure of System Data to an Unauthorized Control Sphere
CWE-600, Uncaught Exception in Servlet

ERR03-J

CWE-460, Improper Cleanup on Thrown Exception

ERR04-J

CWE-459, Incomplete Cleanup
CWE-584, Return Inside finally Block

ERR05-J

CWE-248, Uncaught Exception
CWE-460, Improper Cleanup on Thrown Exception
CWE-584, Return inside finally Block
CWE-705, Incorrect Control Flow Scoping
CWE-754, Improper Check for Unusual or Exceptional Conditions 

ERR06-J

CWE-703, Improper Check or Handling of Exceptional Conditions
CWE-248, Uncaught Exception

ERR07-J

CWE-397, Declaration of Throws for Generic Exception

ERR09-J

CWE-382, J2EE Bad Practices: Use of System.exit()

VNA00-J

CWE-413, Improper Resource Locking
CWE-567, Unsynchronized Access to Shared Data in a Multithreaded Context
CWE-667, Improper Locking

VNA03-J

CWE-362, Concurrent Execution Using Shared Resource with Improper Synchronization ("Race Condition")
CWE-366, Race Condition within a Thread
CWE-662, Improper Synchronization

VNA05-J

CWE-667, Improper Locking

LCK00-J

CWE-412. Unrestricted externally accessible lock

LCK05-J

CWE-820, Missing Synchronization

LCK06-J

CWE-667, Improper Locking

LCK07-J

CWE-833, Deadlock

LCK08-J

CWE-883, Deadlock

LCK10-J

CWE-609, Double-checked Locking

THI00-J

CWE-572, Call to Thread run() instead of start()

THI05-J

CWE-705, Incorrect Control Flow Scoping

TPS00-J

CWE-405, Asymmetric Resource Consumption (Amplification)
CWE-410, Insufficient Resource Pool

TPS03-J

CWE-392, Missing Report of Error Condition

FIO00-J

CWE-67, Improper Handling of Windows Device Names

FIO01-J

CWE-279, Incorrect Execution-Assigned Permissions
CWE-276, Incorrect Default Permissions
CWE-732, Incorrect Permission Assignment for Critical Resource

FIO03-J

CWE-377, Insecure Temporary File
CWE-459, 

Incomplete Cleanup

FIO04-J

CWE-404, Improper Resource Shutdown or Release
CWE-405, Asymmetric Resource Consumption (Amplification)
CWE-459, Incomplete Cleanup
CWE-770, Allocation of Resources without Limits or Throttling

FIO09-J

CWE-252, Unchecked Return Value

FIO10-J

CWE-135, Incorrect Calculation of Multi-byte String Length

FIO12-J

CWE-198, Use of Incorrect Byte Ordering

FIO13-J

CWE-359, Privacy Violation
CWE-532, Information Exposure through Log Files
CWE-533, Information Exposure through Server Log Files
CWE-542, Information Exposure through Cleanup Log Files

FIO14-J

CWE-705, Incorrect Control Flow Scoping

FIO16-J

CWE-171, Cleansing, Canonicalization, and Comparison Errors
CWE-647, Use of Non-canonical URL Paths for Authorization Decisions

SER00-J

CWE-589, Call to Non-ubiquitous API

SER01-J

CWE-502, Deserialization of Untrusted Data

SER02-J

CWE-319, Cleartext Transmission of Sensitive Information

SER03-J

CWE-499, Serializable Class Containing Sensitive Data
CWE-502, Deserialization of Untrusted Data

SER05-J

CWE-499, Serializable Class Containing Sensitive Data

SER06-J

CWE-502, Deserialization of Untrusted Data

SER07-J

CWE-502, "Deserialization of Untrusted Data"

SER08-J

CWE-250, Execution with Unnecessary Privileges

SER10-J

CWE-400, Uncontrolled Resource Consumption (aka "Resource Exhaustion")
CWE-770, Allocation of Resources without Limits or Throttling

SER12-J

CWE-502, Deserialization of Untrusted Data

SER13-J

CWE-502, Deserialization of Untrusted Data

SEC00-J

CWE-266, Incorrect Privilege Assignment
CWE-272, Least Privilege Violation

SEC01-J

CWE-266, Incorrect Privilege Assignment
CWE-272, Least Privilege Violation
CWE-732, Incorrect Permission Assignment for Critical Resource

SEC02-J

CWE-302, Authentication Bypass by Assumed-Immutable Data
CWE-470, Use of Externally-Controlled Input to Select Classes or Code ("Unsafe Reflection")

SEC06-J

CWE-300, Channel Accessible by Non-endpoint (aka "Man-in-the-Middle")
CWE-319, Cleartext Transmission of Sensitive Information
CWE-347, Improper Verification of Cryptographic Signature
CWE-494, Download of Code without Integrity Check

ENV01-J

CWE-349, Acceptance of Extraneous Untrusted Data with Trusted Data

ENV03-J

CWE-732, Incorrect Permission Assignment for Critical Resource

JNI00-J

CWE-111, Direct Use of Unsafe JNI

MSC00-J

CWE-311, Failure to Encrypt Sensitive Data

MSC02-J

CWE-327, Use of a Broken or Risky Cryptographic Algorithm
CWE-330, Use of Insufficiently Random Values
CWE-332, Insufficient Entropy in PRNG
CWE-336, Same Seed in PRNG
CWE-337, Predictable Seed in PRNG

MSC03-J

CWE-259, Use of Hard-Coded Password
CWE-798, Use of Hard-Coded Credentials

MSC04-J

CWE-401, Improper Release of Memory before Removing Last Reference ("Memory Leak")

MSC05-J

CWE-400, Uncontrolled Resource Consumption ("Resource Exhaustion")
CWE-770, Allocation of Resources without Limits or Throttling

IDS50-J

CWE-116, Improper encoding or escaping of output

STR51-J

CWE-838. Inappropriate Encoding for Output Context