CERT Rule | Related Guidelines
---|---
IDS00-J | CWE-116, Improper Encoding or Escaping of Output
IDS01-J | CWE-289, Authentication Bypass by Alternate Name
IDS01-J | CWE-180, Incorrect Behavior Order: Validate Before Canonicalize
IDS03-J | CWE-144, Improper Neutralization of Line Delimiters
IDS03-J | CWE-150, Improper Neutralization of Escape, Meta, or Control Sequences
IDS03-J | CWE-117, Improper Output Neutralization for Logs
IDS04-J | CWE-409, Improper Handling of Highly Compressed Data (Data Amplification)
IDS06-J | CWE-134, Uncontrolled Format String
IDS07-J | CWE-78, Improper Neutralization of Special Elements Used in an OS Command ("OS Command Injection")
IDS11-J | CWE-182, Collapse of Data into Unsafe Value
IDS16-J | CWE-116, Improper Encoding or Escaping of Output
IDS17-J | CWE-116, Improper Encoding or Escaping of Output
EXP00-J | CWE-252, Unchecked Return Value
EXP01-J | CWE-476, NULL Pointer Dereference
EXP02-J | CWE-595, Comparison of Object References Instead of Object Contents
EXP03-J | CWE-595, Comparison of Object References Instead of Object Contents
EXP03-J | CWE-597, Use of Wrong Operator in String Comparison
NUM00-J | CWE-682, Incorrect Calculation
NUM00-J | CWE-190, Integer Overflow or Wraparound
NUM00-J | CWE-191, Integer Underflow (Wrap or Wraparound)
NUM02-J | CWE-369, Divide by Zero
NUM12-J | CWE-681, Incorrect Conversion between Numeric Types
NUM12-J | CWE-197, Numeric Truncation Error
STR03-J | CWE-838, Inappropriate Encoding for Output Context
OBJ01-J | CWE-766, Critical Variable Declared Public
OBJ04-J | CWE-374, Passing Mutable Objects to an Untrusted Method
OBJ04-J | CWE-375, Returning a Mutable Object to an Untrusted Caller
OBJ05-J | CWE-375, Returning a Mutable Object to an Untrusted Caller
OBJ08-J | CWE-492, Use of Inner Class Containing Sensitive Data
OBJ09-J | CWE-486, Comparison of Classes by Name
OBJ10-J | CWE-493, Critical Public Variable without Final Modifier
OBJ10-J | CWE-500, Public Static Field Not Marked Final
MET01-J | CWE-617, Reachable Assertion
MET02-J | CWE-589, Call to Non-ubiquitous API
MET04-J | CWE-487, Reliance on Package-Level Scope
MET08-J | CWE-697, Insufficient Comparison
MET09-J | CWE-581, Object Model Violation: Just One of equals and hashcode Defined
MET10-J | CWE-573, Improper Following of Specification by Caller
MET12-J | CWE-586, Explicit Call to Finalize()
MET12-J | CWE-583, finalize() Method Declared Public
MET12-J | CWE-568, finalize() Method without super.finalize()
ERR00-J | CWE-390, Detection of Error Condition without Action
ERR01-J | CWE-209, Information Exposure through an Error Message
ERR01-J | CWE-497, Exposure of System Data to an Unauthorized Control Sphere
ERR01-J | CWE-600, Uncaught Exception in Servlet
ERR03-J | CWE-460, Improper Cleanup on Thrown Exception
ERR04-J | CWE-459, Incomplete Cleanup
ERR04-J | CWE-584, Return Inside finally Block
ERR05-J | CWE-248, Uncaught Exception
ERR05-J | CWE-460, Improper Cleanup on Thrown Exception
ERR05-J | CWE-584, Return Inside finally Block
ERR05-J | CWE-705, Incorrect Control Flow Scoping
ERR05-J | CWE-754, Improper Check for Unusual or Exceptional Conditions
ERR06-J | CWE-703, Improper Check or Handling of Exceptional Conditions
ERR06-J | CWE-248, Uncaught Exception
ERR07-J | CWE-397, Declaration of Throws for Generic Exception
ERR09-J | CWE-382, J2EE Bad Practices: Use of System.exit()
VNA00-J | CWE-413, Improper Resource Locking
VNA00-J | CWE-567, Unsynchronized Access to Shared Data in a Multithreaded Context
VNA00-J | CWE-667, Improper Locking
VNA03-J | CWE-362, Concurrent Execution Using Shared Resource with Improper Synchronization ("Race Condition")
VNA03-J | CWE-366, Race Condition within a Thread
VNA03-J | CWE-662, Improper Synchronization
VNA05-J | CWE-667, Improper Locking
LCK00-J | CWE-412, Unrestricted Externally Accessible Lock
LCK05-J | CWE-820, Missing Synchronization
LCK06-J | CWE-667, Improper Locking
LCK07-J | CWE-833, Deadlock
LCK08-J | CWE-883, Deadlock
LCK10-J | CWE-609, Double-checked Locking
THI00-J | CWE-572, Call to Thread run() instead of start()
THI05-J | CWE-705, Incorrect Control Flow Scoping
TPS00-J | CWE-405, Asymmetric Resource Consumption (Amplification)
TPS00-J | CWE-410, Insufficient Resource Pool
TPS03-J | CWE-392, Missing Report of Error Condition
FIO00-J | CWE-67, Improper Handling of Windows Device Names
FIO01-J | CWE-279, Incorrect Execution-Assigned Permissions
FIO01-J | CWE-276, Incorrect Default Permissions
FIO01-J | CWE-732, Incorrect Permission Assignment for Critical Resource
FIO03-J | CWE-377, Insecure Temporary File
FIO03-J | CWE-459, Incomplete Cleanup
FIO04-J | CWE-404, Improper Resource Shutdown or Release
FIO04-J | CWE-405, Asymmetric Resource Consumption (Amplification)
FIO04-J | CWE-459, Incomplete Cleanup
FIO04-J | CWE-770, Allocation of Resources without Limits or Throttling
FIO09-J | CWE-252, Unchecked Return Value
FIO10-J | CWE-135, Incorrect Calculation of Multi-byte String Length
FIO12-J | CWE-198, Use of Incorrect Byte Ordering
FIO13-J | CWE-359, Privacy Violation
FIO13-J | CWE-532, Information Exposure through Log Files
FIO13-J | CWE-533, Information Exposure through Server Log Files
FIO13-J | CWE-542, Information Exposure through Cleanup Log Files
FIO14-J | CWE-705, Incorrect Control Flow Scoping
FIO16-J | CWE-171, Cleansing, Canonicalization, and Comparison Errors
FIO16-J | CWE-647, Use of Non-canonical URL Paths for Authorization Decisions
SER00-J | CWE-589, Call to Non-ubiquitous API
SER01-J | CWE-502, Deserialization of Untrusted Data
SER02-J | CWE-319, Cleartext Transmission of Sensitive Information
SER03-J | CWE-499, Serializable Class Containing Sensitive Data
SER03-J | CWE-502, Deserialization of Untrusted Data
SER05-J | CWE-499, Serializable Class Containing Sensitive Data
SER06-J | CWE-502, Deserialization of Untrusted Data
SER07-J | CWE-502, Deserialization of Untrusted Data
SER08-J | CWE-250, Execution with Unnecessary Privileges
SER10-J | CWE-400, Uncontrolled Resource Consumption ("Resource Exhaustion")
SER10-J | CWE-770, Allocation of Resources without Limits or Throttling
SER12-J | CWE-502, Deserialization of Untrusted Data
SER13-J | CWE-502, Deserialization of Untrusted Data
SEC00-J | CWE-266, Incorrect Privilege Assignment
SEC00-J | CWE-272, Least Privilege Violation
SEC01-J | CWE-266, Incorrect Privilege Assignment
SEC01-J | CWE-272, Least Privilege Violation
SEC01-J | CWE-732, Incorrect Permission Assignment for Critical Resource
SEC02-J | CWE-302, Authentication Bypass by Assumed-Immutable Data
SEC02-J | CWE-470, Use of Externally-Controlled Input to Select Classes or Code ("Unsafe Reflection")
SEC06-J | CWE-300, Channel Accessible by Non-endpoint ("Man-in-the-Middle")
SEC06-J | CWE-319, Cleartext Transmission of Sensitive Information
SEC06-J | CWE-347, Improper Verification of Cryptographic Signature
SEC06-J | CWE-494, Download of Code without Integrity Check
ENV01-J | CWE-349, Acceptance of Extraneous Untrusted Data with Trusted Data
ENV03-J | CWE-732, Incorrect Permission Assignment for Critical Resource
JNI00-J | CWE-111, Direct Use of Unsafe JNI
MSC00-J | CWE-311, Failure to Encrypt Sensitive Data
MSC02-J | CWE-327, Use of a Broken or Risky Cryptographic Algorithm
MSC02-J | CWE-330, Use of Insufficiently Random Values
MSC02-J | CWE-332, Insufficient Entropy in PRNG
MSC02-J | CWE-336, Same Seed in PRNG
MSC02-J | CWE-337, Predictable Seed in PRNG
MSC03-J | CWE-259, Use of Hard-Coded Password
MSC03-J | CWE-798, Use of Hard-Coded Credentials
MSC04-J | CWE-401, Improper Release of Memory before Removing Last Reference ("Memory Leak")
MSC05-J | CWE-400, Uncontrolled Resource Consumption ("Resource Exhaustion")
MSC05-J | CWE-770, Allocation of Resources without Limits or Throttling
IDS50-J | CWE-116, Improper Encoding or Escaping of Output
SEC58-J | CWE-502, Deserialization of Untrusted Data
STR51-J | CWE-838, Inappropriate Encoding for Output Context