Checker
|
Guideline
|
---|
BD-SECURITY-TDLOG
|
IDS03-J. Do not log unsanitized user input
|
BD-SECURITY-TDSQL
|
IDS00-J. Prevent SQL injection
|
BD.CO.ITMOD
|
DCL02-J. Do not modify the collection's elements during an enhanced for statement
|
BD.CO.ITMOD
|
MSC06-J. Do not modify the underlying collection when an iteration is in progress
|
BD.EXCEPT.NP
|
EXP01-J. Do not use a null in a case where an object is required
|
BD.PB.ZERO
|
NUM02-J. Ensure that division and remainder operations do not result in divide-by-zero errors
|
BD.RES.LEAKS
|
FIO04-J. Release resources when they are no longer needed
|
BD.RES.LEAKS
|
MSC04-J. Do not leak memory
|
BD.SECURITY.SENS
|
FIO13-J. Do not log sensitive information outside a trust boundary
|
BD.SECURITY.TDRFL
|
SEC02-J. Do not base security checks on untrusted sources
|
BD.SECURITY.TDXML
|
IDS16-J. Prevent XML Injection
|
BD.TRS.LOCK
|
LCK08-J. Ensure actively held locks are released on exceptional conditions
|
BD.TRS.TSHL
|
LCK09-J. Do not perform operations that can block while holding a lock
|
CODSTA.BP.ARM
|
SEC05-J. Do not use reflection to increase accessibility of classes, methods, or fields
|
CODSTA.BP.EXIT
|
ERR09-J. Do not allow untrusted code to terminate the JVM
|
CODSTA.EPC.AGBPT
|
OBJ03-J. Prevent heap pollution
|
CODSTA.OIM.OVERRIDE
|
MET09-J. Classes that define an equals() method must also define a hashCode() method
|
CODSTD.BP.NTX
|
ERR07-J. Do not throw RuntimeException, Exception, or Throwable
|
EJB.MNDF
|
MET12-J. Do not use finalizers
|
EXCEPT.ENFC
|
OBJ11-J. Be wary of letting constructors throw exceptions
|
EXCEPT.NCNPE
|
ERR08-J. Do not catch NullPointerException or any of its ancestors
|
EXCEPT.NTERR
|
ERR07-J. Do not throw RuntimeException, Exception, or Throwable
|
GC.FCF
|
MET12-J. Do not use finalizers
|
GC.FM
|
MET12-J. Do not use finalizers
|
GC.IFF
|
MET12-J. Do not use finalizers
|
GC.NCF
|
MET12-J. Do not use finalizers
|
GLOBAL.ACD
|
DCL00-J. Prevent class initialization cycles
|
HIBERNATE.LHII
|
FIO13-J. Do not log sensitive information outside a trust boundary
|
INTER.COS
|
STR00-J. Don't form strings containing partial characters from variable-width encodings
|
INTER.{CCL,CTLC}
|
STR02-J. Specify an appropriate locale when comparing locale-dependent data
|
OOP.AHSM
|
MET07-J. Never declare a class method that hides a method declared in a superclass or superinterface
|
OOP.MUCOP
|
OBJ04-J. Provide mutable classes with copy functionality to safely allow passing instances to untrusted code
|
OOP.MUCOP
|
OBJ05-J. Do not return references to private mutable class members
|
OOP.MUCOP
|
OBJ06-J. Defensively copy mutable inputs and mutable internal components
|
OOP.OPM
|
MET04-J. Do not increase the accessibility of overridden or hidden methods
|
OPT.CCR
|
FIO04-J. Release resources when they are no longer needed
|
OPT.CCR
|
FIO14-J. Perform proper cleanup at program termination
|
OPT.CIO
|
FIO04-J. Release resources when they are no longer needed
|
OPT.CIO
|
FIO14-J. Perform proper cleanup at program termination
|
OPT.CRWD
|
FIO14-J. Perform proper cleanup at program termination
|
PB-NUM-FPLI
|
NUM09-J. Do not use floating-point variables as loop counters
|
PB-RE-NMCD
|
EXP01-J. Do not use a null in a case where an object is required
|
PB.API.DPRAPI
|
MET02-J. Do not use deprecated or obsolete classes or methods
|
PB.API.OF
|
MET12-J. Do not use finalizers
|
PB.API.VAFS
|
IDS06-J. Exclude unsanitized user input from format strings
|
PB.CUB.ARCF
|
ERR04-J. Do not complete abruptly from a finally block
|
PB.CUB.ARCF
|
ERR05-J. Do not let checked exceptions escape from a finally block
|
PB.CUB.ATSF
|
ERR04-J. Do not complete abruptly from a finally block
|
PB.CUB.ATSF
|
ERR05-J. Do not let checked exceptions escape from a finally block
|
PB.CUB.UEIC
|
EXP02-J. Do not use the Object.equals() method to compare two arrays
|
PB.CUB.UEIC
|
EXP03-J. Do not use the equality operators when comparing values of boxed primitives
|
PB.LOGIC.CRRV
|
FIO08-J. Distinguish between characters or bytes read from a stream and -1
|
PB.NUM.AIC
|
NUM13-J. Avoid loss of precision when converting primitive integers to floating-point
|
PB.NUM.BBDCC
|
NUM10-J. Do not construct BigDecimal objects from floating-point literals
|
PB.NUM.CLP
|
NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data
|
PB.NUM.NAN
|
NUM07-J. Do not attempt comparisons with NaN
|
PB.NUM.UBD
|
NUM04-J. Do not use floating-point numbers if precise computation is required
|
PB.NUM.{ICO,BSA,CACO}
|
NUM00-J. Detect or prevent integer overflow
|
PB.TYPO.EB
|
MSC01-J. Do not use an empty infinite loop
|
PB.USC.NASSIG
|
EXP00-J. Do not ignore values returned by methods
|
PORT.ENV
|
ENV02-J. Do not trust the values of environment variables
|
PORT.EXEC
|
IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method
|
PORT.EXEC
|
FIO07-J. Do not let external processes block on IO buffers
|
SECURITY.BV.ACL
|
SEC03-J. Do not load trusted classes after allowing untrusted code to load arbitrary classes
|
SECURITY.EAB.CMP
|
OBJ09-J. Compare classes and not class names
|
SECURITY.EAB.CPCL
|
OBJ04-J. Provide mutable classes with copy functionality to safely allow passing instances to untrusted code
|
SECURITY.EAB.CPCL
|
OBJ05-J. Do not return references to private mutable class members
|
SECURITY.EAB.CPCL
|
OBJ06-J. Defensively copy mutable inputs and mutable internal components
|
SECURITY.EAB.JVM
|
ERR09-J. Do not allow untrusted code to terminate the JVM
|
SECURITY.EAB.MPT
|
OBJ04-J. Provide mutable classes with copy functionality to safely allow passing instances to untrusted code
|
SECURITY.EAB.MPT
|
OBJ05-J. Do not return references to private mutable class members
|
SECURITY.EAB.MPT
|
OBJ06-J. Defensively copy mutable inputs and mutable internal components
|
SECURITY.EAB.SMO
|
OBJ04-J. Provide mutable classes with copy functionality to safely allow passing instances to untrusted code
|
SECURITY.EAB.SMO
|
OBJ05-J. Do not return references to private mutable class members
|
SECURITY.EAB.SMO
|
OBJ06-J. Defensively copy mutable inputs and mutable internal components
|
SECURITY.EAB.SPFF
|
OBJ10-J. Do not use public static nonfinal fields
|
SECURITY.ESD.ACW
|
ERR01-J. Do not allow exceptions to expose sensitive information
|
SECURITY.ESD.CONSEN
|
FIO13-J. Do not log sensitive information outside a trust boundary
|
SECURITY.ESD.PEO
|
FIO13-J. Do not log sensitive information outside a trust boundary
|
SECURITY.ESD.SIF
|
SER03-J. Do not serialize unencrypted sensitive data
|
SECURITY.IBA.ATF
|
FIO03-J. Remove temporary files before termination
|
SECURITY.IBA.NATIW
|
JNI00-J. Define wrappers around native methods
|
SECURITY.IBA.VPPD
|
IDS17-J. Prevent XML External Entity Attacks
|
SECURITY.UEHL.LGE
|
ERR00-J. Do not suppress or ignore checked exceptions
|
SECURITY.WSC.ACPST
|
ERR01-J. Do not allow exceptions to expose sensitive information
|
SECURITY.WSC.AHCA
|
MSC03-J. Never hard code sensitive information
|
SECURITY.WSC.CLONE
|
OBJ04-J. Provide mutable classes with copy functionality to safely allow passing instances to untrusted code
|
SECURITY.WSC.HCCK
|
MSC03-J. Never hard code sensitive information
|
SECURITY.WSC.HCCS
|
MSC03-J. Never hard code sensitive information
|
SECURITY.WSC.MCNC
|
OBJ07-J. Sensitive classes must not let themselves be copied
|
SECURITY.WSC.SCF
|
SEC04-J. Protect sensitive operations with security manager checks
|
SECURITY.WSC.SCSER
|
SER04-J. Do not allow serialization and deserialization to bypass the security manager
|
SECURITY.WSC.SRD
|
MSC02-J. Generate strong random numbers
|
SECURITY.WSC.USC
|
MSC00-J. Use SSLSocket rather than Socket for secure data exchange
|
SERIAL.IRX
|
SER11-J. Prevent overwriting of externalizable objects
|
SERIAL.ROWO
|
SER01-J. Do not deviate from the proper signatures of serialization methods
|
SERIAL.RRSC
|
SER07-J. Do not use the default serialized form for classes with implementation-defined invariants
|
SERVLET.CETS
|
ERR01-J. Do not allow exceptions to expose sensitive information
|
TRS.ANF
|
THI02-J. Notify all waiting threads rather than a single thread
|
TRS.AUTG
|
THI01-J. Do not invoke ThreadGroup methods
|
TRS.CSTART
|
TSM02-J. Do not use background threads during class initialization
|
TRS.CTRE
|
TSM01-J. Do not let the this reference escape during object construction
|
TRS.DCL
|
LCK10-J. Use a correct form of the double-checked locking idiom
|
TRS.IASF
|
LCK05-J. Synchronize access to static fields that can be modified by untrusted code
|
TRS.ILI
|
MSC07-J. Prevent multiple instantiations of singleton objects
|
TRS.IRUN
|
THI00-J. Do not invoke Thread.run()
|
TRS.LORD
|
VNA00-J. Ensure visibility when accessing shared primitive variables
|
TRS.LORD
|
LCK07-J. Avoid deadlock by requesting and releasing locks in the same order
|
TRS.MRAV
|
VNA00-J. Ensure visibility when accessing shared primitive variables
|
TRS.MRAV
|
VNA02-J. Ensure that compound operations on shared variables are atomic
|
TRS.MRAV
|
VNA03-J. Do not assume that a group of calls to independently atomic methods is atomic
|
TRS.RLF
|
LCK08-J. Ensure actively held locks are released on exceptional conditions
|
TRS.SCS
|
LCK01-J. Do not synchronize on objects that may be reused
|
TRS.SOPF
|
LCK00-J. Use private final lock objects to synchronize classes that may interact with untrusted code
|
TRS.SSUG
|
VNA02-J. Ensure that compound operations on shared variables are atomic
|
TRS.SSUG
|
VNA03-J. Do not assume that a group of calls to independently atomic methods is atomic
|
TRS.THRD
|
MET02-J. Do not use deprecated or obsolete classes or methods
|
TRS.THRD
|
THI05-J. Do not use Thread.stop() to terminate threads
|
TRS.TSHL
|
LCK09-J. Do not perform operations that can block while holding a lock
|
TRS.UWIL
|
THI03-J. Always invoke wait() and await() methods inside a loop
|
UC.EF
|
MET12-J. Do not use finalizers
|
UC.FCSF
|
MET12-J. Do not use finalizers
|
UC.UCATCH
|
ERR00-J. Do not suppress or ignore checked exceptions
|