You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

CERT Rule

Related Guidelines

IDS00-JCWE-116, Improper Encoding or Escaping of Output
IDS01-JCWE-289, Authentication bypass by alternate name
IDS01-JCWE-180, Incorrect behavior order: Validate before canonicalize
IDS03-JCWE-144, Improper neutralization of line delimiters
IDS03-JCWE-150, Improper neutralization of escape, meta, or control sequences
IDS03-JCWE-117, Improper Output Neutralization for Logs
IDS04-JCWE-409, Improper Handling of Highly Compressed Data (Data Amplification)
IDS06-JCWE-134, Uncontrolled Format String
IDS07-JCWE-78, Improper Neutralization of Special Elements Used in an OS Command ("OS Command Injection")
IDS11-JCWE-182, Collapse of Data into Unsafe Value
IDS16-JCWE-116, Improper Encoding or Escaping of Output
IDS17-JCWE-116, Improper Encoding or Escaping of Output
EXP00-JCWE-252, Unchecked Return Value
EXP01-JCWE-476, NULL Pointer Dereference
EXP02-JCWE-595, Comparison of Object References Instead of Object Contents
EXP03-JCWE-595, Comparison of Object References Instead of Object Contents
EXP03-JCWE-597, Use of Wrong Operator in String Comparison
NUM00-JCWE-682, Incorrect Calculation
NUM00-JCWE-190, Integer Overflow or Wraparound
NUM00-JCWE-191, Integer Underflow (Wrap or Wraparound)
NUM02-JCWE-369, Divide by Zero
NUM12-JCWE-681, Incorrect Conversion between Numeric Types
NUM12-JCWE-197, Numeric Truncation Error
STR03-JCWE-838, Inappropriate Encoding for Output Context
OBJ01-JCWE-766, Critical Variable Declared Public
OBJ04-JCWE-374, Passing Mutable Objects to an Untrusted Method
OBJ04-JCWE-375, Returning a Mutable Object to an Untrusted Caller
OBJ05-JCWE-375, Returning a Mutable Object to an Untrusted Caller
OBJ08-JCWE-492, Use of Inner Class Containing Sensitive Data
OBJ09-JCWE-486, Comparison of Classes by Name
OBJ10-JCWE-493, Critical Public Variable without Final Modifier
OBJ10-JCWE-500, Public Static Field Not Marked Final
MET01-JCWE-617, Reachable Assertion
MET02-JCWE-589, Call to Non-ubiquitous API
MET04-JCWE-487, Reliance on Package-Level Scope
MET08-JCWE-697, Insufficient Comparison
MET09-JCWE-581, Object Model Violation: Just One of equals and hashcode Defined
MET10-JCWE-573, Improper Following of Specification by Caller
MET12-JCWE-586, Explicit call to Finalize()
MET12-JCWE-583, finalize() Method Declared Public
MET12-JCWE-568, finalize() Method without super.finalize()
ERR00-JCWE-390, Detection of Error Condition without Action
ERR01-JCWE-209, Information Exposure through an Error Message
ERR01-JCWE-497, Exposure of System Data to an Unauthorized Control Sphere
ERR01-JCWE-600, Uncaught Exception in Servlet
ERR03-JCWE-460, Improper Cleanup on Thrown Exception
ERR04-JCWE-459, Incomplete Cleanup
ERR04-JCWE-584, Return Inside finally Block
ERR05-JCWE-248, Uncaught Exception 
ERR05-JCWE-460, Improper Cleanup on Thrown Exception 
ERR05-JCWE-584, Return inside finally Block 
ERR05-JCWE-705, Incorrect Control Flow Scoping
ERR05-JCWE-754, Improper Check for Unusual or Exceptional Conditions 
ERR06-JCWE-703, Improper Check or Handling of Exceptional Conditions
ERR06-JCWE-248, Uncaught Exception
ERR07-JCWE-397, Declaration of Throws for Generic Exception
ERR09-JCWE-382, J2EE Bad Practices: Use of System.exit()
VNA00-JCWE-413, Improper Resource Locking
VNA00-JCWE-567, Unsynchronized Access to Shared Data in a Multithreaded Context
VNA00-JCWE-667, Improper Locking
VNA03-JCWE-362, Concurrent Execution Using Shared Resource with Improper Synchronization ("Race Condition")
VNA03-JCWE-366, Race Condition within a Thread
VNA03-JCWE-662, Improper Synchronization
VNA05-JCWE-667, Improper Locking
LCK00-JCWE-412. Unrestricted externally accessible lock
LCK05-JCWE-820, Missing Synchronization
LCK06-JCWE-667, Improper Locking
LCK07-JCWE-833, Deadlock
LCK08-JCWE-883, Deadlock
LCK10-JCWE-609, Double-checked Locking
THI00-JCWE-572, Call to Thread run() instead of start()
THI05-JCWE-705, Incorrect Control Flow Scoping
TPS00-JCWE-405, Asymmetric Resource Consumption (Amplification)
TPS00-JCWE-410, Insufficient Resource Pool
TPS03-JCWE-392, Missing Report of Error Condition
FIO00-JCWE-67, Improper Handling of Windows Device Names
FIO01-JCWE-279, Incorrect Execution-Assigned Permissions
FIO01-JCWE-276, Incorrect Default Permissions
FIO01-JCWE-732, Incorrect Permission Assignment for Critical Resource
FIO03-JCWE-377, Insecure Temporary File
FIO03-JCWE-459,  Incomplete Cleanup
FIO04-JCWE-404, Improper Resource Shutdown or Release
FIO04-JCWE-405, Asymmetric Resource Consumption (Amplification)
FIO04-JCWE-459, Incomplete Cleanup
FIO04-JCWE-770, Allocation of Resources without Limits or Throttling
FIO09-JCWE-252, Unchecked Return Value
FIO10-JCWE-135, Incorrect Calculation of Multi-byte String Length
FIO12-JCWE-198, Use of Incorrect Byte Ordering
FIO13-JCWE-359, Privacy Violation
FIO13-JCWE-532, Information Exposure through Log Files
FIO13-JCWE-533, Information Exposure through Server Log Files
FIO13-JCWE-542, Information Exposure through Cleanup Log Files
FIO14-JCWE-705, Incorrect Control Flow Scoping
FIO16-JCWE-171, Cleansing, Canonicalization, and Comparison Errors
FIO16-JCWE-647, Use of Non-canonical URL Paths for Authorization Decisions
SER00-JCWE-589, Call to Non-ubiquitous API
SER01-JCWE-502, Deserialization of Untrusted Data
SER02-JCWE-319, Cleartext Transmission of Sensitive Information
SER03-JCWE-499, Serializable Class Containing Sensitive Data
SER03-JCWE-502, Deserialization of Untrusted Data
SER05-JCWE-499, Serializable Class Containing Sensitive Data
SER06-JCWE-502, Deserialization of Untrusted Data
SER07-JCWE-502, "Deserialization of Untrusted Data"
SER08-JCWE-250, Execution with Unnecessary Privileges
SER10-JCWE-400, Uncontrolled Resource Consumption (aka "Resource Exhaustion")
SER10-JCWE-770, Allocation of Resources without Limits or Throttling
SER12-JCWE-502, Deserialization of Untrusted Data
SEC00-JCWE-266, Incorrect Privilege Assignment
SEC00-JCWE-272, Least Privilege Violation
SEC01-JCWE-266, Incorrect Privilege Assignment
SEC01-JCWE-272, Least Privilege Violation
SEC01-JCWE-732, Incorrect Permission Assignment for Critical Resource
SEC02-JCWE-302, Authentication Bypass by Assumed-Immutable Data
SEC02-JCWE-470, Use of Externally-Controlled Input to Select Classes or Code ("Unsafe Reflection")
SEC06-JCWE-300, Channel Accessible by Non-endpoint (aka "Man-in-the-Middle")
SEC06-JCWE-319, Cleartext Transmission of Sensitive Information
SEC06-JCWE-347, Improper Verification of Cryptographic Signature
SEC06-JCWE-494, Download of Code without Integrity Check
ENV01-JCWE-349, Acceptance of Extraneous Untrusted Data with Trusted Data
ENV03-JCWE-732, Incorrect Permission Assignment for Critical Resource
JNI00-JCWE-111, Direct Use of Unsafe JNI
MSC00-JCWE-311, Failure to Encrypt Sensitive Data
MSC02-JCWE-327, Use of a Broken or Risky Cryptographic Algorithm
MSC02-JCWE-330, Use of Insufficiently Random Values
MSC02-JCWE-332, Insufficient Entropy in PRNG
MSC02-JCWE-336, Same Seed in PRNG
MSC02-JCWE-337, Predictable Seed in PRNG
MSC03-JCWE-259, Use of Hard-Coded Password
MSC03-JCWE-798, Use of Hard-Coded Credentials
MSC04-JCWE-401, Improper Release of Memory before Removing Last Reference ("Memory Leak")
MSC05-JCWE-400, Uncontrolled Resource Consumption ("Resource Exhaustion")
MSC05-JCWE-770, Allocation of Resources without Limits or Throttling
IDS50-JCWE-116, Improper encoding or escaping of output
SEC58-JCWE-502, Deserialization of Untrusted Data
STR51-JCWE-838. Inappropriate Encoding for Output Context
  • No labels