--- template5.4p0.conf 2021-03-29 10:00:20.945122500 -0400
+++ template6.0p0.conf 2021-03-29 10:00:17.709957300 -0400
@@ -1,7 +1,7 @@
 # For emacs: -*- Shell-script -*-
 #
 ######################################################################
-# CodeSonar 5.4p0 Configuration File
+# CodeSonar 6.0p0 Configuration File
 ######################################################################
 #
 # CodeSonar will use preferences defined in this file when running
@@ -219,6 +219,7 @@
 # COMPILER_MODELS += arm-none-eabi-gcc.exe -> gcc
 # COMPILER_MODELS += armcc.exe -> armcc
 # COMPILER_MODELS += armcl.exe -> cl6x
+# COMPILER_MODELS += armclang.exe -> armclang
 # COMPILER_MODELS += armcpp.exe -> armcc
 # COMPILER_MODELS += bcc32.exe -> borland
 # COMPILER_MODELS += c166.exe -> tasking
@@ -271,7 +272,9 @@
 # COMPILER_MODELS += iccarm.exe -> iccarm
 # COMPILER_MODELS += iccavr.exe -> iccavr
 # COMPILER_MODELS += iccm32c.exe -> iccm32c
+# COMPILER_MODELS += iccrx.exe -> iccrx
 # COMPILER_MODELS += iccstm8.exe -> iccstm8
+# COMPILER_MODELS += iccv850.exe -> iccv850
 # COMPILER_MODELS += mwccmcf.exe -> mwccmcf
 # COMPILER_MODELS += null-cc.exe -> xcc
 # COMPILER_MODELS += picc.exe -> picc
@@ -287,6 +290,7 @@
 # COMPILER_MODELS += arm-none-eabi-g++ -> gpp
 # COMPILER_MODELS += arm-none-eabi-gcc -> gcc
 # COMPILER_MODELS += armcc -> armcc
+# COMPILER_MODELS += armclang -> armclang
 # COMPILER_MODELS += armcpp -> armcc
 # COMPILER_MODELS += c++ -> gpp
 # COMPILER_MODELS += cc -> cc
@@ -315,24 +319,20 @@
 # COMPILER_MODELS += tcc -> armcc
 # COMPILER_MODELS += tcpp -> armcc
 #
-# On all EXCEPT Windows and OS X:
+# On all EXCEPT Windows:
 # COMPILER_MODELS += QCC -> qcc
 #
-# On Solaris, in addition to POSIX default models:
-# COMPILER_MODELS += CC -> acpp
-#
-# To activate the Hi-Tech compiler model for Linux, Solaris, and OS
-# X:
+# To activate the Hi-Tech compiler model for Linux:
 # COMPILER_MODELS += picc -> picc
 #
-# To activate the IAR compiler models for Linux, Solaris, and OS X:
+# To activate the IAR compiler models for Linux:
 # COMPILER_MODELS += iccarm -> iar
 # COMPILER_MODELS += iccm32c -> iar
 # COMPILER_MODELS += icc430 -> iar
 #
 # To use the IAR compiler model for other IAR compilers, specify a
 # similar COMPILER_MODELS rule for your compiler executable name.
-# For example, if you are using icc8051 on Linux, Solaris, or OS X:
+# For example, if you are using icc8051 on Linux:
 # COMPILER_MODELS += icc8051 -> iar
 #
 # To activate the TI CodeComposer compiler models for non-Windows
@@ -349,7 +349,7 @@
 # COMPILER_MODELS += mcc18.exe -> mcc18
 #
 # To activate the Freescale CodeWarrior for HC12 compiler model for
-# Linux, Solaris, and OS X:
+# Linux:
 # COMPILER_MODELS += chc12 -> chc12
 #
 # To activate the Freescale CodeWarrior for HC12 compiler model for
@@ -483,6 +483,7 @@
 # DISABLED_COMPILERS += arm-none-eabi-gcc.exe
 # DISABLED_COMPILERS += armcc.exe
 # DISABLED_COMPILERS += armcl.exe
+# DISABLED_COMPILERS += armclang.exe
 # DISABLED_COMPILERS += armcpp.exe
 # DISABLED_COMPILERS += bcc32.exe
 # DISABLED_COMPILERS += c166.exe
@@ -535,7 +536,9 @@
 # DISABLED_COMPILERS += iccarm.exe
 # DISABLED_COMPILERS += iccavr.exe
 # DISABLED_COMPILERS += iccm32c.exe
+# DISABLED_COMPILERS += iccrx.exe
 # DISABLED_COMPILERS += iccstm8.exe
+# DISABLED_COMPILERS += iccv850.exe
 # DISABLED_COMPILERS += mwccmcf.exe
 # DISABLED_COMPILERS += null-cc.exe
 # DISABLED_COMPILERS += picc.exe
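Review bot: The rewritten QCC line now reads `# On all EXCEPT Windows:`, which as written widens the `COMPILER_MODELS += QCC -> qcc` rule to macOS, while every other change in this hunk removes OS X from the supported-platform lists (Hi-Tech, IAR, icc8051) and the Solaris `CC -> acpp` model is dropped entirely. If OS X is no longer a supported analysis host, the exclusion list should say so rather than silently implying a new QCC mapping there; if the mapping is genuinely new on macOS, that deserves one explicit sentence. I would either keep the old wording or add `# (macOS is no longer a supported analysis host in this release.)` under it, whichever matches the release notes — the hunk itself does not say which.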
@@ -553,6 +556,7 @@
 # DISABLED_COMPILERS += arm-none-eabi-g++
 # DISABLED_COMPILERS += arm-none-eabi-gcc
 # DISABLED_COMPILERS += armcc
+# DISABLED_COMPILERS += armclang
 # DISABLED_COMPILERS += armcpp
 # DISABLED_COMPILERS += c++
 # DISABLED_COMPILERS += cc
@@ -915,40 +919,20 @@
 # - BUILD_BEHAVIOR: Governs the Build/Analysis
 #
 # Type
-# - C/C++ analyses: Boost 'POSIX Extended Regular Expression'
-# [http://www.boost.org/doc/libs/1_63_0/libs/regex/doc/html/boost_regex/syntax/basic_extended.html]
-# - Java analyses: Regular expression string for
-# java.util.regex.Pattern
-# [doc/html/Preferences/https://docs.oracle.com/javase/8/docs/api/java/util/regex/Pattern.html]
+# C/C++ analyses: Boost 'POSIX Extended Regular Expression'
+# [http://www.boost.org/doc/libs/1_63_0/libs/regex/doc/html/boost_regex/syntax/basic_extended.html]
 #
 # Behavior
 # For C and C++ analyses: If a file in a compilation command has a
 # path that matches the regular expression, that compilation will
 # be ignored.
 #
-# For Java analyses: The regular expression is matched against all
-# .class, .java, and Java archive files identified in the cs-bin-
-# scan command (primary command argument, -sourcefile values, and
-# -auxclasspath values). Matching files are excluded from the
-# project, with consequences that depend on the file type as
-# follows.
-# - .java: The file and its corresponding .class file will not be
-# analyzed. However, if the corresponding .class file is not also
-# ignored it may still provide information for other classes that
-# are analyzed.
-# - .class: FindBugs will not analyze the class. If the
-# corresponding .java file is not also ignored, it will be
-# analyzed with PMD only.
-# - archive: Julia will not analyze any part of the archive. Other
-# handling for individual .class and .java files inside the
-# archive is as described above.
-#
-# Notes
-# For C and C++ analyses, this option cannot be used to ignore
-# header files. Only top level files (e.g., .c and .cpp) can be
-# ignored. CodeSonar users looking to discard warnings in certain
-# include files might be interested in the WARNING_FILTER examples
-# for discard path:, or the SYSTEM_INCLUDE_PATHS setting.
+# Notes
+# [C/C++ analyses only] This option cannot be used to ignore header
+# files. Only top level files (e.g., .c and .cpp) can be ignored.
+# CodeSonar users looking to discard warnings in certain include
+# files might be interested in the WARNING_FILTER examples for
+# discard path:, or the SYSTEM_INCLUDE_PATHS setting.
 #
 # For example,
 # IGNORED_COMPILATIONS += ^.*foo\.c$
@@ -966,11 +950,6 @@
 # The forward slashes used as directory separators on other systems
 # do not require escaping:
 # IGNORED_COMPILATIONS += bar/foo\.c
-#
-# For Java analyses, this option can be used to ignore any
-# combination of .class, .java, and Java archive files as described
-# in the Behavior section.
-
 # Parameter IGNORED_COMPILATION_COMMANDS
 #
@@ -3526,6 +3505,7 @@
 # WARNING_FILTER += discard class="Floating Point Domain Error"
 # WARNING_FILTER += discard class="Floating Point Range Error"
 # WARNING_FILTER += discard class="Format String Injection"
+# WARNING_FILTER += discard class="Format String Type Error"
 # WARNING_FILTER += discard class="Format String"
 # WARNING_FILTER += discard class="Free Non-Heap Variable"
 # WARNING_FILTER += discard class="Free Null Pointer"
@@ -3560,6 +3540,7 @@
 # WARNING_FILTER += discard class="Null Test After Dereference"
 # WARNING_FILTER += discard class="Overlapping Memory Regions"
 # WARNING_FILTER += discard class="Plaintext Storage of Password"
+# WARNING_FILTER += discard class="Plaintext Transmission of Password"
 # WARNING_FILTER += discard class="Pool Mismatch"
 # WARNING_FILTER += discard class="Raises FE_INVALID"
 # WARNING_FILTER += discard class="Redundant Condition"
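Review bot: The new Notes block for IGNORED_COMPILATIONS still does not say how the pattern is matched against the path, yet the surviving example in this hunk (`^.*foo\.c$`) is anchored while the one kept in the next hunk (`bar/foo\.c`) is not; since the Type line says this is a Boost POSIX extended regex, an unanchored pattern presumably matches as a search and would also drop `foobar/foo.c` or any deeper path containing that substring from analysis without any warning. Excluding compilations is a coverage-reducing setting, so silent over-matching is the failure mode a user most needs to be warned about. I would add after the `SYSTEM_INCLUDE_PATHS` sentence: `# Anchor patterns (e.g. ^.*/bar/foo\.c$); an unanchored pattern` / `# also excludes every other compilation whose path contains it.` Whether matching is a search or a whole-string match is not stated anywhere in the hunk, so confirm that before settling the wording.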
@@ -3568,6 +3549,7 @@
 # WARNING_FILTER += discard class="SQL Injection"
 # WARNING_FILTER += discard class="Shift Amount Exceeds Bit Width"
 # WARNING_FILTER += discard class="Tainted Buffer Access"
+# WARNING_FILTER += discard class="Tainted Environment Variable"
 # WARNING_FILTER += discard class="Try-lock that will never succeed"
 # WARNING_FILTER += discard class="Type Mismatch"
 # WARNING_FILTER += discard class="Type Overrun"
@@ -3585,6 +3567,7 @@
 # WARNING_FILTER += discard class="Use After Free"
 # WARNING_FILTER += discard class="Use of GetTempFileName"
 # WARNING_FILTER += discard class="Use of SO_REUSEADDR"
+# WARNING_FILTER += discard class="Use of Weak Cryptographic Algorithm"
 # WARNING_FILTER += discard class="Use of crypt"
 # WARNING_FILTER += discard class="Use of drem"
 # WARNING_FILTER += discard class="Use of gamma"
@@ -3599,262 +3582,189 @@
 # WARNING_FILTER += discard class="sqrt on Negative Value"
 #
 # (Java warning classes)
-# WARNING_FILTER += discard class="32 bit int shifted by an amount not in the range -31..31"
-# WARNING_FILTER += discard class="A collection is added to itself"
-# WARNING_FILTER += discard class="A known null value is checked to see if it is an instance of a type"
-# WARNING_FILTER += discard class="A parameter is dead upon entry to a method but overwritten"
-# WARNING_FILTER += discard class="A prepared statement is generated from a nonconstant String"
-# WARNING_FILTER += discard class="A thread was created using the default empty run method"
-# WARNING_FILTER += discard class="A volatile reference to an array doesn't treat the array elements as volatile"
-# WARNING_FILTER += discard class="Absolute path traversal in servlet"
-# WARNING_FILTER += discard class="An apparent infinite loop"
-# WARNING_FILTER += discard class="An apparent infinite recursive loop"
-# WARNING_FILTER += discard class="An increment to a volatile field isn't atomic"
-# WARNING_FILTER += discard class="Apparent method/constructor confusion"
-# WARNING_FILTER += discard class="Array formatted in useless way using format string"
-# WARNING_FILTER += discard class="Array index is out of bounds"
-# WARNING_FILTER += discard class="Array length is out of bounds"
-# WARNING_FILTER += discard class="Array offset is out of bounds"
-# WARNING_FILTER += discard class="Avoid Decimal Literals In Big Decimal Constructor"
-# WARNING_FILTER += discard class="Avoid Thread Group"
-# WARNING_FILTER += discard class="Bad attempt to compute absolute value of signed 32-bit hashcode"
-# WARNING_FILTER += discard class="Bad attempt to compute absolute value of signed random integer"
-# WARNING_FILTER += discard class="Bad comparison of int value with long constant"
-# WARNING_FILTER += discard class="Bad comparison of nonnegative value with negative constant or zero"
-# WARNING_FILTER += discard class="Bad comparison of signed byte"
-# WARNING_FILTER += discard class="Bad constant value for month"
-# WARNING_FILTER += discard class="Big Integer Instantiation"
-# WARNING_FILTER += discard class="BigDecimal constructed from double that isn't represented precisely"
-# WARNING_FILTER += discard class="Bitwise OR of signed byte value"
-# WARNING_FILTER += discard class="Bitwise add of signed byte value"
-# WARNING_FILTER += discard class="Boolean Instantiation"
-# WARNING_FILTER += discard class="Broken Null Check"
-# WARNING_FILTER += discard class="Call Super First"
-# WARNING_FILTER += discard class="Call Super Last"
-# WARNING_FILTER += discard class="Call to equals() comparing different interface types"
-# WARNING_FILTER += discard class="Call to equals() comparing different types"
-# WARNING_FILTER += discard class="Call to equals() comparing unrelated class and interface"
-# WARNING_FILTER += discard class="Call to equals(null)"
-# WARNING_FILTER += discard class="Call to static Calendar"
-# WARNING_FILTER += discard class="Call to static DateFormat"
-# WARNING_FILTER += discard class="Can't use reflection to check for presence of annotation without runtime retention"
-# WARNING_FILTER += discard class="Check Result Set"
-# WARNING_FILTER += discard class="Check Skip Result"
-# WARNING_FILTER += discard class="Check for sign of bitwise operation (high bit)"
-# WARNING_FILTER += discard class="Check to see if ((...) & 0) == 0"
-# WARNING_FILTER += discard class="Class Cast Exception With To Array"
-# WARNING_FILTER += discard class="Class defines equal(Object), should it be equals(Object)?"
-# WARNING_FILTER += discard class="Class defines field that masks a superclass field"
-# WARNING_FILTER += discard class="Class defines hashcode(), should it be hashCode()?"
-# WARNING_FILTER += discard class="Class defines tostring(), should it be toString()?"
-# WARNING_FILTER += discard class="Class overrides a method implemented in super class Adapter wrongly"
-# WARNING_FILTER += discard class="Class's readObject() method is synchronized"
-# WARNING_FILTER += discard class="Class's writeObject() method is synchronized but nothing else is"
-# WARNING_FILTER += discard class="Classloaders should only be created inside doPrivileged block"
-# WARNING_FILTER += discard class="Clone Method Must Be Public"
-# WARNING_FILTER += discard class="Clone Method Must Implement Cloneable (Clone-Implementation)"
-# WARNING_FILTER += discard class="Clone Method Return Type Must Match Class Name"
-# WARNING_FILTER += discard class="Clone Throws Clone Not Supported Exception"
-# WARNING_FILTER += discard class="Code checks for specific values returned by compareTo"
-# WARNING_FILTER += discard class="Collections should not contain themselves"
-# WARNING_FILTER += discard class="Comparing values with incompatible type qualifiers"
-# WARNING_FILTER += discard class="Condition.await() not in loop"
-# WARNING_FILTER += discard class="Constructor invokes Thread.start()"
-# WARNING_FILTER += discard class="Covariant equals() method defined for enum"
-# WARNING_FILTER += discard class="Covariant equals() method defined, Object.equals(Object) inherited"
-# WARNING_FILTER += discard class="Creation of ScheduledThreadPoolExecutor with zero core threads"
-# WARNING_FILTER += discard class="D'oh! A nonsensical method invocation"
-# WARNING_FILTER += discard class="Dead store due to switch statement fall through to throw"
-# WARNING_FILTER += discard class="Dead store due to switch statement fall through"
-# WARNING_FILTER += discard class="Dead store of class literal"
-# WARNING_FILTER += discard class="Deadly embrace of non-static inner class and thread local"
-# WARNING_FILTER += discard class="Do Not Hard Code SD Card"
-# WARNING_FILTER += discard class="Don't Call Thread Run"
-# WARNING_FILTER += discard class="Don't Use Float Type For Loop Indices"
-# WARNING_FILTER += discard class="Doomed attempt to append to an object output stream"
-# WARNING_FILTER += discard class="Doomed test for equality to NaN"
-# WARNING_FILTER += discard class="Double Checked Locking"
-# WARNING_FILTER += discard class="Double.longBitsToDouble invoked on an int"
-# WARNING_FILTER += discard class="Empty database password"
-# WARNING_FILTER += discard class="Empty synchronized block"
-# WARNING_FILTER += discard class="Enum field is public and mutable"
-# WARNING_FILTER += discard class="Exception created and dropped rather than thrown"
-# WARNING_FILTER += discard class="Field is a mutable Hashtable"
-# WARNING_FILTER += discard class="Field is a mutable array"
-# WARNING_FILTER += discard class="Field is a mutable collection which should be package protected"
-# WARNING_FILTER += discard class="Field is a mutable collection"
-# WARNING_FILTER += discard class="Field isn't final and can't be protected from malicious code"
-# WARNING_FILTER += discard class="Field isn't final but should be refactored to be so"
-# WARNING_FILTER += discard class="Field isn't final but should be"
-# WARNING_FILTER += discard class="Field not guarded against concurrent access"
-# WARNING_FILTER += discard class="Field only ever set to null"
-# WARNING_FILTER += discard class="Field should be both final and package protected"
-# WARNING_FILTER += discard class="Field should be moved out of an interface and made package protected"
-# WARNING_FILTER += discard class="Field should be package protected"
-# WARNING_FILTER += discard class="File.separator used for regular expression"
-# WARNING_FILTER += discard class="Finalizer should be protected, not public"
-# WARNING_FILTER += discard class="Format string placeholder incompatible with passed argument"
-# WARNING_FILTER += discard class="Format string references missing argument"
-# WARNING_FILTER += discard class="Futile attempt to change max pool size of ScheduledThreadPoolExecutor"
-# WARNING_FILTER += discard class="HTTP Response splitting vulnerability"
-# WARNING_FILTER += discard class="HTTP cookie formed from untrusted input"
-# WARNING_FILTER += discard class="Hardcoded constant database password"
-# WARNING_FILTER += discard class="Illegal format string"
-# WARNING_FILTER += discard class="Impossible cast"
-# WARNING_FILTER += discard class="Impossible downcast of toArray() result"
-# WARNING_FILTER += discard class="Impossible downcast"
-# WARNING_FILTER += discard class="Incompatible bitwise-and masks"
-# WARNING_FILTER += discard class="Incompatible bitwise-or masks"
-# WARNING_FILTER += discard class="Inconsistent synchronization"
-# WARNING_FILTER += discard class="Incorrect combination of Math.max and Math.min"
-# WARNING_FILTER += discard class="Incorrect lazy initialization and update of static field"
-# WARNING_FILTER += discard class="Incorrect lazy initialization of static field"
-# WARNING_FILTER += discard class="Integer multiply of result of integer remainder"
-# WARNING_FILTER += discard class="Integral value cast to double and then passed to Math.ceil"
-# WARNING_FILTER += discard class="Invalid syntax for regular expression"
-# WARNING_FILTER += discard class="Invocation of equals() on an array, which is equivalent to =="
-# WARNING_FILTER += discard class="Invocation of hashCode on an array"
-# WARNING_FILTER += discard class="Invocation of toString on an array"
-# WARNING_FILTER += discard class="Invocation of toString on an unnamed array"
-# WARNING_FILTER += discard class="Invokes run on a thread (did you mean to start it instead?)"
-# WARNING_FILTER += discard class="JSP reflected cross site scripting vulnerability"
-# WARNING_FILTER += discard class="JUnit assertion in run method will not be noticed by JUnit"
-# WARNING_FILTER += discard class="Jumbled Incrementer"
-# WARNING_FILTER += discard class="May expose internal representation by incorporating reference to mutable object"
-# WARNING_FILTER += discard class="May expose internal representation by returning reference to mutable object"
-# WARNING_FILTER += discard class="May expose internal static state by storing a mutable object into a static field"
-# WARNING_FILTER += discard class="MessageFormat supplied where printf style format expected"
-# WARNING_FILTER += discard class="Method assigns boolean literal in boolean expression"
-# WARNING_FILTER += discard class="Method attempts to access a prepared statement parameter with index 0"
-# WARNING_FILTER += discard class="Method attempts to access a result set field with index 0"
-# WARNING_FILTER += discard class="Method call passes null for non-null parameter (deref all)"
-# WARNING_FILTER += discard class="Method call passes null for non-null parameter"
-# WARNING_FILTER += discard class="Method call passes null to a non-null parameter"
-# WARNING_FILTER += discard class="Method calls Thread.sleep() with a lock held"
-# WARNING_FILTER += discard class="Method defines a variable that obscures a field"
-# WARNING_FILTER += discard class="Method does not check for null argument"
-# WARNING_FILTER += discard class="Method does not release lock on all exception paths"
-# WARNING_FILTER += discard class="Method does not release lock on all paths"
-# WARNING_FILTER += discard class="Method doesn't override method in superclass due to wrong package for parameter"
-# WARNING_FILTER += discard class="Method ignores return value"
-# WARNING_FILTER += discard class="Method invoked that should be only be invoked inside a doPrivileged block"
-# WARNING_FILTER += discard class="Method may return null, but is declared @Nonnull"
-# WARNING_FILTER += discard class="Method must be private in order for serialization to work"
-# WARNING_FILTER += discard class="Method relaxes nullness annotation on return value"
-# WARNING_FILTER += discard class="Method spins on field"
-# WARNING_FILTER += discard class="Method synchronizes on an updated field"
-# WARNING_FILTER += discard class="Method tightens nullness annotation on parameter"
-# WARNING_FILTER += discard class="Method with Optional return type returns explicit null"
-# WARNING_FILTER += discard class="Mismatched notify()"
-# WARNING_FILTER += discard class="Mismatched wait()"
-# WARNING_FILTER += discard class="Misplaced Null Check"
-# WARNING_FILTER += discard class="Monitor wait() called on Condition"
-# WARNING_FILTER += discard class="More arguments are passed than are actually used in the format string"
-# WARNING_FILTER += discard class="Mutable servlet field"
-# WARNING_FILTER += discard class="Naked notify"
-# WARNING_FILTER += discard class="No previous argument for format string"
-# WARNING_FILTER += discard class="No relationship between generic parameter and method argument"
-# WARNING_FILTER += discard class="Non-null field is not initialized"
-# WARNING_FILTER += discard class="Non-virtual method call passes null for non-null parameter"
-# WARNING_FILTER += discard class="Nonconstant string passed to execute or addBatch method on an SQL statement"
-# WARNING_FILTER += discard class="Nonsensical self computation involving a field (e.g., x & x)"
-# WARNING_FILTER += discard class="Nonsensical self computation involving a variable (e.g., x & x)"
-# WARNING_FILTER += discard class="Null pointer dereference in method on exception path"
-# WARNING_FILTER += discard class="Null pointer dereference"
-# WARNING_FILTER += discard class="Null value is guaranteed to be dereferenced"
-# WARNING_FILTER += discard class="Nullcheck of value previously dereferenced"
-# WARNING_FILTER += discard class="Override Both Equals And Hashcode"
-# WARNING_FILTER += discard class="Overwritten increment"
-# WARNING_FILTER += discard class="Possible bad parsing of shift operation"
-# WARNING_FILTER += discard class="Possible double check of field"
-# WARNING_FILTER += discard class="Possible exposure of partially initialized object"
-# WARNING_FILTER += discard class="Possible null pointer dereference in method on exception path"
-# WARNING_FILTER += discard class="Possible null pointer dereference"
-# WARNING_FILTER += discard class="Possibly incompatible element is stored in covariant array"
-# WARNING_FILTER += discard class="Primitive array passed to function expecting a variable number of object arguments"
-# WARNING_FILTER += discard class="Proper Clone Implementation"
-# WARNING_FILTER += discard class="Public enum method unconditionally sets its field"
-# WARNING_FILTER += discard class="Public static method may expose internal representation by returning array"
-# WARNING_FILTER += discard class="Random value from 0 to 1 is coerced to the integer 0"
-# WARNING_FILTER += discard class="Read of unwritten field"
-# WARNING_FILTER += discard class="Relative path traversal in servlet"
-# WARNING_FILTER += discard class="Repeated conditional tests"
-# WARNING_FILTER += discard class="Return From Finally Block"
-# WARNING_FILTER += discard class="Return value of putIfAbsent ignored, value passed to putIfAbsent reused"
-# WARNING_FILTER += discard class="Reversed method arguments"
-# WARNING_FILTER += discard class="Self assignment of field"
-# WARNING_FILTER += discard class="Self assignment of local rather than assignment to field"
-# WARNING_FILTER += discard class="Self comparison of field with itself"
-# WARNING_FILTER += discard class="Self comparison of value with itself"
-# WARNING_FILTER += discard class="Sequence of calls to concurrent abstraction may not be atomic"
-# WARNING_FILTER += discard class="Servlet reflected cross site scripting vulnerability in error page"
-# WARNING_FILTER += discard class="Servlet reflected cross site scripting vulnerability"
-# WARNING_FILTER += discard class="Signature declares use of unhashable class in hashed construct"
-# WARNING_FILTER += discard class="Static Calendar field"
-# WARNING_FILTER += discard class="Static DateFormat"
-# WARNING_FILTER += discard class="Static Thread.interrupted() method invoked on thread instance"
-# WARNING_FILTER += discard class="Store of null value into field annotated @Nonnull"
-# WARNING_FILTER += discard class="String index is out of bounds"
-# WARNING_FILTER += discard class="Suspicious reference comparison"
-# WARNING_FILTER += discard class="Synchronization on Boolean"
-# WARNING_FILTER += discard class="Synchronization on boxed primitive values"
-# WARNING_FILTER += discard class="Synchronization on boxed primitive"
-# WARNING_FILTER += discard class="Synchronization on field in futile attempt to guard that field"
-# WARNING_FILTER += discard class="Synchronization on getClass rather than class literal"
-# WARNING_FILTER += discard class="Synchronization on interned String"
-# WARNING_FILTER += discard class="Synchronization performed on Lock"
-# WARNING_FILTER += discard class="Synchronization performed on util.concurrent instance"
-# WARNING_FILTER += discard class="Synchronize and null check on the same field."
-# WARNING_FILTER += discard class="TestCase declares a bad suite method"
-# WARNING_FILTER += discard class="TestCase defines setUp that doesn't call super.setUp()"
-# WARNING_FILTER += discard class="TestCase defines tearDown that doesn't call super.tearDown()"
-# WARNING_FILTER += discard class="TestCase has no tests"
-# WARNING_FILTER += discard class="TestCase implements a non-static suite method"
-# WARNING_FILTER += discard class="The readResolve method must not be declared as a static method."
-# WARNING_FILTER += discard class="The type of a supplied argument doesn't match format specifier"
-# WARNING_FILTER += discard class="Uncallable method defined in anonymous class"
-# WARNING_FILTER += discard class="Unconditional If Statement"
-# WARNING_FILTER += discard class="Unconditional wait"
-# WARNING_FILTER += discard class="Uninitialized read of field in constructor"
-# WARNING_FILTER += discard class="Uninitialized read of field method called from constructor of superclass"
-# WARNING_FILTER += discard class="Unnecessary type check done using instanceof operator"
-# WARNING_FILTER += discard class="Unneeded use of currentThread() call, to call interrupted()"
-# WARNING_FILTER += discard class="Unsynchronized get method, synchronized set method"
-# WARNING_FILTER += discard class="Unwritten field"
-# WARNING_FILTER += discard class="Use of class without a hashCode() method in a hashed data structure"
-# WARNING_FILTER += discard class="Useless increment in return statement"
-# WARNING_FILTER += discard class="Useless non-empty void method"
-# WARNING_FILTER += discard class="Useless object created on stack"
-# WARNING_FILTER += discard class="Useless object created"
-# WARNING_FILTER += discard class="Useless/vacuous call to EasyMock method"
-# WARNING_FILTER += discard class="Using monitor style wait methods on util.concurrent abstraction"
-# WARNING_FILTER += discard class="Using notify() rather than notifyAll()"
-# WARNING_FILTER += discard class="Using pointer equality to compare different types"
-# WARNING_FILTER += discard class="Vacuous call to collections"
-# WARNING_FILTER += discard class="Value annotated as carrying a type qualifier used where a value that must not carry that qualifier is required"
-# WARNING_FILTER += discard class="Value annotated as never carrying a type qualifier used where value carrying that qualifier is required"
-# WARNING_FILTER += discard class="Value is null and guaranteed to be dereferenced on exception path"
-# WARNING_FILTER += discard class="Value that might carry a type qualifier is always used in a way prohibits it from having that type qualifier"
-# WARNING_FILTER += discard class="Value that might not carry a type qualifier is always used in a way requires that type qualifier"
-# WARNING_FILTER += discard class="Value without a type qualifier used where a value is required to have that qualifier"
-# WARNING_FILTER += discard class="Very confusing method names"
-# WARNING_FILTER += discard class="Wait not in loop"
-# WARNING_FILTER += discard class="Wait with two locks held"
-# WARNING_FILTER += discard class="\".\" or \"|\" used for regular expression"
-# WARNING_FILTER += discard class="close() invoked on a value that is always null"
-# WARNING_FILTER += discard class="compareTo()/compare() incorrectly handles float or double value"
-# WARNING_FILTER += discard class="equals method always returns false"
-# WARNING_FILTER += discard class="equals method always returns true"
-# WARNING_FILTER += discard class="equals method compares class names rather than class objects"
-# WARNING_FILTER += discard class="equals method overrides equals in superclass and may not be symmetric"
-# WARNING_FILTER += discard class="equals() method defined that doesn't override Object.equals(Object)"
-# WARNING_FILTER += discard class="equals() method defined that doesn't override equals(Object)"
-# WARNING_FILTER += discard class="equals() used to compare array and nonarray"
-# WARNING_FILTER += discard class="equals(...) used to compare incompatible arrays"
-# WARNING_FILTER += discard class="hasNext method invokes next"
-# WARNING_FILTER += discard class="instanceof will always return false"
-# WARNING_FILTER += discard class="int value cast to float and then passed to Math.round"
-# WARNING_FILTER += discard class="int value converted to long and used as absolute time"
+# WARNING_FILTER += discard class="== Always Fails (Java)"
+# WARNING_FILTER += discard class="== Always Fails Because Types Always Different (Java)"
+# WARNING_FILTER += discard class="Abs on random (Java)"
+# WARNING_FILTER += discard class="Accessing File in Permissive Mode (Java)"
+# WARNING_FILTER += discard class="Ambiguous Call from Inner Class (Java)"
+# WARNING_FILTER += discard class="Android Leak (Java)"
+# WARNING_FILTER += discard class="Anonymous LDAP Authentication (Java)"
+# WARNING_FILTER += discard class="Approximate e Constant (Java)"
+# WARNING_FILTER += discard class="Approximate pi Constant (Java)"
+# WARNING_FILTER += discard class="Array Parameter Empty (Java)"
+# WARNING_FILTER += discard class="Assertion Contains Side Effects (Java)"
+# WARNING_FILTER += discard class="Assignment in Conditional (Java)"
+# WARNING_FILTER += discard class="Asymmetric compareTo (Java)"
+# WARNING_FILTER += discard class="Bitwise AND on Boolean (Java)"
+# WARNING_FILTER += discard class="Bitwise AND on Boolean Constant (Java)"
+# WARNING_FILTER += discard class="Bitwise OR on Boolean (Java)"
+# WARNING_FILTER += discard class="Bitwise OR on Boolean Constant (Java)"
+# WARNING_FILTER += discard class="Blocking in Critical Section (Java)"
+# WARNING_FILTER += discard class="Broad Throws Clause (Java)"
+# WARNING_FILTER += discard class="Call Might Return Null (Java)"
+# WARNING_FILTER += discard class="Cast: Integer to Floating Point (Java)"
+# WARNING_FILTER += discard class="Cast: int Computation to long (Java)"
+# WARNING_FILTER += discard class="Class Enables Debug Features (Java)"
+# WARNING_FILTER += discard class="Closeable Not Closed (Java)"
+# WARNING_FILTER += discard class="Closeable Not Stored (Java)"
+# WARNING_FILTER += discard class="Code Injection (Java)"
+# WARNING_FILTER += discard class="Command Injection (Java)"
+# WARNING_FILTER += discard class="Comparison to Empty String (Java)"
+# WARNING_FILTER += discard class="Cross Site Scripting (Java)"
+# WARNING_FILTER += discard class="Cryptographic Algorithm with Risky Default Cipher (Java)"
+# WARNING_FILTER += discard class="Cryptographic Algorithm with Weak Cipher (Java)"
+# WARNING_FILTER += discard class="Cryptographic Algorithm with Weak Hash (Java)"
+# WARNING_FILTER += discard class="DLL Injection (Java)"
+# WARNING_FILTER += discard class="DOS Injection (Java)"
+# WARNING_FILTER += discard class="Debug Call (Java)"
+# WARNING_FILTER += discard class="Debug Warning (Java)"
+# WARNING_FILTER += discard class="Defines equals but not hashCode (Java)"
+# WARNING_FILTER += discard class="Defines hashCode but not equals (Java)"
+# WARNING_FILTER += discard class="Deprecated Cryptography Provider (Java)"
+# WARNING_FILTER += discard class="Double-Checked Locking (Java)"
+# WARNING_FILTER += discard class="Empty Branch Statement (Java)"
+# WARNING_FILTER += discard class="Empty Exception Handler (Java)"
+# WARNING_FILTER += discard class="Empty jar File Archived (Java)"
+# WARNING_FILTER += discard class="Empty zip File Archived (Java)"
+# WARNING_FILTER += discard class="Exception Information Disclosure (Java)"
+# WARNING_FILTER += discard class="Field Never Read (Java)"
+# WARNING_FILTER += discard class="Field Never Written (Java)"
+# WARNING_FILTER += discard class="Floating Point Equality (Java)"
+# WARNING_FILTER += discard class="Fragment Injection (Java)"
+# WARNING_FILTER += discard class="Generic Exception Handler (Java)"
+# WARNING_FILTER += discard class="Hardcoded Filename (Java)"
+# WARNING_FILTER += discard class="Hardcoded Password (Java)"
+# WARNING_FILTER += discard class="Hardcoded Random Seed (Java)"
+# WARNING_FILTER += discard class="Hostname in Condition (Java)"
+# WARNING_FILTER += discard class="Ignored Return Value (Java)"
+# WARNING_FILTER += discard class="Ignored Return Value for Pure Function (Java)"
+# WARNING_FILTER += discard class="Impossible Client Side Locking (Java)"
+# WARNING_FILTER += discard class="Inappropriate Exception Handler (Java)"
+# WARNING_FILTER += discard class="Inappropriate Instanceof (Java)"
+# WARNING_FILTER += discard class="Ineffective Cleansing of Fragment Taint (Java)"
+# WARNING_FILTER += discard class="Inefficient Bitwise AND (Java)"
+# WARNING_FILTER += discard class="Inefficient Bitwise OR (Java)"
+# WARNING_FILTER += discard class="Inefficient Box-Unbox (Java)"
+# WARNING_FILTER += discard class="Inefficient Instantiation (Java)"
+# WARNING_FILTER += discard class="Inner Class Should be Static (Java)"
+# WARNING_FILTER += discard class="Insecure Cookie (Java)"
+# WARNING_FILTER += discard class="Insecure Key Derivation (Java)"
+# WARNING_FILTER += discard class="Insecure Random Number Generator (Java)"
+# WARNING_FILTER += discard class="Insecure Socket Factory (Java)"
+# WARNING_FILTER += discard class="Insecure XSLT Execution (Java)"
+# WARNING_FILTER += discard class="Insecure verifier Override for Hostname (Java)"
+# WARNING_FILTER += discard class="Insecure verify Override for Certificate (Java)"
+# WARNING_FILTER += discard class="Instanceof Always False (Java)"
+# WARNING_FILTER += discard class="Instanceof Always True (Java)"
+# WARNING_FILTER += discard class="JavaScript Enabled (Java)"
+# WARNING_FILTER += discard class="JavaScript File Access from File URLs (Java)"
+# WARNING_FILTER += discard class="LDAP Authentication Disabled (Java)"
+# WARNING_FILTER += discard class="Lambda Parameter may be null (Java)"
+# WARNING_FILTER += discard class="Method Enables Debug Features (Java)"
+# WARNING_FILTER += discard class="Method Names Differ Only in Case (Java)"
+# 
WARNING_FILTER += discard class="Method Should Not Return null (Java)" +# WARNING_FILTER += discard class="Missing Authentication Annotation (Java)" +# WARNING_FILTER += discard class="Missing Call to super (Java)" +# WARNING_FILTER += discard class="Missing Equals Override (Java)" +# WARNING_FILTER += discard class="Missing JavaScript Entry Point (Java)" +# WARNING_FILTER += discard class="Missing JavaScript Execution (Java)" +# WARNING_FILTER += discard class="Missing Serial Version Field (Java)" +# WARNING_FILTER += discard class="Missing isValidFragment Override (Java)" +# WARNING_FILTER += discard class="Mutable Enumeration (Java)" +# WARNING_FILTER += discard class="Non-Object compareTo Parameter (Java)" +# WARNING_FILTER += discard class="Non-overriding Method Signature (Java)" +# WARNING_FILTER += discard class="Nonserializable Field (Java)" +# WARNING_FILTER += discard class="Nonserializable Field Element (Java)" +# WARNING_FILTER += discard class="Nonserializable Outer Class (Java)" +# WARNING_FILTER += discard class="Null Parameter Dereference (Java)" +# WARNING_FILTER += discard class="Null Pointer Dereference (Java)" +# WARNING_FILTER += discard class="Password in Property File (Java)" +# WARNING_FILTER += discard class="Permissive File Mode (Java)" +# WARNING_FILTER += discard class="Possible XML External Entity Reference (Java)" +# WARNING_FILTER += discard class="Potential Infinite Recursion (Java)" +# WARNING_FILTER += discard class="Potential LDAP Poisoning (Java)" +# WARNING_FILTER += discard class="Redundant Call for Integral Argument (Java)" +# WARNING_FILTER += discard class="Redundant Call for String Argument (Java)" +# WARNING_FILTER += discard class="Redundant Condition (Java)" +# WARNING_FILTER += discard class="Redundant Implements Clause (Java)" +# WARNING_FILTER += discard class="Reflection Bypasses Member Accessibility (Java)" +# WARNING_FILTER += discard class="Reflection Injection (Java)" +# WARNING_FILTER += discard 
class="Reflection Modifies Member Accessibility (Java)" +# WARNING_FILTER += discard class="Return null Array (Java)" +# WARNING_FILTER += discard class="Return null Boolean (Java)" +# WARNING_FILTER += discard class="Return null Optional (Java)" +# WARNING_FILTER += discard class="Risky Cipher Algorithm (Java)" +# WARNING_FILTER += discard class="Risky Cipher Field (Java)" +# WARNING_FILTER += discard class="Risky Class Cast (Java)" +# WARNING_FILTER += discard class="Risky Cryptographic Algorithm (Java)" +# WARNING_FILTER += discard class="Risky Cryptographic Field (Java)" +# WARNING_FILTER += discard class="Risky JavaScript Interface (Java)" +# WARNING_FILTER += discard class="Risky array store (Java)" +# WARNING_FILTER += discard class="SQL Injection (Java)" +# WARNING_FILTER += discard class="Shadowed Identifier (Java)" +# WARNING_FILTER += discard class="Should Use == Instead of equals() (Java)" +# WARNING_FILTER += discard class="Should Use equals() Instead of == (Java)" +# WARNING_FILTER += discard class="Single-use Random Number Generator (Java)" +# WARNING_FILTER += discard class="Static Field Assigned Non-Static (Java)" +# WARNING_FILTER += discard class="Synchronization on Interned String (Java)" +# WARNING_FILTER += discard class="Synchronization on static (Java)" +# WARNING_FILTER += discard class="Synchronous Call to Thread Body (Java)" +# WARNING_FILTER += discard class="Tainted @Trusted Value (Java)" +# WARNING_FILTER += discard class="Tainted Bundle (Java)" +# WARNING_FILTER += discard class="Tainted Control (Java)" +# WARNING_FILTER += discard class="Tainted Data in Vulnerable Method (Java)" +# WARNING_FILTER += discard class="Tainted Expression Evaluation (Java)" +# WARNING_FILTER += discard class="Tainted HTTP Response (Java)" +# WARNING_FILTER += discard class="Tainted Hardware Device Property (Java)" +# WARNING_FILTER += discard class="Tainted LDAP Attribute (Java)" +# WARNING_FILTER += discard class="Tainted LDAP Filter (Java)" +# 
WARNING_FILTER += discard class="Tainted Log (Java)" +# WARNING_FILTER += discard class="Tainted Message (Java)" +# WARNING_FILTER += discard class="Tainted Network Address (Java)" +# WARNING_FILTER += discard class="Tainted Path (Java)" +# WARNING_FILTER += discard class="Tainted Regular Expression (Java)" +# WARNING_FILTER += discard class="Tainted Resource (Java)" +# WARNING_FILTER += discard class="Tainted Session (Java)" +# WARNING_FILTER += discard class="Tainted URL (Java)" +# WARNING_FILTER += discard class="Tainted XAML (Java)" +# WARNING_FILTER += discard class="Tainted XML (Java)" +# WARNING_FILTER += discard class="Tainted Xpath (Java)" +# WARNING_FILTER += discard class="Unchecked Parameter Dereference (Java)" +# WARNING_FILTER += discard class="Unexpected Serial Version Field (Java)" +# WARNING_FILTER += discard class="Universal JavaScript Access to File URLs (Java)" +# WARNING_FILTER += discard class="Unnecessary Field (Java)" +# WARNING_FILTER += discard class="Unnecessary Instantiation for GetClass (Java)" +# WARNING_FILTER += discard class="Unreachable Instruction (Java)" +# WARNING_FILTER += discard class="Unsafe Base64 Encoding (Java)" +# WARNING_FILTER += discard class="Untrusted Network Host (Java)" +# WARNING_FILTER += discard class="Unused Class (Java)" +# WARNING_FILTER += discard class="Unused Field (Java)" +# WARNING_FILTER += discard class="Unused Method (Java)" +# WARNING_FILTER += discard class="Unused Object (Java)" +# WARNING_FILTER += discard class="Unused Value: Actual Parameter (Java)" +# WARNING_FILTER += discard class="Unused Value: Variable (Java)" +# WARNING_FILTER += discard class="Unused Value: Write to Parameter (Java)" +# WARNING_FILTER += discard class="Use of Hardware ID (Java)" +# WARNING_FILTER += discard class="Use of Insecure verify for Certificate (Java)" +# WARNING_FILTER += discard class="Use of Insecure verify for Hostname (Java)" +# WARNING_FILTER += discard class="Useless Assignment (Java)" +# WARNING_FILTER += 
discard class="Useless Assignment to Default (Java)" +# WARNING_FILTER += discard class="Useless Class Cast (Java)" +# WARNING_FILTER += discard class="Useless Synchronization (Java)" +# WARNING_FILTER += discard class="Useless volatile Modifier (Java)" +# WARNING_FILTER += discard class="Weak Cryptographic Value (Java)" +# WARNING_FILTER += discard class="Weak Hash Algorithm (Java)" +# WARNING_FILTER += discard class="Weak Hash Algorithm Field (Java)" +# WARNING_FILTER += discard class="clone Non-cloneable (Java)" +# WARNING_FILTER += discard class="clone Subclass of Non-clonable (Java)" +# WARNING_FILTER += discard class="clone not final (Java)" +# WARNING_FILTER += discard class="compareTo in Non-Comparable Class (Java)" +# WARNING_FILTER += discard class="compareTo without equals (Java)" +# WARNING_FILTER += discard class="compareTo/equals mismatch (Java)" +# WARNING_FILTER += discard class="equals Always Fails (Java)" +# WARNING_FILTER += discard class="equals Parameter Should Be Object (Java)" +# WARNING_FILTER += discard class="equals on Array (Java)" +# WARNING_FILTER += discard class="toString on Array (Java)" # # The following checks are disabled by default. To enable checks # for a particular class, use the corresponding "allow" rule. @@ -4115,6 +4025,7 @@ # WARNING_FILTER += allow class="Use of ShellExecute" # WARNING_FILTER += allow class="Use of StrCatChainW" # WARNING_FILTER += allow class="Use of WinExec" +# WARNING_FILTER += allow class="Use of XML_ExternalEntityParserCreate" # WARNING_FILTER += allow class="Use of _exec" # WARNING_FILTER += allow class="Use of _spawn" # WARNING_FILTER += allow class="Use of abort" 
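Review bot: The new `allow` rule for "Use of XML_ExternalEntityParserCreate" is placed in the block the template itself describes as "disabled by default", so an installation that has already tuned its WARNING_FILTER rules will not get this check unless someone notices the new line and uncomments it. A short comment next to the added line would make the opt-in visible, e.g. `# (added in this template version; disabled by default like the rest of this block)`. Ordering relative to the neighbouring "Use of WinExec" and "Use of _exec" lines is consistent with the surrounding ASCII sort, so no change is needed there.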
@@ -4177,474 +4088,45 @@
 # WARNING_FILTER += allow class="chroot without chdir"
 #
 # (Java warning classes)
-# WARNING_FILTER += allow class="Abstract Class Without Abstract Method"
-# WARNING_FILTER += allow class="Abstract Class Without Any Method"
-# WARNING_FILTER += allow class="Abstract Naming"
-# WARNING_FILTER += allow class="Abstract class defines covariant compareTo() method"
-# WARNING_FILTER += allow class="Abstract class defines covariant equals() method"
-# WARNING_FILTER += allow class="Accessor Class Generation"
-# WARNING_FILTER += allow class="Add Empty String"
-# WARNING_FILTER += allow class="Adding elements of an entry set may fail due to reuse of Entry objects"
-# WARNING_FILTER += allow class="Append Character With Char"
-# WARNING_FILTER += allow class="Array Is Stored Directly"
-# WARNING_FILTER += allow class="Assignment In Operand"
-# WARNING_FILTER += allow class="Assignment To Non Final Static"
-# WARNING_FILTER += allow class="At Least One Constructor"
-# WARNING_FILTER += allow class="Avoid Accessibility Alteration"
-# WARNING_FILTER += allow class="Avoid Array Loops"
-# WARNING_FILTER += allow class="Avoid Assert As Identifier"
-# WARNING_FILTER += allow class="Avoid Branching Statement As Last In Loop"
-# WARNING_FILTER += allow class="Avoid Calling Finalize"
-# WARNING_FILTER += allow class="Avoid Catching Generic Exception"
-# WARNING_FILTER += allow class="Avoid Catching NPE"
-# WARNING_FILTER += allow class="Avoid Catching Throwable"
-# WARNING_FILTER += allow class="Avoid Constants Interface"
-# WARNING_FILTER += allow class="Avoid Deeply Nested If Stmts"
-# WARNING_FILTER += allow class="Avoid Dollar Signs"
-# WARNING_FILTER += allow class="Avoid Duplicate Literals"
-# WARNING_FILTER += allow class="Avoid Enum As Identifier"
-# WARNING_FILTER += allow class="Avoid Field Name Matching Method Name"
-# WARNING_FILTER += allow class="Avoid Field Name Matching Type Name"
-# WARNING_FILTER += allow class="Avoid Final Local Variable"
-# WARNING_FILTER += allow class="Avoid Instanceof Checks In Catch Clause"
-# WARNING_FILTER += allow class="Avoid Instantiating Objects In Loops"
-# WARNING_FILTER += allow class="Avoid Literals In If Condition"
-# WARNING_FILTER += allow class="Avoid Losing Exception Information"
-# WARNING_FILTER += allow class="Avoid Multiple Unary Operators"
-# WARNING_FILTER += allow class="Avoid Prefixing Method Parameters"
-# WARNING_FILTER += allow class="Avoid Protected Field In Final Class"
-# WARNING_FILTER += allow class="Avoid Protected Method In Final Class Not Extending"
-# WARNING_FILTER += allow class="Avoid Reassigning Parameters"
-# WARNING_FILTER += allow class="Avoid Rethrowing Exception"
-# WARNING_FILTER += allow class="Avoid String Buffer Field"
-# WARNING_FILTER += allow class="Avoid Synchronized At Method Level"
-# WARNING_FILTER += allow class="Avoid Throwing New Instance Of Same Exception"
-# WARNING_FILTER += allow class="Avoid Throwing Null Pointer Exception"
-# WARNING_FILTER += allow class="Avoid Throwing Raw Exception Types"
-# WARNING_FILTER += allow class="Avoid Using Hard Coded IP"
-# WARNING_FILTER += allow class="Avoid Using Native Code"
-# WARNING_FILTER += allow class="Avoid Using Octal Values"
-# WARNING_FILTER += allow class="Avoid Using Short Type"
-# WARNING_FILTER += allow class="Avoid Using Volatile"
-# WARNING_FILTER += allow class="Avoid printStackTrace"
-# WARNING_FILTER += allow class="Bad Comparison"
-# WARNING_FILTER += allow class="Bean Members Should Serialize"
-# WARNING_FILTER += allow class="Boolean Get Method Name"
-# WARNING_FILTER += allow class="Boolean Inversion"
-# WARNING_FILTER += allow class="Boxed value is unboxed and then immediately reboxed"
-# WARNING_FILTER += allow class="Boxing a primitive to compare"
-# WARNING_FILTER += allow class="Boxing/unboxing to parse a primitive"
-# WARNING_FILTER += allow class="Byte Instantiation"
-# WARNING_FILTER += allow class="Call Super In Constructor"
-# WARNING_FILTER += allow class="Certain swing methods needs to be invoked in Swing thread"
-# WARNING_FILTER += allow class="Check for oddness that won't work for negative numbers"
-# WARNING_FILTER += allow class="Check for sign of bitwise operation"
-# WARNING_FILTER += allow class="Class Naming Conventions"
-# WARNING_FILTER += allow class="Class With Only Private Constructors Should Be Final"
-# WARNING_FILTER += allow class="Class defines clone() but doesn't implement Cloneable"
-# WARNING_FILTER += allow class="Class defines compareTo(...) and uses Object.equals()"
-# WARNING_FILTER += allow class="Class defines equals() and uses Object.hashCode()"
-# WARNING_FILTER += allow class="Class defines equals() but not hashCode()"
-# WARNING_FILTER += allow class="Class defines hashCode() and uses Object.equals()"
-# WARNING_FILTER += allow class="Class defines hashCode() but not equals()"
-# WARNING_FILTER += allow class="Class doesn't override equals in superclass"
-# WARNING_FILTER += allow class="Class extends Servlet class and uses instance variables"
-# WARNING_FILTER += allow class="Class extends Struts Action class and uses instance variables"
-# WARNING_FILTER += allow class="Class implements Cloneable but does not define or use clone method"
-# WARNING_FILTER += allow class="Class implements same interface as superclass"
-# WARNING_FILTER += allow class="Class inherits equals() and uses Object.hashCode()"
-# WARNING_FILTER += allow class="Class is Externalizable but doesn't define a void constructor"
-# WARNING_FILTER += allow class="Class is Serializable but its superclass doesn't define a void constructor"
-# WARNING_FILTER += allow class="Class is Serializable, but doesn't define serialVersionUID"
-# WARNING_FILTER += allow class="Class is final but declares protected field"
-# WARNING_FILTER += allow class="Class is not derived from an Exception, even though it is named as such"
-# WARNING_FILTER += allow class="Class names should start with an upper case letter"
-# WARNING_FILTER += allow class="Class names shouldn't shadow simple name of implemented interface"
-# WARNING_FILTER += allow class="Class names shouldn't shadow simple name of superclass"
-# WARNING_FILTER += allow class="Clone Method Must Implement Cloneable"
-# WARNING_FILTER += allow class="Clone method may return null"
-# WARNING_FILTER += allow class="Close Resource"
-# WARNING_FILTER += allow class="Code contains a hard coded reference to an absolute pathname"
-# WARNING_FILTER += allow class="Collapsible If Statements"
-# WARNING_FILTER += allow class="Comment Content"
-# WARNING_FILTER += allow class="Comment Default Access Modifier"
-# WARNING_FILTER += allow class="Comment Required"
-# WARNING_FILTER += allow class="Comment Size"
-# WARNING_FILTER += allow class="Comparator doesn't implement Serializable"
-# WARNING_FILTER += allow class="Compare Objects With Equals"
-# WARNING_FILTER += allow class="Comparison of String objects using == or !="
-# WARNING_FILTER += allow class="Comparison of String parameter using == or !="
-# WARNING_FILTER += allow class="Complicated, subtle or wrong increment in for-loop"
-# WARNING_FILTER += allow class="Computation of average could overflow"
-# WARNING_FILTER += allow class="Condition has no effect due to the variable type"
-# WARNING_FILTER += allow class="Condition has no effect"
-# WARNING_FILTER += allow class="Confusing Ternary"
-# WARNING_FILTER += allow class="Confusing method names"
-# WARNING_FILTER += allow class="Consecutive Appends Should Reuse"
-# WARNING_FILTER += allow class="Consecutive Literal Appends"
-# WARNING_FILTER += allow class="Consider returning a zero length array rather than null"
-# WARNING_FILTER += allow class="Consider using Locale parameterized version of invoked method"
-# WARNING_FILTER += allow class="Constructor Calls Overridable Method"
-# WARNING_FILTER += allow class="Could be refactored into a named static inner class"
-# WARNING_FILTER += allow class="Could be refactored into a static inner class"
-# WARNING_FILTER += allow class="Coupling Between Objects"
-# WARNING_FILTER += allow class="Covariant array assignment to a field"
-# WARNING_FILTER += allow class="Covariant array assignment to a local variable"
-# WARNING_FILTER += allow class="Covariant array is returned from the method"
-# WARNING_FILTER += allow class="Covariant compareTo() method defined"
-# WARNING_FILTER += allow class="Covariant equals() method defined"
-# WARNING_FILTER += allow class="Creates an empty jar file entry"
-# WARNING_FILTER += allow class="Creates an empty zip file entry"
-# WARNING_FILTER += allow class="Cyclomatic Complexity"
-# WARNING_FILTER += allow class="Dataflow Anomaly Analysis"
-# WARNING_FILTER += allow class="Dead store of null to local variable"
-# WARNING_FILTER += allow class="Dead store to local variable that shadows field"
-# WARNING_FILTER += allow class="Dead store to local variable"
-# WARNING_FILTER += allow class="Default Label Not Last In Switch Stmt"
-# WARNING_FILTER += allow class="Default Package"
-# WARNING_FILTER += allow class="Dereference of the result of readLine() without nullcheck"
-# WARNING_FILTER += allow class="Do Not Call Garbage Collection Explicitly"
-# WARNING_FILTER += allow class="Do Not Call System Exit"
-# WARNING_FILTER += allow class="Do Not Extend Java Lang Error"
-# WARNING_FILTER += allow class="Do Not Throw Exception In Finally"
-# WARNING_FILTER += allow class="Do Not Use Threads"
-# WARNING_FILTER += allow class="Don't Import Java Lang"
-# WARNING_FILTER += allow class="Don't Import Sun"
-# WARNING_FILTER += allow class="Don't reuse entry objects in iterators"
-# WARNING_FILTER += allow class="Don't use removeAll to clear a collection"
-# WARNING_FILTER += allow class="Double assignment of field"
-# WARNING_FILTER += allow class="Double assignment of local variable"
-# WARNING_FILTER += allow class="Dubious catching of IllegalMonitorStateException"
-# WARNING_FILTER += allow class="Duplicate Imports"
-# WARNING_FILTER += allow class="Empty Catch Block"
-# WARNING_FILTER += allow class="Empty Finalizer"
-# WARNING_FILTER += allow class="Empty Finally Block"
-# WARNING_FILTER += allow class="Empty If Stmt"
-# WARNING_FILTER += allow class="Empty Initializer"
-# WARNING_FILTER += allow class="Empty Method In Abstract Class Should Be Abstract"
-# WARNING_FILTER += allow class="Empty Statement Block"
-# WARNING_FILTER += allow class="Empty Statement Not In Loop"
-# WARNING_FILTER += allow class="Empty Static Initializer"
-# WARNING_FILTER += allow class="Empty Switch Statements"
-# WARNING_FILTER += allow class="Empty Synchronized Block"
-# WARNING_FILTER += allow class="Empty Try Block"
-# WARNING_FILTER += allow class="Empty While Stmt"
-# WARNING_FILTER += allow class="Empty finalizer should be deleted"
-# WARNING_FILTER += allow class="Equals Null"
-# WARNING_FILTER += allow class="Equals checks for incompatible operand"
-# WARNING_FILTER += allow class="Equals method should not assume anything about the type of its argument"
-# WARNING_FILTER += allow class="Exception As Flow Control"
-# WARNING_FILTER += allow class="Exception is caught when Exception is not thrown"
-# WARNING_FILTER += allow class="Excessive Class Length"
-# WARNING_FILTER += allow class="Excessive Imports"
-# WARNING_FILTER += allow class="Excessive Method Length"
-# WARNING_FILTER += allow class="Excessive Parameter List"
-# WARNING_FILTER += allow class="Excessive Public Count"
-# WARNING_FILTER += allow class="Explicit garbage collection; extremely dubious except in benchmarking code"
-# WARNING_FILTER += allow class="Explicit invocation of finalizer"
-# WARNING_FILTER += allow class="Extends Object"
-# WARNING_FILTER += allow class="Field Declarations Should Be At Start Of Class"
-# WARNING_FILTER += allow class="Field names should start with a lower case letter"
-# WARNING_FILTER += allow class="Field not initialized in constructor but dereferenced without null check"
-# WARNING_FILTER += allow class="Fields of immutable classes should be final"
-# WARNING_FILTER += allow class="Final Field Could Be Static"
-# WARNING_FILTER += allow class="Finalize Does Not Call Super Finalize"
-# WARNING_FILTER += allow class="Finalize Only Calls Super Finalize"
-# WARNING_FILTER += allow class="Finalize Overloaded"
-# WARNING_FILTER += allow class="Finalize Should Be Protected"
-# WARNING_FILTER += allow class="Finalizer does not call superclass finalizer"
-# WARNING_FILTER += allow class="Finalizer does nothing but call superclass finalizer"
-# WARNING_FILTER += allow class="Finalizer nullifies superclass finalizer"
-# WARNING_FILTER += allow class="Finalizer nulls fields"
-# WARNING_FILTER += allow class="Finalizer only nulls fields"
-# WARNING_FILTER += allow class="For Loop Should Be While Loop"
-# WARNING_FILTER += allow class="For Loops Must Use Braces"
-# WARNING_FILTER += allow class="Format string should use %n rather than \\n"
-# WARNING_FILTER += allow class="Generics Naming"
-# WARNING_FILTER += allow class="God Class"
-# WARNING_FILTER += allow class="Guard Debug Logging"
-# WARNING_FILTER += allow class="Guard Log Statement Java Util"
-# WARNING_FILTER += allow class="Guard Log Statement"
-# WARNING_FILTER += allow class="Huge string constants is duplicated across multiple class files"
-# WARNING_FILTER += allow class="Idempotent Operations"
-# WARNING_FILTER += allow class="If Else Stmts Must Use Braces"
-# WARNING_FILTER += allow class="If Stmts Must Use Braces"
-# WARNING_FILTER += allow class="Immediate dereference of the result of readLine()"
-# WARNING_FILTER += allow class="Immutable Field"
-# WARNING_FILTER += allow class="Import From Same Package"
-# WARNING_FILTER += allow class="Inefficient Empty String Check"
-# WARNING_FILTER += allow class="Inefficient String Buffering"
-# WARNING_FILTER += allow class="Inefficient use of String.indexOf(String)"
-# WARNING_FILTER += allow class="Inefficient use of String.lastIndexOf(String)"
-# WARNING_FILTER += allow class="Inefficient use of keySet iterator instead of entrySet iterator"
-# WARNING_FILTER += allow class="Initialization circularity"
-# WARNING_FILTER += allow class="Instantiation To Get Class"
-# WARNING_FILTER += allow class="Insufficient String Buffer Declaration"
-# WARNING_FILTER += allow class="Integer Instantiation"
-# WARNING_FILTER += allow class="Integer remainder modulo 1"
-# WARNING_FILTER += allow class="Integral division result cast to double or float"
-# WARNING_FILTER += allow class="Invocation of substring(0), which returns the original value"
-# WARNING_FILTER += allow class="Iterator next() method can't throw NoSuchElementException"
-# WARNING_FILTER += allow class="JUnit Assertions Should Include Message"
-# WARNING_FILTER += allow class="JUnit Spelling"
-# WARNING_FILTER += allow class="JUnit Static Suite"
-# WARNING_FILTER += allow class="JUnit Test Contains Too Many Asserts"
-# WARNING_FILTER += allow class="JUnit Tests Should Include Assert"
-# WARNING_FILTER += allow class="JUnit Use Expected"
-# WARNING_FILTER += allow class="JUnit4 Suites Should Use Suite Annotation"
-# WARNING_FILTER += allow class="JUnit4 Test Should Use After Annotation"
-# WARNING_FILTER += allow class="JUnit4 Test Should Use Before Annotation"
-# WARNING_FILTER += allow class="JUnit4 Test Should Use Test Annotation"
-# WARNING_FILTER += allow class="Law Of Demeter"
-# WARNING_FILTER += allow class="Load of known null value"
-# WARNING_FILTER += allow class="Local Home Naming Convention"
-# WARNING_FILTER += allow class="Local Interface Session Naming Convention"
-# WARNING_FILTER += allow class="Local Variable Could Be Final"
-# WARNING_FILTER += allow class="Logger Is Not Static Final"
-# WARNING_FILTER += allow class="Logic Inversion"
-# WARNING_FILTER += allow class="Long Instantiation"
-# WARNING_FILTER += allow class="Long Variable"
-# WARNING_FILTER += allow class="Loose Coupling (Coupling)"
-# WARNING_FILTER += allow class="Loose Coupling"
-# WARNING_FILTER += allow class="Loose Package Coupling"
-# WARNING_FILTER += allow class="MDB And Session Bean Naming Convention"
-# WARNING_FILTER += allow class="Maps and sets of URLs can be performance hogs"
-# WARNING_FILTER += allow class="Method Argument Could Be Final"
-# WARNING_FILTER += allow class="Method Naming Conventions"
-# WARNING_FILTER += allow class="Method Returns Internal Array"
-# WARNING_FILTER += allow class="Method With Same Name As Enclosing Class"
-# WARNING_FILTER += allow class="Method allocates a boxed primitive just to call toString"
-# WARNING_FILTER += allow class="Method allocates an object, only to get the class object"
-# WARNING_FILTER += allow class="Method calls Pattern.compile in a loop"
-# WARNING_FILTER += allow class="Method calls prepareStatement in a loop"
-# WARNING_FILTER += allow class="Method calls static Math class method on a constant value"
-# WARNING_FILTER += allow class="Method checks to see if result of String.indexOf is positive"
-# WARNING_FILTER += allow class="Method compiles the regular expression in a loop"
-# WARNING_FILTER += allow class="Method concatenates strings using + in a loop"
-# WARNING_FILTER += allow class="Method directly allocates a specific implementation of xml interfaces"
-# WARNING_FILTER += allow class="Method discards result of readLine after checking if it is non-null"
-# WARNING_FILTER += allow class="Method doesn't override method in superclass due to wrong package for parameter (intentional)"
-# WARNING_FILTER += allow class="Method ignores exceptional return value"
-# WARNING_FILTER += allow class="Method ignores results of InputStream.read()"
-# WARNING_FILTER += allow class="Method ignores results of InputStream.skip()"
-# WARNING_FILTER += allow class="Method ignores return value, is this OK?"
-# WARNING_FILTER += allow class="Method invokes System.exit(...)"
-# WARNING_FILTER += allow class="Method invokes dangerous method runFinalizersOnExit"
-# WARNING_FILTER += allow class="Method invokes inefficient Boolean constructor; use Boolean.valueOf(...) instead"
-# WARNING_FILTER += allow class="Method invokes inefficient Number constructor; use static valueOf instead"
-# WARNING_FILTER += allow class="Method invokes inefficient floating-point Number constructor; use static valueOf instead"
-# WARNING_FILTER += allow class="Method invokes inefficient new String() constructor"
-# WARNING_FILTER += allow class="Method invokes inefficient new String(String) constructor"
-# WARNING_FILTER += allow class="Method invokes toString() method on a String"
-# WARNING_FILTER += allow class="Method may fail to clean up stream or resource on checked exception"
-# WARNING_FILTER += allow class="Method may fail to clean up stream or resource"
-# WARNING_FILTER += allow class="Method may fail to close database resource on exception"
-# WARNING_FILTER += allow class="Method may fail to close database resource"
-# WARNING_FILTER += allow class="Method may fail to close stream on exception"
-# WARNING_FILTER += allow class="Method may fail to close stream"
-# WARNING_FILTER += allow class="Method might drop exception"
-# WARNING_FILTER += allow class="Method might ignore exception"
-# WARNING_FILTER += allow class="Method names should start with a lower case letter"
-# WARNING_FILTER += allow class="Method uses the same code for two branches"
-# WARNING_FILTER += allow class="Method uses the same code for two switch clauses"
-# WARNING_FILTER += allow class="Method uses toArray() with zero-length array argument"
-# WARNING_FILTER += allow class="Method with Boolean return type returns explicit null"
-# WARNING_FILTER += allow class="Misleading Variable Name"
-# WARNING_FILTER += allow class="Missing Break In Switch"
-# WARNING_FILTER += allow class="Missing Static Method In Non Instantiatable Class"
-# WARNING_FILTER += allow class="Missing serialVersionUID"
-# WARNING_FILTER += allow class="Modified Cyclomatic Complexity"
-# WARNING_FILTER += allow class="More Than One Logger"
-# WARNING_FILTER += allow class="NPath Complexity"
-# WARNING_FILTER += allow class="Ncss Constructor Count"
-# WARNING_FILTER += allow class="Ncss Method Count"
-# WARNING_FILTER += allow class="Ncss Type Count"
-# WARNING_FILTER += allow class="Needless instantiation of class that only supplies static methods"
-# WARNING_FILTER += allow class="Negating the result of compareTo()/compare()"
-# WARNING_FILTER += allow class="No Package"
-# WARNING_FILTER += allow class="NodeList.getLength() called in a loop"
-# WARNING_FILTER += allow class="Non Case Label In Switch Statement"
-# WARNING_FILTER += allow class="Non Static Initializer"
-# WARNING_FILTER += allow class="Non Thread Safe Singleton"
-# WARNING_FILTER += allow class="Non serializable object written to ObjectOutput"
-# WARNING_FILTER += allow class="Non-Boolean argument formatted using %b format specifier"
-# WARNING_FILTER += allow class="Non-serializable class has a serializable inner class"
-# WARNING_FILTER += allow class="Non-serializable value stored into instance field of a serializable class"
-# WARNING_FILTER += allow class="Non-transient non-serializable instance field in serializable class"
-# WARNING_FILTER += allow class="Null Assignment"
-# WARNING_FILTER += allow class="One Declaration Per Line"
-# WARNING_FILTER += allow class="Only One Return"
-# WARNING_FILTER += allow class="Optimizable To Array Call"
-# WARNING_FILTER += allow class="Package Case"
-# WARNING_FILTER += allow class="Parameter must be non-null but is marked as nullable"
-# WARNING_FILTER += allow class="Position Literals First In Case Insensitive Comparisons"
-# WARNING_FILTER += allow class="Position Literals First In Comparisons"
-# WARNING_FILTER += allow class="Possible null pointer dereference due to return value of called method"
-# WARNING_FILTER += allow class="Possible null pointer dereference on branch that might be infeasible"
-# WARNING_FILTER += allow class="Potential lost logger changes due to weak reference in OpenJDK"
-# WARNING_FILTER += allow class="Potentially ambiguous invocation of either an inherited or outer method"
-# WARNING_FILTER += allow class="Potentially dangerous use of non-short-circuit logic"
-# WARNING_FILTER += allow class="Premature Declaration"
-# WARNING_FILTER += allow class="Preserve Stack Trace"
-# WARNING_FILTER += allow class="Primitive value is boxed and then immediately unboxed"
-# WARNING_FILTER += allow class="Primitive value is boxed then unboxed to perform primitive coercion"
-# WARNING_FILTER += allow class="Primitive value is unboxed and coerced for ternary operator"
-# WARNING_FILTER += allow class="Private method is never called"
-# WARNING_FILTER += allow class="Private readResolve method not inherited by subclasses"
-# WARNING_FILTER += allow class="Proper Logger"
-# WARNING_FILTER += allow class="Questionable cast to abstract collection"
-# WARNING_FILTER += allow class="Questionable cast to concrete collection"
-# WARNING_FILTER += allow class="Questionable use of non-short-circuit logic"
-# WARNING_FILTER += allow class="Random object created and used only once"
-# WARNING_FILTER += allow class="Read of unwritten public or protected field"
-# WARNING_FILTER += allow class="Redundant Field Initializer"
-# WARNING_FILTER += allow class="Redundant comparison of non-null value to null"
-# WARNING_FILTER += allow class="Redundant comparison of two null values"
-# WARNING_FILTER += allow class="Redundant nullcheck of value known to be non-null"
-# WARNING_FILTER += allow class="Redundant nullcheck of value known to be null"
-# WARNING_FILTER += allow class="Reliance on default encoding"
-# WARNING_FILTER += allow class="Remainder of 32-bit signed random integer"
-# WARNING_FILTER += allow class="Remainder of hashCode could be negative"
-# WARNING_FILTER += allow class="Remote Interface Naming Convention"
-# WARNING_FILTER += allow class="Remote Session Interface Naming Convention"
-# WARNING_FILTER += allow class="Replace Enumeration With Iterator"
-# WARNING_FILTER += allow class="Replace Hashtable With Map"
-# WARNING_FILTER += allow class="Replace Vector With List"
-# WARNING_FILTER += allow class="Result of integer multiplication cast to long"
-# WARNING_FILTER += allow class="Return Empty Array Rather Than Null"
-# WARNING_FILTER += allow class="Return value of method without side effect is ignored"
-# WARNING_FILTER += allow class="Rough value of known constant found"
-# WARNING_FILTER += allow class="Self assignment of local variable"
-# WARNING_FILTER += allow class="Serializable inner class"
-# WARNING_FILTER += allow class="Short Class Name"
-# WARNING_FILTER += allow class="Short Instantiation"
-# WARNING_FILTER += allow class="Short Method Name"
-# WARNING_FILTER += allow class="Short Variable"
-# WARNING_FILTER += allow class="Should be a static inner class"
-# WARNING_FILTER += allow class="Signature Declare Throws Exception (Strict-Exceptions)"
-# WARNING_FILTER += allow class="Signature Declare Throws Exception"
-# WARNING_FILTER += allow class="Simple Date Format Needs Locale"
-# WARNING_FILTER += allow class="Simplified Ternary"
-# WARNING_FILTER += allow class="Simplify Boolean Assertion"
-# WARNING_FILTER += allow class="Simplify Boolean Expressions"
-# WARNING_FILTER += allow class="Simplify Boolean Returns"
-# WARNING_FILTER += allow class="Simplify Conditional"
-# WARNING_FILTER += allow class="Simplify startsWith"
-# WARNING_FILTER += allow class="Single Method Singleton"
-# WARNING_FILTER += allow class="Singleton Class Returning New Instance"
-# WARNING_FILTER += allow class="Singular Field"
-# WARNING_FILTER += allow class="Static EJB Field Should Be Final"
-# WARNING_FILTER += allow class="Static initializer creates instance before all static final fields assigned"
-# WARNING_FILTER += allow class="Std Cyclomatic Complexity"
-# WARNING_FILTER += allow class="Store of non serializable object into HttpSession"
-# WARNING_FILTER += allow class="String Buffer Instantiation With Char"
-# WARNING_FILTER += allow class="String Instantiation"
-# WARNING_FILTER += allow class="String To String"
-# WARNING_FILTER += allow class="Superclass uses subclass during initialization"
-# WARNING_FILTER += allow class="Suspicious Constant Field Name"
-# WARNING_FILTER += allow class="Suspicious Equals Method Name"
-# WARNING_FILTER += allow class="Suspicious Hashcode Method Name"
-# WARNING_FILTER += allow class="Suspicious Octal Escape"
-# WARNING_FILTER += allow class="Suspicious reference comparison of Boolean values"
-# WARNING_FILTER += allow class="Suspicious reference comparison to constant"
-# WARNING_FILTER += allow class="Switch Density"
-# WARNING_FILTER += allow class="Switch Stmts Should Have Default"
-# WARNING_FILTER += allow class="Switch statement found where default case is missing"
-# WARNING_FILTER += allow class="Switch statement found where one case falls through to the next case"
-# WARNING_FILTER += allow class="System println"
-# WARNING_FILTER += allow class="Test Class Without Test Cases"
-# WARNING_FILTER += allow class="Test for floating point equality"
-# WARNING_FILTER += allow class="The equals and hashCode methods of URL are blocking"
-# WARNING_FILTER += allow class="The readResolve method must be declared with a return type of Object."
-# WARNING_FILTER += allow class="Thread passed where Runnable expected"
-# WARNING_FILTER += allow class="Too Few Branches For A Switch Statement"
-# WARNING_FILTER += allow class="Too Many Fields"
-# WARNING_FILTER += allow class="Too Many Methods"
-# WARNING_FILTER += allow class="Too Many Static Imports"
-# WARNING_FILTER += allow class="Transient field of class that isn't Serializable."
-# WARNING_FILTER += allow class="Transient field that isn't set by deserialization." -# WARNING_FILTER += allow class="Unchecked type in generic call" -# WARNING_FILTER += allow class="Unchecked/unconfirmed cast of return value from method" -# WARNING_FILTER += allow class="Unchecked/unconfirmed cast" -# WARNING_FILTER += allow class="Uncommented Empty Constructor" -# WARNING_FILTER += allow class="Uncommented Empty Method Body" -# WARNING_FILTER += allow class="Uncommented Empty Method" -# WARNING_FILTER += allow class="Unnecessary Boolean Assertion" -# WARNING_FILTER += allow class="Unnecessary Case Change" -# WARNING_FILTER += allow class="Unnecessary Constructor" -# WARNING_FILTER += allow class="Unnecessary Conversion Temporary" -# WARNING_FILTER += allow class="Unnecessary Final Modifier" -# WARNING_FILTER += allow class="Unnecessary Fully Qualified Name" -# WARNING_FILTER += allow class="Unnecessary Local Before Return" -# WARNING_FILTER += allow class="Unnecessary Parentheses" -# WARNING_FILTER += allow class="Unnecessary Return" -# WARNING_FILTER += allow class="Unnecessary Wrapper Object Creation" -# WARNING_FILTER += allow class="Unread field" -# WARNING_FILTER += allow class="Unread field: should this field be static?" 
-# WARNING_FILTER += allow class="Unread public/protected field" -# WARNING_FILTER += allow class="Unsigned right shift cast to short/byte" -# WARNING_FILTER += allow class="Unsynchronized Static Date Formatter" -# WARNING_FILTER += allow class="Unused Formal Parameter" -# WARNING_FILTER += allow class="Unused Imports (type resolution)" -# WARNING_FILTER += allow class="Unused Imports" -# WARNING_FILTER += allow class="Unused Local Variable" -# WARNING_FILTER += allow class="Unused Modifier" -# WARNING_FILTER += allow class="Unused Null Check In Equals" -# WARNING_FILTER += allow class="Unused Private Field" -# WARNING_FILTER += allow class="Unused Private Method" -# WARNING_FILTER += allow class="Unused field" -# WARNING_FILTER += allow class="Unused public or protected field" -# WARNING_FILTER += allow class="Unusual equals method" -# WARNING_FILTER += allow class="Unwritten public or protected field" -# WARNING_FILTER += allow class="Usage of GetResource may be unsafe if class is extended" -# WARNING_FILTER += allow class="Use Array List Instead Of Vector" -# WARNING_FILTER += allow class="Use Arrays As List" -# WARNING_FILTER += allow class="Use Assert Equals Instead Of Assert True" -# WARNING_FILTER += allow class="Use Assert Null Instead Of Assert True" -# WARNING_FILTER += allow class="Use Assert Same Instead Of Assert True" -# WARNING_FILTER += allow class="Use Assert True Instead Of Assert Equals" -# WARNING_FILTER += allow class="Use Collection Is Empty" -# WARNING_FILTER += allow class="Use Concurrent Hash Map" -# WARNING_FILTER += allow class="Use Correct Exception Logging" -# WARNING_FILTER += allow class="Use Equals To Compare Strings" -# WARNING_FILTER += allow class="Use Index Of Char" -# WARNING_FILTER += allow class="Use Locale With Case Conversions" -# WARNING_FILTER += allow class="Use Notify All Instead Of Notify" -# WARNING_FILTER += allow class="Use Object For Clearer API" -# WARNING_FILTER += allow class="Use Proper Class Loader" -# 
WARNING_FILTER += allow class="Use Singleton" -# WARNING_FILTER += allow class="Use String Buffer For String Appends" -# WARNING_FILTER += allow class="Use String Buffer Length" -# WARNING_FILTER += allow class="Use Utility Class" -# WARNING_FILTER += allow class="Use Varargs" -# WARNING_FILTER += allow class="Use of identifier that is a keyword in later versions of Java" -# WARNING_FILTER += allow class="Use of member identifier that is a keyword in later versions of Java" -# WARNING_FILTER += allow class="Use the nextInt method of Random rather than nextDouble to generate a random integer" -# WARNING_FILTER += allow class="Useless Operation On Immutable" -# WARNING_FILTER += allow class="Useless Overriding Method" -# WARNING_FILTER += allow class="Useless Parentheses" -# WARNING_FILTER += allow class="Useless Qualified This" -# WARNING_FILTER += allow class="Useless String valueOf" -# WARNING_FILTER += allow class="Useless assignment in return statement" -# WARNING_FILTER += allow class="Useless control flow to next line" -# WARNING_FILTER += allow class="Useless control flow" -# WARNING_FILTER += allow class="Vacuous bit mask operation on integer value" -# WARNING_FILTER += allow class="Vacuous comparison of integer value" -# WARNING_FILTER += allow class="Value required to have type qualifier, but marked as unknown" -# WARNING_FILTER += allow class="Value required to not have type qualifier, but marked as unknown" -# WARNING_FILTER += allow class="Variable Naming Conventions" -# WARNING_FILTER += allow class="Very confusing method names (but perhaps intentional)" -# WARNING_FILTER += allow class="While Loops Must Use Braces" -# WARNING_FILTER += allow class="Write to static field from instance method" -# WARNING_FILTER += allow class="clone method does not call super.clone()" -# WARNING_FILTER += allow class="compareTo()/compare() returns Integer.MIN_VALUE" -# WARNING_FILTER += allow class="equals method fails for subtypes" -# WARNING_FILTER += allow 
class="equals() method does not check for null argument" -# WARNING_FILTER += allow class="instanceof will always return true" -# WARNING_FILTER += allow class="serialVersionUID isn't final" -# WARNING_FILTER += allow class="serialVersionUID isn't long" -# WARNING_FILTER += allow class="serialVersionUID isn't static" -# WARNING_FILTER += allow class="toString method may return null" +# WARNING_FILTER += allow class="Actual Parameter Element may be null (Java)" +# WARNING_FILTER += allow class="Android Message Injection (Java)" +# WARNING_FILTER += allow class="Android URL Injection (Java)" +# WARNING_FILTER += allow class="Certificate Added to Root Store (Java)" +# WARNING_FILTER += allow class="Deprecated Transfer Protocol (Java)" +# WARNING_FILTER += allow class="Deserializable Class (Java)" +# WARNING_FILTER += allow class="Deserializing Non-Serializable Class (Java)" +# WARNING_FILTER += allow class="Disabled Input Validation (Java)" +# WARNING_FILTER += allow class="Field Element may be null (deep) (Java)" +# WARNING_FILTER += allow class="Field Too Visible (Java)" +# WARNING_FILTER += allow class="Field may be null (deep) (Java)" +# WARNING_FILTER += allow class="Hardcoded IP Address (Java)" +# WARNING_FILTER += allow class="Inadequate Salt (Java)" +# WARNING_FILTER += allow class="Insecure Class Loader (Java)" +# WARNING_FILTER += allow class="Method Disables Security Setting (Java)" +# WARNING_FILTER += allow class="Method Should be final (Java)" +# WARNING_FILTER += allow class="Method Should be private (Java)" +# WARNING_FILTER += allow class="Missing synchronized Statement (Java)" +# WARNING_FILTER += allow class="Mutable Constant Field (Java)" +# WARNING_FILTER += allow class="Naming Style Violation (Java)" +# WARNING_FILTER += allow class="Null Pointer Dereference (deep) (Java)" +# WARNING_FILTER += allow class="Return Value may Contain null Element (Java)" +# WARNING_FILTER += allow class="Return Value may be null (Java)" +# WARNING_FILTER += allow 
class="Security Annotation Conflict (Java)" +# WARNING_FILTER += allow class="Sensitive Data Cached (Java)" +# WARNING_FILTER += allow class="Sensitive Data Written to External Storage (Java)" +# WARNING_FILTER += allow class="Sensitive Data Written to Local File (Java)" +# WARNING_FILTER += allow class="Serialization Not Disabled (Java)" +# WARNING_FILTER += allow class="Static Field Too Visible (Java)" +# WARNING_FILTER += allow class="Unchecked Parameter Dereference (deep) (Java)" +# WARNING_FILTER += allow class="Unchecked Parameter Element Dereference (deep) (Java)" +# WARNING_FILTER += allow class="Unguarded Field (Java)" +# WARNING_FILTER += allow class="Unguarded Method (Java)" +# WARNING_FILTER += allow class="Unguarded Parameter (Java)" +# WARNING_FILTER += allow class="Useless null Test (Java)" +# WARNING_FILTER += allow class="Useless null Test of Field (Java)" +# WARNING_FILTER += allow class="Useless null Test of Parameter (Java)" +# WARNING_FILTER += allow class="Useless null Test of Return Value (Java)" +# WARNING_FILTER += allow class="null Passed to Method (deep) (Java)" # # To enable additional buffer overrun checking, which can best be # described as better at finding buffer overruns involving pointer @@ -5585,7 +5067,7 @@ BAD_FUNCTION_RANK = 1.0 BAD_FUNCTION_SIGNIFICANCE = SECURITY -# Floating Point bad functions +## Floating Point bad functions BAD_FUNCTION_REGEX = ^_?_?gamma[fl]?$ BAD_FUNCTION_MESSAGE = Use of gamma BAD_FUNCTION_INFO = it is not portable. Use tgamma() or lgamma() instead 
@@ -5607,6 +5089,14 @@ BAD_FUNCTION_BASE_RANK = 1.0 BAD_FUNCTION_SIGNIFICANCE = STYLE +## For OWASP 2017 rule A4 +BAD_FUNCTION_REGEX = ^XML_ExternalEntityParserCreate$ +BAD_FUNCTION_MESSAGE = Use of XML_ExternalEntityParserCreate +BAD_FUNCTION_INFO = use is error prone. Can lead to inclusion of external entity references. +BAD_FUNCTION_CATEGORIES = BADFUNC.XML_EXTERNALENTITYPARSERCREATE;OWASP-2017:A4 +BAD_FUNCTION_BASE_RANK = 1.0 +BAD_FUNCTION_SIGNIFICANCE = SECURITY + # Parameter PLUGINS # # Purpose @@ -6054,7 +5544,7 @@ # A low value can result in slow web queries if the time between # applicable queries exceeds this value. A high value can result in # an extra process hanging around doing nothing on the analysis -# machine. The factory setting is 30 minutes ( = 1800 seconds). +# machine. # # The analysis log will not be finalized, and so the Analysis Log # [doc/html/GUI/GUI_Log_Analysis.html] page contents may continue @@ -6648,6 +6138,7 @@ # - Multiplication Overflow of Allocation Size # - Multiplication Overflow of Size # - Plaintext Storage of Password +# - Plaintext Transmission of Password # - Potential Timebomb # - SQL Injection # - Subtraction Underflow of Allocation Size @@ -6655,6 +6146,7 @@ # - Tainted Allocation Size # - Tainted Buffer Access # - Tainted Configuration Setting +# - Tainted Environment Variable # - Tainted Filename # - Tainted Network Address # - Tainted Write 
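Review bot: The new `BAD_FUNCTION_INFO` for `XML_ExternalEntityParserCreate` ("use is error prone. Can lead to inclusion of external entity references.") names neither the actual risk nor the remediation, which is what a SECURITY-significance finding mapped to OWASP-2017:A4 needs to be actionable. In Expat an external-entity parser is created from the external-entity-ref handler that the application itself registers with `XML_SetExternalEntityRefHandler`, so the useful advice is not to resolve external entities at all when the document can come from an untrusted source; suggest `BAD_FUNCTION_INFO = it resolves external entities (XXE). With untrusted XML this can disclose local files, reach internal hosts or exhaust resources; do not register an external-entity-ref handler for untrusted input.`. The `BAD_FUNCTION_MESSAGE` and categories look fine as they are.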
@@ -10117,80 +9609,235 @@
 # Parameter FORMAT_STRING_CHECKER_CHECKED_FUNCS
 #
 # Purpose
-# Used by Format String to specify exceptions to the statistical
-# analysis: (position, regular expression) pairs such that calls to
-# functions whose names match the specified regular expression must
-# always have a format string argument in the specified position.
+# Specifies function/argument combinations for Format String and
+# Format String Type Error to check.
 #
 # Tags
 # - WARNING_SPECIAL_FUNCTIONS: Designates Specially-Treated
 # Functions
 # - WC_MISC.FMT: Used by Format String
+# - WC_MISC.FMTTYPE: Used by Format String Type Error
 #
 # Type
 # A string of the form
-# ,
+# , , ,
 # where:
-# - is an argument position (counting from 1)
-# - is a Boost 'POSIX Extended Regular Expression'
-# [http://www.boost.org/doc/libs/1_63_0/libs/regex/doc/html/boost_regex/syntax/basic_extended.html]
+# - is the position of the format string argument
+# (counting from 1).
+# - is the position of the first "value" argument
+# (counting from 1).
+# - is the family of the function: one of { printf,
+# wprintf, vprintf, vwprintf, printf_p, vprintf_p, wprintf_p,
+# vwprintf_p, scanf, vscanf, wscanf, vwscanf, other }.
+# - is the name of the function.
 #
 # Behavior
-# Calling a function whose name matches without a format
-# string in the 'th parameter position will always trigger a
-# Format String warning, regardless of the settings of
+# Calling a function whose name matches without a format
+# string in the 'th parameter position will always trigger
+# a Format String warning, regardless of the settings of
 # FORMAT_STRING_CHECKER_SAMPLE_SIZE and
 # FORMAT_STRING_CHECKER_RATIO.
 #
-# If the Format String warning class is disabled, such as with a
-# WARNING_FILTER rule, this parameter has no effect.
-#
-# Notes
-# This parameter replaces the csonar_format_string_check() function
-# previously available in the Extension API
-# [doc/html/Extensions/Extensions.html].
-#
+# If is printf or wprintf, the format string contents are
+# checked against the function argument types. If something does
+# not match, a Format String Type Error warning is issued.
+# - All other families have no effect at this time.
+# - Use the other family for functions that do not fit in any of
+# the other families.
+
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, printf, __eprintf
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, printf, _cprintf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, wprintf, _cwprintf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 3, printf, _cprintf_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 3, wprintf, _cwprintf_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, printf, _cprintf_s
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, wprintf, _cwprintf_s
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 3, printf, _cprintf_s_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 3, wprintf, _cwprintf_s_l
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, printf, fprintf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, wprintf, fwprintf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 4, printf, _fprintf_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 4, wprintf, _fwprintf_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, printf, fprintf_s
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, wprintf, fwprintf_s
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 4, printf, _fprintf_s_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 4, wprintf, _fwprintf_s_l
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, printf, printf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, wprintf, wprintf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 3, printf, _printf_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 3, wprintf, _wprintf_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, printf, printf_s
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, wprintf, wprintf_s
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 3, printf, _printf_s_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 3, wprintf, _wprintf_s_l
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, printf, _scprintf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, wprintf, _scwprintf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 3, printf, _scprintf_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 3, wprintf, _scwprintf_l
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 4, printf, snprintf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 4, printf, _snprintf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 4, wprintf, _snwprintf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 5, printf, _snprintf_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 5, wprintf, _snwprintf_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 4, 5, printf, _snprintf_s
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 4, 5, wprintf, _snwprintf_s
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 4, 6, printf, _snprintf_s_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 4, 6, wprintf, _snwprintf_s_l
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, printf, sprintf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 4, wprintf, swprintf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 4, printf, _sprintf_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 5, wprintf, _swprintf_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 4, wprintf, __swprintf_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 4, printf, sprintf_s
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 4, wprintf, swprintf_s
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 5, printf, _sprintf_s_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 5, wprintf, _swprintf_s_l
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, vprintf, _vcprintf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, vwprintf, _vcwprintf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 3, vprintf, _vcprintf_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 3, vwprintf, _vcwprintf_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, vprintf, _vcprintf_s
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, vwprintf, _vcwprintf_s
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 3, vprintf, _vcprintf_s_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 3, vwprintf, _vcwprintf_s_l
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, vprintf, vfprintf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, vwprintf, vfwprintf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 4, vprintf, _vfprintf_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 4, vwprintf, _vfwprintf_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, vprintf, vfprintf_s
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, vwprintf, vfwprintf_s
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 4, vprintf, _vfprintf_s_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 4, vwprintf, _vfwprintf_s_l
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, vprintf, vprintf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, vwprintf, vwprintf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 3, vprintf, _vprintf_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 3, vwprintf, _vwprintf_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, vprintf, vprintf_s
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, vwprintf, vwprintf_s
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 3, vprintf, _vprintf_s_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 3, vwprintf, _vwprintf_s_l
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, vprintf, _vscprintf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, vwprintf, _vscwprintf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 3, vprintf, _vscprintf_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 3, vwprintf, _vscwprintf_l
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 4, vprintf, vsnprintf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 4, vprintf, _vsnprintf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 4, vwprintf, _vsnwprintf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 5, vprintf, _vsnprintf_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 5, vwprintf, _vsnwprintf_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 4, 5, printf, vsnprintf_s
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 4, 5, printf, _vsnprintf_s
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 4, 5, wprintf, _vsnwprintf_s
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 4, 6, printf, _vsnprintf_s_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 4, 6, wprintf, _vsnwprintf_s_l
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, vprintf, vsprintf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 4, vwprintf, vswprintf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 4, vprintf, _vsprintf_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 5, vwprintf, _vswprintf_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 4, vwprintf, __vswprintf_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 4, vprintf, vsprintf_s
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 4, vwprintf, vswprintf_s
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 5, vprintf, _vsprintf_s_l
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 5, vwprintf, _vswprintf_s_l
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 4, wprintf, wnsprintfA
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 4, wprintf, wnsprintfW
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 4, wprintf, wnsprintf
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, wprintf, wsprintfA
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, wprintf, wsprintfW
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, wprintf, wsprintf
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 4, vwprintf, wvnsprintfA
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 4, vwprintf, wvnsprintfW
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 4, vwprintf, wvnsprintf
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, vwprintf, wvsprintfA
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, vwprintf, wvsprintfW
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, vwprintf, wvsprintf
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, vprintf, vasprintf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, printf, __asprintf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, printf, asprintf
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, vprintf, vdprintf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, printf, dprintf
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, vprintf, obstack_vprintf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, printf, obstack_printf
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, scanf, __isoc99__cscanf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, scanf, _cscanf
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, wscanf, __isoc99_fwscanf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, wscanf, fwscanf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, scanf, __isoc99_fscanf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, scanf, fscanf
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, wscanf, __isoc99_swscanf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, wscanf, swscanf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, scanf, __isoc99_sscanf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, scanf, sscanf
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, scanf, __isoc99_fscanf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, scanf, fscanf
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, vscanf, __isoc99_vsscanf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, vscanf, vsscanf
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, vscanf, __isoc99_vfscanf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, vscanf, vfscanf
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, scanf, __isoc99_scanf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, scanf, scanf
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, vscanf, __isoc99_vscanf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, vscanf, vscanf
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, wscanf, __isoc99_wscanf
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, wscanf, wscanf
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 4, printf, StringCchPrintfA
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 4, wprintf, StringCchPrintfW
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, printf, syslog
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, vprintf, vsyslog
+
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, printf_p, CHString::Format
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, vprintf_p, CHString::FormatV
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, printf_p, CString::Format
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, vprintf_p, CString::FormatV
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, wprintf_p, CHString::FormatMessageW
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, vprintf_p, CString::FormatMessageV
-FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, ^__eprintf$
-FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, ^_cprintf$
-FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, ^_swprintf$
-FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, ^_v?snw?printf$
-FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, ^fwprintf$
-FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, ^sn?wprintf$
-FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, ^v?w?printf$
-FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, ^v?[fs]printf$
-FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, ^vfwprintf$
-FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, ^v?snprintf$
-FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, ^vswprintf$
-FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, ^wnsprintf[AW]?$
-FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, ^wsprintf[AW]?$
-FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, ^wvsprintf$
-FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, ^wvnsprintf[AW]?$
-FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, ^(__isoc99_)?_cscanf$
-FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, ^(__isoc99_)?fw?scanf$
-FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, ^(__isoc99_)?sw?scanf$
-FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, ^(__isoc99_)?v?[fs]scanf$
-FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, ^(__isoc99_)?[vw]?scanf$
-FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, ^StringCchPrintf$
-FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, ^v?syslog$
-FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, ^CH?String::FormatV?$
-FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, ^CHString::FormatMessageW$
-FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, ^CString::FormatMessageV?$
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 1, 2, printf, DbgPrint
+FORMAT_STRING_CHECKER_CHECKED_FUNCS += 3, 4, printf, DbgPrintEx
 # Parameter FORMAT_STRING_CHECKER_IGNORED_FUNCS
 #
 # Purpose
-# Used by Format String to specify exceptions to the statistical
-# analysis: (position, regular expression) pairs such that calls to
-# functions whose names match the specified regular expression are
-# never required to have a format string argument in the specified
-# position.
+# Used by Format String and Format String Type Error to specify
+# function/argument combinations that the analysis will NOT check.
 #
 # Tags
 # - WARNING_SPECIAL_FUNCTIONS: Designates Specially-Treated
 # Functions
 # - WC_MISC.FMT: Used by Format String
+# - WC_MISC.FMTTYPE: Used by Format String Type Error
 #
 # Type
 # A string of the form
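Review bot: The removed `FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, ^_swprintf$` has no counterpart on the new side — `swprintf`, `_swprintf_l` and `__swprintf_l` are listed, but `_swprintf` itself is not — so a function that 5.4p0 required a format string for is silently no longer checked in 6.0p0; add `FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, wprintf, _swprintf`. The five `vsnprintf_s`, `_vsnprintf_s`, `_vsnwprintf_s`, `_vsnprintf_s_l` and `_vsnwprintf_s_l` entries are put in the `printf`/`wprintf` family although they take a `va_list`, unlike the neighbouring `vsnprintf`, `_vsnprintf` and `vsprintf_s` entries, which use `vprintf`; since the new documentation says only `printf`/`wprintf` get argument-type checking, the checker would presumably compare the format against the `va_list` argument and raise spurious Format String Type Error warnings, so these should be `vprintf`/`vwprintf`. `wsprintfA` and `wnsprintfA` are likewise in the `wprintf` family while `StringCchPrintfA` is in `printf`; the `A` variants take narrow formats, so `printf` looks like the consistent choice. The `__isoc99_fscanf`/`fscanf` pair is listed twice, and the old `^CString::FormatMessageV?$` also matched `CString::FormatMessage`, which the new list does not include — worth confirming that drop is intentional.
```shell
# … unchanged: vsnprintf/_vsnprintf/_vsnwprintf entries (vprintf/vwprintf family) …
FORMAT_STRING_CHECKER_CHECKED_FUNCS += 4, 5, vprintf, vsnprintf_s
FORMAT_STRING_CHECKER_CHECKED_FUNCS += 4, 5, vprintf, _vsnprintf_s
FORMAT_STRING_CHECKER_CHECKED_FUNCS += 4, 5, vwprintf, _vsnwprintf_s
FORMAT_STRING_CHECKER_CHECKED_FUNCS += 4, 6, vprintf, _vsnprintf_s_l
FORMAT_STRING_CHECKER_CHECKED_FUNCS += 4, 6, vwprintf, _vsnwprintf_s_l

# … unchanged: sprintf/swprintf entries …
FORMAT_STRING_CHECKER_CHECKED_FUNCS += 2, 3, wprintf, _swprintf
```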
@@ -10201,14 +9848,25 @@ # [http://www.boost.org/doc/libs/1_63_0/libs/regex/doc/html/boost_regex/syntax/basic_extended.html] # # Behavior -# Calling a function whose name matches without a format -# string in the 'th parameter position will not trigger a -# Format String warning, regardless of the settings of -# FORMAT_STRING_CHECKER_SAMPLE_SIZE and -# FORMAT_STRING_CHECKER_RATIO. +# For Format String, this parameter specifies exceptions to both +# the statistical analysis and the individual checks specified by +# FORMAT_STRING_CHECKER_CHECKED_FUNCS. Calling a function whose +# name matches without a format string in the 'th +# parameter position will not trigger a Format String warning, +# regardless of the settings of FORMAT_STRING_CHECKER_SAMPLE_SIZE, +# FORMAT_STRING_CHECKER_RATIO, and +# FORMAT_STRING_CHECKER_CHECKED_FUNCS. +# +# For Format String Type Error, this parameter specifies exceptions +# to the individual checks specified by +# FORMAT_STRING_CHECKER_CHECKED_FUNCS. Calling a function whose +# name matches will not trigger a Format String Type Error +# warning, regardless of the setting of +# FORMAT_STRING_CHECKER_CHECKED_FUNCS. The value of the +# argument has no effect on this determination. # -# If the Format String warning class is disabled, such as with a -# WARNING_FILTER rule, this parameter has no effect. +# If both Format String and Format String Type Error are disabled, +# such as with a WARNING_FILTER rule, this parameter has no effect. # # Notes # This parameter replaces the csonar_ignore_format_string() @@ -13536,6 +13194,7 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis +# - JAVA: Specific to the Java Build/Analysis # # Type # a list of Java build options @@ -13569,6 +13228,7 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis +# - JAVA: Specific to the Java Build/Analysis # # Type # a list of Java build options 
@@ -13586,213 +13246,6 @@
 JAVA_FLAGS_APPEND +=
-# Parameter JAVA_JULIA_ARGS
-#
-# Purpose
-# Specifies default options to pass to Julia when it is invoked as
-# part of the Java build/analysis
-# [doc/html/Java_Module/Building/Building.html].
-#
-# Tags
-# - BUILD_BEHAVIOR: Governs the Build/Analysis
-#
-# Type
-# a list of Julia options
-# [doc/html/Java_Module/Building/JavaBuildOptions.html#julia_options].
-#
-# Behavior
-# The specified options will be prepended to the set of sub-options
-# added after the --julia analyze or --julia retrieve-analysis
-# option to cs-java-scan.
-#
-# Notes
-# - To specify sub-options for use with --julia analyze only, use
-# JAVA_JULIA_ANALYSIS_ARGS.
-# - To specify options to pass to Julia when it is invoked as part
-# of the C# build/analysis, use CSHARP_JULIA_ARGS or
-# CSHARP_JULIA_ANALYSIS_ARGS.
-
-JAVA_JULIA_ARGS =
-
-
-# Parameter JAVA_JULIA_ANALYSIS_ARGS
-#
-# Purpose
-# Specify default options to pass to Julia analysis when it is is
-# invoked as part of the Java build/analysis
-# [doc/html/Java_Module/Building/Building.html].
-#
-# Tags
-# - BUILD_BEHAVIOR: Governs the Build/Analysis
-#
-# Type
-# a list of Julia options
-# [doc/html/Java_Module/Building/JavaBuildOptions.html#julia_options].
-#
-# Behavior
-# The specified options will be prepended to the set of sub-options
-# added after the --julia analyze option to cs-java-scan.
-#
-# Notes
-# - To specify sub-options for use with both --julia analyze and
-# --julia retrieve-analysis, use JAVA_JULIA_ARGS.
-# - To specify options to pass to Julia when it is invoked as part
-# of the C# build/analysis, use CSHARP_JULIA_ARGS or
-# CSHARP_JULIA_ANALYSIS_ARGS.
-
-JAVA_JULIA_ANALYSIS_ARGS =
-
-
-# Parameter JAVA_ENABLE_FINDBUGS
-#
-# Purpose
-# Specifies whether or not FindBugs will be run by default during
-# Java analyses.
-#
-# Tags
-# - BUILD_BEHAVIOR: Governs the Build/Analysis
-#
-# Type
-# { Yes, No }
-#
-# Behavior
-# - Yes : FindBugs will be run during Java analyses, unless build
-# option -disable-findbugs is specified (through
-# JAVA_FLAGS_APPEND or JAVA_FLAGS_PREPEND).
-# - No : FindBugs will not be run during Java analyses.
-# - unspecified : FindBugs will not be run during Java analyses.
-
-JAVA_ENABLE_FINDBUGS = Yes
-
-
-# Parameter JAVA_ENABLE_PMD
-#
-# Purpose
-# Specifies whether or not PMD will be run by default during Java
-# analyses.
-#
-# Tags
-# - BUILD_BEHAVIOR: Governs the Build/Analysis
-#
-# Type
-# { Yes, No }
-#
-# Behavior
-# - Yes : PMD will be run during Java analyses, unless build option
-# -disable-pmd is specified (through JAVA_FLAGS_APPEND or
-# JAVA_FLAGS_PREPEND).
-# - No : PMD will not be run during Java analyses.
-# - unspecified : PMD will not be run during Java analyses.
-
-JAVA_ENABLE_PMD = Yes
-
-
-# Parameter CSHARP_FLAGS_PREPEND
-#
-# Purpose
-# Modify the set of options being passed to the C# build/analysis
-# [doc/html/Csharp_Module/Building/Building.html].
-#
-# Tags
-# - BUILD_BEHAVIOR: Governs the Build/Analysis
-#
-# Type
-# a list of C# build options
-# [doc/html/Csharp_Module/Building/CsharpBuildOptions.html]
-#
-# Behavior
-# The specified options will be prepended to the set of options
-# passed to the C# build/analysis
-# [doc/html/Csharp_Module/Building/Building.html].
-#
-# Notes
-# The += operator will actually prepend to this preference (in all
-# cases except for other parameters with names of the form
-# *_PREPEND, the += operator appends). This means that if you
-# specify two CSHARP_FLAGS_PREPEND+= settings, the options in the
-# second rule will be prepended to the options in the first
-# setting.
-
-CSHARP_FLAGS_PREPEND +=
-
-
-# Parameter CSHARP_FLAGS_APPEND
-#
-# Purpose
-# Modify the set of options being passed to the C# build/analysis
-# [doc/html/Csharp_Module/Building/Building.html].
-#
-# Tags
-# - BUILD_BEHAVIOR: Governs the Build/Analysis
-#
-# Type
-# a list of C# build options
-# [doc/html/Csharp_Module/Building/CsharpBuildOptions.html]
-#
-# Behavior
-# The specified options will be appended to the set of options
-# passed to the C# build/analysis
-# [doc/html/Csharp_Module/Building/Building.html].
-
-CSHARP_FLAGS_APPEND +=
-
-
-# Parameter CSHARP_JULIA_ARGS
-#
-# Purpose
-# Specifies default options to pass to Julia when it is invoked as
-# part of the C# build/analysis
-# [doc/html/Csharp_Module/Building/Building.html].
-#
-# Tags
-# - BUILD_BEHAVIOR: Governs the Build/Analysis
-#
-# Type
-# a list of Julia options
-# [doc/html/Csharp_Module/Building/CsharpBuildOptions.html#julia_options].
-#
-# Behavior
-# The specified options will be prepended to the set of options
-# added after the --julia analyze or --julia retrieve-analysis
-# option to cs-dotnet-scan.
-#
-# Notes
-# - To specify sub-options for use with --julia analyze only, use
-# CSHARP_JULIA_ANALYSIS_ARGS.
-# - To specify options to pass to Julia when it is invoked as part
-# of the Java build/analysis, use JAVA_JULIA_ARGS or
-# JAVA_JULIA_ANALYSIS_ARGS.
-
-CSHARP_JULIA_ARGS =
-
-
-# Parameter CSHARP_JULIA_ANALYSIS_ARGS
-#
-# Purpose
-# Specify default options to pass to Julia analysis when it is is
-# invoked as part of the C# build/analysis
-# [doc/html/Csharp_Module/Building/Building.html].
-#
-# Tags
-# - BUILD_BEHAVIOR: Governs the Build/Analysis
-#
-# Type
-# a list of Julia options
-# [doc/html/Csharp_Module/Building/CsharpBuildOptions.html#julia_options].
-#
-# Behavior
-# The specified options will be prepended to the set of options
-# added after the --julia analyze option to cs-dotnet-scan.
-#
-# Notes
-# - To specify sub-options for use with both --julia analyze and
-# --julia retrieve-analysis, use CSHARP_JULIA_ARGS.
-# - To specify options to pass to Julia when it is invoked as part
-# of the Java build/analysis, use JAVA_JULIA_ARGS or
-# JAVA_JULIA_ANALYSIS_ARGS.
-
-CSHARP_JULIA_ANALYSIS_ARGS =
-
 # Parameter MAX_POINTER_ANALYSIS_PASSES
 #
@@ -14471,6 +13924,9 @@
 UNFINISHED_CODE_TAGS += \\bug
 UNFINISHED_CODE_TAGS += @bug
 UNFINISHED_CODE_TAGS += XXX
+UNFINISHED_CODE_TAGS += BUG
+UNFINISHED_CODE_TAGS += LATER
+UNFINISHED_CODE_TAGS += HACK
 # Parameter BAD_MACRO_CLASS
 # Parameter BAD_MACRO_NAME
@@ -14614,6 +14070,13 @@
 BAD_MACRO_BASE_RANK = 1.0
 BAD_MACRO_SIGNIFICANCE = STYLE
+BAD_MACRO_CLASS = Use of Weak Cryptographic Algorithm
+BAD_MACRO_NAME = ^(CALG_3DES|CALG_3DES_112|CALG_DES|CALG_DESX|CALG_MD2|CALG_MD4|CALG_MD5|CALG_HUGHES_MD5|CALG_RC2|CALG_RC4|CALG_RC5)$
+BAD_MACRO_INFO = is a weak cryptographic algorithm
+BAD_MACRO_CATEGORIES = BADMACRO.WEAK_CRYPTO;CWE:327
+BAD_MACRO_BASE_RANK = 1.0
+BAD_MACRO_SIGNIFICANCE = SECURITY
+
 # Parameter SIDE_EFFECT_FREE_FUNCTIONS
 #
 # Purpose
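Review bot: The BAD_MACRO_NAME alternation for the new Use of Weak Cryptographic Algorithm rule stops at the DES, RC and MD families and does not list the SHA-1 identifiers CALG_SHA1 and its alias CALG_SHA, although SHA-1 falls under the same CWE-327 category that the rule cites in BAD_MACRO_CATEGORIES. If the rule is meant to cover deprecated hash selections generally, extend the pattern to `BAD_MACRO_NAME = ^(CALG_3DES|CALG_3DES_112|CALG_DES|CALG_DESX|CALG_MD2|CALG_MD4|CALG_MD5|CALG_HUGHES_MD5|CALG_RC2|CALG_RC4|CALG_RC5|CALG_SHA|CALG_SHA1)$`. Because the pattern is anchored with ^ and $, only exact macro names match, so the addition cannot affect other identifiers. A comment line above the rule naming the API these constants belong to, the Windows CryptoAPI CALG_* algorithm identifiers, would let readers of the template see the scope of the check without decoding the regex.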
@@ -15442,3 +14905,503 @@
 # WARNING_FILTER += allow class="Essential Type Diagnostic" file=problemfile.c
 ESSENTIAL_TYPE_DIAGNOSTIC_ENABLED = No
+
+
+# Parameter UNDER_BY_ONE
+#
+# Purpose
+# Specifies whether or not to report Buffer Underrun and Type
+# Underrun warnings when there is a guard that almost contradicts
+# the warning, but not quite, but simultaneously there is not
+# evidence that the index can take on the dangerous value.
+#
+# Tags
+# - WARNING_TUNING: Fine Tuning for Warnings
+# - WC_LANG.MEM.BU: Used by Buffer Underrun
+# - WC_LANG.MEM.TU: Used by Type Underrun
+#
+# Type
+# { Yes, No }
+#
+# Behavior
+# - Yes : More Buffer Underrun and Type Underrun warnings will be
+# reported. Most of them might be false positives, but some may
+# be useful.
+# - No : Do not report Buffer Underrun and Type Underrun warnings
+# when guards nearly-contradict the possibility.
+#
+# Notes
+# In the following example, suppose that unknown_value() is some
+# untainted value that the analysis isn't sure about. Then a Type
+# Underrun warning will be reported only if UNDER_BY_ONE=Yes:
+# void f(){
+# int x = unknown_value();
+# int A[10];
+# if( x > -2 ) A[x] = 42;
+# }
+
+UNDER_BY_ONE = No
+
+
+# Parameter UNSIGNED_BRACKET_INEQUALITY
+#
+# Purpose
+# Specifies whether or not CodeSonar will infer that unsigned
+# comparison against an upper bound also implies a lower bound of
+# zero.
+#
+# Tags
+# - WARNING_TUNING: Fine Tuning for Warnings
+#
+# Type
+# { Yes, No }
+#
+# Behavior
+# - Yes : Conditions such as x < 10U or x <= 10U will imply that x
+# >= 0 along with the upper bound on x.
+# - No : Conditions such as x < 10U will only result in an upper
+# bound on x.
+#
+# Notes
+#
+# Because many of the abstractions used by the analysis are based
+# on rational numbers and not modular arithmetic, setting this to
+# Yes can result in inconsistencies if "x" is interpreted as a
+# signed integer elsewhere. In general, setting this to Yes tends
+# to cause false positives and false negatives but may fix some
+# specific false negatives.
+
+UNSIGNED_BRACKET_INEQUALITY = No
+
+
+# Parameter FORMAT_STRING_WARN_ON_SIGN_MISMATCH
+#
+# Purpose
+# Specifies whether or not a Format String Type Error warning
+# should be issued when the sign of the type of an argument does
+# not match the sign of the format string specifier.
+#
+# Tags
+# - WARNING_TUNING: Fine Tuning for Warnings
+# - WC_MISC.FMTTYPE: Used by Format String Type Error
+#
+# Type
+# { Yes, No }
+#
+# Behavior
+# - Yes : Warn if the signedness of an argument does not match the
+# argument's signedeness.
+# - No : Do not issue any warnings if the signedness does not
+# match.
+#
+# Notes
+# Format String Type Error warnings will only be issued in the
+# following code if FORMAT_STRING_WARN_ON_SIGN_MISMATCH=Yes.
+# void f(){
+# printf( "%u\n", 42 );
+# printf( "%x\n", 42 );
+# printf( "%d\n", 42U );
+# }
+
+FORMAT_STRING_WARN_ON_SIGN_MISMATCH = No
+
+
+# Parameter FORMAT_STRING_WARN_ON_EQUAL_SIZE
+#
+# Purpose
+# Specifies whether or not a Format String Type Error warning
+# should be issued when the integer kind of the type of an argument
+# does not match the integer kind of the format string specifier,
+# but the two integer kinds have equal sizes.
+#
+# Tags
+# - WARNING_TUNING: Fine Tuning for Warnings
+# - WC_MISC.FMTTYPE: Used by Format String Type Error
+#
+# Type
+# { Yes, No }
+#
+# Behavior
+# - Yes : Warn if integer kinds differ, even if they have the same
+# size.
+# - No : Consider distinct integer kinds with the same size as
+# binary compatible.
+#
+# Notes
+# On ABIs where int and long have the same size, Format String Type
+# Error warnings will only be issued in the following code if
+# FORMAT_STRING_WARN_ON_EQUAL_SIZE=Yes.
+# void f(){
+# assert( sizeof(int) == sizeof(long) );
+# printf( "%d\n", 42L );
+# printf( "%ld\n", 42 );
+# }
+#
+# A setting of Yes is useful for codebases intended to portable to
+# multiple architectures. For example, the code above works
+# correctly on a 32-bit Linux ABI but works incorrectly on a 64-bit
+# Linux ABI. With a setting of No, CodeSonar would only issue a
+# warning when the compiler is targeting the 64-bit Linux ABI. With
+# a setting of Yes, CodeSonar would issue a warning regardless of
+# which ABI the compiler is targeting for that particular analysis.
+#
+# If a code base is only intended to run on one kind of hardware--
+# ever--then set this to No.
+
+FORMAT_STRING_WARN_ON_EQUAL_SIZE = No
+
+
+# Parameter JAVA_ANALYSIS_FRAMEWORK
+#
+# Purpose
+# Inform the Java build/analysis
+# [doc/html/Java_Module/Building/Building.html] about the runtime
+# environment of the analyzed application.
+#
+# Tags
+# - BUILD_BEHAVIOR: Governs the Build/Analysis
+# - JAVA: Specific to the Java Build/Analysis
+#
+# Type
+# { java1, java2, java3, java4, java5, java6, java7, java8, java9,
+# java10, java11, java12, java13, java14, androidAPI1, androidAPI2,
+# androidAPI3, androidAPI4, androidAPI5, androidAPI6, androidAPI7,
+# androidAPI8, androidAPI9, androidAPI10, androidAPI11,
+# androidAPI12, androidAPI13, androidAPI14, androidAPI15,
+# androidAPI16, androidAPI17, androidAPI18, androidAPI19,
+# androidAPI20, androidAPI21, androidAPI22, androidAPI23,
+# androidAPI24, androidAPI25, androidAPI26, androidAPI27,
+# androidAPI28 }
+#
+# Behavior
+# If a value is specified for JAVA_ANALYSIS_FRAMEWORK, CodeSonar
+# will analyze the application with respect to the corresponding
+# runtime environment. The affects the set of classes that will be
+# treated as available in the runtime environment, the inheritance
+# relationships of those classes, and the class semantics.
+#
+# If no value is specified, CodeSonar will attempt to infer the
+# appropriate runtime environment from the class versions of
+# analyzed classes.
+
+JAVA_ANALYSIS_FRAMEWORK =
+
+
+# Parameter JAVA_ANALYSIS_ENTRY_POINTS_MODE
+#
+# Purpose
+# Specifies how the Java build/analysis
+# [doc/html/Java_Module/Building/Building.html] will determine the
+# application's entry points: the methods that can be invoked by
+# the runtime environment and that should be considered starting
+# points of the analysis.
+#
+# Tags
+# - BUILD_BEHAVIOR: Governs the Build/Analysis
+# - JAVA: Specific to the Java Build/Analysis
+#
+# Type
+# { ALL_ENTRIES, ONLY_EXPLICIT_ENTRIES, ONLY_STANDARD_ENTRIES,
+# LIBRARY, ALL_METHODS }
+#
+# Behavior
+# - ALL_ENTRIES : treat all public and protected methods and
+# constructors as entry points.
+# - ONLY_EXPLICIT_ENTRIES: treat methods and constructors as entry
+# points if and only if they are annotated as @EntryPoint.
+# - ONLY_STANDARD_ENTRIES : only consider default entry points like
+# main methods, Swing event handlers, and Android event handlers.
+# - LIBRARY : treat all public and protected methods and
+# constructors as entry points, and assume that non-final classes
+# might be redefined in the future.
+# - ALL_METHODS : treat all public, protected and private methods
+# and constructors as entry points.
+
+JAVA_ANALYSIS_ENTRY_POINTS_MODE = ALL_ENTRIES
+
+
+# Parameter JAVA_ANALYSIS_ENABLE_ASSERTIONS
+#
+# Purpose
+# Specifies whether or not the Java build/analysis
+# [doc/html/Java_Module/Building/Building.html] will treat
+# assertion statements as if they are executed.
+#
+# Tags
+# - BUILD_BEHAVIOR: Governs the Build/Analysis
+# - JAVA: Specific to the Java Build/Analysis
+#
+# Type
+# { Yes, No }
+#
+# Behavior
+# - Yes : The analysis will treat assertion statements as if they
+# are executed. Warnings can be reported in assertion code, and
+# assertion side effects are considered by the analysis.
+# - No : The analysis will proceed as if all assertions have been
+# removed. Warnings will not be reported for any assertion code,
+# and side effects from assertions will not be accounted for.
+
+JAVA_ANALYSIS_ENABLE_ASSERTIONS = No
+
+
+# Parameter JAVA_ANALYSIS_TIMEOUT
+#
+# Purpose
+# Specifies a timeout (in seconds) for the overall Java
+# build/analysis [doc/html/Java_Module/Building/Building.html].
+#
+# Behavior
+# - integer N : if the Java Build/Analysis hasn't finished after N
+# seconds, it will halt with an error message. No analysis
+# results are produced in this case.
+#
+# Tags
+# - TIME_LIMIT: Analysis Time Limits
+# - JAVA: Specific to the Java Build/Analysis
+#
+# Type
+# non-negative integer
+#
+# Notes
+# The factory setting of 10800 correponds to 3 hours.
+
+JAVA_ANALYSIS_TIMEOUT = 10800
+
+
+# Parameter JAVA_ANALYSIS_ADVANCED_INJECTION
+#
+# Purpose
+# Specifies whether or not the Java build/analysis
+# [doc/html/Java_Module/Building/Building.html] will perform
+# advanced checking for injection-related issues.
+#
+# Tags
+# - BUILD_BEHAVIOR: Governs the Build/Analysis
+# - JAVA: Specific to the Java Build/Analysis
+# - WC_JAVA.IO.INJ.CODE: Used by Code Injection (Java)
+# - WC_JAVA.IO.INJ.COMMAND: Used by Command Injection (Java)
+# - WC_JAVA.IO.INJ.DENIAL: Used by DOS Injection (Java)
+# - WC_JAVA.IO.INJ.DLL: Used by DLL Injection (Java)
+# - WC_JAVA.IO.INJ.SQL: Used by SQL Injection (Java)
+# - WC_JAVA.IO.INJ.XSS: Used by Cross Site Scripting (Java)
+# - WC_JAVA.IO.TAINT.ADDR: Used by Tainted Network Address (Java)
+# - WC_JAVA.IO.TAINT.BUNDLE: Used by Tainted Bundle (Java)
+# - WC_JAVA.IO.TAINT.CONTROL: Used by Tainted Control (Java)
+# - WC_JAVA.IO.TAINT.DEVICE: Used by Tainted Hardware Device
+# Property (Java)
+# - WC_JAVA.IO.TAINT.EVAL: Used by Tainted Expression Evaluation
+# (Java)
+# - WC_JAVA.IO.TAINT.HTTP: Used by Tainted HTTP Response (Java)
+# - WC_JAVA.IO.TAINT.LDAP.ATTR: Used by Tainted LDAP Attribute
+# (Java)
+# - WC_JAVA.IO.TAINT.LDAP.FILTER: Used by Tainted LDAP Filter
+# (Java)
+# - WC_JAVA.IO.TAINT.LOG: Used by Tainted Log (Java)
+# - WC_JAVA.IO.TAINT.MESSAGE: Used by Tainted Message (Java)
+# - WC_JAVA.IO.TAINT.PATH: Used by Tainted Path (Java)
+# - WC_JAVA.IO.TAINT.REFLECTION: Used by Reflection Injection
+# (Java)
+# - WC_JAVA.IO.TAINT.REGEX: Used by Tainted Regular Expression
+# (Java)
+# - WC_JAVA.IO.TAINT.RESOURCE: Used by Tainted Resource (Java)
+# - WC_JAVA.IO.TAINT.SESSION: Used by Tainted Session (Java)
+# - WC_JAVA.IO.TAINT.TRUSTED: Used by Tainted @Trusted Value (Java)
+# - WC_JAVA.IO.TAINT.URL: Used by Tainted URL (Java)
+# - WC_JAVA.IO.TAINT.XAML: Used by Tainted XAML (Java)
+# - WC_JAVA.IO.TAINT.XML: Used by Tainted XML (Java)
+# - WC_JAVA.IO.TAINT.XPATH: Used by Tainted Xpath (Java)
+#
+# Type
+# { Yes, No }
+#
+# Behavior
+# - Yes : Advanced checking for injection-related issues is
+# performed. This requires more resources than the No setting,
+# but provides results that account for the flow of tainted data
+# within the program.
+#
+# - No : Only basic checking is performed for these warning
+# classes. This has a lower resource cost than the Yes setting
+# but may miss some vulnerabilities.
+#
+# Notes
+# Setting this to Yes will generally produce more false positives
+# than setting to No.
+
+JAVA_ANALYSIS_ADVANCED_INJECTION = No
+
+
+# Parameter JAVA_ANALYSIS_JVM_OPTIONS
+#
+# Purpose
+# Specify options to the JVM that will execute the Java
+# build/analysis [doc/html/Java_Module/Building/Building.html].
+#
+# Tags
+# - BUILD_BEHAVIOR: Governs the Build/Analysis
+# - JAVA: Specific to the Java Build/Analysis
+#
+# Type
+# string
+#
+# Behavior
+# The whole value of this parameter will be prepended to the list
+# of JVM arguments that is used to start the Java analysis JVM. To
+# specify multiple options, separate them with a space.
+#
+# Notes
+# A list of the available JVM options is available in the Oracle
+# java command line documentation
+# [doc/html/Preferences/https://docs.oracle.com/en/java/javase/11/tools/java.html],
+# in section "Standard Options for Java".
+
+JAVA_ANALYSIS_JVM_OPTIONS =
+
+
+# Parameter JAVA_LAUNCHER_JVM_OPTIONS
+#
+# Purpose
+# Customize the execution of the JVM that will execute the Java
+# build/analysis [doc/html/Java_Module/Building/Building.html]
+# launcher.
+#
+# Tags
+# - BUILD_BEHAVIOR: Governs the Build/Analysis
+# - JAVA: Specific to the Java Build/Analysis
+#
+# Type
+# string
+#
+# Behavior
+# The whole value of this parameter will be prepended to the list
+# of JVM arguments that is used to start the java analysis launcher
+# JVM. To specify multiple options, separate them with a space.
+#
+# Notes
+# A list of the available JVM options is available in the Oracle
+# java command line documentation
+# [doc/html/Preferences/https://docs.oracle.com/en/java/javase/11/tools/java.html],
+# in section "Standard Options for Java".
+
+JAVA_LAUNCHER_JVM_OPTIONS =
+
+
+# Parameter JAVA_ANALYSIS_MAX_MEMORY
+#
+# Purpose
+# In combination with JAVA_ANALYSIS_MEMORY_MANAGEMENT, specifies
+# the maximum amount of memory that the Java build/analysis
+# [doc/html/Java_Module/Building/Building.html] can use in
+# megabytes (MiB).
+#
+# Tags
+# - ANALYSIS_BOUND: Analysis resource/effort limit
+# - JAVA: Specific to the Java Build/Analysis
+#
+# Type
+# , where is a non-negative integer.
+#
+# Behavior
+# The specified value is interpreted as an upper bound on memory.
+#
+# - When JAVA_ANALYSIS_MEMORY_MANAGEMENT=ADAPTIVE or
+# JAVA_ANALYSIS_MEMORY_MANAGEMENT=SIMPLE, the specified value
+# contributes to determining the memory limit specified when
+# invoking the JVM for the Java build/analysis.
+# - When JAVA_ANALYSIS_MEMORY_MANAGEMENT=NONE, the specified value
+# has no effect.
+#
+# See JAVA_ANALYSIS_MEMORY_MANAGEMENT for more information.
+
+JAVA_ANALYSIS_MAX_MEMORY = 16384
+
+
+# Parameter JAVA_LAUNCHER_MEMORY
+#
+# Purpose
+# Specifies the maximum amount of memory that the Java
+# build/analysis [doc/html/Java_Module/Building/Building.html]
+# launcher can use in megabytes (MiB).
+#
+# Tags
+# - ANALYSIS_BOUND: Analysis resource/effort limit
+# - JAVA: Specific to the Java Build/Analysis
+#
+# Type
+# , where is a non-negative integer.
+#
+# Behavior
+# The specified value is interpreted as an upper bound on memory.
+
+
+
+# Parameter JAVA_ANALYSIS_MEMORY_MANAGEMENT
+#
+# Purpose
+# In combination with JAVA_ANALYSIS_MAX_MEMORY, specifies how the
+# Java build/analysis [doc/html/Java_Module/Building/Building.html]
+# will manage its memory limit.
+#
+# Tags
+# - ANALYSIS_BOUND: Analysis resource/effort limit
+# - JAVA: Specific to the Java Build/Analysis
+#
+# Type
+# { ADAPTIVE, NONE, SIMPLE }
+#
+# Behavior
+# - ADAPTIVE : The JVM that executes the analysis is passed
+# argument -Xmx , where is the lower of the value
+# specified for JAVA_ANALYSIS_MAX_MEMORY and the amount of memory
+# currently available on the system.
+# - NONE : No -Xmx option is passed to the JVM that executes the
+# analysis. Memory management and garbage collection are
+# completely handled by the Java runtime and the operating
+# system. The value of JAVA_ANALYSIS_MAX_MEMORY is ignored.
+# - SIMPLE: The JVM that executes the analysis is passed argument
+# -Xmx , where is the value specified for
+# JAVA_ANALYSIS_MAX_MEMORY.
+#
+# Notes
+# Setting this to ADAPTIVE usually leads to easier recovery in case
+# of out of memory errors.
+
+JAVA_ANALYSIS_MEMORY_MANAGEMENT = ADAPTIVE
+
+
+# Parameter JAVA_ANALYSIS_JVM_CONCURRENCY
+#
+# Purpose
+# Specifies the number of CPUs that the JVM executing the Java
+# analysis is allowed to use.
+#
+# Tags
+# - ANALYSIS_BOUND: Analysis resource/effort limit
+# - JAVA: Specific to the Java Build/Analysis
+#
+# Type
+# integer in the range 1.., where is the total
+# number of cores on the analysis machine.
+#
+# Behavior
+# If JAVA_ANALYSIS_JVM_CONCURRENCY is set with
+# JAVA_ANALYSIS_JVM_CONCURRENCY=, the active processor count
+# of the JVM executing the Java analysis will be set to .
+#
+# If JAVA_ANALYSIS_JVM_CONCURRENCY is not set, the number of
+# active processors to use is computed using the total number of
+# cores available on the analysis machine and the settings of
+# parameters ANALYSIS_SLAVES, MAX_ANALYSIS_SLAVES, and
+# REQUEST_REMOTE_ANALYSIS_SLAVES, as follows.
+# - if REQUEST_REMOTE_ANALYSIS_SLAVES=No and ANALYSIS_SLAVES=Auto,
+# =min(min(, 8), MAX_ANALYSIS_SLAVES)
+# - otherwise, if REQUEST_REMOTE_ANALYSIS_SLAVES=No,
+# =min(ANALYSIS_SLAVES, MAX_ANALYSIS_SLAVES)
+# - otherwise, =min(min(, 4), MAX_ANALYSIS_SLAVES)
+#
+# Notes
+# A value between 4 and 8 is recommended.
+
+
+JAVA_ANALYSIS_JVM_CONCURRENCY=
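Review bot: The JAVA_LAUNCHER_MEMORY block ends after its Behavior sentence with three blank lines and no assignment, so it is the only parameter introduced in this hunk whose name never appears as a setting; every neighbour has one (JAVA_ANALYSIS_MAX_MEMORY = 16384 directly above it), and the launcher's default is left undocumented. Add `JAVA_LAUNCHER_MEMORY =` (or the intended MiB default) in place of the extra blank line, and say in its Behavior section what an empty value means, as the JAVA_ANALYSIS_FRAMEWORK text does. The Notes of JAVA_ANALYSIS_JVM_OPTIONS and JAVA_LAUNCHER_JVM_OPTIONS cite `[doc/html/Preferences/https://docs.oracle.com/en/java/javase/11/tools/java.html]`, a relative doc path glued onto an absolute URL that resolves as neither; only the https URL should remain. In FORMAT_STRING_WARN_ON_SIGN_MISMATCH the Yes bullet compares the argument's signedness with itself (`does not match the argument's signedeness`) and should read `does not match the signedness of the format specifier`, matching its Purpose text. Smaller slips in the new text: `correponds` under JAVA_ANALYSIS_TIMEOUT, `intended to portable to` under FORMAT_STRING_WARN_ON_EQUAL_SIZE, `The affects the set of classes` under JAVA_ANALYSIS_FRAMEWORK, and the closing `JAVA_ANALYSIS_JVM_CONCURRENCY=` is the one setting written without the ` = ` spacing used throughout the template.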