Java Warning Classes

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

The CodeSonar Java analysis is suitable for Java source and binaries targeting the following.

Java 1.1-22.

Android API 15-28

Important Note: CodeSonar projects are built from Java bytecode (.class or archive files). However, CodeSonar will only analyze those parts of the project for which corresponding source code (.java files) is also available, because warning reports are not useful or comprehensible without source information.

The Java warning classes can be divided into four groups.

Warning classes that are enabled by default.

Warning classes that are disabled by default, may involve complex triggering contexts, and are based on checks that are generally cost-intensive and produce many warnings.
We refer to this group as (disabled) deep Java warning classes.

You can enable all these classes with the java_deep preset.
The deep and pedantic sets are disjoint: no warning class is characterized as both deep and pedantic.

Warning classes that are disabled by default, describe issues that some users may consider safe to ignore, and are based on checks that are generally lightweight and may produce many warnings.
We refer to this group as disabled pedantic Java warning classes.

You can enable all these classes with the java_pendantic preset.
The deep and pedantic sets are disjoint: no warning class is characterized as both deep and pedantic.

Warning classes whose significance is 'security'. This is considered a fourth group in order to ensure that every Java warning class is in at least one group. In particular, there are Java warning classes that are disabled by default but considered neither deep nor pendantic, but all such classes are in the security group.
We refer to this group as Java security warning classes.

You can enable all these classes with the java_security preset.
A Java warning class that is disabled by default will always belong to at least one of {security, deep, pedantic}. However, it cannot belong to all three since the deep and pedantic sets are disjoint.
There are also security warning classes that are enabled by default.

There are several configuration presets that are specific to the Java analysis, as well as a number of presets that apply across all analyzed source languages.

Preset	Notes
java_complete	Enables all Java warning classes
java_security, java_deep, java_pedantic	Enable the security, deep, and pedantic Java warning classes, respectively.
certjava	Enable all warning classes associated with rules and recommendations in the SEI CERT Oracle Coding Standard for Java.

Preset

Notes

java_complete

Enables all Java warning classes

java_security, java_deep, java_pedantic

Enable the security, deep, and pedantic Java warning classes, respectively.

certjava

Enable all warning classes associated with rules and recommendations in the SEI CERT Oracle Coding Standard for Java.

CodeSonar will perform checks for warnings in these classes by default. If there are classes on this list for which you do not wish to see warnings, use WARNING_FILTER discard rules to instruct CodeSonar accordingly.

Class Name	Mnemonic
== Always Fails Because Types Always Different (Java)	JAVA.REDUNDANT.EQF.TYPE
Abs on random (Java)	JAVA.MATH.ABSRAND
Accessing File in Permissive Mode (Java)	JAVA.IO.PERM.ACCESS
Ambiguous Call from Inner Class (Java)	JAVA.CLASS.ACIC
Android Leak (Java)	JAVA.ALLOC.LEAK.ANDROID
Anonymous LDAP Authentication (Java)	JAVA.INSEC.LDAP.ANON
Approximate e Constant (Java)	JAVA.MATH.APPROX.E
Approximate pi Constant (Java)	JAVA.MATH.APPROX.PI
Array Parameter Empty (Java)	JAVA.FUNCS.APE
Assertion Contains Side Effects (Java)	JAVA.STRUCT.SE.ASSERT
Assignment in Conditional (Java)	JAVA.STRUCT.CONDASSIG
Asymmetric compareTo (Java)	JAVA.COMPARE.CTO.ASSYM
Bitwise AND on Boolean (Java)	JAVA.STRUCT.BW.AND
Bitwise AND on Boolean Constant (Java)	JAVA.STRUCT.BW.ANDC
Bitwise OR on Boolean (Java)	JAVA.STRUCT.BW.OR
Bitwise OR on Boolean Constant (Java)	JAVA.STRUCT.BW.ORC
Blocking in Critical Section (Java)	JAVA.CONCURRENCY.STARVE.BLOCKING
Broad Throws Clause (Java)	JAVA.STRUCT.EXCP.BROAD
Call Might Return Null (Java)	JAVA.NULL.RET.UNCHECKED
Cast: Integer to Floating Point (Java)	JAVA.CAST.FTRUNC
Cast: int Computation to long (Java)	JAVA.ARITH.OFLOW
Class Enables Debug Features (Java)	JAVA.DEBUG.CEDF
Clone Call to Super is Missing (Java)	JAVA.CLASS.CLONE.CCSM
Closeable Not Closed (Java)	JAVA.ALLOC.LEAK.NOTCLOSED
Closeable Not Stored (Java)	JAVA.ALLOC.LEAK.NOTSTORED
Code Injection (Java)	JAVA.IO.INJ.CODE
Command Injection (Java)	JAVA.IO.INJ.COMMAND
Comparison to Class Names (Java)	JAVA.COMPARE.EQUALS.CN
Comparison to Empty String (Java)	JAVA.COMPARE.EMPTYSTR
Cross Site Scripting (Java)	JAVA.IO.INJ.XSS
Cross Site Scripting In Error Message Web Page (Java)	JAVA.IO.INJ.XSS.EMWP
Cryptographic Algorithm with Risky Default Cipher (Java)	JAVA.CRYPTO.CADRC
Cryptographic Algorithm with Weak Cipher (Java)	JAVA.CRYPTO.CARC
Cryptographic Algorithm with Weak Hash (Java)	JAVA.CRYPTO.CAWH
DLL Injection (Java)	JAVA.IO.INJ.DLL
DOS Injection (Java)	JAVA.IO.INJ.DENIAL
Debug Call (Java)	JAVA.DEBUG.CALL
Debug Warning (Java)	JAVA.DEBUG.LOG
Defines equals but not hashCode (Java)	JAVA.IDEF.EQUALSNOHC
Defines hashCode but not equals (Java)	JAVA.IDEF.HCNOEQUALS
Deprecated Cryptography Provider (Java)	JAVA.CRYPTO.DEPRECATED
Direct Thread Usage in Http Servlet (Java)	JAVA.INSEC.HTTP.DTU
Double-Checked Locking (Java)	JAVA.CONCURRENCY.LOCK.DCL
Empty Branch Statement (Java)	JAVA.STRUCT.EBS
Empty Exception Handler (Java)	JAVA.STRUCT.EXCP.EEH
Empty jar File Archived (Java)	JAVA.STRUCT.ARCHIVE.EJF
Empty zip File Archived (Java)	JAVA.STRUCT.ARCHIVE.EZF
Exception Information Disclosure (Java)	JAVA.DEBUG.ID
Execution After Redirect (Java)	JAVA.INSEC.EAR
Explicit Finalize (Java)	JAVA.FUNCS.EF
Field Never Read (Java)	JAVA.STRUCT.URFIELD
Field Never Written (Java)	JAVA.STRUCT.UWFIELD
Floating Point Equality (Java)	JAVA.ARITH.FPEQUAL
Format String Injection (Java)	JAVA.IO.INJ.FMT
Fragment Injection (Java)	JAVA.IO.INJ.FRAGMENT
Generic Exception Handler (Java)	JAVA.STRUCT.EXCP.GEH
Hardcoded Cryptographic Key (Java)	JAVA.HARDCODED.KEY
Hardcoded Filename (Java)	JAVA.HARDCODED.FNAME
Hardcoded Password (Java)	JAVA.HARDCODED.PASSWD
Hardcoded Random Seed (Java)	JAVA.HARDCODED.SEED
Hostname in Condition (Java)	JAVA.INSEC.HIC
Ignored Return Value (Java)	JAVA.FUNCS.IRV
Ignored Return Value for Pure Function (Java)	JAVA.FUNCS.IRV.PURE
Impossible Client Side Locking (Java)	JAVA.CONCURRENCY.LOCK.ICS
Impossible reference comparison (Java)	JAVA.REDUNDANT.EQF
Inappropriate Exception Handler (Java)	JAVA.STRUCT.EXCP.INAPP
Inappropriate Instanceof (Java)	JAVA.CLASS.IOF.BAD
Ineffective Cleansing of Fragment Taint (Java)	JAVA.IO.TAINT.IC.FRAGMENT
Inefficient Bitwise AND (Java)	JAVA.STRUCT.BW.ANDI
Inefficient Bitwise OR (Java)	JAVA.STRUCT.BW.ORI
Inefficient Box-Unbox (Java)	JAVA.CLASS.BUB
Inefficient Instantiation (Java)	JAVA.CLASS.UI
Inner Class Should be Static (Java)	JAVA.CLASS.ICSBS
Insecure Cookie (Java)	JAVA.LIB.HTTP.COOKIE
Insecure Key Derivation (Java)	JAVA.CRYPTO.KEY
Insecure Random Number Generator (Java)	JAVA.LIB.RAND.FUNC
Insecure Socket Factory (Java)	JAVA.INSEC.SF
Insecure XSLT Execution (Java)	JAVA.LIB.XML.INSEC_XSLT
Insecure verifier Override for Hostname (Java)	JAVA.INSEC.HVO
Insecure verify Override for Certificate (Java)	JAVA.INSEC.CVO
Instanceof Always False (Java)	JAVA.CLASS.IOF.F
Instanceof Always True (Java)	JAVA.CLASS.IOF.T
JavaScript Enabled (Java)	JAVA.JS.JSE
JavaScript File Access from File URLs (Java)	JAVA.JS.FAFU
LDAP Authentication Disabled (Java)	JAVA.INSEC.LDAP.DA
Lambda Parameter may be null (Java)	JAVA.NULL.PARAM.LAMBDA
Legacy Random Generator (Java)	JAVA.LIB.RAND.LEGACY.GEN
Method Enables Debug Features (Java)	JAVA.DEBUG.MEDF
Method Names Differ Only in Case (Java)	JAVA.ID.CASE.METHOD
Method Should Not Return null (Java)	JAVA.NULL.RET.NONNULL
Missing Authentication Annotation (Java)	JAVA.INSEC.MAA
Missing Call to super (Java)	JAVA.CLASS.MCS
Missing Equals Override (Java)	JAVA.IDEF.NOEQUALS
Missing JavaScript Entry Point (Java)	JAVA.JS.MEP
Missing JavaScript Execution (Java)	JAVA.JS.ME
Missing Required Cryptographic Step (Java)	JAVA.CRYPTO.MRCS
Missing Serial Version Field (Java)	JAVA.CLASS.SER.UIDM
Missing isValidFragment Override (Java)	JAVA.CLASS.OR.ISVALIDFRAGMENT
Mutable Enumeration (Java)	JAVA.TYPE.ME
Mutable Public Static Final Array (Java)	JAVA.TYPE.MPSFA
Non-Object compareTo Parameter (Java)	JAVA.COMPARE.CTO.NONOBJ
Non-overriding Method Signature (Java)	JAVA.ID.BADOVERRIDE
Nonserializable Field (Java)	JAVA.CLASS.SER.FNON
Nonserializable Field Element (Java)	JAVA.CLASS.SER.ENON
Nonserializable Outer Class (Java)	JAVA.CLASS.SER.OCNON
Null Parameter Dereference (Java)	JAVA.NULL.PARAM.ACTUAL
Null Pointer Dereference (Java)	JAVA.NULL.DEREF
Open Redirect (Java)	JAVA.IO.TAINT.HTTP.OR
Password in Property File (Java)	JAVA.HARDCODED.PASSWD.FILE
Permissive File Mode (Java)	JAVA.IO.PERM
Possible XML External Entity Reference (Java)	JAVA.LIB.XML.XXE
Potential Infinite Recursion (Java)	JAVA.FUNCS.INFREC
Potential LDAP Poisoning (Java)	JAVA.INSEC.LDAP.POISON
Redundant Call for Integral Argument (Java)	JAVA.FUNCS.RED.INT
Redundant Call for String Argument (Java)	JAVA.FUNCS.RED.STR
Redundant Condition (Java)	JAVA.STRUCT.RC
Redundant Implements Clause (Java)	JAVA.CLASS.RI
Reflection Bypasses Member Accessibility (Java)	JAVA.CLASS.ACCESS.BYPASS
Reflection Injection (Java)	JAVA.IO.TAINT.REFLECTION
Reflection Modifies Member Accessibility (Java)	JAVA.CLASS.ACCESS.MODIFY
Return null Array (Java)	JAVA.NULL.RET.ARRAY
Return null Boolean (Java)	JAVA.NULL.RET.BOOL
Return null Optional (Java)	JAVA.NULL.RET.OPT
Risky Cipher Algorithm (Java)	JAVA.CRYPTO.RCA
Risky Cipher Field (Java)	JAVA.CRYPTO.RCF
Risky Class Cast (Java)	JAVA.CLASS.CAST
Risky Cryptographic Algorithm (Java)	JAVA.CRYPTO.RA
Risky Cryptographic Field (Java)	JAVA.CRYPTO.RF
Risky JavaScript Interface (Java)	JAVA.JS.RI
Risky array store (Java)	JAVA.CLASS.CAST.ARRSTORE
SQL Injection (Java)	JAVA.IO.INJ.SQL
Shadowed Identifier (Java)	JAVA.ID.SHADOW
Should Use == Instead of equals() (Java)	JAVA.COMPARE.EQUALS
Should Use equals() Instead of == (Java)	JAVA.COMPARE.EQ
Single-use Random Number Generator (Java)	JAVA.LIB.RAND.NEW
Static Field Assigned Non-Static (Java)	JAVA.CLASS.STATICMOD
Synchronization on Interned String (Java)	JAVA.CONCURRENCY.LOCK.ISTR
Synchronization on static (Java)	JAVA.CONCURRENCY.LOCK.STATIC
Synchronous Call to Thread Body (Java)	JAVA.CONCURRENCY.LOCK.SCTB
Tainted @Trusted Value (Java)	JAVA.IO.TAINT.TRUSTED
Tainted Allocation Size (Java)	JAVA.IO.TAINT.SIZE
Tainted Bundle (Java)	JAVA.IO.TAINT.BUNDLE
Tainted Control (Java)	JAVA.IO.TAINT.CONTROL
Tainted Data in Vulnerable Method (Java)	JAVA.IO.TAINT.VULN
Tainted Expression Evaluation (Java)	JAVA.IO.TAINT.EVAL
Tainted HTTP Response (Java)	JAVA.IO.TAINT.HTTP
Tainted Hardware Device Property (Java)	JAVA.IO.TAINT.DEVICE
Tainted LDAP Attribute (Java)	JAVA.IO.TAINT.LDAP.ATTR
Tainted LDAP Filter (Java)	JAVA.IO.TAINT.LDAP.FILTER
Tainted Log (Java)	JAVA.IO.TAINT.LOG
Tainted Message (Java)	JAVA.IO.TAINT.MESSAGE
Tainted Network Address (Java)	JAVA.IO.TAINT.ADDR
Tainted Path (Java)	JAVA.IO.TAINT.PATH
Tainted Regular Expression (Java)	JAVA.IO.TAINT.REGEX
Tainted Resource (Java)	JAVA.IO.TAINT.RESOURCE
Tainted Session (Java)	JAVA.IO.TAINT.SESSION
Tainted URL (Java)	JAVA.IO.TAINT.URL
Tainted XAML (Java)	JAVA.IO.TAINT.XAML
Tainted XML (Java)	JAVA.IO.TAINT.XML
Tainted Xpath (Java)	JAVA.IO.TAINT.XPATH
Unchecked Parameter Dereference (Java)	JAVA.STRUCT.UPD
Unexpected Serial Version Field (Java)	JAVA.CLASS.SER.UIDU
Universal JavaScript Access to File URLs (Java)	JAVA.JS.UAFU
Unnecessary Field (Java)	JAVA.STRUCT.UNFLD
Unnecessary Instantiation for GetClass (Java)	JAVA.CLASS.UIGC
Unreachable Instruction (Java)	JAVA.STRUCT.UC.INSTR
Unsafe Session Expiration Time (Java)	JAVA.INSEC.USET
Untrusted Network Host (Java)	JAVA.IO.UT.HOST
Unused Class (Java)	JAVA.STRUCT.UUCLASS
Unused Field (Java)	JAVA.STRUCT.UUFIELD
Unused Method (Java)	JAVA.STRUCT.UUMETH
Unused Object (Java)	JAVA.STRUCT.UUOBJ
Unused Value: Actual Parameter (Java)	JAVA.STRUCT.UUVAL.ACTUAL
Unused Value: Variable (Java)	JAVA.STRUCT.UUVAL.VAR
Unused Value: Write to Parameter (Java)	JAVA.STRUCT.UUVAL.PARAM
Use of Hardware ID (Java)	JAVA.IO.HWID
Use of Insecure verify for Certificate (Java)	JAVA.INSEC.CVU
Use of Insecure verify for Hostname (Java)	JAVA.INSEC.HVU
Use of Same Seed (Java)	JAVA.INSEC.SS
Useless Assignment (Java)	JAVA.STRUCT.UA
Useless Assignment to Default (Java)	JAVA.STRUCT.UA.DEFAULT
Useless Class Cast (Java)	JAVA.CLASS.CAST.USELESS
Useless Synchronization (Java)	JAVA.CONCURRENCY.LOCK.USELESS
Useless volatile Modifier (Java)	JAVA.CONCURRENCY.VOLATILE
Weak Cryptographic Value (Java)	JAVA.CRYPTO.VALUE
Weak Hash Algorithm (Java)	JAVA.CRYPTO.WHA
Weak Hash Algorithm Field (Java)	JAVA.CRYPTO.WHAF
Weak Initialization Vector Field (Java)	JAVA.CRYPTO.WIVF
Weak Initialization Vector Value (Java)	JAVA.CRYPTO.WIV
clone Non-cloneable (Java)	JAVA.CLASS.CLONE.CNC
clone not final (Java)	JAVA.CLASS.CLONE.NF
compareTo in Non-Comparable Class (Java)	JAVA.COMPARE.CTO.NONCOMP
compareTo without equals (Java)	JAVA.IDEF.CTONOEQ
compareTo/equals mismatch (Java)	JAVA.IDEF.CTOEQ
equals Always Fails (Java)	JAVA.REDUNDANT.EQUALSF
equals Parameter Should Be Object (Java)	JAVA.IDEF.EQUALS.NONOBJ
equals on Array (Java)	JAVA.COMPARE.EQARRAY
toString on Array (Java)	JAVA.TYPE.ARRAYTOSTRING

Class Name

Mnemonic

== Always Fails Because Types Always Different (Java)

JAVA.REDUNDANT.EQF.TYPE

Abs on random (Java)

JAVA.MATH.ABSRAND

Accessing File in Permissive Mode (Java)

JAVA.IO.PERM.ACCESS

Ambiguous Call from Inner Class (Java)

JAVA.CLASS.ACIC

Android Leak (Java)

JAVA.ALLOC.LEAK.ANDROID

Anonymous LDAP Authentication (Java)

JAVA.INSEC.LDAP.ANON

Approximate e Constant (Java)

JAVA.MATH.APPROX.E

Approximate pi Constant (Java)

JAVA.MATH.APPROX.PI

Array Parameter Empty (Java)

JAVA.FUNCS.APE

Assertion Contains Side Effects (Java)

JAVA.STRUCT.SE.ASSERT

Assignment in Conditional (Java)

JAVA.STRUCT.CONDASSIG

Asymmetric compareTo (Java)

JAVA.COMPARE.CTO.ASSYM

Bitwise AND on Boolean (Java)

JAVA.STRUCT.BW.AND

Bitwise AND on Boolean Constant (Java)

JAVA.STRUCT.BW.ANDC

Bitwise OR on Boolean (Java)

JAVA.STRUCT.BW.OR

Bitwise OR on Boolean Constant (Java)

JAVA.STRUCT.BW.ORC

Blocking in Critical Section (Java)

JAVA.CONCURRENCY.STARVE.BLOCKING

Broad Throws Clause (Java)

JAVA.STRUCT.EXCP.BROAD

Call Might Return Null (Java)

JAVA.NULL.RET.UNCHECKED

Cast: Integer to Floating Point (Java)

JAVA.CAST.FTRUNC

Cast: int Computation to long (Java)

JAVA.ARITH.OFLOW

Class Enables Debug Features (Java)

JAVA.DEBUG.CEDF

Clone Call to Super is Missing (Java)

JAVA.CLASS.CLONE.CCSM

Closeable Not Closed (Java)

JAVA.ALLOC.LEAK.NOTCLOSED

Closeable Not Stored (Java)

JAVA.ALLOC.LEAK.NOTSTORED

Code Injection (Java)

JAVA.IO.INJ.CODE

Command Injection (Java)

JAVA.IO.INJ.COMMAND

Comparison to Class Names (Java)

JAVA.COMPARE.EQUALS.CN

Comparison to Empty String (Java)

JAVA.COMPARE.EMPTYSTR

Cross Site Scripting (Java)

JAVA.IO.INJ.XSS

Cross Site Scripting In Error Message Web Page (Java)

JAVA.IO.INJ.XSS.EMWP

Cryptographic Algorithm with Risky Default Cipher (Java)

JAVA.CRYPTO.CADRC

Cryptographic Algorithm with Weak Cipher (Java)

JAVA.CRYPTO.CARC

Cryptographic Algorithm with Weak Hash (Java)

Defines equals but not hashCode (Java)

JAVA.IDEF.EQUALSNOHC

Defines hashCode but not equals (Java)

JAVA.IDEF.HCNOEQUALS

Deprecated Cryptography Provider (Java)

JAVA.CRYPTO.DEPRECATED

Direct Thread Usage in Http Servlet (Java)

JAVA.INSEC.HTTP.DTU

Double-Checked Locking (Java)

JAVA.CONCURRENCY.LOCK.DCL

Empty Branch Statement (Java)

JAVA.STRUCT.EBS

Empty Exception Handler (Java)

JAVA.STRUCT.EXCP.EEH

Empty jar File Archived (Java)

JAVA.STRUCT.ARCHIVE.EJF

Empty zip File Archived (Java)

JAVA.STRUCT.ARCHIVE.EZF

Exception Information Disclosure (Java)

JAVA.DEBUG.ID

Execution After Redirect (Java)

JAVA.INSEC.EAR

Explicit Finalize (Java)

JAVA.FUNCS.EF

Field Never Read (Java)

JAVA.STRUCT.URFIELD

Field Never Written (Java)

JAVA.STRUCT.UWFIELD

Floating Point Equality (Java)

JAVA.ARITH.FPEQUAL

Format String Injection (Java)

JAVA.IO.INJ.FMT

Fragment Injection (Java)

JAVA.IO.INJ.FRAGMENT

Generic Exception Handler (Java)

JAVA.STRUCT.EXCP.GEH

Hardcoded Cryptographic Key (Java)

JAVA.HARDCODED.KEY

Hardcoded Filename (Java)

JAVA.HARDCODED.FNAME

Hardcoded Password (Java)

JAVA.HARDCODED.PASSWD

Hardcoded Random Seed (Java)

JAVA.HARDCODED.SEED

Hostname in Condition (Java)

JAVA.INSEC.HIC

Ignored Return Value (Java)

JAVA.FUNCS.IRV

Ignored Return Value for Pure Function (Java)

JAVA.FUNCS.IRV.PURE

Impossible Client Side Locking (Java)

JAVA.CONCURRENCY.LOCK.ICS

Impossible reference comparison (Java)

JAVA.REDUNDANT.EQF

Inappropriate Exception Handler (Java)

JAVA.STRUCT.EXCP.INAPP

Inappropriate Instanceof (Java)

JAVA.CLASS.IOF.BAD

Ineffective Cleansing of Fragment Taint (Java)

JAVA.IO.TAINT.IC.FRAGMENT

Inefficient Bitwise AND (Java)

JAVA.STRUCT.BW.ANDI

Inefficient Bitwise OR (Java)

JAVA.STRUCT.BW.ORI

Inefficient Box-Unbox (Java)

JAVA.CLASS.BUB

Inefficient Instantiation (Java)

JAVA.CLASS.UI

Inner Class Should be Static (Java)

JAVA.CLASS.ICSBS

Insecure Cookie (Java)

JAVA.LIB.HTTP.COOKIE

Insecure Key Derivation (Java)

JAVA.CRYPTO.KEY

Insecure Random Number Generator (Java)

JAVA.LIB.RAND.FUNC

Insecure Socket Factory (Java)

JAVA.INSEC.SF

Insecure XSLT Execution (Java)

JAVA.LIB.XML.INSEC_XSLT

Insecure verifier Override for Hostname (Java)

JAVA.INSEC.HVO

Insecure verify Override for Certificate (Java)

JAVA.INSEC.CVO

Instanceof Always False (Java)

JAVA.CLASS.IOF.F

Instanceof Always True (Java)

JAVA.CLASS.IOF.T

JavaScript Enabled (Java)

JAVA.JS.JSE

JavaScript File Access from File URLs (Java)

JAVA.JS.FAFU

LDAP Authentication Disabled (Java)

JAVA.INSEC.LDAP.DA

Lambda Parameter may be null (Java)

JAVA.NULL.PARAM.LAMBDA

Legacy Random Generator (Java)

JAVA.LIB.RAND.LEGACY.GEN

Method Enables Debug Features (Java)

JAVA.DEBUG.MEDF

Method Names Differ Only in Case (Java)

JAVA.ID.CASE.METHOD

Method Should Not Return null (Java)

JAVA.NULL.RET.NONNULL

Missing Authentication Annotation (Java)

JAVA.INSEC.MAA

Missing Call to super (Java)

JAVA.CLASS.MCS

Missing Equals Override (Java)

JAVA.IDEF.NOEQUALS

Missing JavaScript Entry Point (Java)

JAVA.JS.MEP

Missing JavaScript Execution (Java)

JAVA.JS.ME

Missing Required Cryptographic Step (Java)

JAVA.CRYPTO.MRCS

Missing Serial Version Field (Java)

JAVA.CLASS.SER.UIDM

Missing isValidFragment Override (Java)

JAVA.CLASS.OR.ISVALIDFRAGMENT

Mutable Enumeration (Java)

JAVA.TYPE.ME

Mutable Public Static Final Array (Java)

JAVA.TYPE.MPSFA

Non-Object compareTo Parameter (Java)

JAVA.COMPARE.CTO.NONOBJ

Non-overriding Method Signature (Java)

JAVA.ID.BADOVERRIDE

Nonserializable Field (Java)

JAVA.CLASS.SER.FNON

Nonserializable Field Element (Java)

JAVA.CLASS.SER.ENON

Nonserializable Outer Class (Java)

JAVA.CLASS.SER.OCNON

Null Parameter Dereference (Java)

JAVA.NULL.PARAM.ACTUAL

Null Pointer Dereference (Java)

JAVA.NULL.DEREF

Open Redirect (Java)

JAVA.IO.TAINT.HTTP.OR

Password in Property File (Java)

JAVA.HARDCODED.PASSWD.FILE

Permissive File Mode (Java)

JAVA.IO.PERM

Possible XML External Entity Reference (Java)

JAVA.LIB.XML.XXE

Potential Infinite Recursion (Java)

JAVA.FUNCS.INFREC

Potential LDAP Poisoning (Java)

JAVA.INSEC.LDAP.POISON

Redundant Call for Integral Argument (Java)

JAVA.FUNCS.RED.INT

Redundant Call for String Argument (Java)

JAVA.FUNCS.RED.STR

Redundant Condition (Java)

JAVA.STRUCT.RC

Redundant Implements Clause (Java)

JAVA.CLASS.RI

Reflection Bypasses Member Accessibility (Java)

JAVA.CLASS.ACCESS.BYPASS

Reflection Injection (Java)

JAVA.IO.TAINT.REFLECTION

Reflection Modifies Member Accessibility (Java)

JAVA.CLASS.ACCESS.MODIFY

Return null Array (Java)

JAVA.NULL.RET.ARRAY

Return null Boolean (Java)

JAVA.NULL.RET.BOOL

Return null Optional (Java)

JAVA.NULL.RET.OPT

Risky Cipher Algorithm (Java)

JAVA.CRYPTO.RCA

Risky Cipher Field (Java)

JAVA.CRYPTO.RCF

Risky Class Cast (Java)

JAVA.CLASS.CAST

Risky Cryptographic Algorithm (Java)

JAVA.CRYPTO.RA

Risky Cryptographic Field (Java)

JAVA.CRYPTO.RF

Risky JavaScript Interface (Java)

JAVA.JS.RI

Risky array store (Java)

JAVA.CLASS.CAST.ARRSTORE

SQL Injection (Java)

JAVA.IO.INJ.SQL

Shadowed Identifier (Java)

JAVA.ID.SHADOW

Should Use == Instead of equals() (Java)

JAVA.COMPARE.EQUALS

Should Use equals() Instead of == (Java)

JAVA.COMPARE.EQ

Single-use Random Number Generator (Java)

JAVA.LIB.RAND.NEW

Static Field Assigned Non-Static (Java)

JAVA.CLASS.STATICMOD

Synchronization on Interned String (Java)

JAVA.CONCURRENCY.LOCK.ISTR

Synchronization on static (Java)

JAVA.CONCURRENCY.LOCK.STATIC

Synchronous Call to Thread Body (Java)

JAVA.CONCURRENCY.LOCK.SCTB

Tainted @Trusted Value (Java)

JAVA.IO.TAINT.TRUSTED

Tainted Allocation Size (Java)

JAVA.IO.TAINT.SIZE

Tainted Bundle (Java)

JAVA.IO.TAINT.BUNDLE

Tainted Control (Java)

JAVA.IO.TAINT.CONTROL

Tainted Data in Vulnerable Method (Java)

JAVA.IO.TAINT.VULN

Tainted Expression Evaluation (Java)

JAVA.IO.TAINT.EVAL

Tainted HTTP Response (Java)

JAVA.IO.TAINT.HTTP

Tainted Hardware Device Property (Java)

JAVA.IO.TAINT.DEVICE

Tainted LDAP Attribute (Java)

JAVA.IO.TAINT.LDAP.ATTR

Tainted LDAP Filter (Java)

JAVA.IO.TAINT.LDAP.FILTER

Tainted Log (Java)

JAVA.IO.TAINT.LOG

Tainted Message (Java)

JAVA.IO.TAINT.MESSAGE

Tainted Network Address (Java)

JAVA.IO.TAINT.ADDR

Tainted Path (Java)

JAVA.IO.TAINT.PATH

Tainted Regular Expression (Java)

JAVA.IO.TAINT.REGEX

Tainted Resource (Java)

JAVA.IO.TAINT.RESOURCE

Tainted Session (Java)

JAVA.IO.TAINT.SESSION

Unchecked Parameter Dereference (Java)

JAVA.STRUCT.UPD

Unexpected Serial Version Field (Java)

JAVA.CLASS.SER.UIDU

Universal JavaScript Access to File URLs (Java)

JAVA.JS.UAFU

Unnecessary Field (Java)

JAVA.STRUCT.UNFLD

Unnecessary Instantiation for GetClass (Java)

JAVA.CLASS.UIGC

Unreachable Instruction (Java)

JAVA.STRUCT.UC.INSTR

Unsafe Session Expiration Time (Java)

JAVA.INSEC.USET

Untrusted Network Host (Java)

Unused Value: Actual Parameter (Java)

JAVA.STRUCT.UUVAL.ACTUAL

Unused Value: Variable (Java)

JAVA.STRUCT.UUVAL.VAR

Unused Value: Write to Parameter (Java)

JAVA.STRUCT.UUVAL.PARAM

Use of Hardware ID (Java)

JAVA.IO.HWID

Use of Insecure verify for Certificate (Java)

JAVA.INSEC.CVU

Use of Insecure verify for Hostname (Java)

JAVA.INSEC.HVU

Use of Same Seed (Java)

JAVA.INSEC.SS

Useless Assignment (Java)

JAVA.STRUCT.UA

Useless Assignment to Default (Java)

JAVA.STRUCT.UA.DEFAULT

Useless Class Cast (Java)

JAVA.CLASS.CAST.USELESS

Useless Synchronization (Java)

JAVA.CONCURRENCY.LOCK.USELESS

Useless volatile Modifier (Java)

JAVA.CONCURRENCY.VOLATILE

Weak Cryptographic Value (Java)

JAVA.CRYPTO.VALUE

Weak Hash Algorithm (Java)

JAVA.CRYPTO.WHA

Weak Hash Algorithm Field (Java)

JAVA.CRYPTO.WHAF

Weak Initialization Vector Field (Java)

JAVA.CRYPTO.WIVF

Weak Initialization Vector Value (Java)

JAVA.CRYPTO.WIV

clone Non-cloneable (Java)

JAVA.CLASS.CLONE.CNC

clone not final (Java)

JAVA.CLASS.CLONE.NF

compareTo in Non-Comparable Class (Java)

JAVA.COMPARE.CTO.NONCOMP

compareTo without equals (Java)

JAVA.IDEF.CTONOEQ

compareTo/equals mismatch (Java)

JAVA.IDEF.CTOEQ

equals Always Fails (Java)

JAVA.REDUNDANT.EQUALSF

equals Parameter Should Be Object (Java)

JAVA.IDEF.EQUALS.NONOBJ

equals on Array (Java)

JAVA.COMPARE.EQARRAY

toString on Array (Java)

JAVA.TYPE.ARRAYTOSTRING

Reporting for these classes is disabled by default. See individual warning class documentation pages for enabling instructions: the requirements vary depending on the class.

Class Name	Mnemonic	Security/Deep/Pedantic
Actual Parameter Element may be null (Java)	JAVA.DEEPNULL.PARAM.EACTUAL	deep
Android Message Injection (Java)	JAVA.IO.INJ.ANDROID.MESSAGE	deep, security
Android URL Injection (Java)	JAVA.IO.INJ.ANDROID.URL	deep, security
Certificate Added to Root Store (Java)	JAVA.INSEC.CERT.RS	security
Deprecated Transfer Protocol (Java)	JAVA.INSEC.DTP	security
Deserializable Class (Java)	JAVA.CLASS.SER.DESER	security
Deserializing Non-Serializable Class (Java)	JAVA.CLASS.SER.DNS	security
Field Element may be null (deep) (Java)	JAVA.DEEPNULL.EFIELD	deep
Field Too Visible (Java)	JAVA.CLASS.VIS.FIELD	pedantic
Field may be null (deep) (Java)	JAVA.DEEPNULL.FIELD	deep
Hardcoded IP Address (Java)	JAVA.HARDCODED.IP	security
Inadequate Salt (Java)	JAVA.CRYPTO.SALT	security
Insecure Class Loader (Java)	JAVA.CLASS.ICL	pedantic
Method Disables Security Setting (Java)	JAVA.INSEC.MDSS	security
Method Should be final (Java)	JAVA.CLASS.METH.NF	pedantic
Method Should be private (Java)	JAVA.CLASS.VIS.METH.PRIV	pedantic
Missing synchronized Statement (Java)	JAVA.CONCURRENCY.SYNC.MSS	deep
Mutable Constant Field (Java)	JAVA.TYPE.MCF	pedantic
Naming Style Violation (Java)	JAVA.ID.STYLE	pedantic
Null Pointer Dereference (deep) (Java)	JAVA.DEEPNULL.DEREF	deep
Return Value may Contain null Element (Java)	JAVA.DEEPNULL.RET.EMETH	deep
Return Value may be null (Java)	JAVA.DEEPNULL.RET.METH	deep
Security Annotation Conflict (Java)	JAVA.INSEC.SAC	security
Sensitive Data Cached (Java)	JAVA.MISC.SD.CACHE	deep, security
Sensitive Data Written to External Storage (Java)	JAVA.MISC.SD.EXT	deep, security
Sensitive Data Written to Local File (Java)	JAVA.MISC.SD.FILE	deep, security
Serialization Not Disabled (Java)	JAVA.CLASS.SER.ND	pedantic
Static Field Too Visible (Java)	JAVA.CLASS.VIS.SFIELD	pedantic
Unchecked Parameter Dereference (deep) (Java)	JAVA.STRUCT.DUPD	deep
Unchecked Parameter Element Dereference (deep) (Java)	JAVA.STRUCT.UPED	deep
Unguarded Field (Java)	JAVA.CONCURRENCY.UG.FIELD	deep
Unguarded Method (Java)	JAVA.CONCURRENCY.UG.METH	deep
Unguarded Parameter (Java)	JAVA.CONCURRENCY.UG.PARAM	deep
Unsafe Base64 Encoding (Java)	JAVA.CRYPTO.BASE64	security
Useless null Test (Java)	JAVA.DEEPNULL.UTEST	deep
Useless null Test of Field (Java)	JAVA.DEEPNULL.UTEST.FIELD	deep
Useless null Test of Parameter (Java)	JAVA.DEEPNULL.UTEST.PARAM	deep
Useless null Test of Return Value (Java)	JAVA.DEEPNULL.UTEST.RV	deep
clone Subclass of Non-clonable (Java)	JAVA.CLASS.CLONE.SCNC	pedantic
null Passed to Method (deep) (Java)	JAVA.DEEPNULL.PARAM.ACTUAL	deep

Class Name

Mnemonic

Security/Deep/Pedantic

Actual Parameter Element may be null (Java)

JAVA.DEEPNULL.PARAM.EACTUAL

deep

Android Message Injection (Java)

JAVA.IO.INJ.ANDROID.MESSAGE

deep, security

Android URL Injection (Java)

JAVA.IO.INJ.ANDROID.URL

deep, security