CWE IDs: Java
| ID | Checker name and description |
|---|---|
| 20 |
ANDROID.LIFECYCLE.SV.GETEXTRA Unvalidated external data SV.TAINT Tainted data SV.TAINT_NATIVE Tainted data goes to native code |
| 22 |
SV.PATH Path and file name injection SV.PATH.INJ File injection |
| 73 |
SV.TMPFILE Temporary file path tampering |
| 74 |
JAVA.SV.XML.INVALID XML is not validated before being unmarshalled to a Java object |
| 78 |
SV.EXEC Process Injection SV.EXEC.DIR Process Injection. Working Directory SV.EXEC.ENV Process Injection. Environment Variables SV.EXEC.LOCAL Process Injection. Local Arguments |
| 79 |
SV.XSS.DB Cross Site Scripting (Stored XSS) SV.XSS.REF Cross Site Scripting (Reflected XSS) |
| 89 |
SV.DATA.DB Data injection SV.SQL Sql Injection SV.SQL.DBSOURCE Unchecked information from the database is used in SQL statements |
| 90 |
SV.LDAP Unvalidated user input is used as LDAP filter |
| 94 |
SV.DATA.DB Data injection SV.SQL Sql Injection SV.SQL.DBSOURCE Unchecked information from the database is used in SQL statements |
| 103 |
SV.STRUTS.VALIDMET Struts Forms: validate method |
| 105 |
SV.STRUTS.NOTVALID Struts Forms: inconsistent validate |
| 113 |
SV.HTTP_SPLIT Http Response Splitting |
| 114 |
SV.LOADLIB.INJ Untrusted call to 'loadLibrary' method |
| 117 |
SV.LOG_FORGING Log Forging |
| 129 |
SV.DOS.ARRINDEX Tainted index used for array access |
| 190 |
SV.INT_OVF Tainted data may lead to Integer Overflow |
| 200 |
SV.SENSITIVE.DATA Unencrypted sensitive data is written SV.SENSITIVE.OBJ Object with unencrypted sensitive data is stored |
| 226 |
SV.STRUTS.NOTRESET Struts Forms: inconsistent reset SV.STRUTS.RESETMET Struts Forms: reset method |
| 245 |
SV.UMC.JDBC Application should avoid calling to DriverManager.getConnection() directly |
| 246 |
SV.SOCKETS Bad practices: use of sockets |
| 248 |
JD.UNCAUGHT Uncaught exception |
| 259 |
SV.PASSWD.HC Hardcoded Password SV.PASSWD.HC.EMPTY Empty Password |
| 269 |
SV.PRIVILEGE.MISSING Method invoked should not be inside doPrivileged block |
| 287 |
SV.AUTH.BYPASS.MIGHT Incorrect Authentication SV.AUTH.BYPASS.MUST Incorrect Authentication SV.AUTH.HASH.MIGHT Use of weak cryptographic algorithm SV.AUTH.HASH.MUST Use of weak cryptographic algorithm SV.LDAP.ANON Incorrect authentication |
| 295 |
JAVA.SV.EMAIL.HOST Sending e-mails to Host without validation. SV.ECV Empty certificate validation SV.ECV.TRUSTMANAGER Unsafe implementation of the interface X509TrustManager. |
| 306 |
SPRING.AUTHC.ABSENT No configuration for a critical resource SPRING.AUTHC.MISSING Missing authentication for critical function |
| 311 |
SV.SENSITIVE.DATA Unencrypted sensitive data is written SV.SENSITIVE.OBJ Object with unencrypted sensitive data is stored SV.XSS.COOKIE.SECURE Sensitive cookie without Secure protocol |
| 315 |
SV.XSS.COOKIE.SECURE Sensitive cookie without Secure protocol |
| 326 |
SV.WEAK.KEYS.AES Insufficient key length in Cryptographic Algorithm SV.WEAK.KEYS.DH Insufficient key length in Cryptographic Algorithm SV.WEAK.KEYS.DSA Insufficient key length in Cryptographic Algorithm SV.WEAK.KEYS.EC Insufficient key length in Cryptographic Algorithm SV.WEAK.KEYS.RSA Insufficient key length in Cryptographic Algorithm SV.WEAK.TLS Weak SSL/TLS protocols should not be used. |
| 327 |
SV.WEAK.CRYPT Use of a Broken or Risky Cryptographic Algorithm SV.WEAK.TLS Weak SSL/TLS protocols should not be used. |
| 330 |
SV.RANDOM Use of insecure Random number generator |
| 352 |
SV.CSRF.GET CSRF Token in GET request SV.CSRF.ORIGIN Request handler without an origin check SV.CSRF.TOKEN State changing request handler without a CSRF check |
| 374 |
SV.EXPOSE.RET Internal representation may be exposed SV.EXPOSE.STORE Method stores reference to mutable object |
| 382 |
SV.UMC.EXIT The System.exit() and Runtime.exit() method calls should not be used in servlets code UMC.EXIT The System.exit() method call is unwanted |
| 383 |
SV.UMC.THREADS Bad practices: use of thread management |
| 384 |
SV.SESSION.FIXATION.COOKIE Cookies should not be vulnerable to session fixation SV.SPRING.FIXATION Session fixation protection is disabled |
| 391 |
ECC.EMPTY Empty catch clause RI.IGNOREDCALL The value returned by a method called on immutable object is ignored RI.IGNOREDNEW Newly created object is ignored RR.IGNORED The returned value is ignored |
| 396 |
EXC.BROADTHROWS Method has an overly broad throws declaration |
| 400 |
JD.INF.ALLOC Allocation within infinite loop SV.DOS.ARRSIZE Tainted size used for array allocation |
| 404 |
RLK.FIELD Possible leak of system resource stored in a field RLK.IN Input stream is not closed on exit RLK.OUT Output stream is not closed on exit RLK.SQLCON Sql connection is not closed on exit RLK.SWT SWT object is not disposed on exit |
| 426 |
SV.EXEC.PATH Untrusted Search Path |
| 434 |
SV.DATA.FILE A potentially harmful file could be uploaded and automatically processed |
| 459 |
SV.DOS.TMPFILEDEL Leaving temporary file for lifetime of JVM SV.DOS.TMPFILEEXIT Leaving temporary file |
| 472 |
SV.EMAIL Unchecked e-mail |
| 476 |
ANDROID.NPE Dereference of a null value in an Android application NPE.COND Null pointer dereference where null comes from condition NPE.CONST Null pointer dereference where null comes from constant NPE.RET Dereference of a null value which is returned from a method NPE.RET.UTIL Dereference of a null value which is returned from a map or a collection NPE.STAT Null pointer dereference of a return value (statistical) REDUN.EQNULL Suspicious equals() called with expression and null (never true) REDUN.NULL Usage of variable instead of null constant RNU.THIS Compare this and null but this cannot be null |
| 486 |
CMP.CLASS Comparing by classname |
| 489 |
SV.UMD.MAIN Leftover debug code - main method |
| 493 |
SV.EXPOSE.FIELD Static field may be changed by malicious code |
| 497 |
SV.IL.DEV Design information leakage |
| 500 |
SV.STRUTS.STATIC Struts Forms: static fields |
| 501 |
SV.DATA.BOUND Untrusted Data leaks into trusted storage |
| 502 |
SV.SERIAL.NOFINAL Methods readObject() and writeObject() in serializable classes should be final SV.SERIAL.NOREAD Method readObject() should be defined for a serializable class SV.SERIAL.NOWRITE Method writeObject() should be defined for a serializable class SV.SERIAL.OVERRIDE Do not invoke overridable methods from the readObject() method SV.SERIAL.SIG Methods readObject() and writeObject() in serializable classes should have correct signature |
| 522 |
SV.PASSWD.PLAIN Plain-text Password SV.PASSWD.PLAIN.HC Plain-text Password |
| 548 |
SV.IL.FILE File Name Leaking |
| 567 |
SV.SHARED.VAR Unsynchronized access to static variable from servlet |
| 568 |
FIN.EMPTY Empty finalize() method should be removed FIN.NOSUPER Implementation of the finalize() method should call super.finalize() |
| 570 |
REDUN.EQNULL Suspicious equals() called with expression and null (never true) |
| 571 |
REDUN.EQ Suspicious equals() called with same expression on both sides |
| 576 |
UMC.SYSERR Debug print using System.err method calls is unwanted UMC.SYSOUT Debug print using System.out method calls is unwanted |
| 580 |
SV.CLONE.SUP Class implements 'clone' method but does not implement Cloneable |
| 581 |
EHC.EQ Class defines hashCode() but does not define equals() EHC.HASH Class defines equals() but does not define hashCode() |
| 583 |
SV.EXPOSE.FIN Method finalize() should have protected access modifier, not public |
| 595 |
CMP.OBJ Comparing objects with == |
| 611 |
SV.XXE.DBF Possibility for XML External Entity attack SV.XXE.SF Possibility for XML External Entity attack SV.XXE.SPF Possibility for XML External Entity attack SV.XXE.TF Possibility for XML External Entity attack SV.XXE.XIF Possibility for XML External Entity attack SV.XXE.XRF Possibility for XML External Entity attack |
| 614 |
SV.XSS.COOKIE.SECURE Sensitive cookie without Secure protocol |
| 732 |
SV.PERMS.HOME File created in user home directory, without setting permissions SV.PERMS.WIDE Too wide permissions |
| 759 |
SV.HASH.NO_SALT Use of a one-way cryptographic hash without a salt |
| 772 |
RLK.AWT AWT object is not disposed on exit RLK.FIELD Possible leak of system resource stored in a field RLK.HIBERNATE Hibernate object is not closed on exit RLK.IMAGEIO ImageIO stream is not closed on exit RLK.IN Input stream is not closed on exit RLK.JNDI JNDI context is not closed on exit RLK.MAIL Java mail object is not closed on exit RLK.MICRO Java Microedition connection is not closed on exit RLK.NIO NIO object is not closed on exit RLK.OUT Output stream is not closed on exit RLK.SOCK Socket is not closed on exit RLK.SQLCON Sql connection is not closed on exit RLK.SQLOBJ Sql object is not closed on exit RLK.SWT SWT object is not disposed on exit RLK.ZIP Zip file is not closed on exit |
| 807 |
SV.IL.SESSION.CLIENT HttpServletRequest.getRequestedSessionId method should not be used. |
| 829 |
SV.CLASSDEF.INJ Runtime Class Definition Injection SV.CLASSLOADER.INJ Class Loader URL Injection SV.SCRIPT Script Execution |
| 862 |
SPRING.AUTHZ.ABSENT No configuration for protected resource SPRING.AUTHZ.MISSING Missing Authorization |
| 918 |
SV.SSRF.URI URI based on invalidated user input. |
| 1004 |
SV.XSS.COOKIE Sensitive cookie without setHttpOnly flag |
| 1032 |
ECC.EMPTY Empty catch clause EXC.BROADTHROWS Method has an overly broad throws declaration JD.CATCH Catching runtime exception JD.FINRET Return inside finally JD.UNCAUGHT Uncaught exception SV.IL.DEV Design information leakage SV.IL.FILE File Name Leaking UMC.SYSERR Debug print using System.err method calls is unwanted UMC.SYSOUT Debug print using System.out method calls is unwanted |
| 1035 |
SV.STRUTS.VER Usage of vulnerable Apache Struts version |
Support Summary:
- 66 rules