CWE IDs: Java
| ID | Checker name and description |
|---|---|
| CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag | `SV.XSS.COOKIE` Sensitive cookie without setHttpOnly flag |
| CWE-1032: Security Misconfiguration | `ECC.EMPTY` Empty catch clause; `EXC.BROADTHROWS` Method has an overly broad throws declaration; `JD.CATCH` Catching runtime exception; `JD.FINRET` Return inside finally; `JD.UNCAUGHT` Uncaught exception; `SV.IL.DEV` Design information leakage; `SV.IL.FILE` File Name Leaking; `UMC.SYSERR` Debug print using System.err method calls is unwanted; `UMC.SYSOUT` Debug print using System.out method calls is unwanted |
| CWE-1035: Usage of vulnerable Apache Struts version | `SV.STRUTS.VER` Usage of vulnerable Apache Struts version |
| CWE-103: Struts: Incomplete validate() Method Definition | `SV.STRUTS.VALIDMET` Struts Forms: validate method |
| CWE-105: Struts: Form Field Without Validator | `SV.STRUTS.NOTVALID` Struts Forms: inconsistent validate |
| CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') | `SV.HTTP_SPLIT` Http Response Splitting |
| CWE-114: Process Control | `SV.LOADLIB.INJ` Untrusted call to 'loadLibrary' method |
| CWE-117: Improper Output Neutralization for Logs | `SV.LOG_FORGING` Log Forging |
| CWE-129: Improper Validation of Array Index | `SV.DOS.ARRINDEX` Tainted index used for array access |
| CWE-190: Integer Overflow or Wraparound | `SV.INT_OVF` Tainted data may lead to Integer Overflow |
| CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | `SV.SENSITIVE.DATA` Unencrypted sensitive data is written; `SV.SENSITIVE.OBJ` Object with unencrypted sensitive data is stored |
| CWE-20: Improper Input Validation | `ANDROID.LIFECYCLE.SV.GETEXTRA` Unvalidated external data; `SV.TAINT` Tainted data; `SV.TAINT_NATIVE` Tainted data goes to native code |
| CWE-226: Sensitive Information Uncleared Before Release | `SV.STRUTS.NOTRESET` Struts Forms: inconsistent reset; `SV.STRUTS.RESETMET` Struts Forms: reset method |
| CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | `SV.PATH` Path and file name injection; `SV.PATH.INJ` File injection |
| CWE-245: J2EE Bad Practices: Direct Management of Connections | `SV.UMC.JDBC` Application should avoid calling DriverManager.getConnection() directly |
| CWE-246: J2EE Bad Practices: Direct Use of Sockets | `SV.SOCKETS` Bad practices: use of sockets |
| CWE-248: Uncaught Exception | `JD.UNCAUGHT` Uncaught exception |
| CWE-259: Use of Hard-coded Password | `SV.PASSWD.HC` Hardcoded Password; `SV.PASSWD.HC.EMPTY` Empty Password |
| CWE-269: Improper Privilege Management | `SV.PRIVILEGE.MISSING` Method invoked should not be inside doPrivileged block |
| CWE-287: Incorrect Authentication | `SV.AUTH.BYPASS.MIGHT` Incorrect Authentication; `SV.AUTH.BYPASS.MUST` Incorrect Authentication; `SV.AUTH.HASH.MIGHT` Use of weak cryptographic algorithm; `SV.AUTH.HASH.MUST` Use of weak cryptographic algorithm; `SV.LDAP.ANON` Incorrect authentication |
| CWE-295: Improper Certificate Validation | `JAVA.SV.EMAIL.HOST` Sending e-mails to Host without validation; `SV.ECV` Empty certificate validation; `SV.ECV.TRUSTMANAGER` Unsafe implementation of the interface X509TrustManager |
| CWE-306: Missing Authentication for Critical Function | `SPRING.AUTHC.ABSENT` No configuration for a critical resource; `SPRING.AUTHC.MISSING` Missing authentication for critical function |
| CWE-311: Missing Encryption of Sensitive Data | `SV.SENSITIVE.DATA` Unencrypted sensitive data is written; `SV.SENSITIVE.OBJ` Object with unencrypted sensitive data is stored; `SV.XSS.COOKIE.SECURE` Sensitive cookie without Secure protocol |
| CWE-315: Cleartext Storage of Sensitive Information in a Cookie | `SV.XSS.COOKIE.SECURE` Sensitive cookie without Secure protocol |
| CWE-326: Inadequate Encryption Strength | `SV.WEAK.KEYS.AES` Insufficient key length in Cryptographic Algorithm; `SV.WEAK.KEYS.DH` Insufficient key length in Cryptographic Algorithm; `SV.WEAK.KEYS.DSA` Insufficient key length in Cryptographic Algorithm; `SV.WEAK.KEYS.EC` Insufficient key length in Cryptographic Algorithm; `SV.WEAK.KEYS.RSA` Insufficient key length in Cryptographic Algorithm; `SV.WEAK.TLS` Weak SSL/TLS protocols should not be used |
| CWE-327: Use of a Broken or Risky Cryptographic Algorithm | `SV.WEAK.CRYPT` Use of a Broken or Risky Cryptographic Algorithm; `SV.WEAK.TLS` Weak SSL/TLS protocols should not be used |
| CWE-330: Use of Insufficiently Random Values | `SV.RANDOM` Use of insecure Random number generator |
| CWE-352: Cross-Site Request Forgery (CSRF) | `SV.CSRF.GET` CSRF Token in GET request; `SV.CSRF.ORIGIN` Request handler without an origin check; `SV.CSRF.TOKEN` State changing request handler without a CSRF check |
| CWE-374: Passing Mutable Objects to an Untrusted Method | `SV.EXPOSE.RET` Internal representation may be exposed; `SV.EXPOSE.STORE` Method stores reference to mutable object |
| CWE-382: J2EE Bad Practices: Use of System.exit() | `SV.UMC.EXIT` The System.exit() and Runtime.exit() method calls should not be used in servlet code; `UMC.EXIT` The System.exit() method call is unwanted |
| CWE-383: J2EE Bad Practices: Direct Use of Threads | `SV.UMC.THREADS` Bad practices: use of thread management |
| CWE-384: Session Fixation | `SV.SESSION.FIXATION.COOKIE` Cookies should not be vulnerable to session fixation; `SV.SPRING.FIXATION` Session fixation protection is disabled |
| CWE-391: Unchecked Error Condition | `ECC.EMPTY` Empty catch clause; `RI.IGNOREDCALL` The value returned by a method called on an immutable object is ignored; `RI.IGNOREDNEW` Newly created object is ignored; `RR.IGNORED` The returned value is ignored |
| CWE-396: Declaration of Catch for Generic Exception | `EXC.BROADTHROWS` Method has an overly broad throws declaration |
| CWE-400: Uncontrolled Resource Consumption | `JD.INF.ALLOC` Allocation within infinite loop; `SV.DOS.ARRSIZE` Tainted size used for array allocation |
| CWE-404: Improper Resource Shutdown or Release | `RLK.FIELD` Possible leak of system resource stored in a field; `RLK.IN` Input stream is not closed on exit; `RLK.OUT` Output stream is not closed on exit; `RLK.SQLCON` Sql connection is not closed on exit; `RLK.SWT` SWT object is not disposed on exit |
| CWE-426: Untrusted Search Path | `SV.EXEC.PATH` Untrusted Search Path |
| CWE-434: Unrestricted Upload of File with Dangerous Type | `SV.DATA.FILE` A potentially harmful file could be uploaded and automatically processed |
| CWE-459: Incomplete Cleanup | `SV.DOS.TMPFILEDEL` Leaving temporary file for lifetime of JVM; `SV.DOS.TMPFILEEXIT` Leaving temporary file |
| CWE-472: External Control of Assumed-Immutable Web Parameter | `SV.EMAIL` Unchecked e-mail |
| CWE-476: NULL Pointer Dereference | `ANDROID.NPE` Dereference of a null value in an Android application; `NPE.COND` Null pointer dereference where null comes from condition; `NPE.CONST` Null pointer dereference where null comes from constant; `NPE.RET` Dereference of a null value which is returned from a method; `NPE.RET.UTIL` Dereference of a null value which is returned from a map or a collection; `NPE.STAT` Null pointer dereference of a return value (statistical); `REDUN.EQNULL` Suspicious equals() called with expression and null (never true); `REDUN.NULL` Usage of variable instead of null constant; `RNU.THIS` Compare this and null but this cannot be null |
| CWE-486: Comparison of Classes by Name | `CMP.CLASS` Comparing by classname |
| CWE-489: Leftover Debug Code | `SV.UMD.MAIN` Leftover debug code - main method |
| CWE-493: Critical Public Variable Without Final Modifier | `SV.EXPOSE.FIELD` Static field may be changed by malicious code |
| CWE-497: Exposure of System Data to an Unauthorized Control Sphere | `SV.IL.DEV` Design information leakage |
| CWE-500: Public Static Field Not Marked Final | `SV.STRUTS.STATIC` Struts Forms: static fields |
| CWE-501: Trust Boundary Violation | `SV.DATA.BOUND` Untrusted Data leaks into trusted storage |
| CWE-502: Deserialization of Untrusted Data | `SV.SERIAL.NOFINAL` Methods readObject() and writeObject() in serializable classes should be final; `SV.SERIAL.NOREAD` Method readObject() should be defined for a serializable class; `SV.SERIAL.NOWRITE` Method writeObject() should be defined for a serializable class; `SV.SERIAL.OVERRIDE` Do not invoke overridable methods from the readObject() method; `SV.SERIAL.SIG` Methods readObject() and writeObject() in serializable classes should have correct signature |
| CWE-522: Insufficiently Protected Credentials | `SV.PASSWD.PLAIN` Plain-text Password; `SV.PASSWD.PLAIN.HC` Plain-text Password |
| CWE-548: Information Exposure Through Directory Listing | `SV.IL.FILE` File Name Leaking |
| CWE-567: Unsynchronized Access to Shared Data in a Multithreaded Context | `SV.SHARED.VAR` Unsynchronized access to static variable from servlet |
| CWE-568: finalize() Method Without super.finalize() | `FIN.EMPTY` Empty finalize() method should be removed; `FIN.NOSUPER` Implementation of the finalize() method should call super.finalize() |
| CWE-570: Expression is Always False | `REDUN.EQNULL` Suspicious equals() called with expression and null (never true) |
| CWE-571: Expression is Always True | `REDUN.EQ` Suspicious equals() called with same expression on both sides |
| CWE-576: EJB Bad Practices: Use of Java I/O | `UMC.SYSERR` Debug print using System.err method calls is unwanted; `UMC.SYSOUT` Debug print using System.out method calls is unwanted |
| CWE-580: clone() Method Without super.clone() | `SV.CLONE.SUP` Class implements 'clone' method but does not implement Cloneable |
| CWE-581: Object Model Violation: Just One of Equals and Hashcode Defined | `EHC.EQ` Class defines hashCode() but does not define equals(); `EHC.HASH` Class defines equals() but does not define hashCode() |
| CWE-583: finalize() Method Declared Public | `SV.EXPOSE.FIN` Method finalize() should have protected access modifier, not public |
| CWE-595: Comparison of Object References Instead of Object Contents | `CMP.OBJ` Comparing objects with == |
| CWE-611: Improper Restriction of XML External Entity Reference | `SV.XXE.DBF` Possibility for XML External Entity attack; `SV.XXE.SF` Possibility for XML External Entity attack; `SV.XXE.SPF` Possibility for XML External Entity attack; `SV.XXE.TF` Possibility for XML External Entity attack; `SV.XXE.XIF` Possibility for XML External Entity attack; `SV.XXE.XRF` Possibility for XML External Entity attack |
| CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | `SV.XSS.COOKIE.SECURE` Sensitive cookie without Secure protocol |
| CWE-732: Incorrect Permission Assignment for Critical Resource | `SV.PERMS.HOME` File created in user home directory without setting permissions; `SV.PERMS.WIDE` Too wide permissions |
| CWE-73: External Control of File Name or Path | `SV.TMPFILE` Temporary file path tampering |
| CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | `JAVA.SV.XML.INVALID` XML is not validated before being unmarshalled to a Java object |
| CWE-759: Use of a One-Way Hash without a Salt | `SV.HASH.NO_SALT` Use of a one-way cryptographic hash without a salt |
| CWE-772: Missing Release of Resource after Effective Lifetime | `RLK.AWT` AWT object is not disposed on exit; `RLK.FIELD` Possible leak of system resource stored in a field; `RLK.HIBERNATE` Hibernate object is not closed on exit; `RLK.IMAGEIO` ImageIO stream is not closed on exit; `RLK.IN` Input stream is not closed on exit; `RLK.JNDI` JNDI context is not closed on exit; `RLK.MAIL` Java mail object is not closed on exit; `RLK.MICRO` Java Microedition connection is not closed on exit; `RLK.NIO` NIO object is not closed on exit; `RLK.OUT` Output stream is not closed on exit; `RLK.SOCK` Socket is not closed on exit; `RLK.SQLCON` Sql connection is not closed on exit; `RLK.SQLOBJ` Sql object is not closed on exit; `RLK.SWT` SWT object is not disposed on exit; `RLK.ZIP` Zip file is not closed on exit |
| CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | `SV.EXEC` Process Injection; `SV.EXEC.DIR` Process Injection (Working Directory); `SV.EXEC.ENV` Process Injection (Environment Variables); `SV.EXEC.LOCAL` Process Injection (Local Arguments) |
| CWE-79: Improper Neutralization of Input During Web Page Generation | `SV.XSS.DB` Cross Site Scripting (Stored XSS); `SV.XSS.REF` Cross Site Scripting (Reflected XSS) |
| CWE-807: Reliance on Untrusted Inputs in a Security Decision | `SV.IL.SESSION.CLIENT` HttpServletRequest.getRequestedSessionId method should not be used |
| CWE-829: Inclusion of Functionality from Untrusted Control Sphere | `SV.CLASSDEF.INJ` Runtime Class Definition Injection; `SV.CLASSLOADER.INJ` Class Loader URL Injection; `SV.SCRIPT` Script Execution |
| CWE-862: Missing Authorization | `SPRING.AUTHZ.ABSENT` No configuration for protected resource; `SPRING.AUTHZ.MISSING` Missing Authorization |
| CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | `SV.DATA.DB` Data injection; `SV.SQL` Sql Injection; `SV.SQL.DBSOURCE` Unchecked information from the database is used in SQL statements |
| CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | `SV.LDAP` Unvalidated user input is used as LDAP filter |
| CWE-918: Server-Side Request Forgery (SSRF) | `SV.SSRF.URI` URI based on unvalidated user input |
| CWE-94: Improper Control of Generation of Code ('Code Injection') | `SV.DATA.DB` Data injection; `SV.SQL` Sql Injection; `SV.SQL.DBSOURCE` Unchecked information from the database is used in SQL statements |
Support Summary:
- 66 rules