CERT Java IDs mapped to Klocwork Java checkers

The following mapping of CERT Java IDs to Klocwork Java checkers is a community-developed mapping.

Rule   Checker name and description
DCL02-J(L3)

JD.UNMOD   Modification of unmodifiable collection

ENV03-J(L1)

SV.CLEXT.POLICY   Class extends 'java.security.Policy'

ENV06-J(L1)

JAVA.DEBUG.ENTRY   Production code must not contain debugging entry points

ERR01-J(L3)

SV.IL.DEV   Design information leakage

ERR03-J(L3)

SV.HTTP_SPLIT   Http Response Splitting

SV.SSRF.URI   URI based on invalidated user input.

ERR04-J(L3)

JD.FINRET   Return inside finally

ERR05-J(L3)

JD.UNCAUGHT   Uncaught exception

ERR07-J(L2)

EXC.BROADTHROWS   Method has an overly broad throws declaration

ERR08-J(L1)

JD.CATCH   Catching runtime exception

ERR09-J(L3)

SV.UMC.EXIT   The System.exit() and Runtime.exit() method calls should not be used in servlets code

UMC.EXIT   The System.exit() method call is unwanted

EXP00-J(L2)

RI.IGNOREDCALL   The value returned by a method called on immutable object is ignored

RR.IGNORED   The returned value is ignored

EXP01-J(L3)

NPE.COND   Null pointer dereference where null comes from condition

NPE.CONST   Null pointer dereference where null comes from constant

NPE.RET   Dereference of a null value which is returned from a method

NPE.RET.UTIL   Dereference of a null value which is returned from a map or a collection

NPE.STAT   Null pointer dereference of a return value (statistical)

REDUN.EQNULL   Suspicious equals() called with expression and null (never true)

EXP02-J(L2)

JD.EQ.ARR   Calling 'equals' on array

EXP03-J(L2)

CMP.OBJ   Comparing objects with ==

FIO01-J(L3)

SV.PERMS.HOME   File created in user home directory, without setting permissions

SV.PERMS.WIDE   Too wide permissions

FIO03-J(L2)

SV.DOS.TMPFILEDEL   Leaving temporary file for lifetime of JVM

SV.DOS.TMPFILEEXIT   Leaving temporary file

FIO04-J(L3)

RLK.AWT   AWT object is not disposed on exit

RLK.FIELD   Possible leak of system resource stored in a field

RLK.HIBERNATE   Hibernate object is not closed on exit

RLK.IMAGEIO   ImageIO stream is not closed on exit

RLK.IN   Input stream is not closed on exit

RLK.JNDI   JNDI context is not closed on exit

RLK.JPA   {3} object is not closed on exit.

RLK.MAIL   Java mail object is not closed on exit

RLK.MICRO   Java Microedition connection is not closed on exit

RLK.NIO   NIO object is not closed on exit

RLK.OUT   Output stream is not closed on exit

RLK.SOCK   Socket is not closed on exit

RLK.SQLCON   Sql connection is not closed on exit

RLK.SQLOBJ   Sql object is not closed on exit

RLK.SWT   SWT object is not disposed on exit

RLK.ZIP   Zip file is not closed on exit

FIO13-J(L3)

SV.IL.SESSION   Logging of session id

FIO16-J(L3)

SV.EXEC.PATH   Untrusted Search Path

SV.PATH   Path and file name injection

SV.PATH.INJ   File injection

SV.TMPFILE   Temporary file path tampering

IDS00-J(L1)

SV.DATA.DB   Data injection

SV.SQL   Sql Injection

SV.SQL.DBSOURCE   Unchecked information from the database is used in SQL statements

IDS01-J(L1)

SV.TAINT   Tainted data

SV.TAINT_NATIVE   Tainted data goes to native code

SV.XSS.DB   Cross Site Scripting (Stored XSS)

SV.XSS.REF   Cross Site Scripting (Reflected XSS)

IDS03-J(L2)

SV.LOG_FORGING   Log Forging

IDS07-J(L1)

SV.EXEC   Process Injection

SV.EXEC.DIR   Process Injection. Working Directory

SV.EXEC.ENV   Process Injection. Environment Variables

SV.EXEC.LOCAL   Process Injection. Local Arguments

SV.EXEC.PATH   Untrusted Search Path

IDS16-J(L1)

JAVA.SV.XML.INVALID   XML is not validated before being unmarshalled to a Java object

IDS17-J(L2)

SV.XXE.DBF   Possibility for XML External Entity attack

SV.XXE.SF   Possibility for XML External Entity attack

SV.XXE.SPF   Possibility for XML External Entity attack

SV.XXE.TF   Possibility for XML External Entity attack

SV.XXE.XIF   Possibility for XML External Entity attack

SV.XXE.XRF   Possibility for XML External Entity attack

JNI00-J(L3)

JAVA.NATIVE.PUBLIC   Define wrappers around native methods

JNI01-J(L1)

SV.LOADLIB.INJ   Untrusted call to 'loadLibrary' method

LCK05-J(L3)

SV.SHARED.VAR   Unsynchronized access to static variable from servlet

LCK07-J(L3)

JD.LOCK   Lock without unlock

LCK09-J(L3)

JD.LOCK.NOTIFY   Method 'notify' called with locks held

JD.LOCK.SLEEP   Method 'sleep' called with locks held

JD.LOCK.WAIT   Method 'wait' called with locks held

LCK10-J(L3)

JD.SYNC.DCL   Double-checked locking

MET01-J(L2)

JAVA.ASSERT.ARG   Never use assertions to validate method arguments

MET09-J(L3)

EHC.EQ   Class defines hashCode() but does not define equals()

EHC.HASH   Class defines equals() but does not define hashCode()

MET12-J(L2)

FIN.EMPTY   Empty finalize() method should be removed

FIN.NOSUPER   Implementation of the finalize() method should call super.finalize()

JD.UMC.FINALIZE   Explicit call to method 'Object.finalize'

JD.UMC.RUNFIN   runFinalizersOnExit() is called

SV.EXPOSE.FIN   Method finalize() should have protected access modifier, not public

MSC00-J(L2)

SV.WEAK.TLS   Weak SSL/TLS protocols should not be used.

MSC01-J(L3)

JAVA.INF.LOOP.EMPTY   Do not use an empty infinite loop

MSC02-J(L1)

SV.RANDOM   Use of insecure Random number generator

MSC03-J(L1)

SV.PASSWD.HC   Hardcoded Password

SV.PASSWD.HC.EMPTY   Empty Password

SV.PASSWD.PLAIN   Plain-text Password

SV.PASSWD.PLAIN.HC   Plain-text Password

SV.SENSITIVE.DATA   Unencrypted sensitive data is written

SV.SENSITIVE.OBJ   Object with unencrypted sensitive data is stored

MSC05-J(L3)

JD.INF.ALLOC   Allocation within infinite loop

SV.DOS.ARRSIZE   Tainted size used for array allocation

SV.INT_OVF   Tainted data may lead to Integer Overflow

MSC06-J(L3)

JD.CONCUR   Possible ConcurrentModificationException

MSC11-J(L2)

SV.IL.SESSION   Logging of session id

SV.IL.SESSION.CLIENT   HttpServletRequest.getRequestedSessionId method should not be used.

SV.SESSION.FIXATION.COOKIE   Cookies should not be vulnerable to session fixation

SV.SPRING.FIXATION   Session fixation protection is disabled

NUM00-J(L3)

SV.INT_OVF   Tainted data may lead to Integer Overflow

NUM07-J(L3)

JAVA.COMPARE.NAN   Do not attempt comparisons with NaN

NUM09-J(L2)

JAVA.LOOP.CTR.FLOAT   Do not use floating-point variables as loop counters

NUM10-J(L2)

JAVA.BIGDEC.FLOAT   Do not construct BigDecimal objects from floating-point literals

OBJ01-J(L1)

SV.EXPOSE.FIELD   Static field may be changed by malicious code

SV.EXPOSE.IFIELD   Instance field should be made final

SV.EXPOSE.MUTABLEFIELD   Static mutable field can be accessed by malicious code

SV.STRUTS.PRIVATE   Struts Forms: non-private fields

SV.STRUTS.STATIC   Struts Forms: static fields

OBJ04-J(L2)

SV.EXPOSE.RET   Internal representation may be exposed

SV.EXPOSE.STORE   Method stores reference to mutable object

OBJ05-J(L1)

SV.EXPOSE.RET   Internal representation may be exposed

SV.EXPOSE.STORE   Method stores reference to mutable object

OBJ09-J(L2)

CMP.CLASS   Comparing by classname

OBJ10-J(L2)

SV.EXPOSE.FIELD   Static field may be changed by malicious code

SV.STRUTS.STATIC   Struts Forms: static fields

OBJ11-J(L1)

JAVA.CTOR.EXCEPT   Be wary of letting constructors throw exceptions

JAVA.FINAL.STATIC.VAR   Use of nonfinal static variable

SEC00-J(L2)

SV.PRIVILEGE.MISSING   Method invoked should not be inside doPrivileged block

SEC03-J(L1)

SV.CLASSLOADER.INJ   Class Loader URL Injection

SV.CLEXT.CLLOADER   Class extends 'java.lang.ClassLoader'

SV.CLLOADER   Direct use of Classloader

SER01-J(L1)

SV.SERIAL.SIG   Methods readObject() and writeObject() in serializable classes should have correct signature

SER03-J(L2)

SV.SERIAL.NOFINAL   Methods readObject() and writeObject() in serializable classes should be final

SV.SERIAL.NOWRITE   Method writeObject() should be defined for a serializable class

SER05-J(L1)

JAVA.SERIALIZE.INNER   Do not serialize instances of inner classes

SER06-J(L3)

SV.SERIAL.NOFINAL   Methods readObject() and writeObject() in serializable classes should be final

SV.SERIAL.NOREAD   Method readObject() should be defined for a serializable class

SER09-J(L3)

SV.SERIAL.OVERRIDE   Do not invoke overridable methods from the readObject() method

SER12-J(L2)

SV.SERIAL.NOFINAL   Methods readObject() and writeObject() in serializable classes should be final

SV.SERIAL.NOREAD   Method readObject() should be defined for a serializable class

THI00-J(L3)

JD.THREAD.RUN   Explicit call to a 'Thread.run' method

THI01-J(L3)

JAVA.THREADGROUP   Do not invoke ThreadGroup methods

THI03-J(L3)

JAVA.WAIT.IN.LOOP   Always invoke wait() and await() methods inside a loop

VNA00-J(L2)

SV.SHARED.VAR   Unsynchronized access to static variable from servlet

VNA01-J(L3)

SV.SHARED.VAR   Unsynchronized access to static variable from servlet

VNA02-J(L2)

SV.SHARED.VAR   Unsynchronized access to static variable from servlet