CERT IDs: Java

JD.UNMOD  Modification of unmodifiable collection

SV.CLEXT.POLICY  Class extends 'java.security.Policy'

JAVA.DEBUG.ENTRY  Production code must not contain debugging entry points

SV.IL.DEV  Design information leakage

SV.HTTP_SPLIT  Http Response Splitting

SV.SSRF.URI  URI based on invalidated user input.

JD.FINRET  Return inside finally

JD.UNCAUGHT  Uncaught exception

EXC.BROADTHROWS  Method has an overly broad throws declaration

JD.CATCH  Catching runtime exception

SV.UMC.EXIT  The System.exit() and Runtime.exit() method calls should not be used in servlets code

UMC.EXIT  The System.exit() method call is unwanted

RI.IGNOREDCALL  The value returned by a method called on immutable object is ignored

RR.IGNORED  The returned value is ignored

NPE.COND  Null pointer dereference where null comes from condition

NPE.CONST  Null pointer dereference where null comes from constant

NPE.RET  Dereference of a null value which is returned from a method

NPE.RET.UTIL  Dereference of a null value which is returned from a map or a collection

NPE.STAT  Null pointer dereference of a return value (statistical)

REDUN.EQNULL  Suspicious equals() called with expression and null (never true)

JD.EQ.ARR  Calling 'equals' on array

CMP.OBJ  Comparing objects with ==

SV.PERMS.HOME  File created in user home directory, without setting permissions

SV.PERMS.WIDE  Too wide permissions

SV.DOS.TMPFILEDEL  Leaving temporary file for lifetime of JVM

SV.DOS.TMPFILEEXIT  Leaving temporary file

RLK.AWT  AWT object is not disposed on exit

RLK.FIELD  Possible leak of system resource stored in a field

RLK.HIBERNATE  Hibernate object is not closed on exit

RLK.IMAGEIO  ImageIO stream is not closed on exit

RLK.IN  Input stream is not closed on exit

RLK.JNDI  JNDI context is not closed on exit

RLK.JPA  {3} object is not closed on exit.

RLK.MAIL  Java mail object is not closed on exit

RLK.MICRO  Java Microedition connection is not closed on exit

RLK.NIO  NIO object is not closed on exit

RLK.OUT  Output stream is not closed on exit

RLK.SOCK  Socket is not closed on exit

RLK.SQLCON  Sql connection is not closed on exit

RLK.SQLOBJ  Sql object is not closed on exit

RLK.SWT  SWT object is not disposed on exit

RLK.ZIP  Zip file is not closed on exit

SV.IL.SESSION  Logging of session id

SV.EXEC.PATH  Untrusted Search Path

SV.PATH  Path and file name injection

SV.PATH.INJ  File injection

SV.TMPFILE  Temporary file path tampering

SV.DATA.DB  Data injection

SV.SQL  Sql Injection

SV.SQL.DBSOURCE  Unchecked information from the database is used in SQL statements

SV.TAINT  Tainted data

SV.TAINT_NATIVE  Tainted data goes to native code

SV.XSS.DB  Cross Site Scripting (Stored XSS)

SV.XSS.REF  Cross Site Scripting (Reflected XSS)

SV.LOG_FORGING  Log Forging

SV.EXEC  Process Injection

SV.EXEC.DIR  Process Injection. Working Directory

SV.EXEC.ENV  Process Injection. Environment Variables

SV.EXEC.LOCAL  Process Injection. Local Arguments

SV.EXEC.PATH  Untrusted Search Path

JAVA.SV.XML.INVALID  XML is not validated before being unmarshalled to a Java object

SV.XXE.DBF  Possibility for XML External Entity attack

SV.XXE.SF  Possibility for XML External Entity attack

SV.XXE.SPF  Possibility for XML External Entity attack

SV.XXE.TF  Possibility for XML External Entity attack

SV.XXE.XIF  Possibility for XML External Entity attack

SV.XXE.XRF  Possibility for XML External Entity attack

JAVA.NATIVE.PUBLIC  Define wrappers around native methods

SV.LOADLIB.INJ  Untrusted call to 'loadLibrary' method

SV.SHARED.VAR  Unsynchronized access to static variable from servlet

JD.LOCK  Lock without unlock

JD.LOCK.NOTIFY  Method 'notify' called with locks held

JD.LOCK.SLEEP  Method 'sleep' called with locks held

JD.LOCK.WAIT  Method 'wait' called with locks held

JD.SYNC.DCL  Double-checked locking

JAVA.ASSERT.ARG  Never use assertions to validate method arguments

EHC.EQ  Class defines hashCode() but does not define equals()

EHC.HASH  Class defines equals() but does not define hashCode()

FIN.EMPTY  Empty finalize() method should be removed

FIN.NOSUPER  Implementation of the finalize() method should call super.finalize()

JD.UMC.FINALIZE  Explicit call to method 'Object.finalize'

JD.UMC.RUNFIN  runFinalizersOnExit() is called

SV.EXPOSE.FIN  Method finalize() should have protected access modifier, not public

SV.WEAK.TLS  Weak SSL/TLS protocols should not be used.

JAVA.INF.LOOP.EMPTY  Do not use an empty infinite loop

SV.RANDOM  Use of insecure Random number generator

SV.PASSWD.HC  Hardcoded Password

SV.PASSWD.HC.EMPTY  Empty Password

SV.PASSWD.PLAIN  Plain-text Password

SV.PASSWD.PLAIN.HC  Plain-text Password

SV.SENSITIVE.DATA  Unencrypted sensitive data is written

SV.SENSITIVE.OBJ  Object with unencrypted sensitive data is stored

JD.INF.ALLOC  Allocation within infinite loop

SV.DOS.ARRSIZE  Tainted size used for array allocation

SV.INT_OVF  Tainted data may lead to Integer Overflow

JD.CONCUR  Possible ConcurrentModificationException

SV.IL.SESSION  Logging of session id

SV.IL.SESSION.CLIENT  HttpServletRequest.getRequestedSessionId method should not be used.

SV.SESSION.FIXATION.COOKIE  Cookies should not be vulnerable to session fixation

SV.SPRING.FIXATION  Session fixation protection is disabled

SV.INT_OVF  Tainted data may lead to Integer Overflow

JAVA.COMPARE.NAN  Do not attempt comparisons with NaN

JAVA.LOOP.CTR.FLOAT  Do not use floating-point variables as loop counters

JAVA.BIGDEC.FLOAT  Do not construct BigDecimal objects from floating-point literals

SV.EXPOSE.FIELD  Static field may be changed by malicious code

SV.EXPOSE.IFIELD  Instance field should be made final

SV.EXPOSE.MUTABLEFIELD  Static mutable field can be accessed by malicious code

SV.STRUTS.PRIVATE  Struts Forms: non-private fields

SV.STRUTS.STATIC  Struts Forms: static fields

SV.EXPOSE.RET  Internal representation may be exposed

SV.EXPOSE.STORE  Method stores reference to mutable object

SV.EXPOSE.RET  Internal representation may be exposed

SV.EXPOSE.STORE  Method stores reference to mutable object

CMP.CLASS  Comparing by classname

SV.EXPOSE.FIELD  Static field may be changed by malicious code

SV.STRUTS.STATIC  Struts Forms: static fields

JAVA.CTOR.EXCEPT  Be wary of letting constructors throw exceptions

JAVA.FINAL.STATIC.VAR  Use of nonfinal static variable

SV.PRIVILEGE.MISSING  Method invoked should not be inside doPrivileged block

SV.CLASSLOADER.INJ  Class Loader URL Injection

SV.CLEXT.CLLOADER  Class extends 'java.lang.ClassLoader'

SV.CLLOADER  Direct use of Classloader

SV.SERIAL.SIG  Methods readObject() and writeObject() in serializable classes should have correct signature

SV.SERIAL.NOFINAL  Methods readObject() and writeObject() in serializable classes should be final

SV.SERIAL.NOWRITE  Method writeObject() should be defined for a serializable class

JAVA.SERIALIZE.INNER  Do not serialize instances of inner classes

SV.SERIAL.NOFINAL  Methods readObject() and writeObject() in serializable classes should be final

SV.SERIAL.NOREAD  Method readObject() should be defined for a serializable class

SV.SERIAL.OVERRIDE  Do not invoke overridable methods from the readObject() method

SV.SERIAL.NOFINAL  Methods readObject() and writeObject() in serializable classes should be final

SV.SERIAL.NOREAD  Method readObject() should be defined for a serializable class

JD.THREAD.RUN  Explicit call to a 'Thread.run' method

JAVA.THREADGROUP  Do not invoke ThreadGroup methods

JAVA.WAIT.IN.LOOP  Always invoke wait() and await() methods inside a loop

SV.SHARED.VAR  Unsynchronized access to static variable from servlet

SV.SHARED.VAR  Unsynchronized access to static variable from servlet

SV.SHARED.VAR  Unsynchronized access to static variable from servlet