CERT IDs: Java
The following table is a community-developed mapping of CERT Java IDs to Klocwork Java checkers. Each rule is listed with its CERT level (L1 to L3); where several checkers cover one rule, they are separated by semicolons.
| Rule | Checker name and description |
|---|---|
| CERT DCL02-J (L3): Do not modify the collection's elements during an enhanced for statement | JD.UNMOD Modification of unmodifiable collection |
| CERT ENV03-J (L1): Do not grant dangerous combinations of permissions | SV.CLEXT.POLICY Class extends 'java.security.Policy' |
| CERT ENV06-J (L1): Production code must not contain debugging entry points | JAVA.DEBUG.ENTRY Production code must not contain debugging entry points |
| CERT ERR01-J (L3): Do not allow exceptions to expose sensitive information | SV.IL.DEV Design information leakage |
| CERT ERR03-J (L3): Restore prior object state on method failure | SV.HTTP_SPLIT Http Response Splitting; SV.SSRF.URI URI based on invalidated user input |
| CERT ERR04-J (L3): Do not complete abruptly from a finally block | JD.FINRET Return inside finally |
| CERT ERR05-J (L3): Do not let checked exceptions escape from a finally block | JD.UNCAUGHT Uncaught exception |
| CERT ERR07-J (L2): Do not throw RuntimeException, Exception, or Throwable | EXC.BROADTHROWS Method has an overly broad throws declaration |
| CERT ERR08-J (L1): Do not catch NullPointerException or any of its ancestors | JD.CATCH Catching runtime exception |
| CERT ERR09-J (L3): Do not allow untrusted code to terminate the JVM | SV.UMC.EXIT The System.exit() and Runtime.exit() method calls should not be used in servlets code; UMC.EXIT The System.exit() method call is unwanted |
| CERT EXP00-J (L2): Do not ignore values returned by methods | RI.IGNOREDCALL The value returned by a method called on immutable object is ignored; RR.IGNORED The returned value is ignored |
| CERT EXP01-J (L3): Do not use a null in a case where an object is required | NPE.COND Null pointer dereference where null comes from condition; NPE.CONST Null pointer dereference where null comes from constant; NPE.RET Dereference of a null value which is returned from a method; NPE.RET.UTIL Dereference of a null value which is returned from a map or a collection; NPE.STAT Null pointer dereference of a return value (statistical); REDUN.EQNULL Suspicious equals() called with expression and null (never true) |
| CERT EXP02-J (L2): Do not use the Object.equals() method to compare two arrays | JD.EQ.ARR Calling 'equals' on array |
| CERT EXP03-J (L2): Do not use the equality operators when comparing values of boxed primitives | CMP.OBJ Comparing objects with == |
| CERT FIO01-J (L3): Create files with appropriate access permissions | SV.PERMS.HOME File created in user home directory, without setting permissions; SV.PERMS.WIDE Too wide permissions |
| CERT FIO03-J (L2): Remove temporary files before termination | SV.DOS.TMPFILEDEL Leaving temporary file for lifetime of JVM; SV.DOS.TMPFILEEXIT Leaving temporary file |
| CERT FIO04-J (L3): Release resources when they are no longer needed | RLK.AWT AWT object is not disposed on exit; RLK.FIELD Possible leak of system resource stored in a field; RLK.HIBERNATE Hibernate object is not closed on exit; RLK.IMAGEIO ImageIO stream is not closed on exit; RLK.IN Input stream is not closed on exit; RLK.JNDI JNDI context is not closed on exit; RLK.JPA {3} object is not closed on exit; RLK.MAIL Java mail object is not closed on exit; RLK.MICRO Java Microedition connection is not closed on exit; RLK.NIO NIO object is not closed on exit; RLK.OUT Output stream is not closed on exit; RLK.SOCK Socket is not closed on exit; RLK.SQLCON Sql connection is not closed on exit; RLK.SQLOBJ Sql object is not closed on exit; RLK.SWT SWT object is not disposed on exit; RLK.ZIP Zip file is not closed on exit |
| CERT FIO13-J (L3): Do not log sensitive information outside a trust boundary | SV.IL.SESSION Logging of session id |
| CERT FIO16-J (L3): Canonicalize path names before validating them | SV.EXEC.PATH Untrusted Search Path; SV.PATH Path and file name injection; SV.PATH.INJ File injection; SV.TMPFILE Temporary file path tampering |
| CERT IDS00-J (L1): Prevent SQL injection | SV.DATA.DB Data injection; SV.SQL Sql Injection; SV.SQL.DBSOURCE Unchecked information from the database is used in SQL statements |
| CERT IDS01-J (L1): Normalize strings before validating them | SV.TAINT Tainted data; SV.TAINT_NATIVE Tainted data goes to native code; SV.XSS.DB Cross Site Scripting (Stored XSS); SV.XSS.REF Cross Site Scripting (Reflected XSS) |
| CERT IDS03-J (L2): Do not log unsanitized user input | SV.LOG_FORGING Log Forging |
| CERT IDS07-J (L1): Sanitize untrusted data passed to the Runtime.exec() method | SV.EXEC Process Injection; SV.EXEC.DIR Process Injection. Working Directory; SV.EXEC.ENV Process Injection. Environment Variables; SV.EXEC.LOCAL Process Injection. Local Arguments; SV.EXEC.PATH Untrusted Search Path |
| CERT IDS16-J (L1): Prevent XML Injection | JAVA.SV.XML.INVALID XML is not validated before being unmarshalled to a Java object |
| CERT IDS17-J (L2): Prevent XML External Entity Attacks | SV.XXE.DBF Possibility for XML External Entity attack; SV.XXE.SF Possibility for XML External Entity attack; SV.XXE.SPF Possibility for XML External Entity attack; SV.XXE.TF Possibility for XML External Entity attack; SV.XXE.XIF Possibility for XML External Entity attack; SV.XXE.XRF Possibility for XML External Entity attack |
| CERT JNI00-J (L3): Define wrappers around native methods | JAVA.NATIVE.PUBLIC Define wrappers around native methods |
| CERT JNI01-J (L1): Safely invoke standard APIs that perform tasks using the immediate caller's class loader instance (loadLibrary) | SV.LOADLIB.INJ Untrusted call to 'loadLibrary' method |
| CERT LCK05-J (L3): Synchronize access to static fields that can be modified by untrusted code | SV.SHARED.VAR Unsynchronized access to static variable from servlet |
| CERT LCK07-J (L3): Avoid deadlock by requesting and releasing locks in the same order | JD.LOCK Lock without unlock |
| CERT LCK09-J (L3): Do not perform operations that can block while holding a lock | JD.LOCK.NOTIFY Method 'notify' called with locks held; JD.LOCK.SLEEP Method 'sleep' called with locks held; JD.LOCK.WAIT Method 'wait' called with locks held |
| CERT LCK10-J (L3): Use a correct form of the double-checked locking idiom | JD.SYNC.DCL Double-checked locking |
| CERT MET01-J (L2): Never use assertions to validate method arguments | JAVA.ASSERT.ARG Never use assertions to validate method arguments |
| CERT MET09-J (L3): Classes that define an equals() method must also define a hashCode() method | EHC.EQ Class defines hashCode() but does not define equals(); EHC.HASH Class defines equals() but does not define hashCode() |
| CERT MET12-J (L2): Do not use finalizers | FIN.EMPTY Empty finalize() method should be removed; FIN.NOSUPER Implementation of the finalize() method should call super.finalize(); JD.UMC.FINALIZE Explicit call to method 'Object.finalize'; JD.UMC.RUNFIN runFinalizersOnExit() is called; SV.EXPOSE.FIN Method finalize() should have protected access modifier, not public |
| CERT MSC00-J (L2): Use SSLSocket rather than Socket for secure data exchange | SV.WEAK.TLS Weak SSL/TLS protocols should not be used |
| CERT MSC01-J (L3): Do not use an empty infinite loop | JAVA.INF.LOOP.EMPTY Do not use an empty infinite loop |
| CERT MSC02-J (L1): Generate strong random numbers | SV.RANDOM Use of insecure Random number generator |
| CERT MSC03-J (L1): Never hard code sensitive information | SV.PASSWD.HC Hardcoded Password; SV.PASSWD.HC.EMPTY Empty Password; SV.PASSWD.PLAIN Plain-text Password; SV.PASSWD.PLAIN.HC Plain-text Password; SV.SENSITIVE.DATA Unencrypted sensitive data is written; SV.SENSITIVE.OBJ Object with unencrypted sensitive data is stored |
| CERT MSC05-J (L3): Do not exhaust heap space | JD.INF.ALLOC Allocation within infinite loop; SV.DOS.ARRSIZE Tainted size used for array allocation; SV.INT_OVF Tainted data may lead to Integer Overflow |
| CERT MSC06-J (L3): Do not modify the underlying collection when an iteration is in progress | JD.CONCUR Possible ConcurrentModificationException |
| CERT MSC11-J (L2): Do not let session information leak within a servlet | SV.IL.SESSION Logging of session id; SV.IL.SESSION.CLIENT HttpServletRequest.getRequestedSessionId method should not be used; SV.SESSION.FIXATION.COOKIE Cookies should not be vulnerable to session fixation; SV.SPRING.FIXATION Session fixation protection is disabled |
| CERT NUM00-J (L3): Detect or prevent integer overflow | SV.INT_OVF Tainted data may lead to Integer Overflow |
| CERT NUM07-J (L3): Do not attempt comparisons with NaN | JAVA.COMPARE.NAN Do not attempt comparisons with NaN |
| CERT NUM09-J (L2): Do not use floating-point variables as loop counters | JAVA.LOOP.CTR.FLOAT Do not use floating-point variables as loop counters |
| CERT NUM10-J (L2): Do not construct BigDecimal objects from floating-point literals | JAVA.BIGDEC.FLOAT Do not construct BigDecimal objects from floating-point literals |
| CERT OBJ01-J (L1): Limit accessibility of fields | SV.EXPOSE.FIELD Static field may be changed by malicious code; SV.EXPOSE.IFIELD Instance field should be made final; SV.EXPOSE.MUTABLEFIELD Static mutable field can be accessed by malicious code; SV.STRUTS.PRIVATE Struts Forms: non-private fields; SV.STRUTS.STATIC Struts Forms: static fields |
| CERT OBJ04-J (L2): Provide mutable classes with copy functionality to safely allow passing instances to untrusted code | SV.EXPOSE.RET Internal representation may be exposed; SV.EXPOSE.STORE Method stores reference to mutable object |
| CERT OBJ05-J (L1): Do not return references to private mutable class members | SV.EXPOSE.RET Internal representation may be exposed; SV.EXPOSE.STORE Method stores reference to mutable object |
| CERT OBJ09-J (L2): Compare classes and not class names | CMP.CLASS Comparing by classname |
| CERT OBJ10-J (L2): Do not use public static nonfinal fields | SV.EXPOSE.FIELD Static field may be changed by malicious code; SV.STRUTS.STATIC Struts Forms: static fields |
| CERT OBJ11-J (L1): Be wary of letting constructors throw exceptions | JAVA.CTOR.EXCEPT Be wary of letting constructors throw exceptions; JAVA.FINAL.STATIC.VAR Use of nonfinal static variable |
| CERT SEC00-J (L2): Do not allow privileged blocks to leak sensitive information across a trust boundary | SV.PRIVILEGE.MISSING Method invoked should not be inside doPrivileged block |
| CERT SEC03-J (L1): Do not load trusted classes after allowing untrusted code to load arbitrary classes | SV.CLASSLOADER.INJ Class Loader URL Injection; SV.CLEXT.CLLOADER Class extends 'java.lang.ClassLoader'; SV.CLLOADER Direct use of Classloader |
| CERT SER01-J (L1): Do not deviate from the proper signatures of serialization methods | SV.SERIAL.SIG Methods readObject() and writeObject() in serializable classes should have correct signature |
| CERT SER03-J (L2): Do not serialize unencrypted sensitive data | SV.SERIAL.NOFINAL Methods readObject() and writeObject() in serializable classes should be final; SV.SERIAL.NOWRITE Method writeObject() should be defined for a serializable class |
| CERT SER05-J (L1): Do not serialize instances of inner classes | JAVA.SERIALIZE.INNER Do not serialize instances of inner classes |
| CERT SER06-J (L3): Make defensive copies of private mutable components during deserialization | SV.SERIAL.NOFINAL Methods readObject() and writeObject() in serializable classes should be final; SV.SERIAL.NOREAD Method readObject() should be defined for a serializable class |
| CERT SER09-J (L3): Do not invoke overridable methods from the readObject() method | SV.SERIAL.OVERRIDE Do not invoke overridable methods from the readObject() method |
| CERT SER12-J (L2): Prevent deserialization of untrusted data | SV.SERIAL.NOFINAL Methods readObject() and writeObject() in serializable classes should be final; SV.SERIAL.NOREAD Method readObject() should be defined for a serializable class |
| CERT THI00-J (L3): Do not invoke Thread.run() | JD.THREAD.RUN Explicit call to a 'Thread.run' method |
| CERT THI01-J (L3): Do not invoke ThreadGroup methods | JAVA.THREADGROUP Do not invoke ThreadGroup methods |
| CERT THI03-J (L3): Always invoke wait() and await() methods inside a loop | JAVA.WAIT.IN.LOOP Always invoke wait() and await() methods inside a loop |
| CERT VNA00-J (L2): Ensure visibility when accessing shared primitive variables | SV.SHARED.VAR Unsynchronized access to static variable from servlet |
| CERT VNA01-J (L3): Ensure visibility of shared references to immutable objects | SV.SHARED.VAR Unsynchronized access to static variable from servlet |
| CERT VNA02-J (L2): Ensure that compound operations on shared variables are atomic | SV.SHARED.VAR Unsynchronized access to static variable from servlet |