CERT Java IDs mapped to Klocwork Java checkers
The following mapping of CERT Java rule IDs to Klocwork Java checkers is a community-developed mapping. The level in parentheses after each rule ID (L1, L2, L3) is the priority level the CERT Oracle Coding Standard for Java assigns to that rule, L1 being the highest; a single CERT rule may map to several Klocwork checkers, and a checker may serve several rules.
Rule | Level | Checker name and description |
---|---|---|
DCL02-J | L3 | JD.UNMOD Modification of unmodifiable collection |
ENV03-J | L1 | SV.CLEXT.POLICY Class extends 'java.security.Policy' |
ENV06-J | L1 | JAVA.DEBUG.ENTRY Production code must not contain debugging entry points |
ERR01-J | L3 | SV.IL.DEV Design information leakage |
ERR03-J | L3 | SV.HTTP_SPLIT Http Response Splitting<br>SV.SSRF.URI URI based on invalidated user input. |
ERR04-J | L3 | JD.FINRET Return inside finally |
ERR05-J | L3 | JD.UNCAUGHT Uncaught exception |
ERR07-J | L2 | EXC.BROADTHROWS Method has an overly broad throws declaration |
ERR08-J | L1 | JD.CATCH Catching runtime exception |
ERR09-J | L3 | SV.UMC.EXIT The System.exit() and Runtime.exit() method calls should not be used in servlets code<br>UMC.EXIT The System.exit() method call is unwanted |
EXP00-J | L2 | RI.IGNOREDCALL The value returned by a method called on immutable object is ignored<br>RR.IGNORED The returned value is ignored |
EXP01-J | L3 | NPE.COND Null pointer dereference where null comes from condition<br>NPE.CONST Null pointer dereference where null comes from constant<br>NPE.RET Dereference of a null value which is returned from a method<br>NPE.RET.UTIL Dereference of a null value which is returned from a map or a collection<br>NPE.STAT Null pointer dereference of a return value (statistical)<br>REDUN.EQNULL Suspicious equals() called with expression and null (never true) |
EXP02-J | L2 | JD.EQ.ARR Calling 'equals' on array |
EXP03-J | L2 | CMP.OBJ Comparing objects with == |
FIO01-J | L3 | SV.PERMS.HOME File created in user home directory, without setting permissions<br>SV.PERMS.WIDE Too wide permissions |
FIO03-J | L2 | SV.DOS.TMPFILEDEL Leaving temporary file for lifetime of JVM<br>SV.DOS.TMPFILEEXIT Leaving temporary file |
FIO04-J | L3 | RLK.AWT AWT object is not disposed on exit<br>RLK.FIELD Possible leak of system resource stored in a field<br>RLK.HIBERNATE Hibernate object is not closed on exit<br>RLK.IMAGEIO ImageIO stream is not closed on exit<br>RLK.IN Input stream is not closed on exit<br>RLK.JNDI JNDI context is not closed on exit<br>RLK.JPA {3} object is not closed on exit.<br>RLK.MAIL Java mail object is not closed on exit<br>RLK.MICRO Java Microedition connection is not closed on exit<br>RLK.NIO NIO object is not closed on exit<br>RLK.OUT Output stream is not closed on exit<br>RLK.SOCK Socket is not closed on exit<br>RLK.SQLCON Sql connection is not closed on exit<br>RLK.SQLOBJ Sql object is not closed on exit<br>RLK.SWT SWT object is not disposed on exit<br>RLK.ZIP Zip file is not closed on exit |
FIO13-J | L3 | SV.IL.SESSION Logging of session id |
FIO16-J | L3 | SV.EXEC.PATH Untrusted Search Path<br>SV.PATH Path and file name injection<br>SV.PATH.INJ File injection<br>SV.TMPFILE Temporary file path tampering |
IDS00-J | L1 | SV.DATA.DB Data injection<br>SV.SQL Sql Injection<br>SV.SQL.DBSOURCE Unchecked information from the database is used in SQL statements |
IDS01-J | L1 | SV.TAINT Tainted data<br>SV.TAINT_NATIVE Tainted data goes to native code<br>SV.XSS.DB Cross Site Scripting (Stored XSS)<br>SV.XSS.REF Cross Site Scripting (Reflected XSS) |
IDS03-J | L2 | SV.LOG_FORGING Log Forging |
IDS07-J | L1 | SV.EXEC Process Injection<br>SV.EXEC.DIR Process Injection. Working Directory<br>SV.EXEC.ENV Process Injection. Environment Variables<br>SV.EXEC.LOCAL Process Injection. Local Arguments<br>SV.EXEC.PATH Untrusted Search Path |
IDS16-J | L1 | JAVA.SV.XML.INVALID XML is not validated before being unmarshalled to a Java object |
IDS17-J | L2 | SV.XXE.DBF Possibility for XML External Entity attack<br>SV.XXE.SF Possibility for XML External Entity attack<br>SV.XXE.SPF Possibility for XML External Entity attack<br>SV.XXE.TF Possibility for XML External Entity attack<br>SV.XXE.XIF Possibility for XML External Entity attack<br>SV.XXE.XRF Possibility for XML External Entity attack |
JNI00-J | L3 | JAVA.NATIVE.PUBLIC Define wrappers around native methods |
JNI01-J | L1 | SV.LOADLIB.INJ Untrusted call to 'loadLibrary' method |
LCK05-J | L3 | SV.SHARED.VAR Unsynchronized access to static variable from servlet |
LCK07-J | L3 | JD.LOCK Lock without unlock |
LCK09-J | L3 | JD.LOCK.NOTIFY Method 'notify' called with locks held<br>JD.LOCK.SLEEP Method 'sleep' called with locks held<br>JD.LOCK.WAIT Method 'wait' called with locks held |
LCK10-J | L3 | JD.SYNC.DCL Double-checked locking |
MET01-J | L2 | JAVA.ASSERT.ARG Never use assertions to validate method arguments |
MET09-J | L3 | EHC.EQ Class defines hashCode() but does not define equals()<br>EHC.HASH Class defines equals() but does not define hashCode() |
MET12-J | L2 | FIN.EMPTY Empty finalize() method should be removed<br>FIN.NOSUPER Implementation of the finalize() method should call super.finalize()<br>JD.UMC.FINALIZE Explicit call to method 'Object.finalize'<br>JD.UMC.RUNFIN runFinalizersOnExit() is called<br>SV.EXPOSE.FIN Method finalize() should have protected access modifier, not public |
MSC00-J | L2 | SV.WEAK.TLS Weak SSL/TLS protocols should not be used. |
MSC01-J | L3 | JAVA.INF.LOOP.EMPTY Do not use an empty infinite loop |
MSC02-J | L1 | SV.RANDOM Use of insecure Random number generator |
MSC03-J | L1 | SV.PASSWD.HC Hardcoded Password<br>SV.PASSWD.HC.EMPTY Empty Password<br>SV.PASSWD.PLAIN Plain-text Password<br>SV.PASSWD.PLAIN.HC Plain-text Password<br>SV.SENSITIVE.DATA Unencrypted sensitive data is written<br>SV.SENSITIVE.OBJ Object with unencrypted sensitive data is stored |
MSC05-J | L3 | JD.INF.ALLOC Allocation within infinite loop<br>SV.DOS.ARRSIZE Tainted size used for array allocation<br>SV.INT_OVF Tainted data may lead to Integer Overflow |
MSC06-J | L3 | JD.CONCUR Possible ConcurrentModificationException |
MSC11-J | L2 | SV.IL.SESSION Logging of session id<br>SV.IL.SESSION.CLIENT HttpServletRequest.getRequestedSessionId method should not be used.<br>SV.SESSION.FIXATION.COOKIE Cookies should not be vulnerable to session fixation<br>SV.SPRING.FIXATION Session fixation protection is disabled |
NUM00-J | L3 | SV.INT_OVF Tainted data may lead to Integer Overflow |
NUM07-J | L3 | JAVA.COMPARE.NAN Do not attempt comparisons with NaN |
NUM09-J | L2 | JAVA.LOOP.CTR.FLOAT Do not use floating-point variables as loop counters |
NUM10-J | L2 | JAVA.BIGDEC.FLOAT Do not construct BigDecimal objects from floating-point literals |
OBJ01-J | L1 | SV.EXPOSE.FIELD Static field may be changed by malicious code<br>SV.EXPOSE.IFIELD Instance field should be made final<br>SV.EXPOSE.MUTABLEFIELD Static mutable field can be accessed by malicious code<br>SV.STRUTS.PRIVATE Struts Forms: non-private fields<br>SV.STRUTS.STATIC Struts Forms: static fields |
OBJ04-J | L2 | SV.EXPOSE.RET Internal representation may be exposed<br>SV.EXPOSE.STORE Method stores reference to mutable object |
OBJ05-J | L1 | SV.EXPOSE.RET Internal representation may be exposed<br>SV.EXPOSE.STORE Method stores reference to mutable object |
OBJ09-J | L2 | CMP.CLASS Comparing by classname |
OBJ10-J | L2 | SV.EXPOSE.FIELD Static field may be changed by malicious code<br>SV.STRUTS.STATIC Struts Forms: static fields |
OBJ11-J | L1 | JAVA.CTOR.EXCEPT Be wary of letting constructors throw exceptions<br>JAVA.FINAL.STATIC.VAR Use of nonfinal static variable |
SEC00-J | L2 | SV.PRIVILEGE.MISSING Method invoked should not be inside doPrivileged block |
SEC03-J | L1 | SV.CLASSLOADER.INJ Class Loader URL Injection<br>SV.CLEXT.CLLOADER Class extends 'java.lang.ClassLoader'<br>SV.CLLOADER Direct use of Classloader |
SER01-J | L1 | SV.SERIAL.SIG Methods readObject() and writeObject() in serializable classes should have correct signature |
SER03-J | L2 | SV.SERIAL.NOFINAL Methods readObject() and writeObject() in serializable classes should be final<br>SV.SERIAL.NOWRITE Method writeObject() should be defined for a serializable class |
SER05-J | L1 | JAVA.SERIALIZE.INNER Do not serialize instances of inner classes |
SER06-J | L3 | SV.SERIAL.NOFINAL Methods readObject() and writeObject() in serializable classes should be final<br>SV.SERIAL.NOREAD Method readObject() should be defined for a serializable class |
SER09-J | L3 | SV.SERIAL.OVERRIDE Do not invoke overridable methods from the readObject() method |
SER12-J | L2 | SV.SERIAL.NOFINAL Methods readObject() and writeObject() in serializable classes should be final<br>SV.SERIAL.NOREAD Method readObject() should be defined for a serializable class |
THI00-J | L3 | JD.THREAD.RUN Explicit call to a 'Thread.run' method |
THI01-J | L3 | JAVA.THREADGROUP Do not invoke ThreadGroup methods |
THI03-J | L3 | JAVA.WAIT.IN.LOOP Always invoke wait() and await() methods inside a loop |
VNA00-J | L2 | SV.SHARED.VAR Unsynchronized access to static variable from servlet |
VNA01-J | L3 | SV.SHARED.VAR Unsynchronized access to static variable from servlet |
VNA02-J | L2 | SV.SHARED.VAR Unsynchronized access to static variable from servlet |