Java checker reference

| Checker name | Description | Default severity | Enabled by default? | Tunable? |
|---|---|---|---|---|
| ANDROID.LIFECYCLE.SV.FRAGMENTINJ | Unvalidated fragment class name | 1 | True | Yes |
| ANDROID.LIFECYCLE.SV.GETEXTRA | Unvalidated external data | 3 | True | Yes |
| ANDROID.NPE | Dereference of a null value in an Android application | 4 | True | Yes |
| ANDROID.RLK.MEDIAPLAYER | Media player is not released on exit | 1 | True | Yes |
| ANDROID.RLK.MEDIARECORDER | Media recorder is not released on exit | 1 | True | Yes |
| ANDROID.RLK.SQLCON | SQL connection is not closed on exit | 1 | True | Yes |
| ANDROID.RLK.SQLOBJ | SQL object is not closed on exit | 1 | True | Yes |
| ANDROID.UF.BITMAP | Usage of recycled bitmap | 2 | True | Yes |
| ANDROID.UF.CAMERA | Usage of released camera | 2 | True | Yes |
| ANDROID.UF.MEDIAPLAYER | Usage of released media player | 2 | True | Yes |
| ANDROID.UF.MEDIARECORDER | Usage of released media recorder | 2 | True | Yes |
| CMP.CLASS | Comparing by class name | 4 | False | No |
| CMPF.FLOAT | Equality checks on floating point types should be avoided | 4 | True | No |
| CMP.OBJ | Comparing objects with == | 4 | True | No |
| CMP.STR | Comparing strings with == | 4 | True | No |
| COV.CMP | Method compareTo() should have signature 'public int compareTo(Object)' | 4 | True | No |
| ECC.EMPTY | Empty catch clause | 4 | True | No |
| EHC.EQ | Class defines hashCode() but does not define equals() | 4 | True | No |
| EHC.HASH | Class defines equals() but does not define hashCode() | 4 | True | No |
| ESCMP.EMPTYSTR | Inefficient empty string comparison | 4 | True | No |
| EXC.BROADTHROWS | Method has an overly broad throws declaration | 4 | True | No |
| FIN.EMPTY | Empty finalize() method should be removed | 3 | True | No |
| FIN.NOSUPER | Implementation of the finalize() method should call super.finalize() | 3 | True | No |
| FSC.PRT | Class and its superclass have protected fields with the same name | 4 | False | No |
| FSC.PRV | Class and its superclass have private fields with the same name | 4 | False | No |
| FSC.PUB | Class and its superclass have public fields with the same name | 4 | False | No |
| JAVA.SV.EMAIL.HOST | Sending e-mails to host without validation | 3 | True | Yes |
| JAVA.SV.XML.INVALID | XML is not validated before being unmarshalled to a Java object | 2 | True | Yes |
| JD.BITCMP | Using non-short-circuit logic in expression | 3 | True | No |
| JD.BITMASK | Possible error in bit operations | 3 | True | No |
| JD.BITR | Redundant expression | 3 | True | No |
| JD.CALL.WRONGSTATIC | Call to static method via instance reference | 4 | True | No |
| JD.CAST.COL.MIGHT | Possible ClassCastException for collection | 4 | False | No |
| JD.CAST.COL.MUST | ClassCastException for collection | 4 | True | No |
| JD.CAST.DOWNCAST | Possible ClassCastException for subtypes | 4 | True | No |
| JD.CAST.KEY | Suspicious key type used to retrieve an element from collection | 4 | True | No |
| JD.CAST.SUSP.MIGHT | Possible ClassCastException for different types | 4 | True | No |
| JD.CAST.SUSP.MUST | ClassCastException for different types | 4 | True | No |
| JD.CAST.UPCAST | Possible ClassCastException for subtypes | 4 | True | No |
| JD.CATCH | Catching runtime exception | 4 | True | No |
| JD.CONCUR | Possible ConcurrentModificationException | 3 | True | No |
| JD.EQ.ARR | Calling 'equals' on array | 4 | True | No |
| JD.EQ.UTA | Calling 'equals' on incompatible types (array and non-array) | 4 | True | No |
| JD.EQ.UTC | Calling 'equals' on incompatible types | 4 | True | No |
| JD.FINRET | Return inside finally | 4 | True | No |
| JD.IFBAD | Redundant 'if' statement | 3 | True | No |
| JD.IFEMPTY | Redundant 'if' statement; unfinished code | 3 | True | No |
| JD.INF.ALLOC | Allocation within infinite loop | 4 | True | No |
| JD.INF.AREC | Apparent infinite recursion | 4 | True | No |
| JD.INST.TRUE | Redundant 'instanceof' condition | 4 | True | No |
| JD.LIST.ADD | Container added to itself | 4 | True | No |
| JD.LOCK | Lock without unlock | 2 | True | Yes |
| JD.LOCK.NOTIFY | Method 'notify' called with locks held | 4 | True | No |
| JD.LOCK.SLEEP | Method 'sleep' called with locks held | 4 | True | No |
| JD.LOCK.WAIT | Method 'wait' called with locks held | 4 | True | No |
| JD.METHOD.CBS | Method can be static | 4 | False | No |
| JD.NEXT | Possible 'NoSuchElementException' | 4 | True | Yes |
| JD.OVER | Mismatched override | 4 | True | No |
| JD.RC.EXPR.CHECK | Test expression is always true | 4 | True | No |
| JD.RC.EXPR.DEAD | Redundant check causing dead code | 4 | False | No |
| JD.ST.POS | Incorrect check for method 'indexOf' | 4 | True | No |
| JD.SYNC.DCL | Double-checked locking | 4 | True | No |
| JD.SYNC.IN | Inconsistent synchronization | 4 | True | No |
| JD.THREAD.RUN | Explicit call to a 'Thread.run' method | 4 | True | No |
| JD.UMC.FINALIZE | Explicit call to method 'Object.finalize' | 3 | True | No |
| JD.UMC.RUNFIN | runFinalizersOnExit() is called | 3 | True | No |
| JD.UMC.WAIT | Wait called on incorrect object | 4 | True | No |
| JD.UNCAUGHT | Uncaught exception | 4 | True | No |
| JD.UN.MET | Unused non-private method | 4 | False | No |
| JD.UNMOD | Modification of unmodifiable collection | 2 | True | Yes |
| JD.UN.PMET | Unused private method | 3 | True | No |
| JD.VNU | Variable was never read after being assigned | 4 | True | No |
| JD.VNU.NULL | Variable was never read after null being assigned | 4 | True | No |
| MNA.CAP | Method name should start with a non-capital letter | 4 | True | No |
| MNA.CNS | Method name is the same as the constructor name but it is not a constructor | 4 | True | No |
| MNA.SUS | Suspicious method name | 4 | True | No |
| NPE.COND | Null pointer dereference where null comes from condition | 1 | True | Yes |
| NPE.CONST | Null pointer dereference where null comes from constant | 1 | True | Yes |
| NPE.RET | Dereference of a null value which is returned from a method | 1 | True | Yes |
| NPE.RET.UTIL | Dereference of a null value which is returned from a map or a collection | 1 | True | Yes |
| NPE.STAT | Null pointer dereference of a return value (statistical) | 4 | False | Yes |
| REDUN.DEF | Assignment of expression to itself | 4 | True | No |
| REDUN.EQ | Suspicious equals() called with same expression on both sides | 4 | True | No |
| REDUN.EQNULL | Suspicious equals() called with expression and null (never true) | 4 | True | No |
| REDUN.FINAL | Redundant 'final' modifier | 4 | True | No |
| REDUN.NULL | Usage of variable instead of null constant | 4 | True | No |
| REDUN.OP | Suspicious operation with same expression on both sides | 4 | True | No |
| RI.IGNOREDCALL | The value returned by a method called on an immutable object is ignored | 4 | True | No |
| RI.IGNOREDNEW | Newly created object is ignored | 4 | True | No |
| RLK.AWT | AWT object is not disposed on exit | 1 | True | Yes |
| RLK.FIELD | Possible leak of system resource stored in a field | 4 | True | No |
| RLK.HIBERNATE | Hibernate object is not closed on exit | 1 | True | Yes |
| RLK.IMAGEIO | ImageIO stream is not closed on exit | 1 | True | Yes |
| RLK.IN | Input stream is not closed on exit | 1 | True | Yes |
| RLK.JNDI | JNDI context is not closed on exit | 1 | True | Yes |
| RLK.JPA | {3} object is not closed on exit | 1 | True | Yes |
| RLK.MAIL | Java mail object is not closed on exit | 1 | True | Yes |
| RLK.MICRO | Java Microedition connection is not closed on exit | 1 | True | Yes |
| RLK.NIO | NIO object is not closed on exit | 1 | True | Yes |
| RLK.OUT | Output stream is not closed on exit | 1 | True | Yes |
| RLK.SOCK | Socket is not closed on exit | 1 | True | Yes |
| RLK.SQLCON | SQL connection is not closed on exit | 1 | True | Yes |
| RLK.SQLOBJ | SQL object is not closed on exit | 1 | True | Yes |
| RLK.SWT | SWT object is not disposed on exit | 1 | True | Yes |
| RLK.ZIP | Zip file is not closed on exit | 1 | True | Yes |
| RNU.THIS | Comparing this with null, but this cannot be null | 4 | True | No |
| RR.IGNORED | The returned value is ignored | 4 | True | No |
| RTC.CALL | Type cast is redundant | 4 | True | No |
| SPRING.AUTHC.ABSENT | No configuration for a critical resource | 2 | False | No |
| SPRING.AUTHC.MISSING | Missing authentication for critical function | 2 | True | No |
| SPRING.AUTHZ.ABSENT | No configuration for protected resource | 2 | False | No |
| SPRING.AUTHZ.MISSING | Missing authorization | 2 | True | No |
| STRCON.LOOP | Using append for string in a loop | 4 | True | No |
| SV.AUTH.BYPASS.MIGHT | Incorrect authentication | 2 | True | Yes |
| SV.AUTH.BYPASS.MUST | Incorrect authentication | 2 | True | Yes |
| SV.AUTH.HASH.MIGHT | Use of weak cryptographic algorithm | 3 | True | Yes |
| SV.AUTH.HASH.MUST | Use of weak cryptographic algorithm | 3 | True | Yes |
| SV.CERT.INVALID | Certificate must be validated by constructing a certification path | 1 | True | Yes |
| SV.CLASSDEF.INJ | Runtime class definition injection | 2 | True | Yes |
| SV.CLASSLOADER.INJ | Class loader URL injection | 2 | True | Yes |
| SV.CLEXT.CLLOADER | Class extends 'java.lang.ClassLoader' | 4 | False | No |
| SV.CLEXT.POLICY | Class extends 'java.security.Policy' | 4 | False | No |
| SV.CLLOADER | Direct use of ClassLoader | 4 | False | No |
| SV.CLONE.SUP | Class implements 'clone' method but does not implement Cloneable | 4 | False | No |
| SV.CSRF.GET | CSRF token in GET request | 4 | False | Yes |
| SV.CSRF.ORIGIN | Request handler without an origin check | 4 | False | Yes |
| SV.CSRF.TOKEN | State-changing request handler without a CSRF check | 4 | False | Yes |
| SV.DATA.BOUND | Untrusted data leaks into trusted storage | 3 | True | Yes |
| SV.DATA.DB | Data injection | 2 | True | Yes |
| SV.DATA.FILE | A potentially harmful file could be uploaded and automatically processed | 4 | True | Yes |
| SV.DOS.ARRINDEX | Tainted index used for array access | 3 | True | Yes |
| SV.DOS.ARRSIZE | Tainted size used for array allocation | 3 | True | Yes |
| SV.DOS.TMPFILEDEL | Leaving temporary file for lifetime of JVM | 3 | True | Yes |
| SV.DOS.TMPFILEEXIT | Leaving temporary file | 3 | True | Yes |
| SV.ECV | Empty certificate validation | 4 | False | No |
| SV.ECV.TRUSTMANAGER | Unsafe implementation of the interface X509TrustManager | 2 | False | No |
| SV.EMAIL | Unchecked e-mail | 2 | True | Yes |
| SV.EXEC | Process injection | 2 | True | Yes |
| SV.EXEC.DIR | Process injection: working directory | 2 | True | Yes |
| SV.EXEC.ENV | Process injection: environment variables | 2 | True | Yes |
| SV.EXEC.LOCAL | Process injection: local arguments | 3 | True | Yes |
| SV.EXEC.PATH | Untrusted search path | 4 | True | No |
| SV.EXPOSE.FIELD | Static field may be changed by malicious code | 4 | False | No |
| SV.EXPOSE.FIN | Method finalize() should have protected access modifier, not public | 4 | False | No |
| SV.EXPOSE.IFIELD | Instance field should be made final | 4 | False | No |
| SV.EXPOSE.MUTABLEFIELD | Static mutable field can be accessed by malicious code | 4 | False | No |
| SV.EXPOSE.RET | Internal representation may be exposed | 4 | False | No |
| SV.EXPOSE.STORE | Method stores reference to mutable object | 4 | False | No |
| SV.HASH.NO_SALT | Use of a one-way cryptographic hash without a salt | 3 | True | No |
| SV.HTTP_SPLIT | HTTP response splitting | 2 | True | Yes |
| SV.IL.DEV | Design information leakage | 3 | True | Yes |
| SV.IL.FILE | File name leaking | 3 | True | Yes |
| SV.IL.SESSION | Logging of session id | 3 | True | Yes |
| SV.IL.SESSION.CLIENT | HttpServletRequest.getRequestedSessionId method should not be used | 4 | True | Yes |
| SV.INT_OVF | Tainted data may lead to integer overflow | 2 | True | Yes |
| SV.LDAP | Unvalidated user input is used as LDAP filter | 2 | True | Yes |
| SV.LDAP.ANON | Incorrect authentication | 4 | True | Yes |
| SV.LOADLIB.INJ | Untrusted call to 'loadLibrary' method | 4 | True | No |
| SV.LOG_FORGING | Log forging | 3 | True | Yes |
| SV.PASSWD.HC | Hardcoded password | 2 | True | Yes |
| SV.PASSWD.HC.EMPTY | Empty password | 2 | True | Yes |
| SV.PASSWD.HC.MINLEN | Hardcoded password shorter than the 15-character minimum length | 2 | True | Yes |
| SV.PASSWD.PLAIN | Plain-text password | 2 | True | Yes |
| SV.PASSWD.PLAIN.HC | Plain-text password | 2 | True | Yes |
| SV.PATH | Path and file name injection | 3 | True | Yes |
| SV.PATH.INJ | File injection | 3 | True | Yes |
| SV.PERMS.HOME | File created in user home directory without setting permissions | 2 | True | Yes |
| SV.PERMS.WIDE | Too wide permissions | 4 | True | Yes |
| SV.PRIVILEGE.MISSING | Method invoked should not be inside doPrivileged block | 4 | True | No |
| SV.RANDOM | Use of insecure random number generator | 4 | True | No |
| SV.SCRIPT | Script execution | 2 | True | Yes |
| SV.SENSITIVE.DATA | Unencrypted sensitive data is written | 2 | True | Yes |
| SV.SENSITIVE.OBJ | Object with unencrypted sensitive data is stored | 2 | True | No |
| SV.SERIAL.INON | Interface extends 'Serializable' | 4 | False | No |
| SV.SERIAL.NOFINAL | Methods readObject() and writeObject() in serializable classes should be final | 4 | False | No |
| SV.SERIAL.NON | Class implements 'Serializable' | 4 | False | No |
| SV.SERIAL.NOREAD | Method readObject() should be defined for a serializable class | 4 | False | No |
| SV.SERIAL.NOWRITE | Method writeObject() should be defined for a serializable class | 4 | False | No |
| SV.SERIAL.OVERRIDE | Do not invoke overridable methods from the readObject() method | 4 | True | No |
| SV.SERIAL.SIG | Methods readObject() and writeObject() in serializable classes should have the correct signature | 4 | False | No |
| SV.SESSION.FIXATION.COOKIE | Cookies should not be vulnerable to session fixation | 4 | True | Yes |
| SV.SHARED.VAR | Unsynchronized access to static variable from servlet | 4 | True | No |
| SV.SOCKETS | Bad practices: use of sockets | 4 | False | No |
| SV.SPRING.FIXATION | Session fixation protection is disabled | 2 | True | Yes |
| SV.SQL | SQL injection | 2 | True | Yes |
| SV.SQL.DBSOURCE | Unchecked information from the database is used in SQL statements | 3 | True | Yes |
| SV.SSRF.URI | URI based on unvalidated user input | 4 | True | Yes |
| SV.STRBUF.CLEAN | String buffer not cleaned | 3 | False | Yes |
| SV.STRUTS.NOTRESET | Struts Forms: inconsistent reset | 4 | False | No |
| SV.STRUTS.NOTVALID | Struts Forms: inconsistent validate | 4 | False | No |
| SV.STRUTS.PRIVATE | Struts Forms: non-private fields | 4 | False | No |
| SV.STRUTS.RESETMET | Struts Forms: reset method | 4 | False | No |
| SV.STRUTS.STATIC | Struts Forms: static fields | 4 | False | No |
| SV.STRUTS.VALIDMET | Struts Forms: validate method | 4 | False | No |
| SV.STRUTS.VER | Usage of vulnerable Apache Struts version | 2 | True | No |
| SV.TAINT | Tainted data | 3 | False | Yes |
| SV.TAINT_NATIVE | Tainted data goes to native code | 3 | True | Yes |
| SV.TMPFILE | Temporary file path tampering | 3 | True | Yes |
| SV.UMC.EXIT | The System.exit() and Runtime.exit() method calls should not be used in servlet code | 4 | False | No |
| SV.UMC.JDBC | Application should avoid calling DriverManager.getConnection() directly | 4 | False | No |
| SV.UMC.THREADS | Bad practices: use of thread management | 4 | False | No |
| SV.UMD.MAIN | Leftover debug code: main method | 4 | False | No |
| SV.USE.POLICY | Direct use of Policy methods | 4 | False | No |
| SV.WEAK.CRYPT | Use of a broken or risky cryptographic algorithm | 3 | True | No |
| SV.WEAK.KEYS.AES | Insufficient key length in cryptographic algorithm (AES) | 3 | True | Yes |
| SV.WEAK.KEYS.DH | Insufficient key length in cryptographic algorithm (DH) | 3 | True | Yes |
| SV.WEAK.KEYS.DSA | Insufficient key length in cryptographic algorithm (DSA) | 3 | True | Yes |
| SV.WEAK.KEYS.EC | Insufficient key length in cryptographic algorithm (EC) | 3 | True | Yes |
| SV.WEAK.KEYS.RSA | Insufficient key length in cryptographic algorithm (RSA) | 3 | True | Yes |
| SV.WEAK.TLS | Weak SSL/TLS protocols should not be used | 2 | True | Yes |
| SV.XPATH | Unvalidated user input is used as an XPath expression | 2 | True | Yes |
| SV.XSS.COOKIE | Sensitive cookie without HttpOnly flag | 4 | True | Yes |
| SV.XSS.COOKIE.SECURE | Sensitive cookie without Secure flag | 1 | True | Yes |
| SV.XSS.DB | Cross-site scripting (stored XSS) | 2 | True | Yes |
| SV.XSS.REF | Cross-site scripting (reflected XSS) | 2 | True | Yes |
| SV.XXE.DBF | Possibility for XML External Entity attack (DocumentBuilderFactory) | 4 | True | No |
| SV.XXE.SF | Possibility for XML External Entity attack (SchemaFactory) | 4 | True | No |
| SV.XXE.SPF | Possibility for XML External Entity attack (SAXParserFactory) | 4 | True | No |
| SV.XXE.TF | Possibility for XML External Entity attack (TransformerFactory) | 4 | True | No |
| SV.XXE.XIF | Possibility for XML External Entity attack (XMLInputFactory) | 4 | True | No |
| SV.XXE.XRF | Possibility for XML External Entity attack (XMLReaderFactory) | 4 | True | No |
| SYNCH.NESTED | Synchronized method calls another synchronized method with the same lock held | 4 | True | No |
| SYNCH.NESTEDS | Synchronized static method calls another synchronized static method with the same lock held | 4 | True | No |
| UC.BOOLB | Unnecessary creation of new Boolean object from a boolean expression | 4 | True | No |
| UC.BOOLS | Unnecessary creation of new Boolean object from a string expression | 4 | True | No |
| UC.STRS | Unnecessary creation of new String object from a string expression | 4 | True | No |
| UC.STRV | Unnecessary creation of empty String object | 4 | True | No |
| UF.IMAGEIO | Usage of closed ImageIO stream | 2 | True | Yes |
| UF.IN | Usage of closed input stream | 2 | True | Yes |
| UF.JNDI | Usage of closed JNDI context | 2 | True | Yes |
| UF.MAIL | Usage of closed Java mail object | 2 | True | Yes |
| UF.MICRO | Usage of closed Java Microedition connection | 2 | True | Yes |
| UF.NIO | Usage of closed NIO object | 2 | True | Yes |
| UF.OUT | Usage of closed output stream | 2 | True | Yes |
| UF.SOCK | Usage of closed socket | 2 | True | Yes |
| UF.SQLCON | Usage of closed SQL connection | 2 | True | Yes |
| UF.SQLOBJ | Usage of closed SQL object | 2 | True | Yes |
| UF.ZIP | Usage of closed zip file | 2 | True | Yes |
| UMC.EXIT | The System.exit() method call is unwanted | 4 | False | No |
| UMC.GC | The System.gc() method call is unwanted | 4 | False | No |
| UMC.SYSERR | Debug print using System.err method calls is unwanted | 4 | False | No |
| UMC.SYSOUT | Debug print using System.out method calls is unwanted | 4 | False | No |
| UMC.TOSTRING | Unnecessary toString() method called for a String argument | 4 | True | No |