DISA STIG version 4 IDs mapped to Klocwork Java checkers

This article maps DISA Security Technical Implementation Guide (STIG) version 4 rule IDs (APSC-DV-*) to the Klocwork Java checkers that detect the corresponding weaknesses. Each rule ID below is followed by the checker names and descriptions mapped to it; one checker can serve several rules. For more information about DISA STIG, see the STIG web site.

Rule ID
Checker name   Checker description
APSC-DV-000060

SV.DOS.TMPFILEDEL   Leaving temporary file for lifetime of JVM

SV.DOS.TMPFILEEXIT   Leaving temporary file

APSC-DV-000160

SV.HASH.NO_SALT   Use of a one-way cryptographic hash without a salt

SV.SENSITIVE.DATA   Unencrypted sensitive data is written

SV.SENSITIVE.OBJ   Object with unencrypted sensitive data is stored

SV.WEAK.CRYPT   Use of a Broken or Risky Cryptographic Algorithm

APSC-DV-000170

SV.HASH.NO_SALT   Use of a one-way cryptographic hash without a salt

SV.SENSITIVE.DATA   Unencrypted sensitive data is written

SV.SENSITIVE.OBJ   Object with unencrypted sensitive data is stored

SV.WEAK.CRYPT   Use of a Broken or Risky Cryptographic Algorithm

APSC-DV-000460

SV.PASSWD.HC.EMPTY   Empty Password

APSC-DV-000480

SV.EXPOSE.FIELD   Static field may be changed by malicious code

SV.EXPOSE.FIN   Method finalize() should have protected access modifier, not public

SV.EXPOSE.IFIELD   Instance field should be made final

SV.EXPOSE.MUTABLEFIELD   Static mutable field can be accessed by malicious code

SV.EXPOSE.RET   Internal representation may be exposed

SV.EXPOSE.STORE   Method stores reference to mutable object

APSC-DV-000650

SV.LOG_FORGING   Log Forging

APSC-DV-001290

SV.LOG_FORGING   Log Forging

APSC-DV-001460

SV.EMAIL   Unchecked e-mail

UMC.SYSERR   Debug print using System.err method calls is unwanted

UMC.SYSOUT   Debug print using System.out method calls is unwanted

APSC-DV-001680

SV.PASSWD.HC.EMPTY   Empty Password

APSC-DV-001740

SV.PASSWD.PLAIN   Plain-text Password

APSC-DV-001750

SV.PASSWD.PLAIN   Plain-text Password

APSC-DV-001810

SV.ECV   Empty certificate validation

APSC-DV-001850

SV.PASSWD.PLAIN   Plain-text Password

APSC-DV-001860

SV.HASH.NO_SALT   Use of a one-way cryptographic hash without a salt

SV.SENSITIVE.DATA   Unencrypted sensitive data is written

SV.SENSITIVE.OBJ   Object with unencrypted sensitive data is stored

SV.WEAK.CRYPT   Use of a Broken or Risky Cryptographic Algorithm

APSC-DV-001995

JD.NEXT   Possible 'NoSuchElementException'

JD.SYNC.IN   Inconsistent synchronization

SV.SHARED.VAR   Unsynchronized access to static variable from servlet

SV.STRUTS.STATIC   Struts Forms: static fields

SV.UMC.THREADS   Bad practices: use of thread management

APSC-DV-002000

RLK.NIO   NIO object is not closed on exit

RLK.SOCK   Socket is not closed on exit

APSC-DV-002010

SV.HASH.NO_SALT   Use of a one-way cryptographic hash without a salt

SV.SENSITIVE.DATA   Unencrypted sensitive data is written

SV.SENSITIVE.OBJ   Object with unencrypted sensitive data is stored

SV.WEAK.CRYPT   Use of a Broken or Risky Cryptographic Algorithm

APSC-DV-002030

SV.HASH.NO_SALT   Use of a one-way cryptographic hash without a salt

SV.SENSITIVE.DATA   Unencrypted sensitive data is written

SV.SENSITIVE.OBJ   Object with unencrypted sensitive data is stored

SV.WEAK.CRYPT   Use of a Broken or Risky Cryptographic Algorithm

APSC-DV-002040

SV.HASH.NO_SALT   Use of a one-way cryptographic hash without a salt

SV.SENSITIVE.DATA   Unencrypted sensitive data is written

SV.SENSITIVE.OBJ   Object with unencrypted sensitive data is stored

SV.WEAK.CRYPT   Use of a Broken or Risky Cryptographic Algorithm

APSC-DV-002290

SV.RANDOM   Use of insecure Random number generator

APSC-DV-002350

SV.HASH.NO_SALT   Use of a one-way cryptographic hash without a salt

SV.SENSITIVE.DATA   Unencrypted sensitive data is written

SV.SENSITIVE.OBJ   Object with unencrypted sensitive data is stored

SV.WEAK.CRYPT   Use of a Broken or Risky Cryptographic Algorithm

APSC-DV-002360

SV.CLEXT.POLICY   Class extends 'java.security.Policy'

SV.USE.POLICY   Direct use methods of Policy

APSC-DV-002400

SV.DOS.ARRINDEX   Tainted index used for array access

SV.DOS.ARRSIZE   Tainted size used for array allocation

SV.TAINT_NATIVE   Tainted data goes to native code

SV.TMPFILE   Temporary file path tampering

SV.UMC.EXIT   The System.exit() and Runtime.exit() method calls should not be used in servlets code

APSC-DV-002480

SV.IL.DEV   Design information leakage

SV.IL.FILE   File Name Leaking

SV.STRBUF.CLEAN   String buffer not cleaned

SV.STRUTS.NOTRESET   Struts Forms: inconsistent reset

APSC-DV-002490

ANDROID.LIFECYCLE.SV.GETEXTRA   Unvalidated external data

SV.HTTP_SPLIT   Http Response Splitting

SV.XSS.DB   Cross Site Scripting (Stored XSS)

SV.XSS.REF   Cross Site Scripting (Reflected XSS)

APSC-DV-002500

SV.CSRF.GET   CSRF Token in GET request

SV.CSRF.ORIGIN   Request handler without an origin check

SV.CSRF.TOKEN   State changing request handler without a CSRF check

APSC-DV-002510

SV.CLASSDEF.INJ   Runtime Class Definition Injection

SV.CLASSLOADER.INJ   Class Loader URL Injection

SV.CLEXT.CLLOADER   Class extends 'java.lang.ClassLoader'

SV.EXEC   Process Injection

SV.EXEC.DIR   Process Injection. Working Directory

SV.EXEC.ENV   Process Injection. Environment Variables

SV.EXEC.LOCAL   Process Injection. Local Arguments

SV.PATH   Path and file name injection

SV.PATH.INJ   File injection

SV.SCRIPT   Script Execution

SV.SERIAL.INON   Interface extends 'Serializable'

SV.SERIAL.NON   Class implements 'Serializable'

SV.SERIAL.NOREAD   Method readObject() should be defined for a serializable class

SV.SERIAL.NOWRITE   Method writeObject() should be defined for a serializable class

SV.SERIAL.SIG   Methods readObject() and writeObject() in serializable classes should have correct signature

APSC-DV-002530

ANDROID.LIFECYCLE.SV.FRAGMENTINJ   Unvalidated fragment class name

CMP.CLASS   Comparing by classname

SV.DATA.BOUND   Untrusted Data leaks into trusted storage

SV.DATA.DB   Data injection

SV.LDAP   Unvalidated user input is used as LDAP filter

SV.STRUTS.NOTVALID   Struts Forms: inconsistent validate

SV.STRUTS.VALIDMET   Struts Forms: validate method

SV.TAINT   Tainted data

SV.XPATH   Unvalidated user input is used as an XPath expression

APSC-DV-002540

SV.SQL   Sql Injection

SV.SQL.DBSOURCE   Unchecked information from the database is used in SQL statements

APSC-DV-002560

ANDROID.LIFECYCLE.SV.FRAGMENTINJ   Unvalidated fragment class name

CMP.CLASS   Comparing by classname

SV.DATA.BOUND   Untrusted Data leaks into trusted storage

SV.DATA.DB   Data injection

SV.LDAP   Unvalidated user input is used as LDAP filter

SV.STRUTS.NOTVALID   Struts Forms: inconsistent validate

SV.STRUTS.VALIDMET   Struts Forms: validate method

SV.TAINT   Tainted data

SV.XPATH   Unvalidated user input is used as an XPath expression

APSC-DV-002590

SV.INT_OVF   Tainted data may lead to Integer Overflow

APSC-DV-002950

JD.INF.AREC   Apparent infinite recursion

JD.LOCK   Lock without unlock

JD.LOCK.NOTIFY   Method 'notify' called with locks held

JD.LOCK.SLEEP   Method 'sleep' called with locks held

JD.LOCK.WAIT   Method 'wait' called with locks held

APSC-DV-003100

SV.HASH.NO_SALT   Use of a one-way cryptographic hash without a salt

SV.SENSITIVE.DATA   Unencrypted sensitive data is written

SV.SENSITIVE.OBJ   Object with unencrypted sensitive data is stored

SV.WEAK.CRYPT   Use of a Broken or Risky Cryptographic Algorithm

APSC-DV-003110

SV.PASSWD.HC   Hardcoded Password

APSC-DV-003215

JD.THREAD.RUN   Explicit call to a 'Thread.run' method

JD.UMC.FINALIZE   Explicit call to method 'Object.finalize'

JD.UMC.RUNFIN   runFinalizersOnExit() is called

MNA.CAP   Method name should start with non-capital letter

MNA.CNS   Method name is same as constructor name but it is not a constructor

MNA.SUS   Suspicious method name

APSC-DV-003235

ECC.EMPTY   Empty catch clause

EXC.BROADTHROWS   Method has an overly broad throws declaration

JD.CATCH   Catching runtime exception

JD.UNCAUGHT   Uncaught exception

RI.IGNOREDCALL   The value returned by a method called on immutable object is ignored

RI.IGNOREDNEW   Newly created object is ignored

RR.IGNORED   The returned value is ignored

APSC-DV-003280

SV.PASSWD.HC   Hardcoded Password

APSC-DV-003320

SV.DOS.ARRINDEX   Tainted index used for array access

SV.DOS.ARRSIZE   Tainted size used for array allocation

SV.TAINT_NATIVE   Tainted data goes to native code

SV.TMPFILE   Temporary file path tampering

SV.UMC.EXIT   The System.exit() and Runtime.exit() method calls should not be used in servlets code

Support summary:

  • 38 DISA STIG version 4 rules mapped to Klocwork Java checkers