DISA STIG version 5 IDs mapped to Klocwork Java checkers

This article maps DISA Security Technical Implementation Guide (STIG) version 5 rule IDs to the Klocwork Java checkers that cover them. For more information about the DISA STIG, see the STIG website.

Rule   Checker name and description
V-222388 (APSC-DV-000060)

SV.DOS.TMPFILEDEL   Leaving temporary file for lifetime of JVM

SV.DOS.TMPFILEEXIT   Leaving temporary file

V-222396 (APSC-DV-000160)

SV.AUTH.HASH.MUST   Use of weak cryptographic algorithm

SV.HASH.NO_SALT   Use of a one-way cryptographic hash without a salt

SV.SENSITIVE.DATA   Unencrypted sensitive data is written

SV.SENSITIVE.OBJ   Object with unencrypted sensitive data is stored

SV.WEAK.CRYPT   Use of a Broken or Risky Cryptographic Algorithm

SV.WEAK.TLS   Weak SSL/TLS protocols should not be used.

V-222397 (APSC-DV-000170)

SV.AUTH.HASH.MUST   Use of weak cryptographic algorithm

SV.HASH.NO_SALT   Use of a one-way cryptographic hash without a salt

SV.SENSITIVE.DATA   Unencrypted sensitive data is written

SV.SENSITIVE.OBJ   Object with unencrypted sensitive data is stored

SV.WEAK.CRYPT   Use of a Broken or Risky Cryptographic Algorithm

SV.WEAK.TLS   Weak SSL/TLS protocols should not be used.

V-222425 (APSC-DV-000460)

SPRING.AUTHC.ABSENT   No configuration for a critical resource

SPRING.AUTHC.MISSING   Missing authentication for critical function

SPRING.AUTHZ.ABSENT   No configuration for protected resource

SPRING.AUTHZ.MISSING   Missing Authorization

SV.AUTH.BYPASS.MIGHT   Incorrect Authentication

SV.AUTH.BYPASS.MUST   Incorrect Authentication

V-222427 (APSC-DV-000480)

SV.EXPOSE.FIELD   Static field may be changed by malicious code

SV.EXPOSE.FIN   Method finalize() should have protected access modifier, not public

SV.EXPOSE.IFIELD   Instance field should be made final

SV.EXPOSE.MUTABLEFIELD   Static mutable field can be accessed by malicious code

SV.EXPOSE.RET   Internal representation may be exposed

SV.EXPOSE.STORE   Method stores reference to mutable object

V-222430 (APSC-DV-000510)

SPRING.AUTHC.ABSENT   No configuration for a critical resource

SPRING.AUTHC.MISSING   Missing authentication for critical function

SPRING.AUTHZ.ABSENT   No configuration for protected resource

SPRING.AUTHZ.MISSING   Missing Authorization

SV.CLEXT.POLICY   Class extends 'java.security.Policy'

SV.PRIVILEGE.MISSING   Method invoked should not be inside doPrivileged block

SV.USE.POLICY   Direct use methods of Policy

V-222444 (APSC-DV-000650)

SV.LOG_FORGING   Log Forging

V-222501 (APSC-DV-001290)

SV.LOG_FORGING   Log Forging

V-222515 (APSC-DV-001460)

SV.EMAIL   Unchecked e-mail

SV.SSRF.URI   URI based on invalidated user input.

UMC.SYSERR   Debug print using System.err method calls is unwanted

UMC.SYSOUT   Debug print using System.out method calls is unwanted

V-222536 (APSC-DV-001680)

SV.PASSWD.HC.EMPTY   Empty Password

SV.PASSWD.HC.MINLEN   Minimum 15 character length Hardcoded Password

V-222542 (APSC-DV-001740)

SV.AUTH.HASH.MUST   Use of weak cryptographic algorithm

SV.HASH.NO_SALT   Use of a one-way cryptographic hash without a salt

SV.PASSWD.HC   Hardcoded Password

SV.PASSWD.HC.EMPTY   Empty Password

SV.PASSWD.PLAIN   Plain-text Password

SV.PASSWD.PLAIN.HC   Plain-text Password

SV.SENSITIVE.DATA   Unencrypted sensitive data is written

SV.SENSITIVE.OBJ   Object with unencrypted sensitive data is stored

SV.WEAK.CRYPT   Use of a Broken or Risky Cryptographic Algorithm

SV.WEAK.TLS   Weak SSL/TLS protocols should not be used.

V-222543 (APSC-DV-001750)

SV.AUTH.HASH.MUST   Use of weak cryptographic algorithm

SV.HASH.NO_SALT   Use of a one-way cryptographic hash without a salt

SV.PASSWD.HC   Hardcoded Password

SV.PASSWD.HC.EMPTY   Empty Password

SV.PASSWD.PLAIN   Plain-text Password

SV.PASSWD.PLAIN.HC   Plain-text Password

SV.SENSITIVE.DATA   Unencrypted sensitive data is written

SV.SENSITIVE.OBJ   Object with unencrypted sensitive data is stored

SV.WEAK.CRYPT   Use of a Broken or Risky Cryptographic Algorithm

SV.WEAK.TLS   Weak SSL/TLS protocols should not be used.

V-222550 (APSC-DV-001810)

SV.CERT.INVALID   Certificate must be validated by constructing certification path.

SV.ECV.TRUSTMANAGER   Unsafe implementation of the interface X509TrustManager.

V-222551 (APSC-DV-001820)

SV.PERMS.HOME   File created in user home directory, without setting permissions

SV.PERMS.WIDE   Too wide permissions

V-222554 (APSC-DV-001850)

SV.PASSWD.PLAIN   Plain-text Password

V-222555 (APSC-DV-001860)

JAVA.SV.EMAIL.HOST   Sending e-mails to Host without validation.

SV.AUTH.HASH.MIGHT   Use of weak cryptographic algorithm

SV.AUTH.HASH.MUST   Use of weak cryptographic algorithm

SV.ECV   Empty certificate validation

SV.ECV.TRUSTMANAGER   Unsafe implementation of the interface X509TrustManager.

SV.HASH.NO_SALT   Use of a one-way cryptographic hash without a salt

SV.SENSITIVE.DATA   Unencrypted sensitive data is written

SV.SENSITIVE.OBJ   Object with unencrypted sensitive data is stored

SV.WEAK.CRYPT   Use of a Broken or Risky Cryptographic Algorithm

SV.WEAK.KEYS.AES   Insufficient key length in Cryptographic Algorithm

SV.WEAK.KEYS.DH   Insufficient key length in Cryptographic Algorithm

SV.WEAK.KEYS.DSA   Insufficient key length in Cryptographic Algorithm

SV.WEAK.KEYS.EC   Insufficient key length in Cryptographic Algorithm

SV.WEAK.KEYS.RSA   Insufficient key length in Cryptographic Algorithm

SV.WEAK.TLS   Weak SSL/TLS protocols should not be used.

SV.XSS.COOKIE   Sensitive cookie without setHttpOnly flag

SV.XSS.COOKIE.SECURE   Sensitive cookie without Secure protocol

V-222567 (APSC-DV-001995)

JD.NEXT   Possible 'NoSuchElementException'

JD.SYNC.IN   Inconsistent synchronization

SV.SHARED.VAR   Unsynchronized access to static variable from servlet

SV.STRUTS.STATIC   Struts Forms: static fields

SV.UMC.THREADS   Bad practices: use of thread management

V-222568 (APSC-DV-002000)

RLK.NIO   NIO object is not closed on exit

RLK.SOCK   Socket is not closed on exit

V-222571 (APSC-DV-002030)

SV.AUTH.HASH.MUST   Use of weak cryptographic algorithm

SV.HASH.NO_SALT   Use of a one-way cryptographic hash without a salt

SV.SENSITIVE.DATA   Unencrypted sensitive data is written

SV.SENSITIVE.OBJ   Object with unencrypted sensitive data is stored

SV.WEAK.CRYPT   Use of a Broken or Risky Cryptographic Algorithm

SV.WEAK.TLS   Weak SSL/TLS protocols should not be used.

V-222572 (APSC-DV-002040)

SV.AUTH.HASH.MUST   Use of weak cryptographic algorithm

SV.HASH.NO_SALT   Use of a one-way cryptographic hash without a salt

SV.SENSITIVE.DATA   Unencrypted sensitive data is written

SV.SENSITIVE.OBJ   Object with unencrypted sensitive data is stored

SV.WEAK.CRYPT   Use of a Broken or Risky Cryptographic Algorithm

SV.WEAK.TLS   Weak SSL/TLS protocols should not be used.

V-222577 (APSC-DV-002230)

SV.IL.SESSION   Logging of session id

SV.IL.SESSION.CLIENT   HttpServletRequest.getRequestedSessionId method should not be used.

SV.SESSION.FIXATION.COOKIE   Cookies should not be vulnerable to session fixation

SV.SPRING.FIXATION   Session fixation protection is disabled

SV.XSS.COOKIE   Sensitive cookie without setHttpOnly flag

SV.XSS.COOKIE.SECURE   Sensitive cookie without Secure protocol

V-222578 (APSC-DV-002240)

SV.IL.SESSION   Logging of session id

SV.IL.SESSION.CLIENT   HttpServletRequest.getRequestedSessionId method should not be used.

SV.SESSION.FIXATION.COOKIE   Cookies should not be vulnerable to session fixation

SV.SPRING.FIXATION   Session fixation protection is disabled

SV.XSS.COOKIE   Sensitive cookie without setHttpOnly flag

SV.XSS.COOKIE.SECURE   Sensitive cookie without Secure protocol

V-222583 (APSC-DV-002290)

SV.RANDOM   Use of insecure Random number generator

V-222585 (APSC-DV-002310)

ANDROID.RLK.SQLOBJ   Sql object is not closed on exit

RLK.HIBERNATE   Hibernate object is not closed on exit

RLK.JNDI   JNDI context is not closed on exit

RLK.JPA   {3} object is not closed on exit.

RLK.SQLCON   Sql connection is not closed on exit

RLK.SQLOBJ   Sql object is not closed on exit

SV.DOS.TMPFILEDEL   Leaving temporary file for lifetime of JVM

SV.DOS.TMPFILEEXIT   Leaving temporary file

V-222589 (APSC-DV-002350)

SV.AUTH.HASH.MUST   Use of weak cryptographic algorithm

SV.HASH.NO_SALT   Use of a one-way cryptographic hash without a salt

SV.SENSITIVE.DATA   Unencrypted sensitive data is written

SV.SENSITIVE.OBJ   Object with unencrypted sensitive data is stored

SV.WEAK.CRYPT   Use of a Broken or Risky Cryptographic Algorithm

SV.WEAK.TLS   Weak SSL/TLS protocols should not be used.

V-222590 (APSC-DV-002360)

SV.CLEXT.POLICY   Class extends 'java.security.Policy'

SV.USE.POLICY   Direct use methods of Policy

V-222594 (APSC-DV-002400)

SV.DOS.ARRINDEX   Tainted index used for array access

SV.DOS.ARRSIZE   Tainted size used for array allocation

SV.TAINT_NATIVE   Tainted data goes to native code

SV.TMPFILE   Temporary file path tampering

SV.UMC.EXIT   The System.exit() and Runtime.exit() method calls should not be used in servlets code

V-222596 (APSC-DV-002500)

SV.AUTH.HASH.MUST   Use of weak cryptographic algorithm

SV.HASH.NO_SALT   Use of a one-way cryptographic hash without a salt

SV.PASSWD.HC   Hardcoded Password

SV.PASSWD.HC.EMPTY   Empty Password

SV.PASSWD.PLAIN   Plain-text Password

SV.PASSWD.PLAIN.HC   Plain-text Password

SV.RANDOM   Use of insecure Random number generator

SV.SENSITIVE.DATA   Unencrypted sensitive data is written

SV.SENSITIVE.OBJ   Object with unencrypted sensitive data is stored

SV.SERIAL.NOFINAL   Methods readObject() and writeObject() in serializable classes should be final

SV.SERIAL.NOREAD   Method readObject() should be defined for a serializable class

SV.SERIAL.NOWRITE   Method writeObject() should be defined for a serializable class

SV.SERIAL.SIG   Methods readObject() and writeObject() in serializable classes should have correct signature

SV.WEAK.CRYPT   Use of a Broken or Risky Cryptographic Algorithm

SV.WEAK.TLS   Weak SSL/TLS protocols should not be used.

V-222600 (APSC-DV-002480)

SV.IL.DEV   Design information leakage

SV.IL.FILE   File Name Leaking

SV.STRBUF.CLEAN   String buffer not cleaned

SV.STRUTS.NOTRESET   Struts Forms: inconsistent reset

V-222602 (APSC-DV-002490)

ANDROID.LIFECYCLE.SV.GETEXTRA   Unvalidated external data

SV.HTTP_SPLIT   Http Response Splitting

SV.XSS.COOKIE   Sensitive cookie without setHttpOnly flag

SV.XSS.DB   Cross Site Scripting (Stored XSS)

SV.XSS.REF   Cross Site Scripting (Reflected XSS)

V-222603 (APSC-DV-002500)

SV.CSRF.GET   CSRF Token in GET request

SV.CSRF.ORIGIN   Request handler without an origin check

SV.CSRF.TOKEN   State changing request handler without a CSRF check

V-222604 (APSC-DV-002510)

SV.CLASSDEF.INJ   Runtime Class Definition Injection

SV.CLASSLOADER.INJ   Class Loader URL Injection

SV.CLEXT.CLLOADER   Class extends 'java.lang.ClassLoader'

SV.EMAIL   Unchecked e-mail

SV.EXEC   Process Injection

SV.EXEC.DIR   Process Injection. Working Directory

SV.EXEC.ENV   Process Injection. Environment Variables

SV.EXEC.LOCAL   Process Injection. Local Arguments

SV.PATH   Path and file name injection

SV.PATH.INJ   File injection

SV.SCRIPT   Script Execution

SV.SERIAL.INON   Interface extends 'Serializable'

SV.SERIAL.NON   Class implements 'Serializable'

SV.SERIAL.NOREAD   Method readObject() should be defined for a serializable class

SV.SERIAL.NOWRITE   Method writeObject() should be defined for a serializable class

SV.SERIAL.SIG   Methods readObject() and writeObject() in serializable classes should have correct signature

V-222606 (APSC-DV-002530)

ANDROID.LIFECYCLE.SV.FRAGMENTINJ   Unvalidated fragment class name

ANDROID.LIFECYCLE.SV.GETEXTRA   Unvalidated external data

CMP.CLASS   Comparing by classname

SV.CLASSDEF.INJ   Runtime Class Definition Injection

SV.CLASSLOADER.INJ   Class Loader URL Injection

SV.DATA.BOUND   Untrusted Data leaks into trusted storage

SV.DATA.DB   Data injection

SV.DOS.ARRINDEX   Tainted index used for array access

SV.DOS.ARRSIZE   Tainted size used for array allocation

SV.EMAIL   Unchecked e-mail

SV.EXEC   Process Injection

SV.EXEC.DIR   Process Injection. Working Directory

SV.EXEC.ENV   Process Injection. Environment Variables

SV.HTTP_SPLIT   Http Response Splitting

SV.INT_OVF   Tainted data may lead to Integer Overflow

SV.LDAP   Unvalidated user input is used as LDAP filter

SV.PATH   Path and file name injection

SV.PATH.INJ   File injection

SV.SCRIPT   Script Execution

SV.SQL   Sql Injection

SV.SSRF.URI   URI based on invalidated user input.

SV.STRUTS.NOTVALID   Struts Forms: inconsistent validate

SV.STRUTS.VALIDMET   Struts Forms: validate method

SV.TAINT   Tainted data

SV.TAINT_NATIVE   Tainted data goes to native code

SV.TMPFILE   Temporary file path tampering

SV.XPATH   Unvalidated user input is used as an XPath expression

SV.XSS.REF   Cross Site Scripting (Reflected XSS)

V-222607 (APSC-DV-002540)

SV.SQL   Sql Injection

SV.SQL.DBSOURCE   Unchecked information from the database is used in SQL statements

V-222608 (APSC-DV-002490)

SV.XPATH   Unvalidated user input is used as an XPath expression

SV.XXE.DBF   Possibility for XML External Entity attack

SV.XXE.SF   Possibility for XML External Entity attack

SV.XXE.SPF   Possibility for XML External Entity attack

SV.XXE.TF   Possibility for XML External Entity attack

SV.XXE.XIF   Possibility for XML External Entity attack

SV.XXE.XRF   Possibility for XML External Entity attack

V-222609 (APSC-DV-002560)

ANDROID.LIFECYCLE.SV.FRAGMENTINJ   Unvalidated fragment class name

ANDROID.LIFECYCLE.SV.GETEXTRA   Unvalidated external data

CMP.CLASS   Comparing by classname

SV.CLASSDEF.INJ   Runtime Class Definition Injection

SV.CLASSLOADER.INJ   Class Loader URL Injection

SV.DATA.BOUND   Untrusted Data leaks into trusted storage

SV.DATA.DB   Data injection

SV.DOS.ARRINDEX   Tainted index used for array access

SV.DOS.ARRSIZE   Tainted size used for array allocation

SV.EMAIL   Unchecked e-mail

SV.EXEC   Process Injection

SV.EXEC.DIR   Process Injection. Working Directory

SV.EXEC.ENV   Process Injection. Environment Variables

SV.HTTP_SPLIT   Http Response Splitting

SV.INT_OVF   Tainted data may lead to Integer Overflow

SV.LDAP   Unvalidated user input is used as LDAP filter

SV.PATH   Path and file name injection

SV.PATH.INJ   File injection

SV.SCRIPT   Script Execution

SV.SQL   Sql Injection

SV.SSRF.URI   URI based on invalidated user input.

SV.STRUTS.NOTVALID   Struts Forms: inconsistent validate

SV.STRUTS.VALIDMET   Struts Forms: validate method

SV.TAINT   Tainted data

SV.TAINT_NATIVE   Tainted data goes to native code

SV.TMPFILE   Temporary file path tampering

SV.XPATH   Unvalidated user input is used as an XPath expression

SV.XSS.REF   Cross Site Scripting (Reflected XSS)

V-222612 (APSC-DV-002590)

SV.DOS.ARRINDEX   Tainted index used for array access

SV.DOS.ARRSIZE   Tainted size used for array allocation

SV.INT_OVF   Tainted data may lead to Integer Overflow

SV.TAINT_NATIVE   Tainted data goes to native code

V-222625 (APSC-DV-002950)

JD.INF.AREC   Apparent infinite recursion

JD.LOCK   Lock without unlock

JD.LOCK.NOTIFY   Method 'notify' called with locks held

JD.LOCK.SLEEP   Method 'sleep' called with locks held

JD.LOCK.WAIT   Method 'wait' called with locks held

V-222641 (APSC-DV-003100)

SV.AUTH.HASH.MUST   Use of weak cryptographic algorithm

SV.HASH.NO_SALT   Use of a one-way cryptographic hash without a salt

SV.SENSITIVE.DATA   Unencrypted sensitive data is written

SV.SENSITIVE.OBJ   Object with unencrypted sensitive data is stored

SV.WEAK.CRYPT   Use of a Broken or Risky Cryptographic Algorithm

SV.WEAK.TLS   Weak SSL/TLS protocols should not be used.

V-222642 (APSC-DV-003110)

SV.PASSWD.HC   Hardcoded Password

SV.PASSWD.HC.EMPTY   Empty Password

SV.PASSWD.PLAIN   Plain-text Password

SV.PASSWD.PLAIN.HC   Plain-text Password

V-222653 (APSC-DV-003215)

JD.THREAD.RUN   Explicit call to a 'Thread.run' method

JD.UMC.FINALIZE   Explicit call to method 'Object.finalize'

JD.UMC.RUNFIN   runFinalizersOnExit() is called

MNA.CAP   Method name should start with non-capital letter

MNA.CNS   Method name is same as constructor name but it is not a constructor

MNA.SUS   Suspicious method name

V-222656 (APSC-DV-003235)

ECC.EMPTY   Empty catch clause

EXC.BROADTHROWS   Method has an overly broad throws declaration

JD.CATCH   Catching runtime exception

JD.UNCAUGHT   Uncaught exception

RI.IGNOREDCALL   The value returned by a method called on immutable object is ignored

RI.IGNOREDNEW   Newly created object is ignored

RR.IGNORED   The returned value is ignored

V-222662 (APSC-DV-003280)

SV.PASSWD.HC   Hardcoded Password

V-222667 (APSC-DV-003320)

SV.DOS.ARRINDEX   Tainted index used for array access

SV.DOS.ARRSIZE   Tainted size used for array allocation

SV.TAINT_NATIVE   Tainted data goes to native code

SV.TMPFILE   Temporary file path tampering

SV.UMC.EXIT   The System.exit() and Runtime.exit() method calls should not be used in servlets code

V-254803 (APSC-DV-002010)

SV.AUTH.HASH.MUST   Use of weak cryptographic algorithm

SV.HASH.NO_SALT   Use of a one-way cryptographic hash without a salt

SV.SENSITIVE.DATA   Unencrypted sensitive data is written

SV.SENSITIVE.OBJ   Object with unencrypted sensitive data is stored

SV.WEAK.CRYPT   Use of a Broken or Risky Cryptographic Algorithm

SV.WEAK.TLS   Weak SSL/TLS protocols should not be used.

Support Summary:

  • 38 findings