DISA STIG version 5 IDs: Java

This article maps DISA Security Technical Implementation Guide version 5 IDs to Klocwork Java checkers. For more information about DISA STIG, see the STIG web site.

Rule | Checker name and description
V-222388 [APSC-DV-000060] (CAT 2)

SV.DOS.TMPFILEDEL  Leaving temporary file for lifetime of JVM

SV.DOS.TMPFILEEXIT  Leaving temporary file

V-222396 [APSC-DV-000160] (CAT 2)

SV.AUTH.HASH.MUST  Use of weak cryptographic algorithm

SV.SENSITIVE.DATA  Unencrypted sensitive data is written

SV.SENSITIVE.OBJ  Object with unencrypted sensitive data is stored

SV.WEAK.CRYPT  Use of a Broken or Risky Cryptographic Algorithm

SV.WEAK.TLS  Weak SSL/TLS protocols should not be used.

V-222397 [APSC-DV-000170] (CAT 2)

SV.AUTH.HASH.MUST  Use of weak cryptographic algorithm

SV.SENSITIVE.DATA  Unencrypted sensitive data is written

SV.SENSITIVE.OBJ  Object with unencrypted sensitive data is stored

SV.WEAK.CRYPT  Use of a Broken or Risky Cryptographic Algorithm

SV.WEAK.TLS  Weak SSL/TLS protocols should not be used.

V-222397 [APSC-DV-000170] (CAT 2), V-254803 [APSC-DV-002010] (CAT 2)

SV.HASH.NO_SALT  Use of a one-way cryptographic hash without a salt

V-222425 [APSC-DV-000460] (CAT 1)

SPRING.AUTHC.ABSENT  No configuration for a critical resource

SPRING.AUTHC.MISSING  Missing authentication for critical function

SPRING.AUTHZ.ABSENT  No configuration for protected resource

SPRING.AUTHZ.MISSING  Missing Authorization

SV.AUTH.BYPASS.MIGHT  Incorrect Authentication

SV.AUTH.BYPASS.MUST  Incorrect Authentication

V-222427 [APSC-DV-000480] (CAT 2)

SV.EXPOSE.FIELD  Static field may be changed by malicious code

SV.EXPOSE.FIN  Method finalize() should have protected access modifier, not public

SV.EXPOSE.IFIELD  Instance field should be made final

SV.EXPOSE.MUTABLEFIELD  Static mutable field can be accessed by malicious code

SV.EXPOSE.RET  Internal representation may be exposed

SV.EXPOSE.STORE  Method stores reference to mutable object

V-222430 [APSC-DV-000510] (CAT 1)

SPRING.AUTHC.ABSENT  No configuration for a critical resource

SPRING.AUTHC.MISSING  Missing authentication for critical function

SPRING.AUTHZ.ABSENT  No configuration for protected resource

SPRING.AUTHZ.MISSING  Missing Authorization

SV.CLEXT.POLICY  Class extends 'java.security.Policy'

SV.PRIVILEGE.MISSING  Method invoked should not be inside doPrivileged block

SV.USE.POLICY  Direct use methods of Policy

V-222444 [APSC-DV-000650] (CAT 2)

SV.LOG_FORGING  Log Forging

V-222501 [APSC-DV-001290] (CAT 2)

SV.LOG_FORGING  Log Forging

V-222515 [APSC-DV-001460] (CAT 2)

SV.EMAIL  Unchecked e-mail

SV.SSRF.URI  URI based on invalidated user input.

UMC.SYSERR  Debug print using System.err method calls is unwanted

UMC.SYSOUT  Debug print using System.out method calls is unwanted

V-222536 [APSC-DV-001680] (CAT 1)

SV.PASSWD.HC.EMPTY  Empty Password

SV.PASSWD.HC.MINLEN  Minimum 15 character length Hardcoded Password

V-222542 [APSC-DV-001740] (CAT 1)

SV.AUTH.HASH.MUST  Use of weak cryptographic algorithm

SV.HASH.NO_SALT  Use of a one-way cryptographic hash without a salt

SV.PASSWD.HC  Hardcoded Password

SV.PASSWD.HC.EMPTY  Empty Password

SV.PASSWD.PLAIN  Plain-text Password

SV.PASSWD.PLAIN.HC  Plain-text Password

SV.SENSITIVE.DATA  Unencrypted sensitive data is written

SV.SENSITIVE.OBJ  Object with unencrypted sensitive data is stored

SV.WEAK.CRYPT  Use of a Broken or Risky Cryptographic Algorithm

SV.WEAK.TLS  Weak SSL/TLS protocols should not be used.

V-222543 [APSC-DV-001750] (CAT 1)

SV.AUTH.HASH.MUST  Use of weak cryptographic algorithm

SV.HASH.NO_SALT  Use of a one-way cryptographic hash without a salt

SV.PASSWD.HC  Hardcoded Password

SV.PASSWD.HC.EMPTY  Empty Password

SV.PASSWD.PLAIN  Plain-text Password

SV.PASSWD.PLAIN.HC  Plain-text Password

SV.SENSITIVE.DATA  Unencrypted sensitive data is written

SV.SENSITIVE.OBJ  Object with unencrypted sensitive data is stored

SV.WEAK.CRYPT  Use of a Broken or Risky Cryptographic Algorithm

SV.WEAK.TLS  Weak SSL/TLS protocols should not be used.

V-222550 [APSC-DV-001810] (CAT 1)

SV.CERT.INVALID  Certificate must be validated by constructing certification path.

SV.ECV.TRUSTMANAGER  Unsafe implementation of the interface X509TrustManager.

V-222551 [APSC-DV-001820] (CAT 1)

SV.PERMS.HOME  File created in user home directory, without setting permissions

SV.PERMS.WIDE  Too wide permissions

V-222551 [APSC-DV-001820] (CAT 1)

SPRING.AUTHC.ABSENT  No configuration for a critical resource

SPRING.AUTHC.MISSING  Missing authentication for critical function

SPRING.AUTHZ.ABSENT  No configuration for protected resource

SPRING.AUTHZ.MISSING  Missing Authorization

SV.AUTH.BYPASS.MIGHT  Incorrect Authentication

SV.AUTH.BYPASS.MUST  Incorrect Authentication

V-222554 [APSC-DV-001850] (CAT 1)

SV.PASSWD.PLAIN  Plain-text Password

V-222555 [APSC-DV-001860] (CAT 1)

JAVA.SV.EMAIL.HOST  Sending e-mails to Host without validation.

SV.AUTH.HASH.MIGHT  Use of weak cryptographic algorithm

SV.AUTH.HASH.MUST  Use of weak cryptographic algorithm

SV.ECV  Empty certificate validation

SV.ECV.TRUSTMANAGER  Unsafe implementation of the interface X509TrustManager.

SV.HASH.NO_SALT  Use of a one-way cryptographic hash without a salt

SV.SENSITIVE.DATA  Unencrypted sensitive data is written

SV.SENSITIVE.OBJ  Object with unencrypted sensitive data is stored

SV.WEAK.CRYPT  Use of a Broken or Risky Cryptographic Algorithm

SV.WEAK.KEYS.AES  Insufficient key length in Cryptographic Algorithm

SV.WEAK.KEYS.DH  Insufficient key length in Cryptographic Algorithm

SV.WEAK.KEYS.DSA  Insufficient key length in Cryptographic Algorithm

SV.WEAK.KEYS.EC  Insufficient key length in Cryptographic Algorithm

SV.WEAK.KEYS.RSA  Insufficient key length in Cryptographic Algorithm

SV.WEAK.TLS  Weak SSL/TLS protocols should not be used.

SV.XSS.COOKIE  Sensitive cookie without setHttpOnly flag

SV.XSS.COOKIE.SECURE  Sensitive cookie without Secure protocol

V-222567 [APSC-DV-001995] (CAT 2)

JD.NEXT  Possible 'NoSuchElementException'

JD.SYNC.IN  Inconsistent synchronization

SV.SHARED.VAR  Unsynchronized access to static variable from servlet

SV.STRUTS.STATIC  Struts Forms: static fields

SV.UMC.THREADS  Bad practices: use of thread management

V-222568 [APSC-DV-002000] (CAT 2)

RLK.NIO  NIO object is not closed on exit

RLK.SOCK  Socket is not closed on exit

V-222571 [APSC-DV-002030] (CAT 2)

SV.AUTH.HASH.MUST  Use of weak cryptographic algorithm

SV.HASH.NO_SALT  Use of a one-way cryptographic hash without a salt

SV.SENSITIVE.DATA  Unencrypted sensitive data is written

SV.SENSITIVE.OBJ  Object with unencrypted sensitive data is stored

SV.WEAK.CRYPT  Use of a Broken or Risky Cryptographic Algorithm

SV.WEAK.TLS  Weak SSL/TLS protocols should not be used.

V-222572 [APSC-DV-002040] (CAT 2)

SV.AUTH.HASH.MUST  Use of weak cryptographic algorithm

SV.HASH.NO_SALT  Use of a one-way cryptographic hash without a salt

SV.SENSITIVE.DATA  Unencrypted sensitive data is written

SV.SENSITIVE.OBJ  Object with unencrypted sensitive data is stored

SV.WEAK.CRYPT  Use of a Broken or Risky Cryptographic Algorithm

SV.WEAK.TLS  Weak SSL/TLS protocols should not be used.

V-222577 [APSC-DV-002230] (CAT 1)

SV.IL.SESSION  Logging of session id

SV.IL.SESSION.CLIENT  HttpServletRequest.getRequestedSessionId method should not be used.

SV.SESSION.FIXATION.COOKIE  Cookies should not be vulnerable to session fixation

SV.SPRING.FIXATION  Session fixation protection is disabled

SV.XSS.COOKIE  Sensitive cookie without setHttpOnly flag

SV.XSS.COOKIE.SECURE  Sensitive cookie without Secure protocol

V-222578 [APSC-DV-002240] (CAT 1)

SV.IL.SESSION  Logging of session id

SV.IL.SESSION.CLIENT  HttpServletRequest.getRequestedSessionId method should not be used.

SV.SESSION.FIXATION.COOKIE  Cookies should not be vulnerable to session fixation

SV.SPRING.FIXATION  Session fixation protection is disabled

SV.XSS.COOKIE  Sensitive cookie without setHttpOnly flag

SV.XSS.COOKIE.SECURE  Sensitive cookie without Secure protocol

V-222583 [APSC-DV-002290] (CAT 2)

SV.RANDOM  Use of insecure Random number generator

V-222585 [APSC-DV-002310] (CAT 1)

ANDROID.RLK.SQLOBJ  Sql object is not closed on exit

RLK.HIBERNATE  Hibernate object is not closed on exit

RLK.JNDI  JNDI context is not closed on exit

RLK.JPA  {3} object is not closed on exit.

RLK.SQLCON  Sql connection is not closed on exit

RLK.SQLOBJ  Sql object is not closed on exit

SV.DOS.TMPFILEDEL  Leaving temporary file for lifetime of JVM

SV.DOS.TMPFILEEXIT  Leaving temporary file

V-222589 [APSC-DV-002350] (CAT 2)

SV.AUTH.HASH.MUST  Use of weak cryptographic algorithm

SV.HASH.NO_SALT  Use of a one-way cryptographic hash without a salt

SV.SENSITIVE.DATA  Unencrypted sensitive data is written

SV.SENSITIVE.OBJ  Object with unencrypted sensitive data is stored

SV.WEAK.CRYPT  Use of a Broken or Risky Cryptographic Algorithm

SV.WEAK.TLS  Weak SSL/TLS protocols should not be used.

V-222590 [APSC-DV-002360] (CAT 2)

SV.CLEXT.POLICY  Class extends 'java.security.Policy'

SV.USE.POLICY  Direct use methods of Policy

V-222594 [APSC-DV-002400] (CAT 2)

SV.DOS.ARRINDEX  Tainted index used for array access

SV.DOS.ARRSIZE  Tainted size used for array allocation

SV.TAINT_NATIVE  Tainted data goes to native code

SV.TMPFILE  Temporary file path tampering

SV.UMC.EXIT  The System.exit() and Runtime.exit() method calls should not be used in servlets code

V-222596 [APSC-DV-002440] (CAT 1)

SV.AUTH.HASH.MUST  Use of weak cryptographic algorithm

SV.PASSWD.HC  Hardcoded Password

SV.PASSWD.HC.EMPTY  Empty Password

SV.PASSWD.PLAIN  Plain-text Password

SV.PASSWD.PLAIN.HC  Plain-text Password

SV.RANDOM  Use of insecure Random number generator

SV.SENSITIVE.DATA  Unencrypted sensitive data is written

SV.SENSITIVE.OBJ  Object with unencrypted sensitive data is stored

SV.SERIAL.NOFINAL  Methods readObject() and writeObject() in serializable classes should be final

SV.SERIAL.NOREAD  Method readObject() should be defined for a serializable class

SV.SERIAL.NOWRITE  Method writeObject() should be defined for a serializable class

SV.SERIAL.SIG  Methods readObject() and writeObject() in serializable classes should have correct signature

SV.WEAK.CRYPT  Use of a Broken or Risky Cryptographic Algorithm

V-222596 [APSC-DV-002440] (CAT 1), V-222396 [APSC-DV-000160] (CAT 2)

SV.HASH.NO_SALT  Use of a one-way cryptographic hash without a salt

V-222600 [APSC-DV-002480] (CAT 2)

SV.IL.DEV  Design information leakage

SV.IL.FILE  File Name Leaking

SV.STRBUF.CLEAN  String buffer not cleaned

SV.STRUTS.NOTRESET  Struts Forms: inconsistent reset

V-222602 [APSC-DV-002490] (CAT 1)

ANDROID.LIFECYCLE.SV.GETEXTRA  Unvalidated external data

SV.HTTP_SPLIT  Http Response Splitting

SV.XSS.COOKIE  Sensitive cookie without setHttpOnly flag

SV.XSS.DB  Cross Site Scripting (Stored XSS)

SV.XSS.REF  Cross Site Scripting (Reflected XSS)

V-222603 [APSC-DV-002500] (CAT 2)

SV.CSRF.GET  CSRF Token in GET request

SV.CSRF.ORIGIN  Request handler without an origin check

SV.CSRF.TOKEN  State changing request handler without a CSRF check

V-222604 [APSC-DV-002510] (CAT 1)

SV.CLASSDEF.INJ  Runtime Class Definition Injection

SV.CLASSLOADER.INJ  Class Loader URL Injection

SV.CLEXT.CLLOADER  Class extends 'java.lang.ClassLoader'

SV.EMAIL  Unchecked e-mail

SV.EXEC  Process Injection

SV.EXEC.DIR  Process Injection. Working Directory

SV.EXEC.ENV  Process Injection. Environment Variables

SV.EXEC.LOCAL  Process Injection. Local Arguments

SV.PATH  Path and file name injection

SV.PATH.INJ  File injection

SV.SCRIPT  Script Execution

SV.SERIAL.INON  Interface extends 'Serializable'

SV.SERIAL.NOFINAL  Methods readObject() and writeObject() in serializable classes should be final

SV.SERIAL.NON  Class implements 'Serializable'

SV.SERIAL.NOREAD  Method readObject() should be defined for a serializable class

SV.SERIAL.NOWRITE  Method writeObject() should be defined for a serializable class

SV.SERIAL.SIG  Methods readObject() and writeObject() in serializable classes should have correct signature

V-222606 [APSC-DV-002530] (CAT 2)

ANDROID.LIFECYCLE.SV.FRAGMENTINJ  Unvalidated fragment class name

ANDROID.LIFECYCLE.SV.GETEXTRA  Unvalidated external data

CMP.CLASS  Comparing by classname

SV.CLASSDEF.INJ  Runtime Class Definition Injection

SV.CLASSLOADER.INJ  Class Loader URL Injection

SV.DATA.BOUND  Untrusted Data leaks into trusted storage

SV.DATA.DB  Data injection

SV.DOS.ARRINDEX  Tainted index used for array access

SV.DOS.ARRSIZE  Tainted size used for array allocation

SV.EMAIL  Unchecked e-mail

SV.EXEC  Process Injection

SV.EXEC.DIR  Process Injection. Working Directory

SV.EXEC.ENV  Process Injection. Environment Variables

SV.HTTP_SPLIT  Http Response Splitting

SV.INT_OVF  Tainted data may lead to Integer Overflow

SV.LDAP  Unvalidated user input is used as LDAP filter

SV.PATH  Path and file name injection

SV.PATH.INJ  File injection

SV.SCRIPT  Script Execution

SV.SQL  Sql Injection

SV.SSRF.URI  URI based on invalidated user input.

SV.STRUTS.NOTVALID  Struts Forms: inconsistent validate

SV.STRUTS.VALIDMET  Struts Forms: validate method

SV.TAINT  Tainted data

SV.TAINT_NATIVE  Tainted data goes to native code

SV.TMPFILE  Temporary file path tampering

SV.XPATH  Unvalidated user input is used as an XPath expression

SV.XSS.REF  Cross Site Scripting (Reflected XSS)

V-222607 [APSC-DV-002540] (CAT 1)

SV.SQL  Sql Injection

SV.SQL.DBSOURCE  Unchecked information from the database is used in SQL statements

V-222608 [APSC-DV-002550] (CAT 1)

SV.XPATH  Unvalidated user input is used as an XPath expression

SV.XXE.DBF  Possibility for XML External Entity attack

SV.XXE.SF  Possibility for XML External Entity attack

SV.XXE.SPF  Possibility for XML External Entity attack

SV.XXE.TF  Possibility for XML External Entity attack

SV.XXE.XIF  Possibility for XML External Entity attack

SV.XXE.XRF  Possibility for XML External Entity attack

V-222609 [APSC-DV-002560] (CAT 1)

ANDROID.LIFECYCLE.SV.FRAGMENTINJ  Unvalidated fragment class name

ANDROID.LIFECYCLE.SV.GETEXTRA  Unvalidated external data

CMP.CLASS  Comparing by classname

SV.CLASSDEF.INJ  Runtime Class Definition Injection

SV.CLASSLOADER.INJ  Class Loader URL Injection

SV.DATA.BOUND  Untrusted Data leaks into trusted storage

SV.DATA.DB  Data injection

SV.DOS.ARRINDEX  Tainted index used for array access

SV.DOS.ARRSIZE  Tainted size used for array allocation

SV.EMAIL  Unchecked e-mail

SV.EXEC  Process Injection

SV.EXEC.DIR  Process Injection. Working Directory

SV.EXEC.ENV  Process Injection. Environment Variables

SV.HTTP_SPLIT  Http Response Splitting

SV.INT_OVF  Tainted data may lead to Integer Overflow

SV.LDAP  Unvalidated user input is used as LDAP filter

SV.PATH  Path and file name injection

SV.PATH.INJ  File injection

SV.SCRIPT  Script Execution

SV.SQL  Sql Injection

SV.SSRF.URI  URI based on invalidated user input.

SV.STRUTS.NOTVALID  Struts Forms: inconsistent validate

SV.STRUTS.VALIDMET  Struts Forms: validate method

SV.TAINT  Tainted data

SV.TAINT_NATIVE  Tainted data goes to native code

SV.TMPFILE  Temporary file path tampering

SV.XPATH  Unvalidated user input is used as an XPath expression

SV.XSS.REF  Cross Site Scripting (Reflected XSS)

V-222612 [APSC-DV-002590] (CAT 1)

SV.DOS.ARRINDEX  Tainted index used for array access

SV.DOS.ARRSIZE  Tainted size used for array allocation

SV.INT_OVF  Tainted data may lead to Integer Overflow

SV.TAINT_NATIVE  Tainted data goes to native code

V-222625 [APSC-DV-002950] (CAT 2)

JD.INF.AREC  Apparent infinite recursion

JD.LOCK  Lock without unlock

JD.LOCK.NOTIFY  Method 'notify' called with locks held

JD.LOCK.SLEEP  Method 'sleep' called with locks held

JD.LOCK.WAIT  Method 'wait' called with locks held

V-222641 [APSC-DV-003100] (CAT 2)

SV.AUTH.HASH.MUST  Use of weak cryptographic algorithm

SV.HASH.NO_SALT  Use of a one-way cryptographic hash without a salt

SV.SENSITIVE.DATA  Unencrypted sensitive data is written

SV.SENSITIVE.OBJ  Object with unencrypted sensitive data is stored

SV.WEAK.CRYPT  Use of a Broken or Risky Cryptographic Algorithm

SV.WEAK.TLS  Weak SSL/TLS protocols should not be used.

V-222642 [APSC-DV-003110] (CAT 1)

SV.PASSWD.HC  Hardcoded Password

SV.PASSWD.HC.EMPTY  Empty Password

SV.PASSWD.PLAIN  Plain-text Password

SV.PASSWD.PLAIN.HC  Plain-text Password

V-222653 [APSC-DV-003215] (CAT 3)

JD.THREAD.RUN  Explicit call to a 'Thread.run' method

JD.UMC.FINALIZE  Explicit call to method 'Object.finalize'

JD.UMC.RUNFIN  runFinalizersOnExit() is called

MNA.CAP  Method name should start with non-capital letter

MNA.CNS  Method name is same as constructor name but it is not a constructor

MNA.SUS  Suspicious method name

V-222656 [APSC-DV-003235] (CAT 2)

ECC.EMPTY  Empty catch clause

EXC.BROADTHROWS  Method has an overly broad throws declaration

JD.CATCH  Catching runtime exception

JD.UNCAUGHT  Uncaught exception

RI.IGNOREDCALL  The value returned by a method called on immutable object is ignored

RI.IGNOREDNEW  Newly created object is ignored

RR.IGNORED  The returned value is ignored

V-222662 [APSC-DV-003280] (CAT 1)

SV.PASSWD.HC  Hardcoded Password

V-222667 [APSC-DV-003320] (CAT 2)

SV.DOS.ARRINDEX  Tainted index used for array access

SV.DOS.ARRSIZE  Tainted size used for array allocation

SV.TAINT_NATIVE  Tainted data goes to native code

SV.TMPFILE  Temporary file path tampering

SV.UMC.EXIT  The System.exit() and Runtime.exit() method calls should not be used in servlets code

V-254803 [APSC-DV-002010] (CAT 2)

SV.AUTH.HASH.MUST  Use of weak cryptographic algorithm

SV.SENSITIVE.DATA  Unencrypted sensitive data is written

SV.SENSITIVE.OBJ  Object with unencrypted sensitive data is stored

SV.WEAK.CRYPT  Use of a Broken or Risky Cryptographic Algorithm

SV.WEAK.TLS  Weak SSL/TLS protocols should not be used.

Support Summary:

  • 38 findings