SV.CLEXT.CLLOADER occurs when a class extends java.lang.ClassLoader. The error is not applicable to interfaces.

Vulnerability and risk

Allowing implementations of ClassLoader could lead to a security and/or permissions breach.

Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or could introduce human error.

Mitigation and prevention

Do not extend ClassLoader. If you must extend ClassLoader, it is better to use SecureClassLoader.
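
The mitigation above, sketched as an added example (not Klocwork's own sample code): a loader that extends java.security.SecureClassLoader, so every class it defines is tied to a CodeSource and, through it, a ProtectionDomain. The class name PluginClassLoader and the directory-based layout are assumptions made for illustration.

```java
import java.io.IOException;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSource;
import java.security.SecureClassLoader;
import java.security.cert.Certificate;

// Hypothetical loader name; declared final so it cannot itself be subclassed.
public final class PluginClassLoader extends SecureClassLoader {
    private final Path root;          // directory holding the trusted .class files
    private final CodeSource source;  // origin recorded for every class defined here

    public PluginClassLoader(Path root, ClassLoader parent) throws IOException {
        super(parent);
        this.root = root.toRealPath();
        URL location = this.root.toUri().toURL();
        // No signer certificates in this sketch, hence the typed null.
        this.source = new CodeSource(location, (Certificate[]) null);
    }

    // Override findClass, not loadClass, so parent-first delegation stays intact
    // and this loader cannot shadow classes the parent already provides.
    @Override
    protected Class<?> findClass(String name) throws ClassNotFoundException {
        Path file = root.resolve(name.replace('.', '/') + ".class").normalize();
        // Reject names that would resolve outside the trusted directory.
        if (!file.startsWith(root)) {
            throw new ClassNotFoundException(name);
        }
        try {
            byte[] bytes = Files.readAllBytes(file);
            // SecureClassLoader.defineClass associates the class with a
            // ProtectionDomain derived from the CodeSource.
            return defineClass(name, bytes, 0, bytes.length, source);
        } catch (IOException e) {
            throw new ClassNotFoundException(name, e);
        }
    }
}
```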

Example 1

  public class SV_CLEXT_CLLOADER_Sample_1 extends ClassLoader {
  }

SV.CLEXT.CLLOADER is reported for the class declaration on line 8: Class 'com.klocwork.jdefects.checkers.ast.samples.SV_CLEXT_CLLOADER_Sample_1' extends 'java.lang.ClassLoader'.