This error appears when the program attempts to load classes by means of the classloader.

Vulnerability and risk

Loading classed directly using a custom classloader can allow malicious code into the system.

Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.

Mitigation and prevention

Use a known secure classloader.

Example 1

10    public void loadMyClass(String maliciousClass) {
11      ClassLoader cLoader = ClassLoader
12          .getSystemClassLoader();
13      try {
14        cLoader.loadClass(maliciousClass);
15      } catch (ClassNotFoundException e) {
16        // TODO Auto-generated catch block
17        e.printStackTrace();
18      }
19    }

SV.CLLOADER is reported for call on line 14: Classloader is used directly 'loadClass'