This error is reported when a class extends org.apache.struts.action.ActionForm and defines a static field which is not final.

Vulnerability and risk

Non-final static fields can create race-conditions, because can be changed by different instances of the form at the same time, or between time of check and time of use (TOCTOU).

Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.

Mitigation and prevention

Avoid using non-final static fields. Make fields final or non-static. If you make a field final, make sure the object it contains is immutable. If the value of this field depends on a request, it should not be static, because it will be possible to create some exposure by creating a malicious form. If it does not depend on a request, it should be made final.

Example 1

 public class SV_STRUTS_STATIC_Sample_1 extends ActionForm {
     private String birthdayString;
     protected Date birthday;
     private static SimpleDateFormat dateConvertor;
     public ActionErrors validate(ActionMapping map,
                                  HttpServletRequest req) {
         ActionErrors errors = new ActionErrors();
         if (dateConvertor == null) {
             dateConvertor = new SimpleDateFormat(req
         try {
             birthday = dateConvertor.parse(birthdayString);
         } catch (ParseException e) {
                        new ActionMessage("Bad date"));
         return super.validate(map, req);
     public String getBirthday() {
         return birthdayString;
     public void setBirthday(String birthday) {
         this.birthdayString = birthday;

SV.STRUTS.STATIC is reported for field declaration on line 22: Struts: Static form field variables 'dateConvertor' should be final