SEI CERT Oracle Coding Standard for Java
Test Page
Created by Barbara White, last modified on Mar 05, 2015
Recently Updated
Rules versus Recommendations (Java)
Sep 04, 2025
•
updated by
David Svoboda
•
view change
Rule: Priority and Levels
Sep 03, 2025
•
updated by
David Svoboda
•
view change
Rec.: Priority and Levels
Sep 03, 2025
•
updated by
David Svoboda
•
view change
IDS06-J. Exclude unsanitized user input from format strings
Sep 02, 2025
•
updated by
Hiromi Kinoshita
•
view change
IDS01-J. Normalize strings before validating them
Sep 02, 2025
•
updated by
Hiromi Kinoshita
•
view change
IDS03-J. Do not log unsanitized user input
Aug 25, 2025
•
updated by
Hiromi Kinoshita
•
view change
Deprecations
Aug 18, 2025
•
updated by
David Svoboda
•
view change
ThreadSafe
Aug 13, 2025
•
updated by
David Svoboda
•
view change
Parasoft
Aug 13, 2025
•
updated by
David Svoboda
•
view change
Findbugs
Aug 13, 2025
•
updated by
David Svoboda
•
view change
SpotBugs
Aug 13, 2025
•
updated by
David Svoboda
•
view change
Coverity
Aug 13, 2025
•
updated by
David Svoboda
•
view change
Fortify
Aug 13, 2025
•
updated by
David Svoboda
•
view change
PVS-Studio
Aug 13, 2025
•
updated by
David Svoboda
•
view change
Pmd
Aug 13, 2025
•
updated by
David Svoboda
•
view change
The Checker Framework
Aug 13, 2025
•
updated by
David Svoboda
•
view change
Klocwork
Aug 13, 2025
•
updated by
David Svoboda
•
view change
SonarQube
Aug 13, 2025
•
updated by
David Svoboda
•
view change
CodeSonar
Aug 13, 2025
•
updated by
David Svoboda
•
view change
Eclipse
Aug 13, 2025
•
updated by
David Svoboda
•
view change
THI00-J. Do not invoke Thread.run()
Aug 13, 2025
•
updated by
Jill Britton
•
view change
THI01-J. Do not invoke ThreadGroup methods
Aug 13, 2025
•
updated by
Jill Britton
•
view change
THI01-J. Do not invoke ThreadGroup methods
Aug 11, 2025
•
updated by
Admin
•
view change
THI00-J. Do not invoke Thread.run()
Aug 11, 2025
•
updated by
Admin
•
view change
ENV02-J. Do not trust the values of environment variables
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rec. 49. Miscellaneous (MSC)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rec. 18. Concurrency (CON)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rec. 15. Platform Security (SEC)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rec. 13. Input Output (FIO)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rec. 07. Exceptional Behavior (ERR)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rec. 06. Methods (MET)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rec. 05. Object Orientation (OBJ)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rec. 04. Characters and Strings (STR)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rec. 03. Numeric Types and Operations (NUM)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rec. 02. Expressions (EXP)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rec. 01. Declarations and Initialization (DCL)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rec. 00. Input Validation and Data Sanitization (IDS)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rule or Rec. EE. Risk Assessments
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rule 49. Miscellaneous (MSC)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rule 17. Java Native Interface (JNI)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rule 16. Runtime Environment (ENV)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rule 15. Platform Security (SEC)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rule 14. Serialization (SER)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rule 13. Input Output (FIO)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rule 12. Thread-Safety Miscellaneous (TSM)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rule 11. Thread Pools (TPS)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rule 10. Thread APIs (THI)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rule 09. Locking (LCK)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rule 08. Visibility and Atomicity (VNA)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rule 07. Exceptional Behavior (ERR)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rule 06. Methods (MET)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rule 05. Object Orientation (OBJ)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rule 04. Characters and Strings (STR)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rule 03. Numeric Types and Operations (NUM)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rule 02. Expressions (EXP)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rule 01. Declarations and Initialization (DCL)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
Rule 00. Input Validation and Data Sanitization (IDS)
Aug 07, 2025
•
updated by
David Svoboda
•
view change
FIO05-J. Do not expose buffers or their backing arrays methods to untrusted code
Aug 06, 2025
•
updated by
David Svoboda
•
view change
IDS16-J. Prevent XML Injection
Aug 06, 2025
•
updated by
David Svoboda
•
view change
MET00-J. Validate method arguments
Aug 06, 2025
•
updated by
David Svoboda
•
view change
NUM09-J. Do not use floating-point variables as loop counters
Aug 06, 2025
•
updated by
David Svoboda
•
view change
MSC11-J. Do not let session information leak within a servlet
Aug 06, 2025
•
updated by
David Svoboda
•
view change
MSC10-J. Do not use OAuth 2.0 implicit grant (unmodified) for authentication
Aug 06, 2025
•
updated by
David Svoboda
•
view change
MSC09-J. For OAuth, ensure (a) [relying party receiving user's ID in last step] is same as (b) [relying party the access token was granted to].
Aug 06, 2025
•
updated by
David Svoboda
•
view change
MSC08-J. Do not store nonserializable objects as attributes in an HTTP session
Aug 06, 2025
•
updated by
David Svoboda
•
view change
MSC07-J. Prevent multiple instantiations of singleton objects
Aug 06, 2025
•
updated by
David Svoboda
•
view change
MSC06-J. Do not modify the underlying collection when an iteration is in progress
Aug 06, 2025
•
updated by
David Svoboda
•
view change
MSC05-J. Do not exhaust heap space
Aug 06, 2025
•
updated by
David Svoboda
•
view change
MSC04-J. Do not leak memory
Aug 06, 2025
•
updated by
David Svoboda
•
view change
MSC03-J. Never hard code sensitive information
Aug 06, 2025
•
updated by
David Svoboda
•
view change
MSC02-J. Generate strong random numbers
Aug 06, 2025
•
updated by
David Svoboda
•
view change
MSC01-J. Do not use an empty infinite loop
Aug 06, 2025
•
updated by
David Svoboda
•
view change
MSC00-J. Use SSLSocket rather than Socket for secure data exchange
Aug 06, 2025
•
updated by
David Svoboda
•
view change
JNI04-J. Do not assume that Java strings are null-terminated
Aug 06, 2025
•
updated by
David Svoboda
•
view change
JNI03-J. Do not use direct pointers to Java objects in JNI code
Aug 06, 2025
•
updated by
David Svoboda
•
view change
JNI02-J. Do not assume object references are constant or unique
Aug 06, 2025
•
updated by
David Svoboda
•
view change
JNI01-J. Safely invoke standard APIs that perform tasks using the immediate caller's class loader instance (loadLibrary)
Aug 06, 2025
•
updated by
David Svoboda
•
view change
JNI00-J. Define wrappers around native methods
Aug 06, 2025
•
updated by
David Svoboda
•
view change
ENV06-J. Production code must not contain debugging entry points
Aug 06, 2025
•
updated by
David Svoboda
•
view change
ENV05-J. Do not deploy an application that can be remotely monitored
Aug 06, 2025
•
updated by
David Svoboda
•
view change
ENV04-J. Do not disable bytecode verification
Aug 06, 2025
•
updated by
David Svoboda
•
view change
ENV03-J. Do not grant dangerous combinations of permissions
Aug 06, 2025
•
updated by
David Svoboda
•
view change
ENV01-J. Place all security-sensitive code in a single JAR and sign and seal it
Aug 06, 2025
•
updated by
David Svoboda
•
view change
ENV00-J. Do not sign code that performs only unprivileged operations
Aug 06, 2025
•
updated by
David Svoboda
•
view change
SEC07-J. Call the superclass's getPermissions() method when writing a custom class loader
Aug 06, 2025
•
updated by
David Svoboda
•
view change
SEC06-J. Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar
Aug 06, 2025
•
updated by
David Svoboda
•
view change
SEC05-J. Do not use reflection to increase accessibility of classes, methods, or fields
Aug 06, 2025
•
updated by
David Svoboda
•
view change
SEC04-J. Protect sensitive operations with security manager checks
Aug 06, 2025
•
updated by
David Svoboda
•
view change
SEC03-J. Do not load trusted classes after allowing untrusted code to load arbitrary classes
Aug 06, 2025
•
updated by
David Svoboda
•
view change
SEC02-J. Do not base security checks on untrusted sources
Aug 06, 2025
•
updated by
David Svoboda
•
view change
SEC01-J. Do not allow tainted variables in privileged blocks
Aug 06, 2025
•
updated by
David Svoboda
•
view change
SEC00-J. Do not allow privileged blocks to leak sensitive information across a trust boundary
Aug 06, 2025
•
updated by
David Svoboda
•
view change
SER12-J. Prevent deserialization of untrusted data
Aug 06, 2025
•
updated by
David Svoboda
•
view change
SER11-J. Prevent overwriting of externalizable objects
Aug 06, 2025
•
updated by
David Svoboda
•
view change
SER10-J. Avoid memory and resource leaks during serialization
Aug 06, 2025
•
updated by
David Svoboda
•
view change
SER09-J. Do not invoke overridable methods from the readObject() method
Aug 06, 2025
•
updated by
David Svoboda
•
view change
SER08-J. Minimize privileges before deserializing from a privileged context
Aug 06, 2025
•
updated by
David Svoboda
•
view change
SER07-J. Do not use the default serialized form for classes with implementation-defined invariants
Aug 06, 2025
•
updated by
David Svoboda
•
view change
SER06-J. Make defensive copies of private mutable components during deserialization
Aug 06, 2025
•
updated by
David Svoboda
•
view change
SER05-J. Do not serialize instances of inner classes
Aug 06, 2025
•
updated by
David Svoboda
•
view change
SER04-J. Do not allow serialization and deserialization to bypass the security manager
Aug 06, 2025
•
updated by
David Svoboda
•
view change
SER03-J. Do not serialize unencrypted sensitive data
Aug 06, 2025
•
updated by
David Svoboda
•
view change
SER02-J. Sign then seal objects before sending them outside a trust boundary
Aug 06, 2025
•
updated by
David Svoboda
•
view change
SER01-J. Do not deviate from the proper signatures of serialization methods
Aug 06, 2025
•
updated by
David Svoboda
•
view change
SER00-J. Enable serialization compatibility during class evolution
Aug 06, 2025
•
updated by
David Svoboda
•
view change
FIO16-J. Canonicalize path names before validating them
Aug 06, 2025
•
updated by
David Svoboda
•
view change
FIO15-J. Do not reset a servlet's output stream after committing it
Aug 06, 2025
•
updated by
David Svoboda
•
view change
FIO14-J. Perform proper cleanup at program termination
Aug 06, 2025
•
updated by
David Svoboda
•
view change
FIO13-J. Do not log sensitive information outside a trust boundary
Aug 06, 2025
•
updated by
David Svoboda
•
view change
FIO12-J. Provide methods to read and write little-endian data
Aug 06, 2025
•
updated by
David Svoboda
•
view change
FIO10-J. Ensure the array is filled when using read() to fill an array
Aug 06, 2025
•
updated by
David Svoboda
•
view change
FIO09-J. Do not rely on the write() method to output integers outside the range 0 to 255
Aug 06, 2025
•
updated by
David Svoboda
•
view change
FIO08-J. Distinguish between characters or bytes read from a stream and -1
Aug 06, 2025
•
updated by
David Svoboda
•
view change
FIO07-J. Do not let external processes block on IO buffers
Aug 06, 2025
•
updated by
David Svoboda
•
view change
FIO06-J. Do not create multiple buffered wrappers on a single byte or character stream
Aug 06, 2025
•
updated by
David Svoboda
•
view change
FIO04-J. Release resources when they are no longer needed
Aug 06, 2025
•
updated by
David Svoboda
•
view change
FIO03-J. Remove temporary files before termination
Aug 06, 2025
•
updated by
David Svoboda
•
view change
FIO02-J. Detect and handle file-related errors
Aug 06, 2025
•
updated by
David Svoboda
•
view change
FIO01-J. Create files with appropriate access permissions
Aug 06, 2025
•
updated by
David Svoboda
•
view change
FIO00-J. Do not operate on files in shared directories
Aug 06, 2025
•
updated by
David Svoboda
•
view change
TSM03-J. Do not publish partially initialized objects
Aug 06, 2025
•
updated by
David Svoboda
•
view change
TSM02-J. Do not use background threads during class initialization
Aug 06, 2025
•
updated by
David Svoboda
•
view change
TSM01-J. Do not let the this reference escape during object construction
Aug 06, 2025
•
updated by
David Svoboda
•
view change
TSM00-J. Do not override thread-safe methods with methods that are not thread-safe
Aug 06, 2025
•
updated by
David Svoboda
•
view change
TPS04-J. Ensure ThreadLocal variables are reinitialized when using thread pools
Aug 06, 2025
•
updated by
David Svoboda
•
view change
TPS03-J. Ensure that tasks executing in a thread pool do not fail silently
Aug 06, 2025
•
updated by
David Svoboda
•
view change
TPS02-J. Ensure that tasks submitted to a thread pool are interruptible
Aug 06, 2025
•
updated by
David Svoboda
•
view change
TPS01-J. Do not execute interdependent tasks in a bounded thread pool
Aug 06, 2025
•
updated by
David Svoboda
•
view change
TPS00-J. Use thread pools to enable graceful degradation of service during traffic bursts
Aug 06, 2025
•
updated by
David Svoboda
•
view change
THI05-J. Do not use Thread.stop() to terminate threads
Aug 06, 2025
•
updated by
David Svoboda
•
view change
THI04-J. Ensure that threads performing blocking operations can be terminated
Aug 06, 2025
•
updated by
David Svoboda
•
view change
THI03-J. Always invoke wait() and await() methods inside a loop
Aug 06, 2025
•
updated by
David Svoboda
•
view change
THI02-J. Notify all waiting threads rather than a single thread
Aug 06, 2025
•
updated by
David Svoboda
•
view change
THI01-J. Do not invoke ThreadGroup methods
Aug 06, 2025
•
updated by
David Svoboda
•
view change
THI00-J. Do not invoke Thread.run()
Aug 06, 2025
•
updated by
David Svoboda
•
view change
LCK11-J. Avoid client-side locking when using classes that do not commit to their locking strategy
Aug 06, 2025
•
updated by
David Svoboda
•
view change
LCK10-J. Use a correct form of the double-checked locking idiom
Aug 06, 2025
•
updated by
David Svoboda
•
view change
LCK09-J. Do not perform operations that can block while holding a lock
Aug 06, 2025
•
updated by
David Svoboda
•
view change
LCK08-J. Ensure actively held locks are released on exceptional conditions
Aug 06, 2025
•
updated by
David Svoboda
•
view change
LCK07-J. Avoid deadlock by requesting and releasing locks in the same order
Aug 06, 2025
•
updated by
David Svoboda
•
view change
LCK06-J. Do not use an instance lock to protect shared static data
Aug 06, 2025
•
updated by
David Svoboda
•
view change
LCK05-J. Synchronize access to static fields that can be modified by untrusted code
Aug 06, 2025
•
updated by
David Svoboda
•
view change
LCK04-J. Do not synchronize on a collection view if the backing collection is accessible
Aug 06, 2025
•
updated by
David Svoboda
•
view change
LCK03-J. Do not synchronize on the intrinsic locks of high-level concurrency objects
Aug 06, 2025
•
updated by
David Svoboda
•
view change
LCK02-J. Do not synchronize on the class object returned by getClass()
Aug 06, 2025
•
updated by
David Svoboda
•
view change
LCK01-J. Do not synchronize on objects that may be reused
Aug 06, 2025
•
updated by
David Svoboda
•
view change
LCK00-J. Use private final lock objects to synchronize classes that may interact with untrusted code
Aug 06, 2025
•
updated by
David Svoboda
•
view change
VNA05-J. Ensure atomicity when reading and writing 64-bit values
Aug 06, 2025
•
updated by
David Svoboda
•
view change
VNA04-J. Ensure that calls to chained methods are atomic
Aug 06, 2025
•
updated by
David Svoboda
•
view change
VNA03-J. Do not assume that a group of calls to independently atomic methods is atomic
Aug 06, 2025
•
updated by
David Svoboda
•
view change
VNA02-J. Ensure that compound operations on shared variables are atomic
Aug 06, 2025
•
updated by
David Svoboda
•
view change
VNA01-J. Ensure visibility of shared references to immutable objects
Aug 06, 2025
•
updated by
David Svoboda
•
view change
VNA00-J. Ensure visibility when accessing shared primitive variables
Aug 06, 2025
•
updated by
David Svoboda
•
view change
ERR09-J. Do not allow untrusted code to terminate the JVM
Aug 06, 2025
•
updated by
David Svoboda
•
view change
ERR08-J. Do not catch NullPointerException or any of its ancestors
Aug 06, 2025
•
updated by
David Svoboda
•
view change
ERR07-J. Do not throw RuntimeException, Exception, or Throwable
Aug 06, 2025
•
updated by
David Svoboda
•
view change
ERR06-J. Do not throw undeclared checked exceptions
Aug 06, 2025
•
updated by
David Svoboda
•
view change
ERR05-J. Do not let checked exceptions escape from a finally block
Aug 06, 2025
•
updated by
David Svoboda
•
view change
ERR04-J. Do not complete abruptly from a finally block
Aug 06, 2025
•
updated by
David Svoboda
•
view change
ERR03-J. Restore prior object state on method failure
Aug 06, 2025
•
updated by
David Svoboda
•
view change
ERR02-J. Prevent exceptions while logging data
Aug 06, 2025
•
updated by
David Svoboda
•
view change
ERR01-J. Do not allow exceptions to expose sensitive information
Aug 06, 2025
•
updated by
David Svoboda
•
view change
ERR00-J. Do not suppress or ignore checked exceptions
Aug 06, 2025
•
updated by
David Svoboda
•
view change
MET13-J. Do not assume that reassigning method arguments modifies the calling environment
Aug 06, 2025
•
updated by
David Svoboda
•
view change
MET12-J. Do not use finalizers
Aug 06, 2025
•
updated by
David Svoboda
•
view change
MET11-J. Ensure that keys used in comparison operations are immutable
Aug 06, 2025
•
updated by
David Svoboda
•
view change
MET10-J. Follow the general contract when implementing the compareTo() method
Aug 06, 2025
•
updated by
David Svoboda
•
view change
MET09-J. Classes that define an equals() method must also define a hashCode() method
Aug 06, 2025
•
updated by
David Svoboda
•
view change
MET08-J. Preserve the equality contract when overriding the equals() method
Aug 06, 2025
•
updated by
David Svoboda
•
view change
MET07-J. Never declare a class method that hides a method declared in a superclass or superinterface
Aug 06, 2025
•
updated by
David Svoboda
•
view change
MET06-J. Do not invoke overridable methods in clone()
Aug 06, 2025
•
updated by
David Svoboda
•
view change
MET05-J. Ensure that constructors do not call overridable methods
Aug 06, 2025
•
updated by
David Svoboda
•
view change
MET04-J. Do not increase the accessibility of overridden or hidden methods
Aug 06, 2025
•
updated by
David Svoboda
•
view change
MET03-J. Methods that perform a security check must be declared private or final
Aug 06, 2025
•
updated by
David Svoboda
•
view change
MET02-J. Do not use deprecated or obsolete classes or methods
Aug 06, 2025
•
updated by
David Svoboda
•
view change
MET01-J. Never use assertions to validate method arguments
Aug 06, 2025
•
updated by
David Svoboda
•
view change
OBJ14-J. Do not use an object that has been freed.
Aug 06, 2025
•
updated by
David Svoboda
•
view change
OBJ13-J. Ensure that references to mutable objects are not exposed
Aug 06, 2025
•
updated by
David Svoboda
•
view change
OBJ12-J. Respect object-based annotations
Aug 06, 2025
•
updated by
David Svoboda
•
view change
OBJ11-J. Be wary of letting constructors throw exceptions
Aug 06, 2025
•
updated by
David Svoboda
•
view change
OBJ10-J. Do not use public static nonfinal fields
Aug 06, 2025
•
updated by
David Svoboda
•
view change
OBJ09-J. Compare classes and not class names
Aug 06, 2025
•
updated by
David Svoboda
•
view change
OBJ08-J. Do not expose private members of an outer class from within a nested class
Aug 06, 2025
•
updated by
David Svoboda
•
view change
OBJ07-J. Sensitive classes must not let themselves be copied
Aug 06, 2025
•
updated by
David Svoboda
•
view change
OBJ06-J. Defensively copy mutable inputs and mutable internal components
Aug 06, 2025
•
updated by
David Svoboda
•
view change
OBJ05-J. Do not return references to private mutable class members
Aug 06, 2025
•
updated by
David Svoboda
•
view change
OBJ04-J. Provide mutable classes with copy functionality to safely allow passing instances to untrusted code
Aug 06, 2025
•
updated by
David Svoboda
•
view change
OBJ03-J. Prevent heap pollution
Aug 06, 2025
•
updated by
David Svoboda
•
view change
OBJ02-J. Preserve dependencies in subclasses when changing superclasses
Aug 06, 2025
•
updated by
David Svoboda
•
view change
OBJ01-J. Limit accessibility of fields
Aug 06, 2025
•
updated by
David Svoboda
•
view change
STR04-J. Use compatible character encodings when communicating string data between JVMs
Aug 06, 2025
•
updated by
David Svoboda
•
view change
STR03-J. Do not encode noncharacter data as a string
Aug 06, 2025
•
updated by
David Svoboda
•
view change
STR02-J. Specify an appropriate locale when comparing locale-dependent data
Aug 06, 2025
•
updated by
David Svoboda
•
view change
STR01-J. Do not assume that a Java char fully represents a Unicode code point
Aug 06, 2025
•
updated by
David Svoboda
•
view change
STR00-J. Don't form strings containing partial characters from variable-width encodings
Aug 06, 2025
•
updated by
David Svoboda
•
view change
NUM14-J. Use shift operators correctly
Aug 06, 2025
•
updated by
David Svoboda
•
view change
NUM13-J. Avoid loss of precision when converting primitive integers to floating-point
Aug 06, 2025
•
updated by
David Svoboda
•
view change
NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data
Aug 06, 2025
•
updated by
David Svoboda
•
view change
NUM11-J. Do not compare or inspect the string representation of floating-point values
Aug 06, 2025
•
updated by
David Svoboda
•
view change
NUM10-J. Do not construct BigDecimal objects from floating-point literals
Aug 06, 2025
•
updated by
David Svoboda
•
view change
NUM08-J. Check floating-point inputs for exceptional values
Aug 06, 2025
•
updated by
David Svoboda
•
view change
NUM07-J. Do not attempt comparisons with NaN
Aug 06, 2025
•
updated by
David Svoboda
•
view change
NUM04-J. Do not use floating-point numbers if precise computation is required
Aug 06, 2025
•
updated by
David Svoboda
•
view change
NUM03-J. Use integer types that can fully represent the possible range of unsigned data
Aug 06, 2025
•
updated by
David Svoboda
•
view change
NUM02-J. Ensure that division and remainder operations do not result in divide-by-zero errors
Aug 06, 2025
•
updated by
David Svoboda
•
view change
NUM01-J. Do not perform bitwise and arithmetic operations on the same data
Aug 06, 2025
•
updated by
David Svoboda
•
view change
NUM00-J. Detect or prevent integer overflow
Aug 06, 2025
•
updated by
David Svoboda
•
view change
EXP07-J. Prevent loss of useful data due to weak references
Aug 06, 2025
•
updated by
David Svoboda
•
view change
EXP06-J. Expressions used in assertions must not produce side effects
Aug 06, 2025
•
updated by
David Svoboda
•
view change
EXP05-J. Do not follow a write by a subsequent write or read of the same object within an expression
Aug 06, 2025
•
updated by
David Svoboda
•
view change
EXP04-J. Do not pass arguments to certain Java Collections Framework methods that are a different type than the collection parameter type
Aug 06, 2025
•
updated by
David Svoboda
•
view change
EXP03-J. Do not use the equality operators when comparing values of boxed primitives
Aug 06, 2025
•
updated by
David Svoboda
•
view change
EXP02-J. Do not use the Object.equals() method to compare two arrays
Aug 06, 2025
•
updated by
David Svoboda
•
view change
EXP01-J. Do not use a null in a case where an object is required
Aug 06, 2025
•
updated by
David Svoboda
•
view change
EXP00-J. Do not ignore values returned by methods
Aug 06, 2025
•
updated by
David Svoboda
•
view change
DCL02-J. Do not modify the collection's elements during an enhanced for statement
Aug 06, 2025
•
updated by
David Svoboda
•
view change
DCL01-J. Do not reuse public identifiers from the Java Standard Library
Aug 06, 2025
•
updated by
David Svoboda
•
view change
DCL00-J. Prevent class initialization cycles
Aug 06, 2025
•
updated by
David Svoboda
•
view change
IDS17-J. Prevent XML External Entity Attacks
Aug 06, 2025
•
updated by
David Svoboda
•
view change
IDS15-J. Do not allow sensitive information to leak outside a trust boundary
Aug 06, 2025
•
updated by
David Svoboda
•
view change
IDS14-J. Do not trust the contents of hidden form fields
Aug 06, 2025
•
updated by
David Svoboda
•
view change
IDS11-J. Perform any string modifications before validation
Aug 06, 2025
•
updated by
David Svoboda
•
view change
IDS08-J. Sanitize untrusted data included in a regular expression
Aug 06, 2025
•
updated by
David Svoboda
•
view change
IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method
Aug 06, 2025
•
updated by
David Svoboda
•
view change
IDS06-J. Exclude unsanitized user input from format strings
Aug 06, 2025
•
updated by
David Svoboda
•
view change
IDS04-J. Safely extract files from ZipInputStream
Aug 06, 2025
•
updated by
David Svoboda
•
view change
IDS03-J. Do not log unsanitized user input
Aug 06, 2025
•
updated by
David Svoboda
•
view change
IDS01-J. Normalize strings before validating them
Aug 06, 2025
•
updated by
David Svoboda
•
view change
IDS00-J. Prevent SQL injection
Aug 06, 2025
•
updated by
David Svoboda
•
view change
SER12-J. Prevent deserialization of untrusted data
Aug 06, 2025
•
updated by
Valery
•
view change
PVS-Studio_V
Aug 06, 2025
•
updated by
Valery
•
view change
STR51-J. Use the charset encoder and decoder classes when more control over the encoding process is required
Jul 28, 2025
•
updated by
Yozo TODA
•
view change
NUM00-J. Detect or prevent integer overflow
Jul 28, 2025
•
updated by
Hiromi Kinoshita
•
view change
NUM53-J. Use the strictfp modifier for floating-point calculation consistency across platforms
Jul 28, 2025
•
updated by
Hiromi Kinoshita
•
view change
MET01-J. Never use assertions to validate method arguments
Jul 24, 2025
•
updated by
Jill Britton
•
view change
MSC01-J. Do not use an empty infinite loop
Jul 24, 2025
•
updated by
Jill Britton
•
view change
JNI00-J. Define wrappers around native methods
Jul 24, 2025
•
updated by
Jill Britton
•
view change
ENV06-J. Production code must not contain debugging entry points
Jul 24, 2025
•
updated by
Jill Britton
•
view change
SER05-J. Do not serialize instances of inner classes
Jul 24, 2025
•
updated by
Jill Britton
•
view change
THI03-J. Always invoke wait() and await() methods inside a loop
Jul 24, 2025
•
updated by
Jill Britton
•
view change
OBJ11-J. Be wary of letting constructors throw exceptions
Jul 24, 2025
•
updated by
Jill Britton
•
view change
NUM10-J. Do not construct BigDecimal objects from floating-point literals
Jul 24, 2025
•
updated by
Jill Britton
•
view change
NUM09-J. Do not use floating-point variables as loop counters
Jul 24, 2025
•
updated by
Jill Britton
•
view change
NUM07-J. Do not attempt comparisons with NaN
Jul 24, 2025
•
updated by
Jill Britton
•
view change
Klocwork_V
Jul 24, 2025
•
updated by
Jill Britton
•
view change
NUM00-J. Detect or prevent integer overflow
Jun 11, 2025
•
updated by
Valery
•
view change
LCK07-J. Avoid deadlock by requesting and releasing locks in the same order
Jun 11, 2025
•
updated by
Valery
•
view change
FIO04-J. Release resources when they are no longer needed
Jun 11, 2025
•
updated by
Valery
•
view change
MSC03-J. Never hard code sensitive information
Jun 11, 2025
•
updated by
Valery
•
view change
LCK03-J. Do not synchronize on the intrinsic locks of high-level concurrency objects
Jun 11, 2025
•
updated by
Valery
•
view change
ENV03-J. Do not grant dangerous combinations of permissions
Jun 10, 2025
•
updated by
Admin
•
view change
DCL02-J. Do not modify the collection's elements during an enhanced for statement
Jun 09, 2025
•
updated by
Yozo TODA
•
view change
DCL02-J. Do not modify the collection's elements during an enhanced for statement
May 11, 2025
•
commented by
Hiromi Kinoshita
DCL02-J. Do not modify the collection's elements during an enhanced for statement
Apr 22, 2025
•
commented by
David Svoboda
DCL02-J. Do not modify the collection's elements during an enhanced for statement
Apr 22, 2025
•
commented by
Hiromi Kinoshita
DCL02-J. Do not modify the collection's elements during an enhanced for statement
Apr 21, 2025
•
commented by
David Svoboda
DCL02-J. Do not modify the collection's elements during an enhanced for statement
Apr 20, 2025
•
commented by
Hiromi Kinoshita
LCK08-J. Ensure actively held locks are released on exceptional conditions
Apr 03, 2025
•
commented by
David Svoboda
LCK08-J. Ensure actively held locks are released on exceptional conditions
Apr 03, 2025
•
commented by
Judit Knoll
DUMMY ENV03-J
Mar 13, 2025
•
updated by
David Svoboda
•
view change
button_arrow_right.png
Mar 13, 2025
•
attached by
David Svoboda
button_arrow_up.png
Mar 13, 2025
•
attached by
David Svoboda
button_arrow_left.png
Mar 13, 2025
•
attached by
David Svoboda
CodeSonar_V
Mar 10, 2025
•
updated by
Amy Gale
•
view change
VNA00-J. Ensure visibility when accessing shared primitive variables
Mar 10, 2025
•
updated by
Amy Gale
•
view change
SER12-J. Prevent deserialization of untrusted data
Mar 10, 2025
•
updated by
Amy Gale
•
view change
SER00-J. Enable serialization compatibility during class evolution
Mar 10, 2025
•
updated by
Amy Gale
•
view change
SEC05-J. Do not use reflection to increase accessibility of classes, methods, or fields
Mar 10, 2025
•
updated by
Amy Gale
•
view change
MSC05-J. Do not exhaust heap space
Mar 10, 2025
•
updated by
Amy Gale
•
view change
MET08-J. Preserve the equality contract when overriding the equals() method
Mar 10, 2025
•
updated by
Amy Gale
•
view change
LCK09-J. Do not perform operations that can block while holding a lock
Mar 10, 2025
•
updated by
Amy Gale
•
view change
LCK00-J. Use private final lock objects to synchronize classes that may interact with untrusted code
Mar 10, 2025
•
updated by
Amy Gale
•
view change
IDS14-J. Do not trust the contents of hidden form fields
Mar 10, 2025
•
updated by
Amy Gale
•
view change
IDS08-J. Sanitize untrusted data included in a regular expression
Mar 10, 2025
•
updated by
Amy Gale
•
view change
IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method
Mar 10, 2025
•
updated by
Amy Gale
•
view change
ERR09-J. Do not allow untrusted code to terminate the JVM
Mar 10, 2025
•
updated by
Amy Gale
•
view change
ERR00-J. Do not suppress or ignore checked exceptions
Mar 10, 2025
•
updated by
Amy Gale
•
view change
OBJ04-J. Provide mutable classes with copy functionality to safely allow passing instances to untrusted code
Mar 10, 2025
•
updated by
Amy Gale
•
view change
MET12-J. Do not use finalizers
Mar 10, 2025
•
updated by
Amy Gale
•
view change
MET10-J. Follow the general contract when implementing the compareTo() method
Mar 10, 2025
•
updated by
Amy Gale
•
view change
FIO09-J. Do not rely on the write() method to output integers outside the range 0 to 255
Mar 10, 2025
•
updated by
Amy Gale
•
view change
ENV01-J. Place all security-sensitive code in a single JAR and sign and seal it
Mar 10, 2025
•
updated by
Amy Gale
•
view change
LCK10-J. Use a correct form of the double-checked locking idiom
Mar 05, 2025
•
updated by
Jill Britton
•
view change
LCK09-J. Do not perform operations that can block while holding a lock
Mar 05, 2025
•
updated by
Jill Britton
•
view change
LCK05-J. Synchronize access to static fields that can be modified by untrusted code
Mar 05, 2025
•
updated by
Jill Britton
•
view change
VNA02-J. Ensure that compound operations on shared variables are atomic
Mar 05, 2025
•
updated by
Jill Britton
•
view change
VNA01-J. Ensure visibility of shared references to immutable objects
Mar 05, 2025
•
updated by
Jill Britton
•
view change
VNA00-J. Ensure visibility when accessing shared primitive variables
Mar 05, 2025
•
updated by
Jill Britton
•
view change
ERR09-J. Do not allow untrusted code to terminate the JVM
Mar 05, 2025
•
updated by
Jill Britton
•
view change
ERR08-J. Do not catch NullPointerException or any of its ancestors
Mar 05, 2025
•
updated by
Jill Britton
•
view change
ERR07-J. Do not throw RuntimeException, Exception, or Throwable
Mar 05, 2025
•
updated by
Jill Britton
•
view change
ERR05-J. Do not let checked exceptions escape from a finally block
Mar 05, 2025
•
updated by
Jill Britton
•
view change
ERR04-J. Do not complete abruptly from a finally block
Mar 05, 2025
•
updated by
Jill Britton
•
view change
ERR03-J. Restore prior object state on method failure
Mar 05, 2025
•
updated by
Jill Britton
•
view change
ERR01-J. Do not allow exceptions to expose sensitive information
Mar 05, 2025
•
updated by
Jill Britton
•
view change
MET12-J. Do not use finalizers
Mar 05, 2025
•
updated by
Jill Britton
•
view change
MET09-J. Classes that define an equals() method must also define a hashCode() method
Mar 05, 2025
•
updated by
Jill Britton
•
view change
OBJ10-J. Do not use public static nonfinal fields
Mar 05, 2025
•
updated by
Jill Britton
•
view change
OBJ09-J. Compare classes and not class names
Mar 05, 2025
•
updated by
Jill Britton
•
view change
OBJ05-J. Do not return references to private mutable class members
Mar 05, 2025
•
updated by
Jill Britton
•
view change
OBJ04-J. Provide mutable classes with copy functionality to safely allow passing instances to untrusted code
Mar 05, 2025
•
updated by
Jill Britton
•
view change
OBJ01-J. Limit accessibility of fields
Mar 05, 2025
•
updated by
Jill Britton
•
view change
NUM00-J. Detect or prevent integer overflow
Mar 05, 2025
•
updated by
Jill Britton
•
view change
EXP03-J. Do not use the equality operators when comparing values of boxed primitives
Mar 05, 2025
•
updated by
Jill Britton
•
view change
EXP02-J. Do not use the Object.equals() method to compare two arrays
Mar 05, 2025
•
updated by
Jill Britton
•
view change
EXP01-J. Do not use a null in a case where an object is required
Mar 05, 2025
•
updated by
Jill Britton
•
view change
EXP00-J. Do not ignore values returned by methods
Mar 05, 2025
•
updated by
Jill Britton
•
view change
DCL02-J. Do not modify the collection's elements during an enhanced for statement
Mar 05, 2025
•
updated by
Jill Britton
•
view change
IDS17-J. Prevent XML External Entity Attacks
Mar 05, 2025
•
updated by
Jill Britton
•
view change
IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method
Mar 05, 2025
•
updated by
Jill Britton
•
view change
IDS01-J. Normalize strings before validating them
Mar 05, 2025
•
updated by
Jill Britton
•
view change
MSC61-J. Do not use insecure or weak cryptographic algorithms
Feb 24, 2025
•
updated by
Valery
•
view change
FIO01-J. Create files with appropriate access permissions
Feb 13, 2025
•
updated by
Valery
•
view change
VNA02-J. Ensure that compound operations on shared variables are atomic
Jan 31, 2025
•
updated by
Amy Gale
•
view change
SER10-J. Avoid memory and resource leaks during serialization
Jan 31, 2025
•
updated by
Amy Gale
•
view change
SER07-J. Do not use the default serialized form for classes with implementation-defined invariants
Jan 31, 2025
•
updated by
Amy Gale
•
view change
SER03-J. Do not serialize unencrypted sensitive data
Jan 31, 2025
•
updated by
Amy Gale
•
view change
SER02-J. Sign then seal objects before sending them outside a trust boundary
Jan 31, 2025
•
updated by
Amy Gale
•
view change
SER01-J. Do not deviate from the proper signatures of serialization methods
Jan 31, 2025
•
updated by
Amy Gale
•
view change
SEC01-J. Do not allow tainted variables in privileged blocks
Jan 31, 2025
•
updated by
Amy Gale
•
view change
OBJ10-J. Do not use public static nonfinal fields
Jan 31, 2025
•
updated by
Amy Gale
•
view change
OBJ08-J. Do not expose private members of an outer class from within a nested class
Jan 31, 2025
•
updated by
Amy Gale
•
view change
OBJ07-J. Sensitive classes must not let themselves be copied
Jan 31, 2025
•
updated by
Amy Gale
•
view change
NUM13-J. Avoid loss of precision when converting primitive integers to floating-point
Jan 31, 2025
•
updated by
Amy Gale
•
view change
NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data
Jan 31, 2025
•
updated by
Amy Gale
•
view change
NUM00-J. Detect or prevent integer overflow
Jan 31, 2025
•
updated by
Amy Gale
•
view change
MSC02-J. Generate strong random numbers
Jan 31, 2025
•
updated by
Amy Gale
•
view change
MET53-J. Ensure that the clone() method calls super.clone()
Jan 31, 2025
•
updated by
Amy Gale
•
view change
MET09-J. Classes that define an equals() method must also define a hashCode() method
Jan 31, 2025
•
updated by
Amy Gale
•
view change
LCK05-J. Synchronize access to static fields that can be modified by untrusted code
Jan 31, 2025
•
updated by
Amy Gale
•
view change
IDS03-J. Do not log unsanitized user input
Jan 31, 2025
•
updated by
Amy Gale
•
view change
IDS00-J. Prevent SQL injection
Jan 31, 2025
•
updated by
Amy Gale
•
view change
FIO04-J. Release resources when they are no longer needed
Jan 31, 2025
•
updated by
Amy Gale
•
view change