Rules
| Content by Label | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Risk Assessment Summary
Rule | Severity | Likelihood | Detectable | Repairable |
|---|
Recommendations
MSC00-J. Eliminate class initialization cycles
MSC02-J. Avoid cyclic dependencies between packages
MSC03-J. Prefer using URIs to URLs
MSC04-J. Prefer using Iterators over Enumerations
MSC05-J. Carefully design interfaces before releasing them
MSC06-J. Do not mix generic with non-generic raw types in new code
MSC07-J. Library methods should validate their parameters
MSC08-J. Finish every set of statements associated with a case label with a break statement
MSC09-J. Do not assume infinite heap space
MSC10-J. Perform loss less conversion of String to given encoding and back
MSC11-J. Limit the lifetime of sensitive data
MSC12-J. Do not use insecure or weak cryptographic algorithms
Rules
MSC30-J. Generate truly random numbers
MSC31-J. Never hardcode sensitive information
MSC32-J. Prevent OS Command Injection
MSC33-J. Prevent against SQL Injection
MSC34-J. Prevent XML Injection
MSC35-J. Prevent XPath Injection
MSC36-J. Understand how escape characters are interpreted when String literals are compiled
MSC37-J. Make sensitive classes noncloneable
MSC38-J. Do not modify the underlying collection when an iteration is in progress
MSC39-J. Sanitize before processing or storing user input
MSC40-J. Account for supplementary and combining characters in globalized code
MSC41-J. Validate strings after performing normalization
MSC42-J. Do not delete non-character code points
MSC43-J. Prevent XML external entity attacks
MSC44-J. Properly encode or escape output
MSC45-J. Do not base critical decisions on IP addresses or DNS lookups
MSC46-J. Do not use Object.equals() to compare cryptographic keys
Risk Assessment Summary
Recommendations
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level | |
|---|---|---|---|---|---|---|
| MSC00-J | Medium | Likely low | unlikely No | medium No | P2 P6 | L3 L2 |
| MSC01-J | Low | low Unlikely | unlikely Yes | high Yes | P1 P3 | L3 |
| MSC02-J | High | Probable low | probable No | medium No | P4 P6 | L3 L2 |
| MSC03-J | High | low Probable | probable No | medium No | P4 P6 | L3 L2 |
| MSC04-J | Low | low Unlikely | unlikely No | medium No | P2 P1 | L3 |
| MSC05-J | Low | Probable low | probable No | high No | P2 | L3 |
| MSC06-J | Low | Probable low | probable No | medium No | P4 P2 | L3 |
| MSC07-J | medium Low | probable Unlikely | high Yes | P4 | L3 | |
MSC08- J | medium | unlikely | low | P6 | L2 | |
MSC09- J | low | probable | medium | P4 | L3 |
Rules
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
MSC30- J | high | probable | medium | P12 | L1 |
MSC31- J | high | probable | medium | P12 | L1 |
MSC32- J | high | probable | medium | P12 | L1 |
MSC33- J | medium | probable | high | P4 | L3 |
MSC34- J | medium | probable | medium | P8 | L2 |
MSC35- J | medium | probable | medium | P8 | L2 |
MSC36- J | low | unlikely | high | P1 | L3 |
MSC37- J | medium | probable | medium | P8 | L2 |
MSC38- J | low | probable | medium | P4 | L3 |
| No | P2 | L3 |
...
SER37-J. Do not deserialize from a privileged context The CERT Sun Microsystems Secure Coding Standard for Java MSC00-J. Eliminate class initialization cycles