Audit: Biometric authentication should always be used with a cryptographic objectJAVA-A1030Audit: XMLReader may be vulnerable to XXE attacksJAVA-A1060Non-constant string passed to `execute` or `addBatch` method on an SQL statementJAVA-S0082Audit: `DocumentBuilder` may be vulnerable to XXE attacksJAVA-A1052Prepared statements must not be generated from dynamically created stringsJAVA-S0083Spring password storage must use a strong hashing functionJAVA-S1018`equals` method does not handle null valued operandsJAVA-S0110Reference to mutable object which is returned may expose internal representation of dataJAVA-S0132Nullable parameters should be checked for null before useJAVA-E1067Reference to externally mutable object stored as internal stateJAVA-S0133Servlets should not use mutable fields without synchronizationJAVA-E0128Audit: Broadcasting intents without specifying a target package or receiver permission may be a security riskJAVA-A1023Prepared statements must not be generated from dynamically created stringsJAVA-S1016XMLStreamReaders must be secureJAVA-S1009`equals` method does not handle null valued operandsJAVA-E0110`StringBuffer`/`StringBuilder` constructors should not be passed characters as the first argumentJAVA-E1023Cipher does not support integrity verificationJAVA-S1005XSSRequestWrapper must not be usedJAVA-S1007Custom hashing algorithms must not be usedJAVA-S1008NullCipher must not be used outside of testsJAVA-S1010Sockets must be secureJAVA-S1011A TrustManager/HostnameVerifier that accepts all certificates is a security riskJAVA-S1002Disabling escaping of special characters in templates is a security riskJAVA-S1025LDAP object deserialization is a security riskJAVA-S1026Audit: log4j version used could lead to remote code executionJAVA-A1022Loops must terminate by some meansJAVA-S0024LDAP connections should be authenticatedJAVA-S1020SSLContext instances should not be constructed using "SSL"JAVA-A1059Audit: Thread.sleep() call may be at risk of DoS attackJAVA-A1056Spring sessions must not be retained across user loginsJAVA-S1017Audit: MongoDB queries using operators like `$where` may be a security riskJAVA-A1054Possible null accessJAVA-E1083Possible null access due to exception handlingJAVA-E1084Arguments to `Collections.nCopies()` should be in the correct orderJAVA-E1090Unsynchronized lazy initialization of static value detectedJAVA-E1053Avoid throwing `null`JAVA-E1097Methods annotated as non-nullable should not return null valuesJAVA-E1095`Hashtable/ConcurrentHashMap.contains()` checks for whether a value exists, not keysJAVA-E1098Insecure RandomUtil implementations must not be usedJAVA-S1036Spring component introduces unmanaged stateJAVA-S1060Request handler method accepts persistent object as argumentJAVA-S1061SAML comment parsing should be disabledJAVA-S1062`getRequestSessionId` should not be usedJAVA-S1063Audit: User input should not directly be used in network callsJAVA-A1034Audit: Web views should not have access to filesJAVA-A1028Audit: Enabling JavaScript within a web view is a security riskJAVA-A1029Audit: File can be modified or read by any userJAVA-A1038Audit: Hibernate query may be vulnerable to injection attacksJAVA-A1040Audit: Prepared query may be susceptible to injection attacksJAVA-A1041Audit: SQL query may be susceptible to injection attacksJAVA-A1042Audit: `Runtime.exec()` call may be susceptible to injection attacksJAVA-A1057Audit: Amazon SimpleDB queries should not be susceptible to injection attacksJAVA-A1058Audit: File is set as world readable or writableJAVA-A1039Local variable is never written toJAVA-E1064Non-final static fields should not be publicJAVA-S1050Loops must terminate by some meansJAVA-E1046Thread instances should not be used to call static methods of ThreadJAVA-E1062Private field is never initializedJAVA-E1065NullPointerException should not be caughtJAVA-E1070removeAll should not be used to clear a collectionJAVA-P1005`@RequestMapping` must restrict the allowed HTTP methodsJAVA-S1065SecureRandom seeds must not be predictableJAVA-S1031SMTP configurations should check SSL certificates for authenticityJAVA-S1033Paths in chained `antMatchers` invocations are not ordered by specificityJAVA-S1064Persistent objects should not be returned from methodsJAVA-S1066Audit: Setting bean properties with unsanitized input may be a security riskJAVA-A1027Audit: Including request data within HTML response strings may lead to XSS attacksJAVA-A1035JWTs should be checked for authenticity and integrityJAVA-S1048Avoid catching assertions in testsJAVA-W1076Invalid values for `java.time` constants will always throw a `DateTimeException`JAVA-E1099Injected fields should not be assigned in injection constructorsJAVA-W1079Incorrect main method signature detectedJAVA-E1105Deprecated `HttpClient` implementations should not be usedJAVA-S1067Iterator `next` method must throw `NoSuchElementException`JAVA-S0146`synchronized` block is emptyJAVA-W0151For loop appears to check one variable and increment anotherJAVA-S0214Boolean expression LHS/RHS with bitwise OR will never be equal to a constant RHS/LHSJAVA-E1073Random instances should be reusedJAVA-W1015Do not synchronize on the result of `getClass()`JAVA-E1021For loop appears to check one variable and increment anotherJAVA-E0214Using week year (YYYY) in place of year (yyyy) may produce incorrect resultsJAVA-E1006`@SpringBootApplication`/`@ComponentScan` annotations must not be used in the default packageJAVA-E1009Consumed streams must not be reusedJAVA-E1019Unsupported JDK-internal APIs should not be usedJAVA-E1030Inefficient use of `toArray` with non-zero sized array argumentJAVA-P0335Iterator `next` method should throw `NoSuchElementException`JAVA-W0146Map compute methods cannot be used to create null valued entriesJAVA-W1011Audit: Unsafe Jackson deserialization configurations should not be usedJAVA-A1024Audit: Double checked locking is not safeJAVA-E1018Static methods should be accessed using the class instanceJAVA-W1029Static fields of the parent class should not be accessed through child class instancesJAVA-W1030`equals()` method parameters should not be marked with `@NotNull` or equivalent annotationsJAVA-W1028Basic authorization is a security riskJAVA-S1019Sealed class/interface permitted types need not be listed if they are declared in the same fileJAVA-W1031Boxed Boolean values should not be used in conditional expressionsJAVA-E1054@NoAllocation annotated methods should not create new objectsJAVA-E1059Conditions should not contain assignmentsJAVA-W1034`ZoneId.of()` should be passed a valid timezone identifierJAVA-E1092Iterators should not be invalidated while in scopeJAVA-E1085`@Inject` detected on a final fieldJAVA-W1071Detected use of the `Date` APIJAVA-W1072`Instant` should not be passed unsupported temporal unit typesJAVA-E1094Multiple `@Inject` constructors foundJAVA-W1074Mutable data passed in to nonpublic field may be externally modifiableJAVA-E1086`Class.isInstance()` should not be called on a `Class` objectJAVA-E1091Synchronizing on a mutable reference may lead to unexpected behaviorJAVA-E1051Public fields should not be synchronized onJAVA-E1061`readResolve` must return `Object`JAVA-E1032Unused private field detectedJAVA-W1025Detected synchronization on string literalJAVA-E1081Method can be declared staticJAVA-W1057`TimeZone.getTimeZone` should be passed correct timezone IDsJAVA-E1093`Iterable<Path>` is errorprone and should be replaced with `Collection<Path>`JAVA-E1096Use of `@Nonnull`, `@CheckForNull`, or `@Nullable` detected on primitive declarationJAVA-W1063Do not call hashCode directly on an array classJAVA-E1044String.indexOf's arguments should not be reversedJAVA-E1089Abstract or default method annotated with `@Inject`JAVA-W1075`serialVersionUID` should be correctly declaredJAVA-E1042Double assignment of variable detectedJAVA-E1063Constructor must not be marked with nullable annotationsJAVA-W1070Switch case without appropriate control flow breakJAVA-A1068Redundant boolean literalJAVA-W1064`ZoneId.of("Z")` should be replaced with `ZoneOffset.UTC`JAVA-W1085Multiple variables declared on the same lineJAVA-C1003Loop conditions should be true at least onceJAVA-E1045Redundant type checkJAVA-W1021Type names must begin with an uppercase letterJAVA-C1001Wrong argument order in test assertionsJAVA-C1002`Double`/`Float` comparison with `NaN` will always return `false`JAVA-E1031Custom serialization method is declared with an incorrect signatureJAVA-E1033Serializable class with non-serializable superclass and no default constructor detectedJAVA-E1034Wrong argument type for Collection remove methodJAVA-E1036Collection type is unsafely downcast to a concrete classJAVA-E1037Annotation check will always return falseJAVA-E1039Interface is unimplementableJAVA-E1041Enum fields should not be mutableJAVA-E1069The `%` operator has higher precedence than the `*` operatorJAVA-E1080Missing enum elements in switch casesJAVA-E1082Inefficient `OutputStream` implementationJAVA-P1002Mutable fields should not directly be returnedJAVA-S1049Type parameter shadows another typeJAVA-W1017Variable is checked for `null` twiceJAVA-W1068Zip entries should not be emptyJAVA-W1023`toString()` may not work as expected for array typesJAVA-W1027Classes that contain only static members should not be instantiatedJAVA-W1035Local variables should not be assigned in return statementsJAVA-W1037Anonymous classes should not contain unused non-overridden methodsJAVA-W1039Overly generic exceptions should not be thrownJAVA-W1042`instanceof` check with a known null value will always return falseJAVA-W1044Interface only declares static final fieldsJAVA-W1059Static field accessed before being writtenJAVA-W1060`@Expensive`/`@WorkerThread` annotated method should not override unannotated super methodJAVA-W1061Wrong thread for swing method invocationJAVA-W1062Concrete collection type used in method declarationJAVA-W1065Method returning collection/array type returns `null` insteadJAVA-W1066Redundant cast of return valueJAVA-W1067Primitive values don't need to be compared with `Object.equals()`JAVA-W1080Inject annotations on abstract class constructors have no effectJAVA-W1084Methods should not have different nullability than their super methodsJAVA-E1100Returned `Future`s should not be ignoredJAVA-W1087Unnecessary imports detectedJAVA-W1069Use `assertNull`/`NotNull` instead of `assertEquals`/`notEquals` to assert nullityJAVA-W1091`@Deprecated` should not be applied to local variables or parametersJAVA-W1082`readResolve` should be protected for non-final classesJAVA-W1097Use `existsById` instead of `findById` to check for the existence of an entityJAVA-W1090`switch` statements with only 2 branches should be `if` statements insteadJAVA-W1086@VisibleForTesting/@TestOnly annotated methods/constructors should not be used in non-test codeJAVA-A1067`getClass` should not be used with enums whose members have custom bodiesJAVA-E1106Avoid using deprecated `Thread` methodsJAVA-E1107`String.substring()` call with single `0` index foundJAVA-W1077Avoid using a single unescaped `.` as a regex patternJAVA-W1078Synchronization performed on a concurrency primitive objectJAVA-E0321Abstract class constructors should not be publicJAVA-W1094Closeable values should not be injected via `@Provides` annotated methodsJAVA-E1103CacheLoader implementation `load` method should not return `null`JAVA-E1104`BigDecimal.equals()` may produce unintended resultsJAVA-W1083Catch blocks should be reachableJAVA-W1092Avoid assertions within `Runnable`sJAVA-W1096Calls to assertion chain methods should be terminated with an assertionJAVA-E1109`readObject` should not be synchronizedJAVA-W1093Avoid using `ThreadGroup` methodsJAVA-E1108Absolute paths should not be hard codedJAVA-W0406JUnit5 test classes and methods should be package-privateJAVA-W1058Method superfluously delegates to parent class methodJAVA-W1016Type bound extends final typeJAVA-W1018For loop can be converted into a foreach loopJAVA-W1089Test files should contain testsJAVA-W1088Attempt to close a null value detectedJAVA-S0250Value is always nullJAVA-S0249Maps and Sets of URLs can be performance hogsJAVA-S0057Impossible downcast of `toArray()` result detectedJAVA-S0386`IllegalMonitorStateException`s should not be handledJAVA-S0040Database resource may not be closed on returnJAVA-S0326Possible database resource leak detectedJAVA-S0327`readLine()` result is read without a null checkJAVA-S0220Possibly null fields should not be synchronized onJAVA-E1060Incorrect combination of `Math.max` and `Math.min`JAVA-S0080Stream does not appear to be closed after useJAVA-S0268Clone method does not invoke super methodJAVA-S0048Static initializer creates instance before all static final fields are assignedJAVA-S0267Value is guaranteed to be accessed while null after an exception is thrownJAVA-S0266Stream may be left unclosedJAVA-S0269No relationship between the generic parameter of the called method and its argumentJAVA-S0421Sequence of operations on a concurrent abstraction may not be atomicJAVA-S0447`System.runFinalizersOnExit`/`Runtime.runFinalizersOnExit` are unsafe and must not be usedJAVA-E0061Class extends Servlet class and uses instance variablesJAVA-S0370Synchronization performed on a util.concurrent `Lock` objectJAVA-S0321Overwriting a method parameter will not modify the original objectJAVA-S0352Waiting with two locks held is likely to cause a deadlockJAVA-E0139`wait`/`notify` called without synchronization on an objectJAVA-E0288Cookies must not be insecureJAVA-S1003Avoid using `equals` to compare against `null`JAVA-E0051Incorrect combination of `Math.max` and `Math.min`JAVA-E0080`IllegalMonitorStateException`s should not be handledJAVA-E0040Self assignment of local variable detectedJAVA-E0291Clone method does not invoke super methodJAVA-E0048Finalizers must not be explicitly invokedJAVA-E0094`readLine` result is read without a null checkJAVA-E0220Method attempts to access a result set field with index 0JAVA-E0343Method attempts to set a prepared statement parameter with index 0JAVA-E0344Impossible downcast of `toArray` result detectedJAVA-E0386Invalid regex syntax must not be usedJAVA-E0394Iterator `hasNext` should not invoke `next`JAVA-E0409A syntax error was foundJAVA-E1000Bad short-circuiting null checkJAVA-E1003Methods must not unconditionally call themselvesJAVA-E1017Indices must not be out of boundsJAVA-E1020`Optional` values must never be `null`JAVA-E1022Whitespace characters must always be escapedJAVA-E1029Maps and Sets of URLs can be performance hogsJAVA-P0057`Pattern.compile()` should not be called in a loopJAVA-P0331Overly permissive CORS policies are a security riskJAVA-S1000Servlet does not sanitize path names from HTTP requestsJAVA-S1001CBC and ECB modes are insecureJAVA-S1004Insecure encryption algorithm detectedJAVA-S1012RSA without padding is insecureJAVA-S1013RSA keys must be at least 2048 bits longJAVA-S1014Blowfish keys must be at least 128 bits longJAVA-S1015Finalizer method should be protected, not public or privateJAVA-W0089Insecure hash algorithm usage with passwords detectedJAVA-S1006Database password field is emptyJAVA-S0014Method with `Optional` return type must not return `null`JAVA-S0031Method does not check if an argument is nullJAVA-S0109Prepared statements should not be created within a loopJAVA-S0329Local variable that shadows field is written to but not read fromJAVA-S0353Class extends Servlet class and uses instance variablesJAVA-E0370Switch blocks must not contain statement labelsJAVA-E1005Insecure network protocols must not be usedJAVA-S1021Nullable value stored to non-null fieldJAVA-E1071Collections should not contain themselvesJAVA-E1076Prepared statements should not be created within a loopJAVA-P1003Storing an externally mutable value into a private static field may expose internal stateJAVA-S0134Public static method returns freely modifiable array that may expose internal stateJAVA-S0131`BigDecimal` constructed from `double` may be impreciseJAVA-S0008Inefficient use of keySet iterator instead of entrySet iteratorJAVA-S0361`System.exit()` should only be invoked within application entry pointsJAVA-S0060`Thread` passed where `Runnable` expectedJAVA-S0056`toString` invoked on a string value is uselessJAVA-S0064`Boolean` constructor is inefficient, consider using `Boolean.valueOf` insteadJAVA-S0066`Integer`/`Long` constructor is inefficient, use `valueOf` insteadJAVA-S0067`Float`/`Double` constructor is inefficient, use `valueOf` insteadJAVA-S0068Use `""` instead of `new String()` to create empty stringsJAVA-S0063Inefficient use of `String` constructorJAVA-S0062Increment of volatile field is not atomicJAVA-S0028Adding elements of an entry set may fail due to reuse of `Entry` objectsJS0425Explicit invocation of garbage collection is detrimental apart from some benchmarking use casesJAVA-S0065Repeated conditional test on the same variable detectedJAVA-S0034Elements accessed from volatile reference to an array are not volatileJAVA-S0027Method may ignore exceptionsJAVA-S0052Invocation of `equals()` on an array, which is equivalent to `==`JAVA-S0348Use of member identifier that is a keyword in later Java versionsJAVA-S0050Fields of immutable classes should be finalJAVA-E0055Collections should not be added to themselvesJAVA-E1077Array elements should match the runtime type of the arrayJAVA-E1079String concatenation using `+` within loops is costly and should be replaced by a `StringBuffer`/`StringBuilder`JAVA-P1006Imprecise redefinition of library constantJAVA-W1033Empty catch clauses may hide exceptionsJAVA-E0052Boxed primitives should not be synchronized onJAVA-E0150`Thread.sleep()` should not be called while a lock is heldJAVA-E0410Invoking a `Runnable` object's `run` method will perform the task in the current thread, not a new oneJAVA-E0135Elements accessed from volatile reference to an array are not volatileJAVA-E0027Invocation of `equals` on an array, which is equivalent to `==`JAVA-E0348Use of identifier that is a keyword in later Java versionsJAVA-W0050Finalizers are deprecated since Java 9JAVA-W0088`equals` always returns `false`JAVA-W0107Unsafe usage of `getResource`JAVA-E0029Monitor `wait` must not be used on a `Condition`JAVA-E0078`equals` always returns `true`JAVA-W0106C style array declaration syntax must not be usedJAVA-C1000Increment of volatile field is not atomicJAVA-E0028Arguments of binary expressions must not be duplicatedJAVA-E0034`Thread` passed where `Runnable` expectedJAVA-E0056Use `""` instead of `new String()` to create empty stringsJAVA-P0063`equals` method defined for enumerationJAVA-E0096`equals` method is overloaded but not overriddenJAVA-E0098`equals` method inherits parent class implementation instead of overriding `Object.equals`JAVA-E0099`compareTo`/`compare` returns `Integer.MIN_VALUE`JAVA-E0112Classes should not have the same name as any of their superclasses or implemented interfacesJAVA-E0169Return value of `InputStream.read()` should not be ignoredJAVA-E0183Return value of `InputStream.skip` should not be ignoredJAVA-E0184Constructor of non-final class starts a threadJAVA-E0208Increment/decrement performed during assignment expression to same variable will be lostJAVA-E0396Shift amounts outside the valid range may produce unexpected resultsJAVA-E0399Oddness check using `x % 2 == 1` will not work for negative numbersJAVA-E0405Arguments to String.format must match the provided format stringJAVA-E1001`toString` invoked on a string value is uselessJAVA-P0064Jump statements must not be used within `finally` blocksJAVA-E1007Case insensitive regex does not properly handle Unicode inputJAVA-E1010Objects should not be compared to themselves within assertionsJAVA-E1012Optional values must be checked before being accessedJAVA-E1013`Iterable` objects must not return `this` in `iterator()` methodJAVA-E1015`setUp` and `tearDown` methods must be properly annotatedJAVA-E1028Inefficient use of `String` constructorJAVA-P0062Explicit invocation of garbage collection is detrimental apart from some benchmarking use casesJAVA-P0065`Boolean` constructor is inefficient, consider using `Boolean.valueOf` insteadJAVA-P0066`Integer`/`Long` constructor is inefficient, use `valueOf` insteadJAVA-P0067`Float`/`Double` constructor is inefficient, use `valueOf` insteadJAVA-P0068Non-null boxed types are inefficientJAVA-P1000Use `String.replace()` instead of `String.replaceAll()` for simple text patternsJAVA-P1001`Thread` with empty `run` method is uselessJAVA-W0084`BigDecimal` constructed from `double` may be impreciseJAVA-W0008Maximum pool size of `ScheduledThreadPoolExecutor` cannot be changedJAVA-W0012Empty catch clauses may hide exceptionsJAVA-W0052`System.exit()` should only be invoked within application entry pointsJAVA-W0060`equals` checks for incompatible operandJAVA-W0095Class doesn't override `equals` from superclassJAVA-W0100Invoking a `Runnable` object's `run` method will perform the task in the current thread, not a new oneJAVA-W0135Possibly useful method return value is ignoredJAVA-W0243References should not be compared with `==`/`!=`JAVA-W0280File path does not match declared packageJAVA-W1001Exceptions must not be thrown in finalizersJAVA-W1002Collection and array length checks must be sensibleJAVA-W1005Fields must not shadow other fields with the same name from super classesJAVA-W1007JUnit test class overrides `setUp` but does not invoke `super.setUp()`JAVA-S0337`@OverridingMethodsMustInvokeSuper` annotation in super method is ignored by overriding methodJAVA-S0001A call has been made to an unsupported methodJAVA-S0013`Boolean` method may return `null`JAVA-S0030Empty zip file entries should not be createdJAVA-S0038Empty jar file entries should not be createdJAVA-S0039Class implements `Cloneable` but has not overridden the `clone` methodJAVA-S0046Class defines `clone` but does not inherit from `Cloneable`JAVA-S0047Synchronizing on a mutable reference may lead to unexpected behaviorJAVA-S0153Synchronization on a nonfinal field is dangerous and error-proneJAVA-S0154Value assigned is overwritten due to switch fall throughJAVA-S0197`Random` object is used only once, then discardedJAVA-S0301Assertion possibly occurs in a non-test threadJAVA-S0336JUnit test class overrides `tearDown` but does not invoke `super.tearDown()`JAVA-S0338Arrays are not equal to non-array valuesJAVA-S0347`equals` can't be used to compare arrays of different typesJAVA-S0349Wait/notify must not be called on a Thread objectJAVA-E1004Overwriting a method parameter will not modify the original objectJAVA-E0352Inefficient use of keySet iterator instead of entrySet iteratorJAVA-P0361Malformed JavaDoc commentJAVA-D1007`Duration.withNanos()` may not produce correct resultsJAVA-E1087Parameter tag has no descriptionJAVA-D1005JavaDoc tags should not be emptyJAVA-D1006Unmatched Parameter tag foundJAVA-D1004Getter and setter method synchronization does not matchJAVA-E1074Thread.currentThread() should not be used to call Thread's static methodsJAVA-W1038Non-thread-safe date/time fields should not be public and staticJAVA-E1024Call to unsupported method detectedJAVA-E1048Private fields which are only set to null should be removedJAVA-E1066Random value in range 0 to 1 is coerced to integer 0JAVA-E1068Calling String.indexOf() with a single character string is inefficientJAVA-P1004Expensive methods should not be invoked from performance critical threadsJAVA-P1007Object should not be passed where a generic type is expectedJAVA-W1036Bitwise operations should not be checked for signJAVA-W1043Negating the result of `compareTo`/`compare` may have unexpected resultsJAVA-W1048Boxed primitives will be unboxed and coerced to a common type in ternary operationJAVA-W1055Class overrides `compareTo()` but not `equals()`JAVA-W1056Downcast may flip integer sign in comparator methodJAVA-E1102Primitive value is boxed, then unboxed to perform primitive coercionJAVA-W1081Class overrides `TestCase` but has no test methodsJAVA-S0341Primitives do not need to be boxed for comparisonJAVA-W1050Object appears to have been created for no reasonJAVA-S0235Class is not an Exception/Throwable, even though it is named as suchJAVA-S0182Private method is never calledJAVA-S0324`Object.getClass` does not need to be invoked on an instantiated objectJAVA-W0077Method uses the same code for two switch clausesJAVA-S0412Useless control flow detectedJAVA-W1047Useless unboxing of a valueJAVA-W1052Protected fields in a final class are uselessJAVA-W0417Format strings should use `%n` instead of `\\n`JAVA-W0379The default case should be last within a switch blockJAVA-W1010Private method is never calledJAVA-W0324Method uses the same code for multiple branchesJAVA-W0411Getter/setter names must be appropriateJAVA-E1014Class overrides `hashCode` but not `equals`JAVA-W0117Finalizer nulls fieldsJAVA-W0087Empty finalizer methods should be deletedJAVA-W0090Class is not an Exception/Throwable, even though it is named as suchJAVA-W0182Method uses the same code for two switch clausesJAVA-W0412Exception classes must be named appropriatelyJAVA-W1000Methods must not be emptyJAVA-W1004Method and field names must be dissimilarJAVA-W1006Hashcode must be implemented along with EqualsJAVA-W0116Float precision math may be impreciseJAVA-S0041Class is Serializable, but doesn't define `serialVersionUID`JAVA-S0193Case conversion may not work as expected for international characters without specifying the encodingJAVA-S0069Serializable class with non-serializable super class having no void constructor detectedJAVA-S0192Useless increment in return statementJAVA-S0356Float comparison with `NaN` will always failJAVA-S0364Method superfluously delegates to parent class methodJAVA-S0415Floating point values should not be compared with relational operators in comparison methodsJAVA-W1032Undocumented class foundJAVA-D1000Undocumented constructor foundJAVA-D1002Undocumented declaration foundJAVA-D1003Non-static nested class foundJAVA-W1019Local variable is assigned null value and not read afterJAVA-W1040Needless boxing of a primitive only to call `toString`JAVA-W1049Boxing a value is redundant if it is immediately unboxedJAVA-W1051Undocumented method foundJAVA-D1001Function with cyclomatic complexity higher than threshold foundJAVA-R1000
Java logoJava/
JAVA-S1021

Insecure network protocols must not be usedJAVA-S1021

Critical severityCritical
Security categorySecurity
a02, cwe-200, cwe-319, security, owasp-top-10

Insecure network protocols such as HTTP or FTP which do not make use of TLS/SSL can allow Man in the Middle (MitM) attacks to occur.

Use secure protocols whenever possible.

Clear-text protocols lack both encryption and verification features, and as such can allow attackers to easily intercept and/or manipulate data sent over them.

The risks of using such protocols are numerous, including but not limited to:

  • Sensitive data leakage - any authentication data sent through an insecure protocol can be read by the attacker.
  • Phishing attacks - The attacker could pose as the server the client intended to talk to, or could impersonate a client in their communications to the server.
  • Client side attacks - The attacker could send the client malicious data or code to be executed.
  • Server side attacks - The attacker could modify requests from the client and attach malicious data or code that would be executed by the server.
  • Data loss- The attacker could corrupt the data in the request, leading to data loss or server side data corruption.

Additionally, HTTP as a protocol is deprecated by all major browsers.

Bad Practice

// These are from the Apache Commons Net library:

TelnetClient telnet = new TelnetClient();

FTPClient ftpClient = new FTPClient();

SMTPClient smtpClient = new SMTPClient();

Use SSH instead of Telnet. The JSch library is a good option to use here:

JSch jsch = new JSch();

Instead of FTP, use SFTP, SCP or FTPS. JSch supports both SFTP and SCP protocols as well as SSH.

Apache provides a client implementation for FTPS:

FTPSClient client = new FTPSClient(implicit); // the connection can be implicit or explicit.
client.connect(...);
if (!implicit && client.execTLS()) {
    // ... Explicit mode.
} else {
    // ... Implicit mode.
}

Note that implicit FTP is deprecated. Prefer explicit mode unless the connection is required to be implicit (here's an explanation of this).

Use Apache's SMTPSClient to make secure SMTP connections:

SMTPSClient client = new SMTPSClient(true);
client.connect(...);
if (!implicit && client.execTLS()) {
    // ... Explicit mode.
} else {
    // ... Implicit mode.
}

Use proper encryption when creating HTTPS connections.

Exceptions

This issue will not be raised if a loopback connection (to 127.0.0.1 or localhost) is found to be made after creating the client.

Additionally, connections which are designed to operate within a private and secure environment such as a VPN may use unencrypted protocols.

While this is not ideal you may ignore this issue in such cases at your discretion.

References