The following rules can be enabled in CQA mode:

BD.API.EQNULL - Make sure implementation of Object.equals(Object) properly handles null values 
BD.API.EQREFL - Make sure implementation of Object.equals(Object) is reflexive 
BD.CO.ITMOD - Do not modify collection while iterating over it 
BD.EXCEPT.NP - Avoid NullPointerException 
BD.OPT.INEFCOL - Avoid inefficient removal of Collection elements 
BD.OPT.INEFMAPRM - Avoid inefficient removal of Map entries 
BD.OPT.INEFMAP - Avoid inefficient iteration over Map entries 
BD.PB.ARRAYINP - Avoid unvalidated input in array indexes 
BD.PB.ARRAY - Avoid accessing arrays out of bounds 
BD.PB.BADSHIFT - Avoid incorrect shift operations 
BD.PB.CC - Avoid conditions that always evaluate to the same value 
BD.PB.DEREF - Do not check for null after dereferencing 
BD.PB.EXCEPT - Always catch exceptions 
BD.PB.GETPERM - Method getPermission() is supposed to be invoked when user-defined class loaders are applied 
BD.PB.INFREC - Avoid infinite recursion 
BD.PB.NOTEXPLINIT - Avoid use before explicit initialization 
BD.PB.NOTINITCTOR - Avoid use of fields before initialization in constructors and static initializers 
BD.PB.PBIOS - Prevent external processes from blocking on input and output streams 
BD.PB.POVR - Avoid overwriting method parameters before each use 
BD.PB.RECFUN - Methods shall not call themselves, either directly or indirectly 
BD.PB.SBONE - Ensure proper usage of StringBuilder/StringBuffer objects 
BD.PB.STRNULL - Do not append null value to strings 
BD.PB.SWITCH - Avoid switch with unreachable branches 
BD.PB.VOVR - Avoid unused values 
BD.PB.ZERO - Avoid division by zero 
BD.RES.FREE - Do not use resources that have been freed 
BD.RES.LEAKS - Ensure resources are deallocated 
BD.SECURITY.BUFEXP - Do not expose data wrapped by a buffer to untrusted code 
BD.SECURITY.CANPATH - Path should be standardized before validation 
BD.SECURITY.CUSTOM - Prevent security vulnerability (custom rule) 
BD.SECURITY.EACM - Encapsulate arguments of dangerous methods with a validation method 
BD.SECURITY.PRIVIL - Avoid operating on tainted data in privileged blocks 
BD.SECURITY.REMTMP - Remove temporary files before termination 
BD.SECURITY.SENS - Prevent exposure of sensitive data 
BD.SECURITY.SSSD - Safely serialize sensitive data 
BD.SECURITY.TDCMD - Protect against Command injection 
BD.SECURITY.TDDIG - Protect against Jakarta Digester injection 
BD.SECURITY.TDENV - Protect against Environment injection 
BD.SECURITY.TDFILES - Protect against File contents injection 
BD.SECURITY.TDFNAMES - Protect against File names injection 
BD.SECURITY.TDINPUT - Exclude unsanitized user input from format strings 
BD.SECURITY.TDJXPATH - Protect against JXPath injection 
BD.SECURITY.TDLDAP - Protect against LDAP injection 
BD.SECURITY.TDLIB - Protect against Library injection 
BD.SECURITY.TDLOG - Protect against log forging 
BD.SECURITY.TDNET - Protect against network resource injection 
BD.SECURITY.TDRESP - Protect against HTTP response splitting 
BD.SECURITY.TDRFL - Protect against Reflection injection 
BD.SECURITY.TDSQL - Protect against SQL injection 
BD.SECURITY.TDXML - Protect against XML data injection 
BD.SECURITY.TDXPATH - Protect against XPath injection 
BD.SECURITY.TDXSS - Protect against XSS vulnerabilities 
BD.SECURITY.VPPD - Validate all dangerous data 
BD.SECURITY.XMLVAL - Validate untrusted XML using schema or DTD before reading 
BD.TRS.DIFCS - Variable should be used in context of single critical section 
BD.TRS.DLOCK - Avoid double locking 
BD.TRS.LOCK - Do not abandon unreleased locks 
BD.TRS.ORDER - Do not acquire locks in different order 
BD.TRS.TSHL - Do not use blocking methods while holding a lock 
BEAN.BLNC - Use appropriate signatures for listener method names in JavaBean classes 
BEAN.EQUALS - Override 'Object.equals()' in JavaBean classes 
BEAN.JDBC - Do not use JDBC code in JavaBean classes 
BEAN.NFM - Define get and set methods for each instance field 
BEAN.SERIALIZABLE - Ensure that JavaBean classes implement 'java.io.Serializable' 
CDD.DFI - Avoid duplicated field initialization in constructors 
CDD.DUPC - Avoid code duplication 
CDD.DUPI - Avoid duplicate import statements 
CDD.DUPM - Avoid method duplication 
CDD.DUPS - Avoid string literal duplication 
CDD.DUPT - Avoid class duplication 
CODSTA.BP.ABCL - Avoid "break" and/or "continue" with labels 
CODSTA.BP.AMRO - Avoid declaring methods that return 'Object' 
CODSTA.BP.ARM - Avoid using reflection methods 
CODSTA.BP.ARN - Avoid returning "null" for arrays and certain types 
CODSTA.BP.AULS - Avoid label statements 
CODSTA.BP.AUML - Avoid using multiple loggers, use logging levels instead 
CODSTA.BP.AWRT - Avoid using wildcards in method return types 
CODSTA.BP.BLK - Provide a '{}' block for conditional statements 
CODSTA.BP.BLOCK - Avoid unnecessary nested blocks 
CODSTA.BP.CFNF - Declare fields with uppercase character names as "final" 
CODSTA.BP.CMUTA - Avoid 'public' or 'protected' constructors for immutable classes 
CODSTA.BP.CONTINUE - Do not use "break" and/or "continue" statements 
CODSTA.BP.CS - Place constants on the appropriate side of comparisons 
CODSTA.BP.DLSF - Declare loggers as "static final" fields 
CODSTA.BP.EXIT - Do not call 'System.exit()' 
CODSTA.BP.FPF - Declare all formal parameters as "final" 
CODSTA.BP.FQNIC - Reference interface constants with their declaring interface names 
CODSTA.BP.HTV - Avoid using 'Hashtable' and 'Vector' 
CODSTA.BP.IMPTD - Avoid or enforce usage of '*' form of import statements 
CODSTA.BP.NRVA - Avoid passing non-reifiable types to varargs methods 
CODSTA.BP.NTX - Avoid declaring methods to throw general or unchecked Exception types 
CODSTA.BP.OCMA - Ensure overloaded constructors and methods share the same accessibility 
CODSTA.BP.PCF - Ensure that a class which has only "private" constructors is declared as "final" 
CODSTA.BP.PPAC - Do not define "public" or "protected" members in anonymous classes 
CODSTA.EPC.AFP - Do not make assignments to method parameters 
CODSTA.EPC.AGBPT - Avoid conversions from parameterized types to raw types 
CODSTA.EPC.CLNC - Do not use constructors in the 'clone()' method 
CODSTA.EPC.COMT - Avoid using the conditional operator with mismatched numeric types 
CODSTA.EPC.IBS - Use "int" instead of "byte" or "short" and "double" instead of "float" for variable declarations 
CODSTA.EPC.MSF - Do not use too many non-"final" "static" fields 
CODSTA.EPC.NCAC - Do not call an "abstract" method from a constructor in an "abstract" class 
CODSTA.EPC.NCE - Do not catch exception types which are too general or are unchecked exceptions 
CODSTA.EPC.NCNFC - Do not call methods that might cause unexpected NullPointerExceptions during constructor execution 
CODSTA.EPC.OVERLOAD - Use overloading judiciously 
CODSTA.EPC.SCLONE - Call 'super.clone()' in all 'clone()' methods 
CODSTA.EPC.STA - Avoid using the same type argument for multiple method arguments 
CODSTA.EPC.UST - Use 'StringTokenizer' instead of 'indexOf()' and 'substring()' for String parsing 
CODSTA.EPC.WSIM - Do not write to static fields from non-static methods 
CODSTA.OIM.AMMO - Do not override non "abstract" methods of a parent class with "abstract" methods 
CODSTA.OIM.CLONE2 - Use the 'clone()' method only to implement 'Cloneable' interface 
CODSTA.OIM.CLONET - Ensure 'clone()' method of non-final Cloneable class declared to throw 'CloneNotSupportedException' 
CODSTA.OIM.CLONE - Declare 'clone() throws CloneNotSupportedException' for Cloneable class 
CODSTA.OIM.DVOM - Define a "static" 'valueOf()' method for "enum" types which override 'toString()' 
CODSTA.OIM.OTOSM - Override 'toString()' 
CODSTA.OIM.OVERRIDE - Override 'Object.hashCode()' when you override 'Object.equals()' and vice versa 
CODSTA.OIM.OVOTS - Do not override 'toString()' in enum types 
CODSTA.ORG.AMOC - Do not have more than one type in each file 
CODSTA.ORG.DCI - Define constants in an "interface" 
CODSTA.ORG.DINT - Do not make method calls to internal classes from non-internal classes 
CODSTA.ORG.FO - Order class elements appropriately 
CODSTA.ORG.IMP - Avoid importing specific classes or packages 
CODSTA.ORG.OGM - Organize methods by name 
CODSTA.ORG.ORCU - Order compilation unit elements appropriately 
CODSTA.ORG.ORFIM - Place 'finalize()' methods between "public" and "protected" methods 
CODSTA.ORG.ORIMP - Present "import" statements in alphabetical order 
CODSTA.ORG.PML - Place the 'main()' method last 
CODSTA.ORG.UNDPN - Ensure all types have a non default package name 
CODSTA.POD.ACIAP - Avoid constant interface anti-pattern 
CODSTA.POD.ASM - Avoid "static" methods when the declaring class is a parameter type 
CODSTA.POD.AUVT - Use less specific types to accomplish loose coupling 
CODSTA.POD.CHAIN - Use chain constructors in classes with multiple constructors 
CODSTA.POD.CIOC - Avoid chains of "instanceof" comparisons 
CODSTA.POD.DCTOR - Define a no argument constructor whenever possible 
CODSTA.POD.IASM - Do not access static members indirectly 
CODSTA.POD.ISACF - Do not define constants in interfaces 
CODSTA.POD.SMC - Avoid "switch" statements with too many or too few "case" statements 
CODSTA.POD.UET - Use "enum" types instead of a series of "static final" constants 
CODSTA.POD.UPT - Enforce or avoid the use of parameterized types 
CODSTA.READ.ABUB - Do not rely on automatic boxing and unboxing of primitive types 
CODSTA.READ.ACCS - Do not use complicated conditional expressions in control structures 
CODSTA.READ.AEFS - Avoid or enforce usage of enhanced "for" loops 
CODSTA.READ.AFD - Access and set fields directly in the declaring type instead of using getter and setter methods 
CODSTA.READ.AFQN - Do not use fully qualified type names 
CODSTA.READ.AIC - Avoid anonymous inner classes 
CODSTA.READ.ANL - Avoid using negative logic in if-else statement 
CODSTA.READ.ASIS - Avoid static import statements 
CODSTA.READ.AUTS - Avoid unnecessary calls to 'toString()' 
CODSTA.READ.CCB - Comment the ends of control structures 
CODSTA.READ.CEB - Comment empty blocks 
CODSTA.READ.CID - Avoid using increment or decrement operators in nested expressions 
CODSTA.READ.CLV - Comment local variables 
CODSTA.READ.CTA - Always call 'Collection.toArray()' with an empty constant array argument 
CODSTA.READ.CX - Enforce or avoid usage of conditional operators 
CODSTA.READ.DOWHILE - Avoid using "do-while" statements 
CODSTA.READ.DUN - Do not use too many negation operators '!' in a single method 
CODSTA.READ.DVCU - Declare variables as close as possible to where they are used 
CODSTA.READ.ECSC - Explicitly call one of the superclass' constructors from all constructors 
CODSTA.READ.FF - Declare "private" constant fields "final" 
CODSTA.READ.FLV - Declare constant local variables "final" 
CODSTA.READ.HBE - Avoid using Hexadecimal binary exponents 
CODSTA.READ.LONG - Avoid having a lower-case "l" or the number "1" at the end of a "long" integer constant 
CODSTA.READ.MTBS - Minimize "try" block size 
CODSTA.READ.MVOS - Do not declare multiple variables in one statement 
CODSTA.READ.NEA - Avoid nested assignments or assignments embedded in other expressions 
CODSTA.READ.NMUC - Declare never-modified collections as "unmodifiable" for clarity 
CODSTA.READ.NSI - Avoid non-static initializers 
CODSTA.READ.PCIF - Declare "for" loops with an initializer, conditional, and updater statements 
CODSTA.READ.PCTOR - Do not declare "public" constructors in non-public classes 
CODSTA.READ.PDBB - Put declarations only at the beginning of blocks 
CODSTA.READ.PFL - Enforce use of "for" or "while" loops 
CODSTA.READ.SIE - Use 'isEmpty()' for Collections and Maps instead of comparing 'size()' to 0 
CODSTA.READ.UATS - Avoid or enforce the use of "this" and "super" expressions 
CODSTA.READ.UBL - Avoid create integer values from binary notation using Integer.parseInt() methods 
CODSTA.READ.ULIT - Use underscore characters (_) in numerical literal 
CODSTA.READ.USN - Avoid literal constants 
CODSTA.READ.VDT - Do not declare multiple variables of different types in one statement 
CODSTA.READ.VIFS - Limit the number of initialization and update statements in "for" loops 
DBC.CPT - Do not include a postcondition saying that "$result!=null" in methods which can return null 
DBC.IGM - Provide an '@invariant' contract for all getter methods 
DBC.IMNR - Do not invoke a method on a reference that is not guaranteed to be non-null 
DBC.IPAN - Include a '@pre != null' tag for each parameter that is dereferenced before being checked for null 
DBC.PKGC - Provide an '@invariant' contract for all package-private classes 
DBC.PKGMPOST - Provide a '@post' contract for all package-private methods 
DBC.PKGMPRE - Provide a '@pre' contract for all package-private methods 
DBC.PRIC - Provide an '@invariant' contract for all "private" classes 
DBC.PRIMPOST - Provide a '@post' contract for all "private" methods 
DBC.PRIMPRE - Provide a '@pre' contract for all "private" methods 
DBC.PROC - Provide an '@invariant' contract for all "protected" classes 
DBC.PROMPOST - Provide a '@post' contract for all "protected" methods 
DBC.PROMPRE - Provide a '@pre' contract for all "protected" methods 
DBC.PUBC - Provide an '@invariant' contract for all "public" classes 
DBC.PUBMPOST - Provide a '@post' contract for all "public" methods 
DBC.PUBMPRE - Provide a '@pre' contract for all "public" methods 
DBC.RCC - Avoid rechecking @pre and @post conditions 
DBC.SYNTAX - Use correct syntax in the DbC contracts 
ECLIPSE.IPMF - Avoid exporting "internal" packages in MANIFEST.MF 
ECLIPSE.PCMF - Ensure "Export-Package" and "Provide-Package" match in MANIFEST.MF for Eclipse 3.0 compatibility 
ECLIPSE.SMF - Avoid missing "Eclipse-AutoStart" entry in MANIFEST.MF 
EJB.ABCS - Do not use Servlet code in EJB classes 
EJB.ABFG - Do not use Entity Beans as fine-grained objects 
EJB.ACL - Do not access, use, or create a class loader within a bean class 
EJB.ADCB - Do not use EJB code in java swing or servlet classes 
EJB.AIEBC - Avoid excessive inter-entity bean communication 
EJB.AJDBC - Do not use JDBC code inside of EJB classes 
EJB.AMSC - Do not access or modify security configuration objects 
EJB.AOTO - Avoid one-to-one mapping between session beans and entity beans 
EJB.AUS - Do not use sockets in EJBs 
EJB.CDP - Declare bean classes "public" 
EJB.CNDA - Do not declare bean classes as "abstract" 
EJB.CNDF - Do not declare bean classes as "final" 
EJB.CRTE - Declare 'ejbCreate()' methods "public", but neither "static" nor "final" 
EJB.DPANY - Avoid granting access permission for EJB methods to the 'ANYONE' role 
EJB.EJB3.AIA - Avoid ignored or invalid annotations 
EJB.EJB3.AISE - Avoid IllegalStateException when using transactions 
EJB.EJB3.BMN - Do not start business method names with "ejb" 
EJB.EJB3.CMF - Use proper formatting for lifecycle callback methods 
EJB.EJB3.CPIM - Call 'InvocationContext.proceed()' from @AroundInvoke methods 
EJB.EJB3.EAII - Do not expose @AroundInvoke method in business interface 
EJB.EJB3.IDA - Avoid improper use of @Id annotation 
EJB.EJB3.IDCS - Ensure @IdClass is Serializable and defines "equals()" and "hashCode()" methods 
EJB.EJB3.MDBS - Do not extend other @MessageDriven beans from a @MessageDriven bean 
EJB.EJB3.MDML - Ensure @MessageDriven beans specify a MessageListener 
EJB.EJB3.MTM - Do not declare multiple "@Timeout" methods 
EJB.EJB3.PCUN - Always specify "unitName" with @PersistenceContext 
EJB.EJB3.PERMIT - Avoid EJB 3 methods without security annotations 
EJB.EJB3.RLI - Do not declare an interface both @Local and @Remote 
EJB.EJB3.RMSB - Specify a @Remove method for @Stateful beans 
EJB.EJB3.SIVS - Ensure instance variables of @Stateful beans are Serializable 
EJB.EJB3.SRBM - Ensure parameters and return type of remote business methods are Serializable 
EJB.EJB3.ULI - Access beans through a local interface 
EJB.EJBLOAD - Do not call finder methods in the 'ejbLoad()' 
EJB.FNDM - Declare finder methods "public" and neither "final" nor "static" 
EJB.IECM - Implement one or more 'ejbCreate()' methods in bean classes 
EJB.IEPM - Implement one or more 'ejbPostCreate()' methods in EntityBean classes 
EJB.JIO - Do not use types from the "java.io" package within bean classes 
EJB.LNL - Avoid loading native libraries in a Bean class 
EJB.MDBC - Implement a no-argument 'ejbCreate()' method for all Message-driven bean classes 
EJB.MEC - Define a matching 'ejbPostCreate()' method for each 'ejbCreate' method in entity bean classes 
EJB.MNDF - Do not define 'finalize()' method in bean classes 
EJB.MRE - Throw 'java.rmi.RemoteException' in the methods of remote interface and remote home interface 
EJB.NFDC - Declare a "public" constructor that takes no parameters in bean classes 
EJB.NFS - Declare all "static" fields in EJB bean classes "final" 
EJB.PCRTE - Declare 'ejbPostCreate()' "public" and neither "static" nor "final" 
EJB.RILH - Do not throw 'java.rmi.RemoteException' in a bean's local interface and local home interface 
EJB.RR - Do not declare entity beans as remote 
EJB.RTC - Make the return type "void" for SessionBeans or MessageDrivenBeans' 'ejbCreate()' methods 
EJB.RTP - Make the return type "void" for the 'ejbPostCreate()' method 
EJB.RT - Make finder methods' return type the primary key or a collection of primary keys 
EJB.RUH - Reuse EJB homes 
EJB.SMSN - Do not set or create a new SecurityManager in EJBs 
EJB.STD - Ensure EJB beans include necessary methods and EJB bean and interface classes follow the name format 
EJB.TCE - Throw 'javax.ejb.CreateException' in create methods of remote home or local home interfaces 
EJB.TFE - Throw 'javax.ejb.FinderException' in finder methods of remote home or local home interfaces 
EJB.THISARG - Avoid passing the "this" reference as an argument 
EJB.THISRET - Do not return "this" 
EJB.THREAD - Avoid starting, stopping, or managing threads in any way in bean classes 
EJB.UCIC - Cache reusable JNDI resources to minimize the use of expensive operations 
EJB.USF - Use a Session Facade to manage access to entity beans 
EJB.UVO - Use Value Objects to reduce the granularity of calls to the server 
EXCEPT.AEFC - Do not abuse exceptions as flow control statements 
EXCEPT.AIOC - Do not use instanceof in a catch block to check the exception type 
EXCEPT.CATO - Catch all "Throwable" objects which may be thrown in the body of certain methods 
EXCEPT.CDUPL - Avoid catch clauses with the same content 
EXCEPT.CLFIN - Avoid using finally block for closing resource only 
EXCEPT.CTE - Always chain thrown exceptions 
EXCEPT.EPNFC - Do not throw exceptions from constructors of "public" non-"final" classes 
EXCEPT.HCB - Do not hide 'catch' blocks 
EXCEPT.IMMEX - Declare all fields of user-defined 'Exception' as "final" 
EXCEPT.MTE - Do not declare any thrown exceptions in the 'main()' method 
EXCEPT.NCERR - Do not catch the 'java.lang.Error' object 
EXCEPT.NCNPE - Do not catch 'NullPointerException' 
EXCEPT.NFE - Ensure that the 'parse' methods of the numeric classes do not throw unhandled "NumberFormatExceptions" 
EXCEPT.NTERR - Do not throw exception types which are too general or are unchecked exceptions 
EXCEPT.NTNPE - Do not throw 'NullPointerException' 
EXCEPT.RTERR - Rethrow certain exceptions if they are caught 
EXCEPT.TEFEC - Do not throw exceptions from the constructors of exception classes 
EXCEPT.TRY - Place "try/catch/finally" blocks outside of loops 
EXCEPT.TSCE - Exception messages must meet minimum character requirement 
FORMAT.APAREN - Use '()' to separate complex expressions 
FORMAT.ASPACE - Ensure proper spacing in array references 
FORMAT.ATS - Do not place empty whitespace at the end of a line 
FORMAT.BLBC - Put a blank line before each C-style comment 
FORMAT.BLCD - Enforce number of blank line(s) before type declarations 
FORMAT.BLSIM - Enforce number of blank line(s) to separate "imports" from different packages 
FORMAT.CBRACE - Place a closing brace on its own line 
FORMAT.CMS - Place a single space character or no space character after type casting 
FORMAT.DOT - Do not leave spaces between qualified names and method invocations 
FORMAT.DUT - Use spaces instead of tabs (or tabs instead of spaces) 
FORMAT.FCB - Enforce the position of '{' brace 
FORMAT.FCN - Place the type that has the same name as the file as the first type 
FORMAT.IAD - Declare arrays with '[]' brackets after the array type and before the variable name(s) 
FORMAT.IND - Enforce number of space(s) for indentation 
FORMAT.LL - Limit the maximum length of a line 
FORMAT.MO - Enforce the order of annotations and modifiers 
FORMAT.MSP - Place a single space character or no space character between a method name and the opening "(" parenthesis 
FORMAT.NSAB - Do not place statements on the same line as the '{' opening brace 
FORMAT.OSPL - Write one statement per line 
FORMAT.SAC - Enforce number of space character(s) after every comma 
FORMAT.SAOP - Enforce number of space character(s) on each side of an assignment operator 
FORMAT.SAP - Enforce number of space character(s) after the opening parenthesis "(" of a conditional statement 
FORMAT.SAS - Enforce number of space character(s) after every semicolon 
FORMAT.SAUOP - Enforce number of space character(s) between a prefixed unary operator and its operand 
FORMAT.SBOP - Enforce number of space character(s) on each side of a bitwise operator 
FORMAT.SBUOP - Enforce number of space character(s) between a postfixed unary operator and its operand 
FORMAT.SCOP - Enforce number of space character(s) before and after the "?" conditional operator 
FORMAT.SC - Enforce number of space character(s) between a conditional statement and the opening "(" parenthesis 
FORMAT.SLOP - Enforce number of space character(s) on each side of a logical operator 
FORMAT.SROP - Enforce number of space character(s) on each side of a relational operator 
FORMAT.TCOMMA - Avoid or enforce the use of trailing commas in array initializers 
FORMAT.TC - Avoid using trailing comments 
FORMAT.TE - Use the preferred formatting for conditional expressions 
FORMAT.TNL - Make sure all files are terminated with a newline character 
FORMAT.U2BL - Enforce number of blank line(s) between major sections 
FORMAT.UP - Avoid unnecessary parentheses 
GC.AUTP - Do not use unnecessary temporaries when converting primitive types to String 
GC.DUD - Avoid using 'Date[]', use 'long[]' instead 
GC.FCF - Call 'super.finalize()' from 'finalize()' 
GC.FM - Do not use 'finalize()' methods to unregister listeners 
GC.GCB - Reuse calls to 'getClipBounds()' 
GC.GC - Do not explicitly call 'System.gc()' or 'Runtime.gc()' 
GC.IFF - Call 'super.finalize()' in the "finally" block of 'finalize()' methods 
GC.MML - Be cautious when calling methods which may cause memory leaks 
GC.NCF - Do not call 'finalize()' explicitly 
GC.OSTM - Prevent potential memory leaks in ObjectOutputStreams by calling 'reset()' 
GC.RCO - Reuse immutable constant objects to conserve memory 
GC.STV - Avoid "static" collections or maps; they can grow without bounds 
HIBERNATE.CAR - Call 'addClass()' instead of 'addResource()' to add a mapping to a 'Configuration' 
HIBERNATE.CHS - Close Hibernate Sessions in "finally" blocks 
HIBERNATE.CSF - Close all 'SessionFactory' objects 
HIBERNATE.GSIM - Include getter and setter methods and an id field for any object mapped to a column in a database table 
HIBERNATE.IDC - Declare a no-argument constructor for Hibernate persistent classes 
HIBERNATE.LHII - Avoid logging sensitive Hibernate-related information at the 'info' level in 'log4j.properties' files 
HIBERNATE.OHCE - Override the 'equals' and 'hashCode' methods for mapped Hibernate objects 
HIBERNATE.PIDS - Declare the setter method for the Hibernate identifier 'private' 
HIBERNATE.RBT - Roll back any active transactions in 'catch' blocks 
HIBERNATE.SLM - Call 'setLockMode()' before executing a Hibernate Query 
HIBERNATE.UGNQ - Use mapped, named HQL queries instead of writing queries in Java code 
HIBERNATE.UNP - Use named parameters in HQL queries 
HIBERNATE.UPWD - Avoid storing unencrypted Hibernate usernames and passwords in 'web.xml' files 
INIT.AAI - Do not use array initializers 
INIT.AULI - Ensure that the "if" check for lazy initialization uses the correct operator 
INIT.CLIB - Do not put code other than initialization code in lazy initialization blocks 
INIT.DIA - Use diamond to invoke the constructor of a generic class 
INIT.IC - Do not use initialization circularities for fields 
INIT.LV - Initialize all local variables explicitly at the declaration statement 
INIT.NFS - Do not use non-final "static" fields during the initialization 
INIT.SFA - Do not initialize "static" "final" variables with non "final" "static" variables 
INIT.SF - Use explicit initializations/Do not initialize "static" fields to default values 
INIT.SICUI - Do not use a "static" initializer that creates an instance of the current class before all "static final" fields are assigned 
INTER.CCL - Provide 'Locale' argument when invoking 'String' conversion methods 
INTER.CLO - Do not use single characters with logic operators in an Internationalized environment 
INTER.COS - Do not use String concatenation in an Internationalized environment 
INTER.CTLC - Do not call 'Character.toLowerCase(char)' or 'Character.toUpperCase(char)' in an internationalized environment 
INTER.DTS - Do not call 'toString()' or 'String.valueOf()' on Date objects in an Internationalized environment 
INTER.ITT - Isolate translatable text in resource bundles in an Internationalized environment 
INTER.NCL - Use "static final" constants for single character literals in an Internationalized environment 
INTER.NTS - Do not call 'toString()' or 'String.valueOf()' on numeric values in an Internationalized environment 
INTER.PN - Do not call the 'parse' methods of the 'Number' types in an Internationalized environment 
INTER.SCT - Do not call 'String.compareTo()' in an Internationalized environment 
INTER.SDFL - Provide a 'Locale' argument when instantiating 'SimpleDateFormat' objects 
INTER.SEO - Avoid calling methods and constructors which do not allow you to specify a character encoding option 
INTER.SE - Do not call 'String.equals()' in an Internationalized environment 
INTER.SIO - Do not call 'String.indexOf()' or 'String.lastIndexOf()' in an Internationalized environment 
INTER.ST - Do not use 'StringTokenizer' in an Internationalized environment 
INTER.TTS - Do not call 'toString()' or 'String.valueOf()' on Time objects in an Internationalized environment 
INTER.UNLS - Avoid unnecessary "$NON-NLS" and "NOI18N" comments 
JAVADOC.BT - Avoid unsupported '@' tags and other tags that should not be used in Javadoc comments 
JAVADOC.CRN - Always include a description of whether or not a method can return null in the Javadoc 
JAVADOC.DPMT - Avoid unused Javadoc tags 
JAVADOC.ECTF - Enforce custom Javadoc tags for fields 
JAVADOC.ECTM - Enforce custom Javadoc tags for methods/annotation member types 
JAVADOC.ECTT - Enforce custom Javadoc tags for types 
JAVADOC.JNJD - Do not insert non-Javadoc comments between Javadoc comments and declarations 
JAVADOC.MAJDT - Use the '@author' Javadoc tag in declaration Javadoc comments 
JAVADOC.MDJT - Include a meaningful description in Javadoc tags 
JAVADOC.MISFORMAT - Avoid misformatted Javadoc tags 
JAVADOC.MRDC - Use the '@return' Javadoc tag in method Javadoc comments 
JAVADOC.MVJDT - Use the '@version' tag in type Javadoc comments 
JAVADOC.ORDER - Order Javadoc tags appropriately 
JAVADOC.PARAM - Use the '@param' Javadoc tag for each parameter of methods 
JAVADOC.PJDC - Provide Javadoc comments and descriptions for types 
JAVADOC.PJDF - Provide Javadoc comments and descriptions for fields 
JAVADOC.PJDM - Provide Javadoc comments and descriptions for methods 
JAVADOC.SINGLE - Enforce restraint on number of lines used for Javadoc comments 
JAVADOC.SMJT - Use the '@concurrency' Javadoc tag on "synchronized" methods and blocks 
JAVADOC.SPELL - Avoid misspelling words in Javadoc comments and string literals 
JAVADOC.SRRP - Specify 'RUNTIME' as the retention policy when using the '@Documented' annotation 
JAVADOC.THROW - Use the '@throws' or '@exception' Javadoc tag in methods 
JAVADOC.TSMJT - Provide a Javadoc comment for 'toString()' methods 
JAVADOC.TSOL - Ensure that certain Javadoc tags only span one line 
JAVADOC.VMCR - Avoid using the '@return' Javadoc tag on "void" methods 
JDBC.BRSA - Ensure index is valid in JDBC method invocation 
JDBC.CDBC - Close JDBC connections in "finally" blocks 
JDBC.COCO - Close JDBC objects in the correct order 
JDBC.DSLV - Reuse data sources for JDBC connections 
JDBC.ODBIL - Do not open or close JDBC connections in loops 
JDBC.RRWD - Close JDBC resources in "finally" blocks 
JDBC.SCSF - Do not store database connection objects in "static" fields 
JDBC.UDS - Use javax.sql.DataSource to get the database connection 
JDBC.UPSC - Use "PreparedStatements" correctly 
JDBC.URSF - Use instance of RowSetFactory to create a RowSet object 
JUNIT.AEAT - Use assertEquals instead of assertTrue 
JUNIT.AHLOD - Do not hard code the location to data used by a unit test 
JUNIT.ANAT - Use assertNull instead of assertTrue when checking null references 
JUNIT.ANBA - Avoid negating boolean parameters to assertTrue() or assertFalse() 
JUNIT.ASAT - Use assertSame instead of assertTrue when checking reference equality 
JUNIT.ASSERT - Include a message string in JUnit assertions 
JUNIT.AST - Do not include assertion statements in threads other than the main thread 
JUNIT.CBA - Avoid calling 'assert' methods in catch blocks 
JUNIT.CSUPER - Call the superclass' 'setUp' and 'tearDown' methods in the 'setUp' and 'tearDown' methods of JUnit test classes 
JUNIT.CSUTD - Ensure that 'setUp()' and 'tearDown()' methods are implemented correctly 
JUNIT.DIR - Place each test class in the same location as the class that it tests 
JUNIT.ETCTA - Avoid extending 'TestCase' in test classes which contain the '@Test' annotation 
JUNIT.FAIL - Use the fail() method instead of forcing a failed condition using the assertTrue(false) or assertFalse(true) method 
JUNIT.FICB - Do not invoke the 'fail()' method in a 'catch' block in a JUnit test method 
JUNIT.ISMTC - Do not implement the 'suite()' method in JUnit test classes 
JUNIT.MAIN - Ensure that JUnit classes have a main() allowing them to be executed in isolation 
JUNIT.OSIC - Do not use the constructor to set up test cases 
JUNIT.OSUM - Override the 'setUp()' method or define a '@Before' method 
JUNIT.OTDM - Override the 'tearDown()' method or define an '@After' method 
JUNIT.SIA - Ensure JUnit test cases include assertion methods 
JUNIT.SIFN - Set all fields which are initialized in the 'setUp()' method to "null" in the 'tearDown()' method 
JUNIT.SUITE - Make 'suite()' methods "public" and "static" 
JUNIT.TATC - Use '@Test' annotation instead of extending 'TestCase' 
JUNIT.TCWNT - Include at least one test method in each 'TestCase' class 
JUNIT.TEST - Make sure all methods have at least one JUnit test method 
JUNIT.UPJT - Include an appropriate Javadoc tag in the Javadoc for JUnit test methods 
JUNIT.UPSS - Use the correct signature for the 'suite()' method in JUnit test classes 
METRIC.CBO - Coupling Between Objects 
METRIC.CC - McCabe Cyclomatic Complexity 
METRIC.CLLOCRIF - Ratio of Comments to Number of Logical Lines in files 
METRIC.CLLOCRIM - Ratio of Comments to Number of Logical Lines in methods 
METRIC.CLLOCRIT - Ratio of Comments to Number of Logical Lines in types 
METRIC.DIF - Nested If Statements 
METRIC.ECC - Essential Cyclomatic Complexity 
METRIC.FO - Fan Out 
METRIC.HDIFM - Halstead Difficulty 
METRIC.HEFM - Halstead Effort 
METRIC.HICM - Halstead Intelligent Content 
METRIC.HLENM - Halstead Program Length 
METRIC.HLEVM - Halstead Program Level 
METRIC.HNOBM - Halstead Number of Bugs 
METRIC.HTTPM - Halstead Time to Program 
METRIC.HVOCM - Halstead Program Vocabulary 
METRIC.HVOLM - Halstead Program Volume 
METRIC.IDOC - Inheritance Depth of Class 
METRIC.LCOM - Lack of Cohesion 
METRIC.MCC - Modified Cyclomatic Complexity 
METRIC.MI - Maintainability Index 
METRIC.NBD - Nested Blocks Depth 
METRIC.NOBLIF - Number of Blank Lines in Files 
METRIC.NOBLIM - Number of Blank Lines in Methods 
METRIC.NOBLIT - Number of Blank Lines in Types 
METRIC.NOCLIF - Number of Comment Lines in Files 
METRIC.NOCLIM - Number of Comment Lines in Methods 
METRIC.NOCLIT - Number of Comment Lines in Types 
METRIC.NOC - Number of Classes 
METRIC.NOF - Number of Files 
METRIC.NOLLOCIF - Number of Logical Lines in Files 
METRIC.NOLLOCIM - Number of Logical Lines in Methods 
METRIC.NOLLOCIT - Number of Logical Lines in Types 
METRIC.NOMIT - Number of Methods in Types 
METRIC.NOPAR - Number of Parameters of Methods 
METRIC.NOPLIF - Number of Physical Lines in Files 
METRIC.NOPLIM - Number of Physical Lines in Methods 
METRIC.NOPLIT - Number of Physical Lines in Types 
METRIC.NOPRIVMIT - Number of Private Members of Types 
METRIC.NOPROTMIT - Number of Protected Members of Types 
METRIC.NOPUBMIT - Number of Public Members of Types 
METRIC.NORET - Number of Returns in Methods 
METRIC.NOSLIF - Number of Source Lines in Files 
METRIC.NOSLIM - Number of Source Lines in Methods 
METRIC.NOSLIT - Number of Source Lines in Types 
METRIC.NOT - Number of Types 
METRIC.RFC - Response for Class 
METRIC.SCC - Strict Cyclomatic Complexity 
METRICS.CTNL - DEPRECATED: Number of lines in "class" or "interface" 
METRICS.ECLM - DEPRECATED: Number of statement lines in a method 
METRICS.ECLT - DEPRECATED: Number of statement lines in a "class" or "interface" 
METRICS.ID - DEPRECATED: "class" or "interface" inheritance level 
METRICS.NOFT - DEPRECATED: Number of fields 
METRICS.NOMCML - DEPRECATED: Number of comment lines in a method 
METRICS.NOM - DEPRECATED: Number of methods 
METRICS.NOTCML - DEPRECATED: Number of comment lines in a "class" or "interface" 
METRICS.NPKGF - DEPRECATED: Number of package-private fields 
METRICS.NPKGM - DEPRECATED: Number of package-private methods 
METRICS.NPRIF - DEPRECATED: Number of "private" fields 
METRICS.NPRIM - DEPRECATED: Number of "private" methods 
METRICS.NPROF - DEPRECATED: Number of "protected" fields 
METRICS.NPROM - DEPRECATED: Number of "protected" methods 
METRICS.NPUBF - DEPRECATED: Number of "public" fields 
METRICS.NPUBM - DEPRECATED: Number of "public" methods 
METRICS.NSTMT - DEPRECATED: Number of statements in a method 
METRICS.PAR - DEPRECATED: Number of parameters 
METRICS.PJDC - DEPRECATED: Percentage of Javadoc comments (%) 
METRICS.TNLM - DEPRECATED: Number of lines in a method 
METRICS.TNMC - DEPRECATED: Number of method calls 
METRICS.TRET - DEPRECATED: Number of "return" statements 
METRICS.VG - DEPRECATED: Cyclomatic Complexity 
METRIC.WMC - Weighted Methods of Class 
MOBILE.ACFM - Avoid accessing same fields and methods multiple times 
MOBILE.AMA - Avoid using 'getter' and 'setter' methods 
MOBILE.ANDROID.AOSM - Always override 'onSaveInstanceState()' 
MOBILE.ANDROID.WUP - Make sure that widgets aren't updated too often 
MOBILE.APTA - Avoid using array of primtive wrapper objects 
MOBILE.AUEF - Avoid using enhanced "for" loop to walk through a "java.lang.Iterable" object 
MOBILE.AUI - Avoid declaring "interface" types 
MOBILE.DARRAY - Avoid multiple dimension arrays 
MOBILE.ENUM - Avoid using enums 
MOBILE.FLOATER - Avoid using floats 
MOBILE.J2ME.ACII - Do not use anonymous classes as interface implementors 
MOBILE.J2ME.ARLL - Do not use an array length in a loop condition expression 
MOBILE.J2ME.CIPA - Avoid constant initializations of primitive arrays that exceed a certain size 
MOBILE.J2ME.EAOF - Do not access a field excessively 
MOBILE.J2ME.EURP - Ensure methods use return parameters instead of returning new objects 
MOBILE.J2ME.OOME - Catch 'OutOfMemoryError' for large array allocations 
NAMING.ANNS - Follow class name conventions defined for annotations 
NAMING.CVN - Use conventional variable names 
NAMING.DJLO - Do not declare types with the same name as types in the Java platform 
NAMING.DSN - Avoid using dollar signs in names 
NAMING.ECN - Ensure class names reflect classes which they extend 
NAMING.EXTENDS - Follow class name conventions defined for base classes 
NAMING.GETA - Follow a naming convention for getter methods 
NAMING.GETB - Follow a naming convention for "boolean" getter methods 
NAMING.ID - Avoid using potential Java keywords as identifiers 
NAMING.IFV - Use all uppercase letters for the names of fields in an "interface" 
NAMING.IMPLS - Follow class name conventions defined for implemented interfaces 
NAMING.IRB - Use 'is...' only for naming methods that return a "boolean" 
NAMING.LLI - Follow limits for the lengths of type, method, field, parameter, and variable names 
NAMING.NACL - Use a naming convention for "abstract" classes 
NAMING.NAC - Use a naming convention for array and collection variables 
NAMING.NA - Use a naming convention for annotations 
NAMING.NCL - Use a naming convention for classes 
NAMING.NENUM - Use a naming convention for enum type declarations 
NAMING.NE - Use a naming convention for exceptions 
NAMING.NFL - Use a naming convention for "final" local variables 
NAMING.NIF - Use a naming convention for non-"static" fields 
NAMING.NITF - Use a naming convention for interfaces 
NAMING.NLV - Use a naming convention for local variables 
NAMING.NMP - Use a naming convention for method parameters 
NAMING.NM - Use a naming convention for non-"static" methods 
NAMING.NPH - Use a naming convention for type parameters 
NAMING.NSF - Use a naming convention for non-"final" "static" fields 
NAMING.NSM - Use a naming convention for "static" methods 
NAMING.NTEST - Use a naming convention for JUnit test classes 
NAMING.PKG - Use a naming convention for "package" names 
NAMING.RPKG - Do not use a package name that is reserved by Sun 
NAMING.SETA - Follow a naming convention for setter methods 
NAMING.SINGLETON - Use a naming convention for singleton classes 
NAMING.THAC - Use a naming convention for tag handlers and associated classes 
NAMING.UHN - Use Hungarian notation for variables 
NAMING.USF - Do not use lowercase letters in "final" "static" field names 
NAMING.UUVN - Do not use variable names which differ only in case 
OOP.ACECC - Do not extend concrete classes in "abstract" classes 
OOP.ACST - Avoid casts to types which are more specific than necessary 
OOP.AF - Avoid "public"/"protected"/package-private fields 
OOP.AHF - Do not hide inherited fields 
OOP.AHSM - Do not hide inherited "static" member methods 
OOP.AOA - Add the "@Override" annotation to overriding methods 
OOP.AOCM - Always override certain methods when extending certain types 
OOP.ASFI - Redeclare a class with only "abstract" methods and "static final" fields as an "interface" 
OOP.AUASI - Do not implement or extend annotations 
OOP.AUO - Do not use an object to access "static" fields or methods 
OOP.CIMOM - Do not declare a method in an interface which conflicts with a 'protected' method of 'Object' 
OOP.CQS - Ensure methods are either a command(change state) or a query(get state) 
OOP.HIF - Do not hide fields and local variables declared in enclosing scopes 
OOP.HMF - Do not give method local variables and parameters the same name as class fields 
OOP.ICIF - Avoid inner classes in interfaces 
OOP.IDOM - Avoid declaring methods inherited from class "Object" in an interface 
OOP.IIAC - Avoid implementing interfaces only to access constants 
OOP.IIN - Implement interface methods non-trivially or declare them "abstract" 
OOP.INSOF - Use "instanceof" only on interfaces 
OOP.LEVEL - Avoid more than two levels of nested inner classes 
OOP.MFP - Give "finalize()" methods "protected" access 
OOP.MI - Avoid interfaces with no fields or methods (marker interfaces) 
OOP.MUCOP - Provide mutable classes with copy functionality 
OOP.NAM - Avoid "abstract" classes without "abstract" methods 
OOP.NOMA - Declare methods in "abstract" classes with empty bodies "abstract" 
OOP.NPAC - Do not declare "public" or package-private constructors in "abstract" classes 
OOP.OPM - Do not override an instance "private" method 
OOP.PIFC - Do not use "protected" access for members of "final" classes 
OOP.PMPC - Ensure 'public' classes have at least one 'public' or 'protected' member 
OOP.PSDF - Do not declare "private" or "static" methods as "final" 
OOP.RI - Do not declare a class as implementing an interface if a superclass already implements that interface 
OOP.RSFC - Avoid referencing a class' subclasses from itself 
OOP.SNGL - Use a naming convention for singleton classes 
OOP.SVHM - Specify which version of potentially ambiguous methods you wish to call for method calls in inner classes 
OOP.THRECL - Use getContextClassLoader() instead of getClassLoader() 
OPT.AAM - Change non-"private" members to "private" in anonymous classes 
OPT.AAS - Use abbreviated assignment operators 
OPT.ACDO - Do not use the 'new String(String)' constructor 
OPT.AGC - Do not get the 'Class' object through new object instantiation 
OPT.ANIPW - Avoid new instantiations of primitive wrapper objects, whose values are cached 
OPT.AUMO - Avoid unnecessary Map operations 
OPT.BR - Simplify "boolean" returns 
OPT.CCR - Close all "java.io.Closeable" resources in a "finally" block 
OPT.CEIL - Avoid putting constant expressions inside loops 
OPT.CEL - Do not call methods in loop condition statements 
OPT.CIO - Close input and output resources in "finally" blocks 
OPT.CLL - Check the logging level before calling potentially expensive logging operations 
OPT.CPTS - Do not convert a value to a String by concatenating the empty String 
OPT.CRSG - Avoid duplicate calls to the "get" methods of "ResultSet" 
OPT.CRWD - Close resources as early as possible 
OPT.CTLV - Do not use a "private" field that is accessed in only one method; change it to a local variable 
OPT.DIC - Define initial capacities for 'ArrayList', 'HashMap', 'HashSet', 'Hashtable', 'Vector' and 'WeakHashMap' 
OPT.EES - Use 'String.length() == 0' instead of 'String.equals("")' 
OPT.EIC - Use 'equalsIgnoreCase()' instead of calls to 'toLowerCase()' or 'toUpperCase()' 
OPT.EOIL - Avoid calling expensive operations in the body of a loop 
OPT.ICDPC - When calling "Math.ceil()", do not pass in an integer that has been cast to a floating point type 
OPT.ICGA - Avoid accessing members which will require synthetic accessor methods 
OPT.ILUG - Do not iterate through Lists using the 'get()' method 
OPT.IRB - Use 'System.arraycopy()' instead of using a loop to copy arrays 
OPT.ISC - Do not instantiate a class which contains only static fields and methods 
OPT.LIOL - Move invariants outside of loops wherever possible 
OPT.LOOP - Do not instantiate variables in a loop body 
OPT.MAF - Make getter and setter methods for instance fields "final" 
OPT.MUNC - Avoid unnecessary comparisons to "null" 
OPT.NCIO - Avoid 'null' check before 'instanceof' 
OPT.NIVND - Use the 'nextInt()' method to generate a random integer 
OPT.NIW - Avoid creating new instances of BigInteger and BigDecimal 
OPT.NSF - Declare "final" fields with a known compile time value as "static" 
OPT.PCTS - Use 'charAt()' instead of 'startsWith()' for one character comparisons 
OPT.PRIM - Do not instantiate the wrapper classes for primitive types 
OPT.SBL - Avoid converting StringBuffer or StringBuilder to String to check length 
OPT.SBS - Use 'StringBuilder' instead of 'StringBuffer' when synchronization is not required 
OPT.SB - Specify an initial 'StringBuffer' capacity 
OPT.SDLS - Avoid using synchronized data structures for local variables 
OPT.SI - Declare member classes "static" if possible 
OPT.SRA - Avoid using 'String.replaceAll()' with literal values 
OPT.STCA - Do not call ''String.toCharArray()'' unnecessarily 
OPT.STRBUF - Simplify methods that return strings that are always concatenated 
OPT.STR - Use single quotes instead of double quotes for single character string concatenation 
OPT.STS - Avoid unnecessary calls to 'String' methods 
OPT.SWIF - Avoid use of if statements if they can be replaced with switch statements 
OPT.SYN - Do not call a synchronized method inside of a loop 
OPT.TOARRAY - Use collection size for target array in 'toArray()' 
OPT.UEQ - Do not compare boolean variables with "true" 
OPT.UISO - Avoid unnecessary "instanceof" evaluations 
OPT.UMATH - Do not call the methods from 'java.lang.Math' if the result is a constant which can be easily determined 
OPT.UNC - Avoid unnecessary casting 
OPT.USB - Use 'StringBuffer' instead of 'String' when concatenating strings 
OPT.USCL - Avoid questionable uses of non-short-circuit logic 
OPT.USC - Use 'String' instead of 'StringBuffer' for constant strings 
OPT.USV - Use 'stack' variables whenever possible 
PB.API.AECC - Avoid extending certain classes (custom rule) 
PB.API.APPG - Avoid 'put, 'putAll' and 'get' methods of 'java.util.Properties' objects 
PB.API.APT - Avoid using certain packages or types 
PB.API.CMMT - Ensure that the types passed to "Collection" and "Map" methods match the types in those data structures 
PB.API.DANNOT - Add the "@Deprecated" annotation to the declarations of deprecated members 
PB.API.DNCSS - Do not call 'setSize()' in 'ComponentListener.componentResized()' 
PB.API.DPRAPI - Do not use deprecated APIs 
PB.API.ECMC - Do not extend "Collection" and "Map" classes 
PB.API.EHM - Do not extend 'java.util.HashMap' or 'java.util.Hashtable' 
PB.API.EJF - Do not create an empty JarFile entry or an empty ZipFile entry 
PB.API.EQNL - Avoid calling 'equals(null)' 
PB.API.HNCN - Do not call the 'next' method from the 'hasNext' method of an Iterator 
PB.API.IUMS - Do not use "URL" objects in "Collections" or "Maps" 
PB.API.KOEH - Ensure that all types which are used as keys in Sets and Maps override the 'equals()' and 'hashCode()' methods 
PB.API.MASP - Assign "protected" accessibility to 'readResolve()' and 'writeReplace()' methods in serializable classes 
PB.API.MOHK - Avoid using objects with dangerous implementations of 'equals()' or 'hashCode()' as keys in hashed data structures 
PB.API.NDC - Do not define direct or indirect subclasses of 'Error' and 'Throwable' 
PB.API.OF - Do not overload the 'finalize()' method 
PB.API.REP - Avoid using "." as a regular expression in 'String.replaceAll()' and 'String.replaceFirst()' 
PB.API.SBCC - Do not pass a 'char' to the 'StringBuffer(int)' constructor 
PB.API.UNI - Avoid improper casting of the results of the 'next' methods in the 'java.util.Random' class 
PB.API.URL - Avoid using the 'equals()' and 'hashCode()' methods of "java.net.URL" 
PB.API.VAFS - Ensure the correct number of arguments for varargs methods with format strings 
PB.API.VENDOR - Update values which may be using to compare with vendor properties 
PB.CLOSE - Unrestricted lock resource 
PB.CUB.ADE - Avoid dangling "else" statements 
PB.CUB.AIPQ - Avoid using 'iterator()' with PriorityQueue and PriorityBlockingQueue 
PB.CUB.AMCO - Avoid using multiple '!' or '~' unary operators 
PB.CUB.APAM - Avoid passing arrays as arguments to methods that take non-array parameters 
PB.CUB.ARCF - Avoid using 'return's inside 'finally blocks if thare are other 'return's inside the try-catch block 
PB.CUB.ATSF - Do not exit "finally" blocks abruptly 
PB.CUB.AWP - Avoid confusing assignments to constructor arguments 
PB.CUB.CILB - Do not put code other than logging code inside logging blocks 
PB.CUB.CNVC - Avoid improper concatenation of characters with numbers 
PB.CUB.CTOR - Do not call non-"final", non-"static" and non-"private" methods from constructors 
PB.CUB.CWRITE - Avoid usage of File.canWrite() method because it may returns true even if directory is not writable 
PB.CUB.DCP - Do not use the "+" string concatenation operator to concatenate numbers; use it only to add numbers 
PB.CUB.EBI - Avoid erroneously placing statements outside blocks 
PB.CUB.EOOM - Avoid errors in overriding methods of "java.lang.Object" 
PB.CUB.FLVA - Do not assign loop control variables in the body of a "for" loop 
PB.CUB.IMC - Ensure overriding methods are not unintended covariants due to parameter type differences 
PB.CUB.IMM - Ensure "static" "final" fields are immutable 
PB.CUB.ISF - Inspect "private" "static" fields which may have mistakenly been declared "static" 
PB.CUB.MAIN - Use the method name 'main()' only for the entry point method 
PB.CUB.OE - Avoid suspicious octal escapes 
PB.CUB.OSM - Ensure overloaded methods in superclass are overridden when overriding a method in subclass 
PB.CUB.OVAM - Avoid overloading varargs methods 
PB.CUB.PSFA - Avoid using "public static final" array fields 
PB.CUB.RMO - Avoid referencing mutable fields 
PB.CUB.SAC - Do not use "char" arrays in "String" concatenations 
PB.CUB.SBC - Do not use a "switch" statement with a bad "case" 
PB.CUB.SRAD - Specify @Retention for annotation type declarations 
PB.CUB.STRCC - Parenthesize complex expressions in 'print()' or 'println()' statements 
PB.CUB.TOCTOU - Avoid Time-of-check Time-of-use (TOCTOU) Race Condition 
PB.CUB.TOS - Avoid invoking 'toString()' on array variables 
PB.CUB.TVOM - Avoid type variable parameters when calling overloaded methods 
PB.CUB.UEIC - Do not use '==' or '!=' to compare objects 
PB.EAR - Ensure that non-"void" methods have a return value other than empty arrays and "null" 
PB.LOGIC.AIL - Avoid infinite loops 
PB.LOGIC.AMOI - Avoid using the wrong index variable to access an array or List element 
PB.LOGIC.AOBO - Avoid off-by-one errors in loop conditions 
PB.LOGIC.AULV - Avoid loop variables which are not used in the condition of the loop 
PB.LOGIC.CPI - Do not check whether the result of "String.indexOf()" is positive or non-positive 
PB.LOGIC.CRRV - Check the return value of methods which read or skip input 
PB.LOGIC.DJNCR - Do not discard the result of a call to "readLine()" after checking that the return value is non-null 
PB.LOGIC.EQLC - Use 'getClass()' or "instanceof" within 'equals()' and 'compareTo()' method implementations 
PB.LOGIC.EQUS - Do not call 'equals()' methods that always return false 
PB.LOGIC.ESO - Avoid calling 'equals()' with same object 
PB.LOGIC.FLRC - Avoid infinite recursive method calls 
PB.LOGIC.INDEX - Avoid bugs in the usage of loop variables 
PB.LOGIC.JI - Do not increment or decrement on the same variable over multiple nested "for" loop statements 
PB.LOGIC.LLM - Ensure that the logging level checked matches the level of the called logging method 
PB.LOGIC.OAMC - Ensure that the objects used within a loop's condition are properly accessed within the loop's body 
PB.LOGIC.OOR - Avoid out of range comparisons 
PB.LOGIC.ROM - Make sure that methods are invoked on the correct object 
PB.LOGIC.SG - Ensure get/set methods are accessing the correct variables 
PB.NAECS - Include a 'case' statement for each constant of an 'enum' type in 'switch' statements 
PB.NUM.AIC - Avoid implicit casts from integer data types to floating point data types 
PB.NUM.BBDCC - Do not pass floating point values to the 'BigDecimal' constructor 
PB.NUM.BSA - Do not use an integer outside the range of [0, 31] as the amount of a shift 
PB.NUM.CACO - Avoid using compound assignment operators in cases which may cause overflow 
PB.NUM.CLP - Do not cast primitive data types to lower precision 
PB.NUM.CMP - Don't use subtraction in this method 
PB.NUM.DCF - Do not compare floating point types 
PB.NUM.FPLI - Do not use floating point variables as loop indices 
PB.NUM.ICO - Avoid calculations which result in overflow or NaN 
PB.NUM.IDCD - Do not assign the result of an integer division to a floating point variable 
PB.NUM.IMOF - Avoid casting the result of an integer multiplication to "long" 
PB.NUM.IOF - Use unsigned right shift instead of division when overflow is possible 
PB.NUM.NAN - Avoid comparisons to Double.NaN or Float.NaN 
PB.NUM.NIA - Do not initialize array dimensions with negative numbers 
PB.NUM.UBD - Do not use "float" and "double" if exact answers are required 
PB.NUM.UCM - Avoid passing integer values to 'Math.round()' 
PB.OCSF - Ensure that exactly one type has the same name as the file name 
PB.PCSF - Ensure that the type that has the same name as the file is declared "public" 
PB.PDCL - Place "default" as the last case of the "switch" statement 
PB.PDS - Provide "default:" for each "switch" statement 
PB.RE.ACTI - Do not add a collection to itself 
PB.RE.AMFSL - Avoid modifying fixed-size Collections 
PB.RE.AQA - Avoid calling the 'add()' method of a Queue 
PB.RE.ASE - Avoid possible ArrayStoreExceptions 
PB.RE.CAI - Always check parameters before use in array access 
PB.RE.CIOR - Check the return value of calls to 'String.indexOf()' before passing this value to other "String" methods 
PB.RE.CTNSE - Ensure 'Iterator.next()' method implementations throw 'NoSuchElementException' 
PB.RE.IDRL - Check whether or not "readLine()" returned null before dereferencing the return value 
PB.RE.IIAE - Make sure the IllegalArgumentException message matches the code logic 
PB.RE.IOSS - Use the "fromIndex" argument of 'indexOf()' when necessary 
PB.RE.ISEM - Do not call 'String.equals(constant)' or 'String.equalsIgnoreCase(constant)' 
PB.RE.JLAY - Avoid using methods add() from JLayer class 
PB.RE.NCMD - Ensure that dereferenced variables match variables which were previously checked for "null" 
PB.RE.NXRE - Do not define direct or indirect subclasses of 'RuntimeException' 
PB.RE.PNPD - Avoid dereferencing null objects 
PB.RE.RCODE - When used HttpURLConnection always check return value from the getResponseCode() methods before call getInputStream() 
PB.RE.VRNULL - Avoid methods returning "null" value 
PB.TYPO.AECB - Avoid "try", "catch" and "finally" blocks with empty bodies 
PB.TYPO.ASI - Avoid assignment within a condition 
PB.TYPO.BW - Avoid unnecessary self computation 
PB.TYPO.CSI - Ensure that the correct "super" method is invoked 
PB.TYPO.DAV - Avoid assigning same variable in the fall-through switch case 
PB.TYPO.EB - Avoid control statements with empty bodies 
PB.TYPO.IMO - Ensure the overriding method name does not have a typo 
PB.TYPO.NAMING - Do not give methods and fields the same name as the enclosing class or each other 
PB.TYPO.RSK - Avoid having more than one "getter" or "setter" method for the same field 
PB.TYPO.TLS - Ensure "switch" statements do not contain typos 
PB.TYPO.UOL - Do not use octal integer literals 
PB.TYPO.WT - Ensure that arguments passed to Java wrapper classes do not contain typos 
PB.USC.AES - Avoid empty statements 
PB.USC.CC - Avoid conditional expressions that always evaluate to a constant value 
PB.USC.EC - Avoid empty classes 
PB.USC.EPC - Do not define empty "public" constructors in classes with no other constructors 
PB.USC.NACC - Avoid classes with no accessible members 
PB.USC.NASSIG - Ensure method and constructor return values are used 
PB.USC.OI - Avoid increment and decrement statements which have no effect 
PB.USC.RTE - Do not catch exceptions only to rethrow them 
PB.USC.SAFL - Avoid self assignments/initializations to fields and/or local variables 
PB.USC.UIF - Avoid unreachable "else if" and "else" cases 
PB.USC.UNARY - Do not use the unary operator '+' 
PORT.CTSP - Avoid calling 'Thread.setPriority()' 
PORT.DNHCP - Do not hard code an absolute pathname when calling a constructor from the 'File' class 
PORT.ENV - Do not use the non-portable 'System.getenv()' method 
PORT.EXEC - Do not use 'Runtime.exec()' 
PORT.HCNA - Do not hard-code IP addresses and port numbers 
PORT.LNSP - Do not hard code '\n' or '\r' as a line separator 
PORT.NATV - Do not use user-defined "native" methods 
PORT.PEER - Do not use "java.awt.peer.*" interfaces directly 
PORT.PSC - Use "File.pathSeparator" or "File.pathSeparatorChar" instead of the corresponding literals 
PROPS.BSPV - Avoid adding extra white spaces to the end of property values 
PROPS.DUPN - Avoid duplicated property names 
PROPS.DUPV - Avoid duplicated property values 
PROPS.EMN - Avoid empty property names 
PROPS.EMV - Avoid empty property values 
PROPS.EQOP - Always use the '=' operator 
PROPS.FM - Follow the limit for number of property entries 
PROPS.HCLS - Avoid hard-coded line separators in property values 
PROPS.IARG - Avoid misusing arguments in property values 
PROPS.ICK - Avoid incomplete property entries 
PROPS.IVCC - Avoid misusing the line continuation character '\' 
PROPS.MENTRY - Avoid unmatched property entries in resources with different locales 
PROPS.MLN - Avoid splitting property names into multiple lines 
PROPS.NAME - Use a naming convention for property names 
PROPS.PLAIN - Password information should not be included in properties file in plaintext 
PROPS.SPELL - Avoid misspelling words in comments and property values 
PROPS.TENTRY - Ensure that property entries are localized correctly 
SECURITY.BV.ACL - Do not access the class loader in a web component 
SECURITY.BV.ADT - Inspect usage of 'Date', 'Time' objects and 'System.currentTimeMillis()' method invocations 
SECURITY.BV.AUG - Inspect usage of 'getName()' from 'java.lang.Class' object 
SECURITY.BV.CQRO - Use "read-only" AccessMode for Castor queries 
SECURITY.BV.DSSM - Do not set custom security managers outside of the 'main' method 
SECURITY.BV.ENFL - Ensure all sensitive method invocations are logged 
SECURITY.BV.NSF - Do not call 'Socket.setSocketImplFactory()' or 'URL.setURLStreamHandlerFactory()' in a web component 
SECURITY.BV.PCFM - Wrap "privileged" method invocations in "final" methods 
SECURITY.BV.PCPM - Wrap "privileged" method invocations in "private" methods 
SECURITY.BV.PDLC - Avoid using dynamically loaded classes in "privileged" code blocks 
SECURITY.BV.SYSP - Do not access or set System properties 
SECURITY.DRC.THR - Do not use threads in web components 
SECURITY.EAB.ACWC - Avoid calling specified methods from web components and EJBs 
SECURITY.EAB.AWT - Do not use AWT classes in Web components 
SECURITY.EAB.CBA - Do not pass byte arrays to ObjectOutputStream in the 'writeObject()' method 
SECURITY.EAB.CMP - Do not compare Class objects by name 
SECURITY.EAB.CPCL - Enforce returning a defensive copy in 'clone()' methods 
SECURITY.EAB.JVM - Do not stop the JVM in a web component 
SECURITY.EAB.LDP - Limit the number of "AccessController.doPrivileged" calls per class 
SECURITY.EAB.MPT - Do not pass user-given mutable objects directly to certain types 
SECURITY.EAB.OROM - Implement 'readObject()' and 'writeObject()' for all 'Serializable' classes 
SECURITY.EAB.PCL - Limit the number of lines in "privileged" code blocks 
SECURITY.EAB.SF - Do not declare "static" fields in web components 
SECURITY.EAB.SIS - Do not change the input streams of 'java.lang.System' in a web component 
SECURITY.EAB.SMO - Do not store user-given mutable objects directly into variables 
SECURITY.EAB.SPFF - Inspect 'static' fields which may have intended to be declared 'static final' 
SECURITY.ESD.ACW - Avoid writing to Consoles 
SECURITY.ESD.CONSEN - Do not log confidential or sensitive information 
SECURITY.ESD.CSD - Clear sensitive data after use 
SECURITY.ESD.PEO - Do not pass exception messages into output in order to prevent the application from leaking sensitive information 
SECURITY.ESD.PLC - Avoid storing sensitive data in plaintext in a cookie 
SECURITY.ESD.RA - Avoid methods that might expose internal representations by returning arrays or other mutable fields 
SECURITY.ESD.SDM - Store sensitive data in mutable objects 
SECURITY.ESD.SIF - Inspect instance fields of serializable objects to make sure they will not expose sensitive information 
SECURITY.ESD.SIO - Avoid calling print methods of 'System.err' or 'System.out' 
SECURITY.ESD.SNFD - Do not expose data with a 'FileNotFound' exception 
SECURITY.ESD.SPI - Do not interrogate or modify security policy information in a web component 
SECURITY.ESD.TFP - Declare "transient" fields "private" 
SECURITY.ESD.TSPF - Avoid "transient" fields in serialPersistentFields array
SECURITY.IBA.AEAF - Do not extend from the Struts classes 'ActionForm' and 'DynaActionForm' 
SECURITY.IBA.ATF - Avoid temporary files 
SECURITY.IBA.AUSS - Avoid using "SELECT *" in SQL queries 
SECURITY.IBA.CDBV - Canonicalize all data before validation 
SECURITY.IBA.CSVFV - Always call 'super.validate()' from validation methods in 'ActionForm' classes 
SECURITY.IBA.EDPM - Encapsulate constructor arguments with a validation function 
SECURITY.IBA.NATIW - Use wrapper methods to secure native methods 
SECURITY.IBA.UPS - Use 'prepareCall' or 'prepareStatement' instead of 'createStatement' 
SECURITY.IBA.VRD - Encapsulate all redirect and forward URLs with a validation function 
SECURITY.IBA.XPIJ - Avoid XPath injection when evaluating XPath queries 
SECURITY.UEC.ADS - Ensure that 'axis.development.system' is set to "false" in Axis 'server-config.wsdd' files 
SECURITY.UEC.AELQ - Ensure that 'axis.enableListQuery' is set to "false" in Axis 'server-config.wsdd' files 
SECURITY.UEC.DSL - Ensure that 'axis.disableServiceList' is set to "true" in Axis 'server-config.wsdd' files 
SECURITY.UEC.DSR - Avoid defining multiple security roles with the same name in 'web.xml' files 
SECURITY.UEC.EDAR - Ensure that the 'Encrypt' directive is specified for each 'items' tag in Axis2 configuration files 
SECURITY.UEC.FMCD - Ensure that each filter mapped in a 'web.xml' file has a corresponding definition 
SECURITY.UEC.HTTPS - Use 'https' instead of 'http' for the 'transportReceiver' and 'transportSender' in 'axis2.xml' configuration files 
SECURITY.UEC.ISOS - Ensure that 'InflowSecurity' and 'OutflowSecurity' parameters are specified in Axis2 configuration files 
SECURITY.UEC.LCA - Include an appropriate '<login-config>' element to specify the type of authentication to be performed in 'web.xml' files 
SECURITY.UEC.PCCF - Avoid storing usernames and passwords in plain text in Castor 'jdo-conf.xml' files 
SECURITY.UEC.PTPT - Avoid using plain text passwords in Axis 'wsdd' files 
SECURITY.UEC.PWDPROP - Ensure that passwords are not stored as plaintext and are sufficiently long 
SECURITY.UEC.PWDXML - Ensure that passwords are not stored as plaintext and are sufficiently long 
SECURITY.UEC.RAJ - Restrict access to JSPs in 'web.xml' files by including a security constraint for '*.jsp' files 
SECURITY.UEC.REST - Ensure that "REST" is disabled in 'axis2.xml' configuration files 
SECURITY.UEC.SDAR - Ensure that the 'Signature' directive is specified for each 'items' tag in Axis2 configuration files 
SECURITY.UEC.SEP - Always specify error pages in web.xml 
SECURITY.UEC.SLID - Ensure Session-ID Length is sufficient 
SECURITY.UEC.SMM - Avoid using the SOAP Monitor module 
SECURITY.UEC.SRCD - Ensure that each security role referenced in a 'web.xml' file has a corresponding definition 
SECURITY.UEC.TDAR - Ensure that the 'Timestamp' directive is specified for each 'items' tag in Axis2 configuration files 
SECURITY.UEC.UDC - Ensure that all constrained resources are protected with a '<user-data-constraint>' element in 'web.xml' files 
SECURITY.UEC.UTAX - Avoid using plain text passwords in Axis2 configuration files 
SECURITY.UEC.WCMC - Ensure SOAP messages are encrypted in WebSphere 'ibm-webservicesclient-ext.xmi' files 
SECURITY.UEC.WCMI - Ensure SOAP messages are digitally signed in WebSphere 'ibm-webservicesclient-ext.xmi' files 
SECURITY.UEC.WCMT - Avoid misconfiguring timestamps in WebSphere 'ibm-webservicesclient-ext.xmi' files 
SECURITY.UEC.WCMWS - Ensure WS-Security is enabled in WebSphere 'ibm-webservicesclient-ext.xmi' files 
SECURITY.UEC.WCPWD - Avoid unencrypted passwords in WebSphere 'ibm-webservicesclient-ext.xmi' files 
SECURITY.UEC.WCUTS - Avoid unsigned timestamps in WebSphere 'ibm-webservicesclient-ext.xmi' files 
SECURITY.UEC.WELC - Ensure all web content directories have a "welcome file" 
SECURITY.UEC.WMC - Ensure SOAP messages are encrypted in WebSphere 'ibm-webservices-ext.xmi' files 
SECURITY.UEC.WMI - Ensure SOAP messages are digitally signed in WebSphere 'ibm-webservices-ext.xmi' files 
SECURITY.UEC.WMT - Avoid misconfiguring timestamps in WebSphere 'ibm-webservices-ext.xmi' files 
SECURITY.UEC.WMWS - Ensure WS-Security is enabled in WebSphere 'ibm-webservices-ext.xmi' files 
SECURITY.UEC.WPWD - Avoid unencrypted passwords in WebSphere 'ibm-webservices-ext.xmi' files 
SECURITY.UEC.WSS - Ensure that the Rampart WS-Security module is enabled in Axis2 configuration files 
SECURITY.UEC.WUTS - Avoid unsigned timestamps in WebSphere 'ibm-webservices-ext.xmi' files 
SECURITY.UEHL.LGE - Ensure all exceptions are either logged with a standard logger or rethrown 
SECURITY.WSC.ACDP - Avoid using anonymous "privileged" classes when invoking "AccessController.doPrivileged()" 
SECURITY.WSC.ACPST - Do not call the 'printStackTrace()' method of "Throwable" objects 
SECURITY.WSC.AHCA - Avoid hard-coding the arguments to certain methods 
SECURITY.WSC.AMA - Avoid constructors and overriding methods which are more accessible than those of their super classes 
SECURITY.WSC.APIBS - Inspect usage of standard API calls that bypass security 
SECURITY.WSC.ARXML - Avoid turning raw text into xml 
SECURITY.WSC.ASAPI - Inspect usage of scripting API 
SECURITY.WSC.AUIC - Do not use inner classes 
SECURITY.WSC.BP - Allow only certain providers to be specified for the 'Security.addProvider()' method 
SECURITY.WSC.CACM - Keep all access control methods centralized to enforce consistency 
SECURITY.WSC.CAM - Keep all authentication methods centralized to enforce consistency 
SECURITY.WSC.CAP - Always clone array parameters which are stored to fields 
SECURITY.WSC.CFM - Only call "final" methods from specified code blocks in non-"final" classes 
SECURITY.WSC.CIFC - Only "clone()" instances of "final" classes 
SECURITY.WSC.CKTS - Avoid using cryptographic keys which are too short 
SECURITY.WSC.CLI - Inspect instantiations of 'ClassLoader' objects 
SECURITY.WSC.CLONE - Make your 'clone()' method "final" for security 
SECURITY.WSC.CLO - Do not override any 'ClassLoader' method except 'findClass()' 
SECURITY.WSC.CL - Do not define custom class loaders 
SECURITY.WSC.CMO - Do not pass mutable objects to 'ObjectOutputStream' in the 'writeObject()' method 
SECURITY.WSC.DCSM - Do not define custom 'SecurityManager's 
SECURITY.WSC.DNSL - Avoid DNS lookups for decision making 
SECURITY.WSC.DSER - Make your classes nondeserializeable 
SECURITY.WSC.ENPP - Ensure arguments passed to certain methods come from predefined methods list 
SECURITY.WSC.FIMU - Make immutable classes final 
SECURITY.WSC.FXMLP - Ensure that Secure Processing is used 
SECURITY.WSC.HCCK - Avoid using hard-coded cryptographic keys 
SECURITY.WSC.HCCS - Avoid passing hardcoded usernames/passwords/URLs to database connection methods 
SECURITY.WSC.ICA - Avoid using insecure algorithms for cryptography 
SECURITY.WSC.INIVF - Make immutable classes final 
SECURITY.WSC.INNER - Make all member classes "private" 
SECURITY.WSC.ISL - Always call 'HttpSession.invalidate()' before 'LoginContext.login()' 
SECURITY.WSC.IVR - Avoid non-random "byte[]" when using IvParameterSpec 
SECURITY.WSC.MCNC - Make your classes noncloneable 
SECURITY.WSC.PACC - Call access control methods to enforce consistency 
SECURITY.WSC.PAC - Call authentication methods to enforce consistency 
SECURITY.WSC.PAF - Declare subclasses of 'PrivilegedAction', 'PrivilegedExceptionAction', and 'PrivilegedActionException' "final" 
SECURITY.WSC.PBPSF - Declare subclasses of 'Permission' and 'BasicPermission' "final" 
SECURITY.WSC.PPKG - Ensure that all Permissions, PrivilegedActions, and PrivilegedActionExceptions are declared in the same package 
SECURITY.WSC.PRMF - Declare the 'run()' method of 'PrivilegedAction' and 'PrivilegedExceptionAction' implementations "final" 
SECURITY.WSC.PSFC - Do not declare fields as "public" "static" "final" 'Collection' or 'Map' objects 
SECURITY.WSC.RDM - Inspect 'Random' objects or 'Math.random()' methods that could indicate areas where malicious code has been placed 
SECURITY.WSC.SCF - Enforce 'SecurityManager' checks before setting or getting fields 
SECURITY.WSC.SCLONE - Enforce 'SecurityManager' checks in methods of 'Cloneable' classes 
SECURITY.WSC.SCSER - Enforce 'SecurityManager' checks in methods of 'Serializable' classes 
SECURITY.WSC.SCSM - Ensure 'SecurityManager' check in constructor of "public" non-"final" sensitive type 
SECURITY.WSC.SER - Make your classes nonserializeable 
SECURITY.WSC.SL - Avoid string literals except in constant declarations and calls to System.out or System.err's 'print' or 'println' methods 
SECURITY.WSC.SMSTR - Ensure 'SecurityManager' checks before 'Socket' transfers or retrievals 
SECURITY.WSC.SRD - Use 'java.security.SecureRandom' instead of 'java.util.Random' or 'Math.random()' 
SECURITY.WSC.SSM - Ensure that an appropriate security manager is set 
SECURITY.WSC.SSP - Do not call 'System.setProperty()' in a web component 
SECURITY.WSC.SS - Do not use sockets in web components 
SECURITY.WSC.STREP - Use library methods for string replacements of special characters in HTML and XML 
SECURITY.WSC.UMAIN - Avoid 'main()' methods because they may allow unauthorized access to classes 
SECURITY.WSC.UOSC - Use the ''getSecure()'' and ''setSecure()'' methods to enforce the use of secure cookies 
SECURITY.WSC.USC - Use the SSL-enabled version of classes when possible 
SECURITY.WSC.UWM - Use wrapper methods instead of calling dangerous or problematic methods directly (custom rule) 
SECURITY.WSC.VJFS - Always verify JarFile signatures 
SECURITY.WSC.ZOIS - Inspect usage of scripting API 
SERIAL.DUID - Create a 'serialVersionUID' for all 'Serializable' classes 
SERIAL.ENNAC - Avoid classes that implement 'Externalizable' but do not define a no-argument constructor 
SERIAL.EZEE - Implement Externalizable instead of Serializable 
SERIAL.FT - Avoid declaring "transient" fields in non-serializable classes 
SERIAL.IRX - Avoid re-initializing fields in the 'readExternal()' method of 'Externalizable' classes 
SERIAL.MRWD - Ensure the return type of 'readResolve()' and 'writeReplace()' methods are 'java.lang.Object' 
SERIAL.NSFSC - Ensure Serializable classes are correct 
SERIAL.OC - Ensure outer class is serializable if its inner class is serializable 
SERIAL.ROWO - Ensure that the 'readObject()' and 'writeObject()' methods have the correct signature 
SERIAL.RRSC - Define a "readResolve" method for all instances of Serializable types 
SERIAL.RWAF - Ensure that all fields are assigned by the 'readObject()' method and written by the 'writeObject()' method 
SERIAL.SCBNP - Always declare writeObject and readObject methods for Serializable subclasses of non-Serializable parents 
SERIAL.SNNAC - Avoid serializable classes that extend a superclass without a zero-argument constructor 
SERIAL.SNSO - Do not store non-serializable objects as HttpSession attributes 
SERIAL.SPF - Declare 'serialPersistentFields' "private static final" 
SERIAL.SRLZ - Do not declare SerialVersionUID in classes that do not implement Serializable 
SERIAL.SROS - Do not declare the 'readObject()' method as "synchronized" 
SERVLET.AJDBC - Do not use JDBC code in Servlet classes 
SERVLET.BINS - Do not use 'java.beans.Beans.instantiate()' 
SERVLET.CETS - Catch all exceptions which may be thrown within Servlet methods 
SERVLET.DSN - Avoid multiple '<servlet>' elements with the same '<servlet-name>' in a 'web.xml' file 
SERVLET.IF - Do not define instance fields in Servlet classes 
SERVLET.LML - Avoid using collections without size limit in servlets 
SERVLET.MDC - Declare a "public" constructor that takes no parameters 
SERVLET.NMS - Follow a limit for the number of mappings for each servlet in a 'web.xml' file 
SERVLET.NSIS - Do not create static variables in a servlet 
SERVLET.NSSS - Do not use static variables in servlets without synchronization 
SERVLET.SCM - Ensure that all servlets have a corresponding mapping in 'web.xml' files 
SERVLET.SDTD - Specify an appropriate schema or DTD file for 'web.xml' files 
SERVLET.SOP - Minimize usage of System.out and System.err in Servlets 
SERVLET.SSN - Ensure that all '<servlet>' elements contain a single non-empty '<servlet-name>' element in 'web.xml' files 
SERVLET.STM - Do not use 'SingleThreadModel' in Servlet classes 
SERVLET.SYN - Minimize synchronization in Servlets 
SERVLET.UCO - Use a Context Object to manage HTTP request parameters 
SPRING.ACARG - Avoid constructor injection 
SPRING.ATCFG - Follow configuration class conventions 
SPRING.DESC - Use ''description'' tag in configuration file headers 
SPRING.IDNAME - Avoid using ''name'' and ''id'' simultaneously 
SPRING.IMPORTSRES - Avoid using relative ''../'' path reference to parent files 
SPRING.JDBCTEMPLATE - Avoid using native JDBC 
SPRING.LOCAL - Use ''local'' property attribute in local scope 
SPRING.PREFTYPE - Prefer ''type'' over ''index'' for constructor argument matching 
SPRING.PROPLIMIT - Follow convention for bean properties 
SPRING.SPRNAM - Use naming conventions for spring beans 
SPRING.USEID - Use ids as bean identifiers 
STRUTS.ACDA - Avoid accessing a database from Action Classes 
STRUTS.ACJC - Avoid accessing a JSP page from Action Classes 
STRUTS.AIV - Specify an @input attribute if '<action>' element has validation in 'struts-config.xml' files 
STRUTS.AMFB - Specify a '<form-bean>' for each named '<action>' element in 'struts-config.xml' files 
STRUTS.APSN - Avoid @prefix, @suffix, and @attribute for unnamed '<action>' elements in 'struts-config.xml' 
STRUTS.ARP - Avoid using relative paths for attributes in 'struts-config.xml' files 
STRUTS.DFV - Avoid duplicated forms in the 'validation.xml' 
STRUTS.DLGF - Avoid local and global forwards with the same name in 'struts-config.xml' files 
STRUTS.EV - Ensure validators are enabled in the 'struts-config.xml' 
STRUTS.FIELDS - Provide an appropriate getter and setter method for each field in a form bean 
STRUTS.FORM - Include only getter and setter methods in form beans 
STRUTS.FWD - Specify a non-empty name and path for each '<forward>' element in 'struts-config.xml' files 
STRUTS.IACM - Avoid calling methods of Action Classes 
STRUTS.INST - Do not declare instance variables in Struts Action classes 
STRUTS.MFBSN - Avoid defining multiple form beans with the same name in 'struts-config.xml' files 
STRUTS.MLFF - Specify a valid 'maxlength' value for each form field in Struts validation files 
STRUTS.MLVP - Use the 'minlength' validator for password fields in 'validation.xml' 
STRUTS.NTFB - Specify a name and type for each form bean in 'struts-config.xml' files 
STRUTS.PFS - Ensure that the @path attribute of '<action>' and '<forward>' elements begins with '/' in 'struts-config.xml' files 
STRUTS.PLUGIN - Ensure Plugins are added in the 'struts-config.xml' 
STRUTS.PMAC - Avoid public methods in Action Classes 
STRUTS.PTE - Specify a non-empty path and type for each '<exception>' element in 'struts-config.xml' files 
STRUTS.RSS - Ensure that the 'scope' attribute is set to either "request" or "session" for actions and exceptions in 'struts-config.xml' files 
STRUTS.SCDTD - Use a Struts DTD for validation in 'struts-config.xml' files 
STRUTS.STRUTS2.S2DAFV - Avoid duplicated field validators 
STRUTS.STRUTS2.S2DVF - Avoid duplicated validation files 
STRUTS.STRUTS2.S2DV - Avoid duplicated validators 
STRUTS.STRUTS2.S2NA - Ensure each validation file has a corresponding Action 
STRUTS.TAFP - Specify a valid 'type' attribute for each '<form-property>' element in 'struts-config.xml' files 
STRUTS.VPI - Enable the Struts Validator plug-in in all 'struts-config.xml' files 
TRS.AIL - Do not use Atomic variables when always accessed in synchronized manner 
TRS.ANF - Do not use 'notify()'; use 'notifyAll()' instead so that all waiting threads will be notified 
TRS.ATI - Avoid accidental use of "Thread.interrupted()" 
TRS.AUTG - Do not use variables of the unsafe type 'java.lang.ThreadGroup' 
TRS.AUTY - Do not use 'Thread.yield()' because it may behave differently under different Virtual Machines 
TRS.CDF - Avoid invoking methods using "static" 'Calendar', 'DateFormat', or 'SimpleDateFormat' 
TRS.CHM - Use ConcurrentHashMap instead of Hashtable and "synchronizedMap" wrapped HashMap when possible 
TRS.CIET - Do not catch InterruptedException except in classes extending Thread 
TRS.CLQ - Use ConcurrentLinkedQueue instead of Vector and synchronizedList when possible 
TRS.CMA - Avoid compound synchronized collection accesses which violate atomicity 
TRS.CSFS - Do not cause deadlocks by calling a "synchronized" method from a "synchronized" method 
TRS.CSTART - Do not call the "start" method of threads from inside a constructor 
TRS.CTRE - Do not let "this" reference escape during construction 
TRS.DCL - Avoid unsafe implementations of the "double-checked locking" pattern 
TRS.DOPQ - Do not use DiscardOldestPolicy with PriorityBlockingQueue 
TRS.GSD - Do not use "getState" except for debugging purposes 
TRS.IASF - Inspect accesses to "static" fields which may require synchronization 
TRS.ILI - Make lazy initializations thread-safe 
TRS.IMSE - Do not catch 'IllegalMonitorStateException' since this exception likely indicates a design flaw 
TRS.IRET - Implement Runnable instead of extending Thread 
TRS.IRUN - Do not call the 'run()' method directly on classes extending 'java.lang.Thread' or implementing 'java.lang.Runnable' 
TRS.LORD - Ensure that nested locks are ordered correctly 
TRS.MRAV - Access related Atomic variables in a synchronized block 
TRS.MRUN - Give subclasses of Thread a 'run()' method so they can run as separate threads 
TRS.NAME - Ensure threads are named 
TRS.NSM - Use "synchronized" blocks instead of making the whole method declaration "synchronized" 
TRS.NSYN - Ensure 'wait()', 'notify()' and 'notifyAll()' are invoked on an object that is clearly synchronized in its enclosing method scope 
TRS.OSNS - Avoid overriding synchronized methods with non-synchronized methods 
TRS.RLF - Release Locks in a "finally" block 
TRS.RUN - Use synchronization on methods that implement 'Runnable.run()' 
TRS.SCS - Do not synchronize on constant Strings 
TRS.SNSM - Do not mix "static" and non-"static" "synchronized" methods 
TRS.SOL - Do not perform synchronization using the "synchronized" keyword on implementations of "java.util.concurrent.locks.Lock" 
TRS.SOPF - Do not synchronize on "public" fields since doing so may cause deadlocks 
TRS.SOUF - Do not synchronize on non-"final" fields since doing so makes it difficult to guarantee mutual exclusion 
TRS.SSCI - Manually synchronize on 'synchronized' collections when iterating over them 
TRS.SSDF - Synchronize access to "static" SimpleDataFormats 
TRS.SSUG - Make the get method for a field synchronized if the set method is synchronized 
TRS.STR - Do not perform synchronization nor call semaphore methods on an Object's 'this' reference 
TRS.THRD - Avoid calling unsafe deprecated methods of 'Thread' and 'Runtime' 
TRS.TSHL - Do not call 'Thread.sleep()' while holding a lock since doing so can cause poor performance and deadlocks 
TRS.UACS - Avoid unsynchronized accesses of "Collections.synchronized" wrapped Collections 
TRS.UCM - Use unsynchronized Collections/Maps only when safe 
TRS.USL - Use the same locking object to access variables 
TRS.UT - Do not start a thread without specifying a 'run()' method 
TRS.UWIL - Call 'wait()' and 'await()' only inside a loop that tests the liveness condition 
TRS.UWNA - Use 'wait()' and 'notifyAll()' instead of polling loops 
TRS.WOC - Use the correct method calls on "java.util.concurrent.locks.Condition" objects 
TRS.WOS - Do not make the "writeObject()" method synchronized if no other method is synchronized 
UC.AAI - Avoid unnecessary modifiers in an "interface" 
UC.ACC - Remove commented out Java code 
UC.AEEO - Ensure that classes do not explicitly extend 'java.lang.Object' 
UC.AESTAT - Avoid empty static and non-static initializers 
UC.AMAMI - Do not override "abstract" methods of a parent class with "abstract" methods 
UC.ARTD - Avoid redundant throw clauses 
UC.AUL - Avoid unused labels 
UC.AURCO - Avoid collection objects that are never read 
UC.AURV - Avoid local variables that are never read 
UC.BCMP - Avoid unnecessary "boolean" comparisons 
UC.DIEB - Avoid duplicate code in 'if' branches 
UC.DIL - Do not explicitly "import" the java.lang.* "package" 
UC.EF - Avoid empty 'finalize()' methods 
UC.FCSF - Avoid redundant 'finalize()' methods which only call the superclass' 'finalize()' method 
UC.FMFC - Avoid redundant "final" keywords in method declarations in "final" classes 
UC.PF - Avoid unused "private" fields 
UC.PIMPORT - Do not import classes from the package that contains the current class 
UC.PM - Avoid unused "private" methods 
UC.RSKE - Avoid redundant 'static' keywords in enum type declarations 
UC.SNE - Avoid empty "synchronized" statements 
UC.SO - Avoid methods that only call the overridden implementation (superclass implementation) 
UC.UCATCH - Use a caught exception in the "catch" block 
UC.UCIF - Avoid unnecessary 'if' statements 
UC.UES - Avoid unnecessary "else" statements 
UC.UIMPORT - Avoid unused "import" statements 
UC.UPC - Avoid unused "private" classes or interfaces 
UC.UP - Avoid unused parameters 
UC.VR - Avoid unnecessary "return" statement at the end of "void" methods 
XML.DLTH - Avoid debug levels which are too high in Tomcat's 'server.xml' 
XML.WF - Ensure that XML files are well-formatted


  • No labels