In this section:

Overview

Test configurations define how your code is analyzed and tested, including which static analysis rules are enabled, which tests to run, and other analysis parameters. Jtest ships with built-in test configurations, but users can create and store their own test configurations in the DTP server (see the DTP documentation for details).

User-defined test configurations that are stored in DTP can be downloaded from the DTP server and stored in the [INSTALL_DIR]/configs/user directory as *.properties files. 

Running a Test Configuration

You can specify which configuration will be run in one of the following ways:

  • Run jtestcli with the -config switch and specify a built-in, user-defined or  DTP-hosted  test configuration:

    -config "builtin://Recommended Rules"
    -config "user://Foo Configuration"
    -config "dtp://Foo Team Configuration" 
    -config "dtp://FooTeamConfig.properties"

    (info)Alternatively, you can add the prefix of the Parasoft tool you are using to specify a DTP-hosted test configuration:

    -config "jtest.dtp://Foo Team Configuration" 

    You can also provide a path or URL to the test configuration .properties file:

    -config "C:\Devel\Configs\FooConfig.properties"
    -config "http://foo.bar.com/configs/FoodConfig.properties"


    For example, your command line may resemble the following:

    jtestcli -config "user://Configuration Name"

  • In the .properties file, specify the default configuration that will be run when the -config option is not used:

    jtest.config=user://Configuration Name

Ant and Maven Pattern

If you use Ant or Maven, you can specify the test configuration with the following pattern:

<config>user://Configuration Name</config>

Settings Property Pattern

jtest.config=user://Configuration Name

Viewing Available Test Configurations

Use the -listconfigs switch to print the available test configurations. 

Use arguments to filter configurations; the use of "*" expressions is supported

  • -listconfigs - prints all available configurations
  • -listconfigs builtin - prints all built-in configurations

  • -listconfigs builtin*Secure* - prints all built-in configurations that contain "secure" in the name

Built-in Test Configurations

The following table includes the test configurations shipped in the [INSTALL]/configs/builtin directory.

Static Analysis

This group includes universal static analysis test configurations. See Security Compliance Pack for test configurations that enforce security coding standards.

Built-in Test ConfigurationDescription
Code SmellsRules based on the Code Smells document (available at http://xp.c2.com/CodeSmell.html) by Kent Beck and Martin Fowler.
Critical Rules

Includes most Severity 1 rules, as well as rules in the Flow Analysis Fast configuration.

Demo ConfigurationIncludes rules for demonstrating various techniques of code analysis. May not be suitable for large code bases.
Find Duplicated CodeApplies static code analysis rules that report duplicate code. Duplicate code may indicate poor application design and lead to maintainability issues.
Find Memory ProblemsIncludes rules for finding memory management issues in the code.
Find Unused CodeIncludes rules for identifying unused/dead code.
Flow Analysis StandardDetects complex runtime errors without requiring test cases or application execution. Defects detected include using uninitialized or invalid memory, null pointer dereferencing, array and buffer overflows, division by zero, memory and resource leaks, and dead code. This requires a special Flow Analysis license option.
Flow Analysis AggressiveIncludes rules for deep flow analysis of code. Significant amount of time may be required to run this configuration.
Flow Analysis FastIncludes rules for shallow depth of flow analysis, which limits the number of potentially acceptable defects from being reported.
Internationalize CodeApplies static code analysis to expose code that is likely to impede internationalization efforts.
MetricsComputes values for  several code metrics. 
Recommended Rules

The default configuration of recommended rules. Covers most Severity 1 and Severity 2 rules. Includes rules in the Flow Analysis Fast configuration.

TDDThe TDD (Test Driven Development) configuration includes rules based on the Code Smells document (available at http://xp.c2.com/CodeSmell.html), rules that check whether the JUnit test classes are comprehensive for the tested class, and rules from the Critical Rules (Must Have) Test Configuration.
Thread Safe ProgrammingRules that uncover code which will be dangerous to run in multi-threaded environments— as well as help prevent common threading problems such as deadlocks, race conditions, a missed notification, infinite loops, and data corruption.
Unit Test AssistantIncludes rules that help you improve the quality of your unit tests. We recommend using this test configuration in the CQA mode.
Unit Testing Best PracticesHelps you enforce unit testing best practices and ensure that assertions are made in your unit tests

Security Compliance Pack

This compliance pack includes test configurations that help you enforce security coding standards and practices. See Compliance Packs Rule Mapping for information how the standards are mapped to Jtest's rules.

(info) Security Compliance Pack requires dedicated license features to be activated. Contact Parasoft Support for more details on licensing.

Displaying compliance results on DTP

Some test configurations in this category have a corresponding "Compliance" extension on DTP, which allows you to view your security compliance status, generate compliance reports, and monitor the progress towards your security compliance goals. See the "Extensions for DTP" section in the DTP documentation for the list of available extensions, requirements, and usage.

Built-in Test ConfigurationDescription
CWE 3.2

Includes rules that find issues identified in the CWE standard v3.2.

(info) This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.

CWE-SANS Top 25 2011

Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE-SANS standard.

(info) This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.

CWE SANS Top 25 2011 + On the Cusp

Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE-SANS standard or included on the CWE - On the Cusp list.

(info) This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.

OWASP Top 10 - 2017

Includes rules that find issues identified in OWASP’s Top 10 standard.

(info) This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.

PCI DSS 3.2Includes rules that find issues identified in PCI Data Security Standard  version 3.2.
CERT for JavaIncludes rules that find issues identified in the CERT standard.
UL 2900 Includes rules that find issues identified in the UL-2900 standard.

Unit Testing and Collecting Coverage

This group includes test configurations that allow you to run and collect coverage data for unit tests.

Built-in Test ConfigurationDescription
Calculate Application CoverageProcesses the application coverage data to generate a coverage.xml file. See Application Coverage.
Unit TestsIncludes the unit test execution data in the generated report file

Compliance Packs Rule Mapping

This section includes rule mapping for the CWE standard. The mapping information for other standards is available in the PDF rule mapping files shipped with Compliance Packs.

CWE SANS Top 25 2011 Mapping

CWE IDCWE NameParasoft Rule ID(s)
CWE-89Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • CWE.89.UPS
  • CWE.89.TDSQL
CWE-78Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE.78.TDENV
CWE-120Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')N/A
CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE.79.TDXSS
  • CWE.79.EACM,
  • CWE.79.VPPD
  • CWE.79.CDBV
  • CWE.79.TDRESP
CWE-306 Missing Authentication for Critical Function
  • CWE.306.CAM
  • CWE.306.SSM
  • CWE.306.UOSC
  • CWE.306.USC
CWE-862Missing Authorization
  • CWE.862.PERMIT
  • CWE.862.LCA
CWE-798Use of Hard-coded Credentials
  • CWE.798.HCCS
  • CWE.798.PCCF
  • CWE.798.UPWD
  • CWE.798.PTPT
  • CWE.798.PWDXML
  • CWE.798.WPWD
  • CWE.798.UTAX
  • CWE.798.WCPWD
CWE-311Missing Encryption of Sensitive Data
  • CWE.311.PEO
  • CWE.311.HTTPS
  • CWE.311.USC
  • CWE.311.SENS
  • CWE.311.CONSEN
CWE-434Unrestricted Upload of File with Dangerous Type
  • CWE.434.TDFNAMES
CWE-807Reliance on Untrusted Inputs in a Security Decision
  • CWE.807.PLC
  • CWE.807.UOSC
  • CWE.807.HGRSI
CWE-250Execution with Unnecessary Privileges
  • CWE.250.LDP
  • CWE.250.PCL
CWE-352Cross-Site Request Forgery (CSRF)
  • CWE.352.TDXSS
  • CWE.352.VPPD
  • CWE.352.EACM
  • CWE.352.UOSC
  • CWE.352.TDRESP
CWE-22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE.22.TDFNAMES
CWE-494Download of Code Without Integrity Check
  • CWE.494.USC
CWE-863Incorrect Authorization
  • CWE.863.DSR
  • CWE.863.SRCD
CWE-829Inclusion of Functionality from Untrusted Control Sphere
  • CWE.829.TDXPATH
  • CWE.829.TDFILES
  • CWE.829.TDFNAMES
  • CWE.829.TDLIB
CWE-732Incorrect Permission Assignment for Critical Resource
  • CWE.1004.SCHTTP
CWE-676Use of Potentially Dangerous Function
  • CWE.676.SRD
CWE-327Use of a Broken or Risky Cryptographic Algorithm
  • CWE.327.AISSAJAVA
  • CWE.327.ICA
  • CWE.327.SRD
  • CWE.327.ACMD
  • CWE.327.AUNC
  • CWE.327.AISSAXML
CWE-131Incorrect Calculation of Buffer Size
  • CWE.131.ARRAY
CWE-307Improper Restriction of Excessive Authentication Attempts
  • CWE.307.PBFA
CWE-601URL Redirection to Untrusted Site ('Open Redirect')
  • CWE.601.TDNET
  • CWE.601.TDRESP
  • CWE.601.UCO
CWE-134Use of Externally-Controlled Format String
  • CWE.134.TDINPUT
CWE-190Integer Overflow or Wraparound
  • CWE.190.IOF
  • CWE.190.BSA
  • CWE.190.ICO
  • CWE.190.CACO
  • CWE.190.INTOVERF
CWE-759Use of a One-Way Hash without a Salt
  • CWE.759.MDSALT

CWE SANS On the Cusp Mapping

CWE IDCWE NameParasoft Rule ID(s)
CWE-129Improper Validation of Array Index
  • CWE.129.CAI
  • CWE.129.ARRAY
  • CWE.129.ARRAYINP
CWE-330Use of Insufficiently Random Values
  • CWE.336.ENPP
  • CWE.338.SRD
CWE-362Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
  • CWE.362.DCL
  • CWE.366.TSH
  • CWE.367.TOCTOU
CWE-681Incorrect Conversion between Numeric Types
  • CWE.681.IDCD
  • CWE.681.CLP
CWE-476NULL Pointer Dereference
  • CWE.476.NP
  • CWE.476.DEREF
CWE-772Missing Release of Resource after Effective Lifetime
  • CWE.772.LEAKS
  • CWE.772.CLOSE
  • CWE.401.LML
CWE-209Information Exposure Through an Error Message
  • CWE.209.PEO
  • CWE.209.ACPST
  • CWE.209.SENS
  • CWE.209.SIO

CWE 3.2 Mapping

CWE ID

CWE name/description

Parasoft rule ID(s)

CWE-5

J2EE Misconfiguration: Data Transmission
Without Encryption

  • CWE.5.PLAIN

CWE-6

J2EE Misconfiguration: Insufficient Session-ID Length

  • CWE.6.SLID

CWE-7

J2EE Misconfiguration: Missing Custom Error
Page

  • CWE.7.SEP

CWE-8

J2EE Misconfiguration: Entity Bean Declared
Remote

  • CWE.8.RR

CWE-9

J2EE Misconfiguration: Weak Access
Permissions for EJB Methods

  • CWE.9.DPANY

CWE-15

External Control of System or Configuration Setting

  • CWE.15.SYSP
  • CWE.15.UCO

CWE-22

Improper Limitation of a Pathname to a
Restricted Directory ('Path Traversal')

  • CWE.22.TDFNAMES

CWE-77

Improper Neutralization of Special Elements
used in a Command ('Command Injection')

  • CWE.77.TDCMD

CWE-78

Improper Neutralization of Special Elements
used in an OS Command ('OS Command Injection')

  • CWE.78.TDENV

CWE-79

Improper Neutralization of Input During Web
Page Generation ('Cross-site Scripting')

  • CWE.79.TDXSS
  • CWE.79.EACM
  • CWE.79.VPPD
  • CWE.79.CDBV
  • CWE.79.TDRESP

CWE-80

Improper Neutralization of Script-Related
HTML Tags in a Web Page (Basic XSS)

  • CWE.80.ARXML
  • CWE.80.TDXML
  • CWE.80.TDDIG

CWE-81

Improper Neutralization of Script in an Error
Message Web Page

  • CWE.81.ARXML

CWE-89

Improper Neutralization of Special Elements
used in an SQL Command ('SQL Injection')

  • CWE.89.UPS
  • CWE.89.TDSQL

CWE-90

Improper Neutralization of Special Elements
used in an LDAP Query ('LDAP Injection')

  • CWE.90.TDLDAP

CWE-91

XML Injection (aka Blind XPath Injection)

  • CWE.91.TDXML

CWE-99

Improper Control of Resource Identifiers
('Resource Injection')

  • CWE.99.TDNET

CWE-102

Struts: Duplicate Validation Forms

  • CWE.102.DFV

CWE-103

Struts: Incomplete validate() Method
Definition

  • CWE.103.CSVFV

CWE-104

Struts: Form Bean Does Not Extend
Validation Class

  • CWE.104.AEAF

CWE-106

Struts: Plug-in Framework not in Use

  • CWE.106.PLUGIN

CWE-109

Struts: Validator Turned Off

  • CWE.109.EV

CWE-111

Direct Use of Unsafe JNI

  • CWE.111.NATV
  • CWE.111.NATIW
  • CWE.111.APIBS

CWE-113

Improper Neutralization of CRLF Sequences
in HTTP Headers ('HTTP Response Splitting')

  • CWE.113.TDRESP

CWE-114

Process Control

  • CWE.114.TDLIB
  • CWE.114.APIBS

CWE-117

Improper Output Neutralization for Logs

  • CWE.117.TDLOG

CWE-129

Improper Validation of Array Index

  • CWE.129.CAI
  • CWE.129.ARRAY
  • CWE.129.ARRAYINP

CWE-131

Incorrect Calculation of Buffer Size

  • CWE.131.ARRAY

CWE-134

Use of Externally-Controlled Format String

  • CWE.134.TDINPUT

CWE-180

Incorrect Behavior Order: Validate Before
Canonicalize

CWE.180.SSM

CWE.180.TDRESP

CWE.180.TDXSS

CWE-185Incorrect Regular ExpressionCWE.185.REP

CWE-190

Integer Overflow or Wraparound

  • CWE.190.IOF
  • CWE.190.BSA
  • CWE.190.ICO
  • CWE.190.CACO
  • CWE.190.INTOVERF

CWE-191

Integer Underflow (Wrap or Wraparound)

  • CWE.191.BSA
  • CWE.191.INTOVERF

CWE-193

Off-by-one Error

  • CWE.193.AOBO

CWE-209

Information Exposure Through an Error
Message

  • CWE.209.PEO
  • CWE.209.ACPST
  • CWE.209.SENS
  • CWE.209.SIO

CWE-213

Intentional Information Exposure

  • WE.213.CONSEN

CWE-215

Information Exposure Through Debug
Information

  • CWE.215.EWSSEC

CWE-245

J2EE Bad Practices: Direct Management of
Connections

  • CWE.245.JDBCTEMPLATE

CWE-246

J2EE Bad Practices: Direct Use of Sockets

  • CWE.246.AUS
  • CWE.246.SS
  • CWE.246.NSF

CWE-250

Execution with Unnecessary Privileges

  • CWE.250.LDP
  • CWE.250.PCL

CWE-25

2 Unchecked Return Value

  • CWE.252.CRRV
  • CWE.252.CHECKRET

CWE-256

Unprotected Storage of Credentials

  • CWE.256.PLAIN
  • CWE.256.PWDPROP
  • CWE.256.TDPASSWD
  • CWE.256.PWDXML
  • CWE.256.UPWD
  • CWE.256.PCCF
  • CWE.256.PTPT
  • CWE.256.UTAX
  • CWE.256.WCPWD
  • CWE.256.WPWD

CWE-258

Empty Password in Configuration File

  • CWE.258.PWDPROP

CWE-260

Password in Configuration File

  • CWE.260.UTAX

CWE-261

Weak Cryptography for Passwords

  • CWE.261.CKTS

CWE-291

Reliance on IP Address for Authentication

  • CWE.291.DNSL

CWE-295

Improper Certificate Validation

  • CWE.295.HV

CWE-297

Improper Validation of Certificate with Host
Mismatch

  • CWE.297.VSI

CWE-306

Missing Authentication for Critical Function

  • CWE.306.CAM
  • CWE.306.SSM
  • CWE.306.UOSC
  • CWE.306.USC

CWE-307

Improper Restriction of Excessive
Authentication Attempts

  • CWE.307.PBFA

CWE-309

Use of Password System for Primary
Authentication

  • CWE.309.MLVP

CWE-311

Missing Encryption of Sensitive Data

  • CWE.311.PEO
  • CWE.311.HTTPS
  • CWE.311.USC
  • CWE.311.SENS
  • CWE.311.CONSEN
CWE-312Cleartext Storage of Sensitive Information
  • CWE.312.PWDPROP

CWE-313

Cleartext Storage in a File or on Disk

  • CWE.313.PLAIN

CWE-315

Cleartext Storage of Sensitive Information in a Cookie

  • CWE.315.PLC

CWE-319

Cleartext Transmission of Sensitive
Information

  • CWE.319.TDSQL
  • CWE.319.HCNA

CWE-321

Use of Hard-coded Cryptographic Key

  • CWE.321.HCCK

CWE-325

Missing Required Cryptographic Step

  • CWE.325.SIKG
  • CWE.325.MCMDU

CWE-327

Use of a Broken or Risky Cryptographic
Algorithm

  • CWE.327.AISSAJAVA
  • CWE.327.ICA
  • CWE.327.SRD
  • CWE.327.ACMD
  • CWE.327.AUNC
  • CWE.327.AISSAXML

CWE-329

Not Using a Random IV with CBC Mode

  • CWE.329.ENPP
  • CWE.329.IVR

CWE-336

Same Seed in Pseudo-Random Number
Generator (PRNG)

  • CWE.336.ENPP

CWE-337

Predictable Seed in Pseudo-Random
Number Generator (PRNG)

  • CWE.337.ENPP

CWE-338

Use of Cryptographically Weak
Pseudo-Random Number Generator (PRNG)

  • CWE.338.SRD

CWE-345

Insufficient Verification of Data Authenticity

  • CWE.345.TDENV

CWE-347

Improper Verification of Cryptographic
Signature

  • CWE.347.VJFS

CWE-350

Reliance on Reverse DNS Resolution for a
Security-Critical Action

  • CWE.350.DNSL

CWE-352

Cross-Site Request Forgery (CSRF)

  • CWE.352.TDXSS
  • CWE.352.VPPD
  • CWE.352.EACM
  • CWE.352.UOSC
  • CWE.352.TDRESP

CWE-359

Exposure of Private Information ('Privacy
Violation')

  • CWE.359.CONSEN

CWE-362

Concurrent Execution using Shared
Resource with Improper Synchronization
('Race Condition')

  • CWE.362.DCL

CWE-366

Race Condition within a Thread

  • CWE.366.TSHL

CWE-367

Time-of-check Time-of-use (TOCTOU) Race
Condition

  • CWE.367.TOCTOU

CWE-369

Divide By Zero

  • CWE.369.ZERO

CWE-375

Returning a Mutable Object to an Untrusted
Caller

  • CWE.375.RA

CWE-377

Insecure Temporary File

  • CWE.377.ATF

CWE-382

J2EE Bad Practices: Use of System.exit()

  • CWE.382.EXIT
  • CWE.382.JVM

CWE-383

J2EE Bad Practices: Direct Use of Threads

  • CWE.383.THR

CWE-384

Session Fixation

  • CWE.384.ISL

CWE-390

Detection of Error Condition Without Action

  • CWE.390.LGE

CWE-391

Unchecked Error Condition

  • CWE.391.AECB

CWE-395

Use of NullPointerException Catch to Detect
NULL Pointer Dereference

  • CWE.395.NCNPE

CWE-396

Declaration of Catch for Generic Exception

  • CWE.396.NCE

CWE-397

Declaration of Throws for Generic Exception

  • CWE.397.NTX
  • CWE.397.NTERR

CWE-400

Uncontrolled Resource Consumption

  • CWE.400.DMDS

CWE-401

Improper Release of Memory Before
Removing Last Reference

  • CWE.401.LML

CWE-404

Improper Resource Shutdown or Release

  • CWE.404.COCO
  • CWE.404.CRWD
  • CWE.404.ODBIL

CWE-413

Improper Resource Locking

  • CWE.413.LORD

CWE-416

Use After Free

  • CWE.416.FREE

CWE-434

Unrestricted Upload of File with Dangerous
Type

  • CWE.434.TDFNAMES

CWE-457

Use of Uninitialized Variable

  • CWE.457.NOTINITCTOR
  • CWE.457.UIRC

CWE-459

Incomplete Cleanup

  • CWE.459.LEAKS

CWE-470

Use of Externally-Controlled Input to Select
Classes or Code ('Unsafe Reflection')

  • CWE.470.TDRFL
  • CWE.470.APIBS

CWE-476

NULL Pointer Dereference

  • CWE.476.NP
  • CWE.476.DEREF

CWE-477

Use of Obsolete Function

  • CWE.477.DPRAPI

CWE-478

Missing Default Case in Switch Statement

  • CWE.478.PDS

CWE-481

Assigning instead of Comparing

  • CWE.481.ASI

CWE-483

Incorrect Block Delimitation

  • CWE.483.BLK
  • CWE.483.EBI
  • CWE.483.EB

CWE-484

Omitted Break Statement in Switch

  • CWE.484.SBC
  • CWE.484.DAV

CWE-486

Comparison of Classes by Name

  • CWE.486.CMP
  • CWE.486.AUG

CWE-487

Reliance on Package-level Scope

  • CWE.487.AF

CWE-491

Public cloneable() Method Without Final
('Object Hijack')

  • CWE.491.CLONE

CWE-494

Download of Code Without Integrity Check

  • CWE.494.USC

CWE-495

Private Data Structure Returned From A
Public Method

  • CWE.495.RA

CWE-496

Public Data Assigned to Private Array-Typed
Field

  • CWE.496.CAP

CWE-497

Exposure of System Data to an Unauthorized
Control Sphere

  • CWE.497.SENS
  • CWE.497.ACW
  • CWE.497.PEO

CWE-499

Serializable Class Containing Sensitive Data

  • CWE.499.SIF
  • CWE.499.SER

CWE-500

Public Static Field Not Marked Final

  • CWE.500.SPFF
  • CWE.500.FIMU

CWE-502

Deserialization of Untrusted Data

  • CWE.502.SC
  • CWE.502.RWAF
  • CWE.502.SSSD
  • CWE.502.MASP
  • CWE.502.DSER
  • CWE.502.AUXD

CWE-506

Embedded Malicious Code

  • CWE.506.HCCK

CWE-511

Logic/Time Bomb

  • CWE.511.RDM
  • CWE.511.EXEC

CWE-521

Weak Password Requirements

  • CWE.521.MLVP

CWE-523

Unprotected Transport of Credentials

  • CWE.523.USC

CWE-532

Information Exposure Through Log Files

  • CWE.532.CONSEN

CWE-543

Use of Singleton Pattern Without
Synchronization in a Multithreaded Context

  • CWE.543.IASF
  • CWE.543.ILI

CWE-546

Suspicious Comment

  • CWE.546.TODOJAVA
  • CWE.546.TODOPROP
  • CWE.546.TODOXML

CWE-555

J2EE Misconfiguration: Plaintext Password in
Configuration File

  • CWE.555.UPWD
  • CWE.555.PWDXML

CWE-561

Dead Code

  • CWE.561.CC
  • CWE.561.DEREF
  • CWE.561.SWITCH
  • CWE.561.PM

CWE-563

Assignment to Variable without Use

  • CWE.563.UPPF
  • CWE.563.VOVR
  • CWE.563.PM
  • CWE.563.AURV
  • CWE.563.UP
  • CWE.563.POVR
  • CWE.563.PF
  • CWE.563.UCIF

CWE-566

Authorization Bypass Through User-Controlled SQL Primary Key

  • CWE.566.AUSS

CWE-568

finalize() Method Without super.finalize()

  • CWE.568.FCF

CWE-570

Expression is Always False

  • CWE.570.CC
  • CWE.570.UCIF

CWE-571

Expression is Always True

  • CWE.571.CC
  • CWE.571.UCIF

CWE-572

Call to Thread run() instead of start()

  • CWE.572.IRUN

CWE-576

EJB Bad Practices: Use of Java I/O

  • CWE.576.JIO

CWE-577

EJB Bad Practices: Use of Sockets

  • CWE.577.AUS

CWE-578

EJB Bad Practices: Use of Class Loader

  • CWE.578.ACL

CWE-579

J2EE Bad Practices: Non-serializable Object
Stored in Session

  • CWE.579.ONS
  • CWE.579.SNSO

CWE-580

clone() Method Without super.clone()

  • CWE.580.SCLONE

CWE-581

Object Model Violation: Just One of Equals
and Hashcode Defined

  • CWE.581.OVERRIDE

CWE-582

Array Declared Public, Final, and Static

  • CWE.582.PSFA
  • CWE.582.IMM

CWE-583

finalize() Method Declared Public

  • CWE.583.MFP

CWE-584

Return Inside Finally Block

  • CWE.584.ARCF

CWE-585

Empty Synchronized Block

  • CWE.585.SNE

CWE-586

Explicit Call to Finalize()

  • CWE.586.NCF

CWE-594

J2EE Framework: Saving Unserializable
Objects to Disk

  • CWE.594.SIVS

CWE-595

Comparison of Object References Instead of
Object Contents

  • CWE.595.UEIC

CWE-600

Uncaught Exception in Servlet

  • CWE.600.CETS

CWE-601

URL Redirection to Untrusted Site ('Open
Redirect')

  • CWE.601.TDNET
  • CWE.601.TDRESP
  • CWE.601.UCO

CWE-605

Multiple Binds to the Same Port

  • CWE.605.HCNA

CWE-607

Public Static Final Field References Mutable
Object

  • CWE.607.RMO
  • CWE.607.IMM

CWE-609

Double-Checked Locking

  • CWE.609.DCL

CWE-611

Improper Restriction of XML External Entity
Reference ('XXE')

  • CWE.611.DXXE

CWE-613

Insufficient Session Expiration

  • CWE.613.STTL
  • CWE.613.RUIM

CWE-614

Sensitive Cookie in HTTPS Session Without
'Secure' Attribute

  • CWE.614.UOSC

CWE-643

Improper Neutralization of Data within XPath
Expressions ('XPath Injection')

  • CWE.643.TDXPATH
  • CWE.643.TDJXPATH

CWE-644

Improper Neutralization of HTTP Headers for
Scripting Syntax

  • CWE.644.TDRESP

CWE-647

Use of Non-Canonical URL Paths for
Authorization Decisions

  • CWE.647.CDBV

CWE-652

Improper Neutralization of Data within
XQuery Expressions ('XQuery Injection')

  • CWE.652.TDXPATH
  • CWE.652.XPIJ

CWE-662

Improper Synchronization

  • CWE.662.TOCTOU
  • CWE.662.DIFCS

CWE-665

Improper Initialization

  • CWE.665.NOTEXPLINIT

CWE-667

Improper Locking

  • CWE.667.CLOSE
  • CWE.667.LOCK

CWE-674

Uncontrolled Recursion

  • CWE.674.FLRC
  • CWE.674.LOCK

CWE-676

Use of Potentially Dangerous Function

  • CWE.676.SRD

CWE-680

Integer Overflow to Buffer Overflow

  • CWE.680.BSA

CWE-681

Incorrect Conversion between Numeric
Types

  • CWE.681.IDCD
  • CWE.681.CLP

CWE-690

Unchecked Return Value to NULL Pointer
Dereference

  • CWE.690.EAR

CWE-691

Insufficient Control Flow Management

  • CWE.691.ANL
  • CWE.691.AES

CWE-704

Incorrect Type Conversion or Cast

  • CWE.704.AGBPT
  • CWE.704.CPTS

CWE-749

Exposed Dangerous Method or Function

  • CWE.749.DPPM
  • CWE.749.DPAM
  • CWE.749.SPAM

CWE-755

Improper Handling of Exceptional Conditions

  • CWE.755.CIET

CWE-759

Use of a One-Way Hash without a Salt

  • CWE.759.MDSALT

CWE-764

Multiple Locks of a Critical Resource

  • CWE.764.DLOCK

CWE-772

Missing Release of Resource after Effective
Lifetime

  • CWE.772.LEAKS
  • CWE.772.CLOSE

CWE-778

Insufficient Logging

  • CWE.778.ENFL

CWE-798

Use of Hard-coded Credentials

  • CWE.798.HCCS
  • CWE.798.PCCF
  • CWE.798.UPWD
  • CWE.798.PTPT
  • CWE.798.PWDXML
  • CWE.798.WPWD
  • CWE.798.UTAX
  • CWE.798.WCPWD

CWE-807

Reliance on Untrusted Inputs in a Security
Decision

  • CWE.807.PLC
  • CWE.807.UOSC
  • CWE.807.HGRSI

CWE-829

Inclusion of Functionality from Untrusted
Control Sphere

  • CWE.829.TDXPATH
  • CWE.829.TDFILES
  • CWE.829.TDFNAMES
  • CWE.829.TDLIB

CWE-832

Unlock of a Resource that is not Locked

  • CWE.832.LORD
  • CWE.832.RLF

CWE-833

Deadlock

  • CWE.833.RLF
  • CWE.833.STR
  • CWE.833.UWNA
  • CWE.833.CSFS
  • CWE.833.TSHL
  • CWE.833.ORDER

CWE-835

Loop with Unreachable Exit Condition
('Infinite Loop')

  • CWE.835.AIL
  • CWE.835.PCIF

CWE-836

Use of Password Hash Instead of Password
for Authentication

  • CWE.836.PLAIN

CWE-862

Missing Authorization

  • CWE.862.PERMIT
  • CWE.862.LCA

CWE-863

Incorrect Authorization

  • CWE.863.DSR
  • CWE.863.SRCD

CWE-1004

Sensitive Cookie Without 'HttpOnly' Flag

  • CWE.1004.SCHTTP

Creating Custom Rules

Use RuleWizard to create custom rules. See the RuleWizard User Guide for information about RuleWizard capabilities and usage.

To use the rule, it needs to be enabled in a test configuration and the custom rule file must be located in one of the following directories:

  • [INSTALL_DIR]\rules\user\
  • [DOCUMENTS DIR]\Parasoft\[tool_name]\rules where [DOCUMENTS DIR] refers to the "My Documents" directory on Windows.

  • No labels