The following rules can be enabled in CQA mode:
BD.API.ARGWRITE - Do not rely on the write() method to output integers outside the range 0 to 255
BD.API.EQNULL - Make sure implementation of Object.equals(Object) properly handles null values
BD.API.EQREFL - Make sure implementation of Object.equals(Object) is reflexive
BD.CO.ITMOD - Do not modify collection while iterating over it
BD.EXCEPT.NP - Avoid NullPointerException
BD.OPT.INEFCOL - Avoid inefficient removal of Collection elements
BD.OPT.INEFMAP - Avoid inefficient iteration over Map entries
BD.OPT.INEFMAPRM - Avoid inefficient removal of Map entries
BD.PB.ARRAY - Avoid accessing arrays out of bounds
BD.PB.ARRAYINP - Avoid unvalidated input in array indexes
BD.PB.BADSHIFT - Avoid incorrect shift operations
BD.PB.CC - Avoid conditions that always evaluate to the same value
BD.PB.CHECKRET - Consistently check the returned value of non-void methods
BD.PB.DEREF - Do not check for null after dereferencing
BD.PB.EXCEPT - Always catch exceptions
BD.PB.GETPERM - Method getPermission() is supposed to be invoked when user-defined class loaders are applied
BD.PB.INFREC - Avoid infinite recursion
BD.PB.INTOVERF - Avoid integer overflows
BD.PB.MULBUF - Do not create multiple buffered wrappers on a single byte or character stream
BD.PB.NOTEXPLINIT - Avoid use before explicit initialization
BD.PB.NOTINITCTOR - Avoid use of fields before initialization in constructors and static initializers
BD.PB.PBIOS - Prevent external processes from blocking on input and output streams
BD.PB.POVR - Avoid overwriting method parameters before each use
BD.PB.RECFUN - Methods shall not call themselves, either directly or indirectly
BD.PB.REVOBJ - Restore prior object state on method failure
BD.PB.SBONE - Ensure proper usage of StringBuilder/StringBuffer objects
BD.PB.STRNULL - Do not append null value to strings
BD.PB.SWITCH - Avoid switch with unreachable branches
BD.PB.VOVR - Avoid unused values
BD.PB.VREADOBJ - Do not invoke overridable methods from the readObject() method
BD.PB.ZERO - Avoid division by zero
BD.RES.FREE - Do not use resources that have been freed
BD.RES.LEAKS - Ensure resources are deallocated
BD.SECURITY.BUFEXP - Do not expose data wrapped by a buffer to untrusted code
BD.SECURITY.CANPATH - Path should be standardized before validation
BD.SECURITY.CUSTOM - Prevent security vulnerability (custom rule)
BD.SECURITY.EACM - Encapsulate arguments of dangerous methods with a validation method
BD.SECURITY.FPEXC - Check floating-point inputs for exceptional values
BD.SECURITY.LOG - Avoid passing unvalidated binary data to log methods
BD.SECURITY.PRIVIL - Avoid operating on tainted data in privileged blocks
BD.SECURITY.REMTMP - Remove temporary files before termination
BD.SECURITY.SENS - Prevent exposure of sensitive data
BD.SECURITY.SIGCLASS - Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar
BD.SECURITY.SSSD - Safely serialize sensitive data
BD.SECURITY.TDALLOC - Validate potentially tainted data before it is used to determine the size of memory allocation
BD.SECURITY.TDCMD - Protect against Command injection
BD.SECURITY.TDCODE - Validate potentially tainted data before it is used in methods that generate code
BD.SECURITY.TDDIG - Protect against Jakarta Digester injection
BD.SECURITY.TDENV - Protect against Environment injection
BD.SECURITY.TDFILES - Protect against File contents injection
BD.SECURITY.TDFNAMES - Protect against File names injection
BD.SECURITY.TDINPUT - Exclude unsanitized user input from format strings
BD.SECURITY.TDJXPATH - Protect against JXPath injection
BD.SECURITY.TDLDAP - Protect against LDAP injection
BD.SECURITY.TDLIB - Protect against Library injection
BD.SECURITY.TDLOG - Protect against log forging
BD.SECURITY.TDNET - Protect against network resource injection
BD.SECURITY.TDPASSWD - Protect against using unprotected credentials
BD.SECURITY.TDRESP - Protect against HTTP response splitting
BD.SECURITY.TDRFL - Protect against Reflection injection
BD.SECURITY.TDSESSION - Do not store untrusted data in HTTP session
BD.SECURITY.TDSQL - Protect against SQL injection
BD.SECURITY.TDXML - Protect against XML data injection
BD.SECURITY.TDXPATH - Protect against XPath injection
BD.SECURITY.TDXSS - Protect against XSS vulnerabilities
BD.SECURITY.VPPD - Validate all dangerous data
BD.SECURITY.XMLVAL - Validate untrusted XML using schema or DTD before reading
BD.TRS.DIFCS - Variable should be used in context of single critical section
BD.TRS.DLOCK - Avoid double locking
BD.TRS.INSTLOCK - Do not use an instance lock to protect shared static data
BD.TRS.LOCK - Do not abandon unreleased locks
BD.TRS.ORDER - Do not acquire locks in different order
BD.TRS.TSHL - Do not use blocking methods while holding a lock
BEAN.BLNC - Use appropriate signatures for listener method names in JavaBean classes
BEAN.EQUALS - Override 'Object.equals()' in JavaBean classes
BEAN.JDBC - Do not use JDBC code in JavaBean classes
BEAN.NFM - Define get and set methods for each instance field
BEAN.SERIALIZABLE - Ensure that JavaBean classes implement 'java.io.Serializable'
CDD.DFI - Avoid duplicated field initialization in constructors
CDD.DUPC - Avoid code duplication
CDD.DUPI - Avoid duplicate import statements
CDD.DUPM - Avoid method duplication
CDD.DUPS - Avoid string literal duplication
CDD.DUPT - Avoid class duplication
CODSTA.BP.ABCL - Avoid "break" and/or "continue" with labels
CODSTA.BP.AMRO - Avoid declaring methods that return 'Object'
CODSTA.BP.ARM - Avoid using reflection methods
CODSTA.BP.ARN - Avoid returning "null" for arrays and certain types
CODSTA.BP.AULS - Avoid label statements
CODSTA.BP.AUML - Avoid using multiple loggers, use logging levels instead
CODSTA.BP.AWRT - Avoid using wildcards in method return types
CODSTA.BP.BLK - Provide a '{}' block for conditional statements
CODSTA.BP.BLOCK - Avoid unnecessary nested blocks
CODSTA.BP.CFNF - Declare fields with uppercase character names as "final"
CODSTA.BP.CMUTA - Avoid 'public' or 'protected' constructors for immutable classes
CODSTA.BP.CONTINUE - Do not use "break" and/or "continue" statements
CODSTA.BP.CS - Place constants on the appropriate side of comparisons
CODSTA.BP.DLSF - Declare loggers as "static final" fields
CODSTA.BP.EXIT - Do not call methods which terminates Java Virtual Machine
CODSTA.BP.FPF - Declare all formal parameters as "final"
CODSTA.BP.FQNIC - Reference interface constants with their declaring interface names
CODSTA.BP.HTV - Avoid using 'Hashtable' and 'Vector'
CODSTA.BP.IMPTD - Avoid or enforce usage of '*' form of import statements
CODSTA.BP.NRVA - Avoid passing non-reifiable types to varargs methods
CODSTA.BP.NTX - Avoid declaring methods to throw general or unchecked Exception types
CODSTA.BP.OCMA - Ensure overloaded constructors and methods share the same accessibility
CODSTA.BP.PCF - Ensure that a class which has only "private" constructors is declared as "final"
CODSTA.BP.PPAC - Do not define "public" or "protected" members in anonymous classes
CODSTA.EPC.AFP - Do not make assignments to method parameters
CODSTA.EPC.AGBPT - Avoid conversions from parameterized types to raw types
CODSTA.EPC.CLNC - Do not use constructors in the 'clone()' method
CODSTA.EPC.COMT - Avoid using the conditional operator with mismatched numeric types
CODSTA.EPC.IBS - Use "int" instead of "byte" or "short" and "double" instead of "float" for variable declarations
CODSTA.EPC.MSF - Do not use too many non-"final" "static" fields
CODSTA.EPC.NCAC - Do not call an "abstract" method from a constructor in an "abstract" class
CODSTA.EPC.NCE - Do not catch exception types which are too general or are unchecked exceptions
CODSTA.EPC.NCNFC - Do not call methods that might cause unexpected NullPointerExceptions during constructor execution
CODSTA.EPC.OVERLOAD - Use overloading judiciously
CODSTA.EPC.SCLONE - Call 'super.clone()' in all 'clone()' methods
CODSTA.EPC.STA - Avoid using the same generic type variable for multiple method arguments
CODSTA.EPC.UST - Use 'StringTokenizer' instead of 'indexOf()' and 'substring()' for String parsing
CODSTA.EPC.WSIM - Do not write to static fields from non-static methods
CODSTA.OIM.AMMO - Do not override non "abstract" methods of a parent class with "abstract" methods
CODSTA.OIM.CLONE - Declare 'clone() throws CloneNotSupportedException' for Cloneable class
CODSTA.OIM.CLONE2 - Use the 'clone()' method only to implement 'Cloneable' interface
CODSTA.OIM.CLONET - Ensure 'clone()' method of non-final Cloneable class declared to throw 'CloneNotSupportedException'
CODSTA.OIM.DVOM - Define a "static" 'valueOf()' method for "enum" types which override 'toString()'
CODSTA.OIM.OTOSM - Override 'toString()'
CODSTA.OIM.OVERRIDE - Override 'Object.hashCode()' when you override 'Object.equals()' and vice versa
CODSTA.OIM.OVOTS - Do not override 'toString()' in enum types
CODSTA.ORG.AMOC - Do not have more than one type in each file
CODSTA.ORG.ASSERT - Do not use assertions in production code
CODSTA.ORG.DCI - Define constants in an "interface"
CODSTA.ORG.DINT - Do not make method calls to internal classes from non-internal classes
CODSTA.ORG.FO - Order class elements appropriately
CODSTA.ORG.IMP - Avoid importing specific classes or packages
CODSTA.ORG.OGM - Organize methods by name
CODSTA.ORG.ORCU - Order compilation unit elements appropriately
CODSTA.ORG.ORFIM - Place 'finalize()' methods between "public" and "protected" methods
CODSTA.ORG.ORIMP - Present "import" statements in alphabetical order
CODSTA.ORG.PML - Place the 'main()' method last
CODSTA.ORG.TODOJAVA - Ensure that comments do not contain task tags
CODSTA.ORG.TODOPROP - Ensure that comments do not contain task tags
CODSTA.ORG.TODOXML - Ensure that comments do not contain task tags
CODSTA.ORG.UNDPN - Ensure all types have a non default package name
CODSTA.POD.ACIAP - Avoid constant interface anti-pattern
CODSTA.POD.ASM - Avoid "static" methods when the declaring class is a parameter type
CODSTA.POD.AUVT - Use less specific types to accomplish loose coupling
CODSTA.POD.CHAIN - Use chain constructors in classes with multiple constructors
CODSTA.POD.CIOC - Avoid chains of "instanceof" comparisons
CODSTA.POD.DCTOR - Define a no argument constructor whenever possible
CODSTA.POD.IASM - Do not access static members indirectly
CODSTA.POD.ISACF - Do not define constants in interfaces
CODSTA.POD.SMC - Avoid "switch" statements with too many or too few "case" statements
CODSTA.POD.UET - Use "enum" types instead of a series of "static final" constants
CODSTA.POD.UPT - Enforce or avoid the use of parameterized types
CODSTA.READ.ABUB - Do not rely on automatic boxing and unboxing of primitive types
CODSTA.READ.ACCS - Do not use complicated conditional expressions in control structures
CODSTA.READ.AEFS - Avoid or enforce usage of enhanced "for" loops
CODSTA.READ.AFD - Access and set fields directly in the declaring type instead of using getter and setter methods
CODSTA.READ.AFQN - Do not use fully qualified type names
CODSTA.READ.AIC - Avoid anonymous inner classes
CODSTA.READ.ANL - Avoid using negative logic in if-else statement
CODSTA.READ.ASIS - Avoid static import statements
CODSTA.READ.AUTS - Avoid unnecessary calls to 'toString()'
CODSTA.READ.CCB - Comment the ends of control structures
CODSTA.READ.CEB - Comment empty blocks
CODSTA.READ.CID - Avoid using increment or decrement operators in nested expressions
CODSTA.READ.CLV - Comment local variables
CODSTA.READ.CTA - Always call 'Collection.toArray()' with an empty constant array argument
CODSTA.READ.CX - Enforce or avoid usage of conditional operators
CODSTA.READ.DOWHILE - Avoid using "do-while" statements
CODSTA.READ.DUN - Do not use too many negation operators '!' in a single method
CODSTA.READ.DVCU - Declare variables as close as possible to where they are used
CODSTA.READ.ECSC - Explicitly call one of the superclass' constructors from all constructors
CODSTA.READ.FF - Declare "private" constant fields "final"
CODSTA.READ.FLV - Declare constant local variables "final"
CODSTA.READ.HBE - Avoid using Hexadecimal binary exponents
CODSTA.READ.LONG - Avoid having a lower-case "l" or the number "1" at the end of a "long" integer constant
CODSTA.READ.MTBS - Minimize "try" block size
CODSTA.READ.MVOS - Do not declare multiple variables in one statement
CODSTA.READ.NEA - Avoid nested assignments or assignments embedded in other expressions
CODSTA.READ.NMUC - Declare never-modified collections as "unmodifiable" for clarity
CODSTA.READ.NSI - Avoid non-static initializers
CODSTA.READ.PCIF - Declare "for" loops with an initializer, conditional, and updater statements
CODSTA.READ.PCTOR - Do not declare "public" constructors in non-public classes
CODSTA.READ.PDBB - Put declarations only at the beginning of blocks
CODSTA.READ.PFL - Enforce use of "for" or "while" loops
CODSTA.READ.SIE - Use 'isEmpty()' for Collections and Maps instead of comparing 'size()' to 0
CODSTA.READ.UATS - Avoid or enforce the use of "this" and "super" expressions
CODSTA.READ.UBL - Avoid create integer values from binary notation using Integer.parseInt() methods
CODSTA.READ.ULIT - Use underscore characters (_) in numerical literal
CODSTA.READ.USN - Avoid literal constants
CODSTA.READ.VDT - Do not declare multiple variables of different types in one statement
CODSTA.READ.VIFS - Limit the number of initialization and update statements in "for" loops
CWE.1004.SCHTTP - Mark cookies as HttpOnly
CWE.102.DFV - Avoid duplicated forms in the 'validation.xml'
CWE.103.CSVFV - Always call 'super.validate()' from validation methods in 'ActionForm' classes
CWE.104.AEAF - Do not extend from the Struts classes 'ActionForm' and 'DynaActionForm'
CWE.106.PLUGIN - Ensure Plugins are added in the 'struts-config.xml'
CWE.109.EV - Ensure validators are enabled in the 'struts-config.xml'
CWE.111.NATIW - Use wrapper methods to secure native methods
CWE.111.NATV - Do not use user-defined "native" methods
CWE.113.TDRESP - Protect against HTTP response splitting
CWE.114.APIBS - Inspect usage of standard API calls that bypass security
CWE.114.TDLIB - Protect against Library injection
CWE.117.TDLOG - Protect against log forging
CWE.119.ARRAY - Avoid accessing arrays out of bounds
CWE.119.ARRAYINP - Avoid unvalidated input in array indexes
CWE.119.BSA - Do not use an integer outside the range of
CWE.119.BUSSB - Prevent external processes from blocking on output or error streams
CWE.119.FREE - Do not use resources that have been freed
CWE.125.ARRAY - Avoid accessing arrays out of bounds
CWE.125.ARRAYINP - Avoid unvalidated input in array indexes
CWE.129.ARRAY - Avoid accessing arrays out of bounds
CWE.129.ARRAYINP - Avoid unvalidated input in array indexes
CWE.129.CAI - Always check parameters before use in array access
CWE.131.ARRAY - Avoid accessing arrays out of bounds
CWE.134.TDINPUT - Exclude unsanitized user input from format strings
CWE.15.SYSP - Do not access or set System properties
CWE.15.UCO - Use a Context Object to manage HTTP request parameters
CWE.185.REP - Avoid using "." as a regular expression in 'String.replaceAll()' and 'String.replaceFirst()'
CWE.190.BSA - Do not use an integer outside the range of
CWE.190.CACO - Avoid using compound assignment operators in cases which may cause overflow
CWE.190.CLP - Do not cast primitive data types to lower precision
CWE.190.ICO - Avoid calculations which result in overflow or NaN
CWE.190.INTOVERF - Avoid integer overflows
CWE.190.IOF - Use unsigned right shift instead of division when overflow is possible
CWE.191.BSA - Do not use an integer outside the range of
CWE.191.INTOVERF - Avoid integer overflows
CWE.193.AOBO - Avoid off-by-one errors in loop conditions
CWE.20.AEAF - Do not extend from the Struts classes 'ActionForm' and 'DynaActionForm'
CWE.20.APIBS - Inspect usage of standard API calls that bypass security
CWE.20.ARRAY - Avoid accessing arrays out of bounds
CWE.20.ARRAYINP - Avoid unvalidated input in array indexes
CWE.20.ARXML - Process XML and HTML with a library instead of raw text
CWE.20.ASAPI - Prevent the scripting API from executing untrusted code
CWE.20.BSA - Do not use an integer outside the range of
CWE.20.BUSSB - Prevent external processes from blocking on output or error streams
CWE.20.CACO - Avoid using compound assignment operators in cases which may cause overflow
CWE.20.CAI - Always check parameters before use in array access
CWE.20.CDBV - Canonicalize all data before validation
CWE.20.CLP - Do not cast primitive data types to lower precision
CWE.20.CSVFV - Always call 'super.validate()' from validation methods in 'ActionForm' classes
CWE.20.DCEMSL - Avoid untrusted input when logging messages with Seam Logging API
CWE.20.DFV - Avoid duplicated forms in the 'validation.xml'
CWE.20.EACM - Encapsulate arguments of dangerous methods with a validation method
CWE.20.EV - Ensure validators are enabled in the 'struts-config.xml'
CWE.20.FREE - Do not use resources that have been freed
CWE.20.ICO - Avoid calculations which result in overflow or NaN
CWE.20.INTOVERF - Avoid integer overflows
CWE.20.IOF - Use unsigned right shift instead of division when overflow is possible
CWE.20.NATIW - Use wrapper methods to secure native methods
CWE.20.NATV - Do not use user-defined "native" methods
CWE.20.PLUGIN - Ensure Plugins are added in the 'struts-config.xml'
CWE.20.SYSP - Do not access or set System properties
CWE.20.TDCMD - Protect against Command injection
CWE.20.TDCODE - Validate potentially tainted data before it is used in methods that generate code
CWE.20.TDDIG - Protect against Jakarta Digester injection
CWE.20.TDINPUT - Exclude unsanitized user input from format strings
CWE.20.TDJXPATH - Protect against JXPath injection
CWE.20.TDLDAP - Protect against LDAP injection
CWE.20.TDLIB - Protect against Library injection
CWE.20.TDLOG - Protect against log forging
CWE.20.TDNET - Protect against network resource injection
CWE.20.TDRESP - Protect against HTTP response splitting
CWE.20.TDRFL - Protect against Reflection injection
CWE.20.TDSQL - Protect against SQL injection
CWE.20.TDXML - Protect against XML data injection
CWE.20.TDXPATH - Protect against XPath injection
CWE.20.TDXSS - Protect against XSS vulnerabilities
CWE.20.UCO - Use a Context Object to manage HTTP request parameters
CWE.20.UPS - Use 'prepareCall' or 'prepareStatement' instead of 'createStatement'
CWE.20.VPPD - Validate all dangerous data
CWE.20.VRD - Encapsulate all redirect and forward URLs with a validation function
CWE.20.XPIJ - Avoid XPath injection when evaluating XPath queries
CWE.200.ACPST - Do not call the 'printStackTrace()' method of "Throwable" objects
CWE.200.CONSEN - Do not log confidential or sensitive information
CWE.200.EWSSEC - Avoid debug information from Spring Security framework to logs
CWE.200.FT - Avoid declaring "transient" fields in non-serializable classes
CWE.200.PEO - Do not pass exception messages into output in order to prevent the application from leaking sensitive information
CWE.200.SENS - Prevent exposure of sensitive data
CWE.200.SIO - Avoid calling print methods of 'System.err' or 'System.out'
CWE.209.ACPST - Do not call the 'printStackTrace()' method of "Throwable" objects
CWE.209.PEO - Do not pass exception messages into output in order to prevent the application from leaking sensitive information
CWE.209.SENS - Prevent exposure of sensitive data
CWE.209.SIO - Avoid calling print methods of 'System.err' or 'System.out'
CWE.212.FT - Avoid declaring "transient" fields in non-serializable classes
CWE.213.CONSEN - Do not log confidential or sensitive information
CWE.215.EWSSEC - Avoid debug information from Spring Security framework to logs
CWE.22.TDFNAMES - Protect against File names injection
CWE.245.JDBCTEMPLATE - Avoid using native JDBC
CWE.246.AUS - Do not use sockets in EJBs
CWE.246.NSF - Do not call 'Socket.setSocketImplFactory()' or 'URL.setURLStreamHandlerFactory()' in a web component
CWE.246.SS - Do not use sockets in web components
CWE.250.LDP - Limit the number of "AccessController.doPrivileged" calls per class
CWE.250.PCL - Limit the number of lines in "privileged" code blocks
CWE.252.CHECKRET - Consistently check the returned value of non-void methods
CWE.252.CRRV - Check the return value of methods which read or skip input
CWE.256.PCCF - Avoid storing usernames and passwords in plain text in Castor 'jdo-conf.xml' files
CWE.256.PLAIN - Password information should not be included in properties file in plaintext
CWE.256.PTPT - Avoid using plain text passwords in Axis 'wsdd' files
CWE.256.PWDPROP - Ensure that passwords are not stored as plaintext and are sufficiently long
CWE.256.PWDXML - Ensure that passwords are not stored as plaintext and are sufficiently long
CWE.256.TDPASSWD - Protect against using unprotected credentials
CWE.256.UPWD - Avoid storing unencrypted Hibernate usernames and passwords in 'web.xml' files
CWE.256.UTAX - Avoid using plain text passwords in Axis2 configuration files
CWE.256.WCPWD - Avoid unencrypted passwords in WebSphere 'ibm-webservicesclient-ext.xmi' files
CWE.256.WPWD - Avoid unencrypted passwords in WebSphere 'ibm-webservices-ext.xmi' files
CWE.258.PWDPROP - Ensure that passwords are not stored as plaintext and are sufficiently long
CWE.260.UTAX - Avoid using plain text passwords in Axis2 configuration files
CWE.261.CKTS - Avoid using cryptographic keys which are too short
CWE.269.DPANY - Avoid granting access permission for EJB methods to the 'ANYONE' role
CWE.269.LDP - Limit the number of "AccessController.doPrivileged" calls per class
CWE.269.PCL - Limit the number of lines in "privileged" code blocks
CWE.287.CAM - Keep all authentication methods centralized to enforce consistency
CWE.287.CKTS - Avoid using cryptographic keys which are too short
CWE.287.DNSL - Avoid DNS lookups for decision making
CWE.287.HCCK - Avoid using hard-coded cryptographic keys
CWE.287.HCCS - Avoid passing hardcoded usernames/passwords/URLs to database connection methods
CWE.287.HV - Ensure the HostnameVerifier.verify() method validates the certificate
CWE.287.MLVP - Use the 'minlength' validator for password fields in 'validation.xml'
CWE.287.PCCF - Avoid storing usernames and passwords in plain text in Castor 'jdo-conf.xml' files
CWE.287.PLAIN - Password information should not be included in properties file in plaintext
CWE.287.PTPT - Avoid using plain text passwords in Axis 'wsdd' files
CWE.287.PWDPROP - Ensure that passwords are not stored as plaintext and are sufficiently long
CWE.287.PWDXML - Ensure that passwords are not stored as plaintext and are sufficiently long
CWE.287.SSM - Ensure that an appropriate security manager is set
CWE.287.TDPASSWD - Protect against using unprotected credentials
CWE.287.UOSC - Use the ''getSecure()'' and ''setSecure()'' methods to enforce the use of secure cookies
CWE.287.UPWD - Avoid storing unencrypted Hibernate usernames and passwords in 'web.xml' files
CWE.287.USC - Use the SSL-enabled version of classes when possible
CWE.287.UTAX - Avoid using plain text passwords in Axis2 configuration files
CWE.287.VSI - Properly validate server identity
CWE.287.WCPWD - Avoid unencrypted passwords in WebSphere 'ibm-webservicesclient-ext.xmi' files
CWE.287.WPWD - Avoid unencrypted passwords in WebSphere 'ibm-webservices-ext.xmi' files
CWE.295.HV - Ensure the HostnameVerifier.verify() method validates the certificate
CWE.297.VSI - Properly validate server identity
CWE.306.CAM - Keep all authentication methods centralized to enforce consistency
CWE.306.SSM - Ensure that an appropriate security manager is set
CWE.306.UOSC - Use the ''getSecure()'' and ''setSecure()'' methods to enforce the use of secure cookies
CWE.306.USC - Use the SSL-enabled version of classes when possible
CWE.309.MLVP - Use the 'minlength' validator for password fields in 'validation.xml'
CWE.311.HTTPS - Use 'https' instead of 'http' for the 'transportReceiver' and 'transportSender' in 'axis2.xml' configuration files
CWE.311.PLAIN - Password information should not be included in properties file in plaintext
CWE.311.PWDPROP - Ensure that passwords are not stored as plaintext and are sufficiently long
CWE.311.PWDXML - Ensure that passwords are not stored as plaintext and are sufficiently long
CWE.311.SENS - Prevent exposure of sensitive data
CWE.311.USC - Use the SSL-enabled version of classes when possible
CWE.312.PWDPROP - Ensure that passwords are not stored as plaintext and are sufficiently long
CWE.313.PLAIN - Password information should not be included in properties file in plaintext
CWE.315.PLC - Avoid storing sensitive data in plaintext in a cookie
CWE.319.HCNA - Do not hard-code IP addresses and port numbers
CWE.321.HCCK - Avoid using hard-coded cryptographic keys
CWE.325.MCMDU - MessageDigest objects must process the data with the 'update' method
CWE.325.SIKG - Initialize KeyGenerator instances
CWE.326.AISSAJAVA - Avoid using insecure cryptographic algorithms for data encryption with Spring
CWE.326.AISSAXML - Avoid using insecure cryptographic algorithms in Spring XML configurations
CWE.326.AUNC - Avoid using the javax.crypto.NullCipher class in non-test classes
CWE.326.CKTS - Avoid using cryptographic keys which are too short
CWE.326.ICA - Avoid using insecure algorithms for cryptography
CWE.326.MDSALT - Use hash functions with a salt
CWE.326.SRD - Use 'java.security.SecureRandom' instead of 'java.util.Random' or 'Math.random()'
CWE.327.ACMD - Avoid using custom MessageDigest implementations
CWE.327.AISSAJAVA - Avoid using insecure cryptographic algorithms for data encryption with Spring
CWE.327.AISSAXML - Avoid using insecure cryptographic algorithms in Spring XML configurations
CWE.327.AUNC - Avoid using the javax.crypto.NullCipher class in non-test classes
CWE.327.ICA - Avoid using insecure algorithms for cryptography
CWE.327.SRD - Use 'java.security.SecureRandom' instead of 'java.util.Random' or 'Math.random()'
CWE.328.AISSAJAVA - Avoid using insecure cryptographic algorithms for data encryption with Spring
CWE.328.AISSAXML - Avoid using insecure cryptographic algorithms in Spring XML configurations
CWE.328.AUNC - Avoid using the javax.crypto.NullCipher class in non-test classes
CWE.328.ICA - Avoid using insecure algorithms for cryptography
CWE.328.MDSALT - Use hash functions with a salt
CWE.328.SRD - Use 'java.security.SecureRandom' instead of 'java.util.Random' or 'Math.random()'
CWE.329.ENPP - Ensure arguments passed to certain methods come from predefined methods list
CWE.329.IVR - Avoid non-random "byte
CWE.336.ENPP - Ensure arguments passed to certain methods come from predefined methods list
CWE.337.ENPP - Ensure arguments passed to certain methods come from predefined methods list
CWE.338.SRD - Use 'java.security.SecureRandom' instead of 'java.util.Random' or 'Math.random()'
CWE.347.VJFS - Always verify JarFile signatures
CWE.350.DNSL - Avoid DNS lookups for decision making
CWE.352.DCSRFJAVA - Do not disable CSRF protection
CWE.352.DCSRFXML - Do not disable CSRF protection
CWE.352.EACM - Encapsulate arguments of dangerous methods with a validation method
CWE.352.REQMAP - Ensure that methods annotated with @RequestMapping specify the HTTP request method they call
CWE.352.TDRESP - Protect against HTTP response splitting
CWE.352.TDXSS - Protect against XSS vulnerabilities
CWE.352.UOSC - Use the ''getSecure()'' and ''setSecure()'' methods to enforce the use of secure cookies
CWE.352.VPPD - Validate all dangerous data
CWE.359.CONSEN - Do not log confidential or sensitive information
CWE.362.DCL - Avoid unsafe implementations of the "double-checked locking" pattern
CWE.366.TSHL - Do not use blocking methods while holding a lock
CWE.367.TOCTOU - Avoid Time-of-check Time-of-use (TOCTOU) Race Condition
CWE.369.ZERO - Avoid division by zero
CWE.375.RA - Avoid methods that might expose internal representations by returning arrays or other mutable fields
CWE.377.ATF - Avoid temporary files
CWE.382.EXIT - Do not call methods which terminates Java Virtual Machine
CWE.382.JVM - Do not stop the JVM in a web component
CWE.383.THR - Do not use threads in web components
CWE.384.ISL - Always call 'HttpSession.invalidate()' before 'LoginContext.login()'
CWE.390.LGE - Ensure all exceptions are either logged with a standard logger or rethrown
CWE.391.AECB - Avoid "try", "catch" and "finally" blocks with empty bodies
CWE.395.NCNPE - Do not catch 'NullPointerException'
CWE.396.NCE - Do not catch exception types which are too general or are unchecked exceptions
CWE.397.NTERR - Do not throw exception types which are too general or are unchecked exceptions
CWE.397.NTX - Avoid declaring methods to throw general or unchecked Exception types
CWE.401.LML - Avoid using collections without size limit in servlets
CWE.404.COCO - Close JDBC objects in the correct order
CWE.404.CRWD - Close resources as early as possible
CWE.404.ODBIL - Do not open or close JDBC connections in loops
CWE.413.LORD - Ensure that nested locks are ordered correctly
CWE.416.FREE - Do not use resources that have been freed
CWE.426.PBRTE - Always specify absolute paths to execute commands
CWE.434.TDFNAMES - Protect against File names injection
CWE.456.LV - Initialize all local variables explicitly at the declaration statement
CWE.457.NOTEXPLINIT - Avoid use before explicit initialization
CWE.457.NOTINITCTOR - Avoid use of fields before initialization in constructors and static initializers
CWE.457.NP - Avoid NullPointerException
CWE.459.LEAKS - Ensure resources are deallocated
CWE.470.APIBS - Inspect usage of standard API calls that bypass security
CWE.470.TDRFL - Protect against Reflection injection
CWE.476.DEREF - Do not check for null after dereferencing
CWE.476.NP - Avoid NullPointerException
CWE.477.DPRAPI - Do not use deprecated APIs
CWE.478.PDS - Provide "default:" for each "switch" statement
CWE.481.ASI - Avoid assignment within a condition
CWE.483.BLK - Provide a '{}' block for conditional statements
CWE.483.EB - Avoid control statements with empty bodies
CWE.483.EBI - Avoid erroneously placing statements outside blocks
CWE.484.DAV - Avoid assigning same variable in the fall-through switch case
CWE.484.SBC - Do not use a "switch" statement with a bad "case"
CWE.486.AUG - Inspect usage of 'getName()' from 'java.lang.Class' object
CWE.486.CMP - Do not compare Class objects by name
CWE.487.AF - Avoid "public"/"protected"/package-private fields
CWE.491.CLONE - Make your 'clone()' method "final" for security
CWE.495.RA - Avoid methods that might expose internal representations by returning arrays or other mutable fields
CWE.496.CAP - Always clone array parameters which are stored to fields
CWE.497.PEO - Do not pass exception messages into output in order to prevent the application from leaking sensitive information
CWE.497.SENS - Prevent exposure of sensitive data
CWE.499.SER - Make your classes nonserializeable
CWE.499.SIF - Inspect instance fields of serializable objects to make sure they will not expose sensitive information
CWE.500.SPFF - Inspect 'static' fields which may have intended to be declared 'static final'
CWE.501.TDSESSION - Do not store untrusted data in HTTP session
CWE.502.AUXD - Avoid parsing untrusted data with XMLDecoder
CWE.502.MASP - Assign 'protected' accessibility to 'readResolve()' and 'writeReplace()' methods in serializable classes
CWE.502.RWAF - Ensure that all fields are assigned by the 'readObject()' method and written out by the 'writeObject()' method
CWE.502.SC - Disable LDAP deserialization
CWE.502.SSSD - Safely serialize sensitive data
CWE.502.VOBD - Validate objects before deserialization
CWE.506.HCCK - Avoid using hard-coded cryptographic keys
CWE.511.RDM - Inspect 'Random' objects or 'Math.random()' methods that could indicate areas where malicious code has been placed
CWE.521.MLVP - Use the 'minlength' validator for password fields in 'validation.xml'
CWE.522.PCCF - Avoid storing usernames and passwords in plain text in Castor 'jdo-conf.xml' files
CWE.522.PLAIN - Password information should not be included in properties file in plaintext
CWE.522.PTPT - Avoid using plain text passwords in Axis 'wsdd' files
CWE.522.PWDPROP - Ensure that passwords are not stored as plaintext and are sufficiently long
CWE.522.PWDXML - Ensure that passwords are not stored as plaintext and are sufficiently long
CWE.522.TDPASSWD - Protect against using unprotected credentials
CWE.522.UPWD - Avoid storing unencrypted Hibernate usernames and passwords in 'web.xml' files
CWE.522.USC - Use the SSL-enabled version of classes when possible
CWE.522.UTAX - Avoid using plain text passwords in Axis2 configuration files
CWE.522.WCPWD - Avoid unencrypted passwords in WebSphere 'ibm-webservicesclient-ext.xmi' files
CWE.522.WPWD - Avoid unencrypted passwords in WebSphere 'ibm-webservices-ext.xmi' files
CWE.523.USC - Use the SSL-enabled version of classes when possible
CWE.532.CONSEN - Do not log confidential or sensitive information
CWE.543.IASF - Inspect accesses to "static" fields which may require synchronization
CWE.543.ILI - Make lazy initializations thread-safe
CWE.546.TODOJAVA - Ensure that comments do not contain task tags
CWE.546.TODOPROP - Ensure that comments do not contain task tags
CWE.546.TODOXML - Ensure that comments do not contain task tags
CWE.555.PWDXML - Ensure that passwords are not stored as plaintext and are sufficiently long
CWE.555.UPWD - Avoid storing unencrypted Hibernate usernames and passwords in 'web.xml' files
CWE.561.CC - Avoid conditions that always evaluate to the same value
CWE.561.DEREF - Do not check for null after dereferencing
CWE.561.PM - Avoid unused "private" methods
CWE.561.SWITCH - Avoid switch with unreachable branches
CWE.563.AURV - Avoid local variables that are never read
CWE.563.PF - Avoid unused "private" fields
CWE.563.POVR - Avoid overwriting method parameters before each use
CWE.563.UP - Avoid unused parameters
CWE.563.VOVR - Avoid unused values
CWE.566.AUSS - Avoid using "SELECT *" in SQL queries
CWE.568.FCF - Call 'super.finalize()' from 'finalize()'
CWE.570.CC - Avoid conditions that always evaluate to the same value
CWE.570.UCIF - Avoid unnecessary 'if' statements
CWE.571.CC - Avoid conditions that always evaluate to the same value
CWE.571.UCIF - Avoid unnecessary 'if' statements
CWE.572.IRUN - Do not call the 'run()' method directly on classes extending 'java.lang.Thread' or implementing 'java.lang.Runnable'
CWE.576.JIO - Do not use types from the "java.io" package within bean classes
CWE.577.AUS - Do not use sockets in EJBs
CWE.578.ACL - Do not access, use, or create a class loader within a bean class
CWE.579.SNSO - Do not store non-serializable objects as HttpSession attributes
CWE.580.SCLONE - Call 'super.clone()' in all 'clone()' methods
CWE.581.OVERRIDE - Override 'Object.hashCode()' when you override 'Object.equals()' and vice versa
CWE.582.IMM - Ensure "static" "final" fields are immutable
CWE.582.PSFA - Avoid using "public static final" array fields
CWE.583.MFP - Give "finalize()" methods "protected" access
CWE.584.ARCF - Avoid using 'return's inside 'finally blocks if thare are other 'return's inside the try-catch block
CWE.585.SNE - Avoid empty "synchronized" statements
CWE.586.NCF - Do not call 'finalize()' explicitly
CWE.594.SIVS - Ensure instance variables of @Stateful beans are Serializable
CWE.595.UEIC - Do not use '==' or '!=' to compare objects
CWE.6.SLID - Ensure Session-ID Length is sufficient
CWE.600.CETS - Catch all exceptions which may be thrown within Servlet methods
CWE.601.TDNET - Protect against network resource injection
CWE.601.TDRESP - Protect against HTTP response splitting
CWE.601.UCO - Use a Context Object to manage HTTP request parameters
CWE.601.VRD - Encapsulate all redirect and forward URLs with a validation function
CWE.605.HCNA - Do not hard-code IP addresses and port numbers
CWE.607.IMM - Ensure "static" "final" fields are immutable
CWE.607.RMO - Avoid referencing mutable fields
CWE.609.DCL - Avoid unsafe implementations of the "double-checked locking" pattern
CWE.611.DXXE - Disable XML external entity injection
CWE.611.XMLVAL - Validate untrusted XML using schema or DTD before reading
CWE.613.RUIM - Ensure proper session expiration
CWE.613.STTL - Ensure that sessions are configured to time out in 'web.xml' files
CWE.614.UOSC - Use the ''getSecure()'' and ''setSecure()'' methods to enforce the use of secure cookies
CWE.617.ASSERT - Do not use assertions in production code
CWE.643.TDJXPATH - Protect against JXPath injection
CWE.643.TDXPATH - Protect against XPath injection
CWE.644.TDRESP - Protect against HTTP response splitting
CWE.647.CDBV - Canonicalize all data before validation
CWE.652.TDXPATH - Protect against XPath injection
CWE.652.XPIJ - Avoid XPath injection when evaluating XPath queries
CWE.662.DIFCS - Variable should be used in context of single critical section
CWE.665.NOTEXPLINIT - Avoid use before explicit initialization
CWE.665.NOTINITCTOR - Avoid use of fields before initialization in constructors and static initializers
CWE.667.CLOSE - Unrestricted lock resource
CWE.667.LOCK - Do not abandon unreleased locks
CWE.674.FLRC - Avoid infinite recursive method calls
CWE.676.SRD - Use 'java.security.SecureRandom' instead of 'java.util.Random' or 'Math.random()'
CWE.680.BSA - Do not use an integer outside the range of
CWE.681.CLP - Do not cast primitive data types to lower precision
CWE.681.IDCD - Do not assign the result of an integer division to a floating point variable
CWE.690.EAR - Ensure that non-"void" methods have a return value other than empty arrays and "null"
CWE.691.ANL - Avoid using negative logic in if-else statement
CWE.7.SEP - Always specify error pages in web.xml
CWE.704.AGBPT - Avoid conversions from parameterized types to raw types
CWE.704.CPTS - Do not convert a value to a String by concatenating the empty String
CWE.732.SCHTTP - Mark cookies as HttpOnly
CWE.755.CIET - Do not catch InterruptedException except in classes extending Thread
CWE.759.MDSALT - Use hash functions with a salt
CWE.764.DLOCK - Avoid double locking
CWE.77.TDCMD - Protect against Command injection
CWE.770.ISTART - Do not call the 'start()' method directly on Thread class instances
CWE.771.LEAKS - Ensure resources are deallocated
CWE.772.CLOSE - Unrestricted lock resource
CWE.772.LEAKS - Ensure resources are deallocated
CWE.778.ENFL - Ensure all sensitive method invocations are logged
CWE.78.TDCMD - Protect against Command injection
CWE.787.ARRAY - Avoid accessing arrays out of bounds
CWE.787.ARRAYINP - Avoid unvalidated input in array indexes
CWE.79.CDBV - Canonicalize all data before validation
CWE.79.EACM - Encapsulate arguments of dangerous methods with a validation method
CWE.79.TDRESP - Protect against HTTP response splitting
CWE.79.TDXSS - Protect against XSS vulnerabilities
CWE.79.VPPD - Validate all dangerous data
CWE.798.HCCS - Avoid passing hardcoded usernames/passwords/URLs to database connection methods
CWE.798.PCCF - Avoid storing usernames and passwords in plain text in Castor 'jdo-conf.xml' files
CWE.798.PTPT - Avoid using plain text passwords in Axis 'wsdd' files
CWE.798.PWDXML - Ensure that passwords are not stored as plaintext and are sufficiently long
CWE.798.UPWD - Avoid storing unencrypted Hibernate usernames and passwords in 'web.xml' files
CWE.798.UTAX - Avoid using plain text passwords in Axis2 configuration files
CWE.798.WCPWD - Avoid unencrypted passwords in WebSphere 'ibm-webservicesclient-ext.xmi' files
CWE.798.WPWD - Avoid unencrypted passwords in WebSphere 'ibm-webservices-ext.xmi' files
CWE.8.RR - Do not declare entity beans as remote
CWE.80.ARXML - Process XML and HTML with a library instead of raw text
CWE.80.TDDIG - Protect against Jakarta Digester injection
CWE.80.TDXML - Protect against XML data injection
CWE.806.BUSSB - Prevent external processes from blocking on output or error streams
CWE.807.HGRSI - Avoid using the 'getRequestedSessionId' method from the 'HttpServletRequest' class
CWE.807.PLC - Avoid storing sensitive data in plaintext in a cookie
CWE.807.UOSC - Use the ''getSecure()'' and ''setSecure()'' methods to enforce the use of secure cookies
CWE.81.ARXML - Process XML and HTML with a library instead of raw text
CWE.829.TDFILES - Protect against File contents injection
CWE.829.TDFNAMES - Protect against File names injection
CWE.829.TDLIB - Protect against Library injection
CWE.829.TDXPATH - Protect against XPath injection
CWE.83.ARXML - Process XML and HTML with a library instead of raw text
CWE.832.LORD - Ensure that nested locks are ordered correctly
CWE.833.CSFS - Do not cause deadlocks by calling a "synchronized" method from a "synchronized" method
CWE.833.ORDER - Do not acquire locks in different order
CWE.833.RLF - Release Locks in a "finally" block
CWE.833.STR - Do not perform synchronization nor call semaphore methods on an Object's 'this' reference
CWE.833.TSHL - Do not use blocking methods while holding a lock
CWE.833.UWNA - Use 'wait()' and 'notifyAll()' instead of polling loops
CWE.835.AIL - Avoid infinite loops
CWE.835.PCIF - Declare "for" loops with an initializer, conditional, and updater statements
CWE.836.PLAIN - Password information should not be included in properties file in plaintext
CWE.838.SEO - Avoid calling methods and constructors which do not allow you to specify a character encoding option
CWE.841.PERMIT - Avoid EJB 3 methods without security annotations
CWE.862.LCA - Include an appropriate '<login-config>' element to specify the type of authentication to be performed in 'web.xml' files
CWE.862.PERMIT - Avoid EJB 3 methods without security annotations
CWE.863.DSR - Avoid defining multiple security roles with the same name in 'web.xml' files
CWE.863.SRCD - Ensure that each security role referenced in a 'web.xml' file has a corresponding definition
CWE.89.TDSQL - Protect against SQL injection
CWE.89.UPS - Use 'prepareCall' or 'prepareStatement' instead of 'createStatement'
CWE.9.DPANY - Avoid granting access permission for EJB methods to the 'ANYONE' role
CWE.90.TDLDAP - Protect against LDAP injection
CWE.91.TDXML - Protect against XML data injection
CWE.94.ASAPI - Prevent the scripting API from executing untrusted code
CWE.94.DCEMSL - Avoid untrusted input when logging messages with Seam Logging API
CWE.94.TDCODE - Validate potentially tainted data before it is used in methods that generate code
CWE.95.TDCODE - Validate potentially tainted data before it is used in methods that generate code
CWE.99.TDNET - Protect against network resource injection
DBC.CPT - Do not include a postcondition saying that "$result!=null" in methods which can return null
DBC.IGM - Provide an '@invariant' contract for all getter methods
DBC.IMNR - Do not invoke a method on a reference that is not guaranteed to be non-null
DBC.IPAN - Include a '@pre != null' tag for each parameter that is dereferenced before being checked for null
DBC.PKGC - Provide an '@invariant' contract for all package-private classes
DBC.PKGMPOST - Provide a '@post' contract for all package-private methods
DBC.PKGMPRE - Provide a '@pre' contract for all package-private methods
DBC.PRIC - Provide an '@invariant' contract for all "private" classes
DBC.PRIMPOST - Provide a '@post' contract for all "private" methods
DBC.PRIMPRE - Provide a '@pre' contract for all "private" methods
DBC.PROC - Provide an '@invariant' contract for all "protected" classes
DBC.PROMPOST - Provide a '@post' contract for all "protected" methods
DBC.PROMPRE - Provide a '@pre' contract for all "protected" methods
DBC.PUBC - Provide an '@invariant' contract for all "public" classes
DBC.PUBMPOST - Provide a '@post' contract for all "public" methods
DBC.PUBMPRE - Provide a '@pre' contract for all "public" methods
DBC.RCC - Avoid rechecking @pre and @post conditions
DBC.SYNTAX - Use correct syntax in the DbC contracts
ECLIPSE.IPMF - Avoid exporting "internal" packages in MANIFEST.MF
ECLIPSE.PCMF - Ensure "Export-Package" and "Provide-Package" match in MANIFEST.MF for Eclipse 3.0 compatibility
ECLIPSE.SMF - Avoid missing "Eclipse-AutoStart" entry in MANIFEST.MF
EJB.EJB3.AIA - Avoid ignored or invalid annotations
EJB.EJB3.AISE - Avoid IllegalStateException when using transactions
EJB.EJB3.BMN - Do not start business method names with "ejb"
EJB.EJB3.CMF - Improper signature of the annotated method in EJB bean
EJB.EJB3.CPIM - Call 'InvocationContext.proceed()' from @AroundInvoke methods
EJB.EJB3.EAII - Do not expose @AroundInvoke method in business interface
EJB.EJB3.IDA - Avoid improper use of @Id annotation
EJB.EJB3.IDCS - Ensure @IdClass is Serializable and defines "equals()" and "hashCode()" methods
EJB.EJB3.MDBS - Do not extend other @MessageDriven beans from a @MessageDriven bean
EJB.EJB3.MDML - Ensure @MessageDriven beans specify a MessageListener
EJB.EJB3.MTM - Do not declare multiple "@Timeout" methods
EJB.EJB3.PCUN - Always specify "unitName" with @PersistenceContext
EJB.EJB3.PERMIT - Avoid EJB 3 methods without security annotations
EJB.EJB3.RLI - Do not declare an interface both @Local and @Remote
EJB.EJB3.RMSB - Specify a @Remove method for @Stateful beans
EJB.EJB3.SIVS - Ensure instance variables of @Stateful beans are Serializable
EJB.EJB3.SRBM - Ensure parameters and return type of remote business methods are Serializable
EJB.EJB3.ULI - Access beans through a local interface
EJB.ABCS - Do not use Servlet code in EJB classes
EJB.ABFG - Do not use Entity Beans as fine-grained objects
EJB.ACL - Do not access, use, or create a class loader within a bean class
EJB.ADCB - Do not use EJB code in java swing or servlet classes
EJB.AIEBC - Avoid excessive inter-entity bean communication
EJB.AJDBC - Do not use JDBC code inside of EJB classes
EJB.AMSC - Do not access or modify security configuration objects
EJB.AOTO - Avoid one-to-one mapping between session beans and entity beans
EJB.AUS - Do not use sockets in EJBs
EJB.CDP - Declare bean classes "public"
EJB.CNDA - Do not declare bean classes as "abstract"
EJB.CNDF - Do not declare bean classes as "final"
EJB.CRTE - Declare 'ejbCreate()' methods "public", but neither "static" nor "final"
EJB.DPANY - Avoid granting access permission for EJB methods to the 'ANYONE' role
EJB.EJBLOAD - Do not call finder methods in the 'ejbLoad()'
EJB.FNDM - Declare finder methods "public" and neither "final" nor "static"
EJB.IECM - Implement one or more 'ejbCreate()' methods in bean classes
EJB.IEPM - Implement one or more 'ejbPostCreate()' methods in EntityBean classes
EJB.JIO - Do not use types from the "java.io" package within bean classes
EJB.LNL - Avoid loading native libraries in a Bean class
EJB.MDBC - Implement a no-argument 'ejbCreate()' method for all Message-driven bean classes
EJB.MEC - Define a matching 'ejbPostCreate()' method for each 'ejbCreate' method in entity bean classes
EJB.MNDF - Do not define 'finalize()' method in bean classes
EJB.MRE - Throw 'java.rmi.RemoteException' in the methods of remote interface and remote home interface
EJB.NFDC - Declare a "public" constructor that takes no parameters in bean classes
EJB.NFS - Declare all "static" fields in EJB bean classes "final"
EJB.PCRTE - Declare 'ejbPostCreate()' "public" and neither "static" nor "final"
EJB.RILH - Do not throw 'java.rmi.RemoteException' in a bean's local interface and local home interface
EJB.RR - Do not declare entity beans as remote
EJB.RT - The return type of EJB finder methods should be the primary key or a collection of primary keys
EJB.RTC - Make the return type "void" for SessionBeans or MessageDrivenBeans' 'ejbCreate()' methods
EJB.RTP - Make the return type "void" for the 'ejbPostCreate()' method
EJB.RUH - Reuse EJB homes
EJB.SMSN - Do not set or create a new SecurityManager in EJBs
EJB.STD - Ensure EJB beans include necessary methods and EJB bean and interface classes follow the name format
EJB.TCE - Throw 'javax.ejb.CreateException' in create methods of remote home or local home interfaces
EJB.TFE - Throw 'javax.ejb.FinderException' in finder methods of remote home or local home interfaces
EJB.THISARG - Avoid passing the "this" reference as an argument
EJB.THISRET - Do not return "this"
EJB.THREAD - Avoid starting, stopping, or managing threads in any way in bean classes
EJB.UCIC - Cache reusable JNDI resources to minimize the use of expensive operations
EJB.USF - Use a Session Facade to manage access to entity beans
EJB.UVO - Use Value Objects to reduce the granularity of calls to the server
EXCEPT.AEFC - Do not abuse exceptions as flow control statements
EXCEPT.AIOC - Do not use instanceof in a catch block to check the exception type
EXCEPT.CATO - Catch all "Throwable" objects which may be thrown in the body of certain methods
EXCEPT.CDUPL - Avoid catch clauses with the same content
EXCEPT.CLFIN - Avoid using finally block for closing resource only
EXCEPT.CTE - Always chain thrown exceptions
EXCEPT.EPNFC - Do not throw exceptions from constructors of "public" non-"final" classes
EXCEPT.HCB - Do not hide 'catch' blocks
EXCEPT.IMMEX - Declare all fields of user-defined 'Exception' as "final"
EXCEPT.MTE - Do not declare any thrown exceptions in the 'main()' method
EXCEPT.NCERR - Do not catch the 'java.lang.Error' object
EXCEPT.NCNPE - Do not catch 'NullPointerException'
EXCEPT.NFE - Ensure that the 'parse' methods of the numeric classes do not throw unhandled "NumberFormatExceptions"
EXCEPT.NTERR - Do not throw exception types which are too general or are unchecked exceptions
EXCEPT.NTNPE - Do not throw 'NullPointerException'
EXCEPT.RTERR - Rethrow certain exceptions if they are caught
EXCEPT.TEFEC - Do not throw exceptions from the constructors of exception classes
EXCEPT.TRY - Place "try/catch/finally" blocks outside of loops
EXCEPT.TSCE - Exception messages must meet minimum character requirement
FORMAT.APAREN - Use '()' to separate complex expressions
FORMAT.ASPACE - Ensure proper spacing in array references
FORMAT.ATS - Do not place empty whitespace at the end of a line
FORMAT.BLBC - Put a blank line before each C-style comment
FORMAT.BLCD - Enforce number of blank line(s) before type declarations
FORMAT.BLSIM - Enforce number of blank line(s) to separate "imports" from different packages
FORMAT.CBRACE - Place a closing brace on its own line
FORMAT.CMS - Place a single space character or no space character after type casting
FORMAT.DOT - Do not leave spaces between qualified names and method invocations
FORMAT.DUT - Use spaces instead of tabs (or tabs instead of spaces)
FORMAT.FCB - Enforce the position of '{' brace
FORMAT.FCN - Place the type that has the same name as the file as the first type
FORMAT.IAD - Declare arrays with '
FORMAT.IND - Enforce number of space(s) for indentation
FORMAT.LL - Limit the maximum length of a line
FORMAT.MCH - Include a meaningful file header comment in every source file
FORMAT.MO - Enforce the order of annotations and modifiers
FORMAT.MSP - Place a single space character or no space character between a method name and the opening "(" parenthesis
FORMAT.NSAB - Do not place statements on the same line as the '{' opening brace
FORMAT.OSPL - Write one statement per line
FORMAT.SAC - Enforce number of space character(s) after every comma
FORMAT.SAOP - Enforce number of space character(s) on each side of an assignment operator
FORMAT.SAP - Enforce number of space character(s) after the opening parenthesis "(" of a conditional statement
FORMAT.SAS - Enforce number of space character(s) after every semicolon
FORMAT.SAUOP - Enforce number of space character(s) between a prefixed unary operator and its operand
FORMAT.SBOP - Enforce number of space character(s) on each side of a bitwise operator
FORMAT.SBUOP - Enforce number of space character(s) between a postfixed unary operator and its operand
FORMAT.SC - Enforce number of space character(s) between a conditional statement and the opening "(" parenthesis
FORMAT.SCOP - Enforce number of space character(s) before and after the "?" conditional operator
FORMAT.SLOP - Enforce number of space character(s) on each side of a logical operator
FORMAT.SROP - Enforce number of space character(s) on each side of a relational operator
FORMAT.TC - Avoid using trailing comments
FORMAT.TCOMMA - Avoid or enforce the use of trailing commas in array initializers
FORMAT.TE - Use the preferred formatting for conditional expressions
FORMAT.TNL - Make sure all files are terminated with a newline character
FORMAT.U2BL - Enforce number of blank line(s) between major sections
FORMAT.UP - Avoid unnecessary parentheses
GC.AUTP - Do not use unnecessary temporaries when converting primitive types to String
GC.DUD - Avoid using 'Date
GC.FCF - Call 'super.finalize()' from 'finalize()'
GC.FM - Do not use 'finalize()' methods to unregister listeners
GC.GC - Do not explicitly call 'System.gc()' or 'Runtime.gc()'
GC.GCB - Reuse calls to 'getClipBounds()'
GC.IFF - Call 'super.finalize()' in the "finally" block of 'finalize()' methods
GC.MML - Be cautious when calling methods which may cause memory leaks
GC.NCF - Do not call 'finalize()' explicitly
GC.OSTM - Prevent potential memory leaks in ObjectOutputStreams by calling 'reset()'
GC.RCO - Reuse immutable constant objects to conserve memory
GC.STV - Avoid "static" collections or maps; they can grow without bounds
HIBERNATE.CAR - Call 'addClass()' instead of 'addResource()' to add a mapping to a 'Configuration'
HIBERNATE.CHS - Close Hibernate Sessions in "finally" blocks
HIBERNATE.CSF - Close all 'SessionFactory' objects
HIBERNATE.GSIM - Include getter and setter methods and an id field for any object mapped to a column in a database table
HIBERNATE.IDC - Declare a no-argument constructor for Hibernate persistent classes
HIBERNATE.LHII - Avoid logging sensitive Hibernate-related information at the 'info' level in 'log4j.properties' files
HIBERNATE.OHCE - Override the 'equals' and 'hashCode' methods for mapped Hibernate objects
HIBERNATE.PIDS - Declare the setter method for the Hibernate identifier 'private'
HIBERNATE.RBT - Roll back any active transactions in 'catch' blocks
HIBERNATE.SLM - Call 'setLockMode()' before executing a Hibernate Query
HIBERNATE.UGNQ - Use mapped, named HQL queries instead of writing queries in Java code
HIBERNATE.UNP - Use named parameters in HQL queries
HIBERNATE.UPWD - Avoid storing unencrypted Hibernate usernames and passwords in 'web.xml' files
INIT.AAI - Do not use array initializers
INIT.AULI - Ensure that the "if" check for lazy initialization uses the correct operator
INIT.CLIB - Do not put code other than initialization code in lazy initialization blocks
INIT.DIA - Use diamond to invoke the constructor of a generic class
INIT.IC - Do not use initialization circularities for fields
INIT.LV - Initialize all local variables explicitly at the declaration statement
INIT.NFS - Do not use non-final "static" fields during the initialization
INIT.SF - Use explicit initializations/Do not initialize "static" fields to default values
INIT.SFA - Do not initialize "static" "final" variables with non "final" "static" variables
INIT.SICUI - Do not use a "static" initializer that creates an instance of the current class before all "static final" fields are assigned
INTER.CCL - Use the optional java.util.Locale parameter
INTER.CLO - Do not use single characters with logic operators in an Internationalized environment
INTER.COS - Do not use String concatenation in an Internationalized environment
INTER.CTLC - Do not call 'Character.toLowerCase(char)' or 'Character.toUpperCase(char)' in an internationalized environment
INTER.DTS - Do not call 'toString()' or 'String.valueOf()' on Date objects in an Internationalized environment
INTER.ITT - Isolate translatable text in resource bundles in an Internationalized environment
INTER.NCL - Use "static final" constants for single character literals in an Internationalized environment
INTER.NTS - Do not call 'toString()' or 'String.valueOf()' on numeric values in an Internationalized environment
INTER.PN - Do not call the 'parse' methods of the 'Number' types in an Internationalized environment
INTER.SCT - Do not call 'String.compareTo()' in an Internationalized environment
INTER.SDFL - Provide a 'Locale' argument when instantiating 'SimpleDateFormat' objects
INTER.SE - Do not call 'String.equals()' in an Internationalized environment
INTER.SEO - Avoid calling methods and constructors which do not allow you to specify a character encoding option
INTER.SIO - Do not call 'String.indexOf()' or 'String.lastIndexOf()' in an Internationalized environment
INTER.ST - Do not use 'StringTokenizer' in an Internationalized environment
INTER.TTS - Do not call 'toString()' or 'String.valueOf()' on Time objects in an Internationalized environment
INTER.UNLS - Avoid unnecessary "$NON-NLS" and "NOI18N" comments
JAVADOC.BT - Avoid unsupported '@' tags and other tags that should not be used in Javadoc comments
JAVADOC.CRN - Always include a description of whether or not a method can return null in the Javadoc
JAVADOC.DPMT - Avoid unused Javadoc tags
JAVADOC.ECTF - Enforce custom Javadoc tags for fields
JAVADOC.ECTM - Enforce custom Javadoc tags for methods/annotation member types
JAVADOC.ECTT - Enforce custom Javadoc tags for types
JAVADOC.JNJD - Do not insert non-Javadoc comments between Javadoc comments and declarations
JAVADOC.MAJDT - Use the '@author' Javadoc tag in declaration Javadoc comments
JAVADOC.MDJT - Include a meaningful description in Javadoc tags
JAVADOC.MISFORMAT - Avoid misformatted Javadoc tags
JAVADOC.MRDC - Use the '@return' Javadoc tag in method Javadoc comments
JAVADOC.MVJDT - Use the '@version' tag in type Javadoc comments
JAVADOC.ORDER - Order Javadoc tags appropriately
JAVADOC.PARAM - Use the '@param' Javadoc tag for each parameter of methods
JAVADOC.PJDC - Provide Javadoc comments and descriptions for types
JAVADOC.PJDF - Provide Javadoc comments and descriptions for fields
JAVADOC.PJDM - Provide Javadoc comments and descriptions for methods
JAVADOC.SINGLE - Enforce restraint on number of lines used for Javadoc comments
JAVADOC.SMJT - Use the '@concurrency' Javadoc tag on "synchronized" methods and blocks
JAVADOC.SPELL - Avoid misspelling words in Javadoc comments and string literals
JAVADOC.SRRP - Specify 'RUNTIME' as the retention policy when using the '@Documented' annotation
JAVADOC.THROW - Use the '@throws' or '@exception' Javadoc tag in methods
JAVADOC.TSMJT - Provide a Javadoc comment for 'toString()' methods
JAVADOC.TSOL - Ensure that certain Javadoc tags only span one line
JAVADOC.VMCR - Avoid using the '@return' Javadoc tag on "void" methods
JDBC.BRSA - Ensure index is valid in JDBC method invocation
JDBC.CDBC - Close JDBC connections in "finally" blocks
JDBC.COCO - Close JDBC objects in the correct order
JDBC.DSLV - Reuse data sources for JDBC connections
JDBC.ODBIL - Do not open or close JDBC connections in loops
JDBC.RRWD - Close JDBC resources in "finally" blocks
JDBC.SCSF - Do not store database connection objects in "static" fields
JDBC.UDS - Use javax.sql.DataSource to get the database connection
JDBC.UPSC - Use "PreparedStatements" correctly
JDBC.URSF - Use instance of RowSetFactory to create a RowSet object
JUNIT.AEAT - Prefer assertEquals and assertNotEquals over assertTrue and assertFalse
JUNIT.AHLOD - Do not hard code the location to data used by a unit test
JUNIT.ANAT - Prefer assertNull and assertNotNull over assertTrue and assertFalse
JUNIT.ANBA - Avoid negating boolean parameters to assertTrue() or assertFalse()
JUNIT.ASAT - Prefer assertSame and assertNotSame over assertTrue and assertFalse
JUNIT.ASSERT - Include a message string in JUnit assertions
JUNIT.AST - Do not include assertion statements in threads other than the main thread
JUNIT.AUL - Avoid using loops in JUnit tests
JUNIT.CBA - Avoid calling 'assert' methods in catch blocks
JUNIT.CSUPER - Call the superclass' 'setUp' and 'tearDown' methods in the 'setUp' and 'tearDown' methods of JUnit test classes
JUNIT.CSUTD - Ensure that 'setUp()' and 'tearDown()' methods are implemented correctly
JUNIT.DIR - Place each test class in the same location as the class that it tests
JUNIT.ETCTA - Avoid extending 'TestCase' in test classes which contain the '@Test' annotation
JUNIT.FAIL - Use the fail() method instead of forcing a failed condition using the assertTrue(false) or assertFalse(true) method
JUNIT.FICB - Do not invoke the 'fail()' method in a 'catch' block in a JUnit test method
JUNIT.IGNORE - Ensure that JUnit 5 test classes that use @Ignore are annotated with @ExtendWith(IgnoreCondition.class) or @EnableJUnit4MigrationSupport
JUNIT.ISMTC - Do not implement the 'suite()' method in JUnit test classes
JUNIT.MAIN - Ensure that JUnit classes have a main() allowing them to be executed in isolation
JUNIT.OSIC - Do not use the constructor to set up test cases
JUNIT.OSUM - Ensure that a setup method is defined in the test class
JUNIT.OTDM - Ensure that a cleanup method is defined in the test class
JUNIT.RPL5 - Do not use JUnit 4 annotations when migrating tests to JUnit 5
JUNIT.SIA - Ensure JUnit test cases include assertion methods
JUNIT.SIFN - Set all fields which are initialized in the 'setUp()' method to "null" in the 'tearDown()' method
JUNIT.SUITE - Make 'suite()' methods "public" and "static"
JUNIT.TATC - Use '@Test' annotation instead of extending 'TestCase'
JUNIT.TCWNT - Include at least one test method in each 'TestCase' class
JUNIT.TDIR - Do not use the TemporaryFolder Rule in JUnit 5 tests
JUNIT.TEST - Make sure all methods have at least one JUnit test method
JUNIT.UPJT - Include an appropriate Javadoc tag in the Javadoc for JUnit test methods
JUNIT.UPSS - Use the correct signature for the 'suite()' method in JUnit test classes
METRICS.CTNL - DEPRECATED: Number of lines in "class" or "interface"
METRICS.ECLM - DEPRECATED: Number of statement lines in a method
METRICS.ECLT - DEPRECATED: Number of statement lines in a "class" or "interface"
METRICS.ID - DEPRECATED: "class" or "interface" inheritance level
METRICS.NOFT - DEPRECATED: Number of fields
METRICS.NOM - DEPRECATED: Number of methods
METRICS.NOMCML - DEPRECATED: Number of comment lines in a method
METRICS.NOTCML - DEPRECATED: Number of comment lines in a "class" or "interface"
METRICS.NPKGF - DEPRECATED: Number of package-private fields
METRICS.NPKGM - DEPRECATED: Number of package-private methods
METRICS.NPRIF - DEPRECATED: Number of "private" fields
METRICS.NPRIM - DEPRECATED: Number of "private" methods
METRICS.NPROF - DEPRECATED: Number of "protected" fields
METRICS.NPROM - DEPRECATED: Number of "protected" methods
METRICS.NPUBF - DEPRECATED: Number of "public" fields
METRICS.NPUBM - DEPRECATED: Number of "public" methods
METRICS.NSTMT - DEPRECATED: Number of statements in a method
METRICS.PAR - DEPRECATED: Number of parameters
METRICS.PJDC - DEPRECATED: Percentage of Javadoc comments (%)
METRICS.TNLM - DEPRECATED: Number of lines in a method
METRICS.TNMC - DEPRECATED: Number of method calls
METRICS.TRET - DEPRECATED: Number of "return" statements
METRICS.VG - DEPRECATED: Cyclomatic Complexity
MOBILE.ANDROID.AOSM - Always override 'onSaveInstanceState()'
MOBILE.ANDROID.WUP - Make sure that widgets aren't updated too often
MOBILE.J2ME.ACII - Do not use anonymous classes as interface implementors
MOBILE.J2ME.ARLL - Do not use an array length in a loop condition expression
MOBILE.J2ME.CIPA - Avoid constant initializations of primitive arrays that exceed a certain size
MOBILE.J2ME.EAOF - Do not access a field excessively
MOBILE.J2ME.EURP - Ensure methods use return parameters instead of returning new objects
MOBILE.J2ME.OOME - Catch 'OutOfMemoryError' for large array allocations
MOBILE.ACFM - Avoid accessing same fields and methods multiple times
MOBILE.AMA - Avoid using 'getter' and 'setter' methods
MOBILE.APTA - Avoid using array of primtive wrapper objects
MOBILE.AUEF - Avoid using enhanced "for" loop to walk through a "java.lang.Iterable" object
MOBILE.AUI - Avoid declaring "interface" types
MOBILE.DARRAY - Avoid multiple dimension arrays
MOBILE.ENUM - Avoid using enums
MOBILE.FLOATER - Avoid using floats
NAMING.ANNS - Follow class name conventions defined for annotations
NAMING.CVN - Use conventional variable names
NAMING.DJLO - Do not declare types with the same name as types in the Java platform
NAMING.DSN - Avoid using dollar signs in names
NAMING.ECN - Ensure class names reflect classes which they extend
NAMING.EXTENDS - Follow class name conventions defined for base classes
NAMING.GETA - Follow a naming convention for getter methods
NAMING.GETB - Follow a naming convention for "boolean" getter methods
NAMING.ID - Avoid using potential Java keywords as identifiers
NAMING.IFV - Use all uppercase letters for the names of fields in an "interface"
NAMING.IMPLS - Follow class name conventions defined for implemented interfaces
NAMING.IRB - Use 'is...' only for naming methods that return a "boolean"
NAMING.LLI - Follow limits for the lengths of type, method, field, parameter, and variable names
NAMING.NA - Use a naming convention for annotations
NAMING.NAC - Use a naming convention for array and collection variables
NAMING.NACL - Use a naming convention for "abstract" classes
NAMING.NCL - Use a naming convention for classes
NAMING.NE - Use a naming convention for exceptions
NAMING.NENUM - Use a naming convention for enum type declarations
NAMING.NFL - Use a naming convention for "final" local variables
NAMING.NIF - Use a naming convention for non-"static" fields
NAMING.NITF - Use a naming convention for interfaces
NAMING.NLV - Use a naming convention for local variables
NAMING.NM - Use a naming convention for non-"static" methods
NAMING.NMP - Use a naming convention for method parameters
NAMING.NPH - Use a naming convention for type parameters
NAMING.NSF - Use a naming convention for non-"final" "static" fields
NAMING.NSM - Use a naming convention for "static" methods
NAMING.NTEST - Use a naming convention for JUnit test classes
NAMING.PKG - Use a naming convention for "package" names
NAMING.RPKG - Do not use a package name that is reserved by Sun
NAMING.SETA - Follow a naming convention for setter methods
NAMING.SINGLETON - Use a naming convention for singleton classes
NAMING.THAC - Use a naming convention for tag handlers and associated classes
NAMING.UHN - Use Hungarian notation for variables
NAMING.USF - Do not use lowercase letters in "final" "static" field names
NAMING.UUVN - Do not use variables with identical names or names that differ only in case
OOP.ACECC - Do not extend concrete classes in "abstract" classes
OOP.ACST - Avoid casts to types which are more specific than necessary
OOP.AF - Avoid "public"/"protected"/package-private fields
OOP.AHF - Do not hide inherited fields
OOP.AHSM - Do not hide inherited "static" member methods
OOP.AOA - Add the "@Override" annotation to overriding methods
OOP.AOCM - Always override certain methods when extending certain types
OOP.ASFI - Redeclare a class with only "abstract" methods and "static final" fields as an "interface"
OOP.AUASI - Do not implement or extend annotations
OOP.AUO - Do not use an object to access "static" fields or methods
OOP.CIMOM - Do not declare a method in an interface which conflicts with a 'protected' method of 'Object'
OOP.CQS - Ensure methods are either a command(change state) or a query(get state)
OOP.HIF - Do not hide fields and local variables declared in enclosing scopes
OOP.HMF - Do not give method local variables and parameters the same name as class fields
OOP.ICIF - Avoid inner classes in interfaces
OOP.IDOM - Avoid declaring methods inherited from class "Object" in an interface
OOP.IIAC - Avoid implementing interfaces only to access constants
OOP.IIN - Implement interface methods non-trivially or declare them "abstract"
OOP.INSOF - Use "instanceof" only on interfaces
OOP.LEVEL - Avoid more than two levels of nested inner classes
OOP.MFP - Give "finalize()" methods "protected" access
OOP.MI - Avoid interfaces with no fields or methods (marker interfaces)
OOP.MUCOP - Provide mutable classes with copy functionality
OOP.NAM - Avoid "abstract" classes without "abstract" methods
OOP.NOMA - Declare methods in "abstract" classes with empty bodies "abstract"
OOP.NPAC - Do not declare "public" or package-private constructors in "abstract" classes
OOP.OPM - Do not override an instance "private" method
OOP.PIFC - Do not use "protected" access for members of "final" classes
OOP.PMPC - Ensure 'public' classes have at least one 'public' or 'protected' member
OOP.PSDF - Do not declare "private" or "static" methods as "final"
OOP.RI - Do not declare a class as implementing an interface if a superclass already implements that interface
OOP.RSFC - Avoid referencing a class' subclasses from itself
OOP.SNGL - Use a naming convention for singleton classes
OOP.SVHM - Specify which version of potentially ambiguous methods you wish to call for method calls in inner classes
OOP.THRECL - Use getContextClassLoader() instead of getClassLoader()
OPT.AAM - Change non-"private" members to "private" in anonymous classes
OPT.AAS - Use abbreviated assignment operators
OPT.ACDO - Do not use the 'new String(String)' constructor
OPT.AGC - Do not get the 'Class' object through new object instantiation
OPT.ANIPW - Avoid new instantiations of primitive wrapper objects, whose values are cached
OPT.AUMO - Avoid unnecessary Map operations
OPT.BR - Simplify "boolean" returns
OPT.CCR - Close all "java.io.Closeable" resources in a "finally" block
OPT.CEIL - Avoid putting constant expressions inside loops
OPT.CEL - Do not call methods in loop condition statements
OPT.CIO - Close input and output resources in "finally" blocks
OPT.CLL - Check the logging level before calling potentially expensive logging operations
OPT.CPTS - Do not convert a value to a String by concatenating the empty String
OPT.CRSG - Avoid duplicate calls to the "get" methods of "ResultSet"
OPT.CRWD - Close resources as early as possible
OPT.CTLV - Do not use a "private" field that is accessed in only one method; change it to a local variable
OPT.DIC - Define initial capacities for 'ArrayList', 'HashMap', 'HashSet', 'Hashtable', 'Vector' and 'WeakHashMap'
OPT.EES - Use 'String.length() == 0' instead of 'String.equals("")'
OPT.EIC - Use 'equalsIgnoreCase()' instead of calls to 'toLowerCase()' or 'toUpperCase()'
OPT.EOIL - Avoid calling expensive operations in the body of a loop
OPT.ICDPC - When calling "Math.ceil()", do not pass in an integer that has been cast to a floating point type
OPT.ICGA - Avoid accessing members which will require synthetic accessor methods
OPT.ILUG - Do not iterate through Lists using the 'get()' method
OPT.IRB - Use 'System.arraycopy()' instead of using a loop to copy arrays
OPT.ISC - Do not instantiate a class which contains only static fields and methods
OPT.LIOL - Move invariants outside of loops wherever possible
OPT.LOOP - Do not instantiate variables in a loop body
OPT.MAF - Make getter and setter methods for instance fields "final"
OPT.MUNC - Avoid unnecessary comparisons to "null"
OPT.NCIO - Avoid 'null' check before 'instanceof'
OPT.NIVND - Use the 'nextInt()' method to generate a random integer
OPT.NIW - Avoid creating new instances of BigInteger and BigDecimal
OPT.NSF - Declare "final" fields with a known compile time value as "static"
OPT.PCTS - Use 'charAt()' instead of 'startsWith()' for one character comparisons
OPT.PRIM - Do not instantiate the wrapper classes for primitive types
OPT.SB - Specify an initial 'StringBuffer' capacity
OPT.SBL - Avoid converting StringBuffer or StringBuilder to String to check length
OPT.SBS - Use 'StringBuilder' instead of 'StringBuffer' when synchronization is not required
OPT.SDLS - Avoid using synchronized data structures for local variables
OPT.SI - Declare member classes "static" if possible
OPT.SRA - Avoid using 'String.replaceAll()' with literal values
OPT.STCA - Do not call ''String.toCharArray()'' unnecessarily
OPT.STR - Use single quotes instead of double quotes for single character string concatenation
OPT.STRBUF - Simplify methods that return strings that are always concatenated
OPT.STS - Avoid unnecessary calls to 'String' methods
OPT.SWIF - Avoid use of if statements if they can be replaced with switch statements
OPT.SYN - Do not call a synchronized method inside of a loop
OPT.TOARRAY - Use collection size for target array in 'toArray()'
OPT.UEQ - Do not compare boolean variables with "true"
OPT.UISO - Avoid unnecessary "instanceof" evaluations
OPT.UMATH - Do not call the methods from 'java.lang.Math' if the result is a constant which can be easily determined
OPT.UNC - Avoid unnecessary casting
OPT.USB - Use 'StringBuffer' instead of 'String' when concatenating strings
OPT.USC - Use 'String' instead of 'StringBuffer' for constant strings
OPT.USCL - Avoid questionable uses of non-short-circuit logic
OPT.USV - Use 'stack' variables whenever possible
OWASP2017.A1.TDCMD - Protect against Command injection
OWASP2017.A1.TDDIG - Protect against Jakarta Digester injection
OWASP2017.A1.TDENV - Protect against Environment injection
OWASP2017.A1.TDINPUT - Exclude unsanitized user input from format strings
OWASP2017.A1.TDJXPATH - Protect against JXPath injection
OWASP2017.A1.TDLDAP - Protect against LDAP injection
OWASP2017.A1.TDLOG - Protect against log forging
OWASP2017.A1.TDNET - Protect against network resource injection
OWASP2017.A1.TDRFL - Protect against Reflection injection
OWASP2017.A1.TDSQL - Protect against SQL injection
OWASP2017.A1.TDXPATH - Protect against XPath injection
OWASP2017.A1.UPS - Use 'prepareCall' or 'prepareStatement' instead of 'createStatement'
OWASP2017.A10.ENFL - Ensure all sensitive method invocations are logged
OWASP2017.A10.LGE - Ensure all exceptions are either logged with a standard logger or rethrown
OWASP2017.A2.HGRSI - Avoid using the 'getRequestedSessionId' method from the 'HttpServletRequest' class
OWASP2017.A2.ISL - Always call 'HttpSession.invalidate()' before 'LoginContext.login()'
OWASP2017.A2.RUIM - Ensure proper session expiration
OWASP2017.A2.STTL - Ensure that sessions are configured to time out in 'web.xml' files
OWASP2017.A2.TDPASSWD - Protect against using unprotected credentials
OWASP2017.A3.AISSAJAVA - Avoid using insecure cryptographic algorithms for data encryption with Spring
OWASP2017.A3.AISSAXML - Avoid using insecure cryptographic algorithms in Spring XML configurations
OWASP2017.A3.AUNC - Avoid using the javax.crypto.NullCipher class in non-test classes
OWASP2017.A3.CONSEN - Do not log confidential or sensitive information
OWASP2017.A3.ENPP - Ensure arguments passed to certain methods come from predefined methods list
OWASP2017.A3.HCCK - Avoid using hard-coded cryptographic keys
OWASP2017.A3.HCNA - Do not hard-code IP addresses and port numbers
OWASP2017.A3.HTTPS - Use 'https' instead of 'http' for the 'transportReceiver' and 'transportSender' in 'axis2.xml' configuration files
OWASP2017.A3.HV - Ensure the HostnameVerifier.verify() method validates the certificate
OWASP2017.A3.ICA - Avoid using insecure algorithms for cryptography
OWASP2017.A3.IVR - Avoid non-random "byte
OWASP2017.A3.MCMDU - MessageDigest objects must process the data with the 'update' method
OWASP2017.A3.MDSALT - Use hash functions with a salt
OWASP2017.A3.PEO - Do not pass exception messages into output in order to prevent the application from leaking sensitive information
OWASP2017.A3.PWDPROP - Ensure that passwords are not stored as plaintext and are sufficiently long
OWASP2017.A3.SENS - Prevent exposure of sensitive data
OWASP2017.A3.SIKG - Initialize KeyGenerator instances
OWASP2017.A3.SRD - Use 'java.security.SecureRandom' instead of 'java.util.Random' or 'Math.random()'
OWASP2017.A3.SSSD - Safely serialize sensitive data
OWASP2017.A3.USC - Use the SSL-enabled version of classes when possible
OWASP2017.A3.VJFS - Always verify JarFile signatures
OWASP2017.A3.VSI - Properly validate server identity
OWASP2017.A4.DXXE - Disable XML external entity injection
OWASP2017.A5.DPANY - Avoid granting access permission for EJB methods to the 'ANYONE' role
OWASP2017.A5.TDFNAMES - Protect against File names injection
OWASP2017.A6.ACPST - Do not call the 'printStackTrace()' method of "Throwable" objects
OWASP2017.A6.AECB - Avoid "try", "catch" and "finally" blocks with empty bodies
OWASP2017.A6.DCSRFJAVA - Do not disable CSRF protection
OWASP2017.A6.DCSRFXML - Do not disable CSRF protection
OWASP2017.A6.EWSSEC - Avoid debug information from Spring Security framework to logs
OWASP2017.A6.NCE - Do not catch exception types which are too general or are unchecked exceptions
OWASP2017.A6.NCNPE - Do not catch 'NullPointerException'
OWASP2017.A6.NTERR - Do not throw exception types which are too general or are unchecked exceptions
OWASP2017.A6.NTX - Avoid declaring methods to throw general or unchecked Exception types
OWASP2017.A6.PLAIN - Password information should not be included in properties file in plaintext
OWASP2017.A6.PWDXML - Ensure that passwords are not stored as plaintext and are sufficiently long
OWASP2017.A6.RR - Do not declare entity beans as remote
OWASP2017.A6.SEP - Always specify error pages in web.xml
OWASP2017.A6.SIO - Avoid calling print methods of 'System.err' or 'System.out'
OWASP2017.A6.SLID - Ensure Session-ID Length is sufficient
OWASP2017.A6.UPWD - Avoid storing unencrypted Hibernate usernames and passwords in 'web.xml' files
OWASP2017.A7.CDBV - Canonicalize all data before validation
OWASP2017.A7.TDRESP - Protect against HTTP response splitting
OWASP2017.A7.TDXSS - Protect against XSS vulnerabilities
OWASP2017.A8.AUXD - Avoid parsing untrusted data with XMLDecoder
OWASP2017.A8.DUID - Create a 'serialVersionUID' for all 'Serializable' classes
OWASP2017.A8.OROM - Implement 'readObject()' and 'writeObject()' for all 'Serializable' classes
OWASP2017.A8.RRSC - Define a "readResolve" method for all instances of Serializable types
OWASP2017.A8.RWAF - Ensure that all fields are assigned by the 'readObject()' method and written out by the 'writeObject()' method
OWASP2017.A8.SC - Disable LDAP deserialization
OWASP2017.A8.SCBNP - Always declare writeObject and readObject methods for Serializable subclasses of non-Serializable parents
OWASP2017.A8.SROS - Do not declare the 'readObject()' method as "synchronized"
OWASP2017.A8.VOBD - Validate objects before deserialization
PB.API.AECC - Avoid extending certain classes (custom rule)
PB.API.APPG - Avoid 'put, 'putAll' and 'get' methods of 'java.util.Properties' objects
PB.API.APT - Avoid using certain packages or types
PB.API.CMMT - Ensure that the types passed to "Collection" and "Map" methods match the types in those data structures
PB.API.DANNOT - Add the "@Deprecated" annotation to the declarations of deprecated members
PB.API.DNCSS - Do not call 'setSize()' in 'ComponentListener.componentResized()'
PB.API.DPRAPI - Do not use deprecated APIs
PB.API.ECMC - Do not extend "Collection" and "Map" classes
PB.API.EHM - Do not extend 'java.util.HashMap' or 'java.util.Hashtable'
PB.API.EJF - Do not create an empty JarFile entry or an empty ZipFile entry
PB.API.EQNL - Avoid calling 'equals(null)'
PB.API.HNCN - Do not call the 'next' method from the 'hasNext' method of an Iterator
PB.API.IUMS - Do not use "URL" objects in "Collections" or "Maps"
PB.API.KOEH - Ensure that all types which are used as keys in Sets and Maps override the 'equals()' and 'hashCode()' methods
PB.API.MASP - Assign 'protected' accessibility to 'readResolve()' and 'writeReplace()' methods in serializable classes
PB.API.MOHK - Avoid using objects with dangerous implementations of 'equals()' or 'hashCode()' as keys in hashed data structures
PB.API.NDC - Do not define direct or indirect subclasses of 'Error' and 'Throwable'
PB.API.OF - Do not overload the 'finalize()' method
PB.API.REP - Avoid using "." as a regular expression in 'String.replaceAll()' and 'String.replaceFirst()'
PB.API.SBCC - Do not pass a 'char' to the 'StringBuffer(int)' constructor
PB.API.UNI - Avoid improper casting of the results of the 'next' methods in the 'java.util.Random' class
PB.API.URL - Avoid using the 'equals()' and 'hashCode()' methods of "java.net.URL"
PB.API.VAFS - Ensure the correct number of arguments for varargs methods with format strings
PB.API.VENDOR - Update values which may be using to compare with vendor properties
PB.CUB.ADE - Avoid dangling "else" statements
PB.CUB.AIPQ - Avoid using 'iterator()' with PriorityQueue and PriorityBlockingQueue
PB.CUB.AMCO - Avoid using multiple '!' or '~' unary operators
PB.CUB.APAM - Avoid passing arrays as arguments to methods that take non-array parameters
PB.CUB.ARCF - Avoid using 'return's inside 'finally blocks if thare are other 'return's inside the try-catch block
PB.CUB.ATSF - Do not exit "finally" blocks abruptly
PB.CUB.AWP - Avoid confusing assignments to constructor arguments
PB.CUB.CILB - Do not put code other than logging code inside logging blocks
PB.CUB.CNVC - Avoid improper concatenation of characters with numbers
PB.CUB.CTOR - Do not call non-"final", non-"static" and non-"private" methods from constructors
PB.CUB.CWRITE - Avoid usage of File.canWrite() method because it may returns true even if directory is not writable
PB.CUB.DCP - Do not use the "+" string concatenation operator to concatenate numbers; use it only to add numbers
PB.CUB.EBI - Avoid erroneously placing statements outside blocks
PB.CUB.EOOM - Avoid errors in overriding methods of "java.lang.Object"
PB.CUB.FLVA - Do not assign loop control variables in the body of a "for" loop
PB.CUB.IMC - Ensure overriding methods are not unintended covariants due to parameter type differences
PB.CUB.IMM - Ensure "static" "final" fields are immutable
PB.CUB.ISF - Inspect "private" "static" fields which may have mistakenly been declared "static"
PB.CUB.MAIN - Use the method name 'main()' only for the entry point method
PB.CUB.OE - Avoid suspicious octal escapes
PB.CUB.OSM - Ensure overloaded methods in superclass are overridden when overriding a method in subclass
PB.CUB.OVAM - Avoid overloading varargs methods
PB.CUB.PSFA - Avoid using "public static final" array fields
PB.CUB.RMO - Avoid referencing mutable fields
PB.CUB.SAC - Do not use "char" arrays in "String" concatenations
PB.CUB.SBC - Do not use a "switch" statement with a bad "case"
PB.CUB.SRAD - Specify @Retention for annotation type declarations
PB.CUB.STRCC - Parenthesize complex expressions in 'print()' or 'println()' statements
PB.CUB.TOCTOU - Avoid Time-of-check Time-of-use (TOCTOU) Race Condition
PB.CUB.TOS - Avoid invoking 'toString()' on array variables
PB.CUB.TVOM - Avoid type variable parameters when calling overloaded methods
PB.CUB.UEIC - Do not use '==' or '!=' to compare objects
PB.LOGIC.AIL - Avoid infinite loops
PB.LOGIC.AMOI - Avoid using the wrong index variable to access an array or List element
PB.LOGIC.AOBO - Avoid off-by-one errors in loop conditions
PB.LOGIC.AULV - Avoid loop variables which are not used in the condition of the loop
PB.LOGIC.CPI - Do not check whether the result of "String.indexOf()" is positive or non-positive
PB.LOGIC.CRRV - Check the return value of methods which read or skip input
PB.LOGIC.DJNCR - Do not discard the result of a call to "readLine()" after checking that the return value is non-null
PB.LOGIC.EQLC - Use 'getClass()' or "instanceof" within 'equals()' and 'compareTo()' method implementations
PB.LOGIC.EQUS - Do not call 'equals()' methods that always return false
PB.LOGIC.ESO - Avoid calling 'equals()' with same object
PB.LOGIC.FLRC - Avoid infinite recursive method calls
PB.LOGIC.INDEX - Avoid bugs in the usage of loop variables
PB.LOGIC.JI - Do not increment or decrement on the same variable over multiple nested "for" loop statements
PB.LOGIC.LLM - Ensure that the logging level checked matches the level of the called logging method
PB.LOGIC.OAMC - Ensure that the objects used within a loop's condition are properly accessed within the loop's body
PB.LOGIC.OOR - Avoid out of range comparisons
PB.LOGIC.ROM - Make sure that methods are invoked on the correct object
PB.LOGIC.SG - Ensure get/set methods are accessing the correct variables
PB.NUM.AIC - Avoid implicit casts from integer data types to floating point data types
PB.NUM.BBDCC - Do not pass floating point values to the 'BigDecimal' constructor
PB.NUM.BSA - Do not use an integer outside the range of
PB.NUM.CACO - Avoid using compound assignment operators in cases which may cause overflow
PB.NUM.CLP - Do not cast primitive data types to lower precision
PB.NUM.CMP - Possible integer overflow in a compare or compareTo method
PB.NUM.DCF - Do not compare floating point types
PB.NUM.FPLI - Do not use floating point variables as loop indices
PB.NUM.ICO - Avoid calculations which result in overflow or NaN
PB.NUM.IDCD - Do not assign the result of an integer division to a floating point variable
PB.NUM.IMOF - Avoid casting the result of an integer multiplication to "long"
PB.NUM.IOF - Use unsigned right shift instead of division when overflow is possible
PB.NUM.NAN - Avoid comparisons to Double.NaN or Float.NaN
PB.NUM.NIA - Do not initialize array dimensions with negative numbers
PB.NUM.UBD - Do not use "float" and "double" if exact answers are required
PB.NUM.UCM - Avoid passing integer values to 'Math.round()'
PB.RE.ACTI - Do not add a collection to itself
PB.RE.AMFSL - Avoid modifying fixed-size Collections
PB.RE.AQA - Avoid calling the 'add()' method of a Queue
PB.RE.ASE - Avoid possible ArrayStoreExceptions
PB.RE.CAI - Always check parameters before use in array access
PB.RE.CIOR - Check the return value of calls to 'String.indexOf()' before passing this value to other "String" methods
PB.RE.CTNSE - Ensure 'Iterator.next()' method implementations throw 'NoSuchElementException'
PB.RE.IDRL - Check whether or not "readLine()" returned null before dereferencing the return value
PB.RE.IIAE - Make sure the IllegalArgumentException message matches the code logic
PB.RE.IOSS - Use the "fromIndex" argument of 'indexOf()' when necessary
PB.RE.ISEM - Do not call 'String.equals(constant)' or 'String.equalsIgnoreCase(constant)'
PB.RE.JLAY - Avoid using methods add() from JLayer class
PB.RE.NCMD - Ensure that dereferenced variables match variables which were previously checked for "null"
PB.RE.NXRE - Do not define direct or indirect subclasses of 'RuntimeException'
PB.RE.PNPD - Avoid dereferencing null objects
PB.RE.RCODE - When used HttpURLConnection always check return value from the getResponseCode() methods before call getInputStream()
PB.RE.VRNULL - Avoid methods returning "null" value
PB.TYPO.AECB - Avoid "try", "catch" and "finally" blocks with empty bodies
PB.TYPO.ASI - Avoid assignment within a condition
PB.TYPO.BW - Avoid unnecessary self computation
PB.TYPO.CSI - Ensure that the correct "super" method is invoked
PB.TYPO.DAV - Avoid assigning same variable in the fall-through switch case
PB.TYPO.EB - Avoid control statements with empty bodies
PB.TYPO.IMO - Ensure the overriding method name does not have a typo
PB.TYPO.NAMING - Do not give methods and fields the same name as the enclosing class or each other
PB.TYPO.RSK - Avoid having more than one "getter" or "setter" method for the same field
PB.TYPO.TLS - Ensure "switch" statements do not contain typos
PB.TYPO.UOL - Do not use octal integer literals
PB.TYPO.WT - Ensure that arguments passed to Java wrapper classes do not contain typos
PB.USC.AES - Avoid empty statements
PB.USC.CC - Avoid conditional expressions that always evaluate to a constant value
PB.USC.EC - Avoid empty classes
PB.USC.EPC - Do not define empty "public" constructors in classes with no other constructors
PB.USC.NACC - Avoid classes with no accessible members
PB.USC.NASSIG - Ensure method and constructor return values are used
PB.USC.OI - Avoid increment and decrement statements which have no effect
PB.USC.RTE - Do not catch exceptions only to rethrow them
PB.USC.SAFL - Avoid self assignments/initializations to fields and/or local variables
PB.USC.UIF - Avoid unreachable "else if" and "else" cases
PB.USC.UNARY - Do not use the unary operator '+'
PB.CLOSE - Unrestricted lock resource
PB.EAR - Ensure that non-"void" methods have a return value other than empty arrays and "null"
PB.IKICO - Ensure that keys used in comparison operations are immutable
PB.NAECS - Include a 'case' statement for each constant of an 'enum' type in 'switch' statements
PB.OCSF - Ensure that exactly one type has the same name as the file name
PB.PCSF - Ensure that the type that has the same name as the file is declared "public"
PB.PDCL - Place "default" as the last case of the "switch" statement
PB.PDS - Provide "default:" for each "switch" statement
PCIDSS32.651.TDCMD - Protect against Command injection
PCIDSS32.651.TDDIG - Protect against Jakarta Digester injection
PCIDSS32.651.TDENV - Protect against Environment injection
PCIDSS32.651.TDINPUT - Exclude unsanitized user input from format strings
PCIDSS32.651.TDJXPATH - Protect against JXPath injection
PCIDSS32.651.TDLDAP - Protect against LDAP injection
PCIDSS32.651.TDLOG - Protect against log forging
PCIDSS32.651.TDNET - Protect against network resource injection
PCIDSS32.651.TDRFL - Protect against Reflection injection
PCIDSS32.651.TDSQL - Protect against SQL injection
PCIDSS32.651.TDXML - Protect against XML data injection
PCIDSS32.651.TDXPATH - Protect against XPath injection
PCIDSS32.651.UPS - Use 'prepareCall' or 'prepareStatement' instead of 'createStatement'
PCIDSS32.651.XPIJ - Avoid XPath injection when evaluating XPath queries
PCIDSS32.6510.DNSL - Avoid DNS lookups for decision making
PCIDSS32.6510.HGRSI - Avoid using the 'getRequestedSessionId' method from the 'HttpServletRequest' class
PCIDSS32.6510.ISL - Always call 'HttpSession.invalidate()' before 'LoginContext.login()'
PCIDSS32.6510.PCCF - Avoid storing usernames and passwords in plain text in Castor 'jdo-conf.xml' files
PCIDSS32.6510.PTPT - Avoid using plain text passwords in Axis 'wsdd' files
PCIDSS32.6510.PWDXML - Ensure that passwords are not stored as plaintext and are sufficiently long
PCIDSS32.6510.RUIM - Ensure proper session expiration
PCIDSS32.6510.STTL - Ensure that sessions are configured to time out in 'web.xml' files
PCIDSS32.6510.TDPASSWD - Protect against using unprotected credentials
PCIDSS32.6510.UOSC - Use the ''getSecure()'' and ''setSecure()'' methods to enforce the use of secure cookies
PCIDSS32.6510.UPWD - Avoid storing unencrypted Hibernate usernames and passwords in 'web.xml' files
PCIDSS32.6510.UTAX - Avoid using plain text passwords in Axis2 configuration files
PCIDSS32.6510.WCPWD - Avoid unencrypted passwords in WebSphere 'ibm-webservicesclient-ext.xmi' files
PCIDSS32.6510.WPWD - Avoid unencrypted passwords in WebSphere 'ibm-webservices-ext.xmi' files
PCIDSS32.653.ACMD - Avoid using custom MessageDigest implementations
PCIDSS32.653.AISSAJAVA - Avoid using insecure cryptographic algorithms for data encryption with Spring
PCIDSS32.653.AISSAXML - Avoid using insecure cryptographic algorithms in Spring XML configurations
PCIDSS32.653.AUNC - Avoid using the javax.crypto.NullCipher class in non-test classes
PCIDSS32.653.CKTS - Avoid using cryptographic keys which are too short
PCIDSS32.653.ICA - Avoid using insecure algorithms for cryptography
PCIDSS32.653.MDSALT - Use hash functions with a salt
PCIDSS32.653.PLAIN - Password information should not be included in properties file in plaintext
PCIDSS32.653.PLC - Avoid storing sensitive data in plaintext in a cookie
PCIDSS32.653.PWDPROP - Ensure that passwords are not stored as plaintext and are sufficiently long
PCIDSS32.653.SRD - Use 'java.security.SecureRandom' instead of 'java.util.Random' or 'Math.random()'
PCIDSS32.654.CONSEN - Do not log confidential or sensitive information
PCIDSS32.654.HCCK - Avoid using hard-coded cryptographic keys
PCIDSS32.654.HTTPS - Use 'https' instead of 'http' for the 'transportReceiver' and 'transportSender' in 'axis2.xml' configuration files
PCIDSS32.654.MCMDU - MessageDigest objects must process the data with the 'update' method
PCIDSS32.654.SIKG - Initialize KeyGenerator instances
PCIDSS32.654.USC - Use the SSL-enabled version of classes when possible
PCIDSS32.655.ACPST - Do not call the 'printStackTrace()' method of "Throwable" objects
PCIDSS32.655.AECB - Avoid "try", "catch" and "finally" blocks with empty bodies
PCIDSS32.655.ARCF - Avoid using 'return's inside 'finally blocks if thare are other 'return's inside the try-catch block
PCIDSS32.655.CETS - Catch all exceptions which may be thrown within Servlet methods
PCIDSS32.655.CHECKRET - Consistently check the returned value of non-void methods
PCIDSS32.655.CRRV - Check the return value of methods which read or skip input
PCIDSS32.655.LGE - Ensure all exceptions are either logged with a standard logger or rethrown
PCIDSS32.655.PEO - Do not pass exception messages into output in order to prevent the application from leaking sensitive information
PCIDSS32.655.SENS - Prevent exposure of sensitive data
PCIDSS32.655.SEP - Always specify error pages in web.xml
PCIDSS32.655.SIO - Avoid calling print methods of 'System.err' or 'System.out'
PCIDSS32.657.CDBV - Canonicalize all data before validation
PCIDSS32.657.TDRESP - Protect against HTTP response splitting
PCIDSS32.657.TDXSS - Protect against XSS vulnerabilities
PCIDSS32.658.AUSS - Avoid using "SELECT *" in SQL queries
PCIDSS32.658.CAM - Keep all authentication methods centralized to enforce consistency
PCIDSS32.658.DPANY - Avoid granting access permission for EJB methods to the 'ANYONE' role
PCIDSS32.658.DSR - Avoid defining multiple security roles with the same name in 'web.xml' files
PCIDSS32.658.LCA - Include an appropriate '<login-config>' element to specify the type of authentication to be performed in 'web.xml' files
PCIDSS32.658.MLVP - Use the 'minlength' validator for password fields in 'validation.xml'
PCIDSS32.658.PERMIT - Avoid EJB 3 methods without security annotations
PCIDSS32.658.SRCD - Ensure that each security role referenced in a 'web.xml' file has a corresponding definition
PCIDSS32.658.SSM - Ensure that an appropriate security manager is set
PCIDSS32.658.TDFNAMES - Protect against File names injection
PCIDSS32.659.EACM - Encapsulate arguments of dangerous methods with a validation method
PCIDSS32.659.VPPD - Validate all dangerous data
PORT.CTSP - Avoid calling 'Thread.setPriority()'
PORT.DNHCP - Do not hard code an absolute pathname when calling a constructor from the 'File' class
PORT.ENV - Do not use the non-portable 'System.getenv()' method
PORT.EXEC - Do not use 'Runtime.exec()'
PORT.HCNA - Do not hard-code IP addresses and port numbers
PORT.LNSP - Do not hard code '\n' or '\r' as a line separator
PORT.NATV - Do not use user-defined "native" methods
PORT.PEER - Do not use "java.awt.peer.*" interfaces directly
PORT.PSC - Use "File.pathSeparator" or "File.pathSeparatorChar" instead of the corresponding literals
PROPS.BSPV - Avoid adding extra white spaces to the end of property values
PROPS.DUPN - Avoid duplicated property names
PROPS.DUPV - Avoid duplicated property values
PROPS.EMN - Avoid empty property names
PROPS.EMV - Avoid empty property values
PROPS.EQOP - Always use the '=' operator
PROPS.FM - Follow the limit for number of property entries
PROPS.HCLS - Avoid hard-coded line separators in property values
PROPS.IARG - Avoid misusing arguments in property values
PROPS.ICK - Avoid incomplete property entries
PROPS.IVCC - Avoid misusing the line continuation character '\'
PROPS.MENTRY - Avoid unmatched property entries in resources with different locales
PROPS.MLN - Avoid splitting property names into multiple lines
PROPS.NAME - Use a naming convention for property names
PROPS.PLAIN - Password information should not be included in properties file in plaintext
PROPS.SPELL - Avoid misspelling words in comments and property values
PROPS.TENTRY - Ensure that property entries are localized correctly
SECURITY.BV.ACL - Do not access the class loader in a web component
SECURITY.BV.ADT - Inspect usage of 'Date', 'Time' objects and 'System.currentTimeMillis()' method invocations
SECURITY.BV.AUG - Inspect usage of 'getName()' from 'java.lang.Class' object
SECURITY.BV.CQRO - Use "read-only" AccessMode for Castor queries
SECURITY.BV.DSSM - Do not set custom security managers outside of the 'main' method
SECURITY.BV.ENFL - Ensure all sensitive method invocations are logged
SECURITY.BV.NSF - Do not call 'Socket.setSocketImplFactory()' or 'URL.setURLStreamHandlerFactory()' in a web component
SECURITY.BV.PCFM - Wrap "privileged" method invocations in "final" methods
SECURITY.BV.PCPM - Wrap "privileged" method invocations in "private" methods
SECURITY.BV.PDLC - Avoid using dynamically loaded classes in "privileged" code blocks
SECURITY.BV.SYSP - Do not access or set System properties
SECURITY.DRC.THR - Do not use threads in web components
SECURITY.EAB.ACWC - Avoid calling specified methods from web components and EJBs
SECURITY.EAB.AWT - Do not use AWT classes in Web components
SECURITY.EAB.CBA - Do not pass byte arrays to ObjectOutputStream in the 'writeObject()' method
SECURITY.EAB.CMP - Do not compare Class objects by name
SECURITY.EAB.CPCL - Enforce returning a defensive copy in 'clone()' methods
SECURITY.EAB.JVM - Do not stop the JVM in a web component
SECURITY.EAB.LDP - Limit the number of "AccessController.doPrivileged" calls per class
SECURITY.EAB.MPT - Do not pass user-given mutable objects directly to certain types
SECURITY.EAB.OROM - Implement 'readObject()' and 'writeObject()' for all 'Serializable' classes
SECURITY.EAB.PCL - Limit the number of lines in "privileged" code blocks
SECURITY.EAB.SF - Do not declare "static" fields in web components
SECURITY.EAB.SIS - Do not change the input streams of 'java.lang.System' in a web component
SECURITY.EAB.SMO - Do not store user-given mutable objects directly into variables
SECURITY.EAB.SPFF - Inspect 'static' fields which may have intended to be declared 'static final'
SECURITY.ESD.ACW - Avoid writing to Consoles
SECURITY.ESD.CONSEN - Do not log confidential or sensitive information
SECURITY.ESD.CSD - Clear sensitive data after use
SECURITY.ESD.PEO - Do not pass exception messages into output in order to prevent the application from leaking sensitive information
SECURITY.ESD.PLC - Avoid storing sensitive data in plaintext in a cookie
SECURITY.ESD.RA - Avoid methods that might expose internal representations by returning arrays or other mutable fields
SECURITY.ESD.SDM - Store sensitive data in mutable objects
SECURITY.ESD.SIF - Inspect instance fields of serializable objects to make sure they will not expose sensitive information
SECURITY.ESD.SIO - Avoid calling print methods of 'System.err' or 'System.out'
SECURITY.ESD.SNFD - Do not expose data with a 'FileNotFound' exception
SECURITY.ESD.SPI - Do not interrogate or modify security policy information in a web component
SECURITY.ESD.TFP - Declare "transient" fields "private"
SECURITY.ESD.TSPF - Avoid "transient" fields in serialPersistentFields array
SECURITY.IBA.AEAF - Do not extend from the Struts classes 'ActionForm' and 'DynaActionForm'
SECURITY.IBA.ATF - Avoid temporary files
SECURITY.IBA.AUSS - Avoid using "SELECT *" in SQL queries
SECURITY.IBA.AUXD - Avoid parsing untrusted data with XMLDecoder
SECURITY.IBA.CDBV - Canonicalize all data before validation
SECURITY.IBA.CSVFV - Always call 'super.validate()' from validation methods in 'ActionForm' classes
SECURITY.IBA.DXXE - Disable XML external entity injection
SECURITY.IBA.EDPM - Encapsulate constructor arguments with a validation function
SECURITY.IBA.NATIW - Use wrapper methods to secure native methods
SECURITY.IBA.RUIM - Ensure proper session expiration
SECURITY.IBA.SC - Disable LDAP deserialization
SECURITY.IBA.UPS - Use 'prepareCall' or 'prepareStatement' instead of 'createStatement'
SECURITY.IBA.VRD - Encapsulate all redirect and forward URLs with a validation function
SECURITY.IBA.XPIJ - Avoid XPath injection when evaluating XPath queries
SECURITY.UEC.ADS - Ensure that 'axis.development.system' is set to "false" in Axis 'server-config.wsdd' files
SECURITY.UEC.AELQ - Ensure that 'axis.enableListQuery' is set to "false" in Axis 'server-config.wsdd' files
SECURITY.UEC.DSL - Ensure that 'axis.disableServiceList' is set to "true" in Axis 'server-config.wsdd' files
SECURITY.UEC.DSR - Avoid defining multiple security roles with the same name in 'web.xml' files
SECURITY.UEC.EDAR - Ensure that the 'Encrypt' directive is specified for each 'items' tag in Axis2 configuration files
SECURITY.UEC.FMCD - Ensure that each filter mapped in a 'web.xml' file has a corresponding definition
SECURITY.UEC.HTTPS - Use 'https' instead of 'http' for the 'transportReceiver' and 'transportSender' in 'axis2.xml' configuration files
SECURITY.UEC.ISOS - Ensure that 'InflowSecurity' and 'OutflowSecurity' parameters are specified in Axis2 configuration files
SECURITY.UEC.LCA - Include an appropriate '<login-config>' element to specify the type of authentication to be performed in 'web.xml' files
SECURITY.UEC.PCCF - Avoid storing usernames and passwords in plain text in Castor 'jdo-conf.xml' files
SECURITY.UEC.PTPT - Avoid using plain text passwords in Axis 'wsdd' files
SECURITY.UEC.PWDPROP - Ensure that passwords are not stored as plaintext and are sufficiently long
SECURITY.UEC.PWDXML - Ensure that passwords are not stored as plaintext and are sufficiently long
SECURITY.UEC.RAJ - Restrict access to JSPs in 'web.xml' files by including a security constraint for '*.jsp' files
SECURITY.UEC.REST - Ensure that "REST" is disabled in 'axis2.xml' configuration files
SECURITY.UEC.SDAR - Ensure that the 'Signature' directive is specified for each 'items' tag in Axis2 configuration files
SECURITY.UEC.SEP - Always specify error pages in web.xml
SECURITY.UEC.SLID - Ensure Session-ID Length is sufficient
SECURITY.UEC.SMM - Avoid using the SOAP Monitor module
SECURITY.UEC.SRCD - Ensure that each security role referenced in a 'web.xml' file has a corresponding definition
SECURITY.UEC.STTL - Ensure that sessions are configured to time out in 'web.xml' files
SECURITY.UEC.TDAR - Ensure that the 'Timestamp' directive is specified for each 'items' tag in Axis2 configuration files
SECURITY.UEC.UDC - Ensure that all constrained resources are protected with a '<user-data-constraint>' element in 'web.xml' files
SECURITY.UEC.UTAX - Avoid using plain text passwords in Axis2 configuration files
SECURITY.UEC.WCMC - Ensure SOAP messages are encrypted in WebSphere 'ibm-webservicesclient-ext.xmi' files
SECURITY.UEC.WCMI - Ensure SOAP messages are digitally signed in WebSphere 'ibm-webservicesclient-ext.xmi' files
SECURITY.UEC.WCMT - Avoid misconfiguring timestamps in WebSphere 'ibm-webservicesclient-ext.xmi' files
SECURITY.UEC.WCMWS - Ensure WS-Security is enabled in WebSphere 'ibm-webservicesclient-ext.xmi' files
SECURITY.UEC.WCPWD - Avoid unencrypted passwords in WebSphere 'ibm-webservicesclient-ext.xmi' files
SECURITY.UEC.WCUTS - Avoid unsigned timestamps in WebSphere 'ibm-webservicesclient-ext.xmi' files
SECURITY.UEC.WELC - Ensure all web content directories have a "welcome file"
SECURITY.UEC.WMC - Ensure SOAP messages are encrypted in WebSphere 'ibm-webservices-ext.xmi' files
SECURITY.UEC.WMI - Ensure SOAP messages are digitally signed in WebSphere 'ibm-webservices-ext.xmi' files
SECURITY.UEC.WMT - Avoid misconfiguring timestamps in WebSphere 'ibm-webservices-ext.xmi' files
SECURITY.UEC.WMWS - Ensure WS-Security is enabled in WebSphere 'ibm-webservices-ext.xmi' files
SECURITY.UEC.WPWD - Avoid unencrypted passwords in WebSphere 'ibm-webservices-ext.xmi' files
SECURITY.UEC.WSS - Ensure that the Rampart WS-Security module is enabled in Axis2 configuration files
SECURITY.UEC.WUTS - Avoid unsigned timestamps in WebSphere 'ibm-webservices-ext.xmi' files
SECURITY.UEHL.DCEMSL - Avoid untrusted input when logging messages with Seam Logging API
SECURITY.UEHL.LGE - Ensure all exceptions are either logged with a standard logger or rethrown
SECURITY.WSC.ACDP - Avoid using anonymous "privileged" classes when invoking "AccessController.doPrivileged()"
SECURITY.WSC.ACMD - Avoid using custom MessageDigest implementations
SECURITY.WSC.ACPST - Do not call the 'printStackTrace()' method of "Throwable" objects
SECURITY.WSC.AHCA - Avoid hard-coding the arguments to certain methods
SECURITY.WSC.AISSAJAVA - Avoid using insecure cryptographic algorithms for data encryption with Spring
SECURITY.WSC.AISSAXML - Avoid using insecure cryptographic algorithms in Spring XML configurations
SECURITY.WSC.AMA - Avoid constructors and overriding methods which are more accessible than those of their super classes
SECURITY.WSC.APIBS - Inspect usage of standard API calls that bypass security
SECURITY.WSC.ARXML - Process XML and HTML with a library instead of raw text
SECURITY.WSC.ASAPI - Prevent the scripting API from executing untrusted code
SECURITY.WSC.AUIC - Do not use inner classes
SECURITY.WSC.AUNC - Avoid using the javax.crypto.NullCipher class in non-test classes
SECURITY.WSC.BP - Allow only certain providers to be specified for the 'Security.addProvider()' method
SECURITY.WSC.BUSSB - Prevent external processes from blocking on output or error streams
SECURITY.WSC.CACM - Keep all access control methods centralized to enforce consistency
SECURITY.WSC.CAM - Keep all authentication methods centralized to enforce consistency
SECURITY.WSC.CAP - Always clone array parameters which are stored to fields
SECURITY.WSC.CFM - Only call "final" methods from specified code blocks in non-"final" classes
SECURITY.WSC.CIFC - Only "clone()" instances of "final" classes
SECURITY.WSC.CKTS - Avoid using cryptographic keys which are too short
SECURITY.WSC.CL - Do not define custom class loaders
SECURITY.WSC.CLI - Inspect instantiations of 'ClassLoader' objects
SECURITY.WSC.CLO - Do not override any 'ClassLoader' method except 'findClass()'
SECURITY.WSC.CLONE - Make your 'clone()' method "final" for security
SECURITY.WSC.CMO - Do not pass mutable objects to 'ObjectOutputStream' in the 'writeObject()' method
SECURITY.WSC.DCSM - Do not define custom 'SecurityManager's
SECURITY.WSC.DNSL - Avoid DNS lookups for decision making
SECURITY.WSC.DSER - Make your classes nondeserializeable
SECURITY.WSC.ENPP - Ensure arguments passed to certain methods come from predefined methods list
SECURITY.WSC.EWSSEC - Avoid debug information from Spring Security framework to logs
SECURITY.WSC.FIMU - Make immutable classes final
SECURITY.WSC.FXMLP - Ensure that Secure Processing is used
SECURITY.WSC.HCCK - Avoid using hard-coded cryptographic keys
SECURITY.WSC.HCCS - Avoid passing hardcoded usernames/passwords/URLs to database connection methods
SECURITY.WSC.HGRSI - Avoid using the 'getRequestedSessionId' method from the 'HttpServletRequest' class
SECURITY.WSC.HV - Ensure the HostnameVerifier.verify() method validates the certificate
SECURITY.WSC.ICA - Avoid using insecure algorithms for cryptography
SECURITY.WSC.INIVF - Defend against partially initialized instances of non-final classes
SECURITY.WSC.INNER - Make all member classes "private"
SECURITY.WSC.ISL - Always call 'HttpSession.invalidate()' before 'LoginContext.login()'
SECURITY.WSC.IVR - Avoid non-random "byte
SECURITY.WSC.MCMDU - MessageDigest objects must process the data with the 'update' method
SECURITY.WSC.MCNC - Make your classes noncloneable
SECURITY.WSC.MDSALT - Use hash functions with a salt
SECURITY.WSC.PAC - Call authentication methods to enforce consistency
SECURITY.WSC.PACC - Call access control methods to enforce consistency
SECURITY.WSC.PAF - Declare subclasses of 'PrivilegedAction', 'PrivilegedExceptionAction', and 'PrivilegedActionException' "final"
SECURITY.WSC.PBPSF - Declare subclasses of 'Permission' and 'BasicPermission' "final"
SECURITY.WSC.PBRTE - Always specify absolute paths to execute commands
SECURITY.WSC.PPKG - Ensure that all Permissions, PrivilegedActions, and PrivilegedActionExceptions are declared in the same package
SECURITY.WSC.PRMF - Declare the 'run()' method of 'PrivilegedAction' and 'PrivilegedExceptionAction' implementations "final"
SECURITY.WSC.PSFC - Do not declare fields as "public" "static" "final" 'Collection' or 'Map' objects
SECURITY.WSC.RDM - Inspect 'Random' objects or 'Math.random()' methods that could indicate areas where malicious code has been placed
SECURITY.WSC.SCF - Enforce 'SecurityManager' checks before setting or getting fields
SECURITY.WSC.SCHTTP - Mark cookies as HttpOnly
SECURITY.WSC.SCLONE - Enforce 'SecurityManager' checks in methods of 'Cloneable' classes
SECURITY.WSC.SCSER - Enforce 'SecurityManager' checks in methods of 'Serializable' classes
SECURITY.WSC.SCSM - Ensure 'SecurityManager' check in constructor of "public" non-"final" sensitive type
SECURITY.WSC.SER - Make your classes nonserializeable
SECURITY.WSC.SIKG - Initialize KeyGenerator instances
SECURITY.WSC.SL - Avoid string literals except in constant declarations and calls to System.out or System.err's 'print' or 'println' methods
SECURITY.WSC.SMSTR - Ensure 'SecurityManager' checks before 'Socket' transfers or retrievals
SECURITY.WSC.SRD - Use 'java.security.SecureRandom' instead of 'java.util.Random' or 'Math.random()'
SECURITY.WSC.SS - Do not use sockets in web components
SECURITY.WSC.SSM - Ensure that an appropriate security manager is set
SECURITY.WSC.SSP - Do not call 'System.setProperty()' in a web component
SECURITY.WSC.STREP - Use library methods for string replacements of special characters in HTML and XML
SECURITY.WSC.UMAIN - Avoid 'main()' methods because they may allow unauthorized access to classes
SECURITY.WSC.UOSC - Use the ''getSecure()'' and ''setSecure()'' methods to enforce the use of secure cookies
SECURITY.WSC.USC - Use the SSL-enabled version of classes when possible
SECURITY.WSC.UWM - Use wrapper methods instead of calling dangerous or problematic methods directly (custom rule)
SECURITY.WSC.VJFS - Always verify JarFile signatures
SECURITY.WSC.VSI - Properly validate server identity
SECURITY.WSC.ZOIS - Inspect usage of scripting API
SERIAL.DUID - Create a 'serialVersionUID' for all 'Serializable' classes
SERIAL.ENNAC - Avoid classes that implement 'Externalizable' but do not define a no-argument constructor
SERIAL.EZEE - Implement Externalizable instead of Serializable
SERIAL.FT - Avoid declaring "transient" fields in non-serializable classes
SERIAL.IRX - Avoid re-initializing fields in the 'readExternal()' method of 'Externalizable' classes
SERIAL.MRWD - Ensure the return type of 'readResolve()' and 'writeReplace()' methods are 'java.lang.Object'
SERIAL.NSFSC - Ensure Serializable classes are correct
SERIAL.OC - Ensure outer class is serializable if its inner class is serializable
SERIAL.ROWO - Ensure that the 'readObject()' and 'writeObject()' methods have the correct signature
SERIAL.RRSC - Define a "readResolve" method for all instances of Serializable types
SERIAL.RWAF - Ensure that all fields are assigned by the 'readObject()' method and written out by the 'writeObject()' method
SERIAL.SCBNP - Always declare writeObject and readObject methods for Serializable subclasses of non-Serializable parents
SERIAL.SNNAC - Avoid serializable classes that extend a superclass without a zero-argument constructor
SERIAL.SNSO - Do not store non-serializable objects as HttpSession attributes
SERIAL.SPF - Declare 'serialPersistentFields' "private static final"
SERIAL.SRLZ - Do not declare SerialVersionUID in classes that do not implement Serializable
SERIAL.SROS - Do not declare the 'readObject()' method as "synchronized"
SERIAL.VOBD - Validate objects before deserialization
SERVLET.AJDBC - Do not use JDBC code in Servlet classes
SERVLET.BINS - Do not use 'java.beans.Beans.instantiate()'
SERVLET.CETS - Catch all exceptions which may be thrown within Servlet methods
SERVLET.DSN - Avoid multiple '<servlet>' elements with the same '<servlet-name>' in a 'web.xml' file
SERVLET.IF - Do not define instance fields in Servlet classes
SERVLET.LML - Avoid using collections without size limit in servlets
SERVLET.MDC - Declare a "public" constructor that takes no parameters
SERVLET.NMS - Follow a limit for the number of mappings for each servlet in a 'web.xml' file
SERVLET.NSIS - Do not create static variables in a servlet
SERVLET.NSSS - Do not use static variables in servlets without synchronization
SERVLET.SCM - Ensure that all servlets have a corresponding mapping in 'web.xml' files
SERVLET.SDTD - Specify an appropriate schema or DTD file for 'web.xml' files
SERVLET.SOP - Minimize usage of System.out and System.err in Servlets
SERVLET.SSN - Ensure that all '<servlet>' elements contain a single non-empty '<servlet-name>' element in 'web.xml' files
SERVLET.STM - Do not use 'SingleThreadModel' in Servlet classes
SERVLET.SYN - Minimize synchronization in Servlets
SERVLET.UCO - Use a Context Object to manage HTTP request parameters
SPRING.ACARG - Avoid constructor injection
SPRING.ATCFG - Follow configuration class conventions
SPRING.DCSRFJAVA - Do not disable CSRF protection
SPRING.DCSRFXML - Do not disable CSRF protection
SPRING.DESC - Use ''description'' tag in configuration file headers
SPRING.IDNAME - Avoid using ''name'' and ''id'' simultaneously
SPRING.IMPORTSRES - Avoid using relative ''../'' path reference to parent files
SPRING.JDBCTEMPLATE - Avoid using native JDBC
SPRING.LOCAL - Use ''local'' property attribute in local scope
SPRING.PREFTYPE - Prefer ''type'' over ''index'' for constructor argument matching
SPRING.PROPLIMIT - Follow convention for bean properties
SPRING.REQMAP - Ensure that methods annotated with @RequestMapping specify the HTTP request method they call
SPRING.SPRNAM - Use naming conventions for spring beans
SPRING.USEID - Use ids as bean identifiers
STRUTS.STRUTS2.S2DAFV - Avoid duplicated field validators
STRUTS.STRUTS2.S2DV - Avoid duplicated validators
STRUTS.STRUTS2.S2DVF - Avoid duplicated validation files
STRUTS.STRUTS2.S2NA - Ensure each validation file has a corresponding Action
STRUTS.ACDA - Avoid accessing a database from Action Classes
STRUTS.ACJC - Avoid accessing a JSP page from Action Classes
STRUTS.AIV - Specify an @input attribute if '<action>' element has validation in 'struts-config.xml' files
STRUTS.AMFB - Specify a '<form-bean>' for each named '<action>' element in 'struts-config.xml' files
STRUTS.APSN - Avoid @prefix, @suffix, and @attribute for unnamed '<action>' elements in 'struts-config.xml'
STRUTS.ARP - Avoid using relative paths for attributes in 'struts-config.xml' files
STRUTS.DFV - Avoid duplicated forms in the 'validation.xml'
STRUTS.DLGF - Avoid local and global forwards with the same name in 'struts-config.xml' files
STRUTS.EV - Ensure validators are enabled in the 'struts-config.xml'
STRUTS.FIELDS - Provide an appropriate getter and setter method for each field in a form bean
STRUTS.FORM - Include only getter and setter methods in form beans
STRUTS.FWD - Specify a non-empty name and path for each '<forward>' element in 'struts-config.xml' files
STRUTS.IACM - Avoid calling methods of Action Classes
STRUTS.INST - Do not declare instance variables in Struts Action classes
STRUTS.MFBSN - Avoid defining multiple form beans with the same name in 'struts-config.xml' files
STRUTS.MLFF - Specify a valid 'maxlength' value for each form field in Struts validation files
STRUTS.MLVP - Use the 'minlength' validator for password fields in 'validation.xml'
STRUTS.NTFB - Specify a name and type for each form bean in 'struts-config.xml' files
STRUTS.PFS - Ensure that the @path attribute of '<action>' and '<forward>' elements begins with '/' in 'struts-config.xml' files
STRUTS.PLUGIN - Ensure Plugins are added in the 'struts-config.xml'
STRUTS.PMAC - Avoid public methods in Action Classes
STRUTS.PTE - Specify a non-empty path and type for each '<exception>' element in 'struts-config.xml' files
STRUTS.RSS - Ensure that the 'scope' attribute is set to either "request" or "session" for actions and exceptions in 'struts-config.xml' files
STRUTS.SCDTD - Use a Struts DTD for validation in 'struts-config.xml' files
STRUTS.TAFP - Specify a valid 'type' attribute for each '<form-property>' element in 'struts-config.xml' files
STRUTS.VPI - Enable the Struts Validator plug-in in all 'struts-config.xml' files
TRS.AIL - Do not use Atomic variables when always accessed in synchronized manner
TRS.ANF - Do not use 'notify()'; use 'notifyAll()' instead so that all waiting threads will be notified
TRS.ATI - Avoid accidental use of "Thread.interrupted()"
TRS.AUTG - Do not use variables of the unsafe type 'java.lang.ThreadGroup'
TRS.AUTY - Do not use 'Thread.yield()' because it may behave differently under different Virtual Machines
TRS.CDF - Avoid invoking methods using "static" 'Calendar', 'DateFormat', or 'SimpleDateFormat'
TRS.CHM - Use ConcurrentHashMap instead of Hashtable and "synchronizedMap" wrapped HashMap when possible
TRS.CIET - Do not catch InterruptedException except in classes extending Thread
TRS.CLQ - Use ConcurrentLinkedQueue instead of Vector and synchronizedList when possible
TRS.CMA - Avoid compound synchronized collection accesses which violate atomicity
TRS.CSFS - Do not cause deadlocks by calling a "synchronized" method from a "synchronized" method
TRS.CSTART - Do not call the "start" method of threads from inside a constructor
TRS.CTRE - Do not let "this" reference escape during construction
TRS.DCL - Avoid unsafe implementations of the "double-checked locking" pattern
TRS.DOPQ - Do not use DiscardOldestPolicy with PriorityBlockingQueue
TRS.GSD - Do not use "getState" except for debugging purposes
TRS.IASF - Inspect accesses to "static" fields which may require synchronization
TRS.ILI - Make lazy initializations thread-safe
TRS.IMSE - Do not catch 'IllegalMonitorStateException' since this exception likely indicates a design flaw
TRS.IRET - Implement Runnable instead of extending Thread
TRS.IRUN - Do not call the 'run()' method directly on classes extending 'java.lang.Thread' or implementing 'java.lang.Runnable'
TRS.ISTART - Do not call the 'start()' method directly on Thread class instances
TRS.LORD - Ensure that nested locks are ordered correctly
TRS.MRAV - Access related Atomic variables in a synchronized block
TRS.MRUN - Give subclasses of Thread a 'run()' method so they can run as separate threads
TRS.NAME - Ensure threads are named
TRS.NSM - Use "synchronized" blocks instead of making the whole method declaration "synchronized"
TRS.NSYN - Ensure 'wait()', 'notify()' and 'notifyAll()' are invoked on an object that is clearly synchronized in its enclosing method scope
TRS.OSNS - Avoid overriding synchronized methods with non-synchronized methods
TRS.RLF - Release Locks in a "finally" block
TRS.RUN - Use synchronization on methods that implement 'Runnable.run()'
TRS.SCS - Do not synchronize on constant Strings
TRS.SGC - Do not synchronize on the class object returned by the 'getClass' method
TRS.SNSM - Do not mix "static" and non-"static" "synchronized" methods
TRS.SOBC - Do not synchronize on a collection view if the backing collection is accessible
TRS.SOL - Do not perform synchronization using the "synchronized" keyword on implementations of "java.util.concurrent.locks.Lock"
TRS.SOPF - Do not synchronize on "public" fields since doing so may cause deadlocks
TRS.SOUF - Do not synchronize on non-"final" fields since doing so makes it difficult to guarantee mutual exclusion
TRS.SSCI - Manually synchronize on 'synchronized' collections when iterating over them
TRS.SSDF - Synchronize access to "static" SimpleDataFormats
TRS.SSUG - Make the get method for a field synchronized if the set method is synchronized
TRS.STR - Do not perform synchronization nor call semaphore methods on an Object's 'this' reference
TRS.THRD - Avoid calling unsafe deprecated methods of 'Thread' and 'Runtime'
TRS.TSHL - Do not call 'Thread.sleep()' while holding a lock since doing so can cause poor performance and deadlocks
TRS.UACS - Avoid unsynchronized accesses of "Collections.synchronized" wrapped Collections
TRS.UCM - Use unsynchronized Collections/Maps only when safe
TRS.USL - Use the same locking object to access variables
TRS.UT - Do not start a thread without specifying a 'run()' method
TRS.UWIL - Call 'wait()' and 'await()' only inside a loop that tests the liveness condition
TRS.UWNA - Use 'wait()' and 'notifyAll()' instead of polling loops
TRS.WOC - Use the correct method calls on "java.util.concurrent.locks.Condition" objects
TRS.WOS - Do not make the "writeObject()" method synchronized if no other method is synchronized
UC.AAI - Avoid unnecessary modifiers in an "interface"
UC.ACC - Remove commented out Java code
UC.AEEO - Ensure that classes do not explicitly extend 'java.lang.Object'
UC.AESTAT - Avoid empty static and non-static initializers
UC.AMAMI - Do not override "abstract" methods of a parent class with "abstract" methods
UC.ARTD - Avoid redundant throw clauses
UC.AUL - Avoid unused labels
UC.AURCO - Avoid collection objects that are never read
UC.AURV - Avoid local variables that are never read
UC.BCMP - Avoid unnecessary "boolean" comparisons
UC.DIEB - Avoid duplicate code in 'if' branches
UC.DIL - Do not explicitly "import" the java.lang.* "package"
UC.EF - Avoid empty 'finalize()' methods
UC.FCSF - Avoid redundant 'finalize()' methods which only call the superclass' 'finalize()' method
UC.FMFC - Avoid redundant "final" keywords in method declarations in "final" classes
UC.PF - Avoid unused "private" fields
UC.PIMPORT - Do not import classes from the package that contains the current class
UC.PM - Avoid unused "private" methods
UC.RSKE - Avoid redundant 'static' keywords in enum type declarations
UC.SNE - Avoid empty "synchronized" statements
UC.SO - Avoid methods that only call the overridden implementation (superclass implementation)
UC.UCATCH - Use a caught exception in the "catch" block
UC.UCIF - Avoid unnecessary 'if' statements
UC.UES - Avoid unnecessary "else" statements
UC.UIMPORT - Avoid unused "import" statements
UC.UP - Avoid unused parameters
UC.UPC - Avoid unused "private" classes or interfaces
UC.VR - Avoid unnecessary "return" statement at the end of "void" methods
XML.DLTH - Avoid debug levels which are too high in Tomcat's 'server.xml'
XML.WF - Ensure that XML files are well-formatted
