Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

Secrets
ABAP
Apex
C
C++
CloudFormation
COBOL
C#
CSS
Docker
Flex
Go
HTML
Java
JavaScript
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML

Java static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your JAVA code

Tags

Credentials should not be hard-coded
Vulnerability
Components should not be vulnerable to intent redirection
Vulnerability
XML parsers should not allow inclusion of arbitrary files
Vulnerability
Extracting archives should not lead to zip slip vulnerabilities
Vulnerability
Dynamic code execution should not be vulnerable to injection attacks
Vulnerability
NoSQL operations should not be vulnerable to injection attacks
Vulnerability
HTTP request redirections should not be open to forging attacks
Vulnerability
Deserialization should not be vulnerable to injection attacks
Vulnerability
Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks
Vulnerability
Database queries should not be vulnerable to injection attacks
Vulnerability
XML parsers should not be vulnerable to XXE attacks
Vulnerability
A secure password should be used when connecting to a database
Vulnerability
XPath expressions should not be vulnerable to injection attacks
Vulnerability
I/O function calls should not be vulnerable to path injection attacks
Vulnerability
LDAP queries should not be vulnerable to injection attacks
Vulnerability
OS commands should not be vulnerable to command injection attacks
Vulnerability
"@SpringBootApplication" and "@ComponentScan" should not be used in the default package
Bug
"@Controller" classes that use "@SessionAttributes" must call "setComplete" on their "SessionStatus" objects
Bug
"wait" should not be called when multiple locks are held
Bug
"PreparedStatement" and "ResultSet" methods should be called with valid indices
Bug
Files opened in append mode should not be used with ObjectOutputStream
Bug
"wait(...)" should be used instead of "Thread.sleep(...)" when a lock is held
Bug
Printf-style format strings should not lead to unexpected behavior at runtime
Bug
Methods "wait(...)", "notify()" and "notifyAll()" should not be called on Thread instances
Bug
Methods should not call same-class methods with incompatible "@Transactional" values
Bug
Recursion should not be infinite
Bug
Loops should not be infinite
Bug
Double-checked locking should not be used
Bug
Resources should be closed
Bug
Hard-coded secrets are security-sensitive
Security Hotspot
Hard-coded passwords are security-sensitive
Security Hotspot
Methods returns should not be invariant
Code Smell
"ThreadGroup" should not be used
Code Smell
"clone" should not be overridden
Code Smell
Assertions should be complete
Code Smell
Tests should include assertions
Code Smell
Silly bit operations should not be performed
Code Smell
Child class fields should not shadow parent class fields
Code Smell
JUnit test cases should call super methods
Code Smell
TestCases should contain tests
Code Smell
Short-circuit logic should be used in boolean contexts
Code Smell
Methods and field names should not be the same or differ only by capitalization
Code Smell
Switch cases should end with an unconditional "break" statement
Code Smell
"switch" statements should not contain non-case labels
Code Smell
Future keywords should not be used as names
Code Smell
Counter Mode initialization vectors should not be reused
Vulnerability
Thread suspensions should not be vulnerable to Denial of Service attacks
Vulnerability
A new session should be created during user authentication
Vulnerability
JWT should be signed and verified with strong cipher algorithms
Vulnerability
Cipher algorithms should be robust
Vulnerability
Encryption algorithms should be used with secure mode and padding scheme
Vulnerability
Server hostnames should be verified during SSL/TLS connections
Vulnerability
Insecure temporary file creation methods should not be used
Vulnerability
Passwords should not be stored in plain-text or with a fast hashing algorithm
Vulnerability
Server certificates should be verified during SSL/TLS connections
Vulnerability
Persistent entities should not be used as arguments of "@RequestMapping" methods
Vulnerability
"HttpSecurity" URL patterns should be correctly ordered
Vulnerability
LDAP connections should be authenticated
Vulnerability
Cryptographic keys should be robust
Vulnerability
Weak SSL/TLS protocols should not be used
Vulnerability
"SecureRandom" seeds should not be predictable
Vulnerability
Cipher Block Chaining IVs should be unpredictable
Vulnerability
Basic authentication should not be used
Vulnerability
Regular expressions should not be vulnerable to Denial of Service attacks
Vulnerability
"HttpServletRequest.getRequestedSessionId()" should not be used
Vulnerability
Hashes should include an unpredictable salt
Vulnerability
Calls to methods should not trigger an IllegalArgumentException
Bug
Unsupported methods should not be called on some collection implementations
Bug
Cast operations should not trigger a ClassCastException
Bug
Members ignored during record serialization should not be used
Bug
Map "computeIfAbsent()" and "computeIfPresent()" should not be used to add "null" values.
Bug
Regex lookahead assertions should not be contradictory
Bug
Back references in regular expressions should only refer to capturing groups that are matched before the reference
Bug
Regex boundaries should not be used in a way that can never be matched
Bug
Regex patterns following a possessive quantifier should not always fail
Bug
Regular expressions should be syntactically valid
Bug
Assertions comparing incompatible types should not be made
Bug
JUnit5 inner test classes should be annotated with @Nested
Bug
Only one method invocation is expected when testing checked exceptions
Bug
Assertion methods should not be used within the try block of a try-catch catching an Error
Bug
Getters and setters should access the expected fields
Bug
Zero should not be a possible denominator
Bug
Locks should be released on all paths
Bug
"runFinalizersOnExit" should not be called
Bug
"ScheduledThreadPoolExecutor" should not have 0 core threads
Bug
"Random" objects should be reused
Bug
The signature of "finalize()" should match that of "Object.finalize()"
Bug
Jump statements should not occur in "finally" blocks
Bug
"super.finalize()" should be called at the end of "Object.finalize()" implementations
Bug
Using slow regular expressions is security-sensitive
Security Hotspot
Using publicly writable directories is security-sensitive
Security Hotspot
Using clear-text protocols is security-sensitive
Security Hotspot
Accessing Android external storage is security-sensitive
Security Hotspot
Receiving intents is security-sensitive
Security Hotspot
Broadcasting intents is security-sensitive
Security Hotspot
Expanding archive files without controlling resource consumption is security-sensitive
Security Hotspot
Configuring loggers is security-sensitive
Security Hotspot
Using weak hashing algorithms is security-sensitive
Security Hotspot
Using unsafe Jackson deserialization configuration is security-sensitive
Security Hotspot
Setting JavaBean properties is security-sensitive
Security Hotspot
Disabling CSRF protections is security-sensitive
Security Hotspot
Using non-standard cryptographic algorithms is security-sensitive
Security Hotspot
Using pseudorandom number generators (PRNGs) is security-sensitive
Security Hotspot
Mocking all non-private methods of a class should be avoided
Code Smell
Empty lines should not be tested with regex MULTILINE flag
Code Smell
Methods setUp() and tearDown() should be correctly annotated starting with JUnit4
Code Smell
Class members annotated with "@VisibleForTesting" should not be accessed from production code
Code Smell
"String#replace" should be preferred to "String#replaceAll"
Code Smell
Derived exceptions should not hide their parents' catch blocks
Code Smell
String offset-based methods should be preferred for finding substrings from offsets
Code Smell
"default" clauses should be last
Code Smell
"equals" method parameters should not be marked "@Nonnull"
Code Smell
A conditionally executed single line should be denoted by indentation
Code Smell
Conditionals should start on new lines
Code Smell
Cognitive Complexity of methods should not be too high
Code Smell
Factory method injection should be used in "@Configuration" classes
Code Smell
"static" base class members should not be accessed via derived types
Code Smell
Instance methods should not write to "static" fields
Code Smell
"indexOf" checks should not be for positive numbers
Code Smell
Method overrides should not change contracts
Code Smell
Whitespace and control characters in literals should be explicit
Code Smell
Null should not be returned from a "Boolean" method
Code Smell
Classes should not access their own subclasses during initialization
Code Smell
"Object.wait(...)" and "Condition.await(...)" should be called inside a "while" loop
Code Smell
IllegalMonitorStateException should not be caught
Code Smell
JUnit assertions should not be used in "run" methods
Code Smell
Class names should not shadow interfaces or superclasses
Code Smell
"Cloneables" should implement "clone"
Code Smell
Try-with-resources should be used
Code Smell
"readResolve" methods should be inheritable
Code Smell
"for" loop increment clauses should modify the loops' counters
Code Smell
Fields in a "Serializable" class should either be transient or serializable
Code Smell
Package declaration should match source file directory
Code Smell
Generic wildcard types should not be used in return types
Code Smell
"switch" statements should have "default" clauses
Code Smell
Execution of the Garbage Collector should be triggered only by the JVM
Code Smell
Constants should not be defined in interfaces
Code Smell
String literals should not be duplicated
Code Smell
Methods should not be empty
Code Smell
"Object.finalize()" should remain protected (versus public) when overriding
Code Smell
Exceptions should not be thrown in finally blocks
Code Smell
Constant names should comply with a naming convention
Code Smell
The Object.finalize() method should not be overridden
Code Smell
Accessing files should not lead to filesystem oracle attacks
Vulnerability
Environment variables should not be defined from untrusted input
Vulnerability
XML operations should not be vulnerable to injection attacks
Vulnerability
JSON operations should not be vulnerable to injection attacks
Vulnerability
XML signatures should be validated securely
Vulnerability
XML parsers should not be vulnerable to Denial of Service attacks
Vulnerability
XML parsers should not load external schemas
Vulnerability
Mobile database encryption keys should not be disclosed
Vulnerability
Applications should not create session cookies from untrusted input
Vulnerability
Reflection should not be vulnerable to injection attacks
Vulnerability
Authorizations should be based on strong decisions
Vulnerability
OpenSAML2 should be configured to prevent authentication bypass
Vulnerability
Server-side requests should not be vulnerable to forging attacks
Vulnerability
Collections should not be modified while they are iterated
Bug
Equals method should be overridden in records containing array fields
Bug
Reflection should not be used to increase accessibility of records' fields
Bug
AssertJ assertions with "Consumer" arguments should contain assertion inside consumers
Bug
The regex escape sequence \cX should only be used with characters in the @-_ range
Bug
Regular expressions should not overflow the stack
Bug
Tests method should not be annotated with competing annotations
Bug
Assertions should not be used in production code
Bug
DateTimeFormatters should not use mismatched year and week numbers
Bug
Unicode Grapheme Clusters should be avoided inside regex character classes
Bug
Case insensitive Unicode regular expressions should enable the "UNICODE_CASE" flag
Bug
Assertions should not compare an object to itself
Bug
Regex alternatives should not be redundant
Bug
Alternatives in regular expressions should be grouped when used with anchors
Bug
AssertJ methods setting the assertion context should come before an assertion
Bug
AssertJ configuration should be applied
Bug
JUnit5 test classes and methods should not be silently ignored
Bug
"ThreadLocal" variables should be cleaned up when no longer used
Bug
Strings and Boxed types should be compared using "equals()"
Bug
InputSteam.read() implementation should not return a signed byte
Bug
"compareTo" should not be overloaded
Bug
"iterator" should not return "this"
Bug
Map values should not be replaced unconditionally
Bug
Week Year ("YYYY") should not be used for date formatting
Bug
Exceptions should not be created without being thrown
Bug
Collection sizes and array length comparisons should make sense
Bug
Consumed Stream pipelines should not be reused
Bug
Intermediate Stream methods should not be left unused
Bug
All branches in a conditional structure should not have exactly the same implementation
Bug
Optional value should only be accessed after calling isPresent()
Bug
Overrides should match their parent class methods in synchronization
Bug
Value-based classes should not be used for locking
Bug
Expressions used in "assert" should not produce side effects
Bug
"volatile" variables should not be used with compound operators
Bug
"getClass" should not be used for synchronization
Bug
Min and max used in combination should not always return the same value
Bug
Assignment of lazy-initialized members should be the last step with double-checked locking
Bug
"String" calls should not go beyond their bounds
Bug
Raw byte values should not be used in bitwise operations in combination with shifts
Bug
Getters and setters should be synchronized in pairs
Bug
Non-thread-safe fields should not be static
Bug
"null" should not be used with "Optional"
Bug
Unary prefix operators should not be repeated
Bug
"=+" should not be used instead of "+="
Bug
"read" and "readLine" return values should be used
Bug
Inappropriate regular expressions should not be used
Bug
Conditionally executed code should be reachable
Bug
"notifyAll" should be used
Bug
Blocks should be synchronized on "private final" fields
Bug
Non-serializable objects should not be stored in "HttpSession" objects
Bug
"wait", "notify" and "notifyAll" should only be called when a lock is obviously held on an object
Bug
Null pointers should not be dereferenced
Bug
Loop conditions should be true at least once
Bug
A "for" loop update clause should move the counter in the right direction
Bug
Non-public methods should not be "@Transactional"
Bug
Servlets should not have mutable instance fields
Bug
"toString()" and "clone()" methods should not return null
Bug
".equals()" should not be used to test the values of "Atomic" classes
Bug
Return values from functions without side effects should not be ignored
Bug
Child class methods named for parent class methods should be overrides
Bug
Inappropriate "Collection" calls should not be made
Bug
Silly equality checks should not be made
Bug
Dissimilar primitive wrappers should not be used with the ternary operator without explicit casting
Bug
"InterruptedException" should not be ignored
Bug
Classes extending java.lang.Thread should override the "run" method
Bug
"Double.longBitsToDouble" should not be used for "int"
Bug
Values should not be uselessly incremented
Bug
Silly String operations should not be made
Bug
Non-serializable classes should not be written
Bug
"hashCode" and "toString" should not be called on array instances
Bug
Collections should not be passed as arguments to their own methods
Bug
"BigDecimal(double)" should not be used
Bug
Invalid "Date" values should not be used
Bug
Reflection should not be used to check non-runtime annotations
Bug
Custom serialization method signatures should meet requirements
Bug
"Externalizable" classes should have no-arguments constructors
Bug
Classes should not be compared by name
Bug
Related "if/else if" statements should not have the same condition
Bug
Synchronization should not be done on instances of value-based classes
Bug
"Iterator.hasNext()" should not call "Iterator.next()"
Bug
Identical expressions should not be used on both sides of a binary operator
Bug
Loops with at most one iteration should be refactored
Bug
Variables should not be self-assigned
Bug
"StringBuilder" and "StringBuffer" should not be instantiated with a character
Bug
Methods should not be named "tostring", "hashcode" or "equal"
Bug
"Thread.run()" should not be called directly
Bug
"equals" method overrides should accept "Object" parameters
Bug
The Object.finalize() method should not be called
Bug
Enabling file access for WebViews is security-sensitive
Security Hotspot
Enabling JavaScript support for WebViews is security-sensitive
Security Hotspot
Constructing arguments of system commands from user input is security-sensitive
Security Hotspot
Using unencrypted files in mobile applications is security-sensitive
Security Hotspot
Using biometric authentication without a cryptographic solution is security-sensitive
Security Hotspot
Using unencrypted databases in mobile applications is security-sensitive
Security Hotspot
Authorizing non-authenticated users to use keys in the Android KeyStore is security-sensitive
Security Hotspot
Using long-term access keys is security-sensitive
Security Hotspot
Allowing user enumeration is security-sensitive
Security Hotspot
Allowing requests with excessive content length is security-sensitive
Security Hotspot
Disabling auto-escaping in template engines is security-sensitive
Security Hotspot
Allowing deserialization of LDAP objects is security-sensitive
Security Hotspot
Setting loose POSIX file permissions is security-sensitive
Security Hotspot
Formatting SQL queries is security-sensitive
Security Hotspot
Hash-based collections with known capacity should be initialized with the proper related static method.
Code Smell
Character classes in regular expressions should not contain only one character
Code Smell
Superfluous curly brace quantifiers should be avoided
Code Smell
Non-capturing groups without quantifier should not be used
Code Smell
Deprecated annotations should include explanations
Code Smell
Regular expressions should not contain empty groups
Code Smell
Regular expressions should not contain multiple spaces
Code Smell
Reusable resources should be initialized at construction time of Lambda functions
Code Smell
Credentials Provider should be set explicitly when creating a new "AwsClient"
Code Smell
Region should be set explicitly when creating a new "AwsClient"
Code Smell
Restricted Identifiers should not be used as Identifiers
Code Smell
Redundant constructors/methods should be avoided in records
Code Smell
Records should be used instead of ordinary classes when representing immutable data structure
Code Smell
"Stream.toList()" method should be used instead of "collectors" when unmodifiable list needed
Code Smell
Operator "instanceof" should be used instead of "A.class.isInstance()"
Code Smell
String multiline concatenation should be replaced with Text Blocks
Code Smell
Single-character alternations in regular expressions should be replaced with character classes
Code Smell
Reluctant quantifiers in regular expressions should be followed by an expression that can't match the empty string
Code Smell
Constructors of an "abstract" class should not be declared "public"
Code Smell
Similar tests should be grouped in a single Parameterized test
Code Smell
Tests should be stable
Code Smell
Test methods should not contain too many assertions
Code Smell
AssertJ "assertThatThrownBy" should not be used alone
Code Smell
Character classes in regular expressions should not contain the same character twice
Code Smell
Names of regular expressions named groups should be used
Code Smell
Regexes containing characters subject to normalization should use the CANON_EQ flag
Code Smell
Regular expressions should not be too complicated
Code Smell
JUnit assertTrue/assertFalse should be simplified to the corresponding dedicated assertion
Code Smell
Only one method invocation is expected when testing runtime exceptions
Code Smell
Exception testing via JUnit ExpectedException rule should not be mixed with other assertions
Code Smell
"@Deprecated" code marked for removal should never be used
Code Smell
Vararg method arguments should not be confusing
Code Smell
Whitespace for text block indent should be consistent
Code Smell
'List.remove()' should not be used in ascending 'for' loops
Code Smell
Collection constructors should not be used as java.util.function.Function
Code Smell
"else" statements should be clearly matched with an "if"
Code Smell
"Class.forName()" should not load JDBC 4.0+ drivers
Code Smell
Java features should be preferred to Guava
Code Smell
Nullness of parameters should be guaranteed
Code Smell
"Integer.toHexString" should not be used to build hexadecimal strings
Code Smell
Asserts should not be used to check the parameters of a public method
Code Smell
Assignments should not be redundant
Code Smell
Methods should not have identical implementations
Code Smell
"java.nio.Files#delete" should be preferred
Code Smell
Unused "private" classes should be removed
Code Smell
"Stream.peek" should be used with caution
Code Smell
"Map.get" and value test should be replaced with single method call
Code Smell
"@RequestMapping" methods should not be "private"
Code Smell
Raw types should not be used
Code Smell
"Arrays.stream" should be used for primitive arrays
Code Smell
Printf-style format strings should be used correctly
Code Smell
Assertion arguments should be passed in the correct order
Code Smell
Ternary operators should not be nested
Code Smell
"writeObject" should not be the only "synchronized" code in a class
Code Smell
Reflection should not be used to increase accessibility of classes, methods, or fields
Code Smell
Static fields should not be updated in constructors
Code Smell
"Thread.sleep" should not be used in tests
Code Smell
"entrySet()" should be iterated when both the key and value are needed
Code Smell
"DateUtils.truncate" from Apache Commons Lang library should not be used
Code Smell
Multiline blocks should be enclosed in curly braces
Code Smell
"readObject" should not be "synchronized"
Code Smell
"Preconditions" and logging arguments should not require evaluation
Code Smell
Boolean expressions should not be gratuitous
Code Smell
"Lock" objects should not be "synchronized"
Code Smell
Classes with only "static" methods should not be instantiated
Code Smell
"Threads" should not be used where "Runnables" are expected
Code Smell
Inner class calls to super class methods should be unambiguous
Code Smell
Unused type parameters should be removed
Code Smell
Parameters should be passed in the correct order
Code Smell
"ResultSet.isLast()" should not be used
Code Smell
"static" members should be accessed statically
Code Smell
Silly math should not be performed
Code Smell
Classes named like "Exception" should extend "Exception" or a subclass
Code Smell
Exceptions should be either logged or rethrown but not both
Code Smell
Objects should not be created only to "getClass"
Code Smell
Constructors should not be used to instantiate "String", "BigInteger", "BigDecimal" and primitive-wrapper classes
Code Smell
"URL.hashCode" and "URL.equals" should be avoided
Code Smell
Two branches in a conditional structure should not have exactly the same implementation
Code Smell
Unused assignments should be removed
Code Smell
"Object.wait(...)" should never be called on objects that implement "java.util.concurrent.locks.Condition"
Code Smell
A field should not duplicate the name of its containing class
Code Smell
JUnit4 @Ignored and JUnit5 @Disabled annotations should be used to disable tests and should provide a rationale
Code Smell
Anonymous inner classes containing only one method should become lambdas
Code Smell
"switch" statements should not have too many "case" clauses
Code Smell
"for" loop stop conditions should be invariant
Code Smell
Sections of code should not be commented out
Code Smell
Non-constructor methods should not have the same name as the enclosing class
Code Smell
Exception types should not be tested using "instanceof" in catch blocks
Code Smell
Classes from "sun.*" packages should not be used
Code Smell
Throwable and Error should not be caught
Code Smell
Unused method parameters should be removed
Code Smell
Only static class initializers should be used
Code Smell
Empty arrays and collections should be returned instead of null
Code Smell
"@Override" should be used on overriding and implementing methods
Code Smell
Enumeration should not be implemented
Code Smell
Synchronized classes Vector, Hashtable, Stack and StringBuffer should not be used
Code Smell
Unused "private" methods should be removed
Code Smell
Try-catch blocks should not be nested
Code Smell
Track uses of "FIXME" tags
Code Smell
Deprecated elements should have both the annotation and the Javadoc tag
Code Smell
Assignments should not be made from within sub-expressions
Code Smell
Generic exceptions should never be thrown
Code Smell
Labels should not be used
Code Smell
Utility classes should not have public constructors
Code Smell
Local variables should not shadow class fields
Code Smell
Redundant pairs of parentheses should be removed
Code Smell
Inheritance tree of classes should not be too deep
Code Smell
Nested blocks of code should not be left empty
Code Smell
Methods should not have too many parameters
Code Smell
Unused "private" fields should be removed
Code Smell
Collapsible "if" statements should be merged
Code Smell
Unused labels should be removed
Code Smell
Standard outputs should not be used directly to log anything
Code Smell
OS commands should not be vulnerable to argument injection attacks
Vulnerability
"ActiveMQConnectionFactory" should not be vulnerable to malicious code deserialization
Vulnerability
Logging should not be vulnerable to injection attacks
Vulnerability
Exceptions should not be thrown from servlet methods
Vulnerability
Return values should not be ignored when they contain the operation status code
Bug
Repeated patterns in regular expressions should not match the empty string
Bug
AssertJ assertions "allMatch" and "doesNotContains" should also test for emptiness
Bug
Double Brace Initialization should not be used
Bug
Non-primitive fields should not be "volatile"
Bug
"toArray" should be passed an array of the proper type
Bug
Neither "Math.abs" nor negation should be used on numbers that could be "MIN_VALUE"
Bug
The value returned from a stream read should be checked
Bug
"@NonNull" values should not be set to null
Bug
"Iterator.next()" methods should throw "NoSuchElementException"
Bug
"compareTo" results should not be checked for specific values
Bug
Math operands should be cast before assignment
Bug
Ints and longs should not be shifted by zero or more than their number of bits-1
Bug
"compareTo" should not return "Integer.MIN_VALUE"
Bug
Boxing and unboxing should not be immediately reversed
Bug
"equals(Object obj)" should test argument type
Bug
"Serializable" inner classes of non-serializable classes should be "static"
Bug
The non-serializable super class of a "Serializable" class should have a no-argument constructor
Bug
Method parameters, caught exceptions and foreach variables' initial values should not be ignored
Bug
"equals(Object obj)" and "hashCode()" should be overridden in pairs
Bug
Disclosing fingerprints from web application technologies is security-sensitive
Security Hotspot
Having a permissive Cross-Origin Resource Sharing policy is security-sensitive
Security Hotspot
Delivering code in production with debug features activated is security-sensitive
Security Hotspot
Searching OS commands in PATH is security-sensitive
Security Hotspot
Allowing both safe and unsafe HTTP methods is security-sensitive
Security Hotspot
Creating cookies without the "HttpOnly" flag is security-sensitive
Security Hotspot
Creating cookies without the "secure" flag is security-sensitive
Security Hotspot
Using hardcoded IP addresses is security-sensitive
Security Hotspot
Regular expression quantifiers and character classes should be used concisely
Code Smell
AWS region should not be set with a hardcoded String
Code Smell
Lambdas should not invoke other lambdas synchronously
Code Smell
Consumer Builders should be used
Code Smell
'serialVersionUID' field should not be set to '0L' in records
Code Smell
Permitted types of a sealed class should be omitted if they are declared in the same file
Code Smell
Switch arrow labels should not use redundant keywords
Code Smell
Text blocks should not be used in complex expressions
Code Smell
Pattern Matching for "instanceof" operator should be used instead of simple "instanceof" + cast
Code Smell
Call to Mockito method "verify", "when" or "given" should be simplified
Code Smell
Character classes should be preferred over reluctant quantifiers in regular expressions
Code Smell
Consecutive AssertJ "assertThat" statements should be chained
Code Smell
Chained AssertJ assertions should be simplified to the corresponding dedicated assertion
Code Smell
Exception testing via JUnit @Test annotation should be avoided
Code Smell
Escape sequences should not be used in text blocks
Code Smell
Simple string literal should be used for single line strings
Code Smell
Avoid using boxed "Boolean" types directly in boolean expressions
Code Smell
Type parameters should not shadow other type parameters
Code Smell
The upper bound of type variables and wildcards should not be "final"
Code Smell
"read(byte[],int,int)" should be overridden
Code Smell
An iteration on a Collection should be performed on the type handled by the Collection
Code Smell
"StandardCharsets" constants should be preferred
Code Smell
"@CheckForNull" or "@Nullable" should not be used on primitive types
Code Smell
Composed "@RequestMapping" variants should be preferred
Code Smell
"write(byte[],int,int)" should be overridden
Code Smell
Functional Interfaces should be as specialised as possible
Code Smell
Null checks should not be used with "instanceof"
Code Smell
"close()" calls should not be redundant
Code Smell
"ThreadLocal.withInitial" should be preferred
Code Smell
"Stream" call chains should be simplified when possible
Code Smell
Packages containing only "package-info.java" should be removed
Code Smell
Arrays should not be created for varargs parameters
Code Smell
Jump statements should not be redundant
Code Smell
Test classes should comply with a naming convention
Code Smell
Loggers should be named for their enclosing classes
Code Smell
Methods should not return constants
Code Smell
"private" methods called only by inner classes should be moved to those classes
Code Smell
"enum" fields should not be publicly mutable
Code Smell
Abstract methods should not be redundant
Code Smell
Arrays should not be copied using loops
Code Smell
Static non-final field names should comply with a naming convention
Code Smell
JUnit rules should be used
Code Smell
Nested "enum"s should not be declared static
Code Smell
"catch" clauses should do more than rethrow
Code Smell
Mutable fields should not be "public static"
Code Smell
The diamond operator ("<>") should be used
Code Smell
"finalize" should not set fields to "null"
Code Smell
Subclasses that add fields should override "equals"
Code Smell
Catches should be combined
Code Smell
Methods of "Random" that return floating point values should not be used in random integer generation
Code Smell
Parsing should be used to convert "Strings" to primitives
Code Smell
Classes should not be empty
Code Smell
Fields in non-serializable classes should not be "transient"
Code Smell
Boolean checks should not be inverted
Code Smell
Redundant casts should not be used
Code Smell
"@Deprecated" code should not be used
Code Smell
"toString()" should never be called on a String object
Code Smell
Annotation repetitions should not be wrapped
Code Smell
Multiple variables should not be declared on the same line
Code Smell
Strings should not be concatenated using '+' in a loop
Code Smell
Maps with keys that are enum values should be replaced with EnumMap
Code Smell
Lambdas should be replaced with method references
Code Smell
Parentheses should be removed from a single lambda input parameter when its type is inferred
Code Smell
Abstract classes without fields should be converted to interfaces
Code Smell
Lambdas containing only one statement should not nest this statement in a block
Code Smell
"Collections.EMPTY_LIST", "EMPTY_MAP", and "EMPTY_SET" should not be used
Code Smell
Local variables should not be declared and then immediately returned or thrown
Code Smell
Unused local variables should be removed
Code Smell
Private fields only used as local variables in methods should become local variables
Code Smell
"public static" fields should be constant
Code Smell
Loops should not contain more than a single "break" or "continue" statement
Code Smell
Declarations should use Java collection interfaces such as "List" rather than specific implementation classes such as "LinkedList"
Code Smell
"switch" statements should have at least 3 "case" clauses
Code Smell
A "while" loop should be used instead of a "for" loop
Code Smell
The default unnamed package should not be used
Code Smell
"equals(Object obj)" should be overridden along with the "compareTo(T obj)" method
Code Smell
Package names should comply with a naming convention
Code Smell
Nested code blocks should not be used
Code Smell
Array designators "[]" should be on the type, not the variable
Code Smell
Array designators "[]" should be located after the type in method signatures
Code Smell
Type parameter names should comply with a naming convention
Code Smell
Overriding methods should do more than simply call the same method in the super class
Code Smell
Classes that override "clone" should be "Cloneable" and call "super.clone()"
Code Smell
Public constants and fields initialized at declaration should be "static final" rather than merely "final"
Code Smell
Local variable and method parameter names should comply with a naming convention
Code Smell
Exception classes should be immutable
Code Smell
Field names should comply with a naming convention
Code Smell
Primitive wrappers should not be instantiated only for "toString" or "compareTo" calls
Code Smell
Case insensitive string comparisons should be made without intermediate upper or lower casing
Code Smell
Collection.isEmpty() should be used to test for emptiness
Code Smell
String.valueOf() should not be appended to a String
Code Smell
Interface names should comply with a naming convention
Code Smell
"throws" declarations should not be superfluous
Code Smell
Unnecessary imports should be removed
Code Smell
Return of boolean expressions should not be wrapped into an "if-then-else" statement
Code Smell
Boolean literals should not be redundant
Code Smell
Modifiers should be declared in the correct order
Code Smell
Empty statements should be removed
Code Smell
Class variable fields should not have public accessibility
Code Smell
URIs should not be hardcoded
Code Smell
Class names should comply with a naming convention
Code Smell
Method names should comply with a naming convention
Code Smell
The Singleton design pattern should be used with care
Code Smell
Methods should not perform too many tasks (aka Brain method)
Code Smell
Classes should not depend on an excessive number of classes (aka Monster Class)
Code Smell
Comma-separated labels should be used in Switch with colon case
Code Smell
JUnit5 test classes and methods should have default package visibility
Code Smell
Track uses of "TODO" tags
Code Smell
Deprecated code should be removed
Code Smell
Annotated Mockito objects should be initialized
Bug
Custom resources should be closed
Bug
Threads should not be started in constructors
Code Smell
"main" should not "throw" anything
Code Smell
Track lack of copyright and license headers
Code Smell
Octal values should not be used
Code Smell
Exit methods should not be called
Code Smell
HTTP response headers should not be vulnerable to injection attacks
Vulnerability
Members of Spring components should be injected
Vulnerability
Classes should not be loaded dynamically
Vulnerability
Equality operators should not be used in "for" loop termination conditions
Code Smell
"Bean Validation" (JSR 380) should be properly configured
Code Smell
Spring beans should be considered by "@ComponentScan"
Code Smell
Number patterns should be regular
Code Smell
Lazy initialization of "static" fields should be "synchronized"
Code Smell
Wildcard imports should not be used
Code Smell
Modulus results should not be checked for direct equality
Code Smell
Comparators should be "Serializable"
Code Smell
"Serializable" classes should have a "serialVersionUID"
Code Smell
"switch" statements and expressions should not be nested
Code Smell
Constructors should only call non-overridable methods
Code Smell
Methods should not be too complex
Code Smell
Control flow statements "if", "for", "while", "switch" and "try" should not be nested too deeply
Code Smell
"if ... else if" constructs should end with "else" clauses
Code Smell
Control structures should use curly braces
Code Smell
Expressions should not be too complex
Code Smell
Mockito argument matchers should be used on all parameters
Bug
Spring "@Controller" classes should not use "@Scope"
Bug
Constructor injection should be used instead of field injection
Bug
Classes that don't define "hashCode()" should not be used in hashes
Bug
Floating point numbers should not be tested for equality
Bug
Increment (++) and decrement (--) operators should not be used in a method call or mixed with other operators in an expression
Code Smell
Limited dependence should be placed on operator precedence
Code Smell
Types used as keys in Maps should implement Comparable
Code Smell
Custom getter method should not be used to override record's getter behavior
Code Smell
Tests should use fixed data instead of randomized data
Code Smell
Spring's ModelAndViewAssert assertions should be used instead of other assertions
Code Smell
Lambdas should not have too many lines
Code Smell
"@EnableAutoConfiguration" should be fine-tuned
Code Smell
Enum values should be compared with "=="
Code Smell
Spring components should use constructor injection
Code Smell
Regex patterns should not be created needlessly
Code Smell
Track uses of disallowed constructors
Code Smell
Java 8's "Files.exists" should not be used
Code Smell
"Optional" should not be used for parameters
Code Smell
Tests should be kept in a dedicated source directory
Code Smell
"this" should not be exposed from constructors
Code Smell
Classes should not have too many "static" imports
Code Smell
Escaped Unicode characters should not be used
Code Smell
Inner classes should not have too many lines of code
Code Smell
Inner classes which do not reference their owning classes should be "static"
Code Smell
"deleteOnExit" should not be used
Code Smell
Public methods should not contain selector arguments
Code Smell
Java parser failure
Code Smell
Track uses of disallowed methods
Code Smell
Types should be used in lambdas
Code Smell
"java.time" classes should be used for dates and times
Code Smell
Primitives should not be boxed just for "String" conversion
Code Smell
The names of methods with boolean return values should start with "is" or "has"
Code Smell
Files should contain only one top-level class or interface each
Code Smell
Classes should not have too many fields
Code Smell
The ternary operator should not be used
Code Smell
Standard functional interfaces should not be redefined
Code Smell
"NullPointerException" should not be caught
Code Smell
"NullPointerException" should not be explicitly thrown
Code Smell
Classes should not have too many methods
Code Smell
Methods should not have too many lines
Code Smell
Track uses of "NOSONAR" comments
Code Smell
Classes and enums with private members should have a constructor
Code Smell
Track comments matching a regular expression
Code Smell
Statements should be on separate lines
Code Smell
Classes should not be coupled to too many other classes (Single Responsibility Principle)
Code Smell
"java.lang.Error" should not be extended
Code Smell
Anonymous classes should not have too many lines
Code Smell
Public types, methods and fields (API) should be documented with Javadoc
Code Smell
Exception handlers should preserve the original exceptions
Code Smell
Checked exceptions should not be thrown
Code Smell
Public methods should throw at most one checked exception
Code Smell
"switch case" clauses should not have too many lines of code
Code Smell
Methods should not have too many return statements
Code Smell
Magic numbers should not be used
Code Smell
Files should not have too many lines of code
Code Smell
Lines should not be too long
Code Smell
JEE applications should not "getClassLoader"
Bug
Math should not be performed on floats
Bug
"equals" methods should be symmetric and work for subclasses
Bug
Literal suffixes should be upper case
Code Smell
Unicode-aware versions of character classes should be preferred
Code Smell
Use Java 12 "switch" expression
Code Smell
"serialVersionUID" should not be declared blindly
Code Smell
"Stream.collect()" calls should not be redundant
Code Smell
Local constants should follow naming conventions for constants
Code Smell
Unit tests should throw exceptions
Code Smell
Test methods should comply with a naming convention
Code Smell
Value-based objects should not be serialized
Code Smell
Default annotation parameter values should not be passed as arguments
Code Smell
Method parameters should be declared with base types
Code Smell
Fields should not be initialized to default values
Code Smell
Multiple loops over the same set should be combined
Code Smell
Classes without "public" constructors should be "final"
Code Smell
Unnecessary semicolons should be omitted
Code Smell
Literal boolean values and nulls should not be used in assertions
Code Smell
Test assertions should include messages
Code Smell
Private mutable members should not be stored or returned directly
Code Smell
Redundant modifiers should not be used
Code Smell
"private" and "final" methods that don't access instance data should be "static"
Code Smell
Files should not be empty
Code Smell
Collection methods with O(n) performance should be used carefully
Code Smell
"Exception" should not be caught when not required by called methods
Code Smell
"collect" should be used with "Streams" instead of "list::add"
Code Smell
Switches should be used for sequences of simple "String" tests
Code Smell
"final" classes should not have "protected" members
Code Smell
Underscores should be used to make large numbers readable
Code Smell
"Serializable" inner classes of "Serializable" classes should be static
Code Smell
Member variable visibility should be specified
Code Smell
Classes and methods that rely on the default system encoding should not be used
Code Smell
Simple class names should be used
Code Smell
Variables should not be declared before they are relevant
Code Smell
Extensions and implementations should not be redundant
Code Smell
"==" and "!=" should not be used when "equals" is overridden
Code Smell
An abstract class should have both abstract and concrete methods
Code Smell
Sets with elements that are enum values should be replaced with EnumSet
Code Smell
String operations should not rely on the default system locale
Code Smell
Comments should not be located at the end of lines of code
Code Smell
Track uses of "CHECKSTYLE:OFF" suppression comments
Code Smell
Loggers should be "private static final" and should share a naming convention
Code Smell
Track uses of "NOPMD" suppression comments
Code Smell
Packages should have a javadoc file 'package-info.java'
Code Smell
The members of an interface or class declaration should appear in a pre-defined order
Code Smell
Abstract class names should comply with a naming convention
Code Smell
Strings literals should be placed on the left side when checking for equality
Code Smell
Files should contain an empty newline at the end
Code Smell
Source code should be indented consistently
Code Smell
A close curly brace should be located at the beginning of a line
Code Smell
Close curly brace and the next "else", "catch" and "finally" keywords should be on two different lines
Code Smell
Close curly brace and the next "else", "catch" and "finally" keywords should be located on the same line
Code Smell
An open curly brace should be located at the beginning of a line
Code Smell
An open curly brace should be located at the end of a line
Code Smell
Tabulation characters should not be used
Code Smell
Functions should not be defined with a variable number of arguments
Code Smell
Local-Variable Type Inference should be used
Code Smell
Migrate your tests from JUnit4 to the new JUnit5 annotations
Code Smell
Track uses of disallowed classes
Code Smell
Track uses of "@SuppressWarnings" annotations
Code Smell

XML parsers should not be vulnerable to XXE attacks

Vulnerability

BlockerSonarSource default severity
click to learn more

cwe
symbolic-execution

Why is this an issue?

XML standard allows the use of entities, declared in the DOCTYPE of the document, which can be internal or external.

When parsing the XML file, the content of the external entities is retrieved from an external storage such as the file system or network, which may lead, if no restrictions are put in place, to arbitrary file disclosures or server-side request forgery (SSRF) vulnerabilities.

It’s recommended to limit resolution of external entities by using one of these solutions:

If DOCTYPE is not necessary, completely disable all DOCTYPE declarations.
If external entities are not necessary, completely disable their declarations.
If external entities are necessary then:
- Use XML processor features, if available, to authorize only required protocols (eg: https).
- And use an entity resolver (and optionally an XML Catalog) to resolve only trusted entities.

Noncompliant code example

For DocumentBuilder, SAXParser, XMLInput, Transformer and Schema JAPX factories:

DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); // Noncompliant

SAXParserFactory factory = SAXParserFactory.newInstance(); // Noncompliant

XMLInputFactory factory = XMLInputFactory.newInstance(); // Noncompliant

TransformerFactory factory = javax.xml.transform.TransformerFactory.newInstance();  // Noncompliant

SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);  // Noncompliant

For Dom4j library:

SAXReader xmlReader = new SAXReader(); // Noncompliant

For Jdom2 library:

SAXBuilder builder = new SAXBuilder(); // Noncompliant

Compliant solution

For DocumentBuilder, SAXParser, XMLInput, Transformer and Schema JAPX factories:

DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
// to be compliant, completely disable DOCTYPE declaration:
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// or completely disable external entities declarations:
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
// or prohibit the use of all protocols by external entities:
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
// or disable entity expansion but keep in mind that this doesn't prevent fetching external entities
// and this solution is not correct for OpenJDK < 13 due to a bug: https://bugs.openjdk.java.net/browse/JDK-8206132
factory.setExpandEntityReferences(false);


SAXParserFactory factory = SAXParserFactory.newInstance();
// to be compliant, completely disable DOCTYPE declaration:
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// or completely disable external entities declarations:
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
// or prohibit the use of all protocols by external entities:
SAXParser parser = factory.newSAXParser(); // Noncompliant
parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
parser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

XMLInputFactory factory = XMLInputFactory.newInstance();
// to be compliant, completely disable DOCTYPE declaration:
factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
// or completely disable external entities declarations:
factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
// or prohibit the use of all protocols by external entities:
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

TransformerFactory factory = javax.xml.transform.TransformerFactory.newInstance();
// to be compliant, prohibit the use of all protocols by external entities:
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
// to be compliant, completely disable DOCTYPE declaration:
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// or prohibit the use of all protocols by external entities:
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

For Dom4j library:

SAXReader xmlReader = new SAXReader();
xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

For Jdom2 library:

SAXBuilder builder = new SAXBuilder();
builder.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
builder.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

Resources

OWASP Top 10 2021 Category A5 - Security Misconfiguration
Oracle Java Documentation - XML External Entity Injection Attack
OWASP Top 10 2017 Category A4 - XML External Entities (XXE)
OWASP XXE Prevention Cheat Sheet
MITRE, CWE-611 - Information Exposure Through XML External Entity Reference
MITRE, CWE-827 - Improper Control of Document Type Definition

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

© 2008-2023 SonarSource S.A., Switzerland. All content is copyright protected. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, and SONARCLOUD are trademarks of SonarSource S.A. All other trademarks and copyrights are the property of their respective owners. All rights are expressly reserved.
Privacy Policy

In-IDE

SaaS

Self-Hosted