SonarSource Rules
  • Products

    In-IDE

    Code Quality and Security in your IDE with SonarQube Ide

    IDE extension that lets you fix coding issues before they exist!

    Discover SonarQube for IDE

    SaaS

    Code Quality and Security in the cloud with SonarQube Cloud

    Setup is effortless and analysis is automatic for most languages

    Discover SonarQube Cloud

    Self-Hosted

    Code Quality and Security Self-Hosted with SonarQube Server

    Fast, accurate analysis; enterprise scalability

    Discover SonarQube Server
  • SecretsSecrets
  • ABAPABAP
  • AnsibleAnsible
  • ApexApex
  • AzureResourceManagerAzureResourceManager
  • CC
  • C#C#
  • C++C++
  • CloudFormationCloudFormation
  • COBOLCOBOL
  • CSSCSS
  • DartDart
  • DockerDocker
  • FlexFlex
  • GitHub ActionsGitHub Actions
  • GoGo
  • HTMLHTML
  • JavaJava
  • JavaScriptJavaScript
  • JSONJSON
  • JCLJCL
  • KotlinKotlin
  • KubernetesKubernetes
  • Objective CObjective C
  • PHPPHP
  • PL/IPL/I
  • PL/SQLPL/SQL
  • PythonPython
  • RPGRPG
  • RubyRuby
  • RustRust
  • ScalaScala
  • ShellShell
  • SwiftSwift
  • TerraformTerraform
  • TextText
  • TypeScriptTypeScript
  • T-SQLT-SQL
  • VB.NETVB.NET
  • VB6VB6
  • XMLXML
  • YAMLYAML
Java

Java static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your JAVA code

  • All rules 733
  • Vulnerability60
  • Bug175
  • Security Hotspot40
  • Code Smell458

  • Quick Fix 65
 
Tags
    Impact
      Clean code attribute
        1. Functions should not be defined with a variable number of arguments

           Code Smell
        2. Return values should not be ignored when they contain the operation status code

           Bug
        3. Equality operators should not be used in "for" loop termination conditions

           Code Smell
        4. Increment (++) and decrement (--) operators should not be used in a method call or mixed with other operators in an expression

           Code Smell
        5. Limited dependence should be placed on operator precedence

           Code Smell
        6. Literal suffixes should be upper case

           Code Smell
        7. When a defaultFinisher is passed to a Gatherer factory, use the overload that does not take a finisher

           Code Smell
        8. Sensitive information should not be logged in production builds

           Vulnerability
        9. WebViews should not be vulnerable to cross-app scripting attacks

           Vulnerability
        10. Privileged prompts should not be vulnerable to injection attacks

           Vulnerability
        11. Don't provide an initializer for a stateless stream gatherer

           Code Smell
        12. Gatherer.ofSequential() should be used to build sequential gathers

           Code Smell
        13. "ClassBuilder.withMethodBody" should be preferred to "ClassBuilder.withMethod"

           Code Smell
        14. "transformClass" method should be used instead of "build" when transforming a class

           Code Smell
        15. Class name should be omitted when unchanged by class transform

           Code Smell
        16. Comments should start with the appropriate number of slashes

           Code Smell
        17. Types of unused record components should be removed from pattern matching

           Code Smell
        18. Markdown, HTML and Javadoc tags should be consistent

           Code Smell
        19. Unused exception parameter should use the unnamed variable pattern

           Code Smell
        20. Unnamed variable declarations should use the "var" identifier

           Code Smell
        21. Processing persistent unique identifiers is security-sensitive

           Security Hotspot
        22. Exposing native code through JavaScript interfaces is security-sensitive

           Security Hotspot
        23. Methods annotated with "@BeforeTransaction" or "@AfterTransaction" must respect the contract

           Code Smell
        24. Methods returning "Page" or "Slice" must take "Pageable" as an input parameter

           Code Smell
        25. @EventListener methods should have one parameter at most

           Bug
        26. "@Scheduled" annotation should only be applied to no-arg methods

           Bug
        27. @InitBinder methods should have void return type

           Code Smell
        28. "@Cache*" annotations should only be applied on concrete classes

           Code Smell
        29. @Cacheable and @CachePut should not be combined

           Code Smell
        30. Injecting data into static fields is not supported by Spring

           Code Smell
        31. Use appropriate @DirtiesContext modes

           Code Smell
        32. "String.isEmpty()" should be used to test for emptiness

           Code Smell
        33. Circular dependencies between classes across packages should be resolved

           Code Smell
        34. Server-side requests should not be vulnerable to traversing attacks

           Vulnerability
        35. Circular dependencies between classes in the same package should be resolved

           Code Smell
        36. Consumed Stream pipelines should not be reused

           Bug
        37. Bluetooth should be configured to use low power

           Code Smell
        38. Motion Sensor should not use gyroscope

           Code Smell
        39. Use when instead of a single if inside a pattern match body

           Code Smell
        40. "String.indexOf" should be used with correct ranges

           Bug
        41. Use Fused Location to optimize battery power

           Code Smell
        42. "Math.clamp" should be used with correct ranges

           Bug
        43. Use batch Processing in JDBC

           Code Smell
        44. Constant parameters in a "PreparedStatement" should not be set more than once

           Code Smell
        45. Virtual threads should not run tasks that include synchronized code

           Bug
        46. SQL queries should retrieve only necessary fields

           Code Smell
        47. Avoid using "FetchType.EAGER"

           Code Smell
        48. "setDaemon", "setPriority" and "getThreadGroup" should not be invoked on virtual threads

           Bug
        49. High frame rates should not be used

           Code Smell
        50. Exact alarms should not be abused

           Code Smell
        51. Proper Sensor Resource Management

           Code Smell
        52. Use built-in "Math.clamp" methods

           Code Smell
        53. Virtual threads should be used for tasks that include heavy blocking operations

           Bug
        54. Use switch instead of if-else chain to compare a variable against multiple cases

           Code Smell
        55. Use record pattern instead of explicit field access

           Code Smell
        56. Reverse view should be used instead of reverse copy in read-only cases

           Code Smell
        57. Reverse iteration should utilize reversed view

           Code Smell
        58. Set appropriate Status Codes on HTTP responses

           Bug
        59. Beans in "@Configuration" class should have different names

           Bug
        60. SpEL expression should have a valid syntax

           Bug
        61. "@PathVariable" annotation should be present if a path variable is used

           Bug
        62. "@Bean" methods for Singleton should not be invoked in "@Configuration" when proxyBeanMethods is false

           Bug
        63. Superfluous "@ResponseBody" annotations should be removed

           Code Smell
        64. "@Controller" should be replaced with "@RestController"

           Code Smell
        65. Non-singleton Spring beans should not be injected into singleton beans

           Code Smell
        66. "@Qualifier" should not be used on "@Bean" methods

           Bug
        67. Bean names should adhere to the naming conventions

           Code Smell
        68. "@Autowired" should be used when multiple constructors are provided

           Code Smell
        69. "@Autowired" should only be used on a single constructor

           Bug
        70. Use of the "@Async" annotation on methods declared within a "@Configuration" class in Spring Boot

           Bug
        71. Nullable injected fields and parameters should provide a default value

           Bug
        72. Optional REST parameters should have an object type

           Code Smell
        73. Field dependency injection should be avoided

           Code Smell
        74. Async methods should return void or Future

           Bug
        75. Methods with Spring proxy should not be called via "this"

           Code Smell
        76. Model attributes should follow the Java identifier naming convention

           Bug
        77. "@Value" annotation should inject property or SpEL expression

           Code Smell
        78. Redundant nullability annotations should be removed

           Code Smell
        79. Accessing files should not lead to filesystem oracle attacks

           Vulnerability
        80. The Singleton design pattern should be used with care

           Code Smell
        81. Environment variables should not be defined from untrusted input

           Vulnerability
        82. Methods should not perform too many tasks (aka Brain method)

           Code Smell
        83. Classes should not depend on an excessive number of classes (aka Monster Class)

           Code Smell
        84. Hash-based collections with known capacity should be initialized with the proper related static method.

           Code Smell
        85. Accessing an array element should not trigger an ArrayIndexOutOfBoundsException

           Bug
        86. Credentials should not be hard-coded

           Vulnerability
        87. Counter Mode initialization vectors should not be reused

           Vulnerability
        88. Hard-coded secrets are security-sensitive

           Security Hotspot
        89. Collections should not be modified while they are iterated

           Bug
        90. Calls to methods should not trigger an exception

           Bug
        91. Types used as keys in Maps should implement Comparable

           Code Smell
        92. XML operations should not be vulnerable to injection attacks

           Vulnerability
        93. JSON operations should not be vulnerable to injection attacks

           Vulnerability
        94. Character classes in regular expressions should not contain only one character

           Code Smell
        95. Superfluous curly brace quantifiers should be avoided

           Code Smell
        96. Non-capturing groups without quantifier should not be used

           Code Smell
        97. Thread suspensions should not be vulnerable to Denial of Service attacks

           Vulnerability
        98. Components should not be vulnerable to intent redirection

           Vulnerability
        99. XML signatures should be validated securely

           Vulnerability
        100. XML parsers should not be vulnerable to Denial of Service attacks

           Vulnerability
        101. XML parsers should not load external schemas

           Vulnerability
        102. XML parsers should not allow inclusion of arbitrary files

           Vulnerability
        103. Enabling file access for WebViews is security-sensitive

           Security Hotspot
        104. Enabling JavaScript support for WebViews is security-sensitive

           Security Hotspot
        105. Deprecated annotations should include explanations

           Code Smell
        106. Regular expression quantifiers and character classes should be used concisely

           Code Smell
        107. Constructing arguments of system commands from user input is security-sensitive

           Security Hotspot
        108. Regular expressions should not contain empty groups

           Code Smell
        109. Regular expressions should not contain multiple spaces

           Code Smell
        110. Unsupported methods should not be called on some collection implementations

           Bug
        111. Cast operations should not trigger a ClassCastException

           Bug
        112. Mobile database encryption keys should not be disclosed

           Vulnerability
        113. Using unencrypted files in mobile applications is security-sensitive

           Security Hotspot
        114. Using biometric authentication without a cryptographic solution is security-sensitive

           Security Hotspot
        115. Using unencrypted databases in mobile applications is security-sensitive

           Security Hotspot
        116. Authorizing non-authenticated users to use keys in the Android KeyStore is security-sensitive

           Security Hotspot
        117. Applications should not create session cookies from untrusted input

           Vulnerability
        118. Using long-term access keys is security-sensitive

           Security Hotspot
        119. AWS region should not be set with a hardcoded String

           Code Smell
        120. Lambdas should not invoke other lambdas synchronously

           Code Smell
        121. Consumer Builders should be used

           Code Smell
        122. Reusable resources should be initialized at construction time of Lambda functions

           Code Smell
        123. Credentials Provider should be set explicitly when creating a new "AwsClient"

           Code Smell
        124. Region should be set explicitly when creating a new "AwsClient"

           Code Smell
        125. 'serialVersionUID' field should not be set to '0L' in records

           Code Smell
        126. Equals method should be overridden in records containing array fields

           Bug
        127. Permitted types of a sealed class should be omitted if they are declared in the same file

           Code Smell
        128. Reflection should not be used to increase accessibility of records' fields

           Bug
        129. Restricted Identifiers should not be used as Identifiers

           Code Smell
        130. Local-Variable Type Inference should be used

           Code Smell
        131. Custom getter method should not be used to override record's getter behavior

           Code Smell
        132. Members ignored during record serialization should not be used

           Bug
        133. Comma-separated labels should be used in Switch with colon case

           Code Smell
        134. Redundant constructors/methods should be avoided in records

           Code Smell
        135. Records should be used instead of ordinary classes when representing immutable data structure

           Code Smell
        136. Switch arrow labels should not use redundant keywords

           Code Smell
        137. "Stream.toList()" method should be used instead of "collectors" when unmodifiable list needed

           Code Smell
        138. Text blocks should not be used in complex expressions

           Code Smell
        139. Operator "instanceof" should be used instead of "A.class.isInstance()"

           Code Smell
        140. Pattern Matching for "instanceof" operator should be used instead of simple "instanceof" + cast

           Code Smell
        141. Reflection should not be vulnerable to injection attacks

           Vulnerability
        142. String multiline concatenation should be replaced with Text Blocks

           Code Smell
        143. Map "computeIfAbsent()" and "computeIfPresent()" should not be used to add "null" values.

           Bug
        144. AssertJ assertions with "Consumer" arguments should contain assertion inside consumers

           Bug
        145. Extracting archives should not lead to zip slip vulnerabilities

           Vulnerability
        146. Mockito argument matchers should be used on all parameters

           Bug
        147. The regex escape sequence \cX should only be used with characters in the @-_ range

           Bug
        148. Call to Mockito method "verify", "when" or "given" should be simplified

           Code Smell
        149. Single-character alternations in regular expressions should be replaced with character classes

           Code Smell
        150. Reluctant quantifiers in regular expressions should be followed by an expression that can't match the empty string

           Code Smell
        151. Regex lookahead assertions should not be contradictory

           Bug
        152. Back references in regular expressions should only refer to capturing groups that are matched before the reference

           Bug
        153. Regular expressions should not overflow the stack

           Bug
        154. Regex boundaries should not be used in a way that can never be matched

           Bug
        155. Regex patterns following a possessive quantifier should not always fail

           Bug
        156. Constructors of an "abstract" class should not be declared "public"

           Code Smell
        157. Annotated Mockito objects should be initialized

           Bug
        158. Tests should use fixed data instead of randomized data

           Code Smell
        159. Similar tests should be grouped in a single Parameterized test

           Code Smell
        160. Tests should be stable

           Code Smell
        161. Spring's ModelAndViewAssert assertions should be used instead of other assertions

           Code Smell
        162. Mocking all non-private methods of a class should be avoided

           Code Smell
        163. Tests method should not be annotated with competing annotations

           Bug
        164. Test methods should not contain too many assertions

           Code Smell
        165. Assertions should not be used in production code

           Bug
        166. AssertJ "assertThatThrownBy" should not be used alone

           Code Smell
        167. DateTimeFormatters should not use mismatched year and week numbers

           Bug
        168. OS commands should not be vulnerable to argument injection attacks

           Vulnerability
        169. A new session should be created during user authentication

           Vulnerability
        170. Character classes in regular expressions should not contain the same character twice

           Code Smell
        171. Unicode Grapheme Clusters should be avoided inside regex character classes

           Bug
        172. Unicode-aware versions of character classes should be preferred

           Code Smell
        173. Case insensitive Unicode regular expressions should enable the "UNICODE_CASE" flag

           Bug
        174. Assertions should not compare an object to itself

           Bug
        175. Names of regular expressions named groups should be used

           Code Smell
        176. Character classes should be preferred over reluctant quantifiers in regular expressions

           Code Smell
        177. Regular expressions should be syntactically valid

           Bug
        178. Regex alternatives should not be redundant

           Bug
        179. Regexes containing characters subject to normalization should use the CANON_EQ flag

           Code Smell
        180. Consecutive AssertJ "assertThat" statements should be chained

           Code Smell
        181. Using slow regular expressions is security-sensitive

           Security Hotspot
        182. Alternatives in regular expressions should be grouped when used with anchors

           Bug
        183. Empty lines should not be tested with regex MULTILINE flag

           Code Smell
        184. Assertions comparing incompatible types should not be made

           Bug
        185. Regular expressions should not be too complicated

           Code Smell
        186. Repeated patterns in regular expressions should not match the empty string

           Bug
        187. AssertJ assertions "allMatch" and "doesNotContain" should also test for emptiness

           Bug
        188. Chained AssertJ assertions should be simplified to the corresponding dedicated assertion

           Code Smell
        189. AssertJ methods setting the assertion context should come before an assertion

           Bug
        190. AssertJ configuration should be applied

           Bug
        191. Methods setUp() and tearDown() should be correctly annotated starting with JUnit4

           Code Smell
        192. JUnit5 test classes and methods should not be silently ignored

           Bug
        193. Authorizations should be based on strong decisions

           Vulnerability
        194. Allowing user enumeration is security-sensitive

           Security Hotspot
        195. Class members annotated with "@VisibleForTesting" should not be accessed from production code

           Code Smell
        196. Migrate your tests from JUnit4 to the new JUnit5 annotations

           Code Smell
        197. JUnit5 inner test classes should be annotated with @Nested

           Bug
        198. JUnit5 test classes and methods should have default package visibility

           Code Smell
        199. JUnit assertTrue/assertFalse should be simplified to the corresponding dedicated assertion

           Code Smell
        200. Only one method invocation is expected when testing checked exceptions

           Bug
        201. Assertion methods should not be used within the try block of a try-catch catching an Error

           Bug
        202. Only one method invocation is expected when testing runtime exceptions

           Code Smell
        203. Exception testing via JUnit @Test annotation should be avoided

           Code Smell
        204. Exception testing via JUnit ExpectedException rule should not be mixed with other assertions

           Code Smell
        205. "@Deprecated" code marked for removal should never be used

           Code Smell
        206. Allowing requests with excessive content length is security-sensitive

           Security Hotspot
        207. Disclosing fingerprints from web application technologies is security-sensitive

           Security Hotspot
        208. OpenSAML2 should be configured to prevent authentication bypass

           Vulnerability
        209. Vararg method arguments should not be confusing

           Code Smell
        210. Escape sequences should not be used in text blocks

           Code Smell
        211. Whitespace for text block indent should be consistent

           Code Smell
        212. Simple string literal should be used for single line strings

           Code Smell
        213. JWT should be signed and verified with strong cipher algorithms

           Vulnerability
        214. Lambdas should not have too many lines

           Code Smell
        215. Cipher algorithms should be robust

           Vulnerability
        216. Encryption algorithms should be used with secure mode and padding scheme

           Vulnerability
        217. Server hostnames should be verified during SSL/TLS connections

           Vulnerability
        218. Server-side templates should not be vulnerable to injection attacks

           Vulnerability
        219. Insecure temporary file creation methods should not be used

           Vulnerability
        220. Using publicly writable directories is security-sensitive

           Security Hotspot
        221. 'List.remove()' should not be used in ascending 'for' loops

           Code Smell
        222. Avoid using boxed "Boolean" types directly in boolean expressions

           Code Smell
        223. "String#replace" should be preferred to "String#replaceAll"

           Code Smell
        224. Passwords should not be stored in plaintext or with a fast hashing algorithm

           Vulnerability
        225. Dynamic code execution should not be vulnerable to injection attacks

           Vulnerability
        226. Using clear-text protocols is security-sensitive

           Security Hotspot
        227. Collection constructors should not be used as java.util.function.Function

           Code Smell
        228. Accessing Android external storage is security-sensitive

           Security Hotspot
        229. Receiving intents is security-sensitive

           Security Hotspot
        230. Broadcasting intents is security-sensitive

           Security Hotspot
        231. "ActiveMQConnectionFactory" should not be vulnerable to malicious code deserialization

           Vulnerability
        232. "else" statements should be clearly matched with an "if"

           Code Smell
        233. Disabling auto-escaping in template engines is security-sensitive

           Security Hotspot
        234. Use Java 14 "switch" expression

           Code Smell
        235. "ThreadLocal" variables should be cleaned up when no longer used

           Bug
        236. NoSQL operations should not be vulnerable to injection attacks

           Vulnerability
        237. HTTP request redirections should not be open to forging attacks

           Vulnerability
        238. Logging should not be vulnerable to injection attacks

           Vulnerability
        239. Server-side requests should not be vulnerable to forging attacks

           Vulnerability
        240. Deserialization should not be vulnerable to injection attacks

           Vulnerability
        241. Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks

           Vulnerability
        242. "Bean Validation" (JSR 380) should be properly configured

           Code Smell
        243. Having a permissive Cross-Origin Resource Sharing policy is security-sensitive

           Security Hotspot
        244. Expanding archive files without controlling resource consumption is security-sensitive

           Security Hotspot
        245. Type parameters should not shadow other type parameters

           Code Smell
        246. Strings and Boxed types should be compared using "equals()"

           Bug
        247. Derived exceptions should not hide their parents' catch blocks

           Code Smell
        248. The upper bound of type variables and wildcards should not be "final"

           Code Smell
        249. "read(byte[],int,int)" should be overridden

           Code Smell
        250. "serialVersionUID" should not be declared blindly

           Code Smell
        251. "Class.forName()" should not load JDBC 4.0+ drivers

           Code Smell
        252. An iteration on a Collection should be performed on the type handled by the Collection

           Code Smell
        253. Server certificates should be verified during SSL/TLS connections

           Vulnerability
        254. Configuring loggers is security-sensitive

           Security Hotspot
        255. Using weak hashing algorithms is security-sensitive

           Security Hotspot
        256. Java features should be preferred to Guava

           Code Smell
        257. "StandardCharsets" constants should be preferred

           Code Smell
        258. Persistent entities should not be used as arguments of "@RequestMapping" methods

           Vulnerability
        259. "@CheckForNull" or "@Nullable" should not be used on primitive types

           Code Smell
        260. String offset-based methods should be preferred for finding substrings from offsets

           Code Smell
        261. Spring beans should be considered by "@ComponentScan"

           Code Smell
        262. "@EnableAutoConfiguration" should be fine-tuned

           Code Smell
        263. "@SpringBootApplication" and "@ComponentScan" should not be used in the default package

           Bug
        264. "HttpSecurity" URL patterns should be correctly ordered

           Vulnerability
        265. Enum values should be compared with "=="

           Code Smell
        266. Using unsafe Jackson deserialization configuration is security-sensitive

           Security Hotspot
        267. "default" clauses should be last

           Code Smell
        268. InputSteam.read() implementation should not return a signed byte

           Bug
        269. Setting JavaBean properties is security-sensitive

           Security Hotspot
        270. Delivering code in production with debug features activated is security-sensitive

           Security Hotspot
        271. Disabling CSRF protections is security-sensitive

           Security Hotspot
        272. Composed "@RequestMapping" variants should be preferred

           Code Smell
        273. "equals" method parameters should not be marked "@Nonnull"

           Code Smell
        274. Nullness of parameters should be guaranteed

           Code Smell
        275. Allowing deserialization of LDAP objects is security-sensitive

           Security Hotspot
        276. LDAP connections should be authenticated

           Vulnerability
        277. Cryptographic keys should be robust

           Vulnerability
        278. "Integer.toHexString" should not be used to build hexadecimal strings

           Code Smell
        279. Weak SSL/TLS protocols should not be used

           Vulnerability
        280. "compareTo" should not be overloaded

           Bug
        281. "write(byte[],int,int)" should be overridden

           Code Smell
        282. "iterator" should not return "this"

           Bug
        283. Secure random number generators should not output predictable values

           Vulnerability
        284. Spring components should use constructor injection

           Code Smell
        285. Functional Interfaces should be as specialised as possible

           Code Smell
        286. Getters and setters should access the expected fields

           Bug
        287. Asserts should not be used to check the parameters of a public method

           Code Smell
        288. "Stream.collect()" calls should not be redundant

           Code Smell
        289. Regex patterns should not be created needlessly

           Code Smell
        290. Null checks should not be used with "instanceof"

           Code Smell
        291. Local constants should follow naming conventions for constants

           Code Smell
        292. Assignments should not be redundant

           Code Smell
        293. Methods should not have identical implementations

           Code Smell
        294. Map values should not be replaced unconditionally

           Bug
        295. "close()" calls should not be redundant

           Code Smell
        296. "ThreadLocal.withInitial" should be preferred

           Code Smell
        297. "java.nio.Files#delete" should be preferred

           Code Smell
        298. Searching OS commands in PATH is security-sensitive

           Security Hotspot
        299. "Stream" call chains should be simplified when possible

           Code Smell
        300. Packages containing only "package-info.java" should be removed

           Code Smell
        301. Collection contents should be used

           Code Smell
        302. Track uses of disallowed constructors

           Code Smell
        303. Week Year ("YYYY") should not be used for date formatting

           Bug
        304. Unused "private" classes should be removed

           Code Smell
        305. Exceptions should not be created without being thrown

           Bug
        306. Collection sizes and array length comparisons should make sense

           Bug
        307. A conditionally executed single line should be denoted by indentation

           Code Smell
        308. Conditionals should start on new lines

           Code Smell
        309. Consumed Stream pipelines should not be reused

           Bug
        310. Intermediate Stream methods should not be left unused

           Bug
        311. Number patterns should be regular

           Code Smell
        312. All branches in a conditional structure should not have exactly the same implementation

           Bug
        313. Arrays should not be created for varargs parameters

           Code Smell
        314. "Stream.peek" should be used with caution

           Code Smell
        315. "Map.get" and value test should be replaced with single method call

           Code Smell
        316. Cognitive Complexity of methods should not be too high

           Code Smell
        317. "@Controller" classes that use "@SessionAttributes" must call "setComplete" on their "SessionStatus" objects

           Bug
        318. Allowing both safe and unsafe HTTP methods is security-sensitive

           Security Hotspot
        319. "@RequestMapping" methods should not be "private"

           Code Smell
        320. Spring "@Controller" classes should not use "@Scope"

           Bug
        321. Members of Spring components should be injected

           Code Smell
        322. Raw types should not be used

           Code Smell
        323. Java 8's "Files.exists" should not be used

           Code Smell
        324. Track uses of disallowed classes

           Code Smell
        325. Unit tests should throw exceptions

           Code Smell
        326. Optional value should only be accessed after calling isPresent()

           Bug
        327. Database queries should not be vulnerable to injection attacks

           Vulnerability
        328. "Arrays.stream" should be used for primitive arrays

           Code Smell
        329. Jump statements should not be redundant

           Code Smell
        330. Double Brace Initialization should not be used

           Bug
        331. Test methods should comply with a naming convention

           Code Smell
        332. Test classes should comply with a naming convention

           Code Smell
        333. "Optional" should not be used for parameters

           Code Smell
        334. Overrides should match their parent class methods in synchronization

           Bug
        335. Custom resources should be closed

           Bug
        336. Zero should not be a possible denominator

           Bug
        337. Methods returns should not be invariant

           Code Smell
        338. Format strings should be used correctly

           Code Smell
        339. Value-based objects should not be serialized

           Code Smell
        340. Value-based classes should not be used for locking

           Bug
        341. Loggers should be named for their enclosing classes

           Code Smell
        342. Assertion arguments should be passed in the correct order

           Code Smell
        343. Tests should be kept in a dedicated source directory

           Code Smell
        344. Methods should not return constants

           Code Smell
        345. "private" methods called only by inner classes should be moved to those classes

           Code Smell
        346. "this" should not be exposed from constructors

           Code Smell
        347. Ternary operators should not be nested

           Code Smell
        348. Expressions used in "assert" should not produce side effects

           Bug
        349. Creating cookies without the "HttpOnly" flag is security-sensitive

           Security Hotspot
        350. Cipher Block Chaining IVs should be unpredictable

           Vulnerability
        351. Constructor injection should be used instead of field injection

           Bug
        352. Factory method injection should be used in "@Configuration" classes

           Code Smell
        353. Default annotation parameter values should not be passed as arguments

           Code Smell
        354. "static" base class members should not be accessed via derived types

           Code Smell
        355. Method parameters should be declared with base types

           Code Smell
        356. "volatile" variables should not be used with compound operators

           Bug
        357. Non-primitive fields should not be "volatile"

           Bug
        358. "getClass" should not be used for synchronization

           Bug
        359. "enum" fields should not be publicly mutable

           Code Smell
        360. Min and max used in combination should not always return the same value

           Bug
        361. Assignment of lazy-initialized members should be the last step with double-checked locking

           Bug
        362. "StringBuilder" data should be used

           Code Smell
        363. Fields should not be initialized to default values

           Code Smell
        364. Multiple loops over the same set should be combined

           Code Smell
        365. "wait" should not be called when multiple locks are held

           Bug
        366. "writeObject" should not be the only "synchronized" code in a class

           Code Smell
        367. Indexes to passed to "String" operations should be within the string's bounds

           Bug
        368. Abstract methods should not be redundant

           Code Smell
        369. Raw byte values should not be used in bitwise operations in combination with shifts

           Bug
        370. ".isEmpty" should be used to test for the emptiness of StringBuffers/Builders

           Code Smell
        371. JEE applications should not "getClassLoader"

           Bug
        372. Classes should not have too many "static" imports

           Code Smell
        373. Arguments to "append" should not be concatenated

           Code Smell
        374. "Collection.toArray()" should be passed an array of the proper type

           Bug
        375. "ThreadGroup" should not be used

           Code Smell
        376. Arrays and lists should not be copied using loops

           Code Smell
        377. Reflection should not be used to increase accessibility of classes, methods, or fields

           Code Smell
        378. Static fields should not be updated in constructors

           Code Smell
        379. Static non-final field names should comply with a naming convention

           Code Smell
        380. "clone" should not be overridden

           Code Smell
        381. Classes without "public" constructors should be "final"

           Code Smell
        382. Escaped Unicode characters should not be used

           Code Smell
        383. Inner classes should not have too many lines of code

           Code Smell
        384. Assertions should be complete

           Code Smell
        385. Unnecessary semicolons should be omitted

           Code Smell
        386. "Thread.sleep" should not be used in tests

           Code Smell
        387. JUnit rules should be used

           Code Smell
        388. Getters and setters should be synchronized in pairs

           Bug
        389. Non-thread-safe fields should not be static

           Bug
        390. "entrySet()" should be iterated when both the key and value are needed

           Code Smell
        391. "null" should not be used with "Optional"

           Bug
        392. Nested "enum"s should not be declared static

           Code Smell
        393. Unary prefix operators should not be repeated

           Bug
        394. Non-existent operators like "=+" should not be used

           Bug
        395. XML parsers should not be vulnerable to XXE attacks

           Vulnerability
        396. "catch" clauses should do more than rethrow

           Code Smell
        397. "DateUtils.truncate" from Apache Commons Lang library should not be used

           Code Smell
        398. Literal boolean values and nulls should not be used in assertions

           Code Smell
        399. Tests should include assertions

           Code Smell
        400. Test assertions should include messages

           Code Smell
        401. Instance methods should not write to "static" fields

           Code Smell
        402. "PreparedStatement" and "ResultSet" methods should be called with valid indices

           Bug
        403. Inner classes which do not reference their owning classes should be "static"

           Code Smell
        404. Threads should not be started in constructors

           Code Smell
        405. "indexOf" checks should not be for positive numbers

           Code Smell
        406. Files opened in append mode should not be used with "ObjectOutputStream"

           Bug
        407. Multiline blocks should be enclosed in curly braces

           Code Smell
        408. "read" and "readLine" return values should be used

           Bug
        409. "Math.abs" and negation should not be used on numbers that could be "MIN_VALUE"

           Bug
        410. "readObject" should not be "synchronized"

           Code Smell
        411. The value returned from a stream read should be checked

           Bug
        412. Classes should not be loaded dynamically

           Vulnerability
        413. Basic authentication should not be used

           Vulnerability
        414. Inappropriate regular expressions should not be used

           Bug
        415. Method overrides should not change contracts

           Code Smell
        416. "@NonNull" values should not be set to null

           Bug
        417. Regular expressions should not be vulnerable to Denial of Service attacks

           Vulnerability
        418. "Preconditions" and logging arguments should not require evaluation

           Code Smell
        419. Setting loose POSIX file permissions is security-sensitive

           Security Hotspot
        420. Boolean expressions should not be gratuitous

           Code Smell
        421. Conditionally executed code should be reachable

           Bug
        422. Whitespace and control characters in literals should be explicit

           Code Smell
        423. "null" should not be returned from a "Boolean" method

           Code Smell
        424. "notifyAll()" should be preferred over "notify()"

           Bug
        425. Blocks should be synchronized on "private final" fields

           Bug
        426. Lazy initialization of "static" fields should be "synchronized"

           Code Smell
        427. Synchronizing on a "Lock" object should be avoided

           Code Smell
        428. Non-serializable objects should not be stored in "javax.servlet.http.HttpSession" instances

           Bug
        429. Classes with only "static" methods should not be instantiated

           Code Smell
        430. "Thread" should not be used where a "Runnable" argument is expected

           Code Smell
        431. Unnecessary bit operations should not be performed

           Code Smell
        432. Classes should not access their own subclasses during class initialization

           Bug
        433. Inner class calls to super class methods should be unambiguous

           Code Smell
        434. Child class fields should not shadow parent class fields

           Code Smell
        435. Mutable fields should not be "public static"

           Code Smell
        436. Private mutable members should not be stored or returned directly

           Code Smell
        437. Redundant modifiers should not be used

           Code Smell
        438. Unused type parameters should be removed

           Code Smell
        439. "private" and "final" methods that don't access instance data should be "static"

           Code Smell
        440. Files should not be empty

           Code Smell
        441. "deleteOnExit" should not be used

           Code Smell
        442. Public methods should not contain selector arguments

           Code Smell
        443. The diamond operator ("<>") should be used

           Code Smell
        444. "wait(...)" should be used instead of "Thread.sleep(...)" when a lock is held

           Bug
        445. Printf-style format strings should not lead to unexpected behavior at runtime

           Bug
        446. "Object.wait(...)" and "Condition.await(...)" should be called inside a "while" loop

           Code Smell
        447. "Object.wait()", "Object.notify()" and "Object.notifyAll()" should only be called from synchronized code

           Bug
        448. "Iterator.next()" methods should throw "NoSuchElementException"

           Bug
        449. Java parser failure

           Code Smell
        450. Null pointers should not be dereferenced

           Bug
        451. Using non-standard cryptographic algorithms is security-sensitive

           Security Hotspot
        452. "HttpServletRequest.getRequestedSessionId()" should not be used

           Vulnerability
        453. Track uses of disallowed methods

           Code Smell
        454. Loop conditions should be true at least once

           Bug
        455. A "for" loop update clause should move the counter in the right direction

           Bug
        456. Collection methods with O(n) performance should be used carefully

           Code Smell
        457. Using pseudorandom number generators (PRNGs) is security-sensitive

           Security Hotspot
        458. Methods "wait(...)", "notify()" and "notifyAll()" should not be called on Thread instances

           Bug
        459. "IllegalMonitorStateException" should not be caught

           Code Smell
        460. Parameters should be passed in the correct order

           Code Smell
        461. "ResultSet.isLast()" should not be used

           Code Smell
        462. Methods with Spring proxying annotations should be public

           Bug
        463. Methods should not call same-class methods with incompatible "@Transactional" values

           Bug
        464. Servlets should not have mutable instance fields

           Bug
        465. "toString()" and "clone()" methods should not return null

           Bug
        466. Locks should be released on all paths

           Bug
        467. "Exception" should not be caught when not required by called methods

           Code Smell
        468. Types should be used in lambdas

           Code Smell
        469. "static" members should be accessed statically

           Code Smell
        470. Wildcard imports should not be used

           Code Smell
        471. ".equals()" should not be used to test the values of "Atomic" classes

           Bug
        472. "collect" should be used with "Streams" instead of "list::add"

           Code Smell
        473. Return values from functions without side effects should not be ignored

           Bug
        474. "compareTo" results should not be checked for specific values

           Bug
        475. Modulus results should not be checked for direct equality

           Code Smell
        476. Switches should be used for sequences of simple "String" tests

           Code Smell
        477. Recursion should not be infinite

           Bug
        478. Loops should not be infinite

           Bug
        479. JUnit test cases should call super methods

           Code Smell
        480. TestCases should contain tests

           Code Smell
        481. JUnit assertions should not be used in "run" methods

           Code Smell
        482. Do not perform unnecessary mathematical operations

           Code Smell
        483. Math operands should be cast before assignment

           Bug
        484. Ints and longs should not be shifted by zero or more than their number of bits-1

           Bug
        485. Short-circuit logic should be used in boolean contexts

           Code Smell
        486. Child class methods named for parent class methods should be overrides

           Bug
        487. Class names should not shadow interfaces or superclasses

           Code Smell
        488. Inappropriate "Collection" calls should not be made

           Bug
        489. Double-checked locking should not be used

           Bug
        490. "compareTo" should not return "Integer.MIN_VALUE"

           Bug
        491. Classes named like "Exception" should extend "Exception" or a subclass

           Code Smell
        492. "finalize" should not set fields to "null"

           Code Smell
        493. Math should not be performed on floats

           Bug
        494. "equals" methods should be symmetric and work for subclasses

           Bug
        495. Subclasses that add fields to classes that override "equals" should also override "equals"

           Code Smell
        496. Unnecessary equality checks should not be made

           Bug
        497. "Cloneables" should implement "clone"

           Code Smell
        498. "final" classes should not have "protected" members

           Code Smell
        499. Dissimilar primitive wrappers should not be used with the ternary operator without explicit casting

           Bug
        500. Unnecessary boxing and unboxing should be avoided

           Bug
        501. "runFinalizersOnExit" should not be called

           Bug
        502. Underscores should be used to make large numbers readable

           Code Smell
        503. Catches should be combined

           Code Smell
        504. "java.time" classes should be used for dates and times

           Code Smell
        505. "InterruptedException" and "ThreadDeath" should not be ignored

           Bug
        506. Classes that don't define "hashCode()" should not be used in hashes

           Bug
        507. Methods of "Random" that return floating point values should not be used in random integer generation

           Code Smell
        508. Exceptions should be either logged or rethrown but not both

           Code Smell
        509. Classes extending java.lang.Thread should provide a specific "run" behavior

           Bug
        510. Objects should not be created only to invoke "getClass"

           Code Smell
        511. Primitives should not be boxed just for "String" conversion

           Code Smell
        512. Parsing should be used to convert "Strings" to primitives

           Code Smell
        513. Constructors should not be used to instantiate "String", "BigInteger", "BigDecimal" and primitive-wrapper classes

           Code Smell
        514. "Double.longBitsToDouble" should take "long" as argument

           Bug
        515. Values should not be uselessly incremented

           Bug
        516. "ScheduledThreadPoolExecutor" should not have 0 core threads

           Bug
        517. String operations with predictable outcomes should be avoided

           Bug
        518. "Random" objects should be reused

           Bug
        519. "writeObject" argument must implement "Serializable"

           Bug
        520. "hashCode" and "toString" should not be called on array instances

           Bug
        521. A secure password should be used when connecting to a database

           Vulnerability
        522. Collections should not be passed as arguments to their own methods

           Bug
        523. "URL.hashCode" and "URL.equals" should be avoided

           Code Smell
        524. "BigDecimal(double)" should not be used

           Bug
        525. Invalid "Date" values should not be used

           Bug
        526. Reflection should not be used to check non-runtime annotations

           Bug
        527. "equals(Object obj)" should test the argument's type

           Bug
        528. "main" should not "throw" anything

           Code Smell
        529. Resources should be closed

           Bug
        530. Classes should not be empty

           Code Smell
        531. Try-with-resources should be used

           Code Smell
        532. Creating cookies without the "secure" flag is security-sensitive

           Security Hotspot
        533. XPath expressions should not be vulnerable to injection attacks

           Vulnerability
        534. I/O function calls should not be vulnerable to path injection attacks

           Vulnerability
        535. LDAP queries should not be vulnerable to injection attacks

           Vulnerability
        536. Formatting SQL queries is security-sensitive

           Security Hotspot
        537. OS commands should not be vulnerable to command injection attacks

           Vulnerability
        538. Hard-coded passwords are security-sensitive

           Security Hotspot
        539. "Serializable" inner classes of non-serializable outer classes should be "static"

           Bug
        540. Fields in non-serializable classes should not be "transient"

           Code Smell
        541. Comparators should be "Serializable"

           Code Smell
        542. "readResolve" methods should be inheritable

           Code Smell
        543. Custom serialization methods should have required signatures

           Bug
        544. "Externalizable" classes should have no-arguments constructors

           Bug
        545. "Serializable" inner classes of "Serializable" classes should be static

           Code Smell
        546. "Serializable" classes should have a "serialVersionUID"

           Code Smell
        547. The non-serializable super class of a "Serializable" class should have a no-argument constructor

           Bug
        548. Password hashing functions should use an unpredictable salt

           Vulnerability
        549. The names of methods with boolean return values should start with "is" or "has"

           Code Smell
        550. Member variable visibility should be specified

           Code Smell
        551. Files should contain only one top-level class or interface each

           Code Smell
        552. "for" loop increment clauses should modify the loops' counters

           Code Smell
        553. Exceptions should not be thrown from servlet methods

           Vulnerability
        554. Fields in a "Serializable" class should either be transient or serializable

           Code Smell
        555. Classes and methods that rely on the default system encoding should not be used

           Code Smell
        556. Simple class names should be used

           Code Smell
        557. Variables should not be declared before they are relevant

           Code Smell
        558. Boolean checks should not be inverted

           Code Smell
        559. Extensions and implementations should not be redundant

           Code Smell
        560. Redundant casts should not be used

           Code Smell
        561. "@Deprecated" code should not be used

           Code Smell
        562. Classes should not be compared by name

           Bug
        563. Two branches in a conditional structure should not have exactly the same implementation

           Code Smell
        564. Related "if/else if" statements should not have the same condition

           Bug
        565. Synchronization should not be done on instances of value-based classes

           Bug
        566. "toString()" should never be called on a String object

           Code Smell
        567. Unused assignments should be removed

           Code Smell
        568. "Iterator.hasNext()" should not call "Iterator.next()"

           Bug
        569. Methods and field names should not be the same or differ only by capitalization

           Code Smell
        570. "Object.wait" should not be called on objects that implement "java.util.concurrent.locks.Condition"

           Code Smell
        571. "switch" statements and expressions should not be nested

           Code Smell
        572. Classes should not have too many fields

           Code Smell
        573. The ternary operator should not be used

           Code Smell
        574. Identical expressions should not be used on both sides of a binary operator

           Bug
        575. Loops with at most one iteration should be refactored

           Bug
        576. Standard functional interfaces should not be redefined

           Code Smell
        577. Annotation repetitions should not be wrapped

           Code Smell
        578. A field should not duplicate the name of its containing class

           Code Smell
        579. Constructors should only call non-overridable methods

           Code Smell
        580. "==" and "!=" should not be used when "equals" is overridden

           Code Smell
        581. "NullPointerException" should not be caught

           Code Smell
        582. "NullPointerException" should not be explicitly thrown

           Code Smell
        583. An abstract class should have both abstract and concrete methods

           Code Smell
        584. Multiple variables should not be declared on the same line

           Code Smell
        585. Variables should not be self-assigned

           Bug
        586. Strings should not be concatenated using '+' in a loop

           Code Smell
        587. Sets with elements that are enum values should be replaced with EnumSet

           Code Smell
        588. Maps with keys that are enum values should use the EnumMap implementation

           Code Smell
        589. Lambdas should be replaced with method references

           Code Smell
        590. Parentheses should be removed from a single lambda parameter when its type is inferred

           Code Smell
        591. Abstract classes without fields should be converted to interfaces

           Code Smell
        592. JUnit4 @Ignored and JUnit5 @Disabled annotations should be used to disable tests and should provide a rationale

           Code Smell
        593. Anonymous inner classes containing only one method should become lambdas

           Code Smell
        594. Lambdas containing only one statement should not nest this statement in a block

           Code Smell
        595. Package declaration should match source file directory

           Code Smell
        596. "Collections.EMPTY_LIST", "EMPTY_MAP", and "EMPTY_SET" should not be used

           Code Smell
        597. Methods should not be too complex

           Code Smell
        598. Local variables should not be declared and then immediately returned or thrown

           Code Smell
        599. Unused local variables should be removed

           Code Smell
        600. "switch" statements should not have too many "case" clauses

           Code Smell
        601. Generic wildcard types should not be used in return types

           Code Smell
        602. Track lack of copyright and license headers

           Code Smell
        603. Private fields only used as local variables in methods should become local variables

           Code Smell
        604. String operations should not rely on the default system locale

           Code Smell
        605. Classes should not have too many methods

           Code Smell
        606. "public static" fields should be constant

           Code Smell
        607. Comments should not be located at the end of lines of code

           Code Smell
        608. Methods should not have too many lines

           Code Smell
        609. Loops should not contain more than a single "break" or "continue" statement

           Code Smell
        610. Control flow statements "if", "for", "while", "switch" and "try" should not be nested too deeply

           Code Smell
        611. Declarations should use Java collection interfaces such as "List" rather than specific implementation classes such as "LinkedList"

           Code Smell
        612. "StringBuilder" and "StringBuffer" should not be instantiated with a character

           Bug
        613. Track uses of "CHECKSTYLE:OFF" suppression comments

           Code Smell
        614. Octal values should not be used

           Code Smell
        615. Using hardcoded IP addresses is security-sensitive

           Security Hotspot
        616. Loggers should be "private static final" and should share a naming convention

           Code Smell
        617. Track uses of "NOPMD" suppression comments

           Code Smell
        618. "switch" statements should have "default" clauses

           Code Smell
        619. Track uses of "@SuppressWarnings" annotations

           Code Smell
        620. "switch" statements should have at least 3 "case" clauses

           Code Smell
        621. Track uses of "NOSONAR" comments

           Code Smell
        622. Switch cases should end with an unconditional "break" statement

           Code Smell
        623. "for" loop stop conditions should be invariant

           Code Smell
        624. A "while" loop should be used instead of a "for" loop

           Code Smell
        625. "if ... else if" constructs should end with "else" clauses

           Code Smell
        626. Classes and enums with private members should have a constructor

           Code Smell
        627. Sections of code should not be commented out

           Code Smell
        628. Floating point numbers should not be tested for equality

           Bug
        629. Track comments matching a regular expression

           Code Smell
        630. Packages should have a javadoc file 'package-info.java'

           Code Smell
        631. Method parameters, caught exceptions and foreach variables' initial values should not be ignored

           Bug
        632. Non-constructor methods should not have the same name as the enclosing class

           Code Smell
        633. Methods should not be named "tostring", "hashcode" or "equal"

           Bug
        634. The default unnamed package should not be used

           Code Smell
        635. Statements should be on separate lines

           Code Smell
        636. "switch" statements should not contain non-case labels

           Code Smell
        637. "Thread.run()" should not be called directly

           Bug
        638. Execution of the Garbage Collector should be triggered only by the JVM

           Code Smell
        639. Interfaces should not solely consist of constants

           Code Smell
        640. The members of an interface or class declaration should appear in a pre-defined order

           Code Smell
        641. "equals(Object obj)" should be overridden along with the "compareTo(T obj)" method

           Code Smell
        642. Control structures should use curly braces

           Code Smell
        643. "equals(Object obj)" and "hashCode()" should be overridden in pairs

           Bug
        644. "equals" method overrides should accept "Object" parameters

           Bug
        645. Classes should not be coupled to too many other classes

           Code Smell
        646. Package names should comply with a naming convention

           Code Smell
        647. Nested code blocks should not be used

           Code Smell
        648. Array designators "[]" should be on the type, not the variable

           Code Smell
        649. Array designators "[]" should be located after the type in method signatures

           Code Smell
        650. "java.lang.Error" should not be extended

           Code Smell
        651. Exception types should not be tested using "instanceof" in catch blocks

           Code Smell
        652. String literals should not be duplicated

           Code Smell
        653. Classes from "sun.*" packages should not be used

           Code Smell
        654. Future keywords should not be used as names

           Code Smell
        655. Type parameter names should comply with a naming convention

           Code Smell
        656. Anonymous classes should not have too many lines

           Code Smell
        657. Methods should not be empty

           Code Smell
        658. Overriding methods should do more than simply call the same method in the super class

           Code Smell
        659. Classes that override "clone" should be "Cloneable" and call "super.clone()"

           Code Smell
        660. Throwable and Error should not be caught

           Code Smell
        661. Abstract class names should comply with a naming convention

           Code Smell
        662. Public types, methods and fields (API) should be documented with Javadoc

           Code Smell
        663. The signature of "finalize()" should match that of "Object.finalize()"

           Bug
        664. "Object.finalize()" should remain protected (versus public) when overriding

           Code Smell
        665. Unused method parameters should be removed

           Code Smell
        666. Only static class initializers should be used

           Code Smell
        667. Public constants and fields initialized at declaration should be "static final" rather than merely "final"

           Code Smell
        668. Local variable and method parameter names should comply with a naming convention

           Code Smell
        669. Empty arrays and collections should be returned instead of null

           Code Smell
        670. Exception handlers should preserve the original exceptions

           Code Smell
        671. Exception classes should have final fields

           Code Smell
        672. Exceptions should not be thrown in finally blocks

           Code Smell
        673. Checked exceptions should not be thrown

           Code Smell
        674. "@Override" should be used on overriding and implementing methods

           Code Smell
        675. Public methods should throw at most one checked exception

           Code Smell
        676. Field names should comply with a naming convention

           Code Smell
        677. Primitive wrappers should not be instantiated only for "toString" or "compareTo" calls

           Code Smell
        678. Case insensitive string comparisons should be made without intermediate upper or lower casing

           Code Smell
        679. "Collection.isEmpty()" should be used to test for emptiness

           Code Smell
        680. "String.valueOf()" should not be appended to a "String"

           Code Smell
        681. "switch case" clauses should not have too many lines of code

           Code Smell
        682. "Enumeration" should not be implemented

           Code Smell
        683. Constant names should comply with a naming convention

           Code Smell
        684. Synchronized classes "Vector", "Hashtable", "Stack" and "StringBuffer" should not be used

           Code Smell
        685. Exit methods should not be called

           Code Smell
        686. Unused "private" methods should be removed

           Code Smell
        687. Jump statements should not occur in "finally" blocks

           Bug
        688. Methods should not have too many return statements

           Code Smell
        689. Try-catch blocks should not be nested

           Code Smell
        690. Interface names should comply with a naming convention

           Code Smell
        691. Track uses of "TODO" tags

           Code Smell
        692. Track uses of "FIXME" tags

           Code Smell
        693. Deprecated code should be removed

           Code Smell
        694. Strings literals should be placed on the left side when checking for equality

           Code Smell
        695. Exceptions in "throws" clauses should not be superfluous

           Code Smell
        696. Files should end with a newline

           Code Smell
        697. Unnecessary imports should be removed

           Code Smell
        698. Return of boolean expressions should not be wrapped into an "if-then-else" statement

           Code Smell
        699. Boolean literals should not be redundant

           Code Smell
        700. Modifiers should be declared in the correct order

           Code Smell
        701. Deprecated elements should have both the annotation and the Javadoc tag

           Code Smell
        702. Assignments should not be made from within sub-expressions

           Code Smell
        703. Source code should be indented consistently

           Code Smell
        704. Generic exceptions should never be thrown

           Code Smell
        705. Labels should not be used

           Code Smell
        706. Utility classes should not have public constructors

           Code Smell
        707. Local variables should not shadow class fields

           Code Smell
        708. Empty statements should be removed

           Code Smell
        709. "super.finalize()" should be called at the end of "Object.finalize()" implementations

           Bug
        710. The "Object.finalize()" method should not be overridden

           Code Smell
        711. The "Object.finalize()" method should not be called

           Bug
        712. Redundant pairs of parentheses should be removed

           Code Smell
        713. A close curly brace should be located at the beginning of a line

           Code Smell
        714. Close curly brace and the next "else", "catch" and "finally" keywords should be on two different lines

           Code Smell
        715. Close curly brace and the next "else", "catch" and "finally" keywords should be located on the same line

           Code Smell
        716. An open curly brace should be located at the beginning of a line

           Code Smell
        717. An open curly brace should be located at the end of a line

           Code Smell
        718. Class variable fields should not have public accessibility

           Code Smell
        719. Inheritance tree of classes should not be too deep

           Code Smell
        720. Magic numbers should not be used

           Code Smell
        721. Nested blocks of code should not be left empty

           Code Smell
        722. URIs should not be hardcoded

           Code Smell
        723. Methods should not have too many parameters

           Code Smell
        724. Unused "private" fields should be removed

           Code Smell
        725. Expressions should not be too complex

           Code Smell
        726. Mergeable "if" statements should be combined

           Code Smell
        727. Unused labels should be removed

           Code Smell
        728. Standard outputs should not be used directly to log anything

           Code Smell
        729. Tabulation characters should not be used

           Code Smell
        730. Files should not have too many lines of code

           Code Smell
        731. Lines should not be too long

           Code Smell
        732. Class names should comply with a naming convention

           Code Smell
        733. Method names should comply with a naming convention

           Code Smell

        Hard-coded secrets are security-sensitive

        responsibility - trustworthy
        security
        Security Hotspot
        • cwe
        • cert

        Because it is easy to extract strings from an application source code or binary, secrets should not be hard-coded. This is particularly true for applications that are distributed or that are open-source.

        In the past, it has led to the following vulnerabilities:

        • CVE-2022-25510
        • CVE-2021-42635

        Secrets should be stored outside of the source code in a configuration file or a management service for secrets.

        This rule detects variables/fields having a name matching a list of words (secret, token, credential, auth, api[_.-]?key) being assigned a pseudorandom hard-coded value. The pseudorandomness of the hard-coded value is based on its entropy and the probability to be human-readable. The randomness sensibility can be adjusted if needed. Lower values will detect less random values, raising potentially more false positives.

        Ask Yourself Whether

        • The secret allows access to a sensitive component like a database, a file storage, an API, or a service.
        • The secret is used in a production environment.
        • Application re-distribution is required before updating the secret.

        There would be a risk if you answered yes to any of those questions.

        Recommended Secure Coding Practices

        • Store the secret in a configuration file that is not pushed to the code repository.
        • Use your cloud provider’s service for managing secrets.
        • If a secret has been disclosed through the source code: revoke it and create a new one.

        Sensitive Code Example

        private static final String MY_SECRET = "47828a8dd77ee1eb9dde2d5e93cb221ce8c32b37";
        
        public static void main(String[] args) {
          MyClass.callMyService(MY_SECRET);
        }
        

        Compliant Solution

        Using AWS Secrets Manager:

        import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
        import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueResponse;
        
        public static void main(String[] args) {
          SecretsManagerClient secretsClient = ...
          MyClass.doSomething(secretsClient, "MY_SERVICE_SECRET");
        }
        
        public static void doSomething(SecretsManagerClient secretsClient, String secretName) {
          GetSecretValueRequest valueRequest = GetSecretValueRequest.builder()
            .secretId(secretName)
            .build();
        
          GetSecretValueResponse valueResponse = secretsClient.getSecretValue(valueRequest);
          String secret = valueResponse.secretString();
          // do something with the secret
          MyClass.callMyService(secret);
        }
        

        Using Azure Key Vault Secret:

        import com.azure.identity.DefaultAzureCredentialBuilder;
        
        import com.azure.security.keyvault.secrets.SecretClient;
        import com.azure.security.keyvault.secrets.SecretClientBuilder;
        import com.azure.security.keyvault.secrets.models.KeyVaultSecret;
        
        public static void main(String[] args) throws InterruptedException, IllegalArgumentException {
          String keyVaultName = System.getenv("KEY_VAULT_NAME");
          String keyVaultUri = "https://" + keyVaultName + ".vault.azure.net";
        
          SecretClient secretClient = new SecretClientBuilder()
            .vaultUrl(keyVaultUri)
            .credential(new DefaultAzureCredentialBuilder().build())
            .buildClient();
        
          MyClass.doSomething(secretClient, "MY_SERVICE_SECRET");
        }
        
        public static void doSomething(SecretClient secretClient, String secretName) {
          KeyVaultSecret retrievedSecret = secretClient.getSecret(secretName);
          String secret = retrievedSecret.getValue(),
        
          // do something with the secret
          MyClass.callMyService(secret);
        }
        

        See

        • OWASP - Top 10 2021 Category A7 - Identification and Authentication Failures
        • OWASP - Top 10 2017 Category A2 - Broken Authentication
        • CWE - CWE-798 - Use of Hard-coded Credentials
        • OWASP - Mobile Top 10 2024 Category M1 - Improper Credential Usage
        • MSC - MSC03-J - Never hard code sensitive information
          Available In:
        • SonarQube IdeCatch issues on the fly,
          in your IDE
        • SonarQube CloudDetect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories
        • SonarQube Community BuildAnalyze code in your
          on-premise CI
          Available Since
          9.5
        • SonarQube ServerAnalyze code in your
          on-premise CI
          Developer Edition
          Available Since
          9.5

        © 2008-2025 SonarSource SA. All rights reserved.

        Privacy Policy | Cookie Policy | Terms of Use