Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarQube for IDE
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarQube Cloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube Server

Secrets
ABAP
Ansible
Apex
AzureResourceManager
C
C#
C++
CloudFormation
COBOL
CSS
Dart
Docker
Flex
Go
HTML
Java
JavaScript
JCL
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Rust
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML

Java static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your JAVA code

Tags

Impact

Clean code attribute

Functions should not be defined with a variable number of arguments
Code Smell
Return values should not be ignored when they contain the operation status code
Bug
Equality operators should not be used in "for" loop termination conditions
Code Smell
Increment (++) and decrement (--) operators should not be used in a method call or mixed with other operators in an expression
Code Smell
Limited dependence should be placed on operator precedence
Code Smell
Literal suffixes should be upper case
Code Smell
Processing persistent unique identifiers is security-sensitive
Security Hotspot
Exposing Java objects through JavaScript interfaces is security-sensitive
Security Hotspot
Methods annotated with "@BeforeTransaction" or "@AfterTransaction" must respect the contract
Code Smell
Methods returning "Page" or "Slice" must take "Pageable" as an input parameter
Code Smell
@EventListener methods should have one parameter at most
Bug
"@Scheduled" annotation should only be applied to no-arg methods
Bug
@InitBinder methods should have void return type
Code Smell
"@Cache*" annotations should only be applied on concrete classes
Code Smell
@Cacheable and @CachePut should not be combined
Code Smell
Injecting data into static fields is not supported by Spring
Code Smell
Use appropriate @DirtiesContext modes
Code Smell
"String.isEmpty()" should be used to test for emptiness
Code Smell
Circular dependencies between classes across packages should be resolved
Code Smell
Server-side requests should not be vulnerable to traversing attacks
Vulnerability
Circular dependencies between classes in the same package should be resolved
Code Smell
Consumed Stream pipelines should not be reused
Bug
Bluetooth should be configured to use low power
Code Smell
Motion Sensor should not use gyroscope
Code Smell
Use when instead of a single if inside a pattern match body
Code Smell
"String.indexOf" should be used with correct ranges
Bug
Use Fused Location to optimize battery power
Code Smell
"Math.clamp" should be used with correct ranges
Bug
Use batch Processing in JDBC
Code Smell
Constant parameters in a "PreparedStatement" should not be set more than once
Code Smell
Virtual threads should not run tasks that include synchronized code
Bug
SQL queries should retrieve only necessary fields
Code Smell
Avoid using "FetchType.EAGER"
Code Smell
"setDaemon", "setPriority" and "getThreadGroup" should not be invoked on virtual threads
Bug
High frame rates should not be used
Code Smell
Exact alarms should not be abused
Code Smell
Proper Sensor Resource Management
Code Smell
Use built-in "Math.clamp" methods
Code Smell
Virtual threads should be used for tasks that include heavy blocking operations
Bug
Use switch instead of if-else chain to compare a variable against multiple cases
Code Smell
Use record pattern instead of explicit field access
Code Smell
Reverse view should be used instead of reverse copy in read-only cases
Code Smell
Reverse iteration should utilize reversed view
Code Smell
Set appropriate Status Codes on HTTP responses
Bug
Beans in "@Configuration" class should have different names
Bug
SpEL expression should have a valid syntax
Bug
"@PathVariable" annotation should be present if a path variable is used
Bug
"@Bean" methods for Singleton should not be invoked in "@Configuration" when proxyBeanMethods is false
Bug
Superfluous "@ResponseBody" annotations should be removed
Code Smell
"@Controller" should be replaced with "@RestController"
Code Smell
Non-singleton Spring beans should not be injected into singleton beans
Code Smell
"@Qualifier" should not be used on "@Bean" methods
Bug
Bean names should adhere to the naming conventions
Code Smell
"@Autowired" should be used when multiple constructors are provided
Code Smell
"@Autowired" should only be used on a single constructor
Bug
Use of the "@Async" annotation on methods declared within a "@Configuration" class in Spring Boot
Bug
Nullable injected fields and parameters should provide a default value
Bug
Optional REST parameters should have an object type
Code Smell
Field dependency injection should be avoided
Code Smell
Async methods should return void or Future
Bug
Methods with Spring proxy should not be called via "this"
Code Smell
Model attributes should follow the Java identifier naming convention
Bug
"@Value" annotation should inject property or SpEL expression
Code Smell
Redundant nullability annotations should be removed
Code Smell
Accessing files should not lead to filesystem oracle attacks
Vulnerability
The Singleton design pattern should be used with care
Code Smell
Environment variables should not be defined from untrusted input
Vulnerability
Methods should not perform too many tasks (aka Brain method)
Code Smell
Classes should not depend on an excessive number of classes (aka Monster Class)
Code Smell
Hash-based collections with known capacity should be initialized with the proper related static method.
Code Smell
Accessing an array element should not trigger an ArrayIndexOutOfBoundsException
Bug
Credentials should not be hard-coded
Vulnerability
Counter Mode initialization vectors should not be reused
Vulnerability
Hard-coded secrets are security-sensitive
Security Hotspot
Collections should not be modified while they are iterated
Bug
Calls to methods should not trigger an exception
Bug
Types used as keys in Maps should implement Comparable
Code Smell
XML operations should not be vulnerable to injection attacks
Vulnerability
JSON operations should not be vulnerable to injection attacks
Vulnerability
Character classes in regular expressions should not contain only one character
Code Smell
Superfluous curly brace quantifiers should be avoided
Code Smell
Non-capturing groups without quantifier should not be used
Code Smell
Thread suspensions should not be vulnerable to Denial of Service attacks
Vulnerability
Components should not be vulnerable to intent redirection
Vulnerability
XML signatures should be validated securely
Vulnerability
XML parsers should not be vulnerable to Denial of Service attacks
Vulnerability
XML parsers should not load external schemas
Vulnerability
XML parsers should not allow inclusion of arbitrary files
Vulnerability
Enabling file access for WebViews is security-sensitive
Security Hotspot
Enabling JavaScript support for WebViews is security-sensitive
Security Hotspot
Deprecated annotations should include explanations
Code Smell
Regular expression quantifiers and character classes should be used concisely
Code Smell
Constructing arguments of system commands from user input is security-sensitive
Security Hotspot
Regular expressions should not contain empty groups
Code Smell
Regular expressions should not contain multiple spaces
Code Smell
Unsupported methods should not be called on some collection implementations
Bug
Cast operations should not trigger a ClassCastException
Bug
Mobile database encryption keys should not be disclosed
Vulnerability
Using unencrypted files in mobile applications is security-sensitive
Security Hotspot
Using biometric authentication without a cryptographic solution is security-sensitive
Security Hotspot
Using unencrypted databases in mobile applications is security-sensitive
Security Hotspot
Authorizing non-authenticated users to use keys in the Android KeyStore is security-sensitive
Security Hotspot
Applications should not create session cookies from untrusted input
Vulnerability
Using long-term access keys is security-sensitive
Security Hotspot
AWS region should not be set with a hardcoded String
Code Smell
Lambdas should not invoke other lambdas synchronously
Code Smell
Consumer Builders should be used
Code Smell
Reusable resources should be initialized at construction time of Lambda functions
Code Smell
Credentials Provider should be set explicitly when creating a new "AwsClient"
Code Smell
Region should be set explicitly when creating a new "AwsClient"
Code Smell
'serialVersionUID' field should not be set to '0L' in records
Code Smell
Equals method should be overridden in records containing array fields
Bug
Permitted types of a sealed class should be omitted if they are declared in the same file
Code Smell
Reflection should not be used to increase accessibility of records' fields
Bug
Restricted Identifiers should not be used as Identifiers
Code Smell
Local-Variable Type Inference should be used
Code Smell
Custom getter method should not be used to override record's getter behavior
Code Smell
Members ignored during record serialization should not be used
Bug
Comma-separated labels should be used in Switch with colon case
Code Smell
Redundant constructors/methods should be avoided in records
Code Smell
Records should be used instead of ordinary classes when representing immutable data structure
Code Smell
Switch arrow labels should not use redundant keywords
Code Smell
"Stream.toList()" method should be used instead of "collectors" when unmodifiable list needed
Code Smell
Text blocks should not be used in complex expressions
Code Smell
Operator "instanceof" should be used instead of "A.class.isInstance()"
Code Smell
Pattern Matching for "instanceof" operator should be used instead of simple "instanceof" + cast
Code Smell
Reflection should not be vulnerable to injection attacks
Vulnerability
String multiline concatenation should be replaced with Text Blocks
Code Smell
Map "computeIfAbsent()" and "computeIfPresent()" should not be used to add "null" values.
Bug
AssertJ assertions with "Consumer" arguments should contain assertion inside consumers
Bug
Extracting archives should not lead to zip slip vulnerabilities
Vulnerability
Mockito argument matchers should be used on all parameters
Bug
The regex escape sequence \cX should only be used with characters in the @-_ range
Bug
Call to Mockito method "verify", "when" or "given" should be simplified
Code Smell
Single-character alternations in regular expressions should be replaced with character classes
Code Smell
Reluctant quantifiers in regular expressions should be followed by an expression that can't match the empty string
Code Smell
Regex lookahead assertions should not be contradictory
Bug
Back references in regular expressions should only refer to capturing groups that are matched before the reference
Bug
Regular expressions should not overflow the stack
Bug
Regex boundaries should not be used in a way that can never be matched
Bug
Regex patterns following a possessive quantifier should not always fail
Bug
Constructors of an "abstract" class should not be declared "public"
Code Smell
Annotated Mockito objects should be initialized
Bug
Tests should use fixed data instead of randomized data
Code Smell
Similar tests should be grouped in a single Parameterized test
Code Smell
Tests should be stable
Code Smell
Spring's ModelAndViewAssert assertions should be used instead of other assertions
Code Smell
Mocking all non-private methods of a class should be avoided
Code Smell
Tests method should not be annotated with competing annotations
Bug
Test methods should not contain too many assertions
Code Smell
Assertions should not be used in production code
Bug
AssertJ "assertThatThrownBy" should not be used alone
Code Smell
DateTimeFormatters should not use mismatched year and week numbers
Bug
OS commands should not be vulnerable to argument injection attacks
Vulnerability
A new session should be created during user authentication
Vulnerability
Character classes in regular expressions should not contain the same character twice
Code Smell
Unicode Grapheme Clusters should be avoided inside regex character classes
Bug
Unicode-aware versions of character classes should be preferred
Code Smell
Case insensitive Unicode regular expressions should enable the "UNICODE_CASE" flag
Bug
Assertions should not compare an object to itself
Bug
Names of regular expressions named groups should be used
Code Smell
Character classes should be preferred over reluctant quantifiers in regular expressions
Code Smell
Regular expressions should be syntactically valid
Bug
Regex alternatives should not be redundant
Bug
Regexes containing characters subject to normalization should use the CANON_EQ flag
Code Smell
Consecutive AssertJ "assertThat" statements should be chained
Code Smell
Using slow regular expressions is security-sensitive
Security Hotspot
Alternatives in regular expressions should be grouped when used with anchors
Bug
Empty lines should not be tested with regex MULTILINE flag
Code Smell
Assertions comparing incompatible types should not be made
Bug
Regular expressions should not be too complicated
Code Smell
Repeated patterns in regular expressions should not match the empty string
Bug
AssertJ assertions "allMatch" and "doesNotContains" should also test for emptiness
Bug
Chained AssertJ assertions should be simplified to the corresponding dedicated assertion
Code Smell
AssertJ methods setting the assertion context should come before an assertion
Bug
AssertJ configuration should be applied
Bug
Methods setUp() and tearDown() should be correctly annotated starting with JUnit4
Code Smell
JUnit5 test classes and methods should not be silently ignored
Bug
Authorizations should be based on strong decisions
Vulnerability
Allowing user enumeration is security-sensitive
Security Hotspot
Class members annotated with "@VisibleForTesting" should not be accessed from production code
Code Smell
Migrate your tests from JUnit4 to the new JUnit5 annotations
Code Smell
JUnit5 inner test classes should be annotated with @Nested
Bug
JUnit5 test classes and methods should have default package visibility
Code Smell
JUnit assertTrue/assertFalse should be simplified to the corresponding dedicated assertion
Code Smell
Only one method invocation is expected when testing checked exceptions
Bug
Assertion methods should not be used within the try block of a try-catch catching an Error
Bug
Only one method invocation is expected when testing runtime exceptions
Code Smell
Exception testing via JUnit @Test annotation should be avoided
Code Smell
Exception testing via JUnit ExpectedException rule should not be mixed with other assertions
Code Smell
"@Deprecated" code marked for removal should never be used
Code Smell
Allowing requests with excessive content length is security-sensitive
Security Hotspot
Disclosing fingerprints from web application technologies is security-sensitive
Security Hotspot
OpenSAML2 should be configured to prevent authentication bypass
Vulnerability
Vararg method arguments should not be confusing
Code Smell
Escape sequences should not be used in text blocks
Code Smell
Whitespace for text block indent should be consistent
Code Smell
Simple string literal should be used for single line strings
Code Smell
JWT should be signed and verified with strong cipher algorithms
Vulnerability
Lambdas should not have too many lines
Code Smell
Cipher algorithms should be robust
Vulnerability
Encryption algorithms should be used with secure mode and padding scheme
Vulnerability
Server hostnames should be verified during SSL/TLS connections
Vulnerability
Server-side templates should not be vulnerable to injection attacks
Vulnerability
Insecure temporary file creation methods should not be used
Vulnerability
Using publicly writable directories is security-sensitive
Security Hotspot
'List.remove()' should not be used in ascending 'for' loops
Code Smell
Avoid using boxed "Boolean" types directly in boolean expressions
Code Smell
"String#replace" should be preferred to "String#replaceAll"
Code Smell
Passwords should not be stored in plaintext or with a fast hashing algorithm
Vulnerability
Dynamic code execution should not be vulnerable to injection attacks
Vulnerability
Using clear-text protocols is security-sensitive
Security Hotspot
Collection constructors should not be used as java.util.function.Function
Code Smell
Accessing Android external storage is security-sensitive
Security Hotspot
Receiving intents is security-sensitive
Security Hotspot
Broadcasting intents is security-sensitive
Security Hotspot
"ActiveMQConnectionFactory" should not be vulnerable to malicious code deserialization
Vulnerability
"else" statements should be clearly matched with an "if"
Code Smell
Disabling auto-escaping in template engines is security-sensitive
Security Hotspot
Use Java 14 "switch" expression
Code Smell
"ThreadLocal" variables should be cleaned up when no longer used
Bug
NoSQL operations should not be vulnerable to injection attacks
Vulnerability
HTTP request redirections should not be open to forging attacks
Vulnerability
Logging should not be vulnerable to injection attacks
Vulnerability
Server-side requests should not be vulnerable to forging attacks
Vulnerability
Deserialization should not be vulnerable to injection attacks
Vulnerability
Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks
Vulnerability
"Bean Validation" (JSR 380) should be properly configured
Code Smell
Having a permissive Cross-Origin Resource Sharing policy is security-sensitive
Security Hotspot
Expanding archive files without controlling resource consumption is security-sensitive
Security Hotspot
Type parameters should not shadow other type parameters
Code Smell
Strings and Boxed types should be compared using "equals()"
Bug
Derived exceptions should not hide their parents' catch blocks
Code Smell
The upper bound of type variables and wildcards should not be "final"
Code Smell
"read(byte[],int,int)" should be overridden
Code Smell
"serialVersionUID" should not be declared blindly
Code Smell
"Class.forName()" should not load JDBC 4.0+ drivers
Code Smell
An iteration on a Collection should be performed on the type handled by the Collection
Code Smell
Server certificates should be verified during SSL/TLS connections
Vulnerability
Configuring loggers is security-sensitive
Security Hotspot
Using weak hashing algorithms is security-sensitive
Security Hotspot
Java features should be preferred to Guava
Code Smell
"StandardCharsets" constants should be preferred
Code Smell
Persistent entities should not be used as arguments of "@RequestMapping" methods
Vulnerability
"@CheckForNull" or "@Nullable" should not be used on primitive types
Code Smell
String offset-based methods should be preferred for finding substrings from offsets
Code Smell
Spring beans should be considered by "@ComponentScan"
Code Smell
"@EnableAutoConfiguration" should be fine-tuned
Code Smell
"@SpringBootApplication" and "@ComponentScan" should not be used in the default package
Bug
"HttpSecurity" URL patterns should be correctly ordered
Vulnerability
Enum values should be compared with "=="
Code Smell
Using unsafe Jackson deserialization configuration is security-sensitive
Security Hotspot
"default" clauses should be last
Code Smell
InputSteam.read() implementation should not return a signed byte
Bug
Setting JavaBean properties is security-sensitive
Security Hotspot
Delivering code in production with debug features activated is security-sensitive
Security Hotspot
Disabling CSRF protections is security-sensitive
Security Hotspot
Composed "@RequestMapping" variants should be preferred
Code Smell
"equals" method parameters should not be marked "@Nonnull"
Code Smell
Nullness of parameters should be guaranteed
Code Smell
Allowing deserialization of LDAP objects is security-sensitive
Security Hotspot
LDAP connections should be authenticated
Vulnerability
Cryptographic keys should be robust
Vulnerability
"Integer.toHexString" should not be used to build hexadecimal strings
Code Smell
Weak SSL/TLS protocols should not be used
Vulnerability
"compareTo" should not be overloaded
Bug
"write(byte[],int,int)" should be overridden
Code Smell
"iterator" should not return "this"
Bug
Secure random number generators should not output predictable values
Vulnerability
Spring components should use constructor injection
Code Smell
Functional Interfaces should be as specialised as possible
Code Smell
Getters and setters should access the expected fields
Bug
Asserts should not be used to check the parameters of a public method
Code Smell
"Stream.collect()" calls should not be redundant
Code Smell
Regex patterns should not be created needlessly
Code Smell
Null checks should not be used with "instanceof"
Code Smell
Local constants should follow naming conventions for constants
Code Smell
Assignments should not be redundant
Code Smell
Methods should not have identical implementations
Code Smell
Map values should not be replaced unconditionally
Bug
"close()" calls should not be redundant
Code Smell
"ThreadLocal.withInitial" should be preferred
Code Smell
"java.nio.Files#delete" should be preferred
Code Smell
Searching OS commands in PATH is security-sensitive
Security Hotspot
"Stream" call chains should be simplified when possible
Code Smell
Packages containing only "package-info.java" should be removed
Code Smell
Track uses of disallowed constructors
Code Smell
Week Year ("YYYY") should not be used for date formatting
Bug
Unused "private" classes should be removed
Code Smell
Exceptions should not be created without being thrown
Bug
Collection sizes and array length comparisons should make sense
Bug
A conditionally executed single line should be denoted by indentation
Code Smell
Conditionals should start on new lines
Code Smell
Consumed Stream pipelines should not be reused
Bug
Intermediate Stream methods should not be left unused
Bug
Number patterns should be regular
Code Smell
All branches in a conditional structure should not have exactly the same implementation
Bug
Arrays should not be created for varargs parameters
Code Smell
"Stream.peek" should be used with caution
Code Smell
"Map.get" and value test should be replaced with single method call
Code Smell
Cognitive Complexity of methods should not be too high
Code Smell
"@Controller" classes that use "@SessionAttributes" must call "setComplete" on their "SessionStatus" objects
Bug
Allowing both safe and unsafe HTTP methods is security-sensitive
Security Hotspot
"@RequestMapping" methods should not be "private"
Code Smell
Spring "@Controller" classes should not use "@Scope"
Bug
Members of Spring components should be injected
Code Smell
Raw types should not be used
Code Smell
Java 8's "Files.exists" should not be used
Code Smell
Track uses of disallowed classes
Code Smell
Unit tests should throw exceptions
Code Smell
Optional value should only be accessed after calling isPresent()
Bug
Database queries should not be vulnerable to injection attacks
Vulnerability
"Arrays.stream" should be used for primitive arrays
Code Smell
Jump statements should not be redundant
Code Smell
Double Brace Initialization should not be used
Bug
Test methods should comply with a naming convention
Code Smell
Test classes should comply with a naming convention
Code Smell
"Optional" should not be used for parameters
Code Smell
Overrides should match their parent class methods in synchronization
Bug
Custom resources should be closed
Bug
Zero should not be a possible denominator
Bug
Methods returns should not be invariant
Code Smell
Format strings should be used correctly
Code Smell
Value-based objects should not be serialized
Code Smell
Value-based classes should not be used for locking
Bug
Loggers should be named for their enclosing classes
Code Smell
Assertion arguments should be passed in the correct order
Code Smell
Tests should be kept in a dedicated source directory
Code Smell
Methods should not return constants
Code Smell
"private" methods called only by inner classes should be moved to those classes
Code Smell
"this" should not be exposed from constructors
Code Smell
Ternary operators should not be nested
Code Smell
Expressions used in "assert" should not produce side effects
Bug
Creating cookies without the "HttpOnly" flag is security-sensitive
Security Hotspot
Cipher Block Chaining IVs should be unpredictable
Vulnerability
Constructor injection should be used instead of field injection
Bug
Factory method injection should be used in "@Configuration" classes
Code Smell
Default annotation parameter values should not be passed as arguments
Code Smell
"static" base class members should not be accessed via derived types
Code Smell
Method parameters should be declared with base types
Code Smell
"volatile" variables should not be used with compound operators
Bug
Non-primitive fields should not be "volatile"
Bug
"getClass" should not be used for synchronization
Bug
"enum" fields should not be publicly mutable
Code Smell
Min and max used in combination should not always return the same value
Bug
Assignment of lazy-initialized members should be the last step with double-checked locking
Bug
Fields should not be initialized to default values
Code Smell
Multiple loops over the same set should be combined
Code Smell
"wait" should not be called when multiple locks are held
Bug
"writeObject" should not be the only "synchronized" code in a class
Code Smell
Indexes to passed to "String" operations should be within the string's bounds
Bug
Abstract methods should not be redundant
Code Smell
Raw byte values should not be used in bitwise operations in combination with shifts
Bug
JEE applications should not "getClassLoader"
Bug
Classes should not have too many "static" imports
Code Smell
"Collection.toArray()" should be passed an array of the proper type
Bug
"ThreadGroup" should not be used
Code Smell
Arrays and lists should not be copied using loops
Code Smell
Reflection should not be used to increase accessibility of classes, methods, or fields
Code Smell
Static fields should not be updated in constructors
Code Smell
Static non-final field names should comply with a naming convention
Code Smell
"clone" should not be overridden
Code Smell
Classes without "public" constructors should be "final"
Code Smell
Escaped Unicode characters should not be used
Code Smell
Inner classes should not have too many lines of code
Code Smell
Assertions should be complete
Code Smell
Unnecessary semicolons should be omitted
Code Smell
"Thread.sleep" should not be used in tests
Code Smell
JUnit rules should be used
Code Smell
Getters and setters should be synchronized in pairs
Bug
Non-thread-safe fields should not be static
Bug
"entrySet()" should be iterated when both the key and value are needed
Code Smell
"null" should not be used with "Optional"
Bug
Nested "enum"s should not be declared static
Code Smell
Unary prefix operators should not be repeated
Bug
Non-existent operators like "=+" should not be used
Bug
XML parsers should not be vulnerable to XXE attacks
Vulnerability
"catch" clauses should do more than rethrow
Code Smell
"DateUtils.truncate" from Apache Commons Lang library should not be used
Code Smell
Literal boolean values and nulls should not be used in assertions
Code Smell
Tests should include assertions
Code Smell
Test assertions should include messages
Code Smell
Instance methods should not write to "static" fields
Code Smell
"PreparedStatement" and "ResultSet" methods should be called with valid indices
Bug
Inner classes which do not reference their owning classes should be "static"
Code Smell
Threads should not be started in constructors
Code Smell
"indexOf" checks should not be for positive numbers
Code Smell
Files opened in append mode should not be used with "ObjectOutputStream"
Bug
Multiline blocks should be enclosed in curly braces
Code Smell
"read" and "readLine" return values should be used
Bug
"Math.abs" and negation should not be used on numbers that could be "MIN_VALUE"
Bug
"readObject" should not be "synchronized"
Code Smell
The value returned from a stream read should be checked
Bug
Classes should not be loaded dynamically
Vulnerability
Basic authentication should not be used
Vulnerability
Inappropriate regular expressions should not be used
Bug
Method overrides should not change contracts
Code Smell
"@NonNull" values should not be set to null
Bug
Regular expressions should not be vulnerable to Denial of Service attacks
Vulnerability
"Preconditions" and logging arguments should not require evaluation
Code Smell
Setting loose POSIX file permissions is security-sensitive
Security Hotspot
Boolean expressions should not be gratuitous
Code Smell
Conditionally executed code should be reachable
Bug
Whitespace and control characters in literals should be explicit
Code Smell
"null" should not be returned from a "Boolean" method
Code Smell
"notifyAll()" should be preferred over "notify()"
Bug
Blocks should be synchronized on "private final" fields
Bug
Lazy initialization of "static" fields should be "synchronized"
Code Smell
Synchronizing on a "Lock" object should be avoided
Code Smell
Non-serializable objects should not be stored in "javax.servlet.http.HttpSession" instances
Bug
Classes with only "static" methods should not be instantiated
Code Smell
"Thread" should not be used where a "Runnable" argument is expected
Code Smell
Unnecessary bit operations should not be performed
Code Smell
Classes should not access their own subclasses during class initialization
Bug
Inner class calls to super class methods should be unambiguous
Code Smell
Child class fields should not shadow parent class fields
Code Smell
Mutable fields should not be "public static"
Code Smell
Private mutable members should not be stored or returned directly
Code Smell
Redundant modifiers should not be used
Code Smell
Unused type parameters should be removed
Code Smell
"private" and "final" methods that don't access instance data should be "static"
Code Smell
Files should not be empty
Code Smell
"deleteOnExit" should not be used
Code Smell
Public methods should not contain selector arguments
Code Smell
The diamond operator ("<>") should be used
Code Smell
"wait(...)" should be used instead of "Thread.sleep(...)" when a lock is held
Bug
Printf-style format strings should not lead to unexpected behavior at runtime
Bug
"Object.wait(...)" and "Condition.await(...)" should be called inside a "while" loop
Code Smell
"Object.wait()", "Object.notify()" and "Object.notifyAll()" should only be called from synchronized code
Bug
"Iterator.next()" methods should throw "NoSuchElementException"
Bug
Java parser failure
Code Smell
Null pointers should not be dereferenced
Bug
Using non-standard cryptographic algorithms is security-sensitive
Security Hotspot
"HttpServletRequest.getRequestedSessionId()" should not be used
Vulnerability
Track uses of disallowed methods
Code Smell
Loop conditions should be true at least once
Bug
A "for" loop update clause should move the counter in the right direction
Bug
Collection methods with O(n) performance should be used carefully
Code Smell
Using pseudorandom number generators (PRNGs) is security-sensitive
Security Hotspot
Methods "wait(...)", "notify()" and "notifyAll()" should not be called on Thread instances
Bug
"IllegalMonitorStateException" should not be caught
Code Smell
Parameters should be passed in the correct order
Code Smell
"ResultSet.isLast()" should not be used
Code Smell
Methods with Spring proxying annotations should be public
Bug
Methods should not call same-class methods with incompatible "@Transactional" values
Bug
Servlets should not have mutable instance fields
Bug
"toString()" and "clone()" methods should not return null
Bug
Locks should be released on all paths
Bug
"Exception" should not be caught when not required by called methods
Code Smell
Types should be used in lambdas
Code Smell
"static" members should be accessed statically
Code Smell
Wildcard imports should not be used
Code Smell
".equals()" should not be used to test the values of "Atomic" classes
Bug
"collect" should be used with "Streams" instead of "list::add"
Code Smell
Return values from functions without side effects should not be ignored
Bug
"compareTo" results should not be checked for specific values
Bug
Modulus results should not be checked for direct equality
Code Smell
Switches should be used for sequences of simple "String" tests
Code Smell
Recursion should not be infinite
Bug
Loops should not be infinite
Bug
JUnit test cases should call super methods
Code Smell
TestCases should contain tests
Code Smell
JUnit assertions should not be used in "run" methods
Code Smell
Do not perform unnecessary mathematical operations
Code Smell
Math operands should be cast before assignment
Bug
Ints and longs should not be shifted by zero or more than their number of bits-1
Bug
Short-circuit logic should be used in boolean contexts
Code Smell
Child class methods named for parent class methods should be overrides
Bug
Class names should not shadow interfaces or superclasses
Code Smell
Inappropriate "Collection" calls should not be made
Bug
Double-checked locking should not be used
Bug
"compareTo" should not return "Integer.MIN_VALUE"
Bug
Classes named like "Exception" should extend "Exception" or a subclass
Code Smell
"finalize" should not set fields to "null"
Code Smell
Math should not be performed on floats
Bug
"equals" methods should be symmetric and work for subclasses
Bug
Subclasses that add fields to classes that override "equals" should also override "equals"
Code Smell
Unnecessary equality checks should not be made
Bug
"Cloneables" should implement "clone"
Code Smell
"final" classes should not have "protected" members
Code Smell
Dissimilar primitive wrappers should not be used with the ternary operator without explicit casting
Bug
Unnecessary boxing and unboxing should be avoided
Bug
"runFinalizersOnExit" should not be called
Bug
Underscores should be used to make large numbers readable
Code Smell
Catches should be combined
Code Smell
"java.time" classes should be used for dates and times
Code Smell
"InterruptedException" and "ThreadDeath" should not be ignored
Bug
Classes that don't define "hashCode()" should not be used in hashes
Bug
Methods of "Random" that return floating point values should not be used in random integer generation
Code Smell
Exceptions should be either logged or rethrown but not both
Code Smell
Classes extending java.lang.Thread should provide a specific "run" behavior
Bug
Objects should not be created only to invoke "getClass"
Code Smell
Primitives should not be boxed just for "String" conversion
Code Smell
Parsing should be used to convert "Strings" to primitives
Code Smell
Constructors should not be used to instantiate "String", "BigInteger", "BigDecimal" and primitive-wrapper classes
Code Smell
"Double.longBitsToDouble" should take "long" as argument
Bug
Values should not be uselessly incremented
Bug
"ScheduledThreadPoolExecutor" should not have 0 core threads
Bug
String operations with predictable outcomes should be avoided
Bug
"Random" objects should be reused
Bug
"writeObject" argument must implement "Serializable"
Bug
"hashCode" and "toString" should not be called on array instances
Bug
A secure password should be used when connecting to a database
Vulnerability
Collections should not be passed as arguments to their own methods
Bug
"URL.hashCode" and "URL.equals" should be avoided
Code Smell
"BigDecimal(double)" should not be used
Bug
Invalid "Date" values should not be used
Bug
Reflection should not be used to check non-runtime annotations
Bug
"equals(Object obj)" should test the argument's type
Bug
"main" should not "throw" anything
Code Smell
Resources should be closed
Bug
Classes should not be empty
Code Smell
Try-with-resources should be used
Code Smell
Creating cookies without the "secure" flag is security-sensitive
Security Hotspot
XPath expressions should not be vulnerable to injection attacks
Vulnerability
I/O function calls should not be vulnerable to path injection attacks
Vulnerability
LDAP queries should not be vulnerable to injection attacks
Vulnerability
Formatting SQL queries is security-sensitive
Security Hotspot
OS commands should not be vulnerable to command injection attacks
Vulnerability
Hard-coded passwords are security-sensitive
Security Hotspot
"Serializable" inner classes of non-serializable outer classes should be "static"
Bug
Fields in non-serializable classes should not be "transient"
Code Smell
Comparators should be "Serializable"
Code Smell
"readResolve" methods should be inheritable
Code Smell
Custom serialization methods should have required signatures
Bug
"Externalizable" classes should have no-arguments constructors
Bug
"Serializable" inner classes of "Serializable" classes should be static
Code Smell
"Serializable" classes should have a "serialVersionUID"
Code Smell
The non-serializable super class of a "Serializable" class should have a no-argument constructor
Bug
Password hashing functions should use an unpredictable salt
Vulnerability
The names of methods with boolean return values should start with "is" or "has"
Code Smell
Member variable visibility should be specified
Code Smell
Files should contain only one top-level class or interface each
Code Smell
"for" loop increment clauses should modify the loops' counters
Code Smell
Exceptions should not be thrown from servlet methods
Vulnerability
Fields in a "Serializable" class should either be transient or serializable
Code Smell
Classes and methods that rely on the default system encoding should not be used
Code Smell
Simple class names should be used
Code Smell
Variables should not be declared before they are relevant
Code Smell
Boolean checks should not be inverted
Code Smell
Extensions and implementations should not be redundant
Code Smell
Redundant casts should not be used
Code Smell
"@Deprecated" code should not be used
Code Smell
Classes should not be compared by name
Bug
Two branches in a conditional structure should not have exactly the same implementation
Code Smell
Related "if/else if" statements should not have the same condition
Bug
Synchronization should not be done on instances of value-based classes
Bug
"toString()" should never be called on a String object
Code Smell
Unused assignments should be removed
Code Smell
"Iterator.hasNext()" should not call "Iterator.next()"
Bug
Methods and field names should not be the same or differ only by capitalization
Code Smell
"Object.wait" should not be called on objects that implement "java.util.concurrent.locks.Condition"
Code Smell
"switch" statements and expressions should not be nested
Code Smell
Classes should not have too many fields
Code Smell
The ternary operator should not be used
Code Smell
Identical expressions should not be used on both sides of a binary operator
Bug
Loops with at most one iteration should be refactored
Bug
Standard functional interfaces should not be redefined
Code Smell
Annotation repetitions should not be wrapped
Code Smell
A field should not duplicate the name of its containing class
Code Smell
Constructors should only call non-overridable methods
Code Smell
"==" and "!=" should not be used when "equals" is overridden
Code Smell
"NullPointerException" should not be caught
Code Smell
"NullPointerException" should not be explicitly thrown
Code Smell
An abstract class should have both abstract and concrete methods
Code Smell
Multiple variables should not be declared on the same line
Code Smell
Variables should not be self-assigned
Bug
Strings should not be concatenated using '+' in a loop
Code Smell
Sets with elements that are enum values should be replaced with EnumSet
Code Smell
Maps with keys that are enum values should use the EnumMap implementation
Code Smell
Lambdas should be replaced with method references
Code Smell
Parentheses should be removed from a single lambda parameter when its type is inferred
Code Smell
Abstract classes without fields should be converted to interfaces
Code Smell
JUnit4 @Ignored and JUnit5 @Disabled annotations should be used to disable tests and should provide a rationale
Code Smell
Anonymous inner classes containing only one method should become lambdas
Code Smell
Lambdas containing only one statement should not nest this statement in a block
Code Smell
Package declaration should match source file directory
Code Smell
"Collections.EMPTY_LIST", "EMPTY_MAP", and "EMPTY_SET" should not be used
Code Smell
Methods should not be too complex
Code Smell
Local variables should not be declared and then immediately returned or thrown
Code Smell
Unused local variables should be removed
Code Smell
"switch" statements should not have too many "case" clauses
Code Smell
Generic wildcard types should not be used in return types
Code Smell
Track lack of copyright and license headers
Code Smell
Private fields only used as local variables in methods should become local variables
Code Smell
String operations should not rely on the default system locale
Code Smell
Classes should not have too many methods
Code Smell
"public static" fields should be constant
Code Smell
Comments should not be located at the end of lines of code
Code Smell
Methods should not have too many lines
Code Smell
Loops should not contain more than a single "break" or "continue" statement
Code Smell
Control flow statements "if", "for", "while", "switch" and "try" should not be nested too deeply
Code Smell
Declarations should use Java collection interfaces such as "List" rather than specific implementation classes such as "LinkedList"
Code Smell
"StringBuilder" and "StringBuffer" should not be instantiated with a character
Bug
Track uses of "CHECKSTYLE:OFF" suppression comments
Code Smell
Octal values should not be used
Code Smell
Using hardcoded IP addresses is security-sensitive
Security Hotspot
Loggers should be "private static final" and should share a naming convention
Code Smell
Track uses of "NOPMD" suppression comments
Code Smell
"switch" statements should have "default" clauses
Code Smell
Track uses of "@SuppressWarnings" annotations
Code Smell
"switch" statements should have at least 3 "case" clauses
Code Smell
Track uses of "NOSONAR" comments
Code Smell
Switch cases should end with an unconditional "break" statement
Code Smell
"for" loop stop conditions should be invariant
Code Smell
A "while" loop should be used instead of a "for" loop
Code Smell
"if ... else if" constructs should end with "else" clauses
Code Smell
Classes and enums with private members should have a constructor
Code Smell
Sections of code should not be commented out
Code Smell
Floating point numbers should not be tested for equality
Bug
Track comments matching a regular expression
Code Smell
Packages should have a javadoc file 'package-info.java'
Code Smell
Method parameters, caught exceptions and foreach variables' initial values should not be ignored
Bug
Non-constructor methods should not have the same name as the enclosing class
Code Smell
Methods should not be named "tostring", "hashcode" or "equal"
Bug
The default unnamed package should not be used
Code Smell
Statements should be on separate lines
Code Smell
"switch" statements should not contain non-case labels
Code Smell
"Thread.run()" should not be called directly
Bug
Execution of the Garbage Collector should be triggered only by the JVM
Code Smell
Interfaces should not solely consist of constants
Code Smell
The members of an interface or class declaration should appear in a pre-defined order
Code Smell
"equals(Object obj)" should be overridden along with the "compareTo(T obj)" method
Code Smell
Control structures should use curly braces
Code Smell
"equals(Object obj)" and "hashCode()" should be overridden in pairs
Bug
"equals" method overrides should accept "Object" parameters
Bug
Classes should not be coupled to too many other classes
Code Smell
Package names should comply with a naming convention
Code Smell
Nested code blocks should not be used
Code Smell
Array designators "[]" should be on the type, not the variable
Code Smell
Array designators "[]" should be located after the type in method signatures
Code Smell
"java.lang.Error" should not be extended
Code Smell
Exception types should not be tested using "instanceof" in catch blocks
Code Smell
String literals should not be duplicated
Code Smell
Classes from "sun.*" packages should not be used
Code Smell
Future keywords should not be used as names
Code Smell
Type parameter names should comply with a naming convention
Code Smell
Anonymous classes should not have too many lines
Code Smell
Methods should not be empty
Code Smell
Overriding methods should do more than simply call the same method in the super class
Code Smell
Classes that override "clone" should be "Cloneable" and call "super.clone()"
Code Smell
Throwable and Error should not be caught
Code Smell
Abstract class names should comply with a naming convention
Code Smell
Public types, methods and fields (API) should be documented with Javadoc
Code Smell
The signature of "finalize()" should match that of "Object.finalize()"
Bug
"Object.finalize()" should remain protected (versus public) when overriding
Code Smell
Unused method parameters should be removed
Code Smell
Only static class initializers should be used
Code Smell
Public constants and fields initialized at declaration should be "static final" rather than merely "final"
Code Smell
Local variable and method parameter names should comply with a naming convention
Code Smell
Empty arrays and collections should be returned instead of null
Code Smell
Exception handlers should preserve the original exceptions
Code Smell
Exception classes should have final fields
Code Smell
Exceptions should not be thrown in finally blocks
Code Smell
Checked exceptions should not be thrown
Code Smell
"@Override" should be used on overriding and implementing methods
Code Smell
Public methods should throw at most one checked exception
Code Smell
Field names should comply with a naming convention
Code Smell
Primitive wrappers should not be instantiated only for "toString" or "compareTo" calls
Code Smell
Case insensitive string comparisons should be made without intermediate upper or lower casing
Code Smell
"Collection.isEmpty()" should be used to test for emptiness
Code Smell
"String.valueOf()" should not be appended to a "String"
Code Smell
"switch case" clauses should not have too many lines of code
Code Smell
"Enumeration" should not be implemented
Code Smell
Constant names should comply with a naming convention
Code Smell
Synchronized classes "Vector", "Hashtable", "Stack" and "StringBuffer" should not be used
Code Smell
Exit methods should not be called
Code Smell
Unused "private" methods should be removed
Code Smell
Jump statements should not occur in "finally" blocks
Bug
Methods should not have too many return statements
Code Smell
Try-catch blocks should not be nested
Code Smell
Interface names should comply with a naming convention
Code Smell
Track uses of "TODO" tags
Code Smell
Track uses of "FIXME" tags
Code Smell
Deprecated code should be removed
Code Smell
Strings literals should be placed on the left side when checking for equality
Code Smell
Exceptions in "throws" clauses should not be superfluous
Code Smell
Files should end with a newline
Code Smell
Unnecessary imports should be removed
Code Smell
Return of boolean expressions should not be wrapped into an "if-then-else" statement
Code Smell
Boolean literals should not be redundant
Code Smell
Modifiers should be declared in the correct order
Code Smell
Deprecated elements should have both the annotation and the Javadoc tag
Code Smell
Assignments should not be made from within sub-expressions
Code Smell
Source code should be indented consistently
Code Smell
Generic exceptions should never be thrown
Code Smell
Labels should not be used
Code Smell
Utility classes should not have public constructors
Code Smell
Local variables should not shadow class fields
Code Smell
Empty statements should be removed
Code Smell
"super.finalize()" should be called at the end of "Object.finalize()" implementations
Bug
The "Object.finalize()" method should not be overridden
Code Smell
The "Object.finalize()" method should not be called
Bug
Redundant pairs of parentheses should be removed
Code Smell
A close curly brace should be located at the beginning of a line
Code Smell
Close curly brace and the next "else", "catch" and "finally" keywords should be on two different lines
Code Smell
Close curly brace and the next "else", "catch" and "finally" keywords should be located on the same line
Code Smell
An open curly brace should be located at the beginning of a line
Code Smell
An open curly brace should be located at the end of a line
Code Smell
Class variable fields should not have public accessibility
Code Smell
Inheritance tree of classes should not be too deep
Code Smell
Magic numbers should not be used
Code Smell
Nested blocks of code should not be left empty
Code Smell
URIs should not be hardcoded
Code Smell
Methods should not have too many parameters
Code Smell
Unused "private" fields should be removed
Code Smell
Expressions should not be too complex
Code Smell
Mergeable "if" statements should be combined
Code Smell
Unused labels should be removed
Code Smell
Standard outputs should not be used directly to log anything
Code Smell
Tabulation characters should not be used
Code Smell
Files should not have too many lines of code
Code Smell
Lines should not be too long
Code Smell
Class names should comply with a naming convention
Code Smell
Method names should comply with a naming convention
Code Smell

Hard-coded secrets are security-sensitive

responsibility - trustworthy

security

Security Hotspot

cwe
cert

Because it is easy to extract strings from an application source code or binary, secrets should not be hard-coded. This is particularly true for applications that are distributed or that are open-source.

In the past, it has led to the following vulnerabilities:

CVE-2022-25510
CVE-2021-42635

Secrets should be stored outside of the source code in a configuration file or a management service for secrets.

This rule detects variables/fields having a name matching a list of words (secret, token, credential, auth, api[_.-]?key) being assigned a pseudorandom hard-coded value. The pseudorandomness of the hard-coded value is based on its entropy and the probability to be human-readable. The randomness sensibility can be adjusted if needed. Lower values will detect less random values, raising potentially more false positives.

Ask Yourself Whether

The secret allows access to a sensitive component like a database, a file storage, an API, or a service.
The secret is used in a production environment.
Application re-distribution is required before updating the secret.

There would be a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Store the secret in a configuration file that is not pushed to the code repository.
Use your cloud provider’s service for managing secrets.
If a secret has been disclosed through the source code: revoke it and create a new one.

Sensitive Code Example

private static final String MY_SECRET = "47828a8dd77ee1eb9dde2d5e93cb221ce8c32b37";

public static void main(String[] args) {
  MyClass.callMyService(MY_SECRET);
}

Compliant Solution

Using AWS Secrets Manager:

import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueResponse;

public static void main(String[] args) {
  SecretsManagerClient secretsClient = ...
  MyClass.doSomething(secretsClient, "MY_SERVICE_SECRET");
}

public static void doSomething(SecretsManagerClient secretsClient, String secretName) {
  GetSecretValueRequest valueRequest = GetSecretValueRequest.builder()
    .secretId(secretName)
    .build();

  GetSecretValueResponse valueResponse = secretsClient.getSecretValue(valueRequest);
  String secret = valueResponse.secretString();
  // do something with the secret
  MyClass.callMyService(secret);
}

Using Azure Key Vault Secret:

import com.azure.identity.DefaultAzureCredentialBuilder;

import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;

public static void main(String[] args) throws InterruptedException, IllegalArgumentException {
  String keyVaultName = System.getenv("KEY_VAULT_NAME");
  String keyVaultUri = "https://" + keyVaultName + ".vault.azure.net";

  SecretClient secretClient = new SecretClientBuilder()
    .vaultUrl(keyVaultUri)
    .credential(new DefaultAzureCredentialBuilder().build())
    .buildClient();

  MyClass.doSomething(secretClient, "MY_SERVICE_SECRET");
}

public static void doSomething(SecretClient secretClient, String secretName) {
  KeyVaultSecret retrievedSecret = secretClient.getSecret(secretName);
  String secret = retrievedSecret.getValue(),

  // do something with the secret
  MyClass.callMyService(secret);
}

See

OWASP - Top 10 2021 Category A7 - Identification and Authentication Failures
OWASP - Top 10 2017 Category A2 - Broken Authentication
CWE - CWE-798 - Use of Hard-coded Credentials
MSC - MSC03-J - Never hard code sensitive information

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

Available Since
9.5

Analyze code in your
on-premise CI

Developer Edition
Available Since
9.5

© 2008-2025 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Sonar helps developers write Clean Code.
Privacy Policy | Cookie Policy | Terms of Use

In-IDE

SaaS

Self-Hosted