SonarSource Rules
  • Products

    In-IDE

    Code Quality and Security in your IDE with SonarQube Ide

    IDE extension that lets you fix coding issues before they exist!

    Discover SonarQube for IDE

    SaaS

    Code Quality and Security in the cloud with SonarQube Cloud

    Setup is effortless and analysis is automatic for most languages

    Discover SonarQube Cloud

    Self-Hosted

    Code Quality and Security Self-Hosted with SonarQube Server

    Fast, accurate analysis; enterprise scalability

    Discover SonarQube Server
  • SecretsSecrets
  • ABAPABAP
  • AnsibleAnsible
  • ApexApex
  • AzureResourceManagerAzureResourceManager
  • CC
  • C#C#
  • C++C++
  • CloudFormationCloudFormation
  • COBOLCOBOL
  • CSSCSS
  • DartDart
  • DockerDocker
  • FlexFlex
  • GitHub ActionsGitHub Actions
  • GoGo
  • HTMLHTML
  • JavaJava
  • JavaScriptJavaScript
  • JSONJSON
  • JCLJCL
  • KotlinKotlin
  • KubernetesKubernetes
  • Objective CObjective C
  • PHPPHP
  • PL/IPL/I
  • PL/SQLPL/SQL
  • PythonPython
  • RPGRPG
  • RubyRuby
  • RustRust
  • ScalaScala
  • ShellShell
  • SwiftSwift
  • TerraformTerraform
  • TextText
  • TypeScriptTypeScript
  • T-SQLT-SQL
  • VB.NETVB.NET
  • VB6VB6
  • XMLXML
  • YAMLYAML
Java

Java static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your JAVA code

  • All rules 733
  • Vulnerability60
  • Bug175
  • Security Hotspot40
  • Code Smell458

  • Quick Fix 65
Filtered: 110 rules found
cert
    Impact
      Clean code attribute
        1. Functions should not be defined with a variable number of arguments

           Code Smell
        2. Return values should not be ignored when they contain the operation status code

           Bug
        3. Equality operators should not be used in "for" loop termination conditions

           Code Smell
        4. Increment (++) and decrement (--) operators should not be used in a method call or mixed with other operators in an expression

           Code Smell
        5. Limited dependence should be placed on operator precedence

           Code Smell
        6. Literal suffixes should be upper case

           Code Smell
        7. Hard-coded secrets are security-sensitive

           Security Hotspot
        8. "@Deprecated" code marked for removal should never be used

           Code Smell
        9. Expanding archive files without controlling resource consumption is security-sensitive

           Security Hotspot
        10. Strings and Boxed types should be compared using "equals()"

           Bug
        11. Server certificates should be verified during SSL/TLS connections

           Vulnerability
        12. Setting JavaBean properties is security-sensitive

           Security Hotspot
        13. Secure random number generators should not output predictable values

           Vulnerability
        14. Overrides should match their parent class methods in synchronization

           Bug
        15. Zero should not be a possible denominator

           Bug
        16. Format strings should be used correctly

           Code Smell
        17. "this" should not be exposed from constructors

           Code Smell
        18. Expressions used in "assert" should not produce side effects

           Bug
        19. "volatile" variables should not be used with compound operators

           Bug
        20. Non-primitive fields should not be "volatile"

           Bug
        21. "getClass" should not be used for synchronization

           Bug
        22. Assignment of lazy-initialized members should be the last step with double-checked locking

           Bug
        23. Raw byte values should not be used in bitwise operations in combination with shifts

           Bug
        24. "ThreadGroup" should not be used

           Code Smell
        25. Reflection should not be used to increase accessibility of classes, methods, or fields

           Code Smell
        26. Getters and setters should be synchronized in pairs

           Bug
        27. Threads should not be started in constructors

           Code Smell
        28. Multiline blocks should be enclosed in curly braces

           Code Smell
        29. The value returned from a stream read should be checked

           Bug
        30. "@NonNull" values should not be set to null

           Bug
        31. Setting loose POSIX file permissions is security-sensitive

           Security Hotspot
        32. Conditionally executed code should be reachable

           Bug
        33. "null" should not be returned from a "Boolean" method

           Code Smell
        34. "notifyAll()" should be preferred over "notify()"

           Bug
        35. Blocks should be synchronized on "private final" fields

           Bug
        36. Synchronizing on a "Lock" object should be avoided

           Code Smell
        37. Classes should not access their own subclasses during class initialization

           Bug
        38. Mutable fields should not be "public static"

           Code Smell
        39. Private mutable members should not be stored or returned directly

           Code Smell
        40. "wait(...)" should be used instead of "Thread.sleep(...)" when a lock is held

           Bug
        41. Printf-style format strings should not lead to unexpected behavior at runtime

           Bug
        42. "Object.wait(...)" and "Condition.await(...)" should be called inside a "while" loop

           Code Smell
        43. Null pointers should not be dereferenced

           Bug
        44. A "for" loop update clause should move the counter in the right direction

           Bug
        45. Servlets should not have mutable instance fields

           Bug
        46. "toString()" and "clone()" methods should not return null

           Bug
        47. Return values from functions without side effects should not be ignored

           Bug
        48. Modulus results should not be checked for direct equality

           Code Smell
        49. Loops should not be infinite

           Bug
        50. Math operands should be cast before assignment

           Bug
        51. Short-circuit logic should be used in boolean contexts

           Code Smell
        52. Inappropriate "Collection" calls should not be made

           Bug
        53. Double-checked locking should not be used

           Bug
        54. Math should not be performed on floats

           Bug
        55. "equals" methods should be symmetric and work for subclasses

           Bug
        56. Unnecessary equality checks should not be made

           Bug
        57. "runFinalizersOnExit" should not be called

           Bug
        58. "BigDecimal(double)" should not be used

           Bug
        59. Resources should be closed

           Bug
        60. Try-with-resources should be used

           Code Smell
        61. XPath expressions should not be vulnerable to injection attacks

           Vulnerability
        62. LDAP queries should not be vulnerable to injection attacks

           Vulnerability
        63. Formatting SQL queries is security-sensitive

           Security Hotspot
        64. Hard-coded passwords are security-sensitive

           Security Hotspot
        65. "Serializable" inner classes of non-serializable outer classes should be "static"

           Bug
        66. Custom serialization methods should have required signatures

           Bug
        67. "Serializable" inner classes of "Serializable" classes should be static

           Code Smell
        68. "Serializable" classes should have a "serialVersionUID"

           Code Smell
        69. Exceptions should not be thrown from servlet methods

           Vulnerability
        70. Classes and methods that rely on the default system encoding should not be used

           Code Smell
        71. "@Deprecated" code should not be used

           Code Smell
        72. Classes should not be compared by name

           Bug
        73. Related "if/else if" statements should not have the same condition

           Bug
        74. Synchronization should not be done on instances of value-based classes

           Bug
        75. Unused assignments should be removed

           Code Smell
        76. Identical expressions should not be used on both sides of a binary operator

           Bug
        77. Constructors should only call non-overridable methods

           Code Smell
        78. "==" and "!=" should not be used when "equals" is overridden

           Code Smell
        79. "NullPointerException" should not be caught

           Code Smell
        80. Multiple variables should not be declared on the same line

           Code Smell
        81. Variables should not be self-assigned

           Bug
        82. String operations should not rely on the default system locale

           Code Smell
        83. "public static" fields should be constant

           Code Smell
        84. Octal values should not be used

           Code Smell
        85. Using hardcoded IP addresses is security-sensitive

           Security Hotspot
        86. "switch" statements should have "default" clauses

           Code Smell
        87. Switch cases should end with an unconditional "break" statement

           Code Smell
        88. "if ... else if" constructs should end with "else" clauses

           Code Smell
        89. "Thread.run()" should not be called directly

           Bug
        90. Control structures should use curly braces

           Code Smell
        91. "equals(Object obj)" and "hashCode()" should be overridden in pairs

           Bug
        92. Exception types should not be tested using "instanceof" in catch blocks

           Code Smell
        93. Classes that override "clone" should be "Cloneable" and call "super.clone()"

           Code Smell
        94. Throwable and Error should not be caught

           Code Smell
        95. "Object.finalize()" should remain protected (versus public) when overriding

           Code Smell
        96. Unused method parameters should be removed

           Code Smell
        97. Empty arrays and collections should be returned instead of null

           Code Smell
        98. Exception handlers should preserve the original exceptions

           Code Smell
        99. Exceptions should not be thrown in finally blocks

           Code Smell
        100. Exit methods should not be called

           Code Smell
        101. Jump statements should not occur in "finally" blocks

           Bug
        102. Assignments should not be made from within sub-expressions

           Code Smell
        103. Generic exceptions should never be thrown

           Code Smell
        104. Local variables should not shadow class fields

           Code Smell
        105. Empty statements should be removed

           Code Smell
        106. The "Object.finalize()" method should not be overridden

           Code Smell
        107. The "Object.finalize()" method should not be called

           Bug
        108. URIs should not be hardcoded

           Code Smell
        109. Unused labels should be removed

           Code Smell
        110. Standard outputs should not be used directly to log anything

           Code Smell

        "notifyAll()" should be preferred over "notify()"

        intentionality - complete
        reliability
        Bug
        Quick FixIDE quick fixes available with SonarQube for IDE
        • multi-threading
        • cert

        Why is this an issue?

        More Info

        notify and notifyAll both wake up sleeping threads waiting on the object’s monitor, but notify only wakes up one single thread, while notifyAll wakes them all up. Unless you do not care which specific thread is woken up, notifyAll should be used instead.

        Noncompliant code example

        class MyThread implements Runnable {
          Object lock = new Object();
        
          @Override
          public void run() {
            synchronized(lock) {
              // ...
              lock.notify();  // Noncompliant
            }
          }
        }
        

        Compliant solution

        class MyThread implements Runnable {
          Object lock = new Object();
        
          @Override
          public void run() {
            synchronized(lock) {
              // ...
              lock.notifyAll();
            }
          }
        }
        
          Available In:
        • SonarQube IdeCatch issues on the fly,
          in your IDE
        • SonarQube CloudDetect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories
        • SonarQube Community BuildAnalyze code in your
          on-premise CI
          Available Since
          9.1
        • SonarQube ServerAnalyze code in your
          on-premise CI
          Developer Edition
          Available Since
          9.1

        © 2008-2025 SonarSource SA. All rights reserved.

        Privacy Policy | Cookie Policy | Terms of Use