SonarSource Rules
  • Products

    In-IDE

    Code Quality and Security in your IDE with SonarQube Ide

    IDE extension that lets you fix coding issues before they exist!

    Discover SonarQube for IDE

    SaaS

    Code Quality and Security in the cloud with SonarQube Cloud

    Setup is effortless and analysis is automatic for most languages

    Discover SonarQube Cloud

    Self-Hosted

    Code Quality and Security Self-Hosted with SonarQube Server

    Fast, accurate analysis; enterprise scalability

    Discover SonarQube Server
  • SecretsSecrets
  • ABAPABAP
  • AnsibleAnsible
  • ApexApex
  • AzureResourceManagerAzureResourceManager
  • CC
  • C#C#
  • C++C++
  • CloudFormationCloudFormation
  • COBOLCOBOL
  • CSSCSS
  • DartDart
  • DockerDocker
  • FlexFlex
  • GitHub ActionsGitHub Actions
  • GoGo
  • HTMLHTML
  • JavaJava
  • JavaScriptJavaScript
  • JSONJSON
  • JCLJCL
  • KotlinKotlin
  • KubernetesKubernetes
  • Objective CObjective C
  • PHPPHP
  • PL/IPL/I
  • PL/SQLPL/SQL
  • PythonPython
  • RPGRPG
  • RubyRuby
  • RustRust
  • ScalaScala
  • ShellShell
  • SwiftSwift
  • TerraformTerraform
  • TextText
  • TypeScriptTypeScript
  • T-SQLT-SQL
  • VB.NETVB.NET
  • VB6VB6
  • XMLXML
  • YAMLYAML
Java

Java static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your JAVA code

  • All rules 733
  • Vulnerability60
  • Bug175
  • Security Hotspot40
  • Code Smell458

  • Quick Fix 65
Filtered: 131 rules found
cwe
    Impact
      Clean code attribute
        1. Return values should not be ignored when they contain the operation status code

           Bug
        2. Equality operators should not be used in "for" loop termination conditions

           Code Smell
        3. Limited dependence should be placed on operator precedence

           Code Smell
        4. WebViews should not be vulnerable to cross-app scripting attacks

           Vulnerability
        5. Exposing native code through JavaScript interfaces is security-sensitive

           Security Hotspot
        6. Server-side requests should not be vulnerable to traversing attacks

           Vulnerability
        7. Accessing files should not lead to filesystem oracle attacks

           Vulnerability
        8. Environment variables should not be defined from untrusted input

           Vulnerability
        9. Credentials should not be hard-coded

           Vulnerability
        10. Counter Mode initialization vectors should not be reused

           Vulnerability
        11. Hard-coded secrets are security-sensitive

           Security Hotspot
        12. XML operations should not be vulnerable to injection attacks

           Vulnerability
        13. JSON operations should not be vulnerable to injection attacks

           Vulnerability
        14. Thread suspensions should not be vulnerable to Denial of Service attacks

           Vulnerability
        15. Enabling file access for WebViews is security-sensitive

           Security Hotspot
        16. Enabling JavaScript support for WebViews is security-sensitive

           Security Hotspot
        17. Constructing arguments of system commands from user input is security-sensitive

           Security Hotspot
        18. Mobile database encryption keys should not be disclosed

           Vulnerability
        19. Using biometric authentication without a cryptographic solution is security-sensitive

           Security Hotspot
        20. Authorizing non-authenticated users to use keys in the Android KeyStore is security-sensitive

           Security Hotspot
        21. Applications should not create session cookies from untrusted input

           Vulnerability
        22. Reflection should not be vulnerable to injection attacks

           Vulnerability
        23. Extracting archives should not lead to zip slip vulnerabilities

           Vulnerability
        24. OS commands should not be vulnerable to argument injection attacks

           Vulnerability
        25. A new session should be created during user authentication

           Vulnerability
        26. Using slow regular expressions is security-sensitive

           Security Hotspot
        27. Authorizations should be based on strong decisions

           Vulnerability
        28. Allowing user enumeration is security-sensitive

           Security Hotspot
        29. "@Deprecated" code marked for removal should never be used

           Code Smell
        30. Allowing requests with excessive content length is security-sensitive

           Security Hotspot
        31. Disclosing fingerprints from web application technologies is security-sensitive

           Security Hotspot
        32. JWT should be signed and verified with strong cipher algorithms

           Vulnerability
        33. Cipher algorithms should be robust

           Vulnerability
        34. Encryption algorithms should be used with secure mode and padding scheme

           Vulnerability
        35. Server hostnames should be verified during SSL/TLS connections

           Vulnerability
        36. Server-side templates should not be vulnerable to injection attacks

           Vulnerability
        37. Insecure temporary file creation methods should not be used

           Vulnerability
        38. Using publicly writable directories is security-sensitive

           Security Hotspot
        39. Passwords should not be stored in plaintext or with a fast hashing algorithm

           Vulnerability
        40. Dynamic code execution should not be vulnerable to injection attacks

           Vulnerability
        41. Using clear-text protocols is security-sensitive

           Security Hotspot
        42. Accessing Android external storage is security-sensitive

           Security Hotspot
        43. Receiving intents is security-sensitive

           Security Hotspot
        44. Broadcasting intents is security-sensitive

           Security Hotspot
        45. "ActiveMQConnectionFactory" should not be vulnerable to malicious code deserialization

           Vulnerability
        46. Disabling auto-escaping in template engines is security-sensitive

           Security Hotspot
        47. NoSQL operations should not be vulnerable to injection attacks

           Vulnerability
        48. HTTP request redirections should not be open to forging attacks

           Vulnerability
        49. Logging should not be vulnerable to injection attacks

           Vulnerability
        50. Server-side requests should not be vulnerable to forging attacks

           Vulnerability
        51. Deserialization should not be vulnerable to injection attacks

           Vulnerability
        52. Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks

           Vulnerability
        53. Having a permissive Cross-Origin Resource Sharing policy is security-sensitive

           Security Hotspot
        54. Expanding archive files without controlling resource consumption is security-sensitive

           Security Hotspot
        55. Strings and Boxed types should be compared using "equals()"

           Bug
        56. Server certificates should be verified during SSL/TLS connections

           Vulnerability
        57. Using weak hashing algorithms is security-sensitive

           Security Hotspot
        58. Persistent entities should not be used as arguments of "@RequestMapping" methods

           Vulnerability
        59. Using unsafe Jackson deserialization configuration is security-sensitive

           Security Hotspot
        60. Setting JavaBean properties is security-sensitive

           Security Hotspot
        61. Delivering code in production with debug features activated is security-sensitive

           Security Hotspot
        62. Disabling CSRF protections is security-sensitive

           Security Hotspot
        63. Allowing deserialization of LDAP objects is security-sensitive

           Security Hotspot
        64. LDAP connections should be authenticated

           Vulnerability
        65. Cryptographic keys should be robust

           Vulnerability
        66. "Integer.toHexString" should not be used to build hexadecimal strings

           Code Smell
        67. Weak SSL/TLS protocols should not be used

           Vulnerability
        68. Secure random number generators should not output predictable values

           Vulnerability
        69. Searching OS commands in PATH is security-sensitive

           Security Hotspot
        70. Allowing both safe and unsafe HTTP methods is security-sensitive

           Security Hotspot
        71. Optional value should only be accessed after calling isPresent()

           Bug
        72. Database queries should not be vulnerable to injection attacks

           Vulnerability
        73. Zero should not be a possible denominator

           Bug
        74. Creating cookies without the "HttpOnly" flag is security-sensitive

           Security Hotspot
        75. Cipher Block Chaining IVs should be unpredictable

           Vulnerability
        76. XML parsers should not be vulnerable to XXE attacks

           Vulnerability
        77. Multiline blocks should be enclosed in curly braces

           Code Smell
        78. "@NonNull" values should not be set to null

           Bug
        79. Regular expressions should not be vulnerable to Denial of Service attacks

           Vulnerability
        80. Setting loose POSIX file permissions is security-sensitive

           Security Hotspot
        81. Boolean expressions should not be gratuitous

           Code Smell
        82. Conditionally executed code should be reachable

           Bug
        83. "null" should not be returned from a "Boolean" method

           Code Smell
        84. Blocks should be synchronized on "private final" fields

           Bug
        85. Non-serializable objects should not be stored in "javax.servlet.http.HttpSession" instances

           Bug
        86. Mutable fields should not be "public static"

           Code Smell
        87. Private mutable members should not be stored or returned directly

           Code Smell
        88. Null pointers should not be dereferenced

           Bug
        89. Using non-standard cryptographic algorithms is security-sensitive

           Security Hotspot
        90. "HttpServletRequest.getRequestedSessionId()" should not be used

           Vulnerability
        91. Using pseudorandom number generators (PRNGs) is security-sensitive

           Security Hotspot
        92. "toString()" and "clone()" methods should not return null

           Bug
        93. Locks should be released on all paths

           Bug
        94. "Exception" should not be caught when not required by called methods

           Code Smell
        95. Math operands should be cast before assignment

           Bug
        96. Double-checked locking should not be used

           Bug
        97. "InterruptedException" and "ThreadDeath" should not be ignored

           Bug
        98. A secure password should be used when connecting to a database

           Vulnerability
        99. Resources should be closed

           Bug
        100. Creating cookies without the "secure" flag is security-sensitive

           Security Hotspot
        101. XPath expressions should not be vulnerable to injection attacks

           Vulnerability
        102. I/O function calls should not be vulnerable to path injection attacks

           Vulnerability
        103. LDAP queries should not be vulnerable to injection attacks

           Vulnerability
        104. Formatting SQL queries is security-sensitive

           Security Hotspot
        105. OS commands should not be vulnerable to command injection attacks

           Vulnerability
        106. Hard-coded passwords are security-sensitive

           Security Hotspot
        107. Password hashing functions should use an unpredictable salt

           Vulnerability
        108. Exceptions should not be thrown from servlet methods

           Vulnerability
        109. Fields in a "Serializable" class should either be transient or serializable

           Code Smell
        110. "@Deprecated" code should not be used

           Code Smell
        111. Classes should not be compared by name

           Bug
        112. Unused assignments should be removed

           Code Smell
        113. "==" and "!=" should not be used when "equals" is overridden

           Code Smell
        114. "NullPointerException" should not be caught

           Code Smell
        115. "public static" fields should be constant

           Code Smell
        116. "switch" statements should have "default" clauses

           Code Smell
        117. Switch cases should end with an unconditional "break" statement

           Code Smell
        118. "Thread.run()" should not be called directly

           Bug
        119. "equals(Object obj)" and "hashCode()" should be overridden in pairs

           Bug
        120. Classes that override "clone" should be "Cloneable" and call "super.clone()"

           Code Smell
        121. Throwable and Error should not be caught

           Code Smell
        122. "Object.finalize()" should remain protected (versus public) when overriding

           Code Smell
        123. Exception handlers should preserve the original exceptions

           Code Smell
        124. Exit methods should not be called

           Code Smell
        125. Jump statements should not occur in "finally" blocks

           Bug
        126. Track uses of "TODO" tags

           Code Smell
        127. Track uses of "FIXME" tags

           Code Smell
        128. Assignments should not be made from within sub-expressions

           Code Smell
        129. Generic exceptions should never be thrown

           Code Smell
        130. The "Object.finalize()" method should not be called

           Bug
        131. Class variable fields should not have public accessibility

           Code Smell

        Extracting archives should not lead to zip slip vulnerabilities

        intentionality - complete
        security
        Vulnerability
        • cwe
        • injection

        Why is this an issue?

        How can I fix it?

        More Info

        Zip slip is a special case of path injection. It occurs when an application uses the name of an archive entry to construct a file path and access this file without validating its path first.

        This rule will consider all archives untrusted, assuming they have been created outside the application file system.

        A user with malicious intent would inject specially crafted values, such as ../, in the archive entry name to change the initial intended path. The resulting path would resolve somewhere in the filesystem where the user should not normally have access.

        What is the potential impact?

        A web application is vulnerable to Zip Slip and an attacker is able to exploit it by submitting an archive he controls.

        The files that can be affected are limited by the permission of the process that runs the application. Worst case scenario: the process runs with root privileges on Linux, and therefore any file can be affected.

        Below are some real-world scenarios that illustrate some impacts of an attacker exploiting the vulnerability.

        Override arbitrary files

        The application opens the archive to copy its entries to the file system. The entries' names contain path traversal payloads for existing files in the system, which are overwritten once the entries are copied. The vulnerability is exploited to corrupt files critical for the application or operating system to work properly.

        It could result in data being lost or the application being unavailable.

          Available In:
        • SonarQube CloudDetect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories
        • SonarQube ServerAnalyze code in your
          on-premise CI
          Developer Edition
          Available Since
          9.1

        © 2008-2025 SonarSource SA. All rights reserved.

        Privacy Policy | Cookie Policy | Terms of Use