SonarSource Rules
  • Products

    In-IDE

    Code Quality and Security in your IDE with SonarQube Ide

    IDE extension that lets you fix coding issues before they exist!

    Discover SonarQube for IDE

    SaaS

    Code Quality and Security in the cloud with SonarQube Cloud

    Setup is effortless and analysis is automatic for most languages

    Discover SonarQube Cloud

    Self-Hosted

    Code Quality and Security Self-Hosted with SonarQube Server

    Fast, accurate analysis; enterprise scalability

    Discover SonarQube Server
  • SecretsSecrets
  • ABAPABAP
  • AnsibleAnsible
  • ApexApex
  • AzureResourceManagerAzureResourceManager
  • CC
  • C#C#
  • C++C++
  • CloudFormationCloudFormation
  • COBOLCOBOL
  • CSSCSS
  • DartDart
  • DockerDocker
  • FlexFlex
  • GitHub ActionsGitHub Actions
  • GoGo
  • HTMLHTML
  • JavaJava
  • JavaScriptJavaScript
  • JSONJSON
  • JCLJCL
  • KotlinKotlin
  • KubernetesKubernetes
  • Objective CObjective C
  • PHPPHP
  • PL/IPL/I
  • PL/SQLPL/SQL
  • PythonPython
  • RPGRPG
  • RubyRuby
  • RustRust
  • ScalaScala
  • ShellShell
  • SwiftSwift
  • TerraformTerraform
  • TextText
  • TypeScriptTypeScript
  • T-SQLT-SQL
  • VB.NETVB.NET
  • VB6VB6
  • XMLXML
  • YAMLYAML
Java

Java static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your JAVA code

  • All rules 733
  • Vulnerability60
  • Bug175
  • Security Hotspot40
  • Code Smell458

  • Quick Fix 65
Filtered: 29 rules found
injection
    Impact
      Clean code attribute
        1. Sensitive information should not be logged in production builds

           Vulnerability
        2. WebViews should not be vulnerable to cross-app scripting attacks

           Vulnerability
        3. Privileged prompts should not be vulnerable to injection attacks

           Vulnerability
        4. Server-side requests should not be vulnerable to traversing attacks

           Vulnerability
        5. Accessing files should not lead to filesystem oracle attacks

           Vulnerability
        6. Environment variables should not be defined from untrusted input

           Vulnerability
        7. XML operations should not be vulnerable to injection attacks

           Vulnerability
        8. JSON operations should not be vulnerable to injection attacks

           Vulnerability
        9. Thread suspensions should not be vulnerable to Denial of Service attacks

           Vulnerability
        10. Components should not be vulnerable to intent redirection

           Vulnerability
        11. Constructing arguments of system commands from user input is security-sensitive

           Security Hotspot
        12. Applications should not create session cookies from untrusted input

           Vulnerability
        13. Reflection should not be vulnerable to injection attacks

           Vulnerability
        14. Extracting archives should not lead to zip slip vulnerabilities

           Vulnerability
        15. OS commands should not be vulnerable to argument injection attacks

           Vulnerability
        16. Server-side templates should not be vulnerable to injection attacks

           Vulnerability
        17. Dynamic code execution should not be vulnerable to injection attacks

           Vulnerability
        18. NoSQL operations should not be vulnerable to injection attacks

           Vulnerability
        19. HTTP request redirections should not be open to forging attacks

           Vulnerability
        20. Logging should not be vulnerable to injection attacks

           Vulnerability
        21. Server-side requests should not be vulnerable to forging attacks

           Vulnerability
        22. Deserialization should not be vulnerable to injection attacks

           Vulnerability
        23. Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks

           Vulnerability
        24. Database queries should not be vulnerable to injection attacks

           Vulnerability
        25. Regular expressions should not be vulnerable to Denial of Service attacks

           Vulnerability
        26. XPath expressions should not be vulnerable to injection attacks

           Vulnerability
        27. I/O function calls should not be vulnerable to path injection attacks

           Vulnerability
        28. LDAP queries should not be vulnerable to injection attacks

           Vulnerability
        29. OS commands should not be vulnerable to command injection attacks

           Vulnerability

        Sensitive information should not be logged in production builds

        responsibility - trustworthy
        security
        Vulnerability
        • injection

        On client-side applications, such as Android apps, logging sensitive information like passwords, personal data, or API keys, poses a significant security risk. While direct log access by other applications is restricted on modern Android, these logs can still be read by anyone with physical device access (e.g. via Logcat), on rooted devices, or by malicious apps with special permissions.

        Even if not directly accessible to other apps, they might be stored on the device in plaintext, making them vulnerable if the device is lost, stolen, or compromised. Furthermore, these logs can be inadvertently collected and transmitted by crash reporting or analytics services, exposing sensitive data to third parties. This can lead to compromised user accounts, data breaches, and a loss of trust in the application.

        Why is this an issue?

        How can I fix it?

        More Info

        Logging sensitive data creates a persistent security risk, as logs can remain on a device or in backups indefinitely. This exposes credentials and personal information to malware or anyone who gains physical or remote access to the device, long after the data was recorded.

        What is the potential impact?

        A breach resulting from logged sensitive data can cause irreparable reputational damage and erode user trust. This can lead to customer churn and negative publicity. Furthermore, such an incident can trigger significant legal and financial repercussions, including heavy fines under data protection regulations like GDPR and CCPA, and potential class-action lawsuits. This places the business in a state of extended liability, requiring it to manage ongoing incident response, regulatory scrutiny, and legal obligations to all affected parties.

          Available In:
        • SonarQube CloudDetect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories
        • SonarQube ServerAnalyze code in your
          on-premise CI

        © 2008-2025 SonarSource SA. All rights reserved.

        Privacy Policy | Cookie Policy | Terms of Use