SonarSource Rules
  • Products

    In-IDE

    Code Quality and Security in your IDE with SonarQube Ide

    IDE extension that lets you fix coding issues before they exist!

    Discover SonarQube for IDE

    SaaS

    Code Quality and Security in the cloud with SonarQube Cloud

    Setup is effortless and analysis is automatic for most languages

    Discover SonarQube Cloud

    Self-Hosted

    Code Quality and Security Self-Hosted with SonarQube Server

    Fast, accurate analysis; enterprise scalability

    Discover SonarQube Server
  • SecretsSecrets
  • ABAPABAP
  • AnsibleAnsible
  • ApexApex
  • AzureResourceManagerAzureResourceManager
  • CC
  • C#C#
  • C++C++
  • CloudFormationCloudFormation
  • COBOLCOBOL
  • CSSCSS
  • DartDart
  • DockerDocker
  • FlexFlex
  • GitHub ActionsGitHub Actions
  • GoGo
  • HTMLHTML
  • JavaJava
  • JavaScriptJavaScript
  • JSONJSON
  • JCLJCL
  • KotlinKotlin
  • KubernetesKubernetes
  • Objective CObjective C
  • PHPPHP
  • PL/IPL/I
  • PL/SQLPL/SQL
  • PythonPython
  • RPGRPG
  • RubyRuby
  • RustRust
  • ScalaScala
  • ShellShell
  • SwiftSwift
  • TerraformTerraform
  • TextText
  • TypeScriptTypeScript
  • T-SQLT-SQL
  • VB.NETVB.NET
  • VB6VB6
  • XMLXML
  • YAMLYAML
Java

Java static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your JAVA code

  • All rules 733
  • Vulnerability60
  • Bug175
  • Security Hotspot40
  • Code Smell458

  • Quick Fix 65
Filtered: 29 rules found
injection
    Impact
      Clean code attribute
        1. Sensitive information should not be logged in production builds

           Vulnerability
        2. WebViews should not be vulnerable to cross-app scripting attacks

           Vulnerability
        3. Privileged prompts should not be vulnerable to injection attacks

           Vulnerability
        4. Server-side requests should not be vulnerable to traversing attacks

           Vulnerability
        5. Accessing files should not lead to filesystem oracle attacks

           Vulnerability
        6. Environment variables should not be defined from untrusted input

           Vulnerability
        7. XML operations should not be vulnerable to injection attacks

           Vulnerability
        8. JSON operations should not be vulnerable to injection attacks

           Vulnerability
        9. Thread suspensions should not be vulnerable to Denial of Service attacks

           Vulnerability
        10. Components should not be vulnerable to intent redirection

           Vulnerability
        11. Constructing arguments of system commands from user input is security-sensitive

           Security Hotspot
        12. Applications should not create session cookies from untrusted input

           Vulnerability
        13. Reflection should not be vulnerable to injection attacks

           Vulnerability
        14. Extracting archives should not lead to zip slip vulnerabilities

           Vulnerability
        15. OS commands should not be vulnerable to argument injection attacks

           Vulnerability
        16. Server-side templates should not be vulnerable to injection attacks

           Vulnerability
        17. Dynamic code execution should not be vulnerable to injection attacks

           Vulnerability
        18. NoSQL operations should not be vulnerable to injection attacks

           Vulnerability
        19. HTTP request redirections should not be open to forging attacks

           Vulnerability
        20. Logging should not be vulnerable to injection attacks

           Vulnerability
        21. Server-side requests should not be vulnerable to forging attacks

           Vulnerability
        22. Deserialization should not be vulnerable to injection attacks

           Vulnerability
        23. Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks

           Vulnerability
        24. Database queries should not be vulnerable to injection attacks

           Vulnerability
        25. Regular expressions should not be vulnerable to Denial of Service attacks

           Vulnerability
        26. XPath expressions should not be vulnerable to injection attacks

           Vulnerability
        27. I/O function calls should not be vulnerable to path injection attacks

           Vulnerability
        28. LDAP queries should not be vulnerable to injection attacks

           Vulnerability
        29. OS commands should not be vulnerable to command injection attacks

           Vulnerability

        Thread suspensions should not be vulnerable to Denial of Service attacks

        intentionality - complete
        security
        Vulnerability
        • cwe
        • denial-of-service
        • injection

        Why is this an issue?

        How can I fix it?

        More Info

        Most modern applications use threads to handle incoming requests or other long-running tasks concurrently. In some cases, the number of concurrent threads is limited to avoid system resource exhaustion due to too numerous actions being run.

        When an application uses user-controlled data as a parameter of a thread suspension operation, a Denial of Service attack can be made possible.

        What is the potential impact?

        An attacker with the capability to insert an arbitrary duration into a thread suspension operation could suspend the corresponding thread for a long time. Depending on the application’s architecture and the thread handling logic, this can lead to a complete Denial of Service of the application.

        Indeed, if the number of threads, either created by the application or allocated by a web server, is limited, the attacker will be able to suspend all of them at the same time. Without any remaining thread to handle actions, the application might badly answer, be slowed down, or become completely irresponsive.

          Available In:
        • SonarQube CloudDetect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories
        • SonarQube ServerAnalyze code in your
          on-premise CI
          Developer Edition
          Available Since
          9.4

        © 2008-2025 SonarSource SA. All rights reserved.

        Privacy Policy | Cookie Policy | Terms of Use