SonarSource Rules
  • Products

    In-IDE

    Code Quality and Security in your IDE with SonarQube Ide

    IDE extension that lets you fix coding issues before they exist!

    Discover SonarQube for IDE

    SaaS

    Code Quality and Security in the cloud with SonarQube Cloud

    Setup is effortless and analysis is automatic for most languages

    Discover SonarQube Cloud

    Self-Hosted

    Code Quality and Security Self-Hosted with SonarQube Server

    Fast, accurate analysis; enterprise scalability

    Discover SonarQube Server
  • SecretsSecrets
  • ABAPABAP
  • AnsibleAnsible
  • ApexApex
  • AzureResourceManagerAzureResourceManager
  • CC
  • C#C#
  • C++C++
  • CloudFormationCloudFormation
  • COBOLCOBOL
  • CSSCSS
  • DartDart
  • DockerDocker
  • FlexFlex
  • GitHub ActionsGitHub Actions
  • GoGo
  • HTMLHTML
  • JavaJava
  • JavaScriptJavaScript
  • JSONJSON
  • JCLJCL
  • KotlinKotlin
  • KubernetesKubernetes
  • Objective CObjective C
  • PHPPHP
  • PL/IPL/I
  • PL/SQLPL/SQL
  • PythonPython
  • RPGRPG
  • RubyRuby
  • RustRust
  • ScalaScala
  • ShellShell
  • SwiftSwift
  • TerraformTerraform
  • TextText
  • TypeScriptTypeScript
  • T-SQLT-SQL
  • VB.NETVB.NET
  • VB6VB6
  • XMLXML
  • YAMLYAML
Java

Java static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your JAVA code

  • All rules 733
  • Vulnerability60
  • Bug175
  • Security Hotspot40
  • Code Smell458

  • Quick Fix 65
Filtered: 35 rules found
performance
    Impact
      Clean code attribute
        1. Hash-based collections with known capacity should be initialized with the proper related static method.

           Code Smell
        2. "String#replace" should be preferred to "String#replaceAll"

           Code Smell
        3. "ThreadLocal" variables should be cleaned up when no longer used

           Bug
        4. "read(byte[],int,int)" should be overridden

           Code Smell
        5. String offset-based methods should be preferred for finding substrings from offsets

           Code Smell
        6. "write(byte[],int,int)" should be overridden

           Code Smell
        7. Functional Interfaces should be as specialised as possible

           Code Smell
        8. Regex patterns should not be created needlessly

           Code Smell
        9. Collection contents should be used

           Code Smell
        10. Java 8's "Files.exists" should not be used

           Code Smell
        11. "Arrays.stream" should be used for primitive arrays

           Code Smell
        12. Factory method injection should be used in "@Configuration" classes

           Code Smell
        13. "StringBuilder" data should be used

           Code Smell
        14. Multiple loops over the same set should be combined

           Code Smell
        15. ".isEmpty" should be used to test for the emptiness of StringBuffers/Builders

           Code Smell
        16. Arguments to "append" should not be concatenated

           Code Smell
        17. "entrySet()" should be iterated when both the key and value are needed

           Code Smell
        18. "DateUtils.truncate" from Apache Commons Lang library should not be used

           Code Smell
        19. Inner classes which do not reference their owning classes should be "static"

           Code Smell
        20. "Preconditions" and logging arguments should not require evaluation

           Code Smell
        21. "deleteOnExit" should not be used

           Code Smell
        22. "wait(...)" should be used instead of "Thread.sleep(...)" when a lock is held

           Bug
        23. Collection methods with O(n) performance should be used carefully

           Code Smell
        24. "ResultSet.isLast()" should not be used

           Code Smell
        25. Methods of "Random" that return floating point values should not be used in random integer generation

           Code Smell
        26. Objects should not be created only to invoke "getClass"

           Code Smell
        27. Parsing should be used to convert "Strings" to primitives

           Code Smell
        28. Constructors should not be used to instantiate "String", "BigInteger", "BigDecimal" and primitive-wrapper classes

           Code Smell
        29. "URL.hashCode" and "URL.equals" should be avoided

           Code Smell
        30. Strings should not be concatenated using '+' in a loop

           Code Smell
        31. Sets with elements that are enum values should be replaced with EnumSet

           Code Smell
        32. Maps with keys that are enum values should use the EnumMap implementation

           Code Smell
        33. Primitive wrappers should not be instantiated only for "toString" or "compareTo" calls

           Code Smell
        34. Case insensitive string comparisons should be made without intermediate upper or lower casing

           Code Smell
        35. Synchronized classes "Vector", "Hashtable", "Stack" and "StringBuffer" should not be used

           Code Smell

        Regex patterns should not be created needlessly

        intentionality - efficient
        maintainability
        Code Smell
        • regex
        • performance

        Why is this an issue?

        The java.util.regex.Pattern.compile() methods have a significant performance cost, and therefore should be used sensibly.

        Moreover they are the only mechanism available to create instances of the Pattern class, which are necessary to do any pattern matching using regular expressions. Unfortunately that can be hidden behind convenience methods like String.matches() or String.split().

        It is therefore somewhat easy to inadvertently repeatedly compile the same regular expression at great performance cost with no valid reason.

        This rule raises an issue when:

        • A Pattern is compiled from a String literal or constant and is not stored in a static final reference.
        • String.matches, String.split, String.replaceAll or String.replaceFirst are invoked with a String literal or constant. In which case the code should be refactored to use a java.util.regex.Pattern while respecting the previous rule.

        Noncompliant code example

        public void doingSomething(String stringToMatch) {
          Pattern regex = Pattern.compile("myRegex");  // Noncompliant
          Matcher matcher = regex.matcher("s");
          // ...
          if (stringToMatch.matches("myRegex2")) {  // Noncompliant
            // ...
          }
        }
        

        Compliant solution

        private static final Pattern myRegex = Pattern.compile("myRegex");
        private static final Pattern myRegex2 = Pattern.compile("myRegex2");
        
        public void doingSomething(String stringToMatch) {
          Matcher matcher = myRegex.matcher("s");
          // ...
          if (myRegex2.matcher(stringToMatch).matches()) {
            // ...
          }
        }
        

        Exceptions

        String.split doesn’t create a regex when the string passed as argument meets either of these 2 conditions:

        • It is a one-char String and this character is not one of the RegEx’s meta characters ".$|()[{^?*+\"
        • It is a two-char String and the first char is the backslash and the second is not the ascii digit or ascii letter.

        In which case no issue will be raised.

          Available In:
        • SonarQube IdeCatch issues on the fly,
          in your IDE
        • SonarQube CloudDetect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories
        • SonarQube Community BuildAnalyze code in your
          on-premise CI
          Available Since
          9.1
        • SonarQube ServerAnalyze code in your
          on-premise CI
          Developer Edition
          Available Since
          9.1

        © 2008-2025 SonarSource SA. All rights reserved.

        Privacy Policy | Cookie Policy | Terms of Use