Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

Secrets
ABAP
Ansible
Apex
AzureResourceManager
C
C#
C++
CloudFormation
COBOL
CSS
Dart
Docker
Flex
Go
HTML
Java
JavaScript
JCL
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML

Java static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your JAVA code

Tags

Impact

Clean code attribute

"@SpringBootApplication" and "@ComponentScan" should not be used in the default package
Bug
"@Controller" classes that use "@SessionAttributes" must call "setComplete" on their "SessionStatus" objects
Bug
"wait" should not be called when multiple locks are held
Bug
"PreparedStatement" and "ResultSet" methods should be called with valid indices
Bug
"wait(...)" should be used instead of "Thread.sleep(...)" when a lock is held
Bug
Printf-style format strings should not lead to unexpected behavior at runtime
Bug
Methods "wait(...)", "notify()" and "notifyAll()" should not be called on Thread instances
Bug
Methods should not call same-class methods with incompatible "@Transactional" values
Bug
Recursion should not be infinite
Bug
Double-checked locking should not be used
Bug
Accessing an array element should not trigger an ArrayIndexOutOfBoundsException
Bug
Calls to methods should not trigger an exception
Bug
Unsupported methods should not be called on some collection implementations
Bug
Cast operations should not trigger a ClassCastException
Bug
Members ignored during record serialization should not be used
Bug
Map "computeIfAbsent()" and "computeIfPresent()" should not be used to add "null" values.
Bug
Regex lookahead assertions should not be contradictory
Bug
Back references in regular expressions should only refer to capturing groups that are matched before the reference
Bug
Regex boundaries should not be used in a way that can never be matched
Bug
Regex patterns following a possessive quantifier should not always fail
Bug
Regular expressions should be syntactically valid
Bug
Assertions comparing incompatible types should not be made
Bug
JUnit5 inner test classes should be annotated with @Nested
Bug
Only one method invocation is expected when testing checked exceptions
Bug
Assertion methods should not be used within the try block of a try-catch catching an Error
Bug
Getters and setters should access the expected fields
Bug
Classes should not access their own subclasses during class initialization
Bug
"runFinalizersOnExit" should not be called
Bug
"ScheduledThreadPoolExecutor" should not have 0 core threads
Bug
"Random" objects should be reused
Bug
The signature of "finalize()" should match that of "Object.finalize()"
Bug
Jump statements should not occur in "finally" blocks
Bug
"String.indexOf" should be used with correct ranges
Bug
"Math.clamp" should be used with correct ranges
Bug
Virtual threads should not run tasks that include synchronized code
Bug
"setDaemon", "setPriority" and "getThreadGroup" should not be invoked on virtual threads
Bug
Virtual threads should be used for tasks that include heavy blocking operations
Bug
Set appropriate Status Codes on HTTP responses
Bug
Beans in "@Configuration" class should have different names
Bug
SpEL expression should have a valid syntax
Bug
"@PathVariable" annotation should be present if a path variable is used
Bug
"@Bean" methods for Singleton should not be invoked in "@Configuration" when proxyBeanMethods is false
Bug
"@Qualifier" should not be used on "@Bean" methods
Bug
"@Autowired" should only be used on a single constructor
Bug
Use of the "@Async" annotation on methods declared within a "@Configuration" class in Spring Boot
Bug
Nullable injected fields and parameters should provide a default value
Bug
Async methods should return void or Future
Bug
Model attributes should follow the Java identifier naming convention
Bug
Collections should not be modified while they are iterated
Bug
Equals method should be overridden in records containing array fields
Bug
Reflection should not be used to increase accessibility of records' fields
Bug
AssertJ assertions with "Consumer" arguments should contain assertion inside consumers
Bug
The regex escape sequence \cX should only be used with characters in the @-_ range
Bug
Regular expressions should not overflow the stack
Bug
Tests method should not be annotated with competing annotations
Bug
Assertions should not be used in production code
Bug
DateTimeFormatters should not use mismatched year and week numbers
Bug
Unicode Grapheme Clusters should be avoided inside regex character classes
Bug
Case insensitive Unicode regular expressions should enable the "UNICODE_CASE" flag
Bug
Assertions should not compare an object to itself
Bug
Regex alternatives should not be redundant
Bug
Alternatives in regular expressions should be grouped when used with anchors
Bug
AssertJ methods setting the assertion context should come before an assertion
Bug
AssertJ configuration should be applied
Bug
JUnit5 test classes and methods should not be silently ignored
Bug
"ThreadLocal" variables should be cleaned up when no longer used
Bug
Strings and Boxed types should be compared using "equals()"
Bug
InputSteam.read() implementation should not return a signed byte
Bug
"compareTo" should not be overloaded
Bug
"iterator" should not return "this"
Bug
Map values should not be replaced unconditionally
Bug
Week Year ("YYYY") should not be used for date formatting
Bug
Exceptions should not be created without being thrown
Bug
Collection sizes and array length comparisons should make sense
Bug
All branches in a conditional structure should not have exactly the same implementation
Bug
Overrides should match their parent class methods in synchronization
Bug
Value-based classes should not be used for locking
Bug
Expressions used in "assert" should not produce side effects
Bug
"volatile" variables should not be used with compound operators
Bug
"getClass" should not be used for synchronization
Bug
Assignment of lazy-initialized members should be the last step with double-checked locking
Bug
Indexes to passed to "String" operations should be within the string's bounds
Bug
Raw byte values should not be used in bitwise operations in combination with shifts
Bug
Getters and setters should be synchronized in pairs
Bug
Non-thread-safe fields should not be static
Bug
"null" should not be used with "Optional"
Bug
Unary prefix operators should not be repeated
Bug
Non-existent operators like "=+" should not be used
Bug
"read" and "readLine" return values should be used
Bug
Inappropriate regular expressions should not be used
Bug
"notifyAll()" should be preferred over "notify()"
Bug
Blocks should be synchronized on "private final" fields
Bug
Non-serializable objects should not be stored in "javax.servlet.http.HttpSession" instances
Bug
"Object.wait()", "Object.notify()" and "Object.notifyAll()" should only be called from synchronized code
Bug
Loop conditions should be true at least once
Bug
A "for" loop update clause should move the counter in the right direction
Bug
Methods with Spring proxying annotations should be public
Bug
Servlets should not have mutable instance fields
Bug
"toString()" and "clone()" methods should not return null
Bug
".equals()" should not be used to test the values of "Atomic" classes
Bug
Return values from functions without side effects should not be ignored
Bug
Child class methods named for parent class methods should be overrides
Bug
Inappropriate "Collection" calls should not be made
Bug
Unnecessary equality checks should not be made
Bug
Dissimilar primitive wrappers should not be used with the ternary operator without explicit casting
Bug
"InterruptedException" and "ThreadDeath" should not be ignored
Bug
Classes extending java.lang.Thread should provide a specific "run" behavior
Bug
"Double.longBitsToDouble" should take "long" as argument
Bug
Values should not be uselessly incremented
Bug
String operations with predictable outcomes should be avoided
Bug
"writeObject" argument must implement "Serializable"
Bug
"hashCode" and "toString" should not be called on array instances
Bug
Collections should not be passed as arguments to their own methods
Bug
"BigDecimal(double)" should not be used
Bug
Invalid "Date" values should not be used
Bug
Reflection should not be used to check non-runtime annotations
Bug
Custom serialization methods should have required signatures
Bug
"Externalizable" classes should have no-arguments constructors
Bug
Classes should not be compared by name
Bug
Related "if/else if" statements should not have the same condition
Bug
Synchronization should not be done on instances of value-based classes
Bug
"Iterator.hasNext()" should not call "Iterator.next()"
Bug
Identical expressions should not be used on both sides of a binary operator
Bug
Loops with at most one iteration should be refactored
Bug
Variables should not be self-assigned
Bug
"StringBuilder" and "StringBuffer" should not be instantiated with a character
Bug
Methods should not be named "tostring", "hashcode" or "equal"
Bug
"Thread.run()" should not be called directly
Bug
"equals" method overrides should accept "Object" parameters
Bug
The "Object.finalize()" method should not be called
Bug
Return values should not be ignored when they contain the operation status code
Bug
Repeated patterns in regular expressions should not match the empty string
Bug
AssertJ assertions "allMatch" and "doesNotContains" should also test for emptiness
Bug
Double Brace Initialization should not be used
Bug
Non-primitive fields should not be "volatile"
Bug
"Collection.toArray()" should be passed an array of the proper type
Bug
"Math.abs" and negation should not be used on numbers that could be "MIN_VALUE"
Bug
The value returned from a stream read should be checked
Bug
"Iterator.next()" methods should throw "NoSuchElementException"
Bug
"compareTo" results should not be checked for specific values
Bug
Math operands should be cast before assignment
Bug
Ints and longs should not be shifted by zero or more than their number of bits-1
Bug
"compareTo" should not return "Integer.MIN_VALUE"
Bug
Unnecessary boxing and unboxing should be avoided
Bug
"equals(Object obj)" should test the argument's type
Bug
"Serializable" inner classes of non-serializable outer classes should be "static"
Bug
The non-serializable super class of a "Serializable" class should have a no-argument constructor
Bug
Method parameters, caught exceptions and foreach variables' initial values should not be ignored
Bug
"equals(Object obj)" and "hashCode()" should be overridden in pairs
Bug
Annotated Mockito objects should be initialized
Bug
Custom resources should be closed
Bug
Files opened in append mode should not be used with "ObjectOutputStream"
Bug
Loops should not be infinite
Bug
Resources should be closed
Bug
Zero should not be a possible denominator
Bug
Locks should be released on all paths
Bug
"super.finalize()" should be called at the end of "Object.finalize()" implementations
Bug
Consumed Stream pipelines should not be reused
Bug
Mockito argument matchers should be used on all parameters
Bug
Consumed Stream pipelines should not be reused
Bug
Intermediate Stream methods should not be left unused
Bug
Spring "@Controller" classes should not use "@Scope"
Bug
Optional value should only be accessed after calling isPresent()
Bug
Constructor injection should be used instead of field injection
Bug
Min and max used in combination should not always return the same value
Bug
Conditionally executed code should be reachable
Bug
Null pointers should not be dereferenced
Bug
Classes that don't define "hashCode()" should not be used in hashes
Bug
Floating point numbers should not be tested for equality
Bug
JEE applications should not "getClassLoader"
Bug
"@NonNull" values should not be set to null
Bug
Math should not be performed on floats
Bug
"equals" methods should be symmetric and work for subclasses
Bug

Classes should not be compared by name

intentionality - logical

reliability

Bug

MajorSonarSource default severity
click to learn more

cwe
cert

Why is this an issue?

More Info

There is no requirement that class names be unique, only that they be unique within a package. Therefore trying to determine an object’s type based on its class name is an exercise fraught with danger. One of those dangers is that a malicious user will send objects of the same name as the trusted class and thereby gain trusted access.

Instead, the instanceof operator or the Class.isAssignableFrom() method should be used to check the object’s underlying type.

Noncompliant code example

package computer;
class Pear extends Laptop { ... }

package food;
class Pear extends Fruit { ... }

class Store {

  public boolean hasSellByDate(Object item) {
    if ("Pear".equals(item.getClass().getSimpleName())) {  // Noncompliant
      return true;  // Results in throwing away week-old computers
    }
    return false;
  }

  public boolean isList(Class<T> valueClass) {
    if (List.class.getName().equals(valueClass.getName())) {  // Noncompliant
      return true;
    }
    return false;
  }
}

Compliant solution

class Store {

  public boolean hasSellByDate(Object item) {
    if (item instanceof food.Pear) {
      return true;
    }
    return false;
  }

  public boolean isList(Class<T> valueClass) {
    if (valueClass.isAssignableFrom(List.class)) {
      return true;
    }
    return false;
  }
}

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Sonar helps developers write Clean Code.
Privacy Policy | Cookie Policy

In-IDE

SaaS

Self-Hosted