Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarQube for IDE
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarQube Cloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube Server

Secrets
ABAP
Ansible
Apex
AzureResourceManager
C
C#
C++
CloudFormation
COBOL
CSS
Dart
Docker
Flex
GitHub Actions
Go
HTML
Java
JavaScript
JSON
JCL
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Rust
Scala
Shell
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML
YAML

Java static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your JAVA code

Tags

Impact

Clean code attribute

Return values should not be ignored when they contain the operation status code
Bug
@EventListener methods should have one parameter at most
Bug
"@Scheduled" annotation should only be applied to no-arg methods
Bug
Consumed Stream pipelines should not be reused
Bug
"String.indexOf" should be used with correct ranges
Bug
"Math.clamp" should be used with correct ranges
Bug
Virtual threads should not run tasks that include synchronized code
Bug
"setDaemon", "setPriority" and "getThreadGroup" should not be invoked on virtual threads
Bug
Virtual threads should be used for tasks that include heavy blocking operations
Bug
Set appropriate Status Codes on HTTP responses
Bug
Beans in "@Configuration" class should have different names
Bug
SpEL expression should have a valid syntax
Bug
"@PathVariable" annotation should be present if a path variable is used
Bug
"@Bean" methods for Singleton should not be invoked in "@Configuration" when proxyBeanMethods is false
Bug
"@Qualifier" should not be used on "@Bean" methods
Bug
"@Autowired" should only be used on a single constructor
Bug
Use of the "@Async" annotation on methods declared within a "@Configuration" class in Spring Boot
Bug
Nullable injected fields and parameters should provide a default value
Bug
Async methods should return void or Future
Bug
Model attributes should follow the Java identifier naming convention
Bug
Accessing an array element should not trigger an ArrayIndexOutOfBoundsException
Bug
Collections should not be modified while they are iterated
Bug
Calls to methods should not trigger an exception
Bug
Unsupported methods should not be called on some collection implementations
Bug
Cast operations should not trigger a ClassCastException
Bug
Equals method should be overridden in records containing array fields
Bug
Reflection should not be used to increase accessibility of records' fields
Bug
Members ignored during record serialization should not be used
Bug
Map "computeIfAbsent()" and "computeIfPresent()" should not be used to add "null" values.
Bug
AssertJ assertions with "Consumer" arguments should contain assertion inside consumers
Bug
Mockito argument matchers should be used on all parameters
Bug
The regex escape sequence \cX should only be used with characters in the @-_ range
Bug
Regex lookahead assertions should not be contradictory
Bug
Back references in regular expressions should only refer to capturing groups that are matched before the reference
Bug
Regular expressions should not overflow the stack
Bug
Regex boundaries should not be used in a way that can never be matched
Bug
Regex patterns following a possessive quantifier should not always fail
Bug
Annotated Mockito objects should be initialized
Bug
Tests method should not be annotated with competing annotations
Bug
Assertions should not be used in production code
Bug
DateTimeFormatters should not use mismatched year and week numbers
Bug
Unicode Grapheme Clusters should be avoided inside regex character classes
Bug
Case insensitive Unicode regular expressions should enable the "UNICODE_CASE" flag
Bug
Assertions should not compare an object to itself
Bug
Regular expressions should be syntactically valid
Bug
Regex alternatives should not be redundant
Bug
Alternatives in regular expressions should be grouped when used with anchors
Bug
Assertions comparing incompatible types should not be made
Bug
Repeated patterns in regular expressions should not match the empty string
Bug
AssertJ assertions "allMatch" and "doesNotContain" should also test for emptiness
Bug
AssertJ methods setting the assertion context should come before an assertion
Bug
AssertJ configuration should be applied
Bug
JUnit5 test classes and methods should not be silently ignored
Bug
JUnit5 inner test classes should be annotated with @Nested
Bug
Only one method invocation is expected when testing checked exceptions
Bug
Assertion methods should not be used within the try block of a try-catch catching an Error
Bug
"ThreadLocal" variables should be cleaned up when no longer used
Bug
Strings and Boxed types should be compared using "equals()"
Bug
"@SpringBootApplication" and "@ComponentScan" should not be used in the default package
Bug
InputSteam.read() implementation should not return a signed byte
Bug
"compareTo" should not be overloaded
Bug
"iterator" should not return "this"
Bug
Getters and setters should access the expected fields
Bug
Map values should not be replaced unconditionally
Bug
Week Year ("YYYY") should not be used for date formatting
Bug
Exceptions should not be created without being thrown
Bug
Collection sizes and array length comparisons should make sense
Bug
Consumed Stream pipelines should not be reused
Bug
Intermediate Stream methods should not be left unused
Bug
All branches in a conditional structure should not have exactly the same implementation
Bug
"@Controller" classes that use "@SessionAttributes" must call "setComplete" on their "SessionStatus" objects
Bug
Spring "@Controller" classes should not use "@Scope"
Bug
Optional value should only be accessed after calling isPresent()
Bug
Double Brace Initialization should not be used
Bug
Overrides should match their parent class methods in synchronization
Bug
Custom resources should be closed
Bug
Zero should not be a possible denominator
Bug
Value-based classes should not be used for locking
Bug
Expressions used in "assert" should not produce side effects
Bug
Constructor injection should be used instead of field injection
Bug
"volatile" variables should not be used with compound operators
Bug
Non-primitive fields should not be "volatile"
Bug
"getClass" should not be used for synchronization
Bug
Min and max used in combination should not always return the same value
Bug
Assignment of lazy-initialized members should be the last step with double-checked locking
Bug
"wait" should not be called when multiple locks are held
Bug
Indexes to passed to "String" operations should be within the string's bounds
Bug
Raw byte values should not be used in bitwise operations in combination with shifts
Bug
JEE applications should not "getClassLoader"
Bug
"Collection.toArray()" should be passed an array of the proper type
Bug
Getters and setters should be synchronized in pairs
Bug
Non-thread-safe fields should not be static
Bug
"null" should not be used with "Optional"
Bug
Unary prefix operators should not be repeated
Bug
Non-existent operators like "=+" should not be used
Bug
"PreparedStatement" and "ResultSet" methods should be called with valid indices
Bug
Files opened in append mode should not be used with "ObjectOutputStream"
Bug
"read" and "readLine" return values should be used
Bug
"Math.abs" and negation should not be used on numbers that could be "MIN_VALUE"
Bug
The value returned from a stream read should be checked
Bug
Inappropriate regular expressions should not be used
Bug
"@NonNull" values should not be set to null
Bug
Conditionally executed code should be reachable
Bug
"notifyAll()" should be preferred over "notify()"
Bug
Blocks should be synchronized on "private final" fields
Bug
Non-serializable objects should not be stored in "javax.servlet.http.HttpSession" instances
Bug
Classes should not access their own subclasses during class initialization
Bug
"wait(...)" should be used instead of "Thread.sleep(...)" when a lock is held
Bug
Printf-style format strings should not lead to unexpected behavior at runtime
Bug
"Object.wait()", "Object.notify()" and "Object.notifyAll()" should only be called from synchronized code
Bug
"Iterator.next()" methods should throw "NoSuchElementException"
Bug
Null pointers should not be dereferenced
Bug
Loop conditions should be true at least once
Bug
A "for" loop update clause should move the counter in the right direction
Bug
Methods "wait(...)", "notify()" and "notifyAll()" should not be called on Thread instances
Bug
Methods with Spring proxying annotations should be public
Bug
Methods should not call same-class methods with incompatible "@Transactional" values
Bug
Servlets should not have mutable instance fields
Bug
"toString()" and "clone()" methods should not return null
Bug
Locks should be released on all paths
Bug
".equals()" should not be used to test the values of "Atomic" classes
Bug
Return values from functions without side effects should not be ignored
Bug
"compareTo" results should not be checked for specific values
Bug
Recursion should not be infinite
Bug
Loops should not be infinite
Bug
Math operands should be cast before assignment
Bug
Ints and longs should not be shifted by zero or more than their number of bits-1
Bug
Child class methods named for parent class methods should be overrides
Bug
Inappropriate "Collection" calls should not be made
Bug
Double-checked locking should not be used
Bug
"compareTo" should not return "Integer.MIN_VALUE"
Bug
Math should not be performed on floats
Bug
"equals" methods should be symmetric and work for subclasses
Bug
Unnecessary equality checks should not be made
Bug
Dissimilar primitive wrappers should not be used with the ternary operator without explicit casting
Bug
Unnecessary boxing and unboxing should be avoided
Bug
"runFinalizersOnExit" should not be called
Bug
"InterruptedException" and "ThreadDeath" should not be ignored
Bug
Classes that don't define "hashCode()" should not be used in hashes
Bug
Classes extending java.lang.Thread should provide a specific "run" behavior
Bug
"Double.longBitsToDouble" should take "long" as argument
Bug
Values should not be uselessly incremented
Bug
"ScheduledThreadPoolExecutor" should not have 0 core threads
Bug
String operations with predictable outcomes should be avoided
Bug
"Random" objects should be reused
Bug
"writeObject" argument must implement "Serializable"
Bug
"hashCode" and "toString" should not be called on array instances
Bug
Collections should not be passed as arguments to their own methods
Bug
"BigDecimal(double)" should not be used
Bug
Invalid "Date" values should not be used
Bug
Reflection should not be used to check non-runtime annotations
Bug
"equals(Object obj)" should test the argument's type
Bug
Resources should be closed
Bug
"Serializable" inner classes of non-serializable outer classes should be "static"
Bug
Custom serialization methods should have required signatures
Bug
"Externalizable" classes should have no-arguments constructors
Bug
The non-serializable super class of a "Serializable" class should have a no-argument constructor
Bug
Classes should not be compared by name
Bug
Related "if/else if" statements should not have the same condition
Bug
Synchronization should not be done on instances of value-based classes
Bug
"Iterator.hasNext()" should not call "Iterator.next()"
Bug
Identical expressions should not be used on both sides of a binary operator
Bug
Loops with at most one iteration should be refactored
Bug
Variables should not be self-assigned
Bug
"StringBuilder" and "StringBuffer" should not be instantiated with a character
Bug
Floating point numbers should not be tested for equality
Bug
Method parameters, caught exceptions and foreach variables' initial values should not be ignored
Bug
Methods should not be named "tostring", "hashcode" or "equal"
Bug
"Thread.run()" should not be called directly
Bug
"equals(Object obj)" and "hashCode()" should be overridden in pairs
Bug
"equals" method overrides should accept "Object" parameters
Bug
The signature of "finalize()" should match that of "Object.finalize()"
Bug
Jump statements should not occur in "finally" blocks
Bug
"super.finalize()" should be called at the end of "Object.finalize()" implementations
Bug
The "Object.finalize()" method should not be called
Bug

The value returned from a stream read should be checked

intentionality - complete

reliability

Bug

cert

Why is this an issue?

More Info

You cannot assume that any given stream reading call will fill the byte[] passed in to the method. Instead, you must check the value returned by the read method to see how many bytes were read. Fail to do so, and you introduce bug that is both harmful and difficult to reproduce.

Similarly, you cannot assume that InputStream.skip will actually skip the requested number of bytes, but must check the value returned from the method.

This rule raises an issue when an InputStream.read method that accepts a byte[] is called, but the return value is not checked, and when the return value of InputStream.skip is not checked. The rule also applies to InputStream child classes.

Noncompliant code example

public void doSomething(String fileName) {
  try {
    InputStream is = new InputStream(file);
    byte [] buffer = new byte[1000];
    is.read(buffer);  // Noncompliant
    // ...
  } catch (IOException e) { ... }
}

Compliant solution

public void doSomething(String fileName) {
  try {
    InputStream is = new InputStream(file);
    byte [] buffer = new byte[1000];
    int count = 0;
    while (count = is.read(buffer) > 0) {
      // ...
    }
  } catch (IOException e) { ... }
}

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

Available Since
9.1

Analyze code in your
on-premise CI

Developer Edition
Available Since
9.1

In-IDE

SaaS

Self-Hosted