463 Rules
| ID | Name | Severity |
|---|---|---|
| 2230 | DEPRECATED: Use of style sheets (JEE) | medium |
| 2232 | Pages should use error handling page | medium |
| 2236 | DEPRECATED: Avoid use of standard SQL API | medium |
| 2238 | Avoid unreferenced JSP pages | medium |
| 2242 | DEPRECATED: Avoid direct definition of JavaScript Functions in a Web page (JEE) | medium |
| 2244 | DEPRECATED: Avoid undocumented Web Server Pages | medium |
| 2248 | DEPRECATED: Avoid Web Server pages having a very low Comment/Code ratio | medium |
| 2254 | DEPRECATED: Avoid large Page files (JEE) | medium |
| 2258 | DEPRECATED: All image files should be in a specific directory | medium |
| 2260 | DEPRECATED: All script files should be in a specific directory | medium |
| 2262 | DEPRECATED: All cascading style sheet files should be in a specific directory | medium |
| 2264 | DEPRECATED: All page files should be in a specific directory | medium |
| 2266 | DEPRECATED: Avoid non standard file extensions (JEE) | medium |
| 2278 | DEPRECATED: Check the use of "foreach" custom tag library | medium |
| 2280 | DEPRECATED: Avoid using Document.all collection | medium |
| 2282 | DEPRECATED: Avoid large Include Files | medium |
| 2284 | DEPRECATED: Avoid large JSP Pages - too many Scriptlets | medium |
| 4554 | Avoid large Classes - too many Methods (JEE) | medium |
| 4556 | Avoid large Classes - too many Constructors (JEE) | medium |
| 4558 | Avoid large Classes - too many Fields | medium |
| 4560 | Avoid large Interfaces - too many Methods (JEE) | medium |
| 4566 | Avoid declaring Instance Variables without defined access type | medium |
| 4568 | DEPRECATED: Avoid declaring Public Instance Variables | high |
| 4570 | Avoid declaring Non Final Class Variables with Public, Protected or Package access type | medium |
| 4572 | DEPRECATED: Avoid declaring Final Instance Variables that are not initialized | medium |
| 4574 | DEPRECATED: Avoid using deprecated objects | medium |
| 4576 | DEPRECATED: Provide accessors to Private Fields | medium |
| 4578 | Collection interfaces should be used as method return types instead of their implementation classes | medium |
| 4580 | Collection declarations should use interfaces instead of implementation classes | medium |
| 4592 | Avoid hiding static Methods | high |
| 4594 | Avoid using 'java.io.File' | medium |
| 4596 | Avoid using 'java.lang.System.getenv()' | medium |
| 4598 | Avoid using 'java.lang.Runtime.exec()' | high |
| 4600 | Avoid using Exit and Halt Methods on a Web/Application Server | high |
| 4602 | Avoid using Fields (non static final) from other Classes | high |
| 4604 | Avoid using 'java.lang.Error' | medium |
| 4606 | Avoid using 'sun.*' Classes | medium |
| 4610 | Avoid using anonymous Classes | medium |
| 4612 | Avoid using native Methods (JNI) | medium |
| 4614 | DEPRECATED: Proper overriding of 'clone()' | high |
| 4616 | 'super.finalize()' should be invoked when overriding finalize() method | high |
| 4618 | Avoid instantiating a Boolean object | medium |
| 4652 | Avoid direct Class inheritance from java.lang.Throwable | medium |
| 4656 | Avoid declaring an exception in the method signature and not throwing it | medium |
| 4666 | Classes and Interfaces must have JavaDoc Comments | medium |
| 4668 | DEPRECATED: Classes and Interfaces must have JavaDoc @author tag | medium |
| 4670 | Public Methods must have JavaDoc comments | medium |
| 4672 | Public Methods must have appropriate JavaDoc @param tags | medium |
| 4674 | Public Methods must have appropriate JavaDoc @return tags | medium |
| 4676 | Public Methods must have appropriate JavaDoc @throws/@exception tags | medium |
| 4678 | DEPRECATED: Public Methods must have appropriate JavaDoc @exception tags | medium |
| 4680 | Public Fields must have JavaDoc Comments | medium |
| 4694 | Avoid using 'System.gc' and 'Runtime.gc' | high |
| 4696 | DEPRECATED: Avoid using 'System.err' and 'System.out' within a try catch block | medium |
| 4698 | DEPRECATED: Avoid using 'System.err' and 'System.out' outside a try catch block | medium |
| 4702 | Avoid using 'Throwable.printStackTrace()' with no argument | medium |
| 4704 | Avoid using Vector | medium |
| 4706 | Avoid using Hashtable | medium |
| 4708 | Avoid using Dynamic Instantiation | medium |
| 4712 | Avoid inheritance down the Package path | medium |
| 4716 | Avoid Classes implementing too many Interfaces (JEE) | medium |
| 4718 | Avoid having package without enough Classes/Interfaces | medium |
| 4722 | DEPRECATED: Avoid having classes referencing Database objects | medium |
| 4730 | Package naming convention - case control | medium |
| 4732 | Interface naming convention - case control | medium |
| 4734 | Class naming convention - case control (JEE) | medium |
| 4736 | Method naming convention - case control (JEE) | medium |
| 4738 | Constant naming convention - case control (JEE) | medium |
| 4740 | Field naming convention - case control | medium |
| 4744 | DEPRECATED: EJB Entity access through their local Interface | high |
| 4746 | DEPRECATED: EJB Session access through their local Interface | high |
| 7132 | DEPRECATED: Struts action Mappings should have few forwards | medium |
| 7134 | DEPRECATED: Avoid having Struts local forward with same name as Struts global forward | medium |
| 7136 | DEPRECATED: Each method in an Action Class should have a small complexity | medium |
| 7138 | DEPRECATED: Action Classes should only be called by Action Mappings tag (for Struts 1.x) or Action tag (for Struts 2.x) | medium |
| 7140 | Struts Action artifacts should not directly call a JSP page | medium |
| 7142 | DEPRECATED: Action Classes should have only one public method | medium |
| 7144 | DEPRECATED: Avoid using database objects from Struts Action Artifacts | high |
| 7146 | Always have JSP pages referencing Java Objects associated to JEE Scoped Bean | medium |
| 7148 | DEPRECATED: JSP pages should always be accessed through their tiles definition | medium |
| 7150 | Favor PreparedStatement or CallableStatement over Statement | medium |
| 7152 | Avoid Fields in Servlet Classes that are not final static | high |
| 7154 | Struts1: Avoid Struts Fields in Action Classes that are not final static | high |
| 7188 | DEPRECATED: Private fields must have JavaDoc Comments | medium |
| 7190 | Struts1: Validate() Method of Struts Validator form must call super.validate() | high |
| 7192 | Avoid using Struts Form that cannot extend Validator Class | medium |
| 7196 | Avoid large number of String concatenation (JEE) | medium |
| 7200 | Avoid String concatenation in loops | medium |
| 7202 | Avoid using '==' and '!=' to compare objects | high |
| 7206 | Avoid the use of Instanceof inside loops | medium |
| 7210 | Avoid instantiations inside loops | high |
| 7220 | DEPRECATED: Avoid Unused Imports | medium |
| 7238 | Avoid calls between JSP Page for application using Struts framework | medium |
| 7240 | DEPRECATED: Struts Action Classes should only call Business Classes | medium |
| 7242 | Struts1: Avoid implementing Action Classes inheriting directly from Struts Action | medium |
| 7246 | Avoid Packages with High Efferent Coupling (CE) | medium |
| 7248 | Avoid Packages with High Afferent Coupling (CA) | medium |
| 7250 | Avoid String initialization with String object (created using the 'new' keyword) | medium |
| 7252 | Call 'super.finalize()' in the "finally" block of 'finalize()' methods | medium |
| 7254 | Declare as Static all methods not using instance members | medium |
| 7256 | Provide a private default Constructor for utility Classes | medium |
| 7292 | Avoid cyclical calls and inheritances between packages | medium |
| 7306 | DEPRECATED: Avoid declaring Inner Classes | medium |
| 7308 | DEPRECATED: Avoid using Inner Classes | medium |
| 7362 | DEPRECATED: Avoid Struts action mappings validator turned off | high |
| 7372 | Struts 1: Enable Struts Validator plugin | high |
| 7378 | Avoid including JavaScript Files | medium |
| 7380 | Struts 1: Avoid unused validation form | medium |
| 7382 | Struts1: Avoid Struts Validator field without Form Field | medium |
| 7416 | Struts1: Avoid Action Form Field without Validator | high |
| 7434 | Ensure to override both equals() and hashCode() | high |
| 7438 | Avoid non thread safe singleton | high |
| 7440 | Avoid having suspicious similar method names or signatures in an inheritance tree | high |
| 7442 | Avoid using keyword 'this' within Constructor in multi-thread environment | high |
| 7444 | Avoid Using Non-Serialized Beans with Session Scope | medium |
| 7446 | Avoid double checked locking for JSE 4.x and previous version | high |
| 7488 | DEPRECATED: Lazy fetching should be used for Hibernate collection | high |
| 7490 | DEPRECATED: Avoid UPDATE trigger firing when not necessary | high |
| 7492 | DEPRECATED: Avoid Hibernate and JPA Entities using many-to-many association | medium |
| 7494 | Persistent class method's equals() and hashCode() must access its fields through getter methods | high |
| 7496 | DEPRECATED: Use table-per-subclass strategy when subclasses have many properties | medium |
| 7498 | DEPRECATED: Avoid Incorrect implementation of getters and setters for Collection Type | medium |
| 7500 | DEPRECATED: Use table-per-class-hierarchy when subclasses have few properties | medium |
| 7502 | DEPRECATED: Never use an array to map Hibernate collection | high |
| 7504 | Persistent classes should Implement hashCode() and equals() | high |
| 7506 | equals() and hashCode() should be defined for Hibernate/JPA component | high |
| 7508 | DEPRECATED: Getter of collection-typed persistent attributes should return the correct interface type | medium |
| 7510 | DEPRECATED: Use only Hibernate API to access to the database | medium |
| 7556 | Avoid instanceof in Methods that override or implement Object.equals(), Comparable.compareTo() | medium |
| 7562 | Avoid static Field of type collection | medium |
| 7634 | DEPRECATED: Avoid Hibernate Entity with 'select-before-update' set to true if not associated to table that fires an UPDATE trigger | high |
| 7636 | DEPRECATED: Prefer using version number instead of timestamp for Hibernate Entity | medium |
| 7638 | Avoid directly managing the connection to the database by using DriverManager | medium |
| 7640 | Avoid using catch blocks with assertion | medium |
| 7648 | Avoid an explicit call to finalize() | medium |
| 7650 | All types of a serializable Class must be serializable | medium |
| 7652 | Avoid throwing an exception in a catch block without chaining it | medium |
| 7654 | DEPRECATED: Avoid database tables associated to more than one Hibernate Entity | medium |
| 7668 | DEPRECATED: Avoid using DOM parser for large or medium sized XML file parsing | medium |
| 7676 | DEPRECATED: Avoid too many packages referencing Mainframe | medium |
| 7678 | Avoid logging using basic java log files | medium |
| 7682 | Avoid having Hibernate domain model depending on other Java APIs | medium |
| 7700 | Struts1: Only Struts HTTP Servlet should be used for Struts based application | medium |
| 7702 | Hibernate-provided implementations from third parties should be used for connection pool | medium |
| 7704 | All static fields in the enterprise bean class should be declared as final | medium |
| 7706 | DEPRECATED: Avoid table and column names that are too long (portability) | medium |
| 7708 | DEPRECATED: Avoid using session.setFlushMode(FlushMode.COMMIT, FlushMode.NEVER or FlushMode.MANUAL) | medium |
| 7710 | DEPRECATED: Avoid non serializable Entity beans | medium |
| 7712 | DEPRECATED: Avoid public/protected setter for the generated identifier field | medium |
| 7714 | Avoid using auto-wiring | medium |
| 7716 | Avoid defining singleton or factory classes when using Spring | medium |
| 7720 | DEPRECATED: Avoid too many EJB beans | medium |
| 7722 | Avoid using persistent class's identifier in equals() method | high |
| 7724 | Overridden equals() Methods in persistent Subclasses should only reference properties from the persistent base Class | high |
| 7726 | Avoid Struts Action Classes that call packages having direct access to database | medium |
| 7728 | Avoid thread creation for application running on application server | critical |
| 7730 | Always use declarative transaction | medium |
| 7732 | Avoid non validated inputs in JSP files that use JSF | high |
| 7734 | Avoid using debug() method without calling isDebugEnabled() method | medium |
| 7740 | Avoid HTTP response splitting | critical |
| 7742 | Avoid SQL injection | critical |
| 7746 | Avoid LDAP injection | critical |
| 7748 | Avoid OS command injection | critical |
| 7750 | Avoid XPath injection | critical |
| 7752 | Avoid file path manipulation | high |
| 7766 | Avoid Artifacts with High Cyclomatic Complexity | medium |
| 7768 | Avoid Artifacts with High Depth of Code | medium |
| 7770 | Avoid Artifacts with too many parameters | medium |
| 7772 | Avoid Artifacts with High Essential Complexity | medium |
| 7774 | Avoid Artifacts with High Integration Complexity | medium |
| 7776 | Avoid Artifacts with High Fan-In | medium |
| 7778 | Avoid Artifacts with High Fan-Out | medium |
| 7780 | Avoid Classes with a very low comment/code ratio | medium |
| 7782 | Avoid empty finally blocks | medium |
| 7784 | Avoid Artifacts with lines longer than X characters | medium |
| 7788 | Avoid empty catch blocks | high |
| 7792 | Avoid Classes with a High Number Of Children | medium |
| 7794 | Avoid Classes with a High Public Data Ratio | medium |
| 7796 | Avoid Classes with a High Lack of Cohesion - variant | medium |
| 7798 | Avoid Classes with a High Lack of Cohesion | medium |
| 7800 | Avoid Classes with High Coupling Between Objects | medium |
| 7802 | Avoid Classes with a High Depth of Inheritance Tree | medium |
| 7804 | Avoid Classes with High Weighted Methods per Class | medium |
| 7806 | Avoid Artifacts with Group By | medium |
| 7808 | Avoid Artifacts with SQL statement including subqueries | medium |
| 7810 | Avoid Artifacts with a Complex SELECT Clause | medium |
| 7818 | Avoid Functions having a very low Comment/Code ratio | medium |
| 7822 | Avoid Artifacts with queries on more than 4 Tables | medium |
| 7824 | Avoid directly throwing instance of Exception class | high |
| 7828 | Avoid Artifacts with High RAW SQL Complexity | medium |
| 7830 | Avoid unreferenced Interfaces | medium |
| 7834 | Avoid undocumented Interfaces | medium |
| 7836 | Avoid undocumented Functions | medium |
| 7838 | Avoid undocumented Methods | medium |
| 7842 | Avoid large Artifacts - too many Lines of Code | medium |
| 7844 | Avoid undocumented Classes | medium |
| 7846 | Avoid Methods with a very low comment/code ratio | medium |
| 7860 | Avoid unreferenced Functions and Procedures | medium |
| 7862 | Avoid catching an exception of type Exception, RuntimeException, or Throwable | medium |
| 7908 | Avoid unreferenced Methods | medium |
| 7910 | Never exit a finally block with a return, break, continue, or throw statement | high |
| 7912 | Avoid unreferenced Data Members | medium |
| 7914 | Avoid direct access to Database Tables | medium |
| 7916 | Avoid direct use of Database objects (JSP/ASP) | medium |
| 7934 | Avoid Superclass (or Interface) knowing Subclass (or Interface) | medium |
| 7936 | DEPRECATED: Avoid using finalize() | high |
| 7940 | Avoid accumulating Stateful Beans | high |
| 7942 | Avoid EJBs using 'synchronized' qualifier, 'wait', 'notify' and 'notifyAll' Methods | medium |
| 7944 | Avoid High Response for Classes | medium |
| 7954 | Avoid indirect String concatenation inside loops | high |
| 7956 | DEPRECATED: Avoid indirect exception handling inside loops | medium |
| 7962 | Avoid direct or indirect remote calls inside a loop | critical |
| 7964 | Avoid directly instantiating a Class used as a managed bean | high |
| 8016 | Avoid unrestricted access to EJB remote methods | high |
| 8022 | Avoid hiding attributes | medium |
| 8028 | Avoid missing default in switch statements | medium |
| 8032 | Avoid using break statement in FOR loops | medium |
| 8038 | Struts 2: Avoid Struts Validator field without Form Field | medium |
| 8040 | Struts 2: Avoid Action Fields without Validation | high |
| 8042 | Struts 2: Avoid unused validation form | medium |
| 8044 | Avoid log forging | high |
| 8096 | Avoid testing floating point numbers for equality | high |
| 8098 | Avoid uncontrolled format string | critical |
| 8100 | Blocking synchronous calls should have associated timeouts | medium |
| 8102 | Avoid hard-coded network resource names (JEE) | high |
| 8104 | Avoid missing release of SQL connection after an effective lifetime (JEE) | critical |
| 8108 | Avoid missing release of stream connection after an effective lifetime | critical |
| 8110 | Avoid not using dedicated stored procedures when processing multiple data accesses | high |
| 8112 | Avoid improper processing of the execution status of data handling operations | high |
| 8136 | CDI Beans with normal scope must be proxyable to avoid runtime errors | high |
| 8214 | Avoid operating on resource after expiration or release | high |
| 8216 | Avoid using incompatible mutation | high |
| 8218 | DEPRECATED: Content type should be checked when receiving an HTTP POST | critical |
| 8220 | Avoid using deprecated method, constructor, field, type or package | medium |
| 8222 | Avoid hard-coded credentials | critical |
| 8238 | Avoid mixing trusted and untrusted data in HTTP requests | high |
| 8240 | Avoid using unsecured cookie | critical |
| 8242 | Avoid using insufficient random values for cookies | high |
| 8408 | Avoid reflected cross-site scripting (non persistent) | critical |
| 8410 | Avoid cross-site scripting (persistent) | critical |
| 8414 | Avoid weak cryptographic algorithm | high |
| 8416 | Avoid use of a reversible one-way hash | high |
| 8418 | Avoid NoSQL injection | critical |
| 8420 | Avoid second order SQL injection | critical |
| 8424 | Avoid hard-coded HMAC and cryptographic key | critical |
| 8434 | Avoid process control | critical |
| 8436 | Avoid thread injection | critical |
| 8438 | Avoid code injection | critical |
| 8440 | Avoid reflection injection | critical |
| 8442 | Avoid resource injection | critical |
| 8444 | Avoid resource URL manipulation | critical |
| 8446 | Avoid URL redirection to untrusted site | critical |
| 8482 | Avoid cross-site scripting through API requests | critical |
| 8484 | Avoid HTTP response splitting through API requests | critical |
| 8486 | Avoid resource injection through API requests | critical |
| 8488 | Avoid resource URL manipulation through API requests | critical |
| 8490 | Avoid SQL injection through API requests | critical |
| 8492 | Avoid LDAP injection through API requests | critical |
| 8494 | Avoid OS command injection through API requests | critical |
| 8496 | Avoid process control through API requests | critical |
| 8498 | Avoid thread injection through API requests | critical |
| 8500 | Avoid code injection through API requests | critical |
| 8502 | Avoid reflection injection through API requests | critical |
| 8504 | Avoid XPath injection through API requests | critical |
| 8506 | Avoid file path manipulation through API requests | critical |
| 8508 | Avoid log forging through API requests | high |
| 8510 | Avoid uncontrolled format string through API requests | critical |
| 8512 | Avoid mixing trusted and untrusted data in HTTP requests through API requests | critical |
| 8514 | Avoid NoSQL injection through API requests | critical |
| 8516 | Avoid URL redirection to untrusted site through API requests | critical |
| 8518 | Avoid regular expression injection | critical |
| 8520 | Avoid second order regular expression injection | critical |
| 8522 | Avoid regular expression injection through API requests | critical |
| 8524 | Avoid deserialization injection | critical |
| 8526 | Avoid second order deserialization injection | critical |
| 8528 | Avoid deserialization injection through API requests | critical |
| 8530 | Avoid XQuery injection | critical |
| 8532 | Avoid second order XQuery injection | critical |
| 8534 | Avoid XQuery injection through API requests | critical |
| 8536 | Avoid expression language injection | critical |
| 8538 | Avoid second order expression language injection | critical |
| 8540 | Avoid expression language injection through API requests | critical |
| 8542 | Avoid debug forging | medium |
| 8544 | Avoid debug forging through API requests | medium |
| 8554 | Avoid using insufficient random generator | critical |
| 8560 | Avoid server-side request forgery | critical |
| 8562 | Avoid server-side request forgery through API requests | critical |
| 8564 | Avoid second order server-side request forgery | critical |
| 1022000 | DEPRECATED: Avoid weak encryption algorithm such as DES and triple DES | high |
| 1022002 | Avoid using RSA Cryptographic algorithms without OAEP (Optimal Asymmetric Encryption Padding) | high |
| 1024000 | Avoid using AbsoluteLayout | medium |
| 1024002 | Always have read permission to read data of Content Provider | high |
| 1024004 | Always have write permission to write data of Content Provider | high |
| 1024006 | Always limit the accessibility of your app's Content Provider | high |
| 1024008 | Always use onActivityResult to pass the login results when using Facebook SDK | high |
| 1024010 | Avoid applying dangerous protection level for signature-based permissions | critical |
| 1024012 | Avoid setting android:grantUriPermissions as True | medium |
| 1024014 | Always set permission for securing Receivers | high |
| 1024016 | Always provide permission for securing Services | high |
| 1024018 | Always provide a permission to secure Activities | high |
| 1024020 | Avoid using implicit intent | high |
| 1024022 | Always release Media Resources | medium |
| 1024024 | Always use HTTPS traffic to particular domains | high |
| 1024026 | Avoid using MODE_WORLD_READABLE and MODE_WORLD_WRITEABLE | medium |
| 1024028 | Avoid using "Android Protected Confirmation" without User Confirmation | high |
| 1024030 | Avoid using FingerprintManager as biometric API | critical |
| 1024032 | Always manage the BiometricPrompt onAuthenticationFailed method | high |
| 1024034 | Always check all the BiometricPrompt error options in the onAuthenticationError method | high |
| 1024036 | Always check all the BiometricPrompt acquired options in the onAuthenticationSucceeded method | high |
| 1024038 | Avoid processing Google Sign In Client without catching error | medium |
| 1024040 | Always activate unlockedDeviceRequired to avoid data decryption when device is locked | high |
| 1024042 | Avoid using weak encryption algorithm (Android) | critical |
| 1024044 | Always check the device supports Biometric capability before using BiometricPrompt API | high |
| 1025000 | Avoid second order OS command injection | critical |
| 1025002 | Avoid second order XPath injection | critical |
| 1025004 | Avoid second order URL redirection to untrusted site | critical |
| 1025010 | Avoid second order LDAP injection | critical |
| 1025016 | Avoid using cookie without the HttpOnly flag | critical |
| 1025018 | Avoid cookie injection | critical |
| 1025020 | Avoid data filter injection | critical |
| 1025022 | Avoid data filter injection through API requests | critical |
| 1025024 | Avoid disabling the expiration time validation of a JWT token | critical |
| 1025026 | Avoid disabling the expiration time requirement of a JWT token | critical |
| 1025028 | Avoid disabling the signature requirement of a JWT token | critical |
| 1025030 | Avoid hard-coded JWT secret keys | critical |
| 1025032 | Avoid insecure parameters for PBKDF2 password encoder | critical |
| 1025034 | Avoid insecure parameters for BCrypt password encoder | critical |
| 1025036 | Avoid insecure parameters for Argon2 password encoder | critical |
| 1025038 | Avoid insecure parameters for SCrypt password encoder | critical |
| 1025040 | Avoid external control of system or configuration setting | critical |
| 1025042 | Avoid external control of system or configuration setting through API requests | critical |
| 1025044 | Avoid MVC injection | critical |
| 1025046 | Avoid MVC injection through API requests | critical |
| 1025048 | Avoid hard-coded password in connection string | critical |
| 1025050 | Avoid dangerous file inclusion | critical |
| 1025052 | Avoid using unnormalized input strings | critical |
| 1025054 | Avoid plaintext storage of password | critical |
| 1025056 | Avoid running SQL queries inside a loop | critical |
| 1025058 | Avoid numeric user inputs in SQL queries | critical |
| 1025060 | Avoid second order numeric user inputs in SQL queries | critical |
| 1025062 | Avoid numeric user inputs in SQL queries through API requests | critical |
| 1025064 | Avoid weak encoding for password | high |
| 1039002 | Avoid using deprecated SSL protocols to secure connection | high |
| 1039004 | Avoid using HttpServletRequest.getRequestedSessionId() | critical |
| 1039006 | Avoid using predictable SecureRandom Seeds | high |
| 1039008 | Avoid thrown Exceptions in servlet methods | high |
| 1039010 | Avoid using risky cryptographic hash (JEE) | critical |
| 1039012 | Avoid using referer header field in HTTP request | critical |
| 1039014 | Avoid using Cipher with no HMAC to ensure data integrity | high |
| 1039018 | Avoid using cryptography hash with hard-coded salt | high |
| 1039020 | Avoid using javax.crypto.NullCipher | high |
| 1039022 | Avoid using Insecure PBE Iteration Count | high |
| 1039024 | Avoid using unsecured cookie (JEE) | high |
| 1039026 | Avoid creating cookie without setting httpOnly option (JEE) | high |
| 1039028 | Avoid weak encryption providing insufficient key size (JEE) | high |
| 1039030 | Avoid using DefaultHttpClient constructor | high |
| 1039032 | Avoid using DocumentBuilder without restriction of XML External Entity Reference (XXE) | high |
| 1039034 | Avoid using SAXParserFactory without restriction of XML External Entity Reference (XXE) | high |
| 1039036 | Avoid using XMLReader without restriction of XML External Entity Reference (XXE) | high |
| 1039038 | Avoid using XPathFactory without restriction of XML External Entity Reference (XXE) | high |
| 1039040 | Avoid using XMLInputFactory without restriction of XML External Entity Reference (XXE) | high |
| 1039044 | Avoid usage of BannedAPI when using ESAPI library | medium |
| 1039046 | Always use {@code} to wrap code statements or values such as null | medium |
| 1039050 | Add @Override on methods overriding or implementing a method declared in a super type | medium |
| 1039052 | Avoid Http Session without expiration | critical |
| 1039056 | Avoid insecure use of YAML deserialization when using SnakeYaml (JEE) | high |
| 1039062 | Always implement readObject() to prevent untrusted deserialization when loading from ObjectInputStream | high |
| 1039064 | Avoid having cookie with an overly broad domain (JEE) | high |
| 1039066 | Avoid creating cookie with an overly broad path (JEE) | high |
| 1039068 | Avoid using the Non-Serializable Object Stored in Session | high |
| 1039070 | Avoid using URL.equals(Object obj) or URL.hashCode() | high |
| 1039072 | Avoid using jYAML to deserialize YAML (JEE) | high |
| 1039074 | Avoid using Apache ActiveMQ 5.x before 5.13.0 | critical |
| 1039076 | Avoid using HttpURLConnection with HTTP protocol | high |
| 1039078 | Avoid using SchemaFactory without restriction of XML External Entity Reference (XXE) | high |
| 1039080 | Avoid using TransformerFactory without restriction of XML External Entity Reference (XXE) | high |
| 1039082 | Avoid using SAXTransformerFactory without restriction of XML External Entity Reference (XXE) | high |
| 1039084 | Avoid using SAXBuilder without restriction of XML External Entity Reference (XXE) | high |
| 1039086 | Avoid using DOMParser without restriction of XML External Entity Reference (XXE) | high |
| 1039088 | Avoid using Validator without restriction of XML External Entity Reference (XXE) | high |
| 1039090 | Avoid using java.beans.XMLDecoder (XXE) | high |
| 1039092 | Avoid using JAXB Unmarshaller without a configurable secure parser (XXE) | high |
| 1039094 | Avoid using XPathExpression without a configurable secure parser (XXE) | high |
| 1039096 | Ensure httpOnly option is enabled when creating session (JEE) | high |
| 1039098 | Ensure secure option is enabled when creating session (JEE) | high |
| 1039100 | Avoid creating cookie without setting SameSite option (JEE) | critical |
| 1039102 | Ensure SameSite option is enabled when creating session (JEE) | critical |
| 1039104 | Avoid creation of temporary file with insecure permissions (JEE) | high |
| 1039106 | Avoid disabling the automatic HTML escaping for Spring | high |
| 1039108 | Avoid leaving temporary files in directory (JEE) | high |
| 1039110 | Ensure initializing cryptographic key generators (JEE) | high |
| 1039112 | Avoid mutable fields inside a class with JCIP @Immutable annotation | high |
| 1039114 | Avoid predictable initialization vector (JEE) | high |
| 1039116 | Ensure setting origins when using @CrossOrigin Spring annotation | high |
| 1039118 | Avoid enabling directory listing (JEE) | high |
| 1039120 | Avoid weak password requirements (JEE) | high |
| 1040002 | Avoid disabling CSRF Protection (Spring Security) | critical |
| 1040006 | Always set Content-Security-Policy for Spring application | high |
| 1040008 | Ensure declaring formLogin after requesting authorization and authentication | high |
| 1040010 | Always delete the cookies during the logout (Spring) | high |
| 1040012 | HTTP user session must be invalidated during logout | critical |
| 1040014 | Avoid using Spring Security's debug mode | medium |
| 1040016 | PermitAll or user role should be specified to access URL(s) of the application | high |
| 1040018 | Ensure the X-Frame-Options header is set up (Spring) | high |
| 1040024 | Spring Boot Shutdown Actuator Endpoint must be secured from unauthenticated access | high |
| 1040026 | Avoid not providing an explicit HTTP method in @RequestMapping methods | critical |
| 1040030 | Avoid Using Generic Authentication Exception Class | medium |
| 1040032 | Avoid Using ControllerAdvice And HandlerExceptionResolver simultaneously | medium |
| 1040034 | StrictHttpFirewall should be set as Http Firewall before Spring Security 5.0.1, 4.2.4, and 4.1.5 | critical |
| 1040036 | Avoid using STOMP Spring messaging module before Spring 5.0.5 and 4.3.16 | critical |
| 1040038 | Avoid using Spring Security Path Matching Inconsistency before Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x | medium |
| 1040042 | Avoid using Spring Security in combination with Spring Framework 5.0.5 | high |
| 1040044 | Avoid using UnZipTransformer of spring-integration-zip prior to version 1.0.1 | high |
| 1040046 | Avoid weak encryption algorithm (Spring) | critical |
| 1040048 | Avoid unsafe object binding (Spring) | high |
| 1042004 | Avoid Duplicate Struts validation forms with the same name | medium |
| 1042008 | Avoid using ActionForward with untrusted data source to prevent file path disclosure | high |
| 1042010 | Avoid using ParametersInterceptor with class parameter for Struts 2.3.16 (and older) | critical |
| 1042012 | Avoid Unused Validation Form in Struts 1.x | medium |
| 1042016 | Avoid Struts action Mapping with disabled validator | high |
| 1042018 | Avoid Missing Form Bean in Struts 1.x | medium |
| 1042022 | Avoid using CookieInterceptor with Struts 2.3.16 (and older) | critical |
| 1042024 | Avoid Unescaped User-controlled Input attribute in Struts 1.x and 2.x | critical |
| 1042026 | Avoid Action Mapping based on wildcards with Struts 2.3.14.2 and older | critical |
| 1042028 | Avoid activating alwaysSelectFullNamespace when actions are configured without namespace or with a wildcard namespace for Struts pre 2.3.34 and pre 2.5.1 | critical |
| 1042030 | Avoid using Default exclude patterns (excludeParams) for Struts 2.3.20 (and older) | critical |
| 1042036 | Avoid Long request parameter names in Struts 2.0.0 - Struts 2.3.4 | critical |
| 1042040 | Avoid using Struts URLValidator with version before 2.5.13 | critical |
| 1042042 | Avoid using Rest Plugin with XStream handler to deserialise XML requests in Struts 2.1.2 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12 | critical |
| 1042046 | Avoid Using Dynamic Method Invocation for Apache Struts 2.x | critical |
| 1042050 | Avoid using special top object in Struts 2.0.0 - Struts 2.3.24 | critical |
| 1042052 | Avoid using JSON-lib library for Rest Plugin of Struts 2.5 to 2.5.14 | critical |
| 1045000 | Lazy fetching should be used for Hibernate collection | high |
| 1045002 | Avoid Hibernate Entity with 'select-before-update' set to true if not associated to table that fires an UPDATE trigger | high |
| 1045004 | Avoid UPDATE trigger firing when not necessary | high |
| 1045006 | Never use an array to map Hibernate collection | high |
| 1045008 | Avoid non serializable Entity beans | medium |
| 1045010 | Prefer using version number instead of timestamp for Hibernate Entity | medium |
| 1045012 | Avoid public/protected setter for the generated identifier field | medium |
| 1045300 | Prefer using column index over column label for ResultSet getters parameter | medium |
| 1045302 | Ensure specifying fetch size for large queries | medium |
| 1045304 | Avoid calling JDBC DatabaseMetaData costly methods | medium |
| 1060004 | Avoid Empty Finally Block When Calling Resource | high |
| 1060018 | Avoid String concatenation in loops for artifacts with high fan-in | high |
| 1060020 | Avoid empty catch blocks for methods with high fan-in | critical |
| 1060022 | Avoid too many SQL calls for methods with high fan-in | critical |
| 1060104 | Review APIs returning sensitive data fields | medium |
| 1060106 | Avoid using generic methods such as 'ToJson' or 'ToString' to save sensitive or PII data | medium |
| 1060108 | Avoid data fields bound to columns to return sensitive data via APIs | medium |
| 1060110 | Avoid filtering sensitive data using front-end | medium |
| 1060112 | Review APIs not accessed by frontend functions | medium |
| 1060114 | Always enable authorization checks at function level for functions called by APIs in Spring applications | high |
| 1060116 | Always avoid HTTP redirects to unknown or untrusted URLs | medium |
| 1101036 | Use ANSI standard operators in SQL WHERE clauses | medium |
| 1101916 | When using compound indexes, avoid having different index ordering in collection access | medium |
| 1101920 | Avoid using explain() in production code (JEE) | medium |
| 1101922 | Avoid having multiple Artifacts updating data on the same NoSQL Collection (JEE) | medium |
| 1101924 | Avoid having multiple Artifacts inserting data on the same NoSQL Collection (JEE) | medium |
| 1101926 | Avoid having multiple artifacts deleting data on the same NoSQL collections (JEE) | medium |
| 1677000 | Avoid string interpolations to prevent SQL injections (MyBatis/iBatis) | critical |
| 2121002 | Always enable authorization checks at function level for functions called by APIs in Spring applications | high |
| 2121010 | Avoid filtering sensitive data using Web Front-end | medium |
| 2121112 | Ensure Back-end REST APIs are all accessed by Front-end Web App functions | medium |
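Several rows above (1039032, 1039034, 1039040, 1039080 and their siblings) say "without restriction of XML External Entity Reference (XXE)" without showing what the restriction looks like in code. The following is an added example, written for this page and not taken from CAST or from any project the rules cover; it shows the JAXP factory settings a reviewer would look for when checking whether one of those rules is actually satisfied. The sample XXE payload is constructed for the demo; the feature URIs are the standard Xerces/SAX ones that the JDK's built-in parser honours.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.transform.TransformerFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Added example: JAXP factories configured so that DOCTYPE/external entities are refused. */
public final class XxeHardening {

    // Constructed sample input for the demo: a classic external-entity payload.
    static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE x [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n"
      + "<x>&xxe;</x>";

    /** Rule 1039032: DocumentBuilder with external entity resolution switched off. */
    public static DocumentBuilderFactory hardenedDocumentBuilderFactory()
            throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Refusing any DOCTYPE is the single most robust setting: no DTD, no entities.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that accept DOCTYPE but honour these flags.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Rule 1039034: SAXParserFactory with the same restrictions. */
    public static SAXParserFactory hardenedSaxParserFactory()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setXIncludeAware(false);
        return spf;
    }

    /** Rule 1039040: StAX has no "disallow DOCTYPE" feature, so DTD support itself is disabled. */
    public static XMLInputFactory hardenedXmlInputFactory() {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return xif;
    }

    /** Rule 1039080: TransformerFactory must not fetch external DTDs or stylesheets. */
    public static TransformerFactory hardenedTransformerFactory() {
        TransformerFactory tf = TransformerFactory.newInstance();
        // An empty string means "no protocol allowed" for these JAXP 1.5 properties.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Demo: the hardened DOM parser rejects the payload before any entity is resolved. */
    public static void main(String[] args) throws Exception {
        try {
            hardenedDocumentBuilderFactory().newDocumentBuilder()
                .parse(new InputSource(new StringReader(XXE_PAYLOAD)));
            System.out.println("UNEXPECTED: payload was parsed");
        } catch (SAXException expected) {
            // disallow-doctype-decl makes the parser fail on the DOCTYPE line itself.
            System.out.println("rejected as expected: " + expected.getMessage());
        }
    }
}
```

The same `ACCESS_EXTERNAL_DTD` / `ACCESS_EXTERNAL_SCHEMA` properties apply to `SchemaFactory` (rule 1039078) through `setProperty`. When reviewing code against these rules, check that the hardened factory is the one actually used to parse untrusted input: a correctly configured factory that is never called, or a second `newInstance()` created inline at the parse site, still leaves the finding open.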