Java detectors

Showing all detectors for the Java language.

Browse by tags
Browse all detectors by tags.
Browse by severity
Browse all detectors by severity.
Browse by category
Browse all detectors by category.

Browse all detectors

Cross-site scripting

Relying on potentially untrusted user inputs when constructing web application outputs can lead to cross-site scripting vulnerabilities.

Unauthenticated LDAP requests

Unauthenticated LDAP requests can allow untrusted access to LDAP servers.

Incorrect string equality operator

Use equals(), not ==, when checking if two strings are equal.

Mutually exclusive call

Calls to mutually exclusive methods were found in the code.

Input and output values become out of sync

If a method that uses an input parameter to update an output value throws an exception, then the output value is not updated.

Inefficient chain of AWS API calls

The chain of API calls can be replaced with a single, more efficient API call.

AWS DynamoDB getItem output is not null checked

Outputs of AWS DynamoDB's GetItem method are not null checked.

OS command injection

Constructing operating system or shell commands with unsanitized user input can lead to inadvertently running malicious code.

Atomicity violation

Atomicity violations caused by improper usage of ConcurrentHashMap or ConcurrentLinkedQueue can result in crashses or incorrect program results.

User interface thread starvation

Blocking calls in a user interface thread can lead to the application becoming unresponsive.

Log injection

Using untrusted inputs in a log statement can enable attackers to break the log's format, forge log entries, and bypass log monitors.

Sensitive information leak

Sensitive information should not be exposed through log files or stack traces.

Mandatory method not called after object creation

Mandatory methods must be called after object creation.

Missing handling of specifically-thrown exceptions

Catching generic exceptions might hide issues when specific exceptions are thrown.

Process empty record list in Amazon KCL

Setting withCallProcessRecordsEvenForEmptyRecordList to TRUE during Kinesis Client Library (KCL) initialization will treat empty records differently.

Code clone

Similar code fragments were detected in the same file.

Infinite loop

Use loop control flow to ensure that loops are exited, even if exceptional behaviors are encountered.

Concurrency deadlock

Improper use of locks in a multi-threaded program can lead to deadlock and cause the program to be unresponsive.

Sensitive data stored unencrypted due to partial encryption

Encryption that is dependent on conditional logic, such as an if...then clause, might cause unencrypted sensitive data to be stored.

SQL injection

Use of untrusted inputs in SQL database query can enable attackers to read, modify, or delete sensitive data in the database

Path traversal

Creating file paths from untrusted input might give a malicious actor access to sensitive files.

Untrusted AMI images

Improper filtering of Amazon Machine Images (AMIs) can result in loading an untrusted image, a potential security vulnerability.

Override of reserved variable names in a Lambda function

Overriding environment variables that are reserved by AWS Lambda might lead to unexpected behavior.

Missing byte array length of JSON parser

Specify the length of the input byte array when creating a JSON parser to avoid a deserialization problem.

Batch operations preferred over looping

Batch operations are more efficient than looping to process several items at the same time.

Synchronous publication of AWS Lambda metrics

Synchronous publication of AWS Lambda metrics is inefficient.

AWS object presence check

Manually performing an object existence check is inefficient when a built-in operation is available.

Insecure SAML parser configuration

Comment parsing for OpenSAML2 might enable an attacker to bypass authentication.

Usage of an API that is not recommended

APIs that are not recommended were found.

Weak obfuscation of web request

Weak obfuscation while configuring a web request

Improper use of classes that aren't thread-safe

Improper use of thread-unsafe classes in multi-threaded programs can cause the programs to be unstable.

Hardcoded credentials

Hardcoded credentials can be intercepted by malicious actors.

Incorrect null check before setting a value

When a variable is assigned a value after checking if it's not null (for example, x != null insead of x == null), it might be inadvertently overwritten.

Cross-site request forgery

Insecure configuration can lead to a cross-site request forgery (CRSF) vulnerability.

Case sensitive keys in S3 object user metadata

User metadata keys are case insensitive and are returned as lowercase strings, even if they were originally specified with uppercase strings.

Not calling finalize causes skipped cleanup steps

Always call super.finalize explicitly.

Unchecked S3 object metadata content length

Failure to specify a content length causes the contents of the input stream to buffer locally in memory in order to calculate its length. This can result in performance problems.

Clear text credentials

Credentials that are stored in clear text can be intercepted by a malicious actor.

Untrusted data in security decision

Security decisions should not depend on branching that can be influenced by untrusted or client-provided data.

Insecure cookie

Insecure cookies can lead to unencrypted transmission of sensitive data.

Unexpected re-assignment of synchronized objects

Synchronized objects should not be re-assigned in the same synchronized block because the references to the synchronized object would be lost.

Resources used by an Amazon S3 TransferManager are not released

Call ShutdownNow when you use TransferManager to manage transfers to Amazon S3.

Session fixation

Session fixation might allow an attacker to steal authenticated session IDs.

Deserialization of untrusted object

Deserialization of untrusted objects can lead to security vulnerabilities such as inadvertently running remote code.

Stack trace not included in re-thrown exception

When re-throwing an exception, make sure to include the stack trace.

Thread safety violation

A thread safety violation might indicate a data race which can put the system into an inconsistent state.

XPath injection

Potentially unsanitized user input in XPath queries can allow an attacker to control the query in unwanted or insecure ways.

Insecure cryptography

Weak, broken, or misconfigured cryptography can lead to security vulnerabilities.

Resource leak

Allocated resources are not released properly.

Region specification missing from AWS client initialization

Set an explicit AWS Region to avoid cold start delays in AWS client initialization.

Missing timezone of SimpleDateFormat

Using a SimpleDateFormat object without setting its timezone can result in unexpected date and time.

Overflow when deserializing relational database objects

Deserializing objects from relational databases should allocate a 64-bit, not 32-bit, type for the auto-incremented identifier.

Weak pseudorandom number generation

Insufficiently random generators (or hardcoded seeds) can make pseudorandom sequences predictable.

Insecure CORS policy

Cross-Origin Resource Sharing policies that are too permissive may lead to security vulnerabilities.

Insufficient use of name in Amazon SQS queue

Provide the full URL for the Amazon SQS queue.

Custom manual retries of AWS SDK calls

Custom manual retries of calls to AWS SDK APIs are inefficient.

Syntax error in file

Some files contain syntax errors.

XML External Entity

Objects that parse or handle XML can lead to XML External Entity (XXE) attacks when misconfigured.

Client constructor deprecation

Client constructors are now deprecated in favor of using builders to create the client.

Amazon SQS message visibility changed without a status check

When you change Amazon SQS message visibility, check for MessageNotInFlight exceptions.

Missing handling of file deletion result

Unhandled failures of deleting files can exhaust file handles.

Missing null check for cache response metadata

Accessing the cache response metadata without performing a null check might cause a null dereference error.

Inefficient usage of Transaction library from AWS Labs

The AWS Labs Transactions Library is a client-side solution and less efficient compared to DynamoDB native transactions.

AWS client not reused in a Lambda function

Recreating AWS clients in each Lambda function invocation is expensive.

Insecure connection using unencrypted protocol

Connections that use insecure protocols transmit data in cleartext, which can leak sensitive information.

Bad parameters used with AWS API methods

An outdated or bad parameters were detected in calls to some AWS API methods.

Missing position check before getting substring

Getting a substring outside the range of a string can cause an index-out-of-bounds exception.

Inefficient additional authenticated data (AAD) authenticity

Encryption can be improved by using Additional authenticated data (AAD).

Client-side KMS reencryption

Client-side decryption followed by reencryption is inefficient and can lead to sensitive data leaks.

Ignored output of DynamoDBMapper operations

Check if errors are returned by DynamoDBMapper's BatchWrite operations.

LDAP injection

LDAP queries that rely on potentially untrusted inputs can allow attackers to read or modify sensitive data, run code, and perform other unwanted actions.

Unsanitized input is run as code

Scripts generated from unsanitized inputs can lead to malicious behavior and inadvertently running code remotely.

Inefficient use of stream sorting

Using Stream::min or Stream::max is more efficient than sorting and getting the first element in a stream.

Output of AWS batch APIs are not checked

Check the return value of AWS batch APIs for failures to identify data loss.

Long polling is not enabled in Amazon SQS

Enable long polling for efficiency.

Use Stream::anyMatch instead of Stream::findFirst or Stream::findAny

Using Stream::anyMatch is more readable and convenient than using a chain of Stream::filter, Stream::findFirst or Stream::findAny and Optional::isPresent.

Loose file permissions

Weak file permissions can lead to privilege escalation.

Use an enum to specify an AWS Region

To minimize the risk of error, use an enum instead of a string to specify an AWS Region.

Avoid reset exception in Amazon S3

Uploading objects to Amazon S3 by using streams (either through an AmazonS3 client or TransferManager) might encounter network connectivity or timeout issues.

Insecure temporary file or directory

Insecure ways of creating temporary files and directories can lead to race conditions, privilege escalation, and other security vulnerabilities.

Improper locking

Improper use of locks can lead to deadlocks and the application becoming unresponsive.

Use of a deprecated method

This code uses deprecated methods, which suggests that it has not been recently reviewed or maintained.

Error-prone AWS IAM policy creation

Manually creating text-based IAM policies is error-prone.

Inefficient Amazon S3 manual pagination

Use S3Objects.withPrefix() instead of manually paginating results.

HTTP response splitting

Passing data from an untrusted source into a cookie or web response might expose the user to HTTP response splitting attacks.

Oversynchronization

Oversynchronization with ConcurrentHashMap or ConcurrentLinkedQueue can reduce program performance.

Backward compatibility breaks with error message parsing

Maintain your code's backward compatibility by checking the status code instead of parsing the error message.

Inefficient map entry iteration

Iterating on Map entries is more efficient than iterating on the keys and asking for their respective values.

Missing S3 bucket owner condition

Not setting the S3 bucket owner condition might introduce a risk of accidentally using a wrong bucket.

Null pointer dereference

Dereferencing a null pointer can lead to unexpected null pointer exceptions.

Improperly formatted string arguments

Format strings appropriately for their argument types. For example, use %d, not %s, for integers.