Java

Made by DeepSource
Storing an externally mutable value into a private static field may expose internal state JAVA-S0134
Security
Major

This code stores a reference to an externally mutable object into a static field. If unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. It may be possible for external code to inspect or change the value of the static field by holding a reference to it after passing it to this class.

Public static method returns freely modifiable array that may expose internal state JAVA-S0131
Security
Major

A public static method returns a reference to an array that is part of the static state of the class. Any code that calls this method can freely modify the underlying array. This is dangerous because it could allow external code to modify the behavior of the class by changing data assumed to be invariant.

Database password field is empty JAVA-S0014
Security
Critical

The password field for this database connection is empty.

Non-constant string passed to execute or addBatch method on an SQL statement JAVA-S0082
Security
Critical

The method invokes the execute or addBatch method on an SQL statement with a String that seems to be dynamically generated. This can allow SQL injection attacks to occur.

Cookies must not be insecure JAVA-S1003
Security
Critical

A new cookie is created without the Secure flag set to true. The Secure flag is a browser directive that prevents the cookie from being transmitted over insecure connections (http://).

Basic authorization is a security risk JAVA-S1019
Security
Major

Basic authorization only encodes the user name and password in base-64 before sending them to the server, which is just a step above sending the data as plaintext.

LDAP connections should be authenticated JAVA-S1020
Security
Critical

A JNDI LDAP configuration was found where authentication was disabled.

This is highly discouraged, as it means the LDAP binding is accessible to any client that has its address.

Spring component introduces unmanaged state JAVA-S1060
Security
Critical

Spring components should not introduce unmanaged state variables (fields not managed by Spring).

Request handler method accepts persistent object as argument JAVA-S1061
Security
Critical

Spring request handlers should not allow persistent objects (@Entity and @Document) to be passed through arguments.

SAML comment parsing should be disabled JAVA-S1062
Security
Critical

Parsing SAML comments should be disabled in applications using OpenSAML2.

getRequestSessionId should not be used JAVA-S1063
Security
Critical

The session ID returned by getRequestSessionId isn't necessarily the one belonging to the current user.

Audit: User input should not directly be used in network calls JAVA-A1034
Security
Critical

Avoid using unsanitized data from sources like incoming requests or sockets in network calls.

SSLContext instances should not be constructed using "SSL" JAVA-A1059
Security
Critical

SSLContext should be initialized with "TLS" in order to use more recent TLS versions. If SSL is used instead as the protocol string, the implementation will default to an older, insecure version of TLS or SSL.

Audit: Broadcasting intents without specifying a target package or receiver permission may be a security risk JAVA-A1023
Security
Critical

Intents that contain sensitive information should only be broadcast as explicit intents with tight control on what activities may receive them.

Audit: Web views should not have access to files JAVA-A1028
Security
Critical

Avoid granting file access privileges to web views.

Audit: Enabling JavaScript within a web view is a security risk JAVA-A1029
Security
Critical

Do not grant JavaScript execution permissions to a web view unless absolutely required.

Audit: File can be modified or read by any user JAVA-A1038
Security
Critical

File.setWritable() is invoked in a way that allows all users to write to a file. This may expose a security vulnerability in the application through that file.

Audit: Hibernate query may be vulnerable to injection attacks JAVA-A1040
Security
Critical

Avoid creating Hibernate SQL queries with strings containing unsanitized input.