Audit: Biometric authentication should always be used with a cryptographic object JAVA-A1030
Biometric authentication should not be performed without an associated CryptoObject value.
Audit: XMLReader may be vulnerable to XXE attacks JAVA-A1060
This code appears to use an XMLReader instance without setting the correct input processing flags. This could allow XML External Entity (XXE) attacks to easily occur.
Non-constant string passed to execute or addBatch method on an SQL statement JAVA-S0082
The method invokes the execute or addBatch method on an SQL statement with a String that seems to be dynamically generated. This can allow SQL injection attacks to occur.
Audit: DocumentBuilder may be vulnerable to XXE attacks JAVA-A1052
This code appears to use a DocumentBuilder instance without setting the correct input processing flags. This could allow XML External Entity (XXE) attacks to easily occur.
Prepared statements must not be generated from dynamically created strings JAVA-S0083
The code creates an SQL prepared statement from a String that was formed dynamically. This may be vulnerable to SQL injection attacks.
Spring password storage must use a strong hashing function JAVA-S1018
This Spring security configuration appears to store passwords in plaintext or hashed with a weak hashing algorithm. This could allow an attacker to easily steal user login information.
Configure Spring to store passwords securely.
Storing an externally mutable value into a private static field may expose internal state JAVA-S0134
This code stores a reference to an externally mutable object into a static field. If unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. It may be possible for external code to inspect or change the value of the static field by holding a reference to it after passing it to this class.
Public static method returns freely modifiable array that may expose internal state JAVA-S0131
A public static method returns a reference to an array that is part of the static state of the class. Any code that calls this method can freely modify the underlying array. This is dangerous because it could allow external code to modify the behavior of the class by changing data asssumed to be invariant.
Reference to mutable object which is returned may expose internal representation of data JAVA-S0132
Returning a reference to a mutable value stored in any of an object's fields exposes the internal state of the object. This could lead to an injection vulnerability.
Reference to externally mutable object stored as internal state JAVA-S0133
This code stores a reference to an externally mutable object as part of the internal state of the object. This can allow an injection attack to occur.
Cookies must not be insecure JAVA-S1003
A new cookie is created without the Secure flag set to true. The Secure flag is a browser directive that prevents the cookie from being transmitted over insecure connections (http://).
Audit: Broadcasting intents without specifying a target package or receiver permission may be a security risk JAVA-A1023
Intents that contain sensitive information should only be broadcast as explicit intents with tight control on what activities may receive them.
Prepared statements must not be generated from dynamically created strings JAVA-S1016
The code creates an SQL prepared statement from a String that was formed dynamically. This may be vulnerable to SQL injection attacks.
XMLStreamReaders must be secure JAVA-S1009
This code appears to create an XMLStreamReader using an XMLInputFactory instance without setting the correct input processing flags. This could allow XML External Entity (XXE) attacks to easily occur.
Overly permissive CORS policies are a security risk JAVA-S1000
An overly permissive CORS policy can allow malicious actors to retrieve sensitive data from your own servers through the client.
Servlet does not sanitize path names from HTTP requests JAVA-S1001
This servlet uses an HTTP request parameter to construct a path. While this action may mean to access only one directory in the server's file system, it does not properly neutralize sequences such as ".." that can resolve to a location that is outside that directory.
CBC and ECB modes are insecure JAVA-S1004
ECB and CBC encryption modes are both known to be insecure due to a number of attacks that they make possible. As the default encryption mode in Java is ECB, this issue will be raised if only the algorithm is specified in a cipher transformation.
Cipher does not support integrity verification JAVA-S1005
The ciphertext produced is susceptible to alteration by an adversary. This means that the cipher provides no way to detect that the data has been tampered with. If the ciphertext can be controlled by an attacker, it could be altered without detection.
XSSRequestWrapper must not be used JAVA-S1007
XSSRequestWrapper is an HTTPRequestWrapper implementation that attempts to strip out potential XSS vulnerabilities from request data, and has been circulated through a number of blogs over the years. Unfortunately its implementation suffers from a number of design defects. These render it a weak protection, and even contribute towards facilitating certain attacks.
Using XSSRequestWrapper is not recommended due to its defective design.
Custom hashing algorithms must not be used JAVA-S1008
Implementing a custom hashing algorithm can be error-prone and could allow for collision-based attacks on hashed data. Avoid implementing your own hash function, and use only trusted implementations.