Java Rules
SAST rules for Java that identify insecure patterns in application code.
Java Rule Catalog
| ID | Title | Severity | Category |
|---|---|---|---|
| CODE-0006 | User input used in MongoDB $where operator | CRITICAL | Injection |
| CODE-0057 | Hard-coded Password in Database Connection String | CRITICAL | Secrets |
| CODE-0058 | Hard-coded Database Password | CRITICAL | Secrets |
| CODE-0101 | User Input Controls Remote URL Destination | CRITICAL | Injection |
| CODE-0184 | GCM Nonce Reuse Risk | CRITICAL | Crypto |
| CODE-0212 | Path Traversal due to Unsafe File Access | CRITICAL | Injection |
| CODE-0292 | MongoDB Client with SSL Hostname Verification Disabled | CRITICAL | Crypto |
| CODE-0303 | Use of a broken or risky cryptographic algorithm | CRITICAL | Crypto |
| CODE-0324 | SQL Injection | CRITICAL | Injection |
| CODE-0334 | Server-Side Request Forgery (SSRF) | CRITICAL | Web |
| CODE-0625 | WebView loads files from external storage | CRITICAL | Web |
| CODE-0637 | Unsafe dynamic code execution via GroovyShell | CRITICAL | Injection |
| CODE-0645 | Unvalidated user input used in file path | CRITICAL | Injection |
| CODE-0649 | Insecure 'none' algorithm in JWT | CRITICAL | Crypto |
| CODE-0705 | OS Command Injection | CRITICAL | Injection |
| CODE-0714 | Hard-coded password in database connection string | CRITICAL | Secrets |
| CODE-0715 | Missing Database Authentication | CRITICAL | Auth |
| CODE-0716 | Hard-coded password | CRITICAL | Secrets |
| CODE-0719 | Improper control of generation of code ('Code Injection') | CRITICAL | Injection |
| CODE-0720 | Expression Language Injection | CRITICAL | Injection |
| CODE-0759 | Seam log injection via dynamic expression evaluation | CRITICAL | Injection |
| CODE-0760 | Deserialization of untrusted data with SnakeYAML | CRITICAL | Deserialization |
| CODE-0033 | Unencrypted Server Socket | HIGH | Crypto |
| CODE-0054 | SQL Injection | HIGH | Injection |
| CODE-0059 | Hard-coded Password | HIGH | Secrets |
| CODE-0061 | Overly Permissive File Permission | HIGH | InsecureConfig |
| CODE-0068 | Server-Side Request Forgery (SSRF) | HIGH | Web |
| CODE-0075 | External Control of System or Configuration Setting | HIGH | InsecureConfig |
| CODE-0080 | Deserialization of Untrusted Data | HIGH | Deserialization |
| CODE-0290 | Command injection via environment variables | HIGH | Injection |
| CODE-0504 | Unsafe Deserialization from JMS | HIGH | Deserialization |
| CODE-0666 | SQL Injection risk due to untrusted input | HIGH | Injection |
| CODE-0682 | HTTP Response Splitting | HIGH | Injection |
| CODE-0683 | HTTP Response Splitting | HIGH | Injection |
| CODE-0701 | Unvalidated Redirect | HIGH | Web |
| CODE-0703 | Path Traversal in File Upload | HIGH | AccessControl |
| CODE-0704 | Path Traversal Vulnerability | HIGH | Injection |
| CODE-0706 | Expression Language Injection | HIGH | Injection |
| CODE-0707 | RequestDispatcher File Disclosure | HIGH | AccessControl |
| CODE-0708 | Potential File Disclosure via User-Supplied Input | HIGH | AccessControl |
| CODE-0709 | HTTP Parameter Pollution | HIGH | Injection |
| CODE-0710 | LDAP Injection | HIGH | Injection |
| CODE-0711 | Expression injection (OGNL) | HIGH | Injection |
| CODE-0713 | Missing Authentication for LDAP Connection | HIGH | Auth |
| CODE-0728 | Template Injection | HIGH | Injection |
| CODE-0731 | Deserialization of untrusted data | HIGH | Deserialization |
| CODE-0734 | Cross-Site Scripting (XSS) via Improper Input Neutralization | HIGH | Web |
| CODE-0740 | Insecure GCM IV and Key Usage | HIGH | Crypto |
| CODE-0002 | Missing secure configuration in DocumentBuilderFactory | MEDIUM | Injection |
| CODE-0026 | Inadequate Encryption Strength | MEDIUM | Crypto |
| CODE-0055 | LDAP Anonymous Authentication | MEDIUM | Auth |
| CODE-0062 | Overly Permissive File Permission | MEDIUM | InsecureConfig |
| CODE-0069 | Incorrect Type Conversion or Cast | MEDIUM | Generic |
| CODE-0081 | XML Injection (Blind XPath Injection) | MEDIUM | Injection |
| CODE-0100 | Insecure Random Number Generation | MEDIUM | Crypto |
| CODE-0109 | Unencrypted HTTP request using Unirest | MEDIUM | Crypto |
| CODE-0110 | Insecure Deserialization via ObjectInputStream | MEDIUM | Deserialization |
| CODE-0111 | Jackson Unsafe Polymorphic Deserialization | MEDIUM | Deserialization |
| CODE-0221 | Spring Boot Actuator full exposure in properties | MEDIUM | AccessControl |
| CODE-0229 | Use of HTTP instead of HTTPS | MEDIUM | Crypto |
| CODE-0233 | External parameter entities allowed in XML parser | MEDIUM | Injection |
| CODE-0236 | Unsafe Spring Service Exporter | MEDIUM | InsecureConfig |
| CODE-0237 | Unsafe Spring Service Exporter | MEDIUM | InsecureConfig |
| CODE-0240 | Insecure Protocol in Socket Connection | MEDIUM | Crypto |
| CODE-0251 | Use of cleartext transport protocol (Telnet) | MEDIUM | Crypto |
| CODE-0261 | Unsafe TLS Renegotiation Enabled | MEDIUM | Crypto |
| CODE-0279 | CSRF protection disabled in Spring | MEDIUM | Web |
| CODE-0283 | SAXParserFactory Improperly Configured Against XXE | MEDIUM | Injection |
| CODE-0311 | Inadequate encryption strength | MEDIUM | Crypto |
| CODE-0325 | Missing authentication for critical function (LDAP) | MEDIUM | Auth |
| CODE-0461 | Cleartext HTTP used in Spring RestTemplate | MEDIUM | Crypto |
| CODE-0481 | External general entities allowed in XML parser | MEDIUM | Injection |
| CODE-0500 | Unsafe Deserialization via RMI Parameter Types | MEDIUM | Deserialization |
| CODE-0506 | Insecure Cryptographic Algorithm: RC2 | MEDIUM | Crypto |
| CODE-0507 | Insecure HTTP request via URLConnection | MEDIUM | InsecureConfig |
| CODE-0514 | Insecure FTP transport | MEDIUM | InsecureConfig |
| CODE-0558 | JWT token decoded without signature verification | MEDIUM | Crypto |
| CODE-0623 | Insecure WebView Implementation: SSL Certificate Validation Bypass | MEDIUM | Web |
| CODE-0624 | Remote WebView Debugging Enabled | MEDIUM | Web |
| CODE-0626 | WebView File System Access Enabled | MEDIUM | Web |
| CODE-0638 | Unvalidated input used in XPath expression | MEDIUM | Injection |
| CODE-0646 | Insecure FTP protocol detected in Spring Integration configuration | MEDIUM | Crypto |
| CODE-0665 | Use of deprecated cryptographic algorithm (RC4) | MEDIUM | Crypto |
| CODE-0668 | Insecure TLS/SSL version usage | MEDIUM | Crypto |
| CODE-0674 | External entities enabled in XMLInputFactory | MEDIUM | Injection |
| CODE-0684 | Permissive Cross-Domain Policy with Untrusted Domains | MEDIUM | Web |
| CODE-0685 | Inadequate encryption strength due to small key size for Blowfish | MEDIUM | Crypto |
| CODE-0686 | Inadequate encryption strength | MEDIUM | Crypto |
| CODE-0687 | Use of a broken or risky cryptographic algorithm | MEDIUM | Crypto |
| CODE-0688 | Use of a broken or risky cryptographic algorithm | MEDIUM | Crypto |
| CODE-0689 | Use of a broken or risky cryptographic algorithm | MEDIUM | Crypto |
| CODE-0690 | Use of a broken or risky cryptographic algorithm | MEDIUM | Crypto |
| CODE-0691 | Custom MessageDigest Implementation | MEDIUM | Crypto |
| CODE-0692 | Inadequate encryption strength | MEDIUM | Crypto |
| CODE-0693 | Inadequate encryption strength | MEDIUM | Crypto |
| CODE-0694 | Use of NullCipher | MEDIUM | Crypto |
| CODE-0695 | Use of RSA algorithm without OAEP | MEDIUM | Crypto |
| CODE-0696 | Use of a broken or risky cryptographic algorithm (SHA1/MD5) | MEDIUM | Crypto |
| CODE-0697 | Improper Certificate Validation | MEDIUM | InsecureConfig |
| CODE-0698 | Insecure SSL Protocol | MEDIUM | Crypto |
| CODE-0699 | Inadequate encryption strength | MEDIUM | Crypto |
| CODE-0700 | Improper Certificate Validation | MEDIUM | Crypto |
| CODE-0702 | Improper Certificate Validation | MEDIUM | Crypto |
| CODE-0712 | Path Traversal Vulnerability | MEDIUM | Injection |
| CODE-0717 | Dangerous Permission Combination | MEDIUM | AccessControl |
| CODE-0718 | Overly Permissive File Permissions | MEDIUM | AccessControl |
| CODE-0721 | Insecure SMTP SSL Configuration | MEDIUM | InsecureConfig |
| CODE-0722 | SMTP Header Injection | MEDIUM | Injection |
| CODE-0723 | Server-Side Request Forgery (SSRF) | MEDIUM | Injection |
| CODE-0724 | Incorrect Hex Conversion | MEDIUM | Generic |
| CODE-0725 | Use of externally-controlled format string | MEDIUM | Injection |
| CODE-0726 | Modification after validation | MEDIUM | Injection |
| CODE-0727 | Incorrect behavior order: validate before canonicalize | MEDIUM | Injection |
| CODE-0730 | SAML Authentication Bypass via XML Comments | MEDIUM | Auth |
| CODE-0732 | XSLT Translation with Potentially Malicious Input | MEDIUM | Injection |
| CODE-0733 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | MEDIUM | Web |
| CODE-0735 | Improper Restriction of XML External Entity Reference ('XXE') | MEDIUM | Injection |
| CODE-0739 | Use of HTTP with Apache HttpClient | MEDIUM | Crypto |
| CODE-0754 | TransformerFactory missing secure configuration | MEDIUM | Injection |
| CODE-0762 | DOCTYPE declaration explicitly enabled in XML parser | MEDIUM | Injection |
| CODE-0766 | XMLInputFactory Misconfiguration | MEDIUM | Injection |
| CODE-0799 | Missing HTTP method in Spring @RequestMapping | MEDIUM | Web |
| CODE-0016 | Permissive Cross-domain Policy with Untrusted Domains | LOW | Web |
| CODE-0238 | Unsafe Spring Service Exporter | LOW | InsecureConfig |
| CODE-0263 | Explicit Garbage Collection Call | LOW | Generic |
| CODE-0671 | Cookie missing HttpOnly attribute | LOW | Web |
| CODE-0681 | Sensitive cookie in HTTPS session without 'Secure' attribute | LOW | Web |
| CODE-0729 | External Control of System Setting | LOW | Injection |
Total Rules: 128