| Checker | Guideline |
| JAVA.ALLOC.LEAK.NOTCLOSED | FIO04-J. Release resources when they are no longer needed |
| JAVA.ALLOC.LEAK.NOTSTORED | FIO04-J. Release resources when they are no longer needed |
| JAVA.ALLOC.LEAK.NOTSTORED | SER10-J. Avoid memory and resource leaks during serialization |
| JAVA.ALLOC.LEAK.NOTSTORED | MSC05-J. Do not exhaust heap space |
| JAVA.ARITH.FPEQUAL | NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data |
| JAVA.ARITH.OFLOW | NUM00-J. Detect or prevent integer overflow |
| JAVA.CAST.FTRUNC | NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data |
| JAVA.CAST.FTRUNC | NUM13-J. Avoid loss of precision when converting primitive integers to floating-point |
| JAVA.CLASS.ACCESS.BYPASS | SEC05-J. Do not use reflection to increase accessibility of classes, methods, or fields |
| JAVA.CLASS.ACCESS.MODIFY | SEC05-J. Do not use reflection to increase accessibility of classes, methods, or fields |
| JAVA.CLASS.CLONE.CCSM | MET53-J. Ensure that the clone() method calls super.clone() |
| JAVA.CLASS.CLONE.CNC | OBJ07-J. Sensitive classes must not let themselves be copied |
| JAVA.CLASS.CLONE.NF | OBJ07-J. Sensitive classes must not let themselves be copied |
| JAVA.CLASS.CLONE.SCNC | OBJ07-J. Sensitive classes must not let themselves be copied |
| JAVA.CLASS.ICSBS | OBJ08-J. Do not expose private members of an outer class from within a nested class |
| JAVA.CLASS.MCS | MET53-J. Ensure that the clone() method calls super.clone() |
| JAVA.CLASS.SER.ND | SER01-J. Do not deviate from the proper signatures of serialization methods |
| JAVA.CLASS.SER.ND | SER03-J. Do not serialize unencrypted sensitive data |
| JAVA.CLASS.SER.ND | SER06-J. Make defensive copies of private mutable components during deserialization |
| JAVA.CLASS.SER.ND | SER07-J. Do not use the default serialized form for classes with implementation-defined invariants |
| JAVA.CLASS.SER.ND | SER12-J. Prevent deserialization of untrusted data |
| JAVA.CLASS.SER.UIDM | SER00-J. Enable serialization compatibility during class evolution |
| JAVA.CLASS.UI | SER10-J. Avoid memory and resource leaks during serialization |
| JAVA.CLASS.UI | MSC05-J. Do not exhaust heap space |
| JAVA.COMPARE.CTO.ASSYM | MET08-J. Preserve the equality contract when overriding the equals() method |
| JAVA.COMPARE.EMPTYSTR | EXP03-J. Do not use the equality operators when comparing values of boxed primitives |
| JAVA.COMPARE.EQ | EXP02-J. Do not use the Object.equals() method to compare two arrays |
| JAVA.COMPARE.EQ | EXP03-J. Do not use the equality operators when comparing values of boxed primitives |
| JAVA.COMPARE.EQARRAY | EXP02-J. Do not use the Object.equals() method to compare two arrays |
| JAVA.COMPARE.EQARRAY | EXP03-J. Do not use the equality operators when comparing values of boxed primitives |
| JAVA.CONCURRENCY.LOCK.DCL | LCK10-J. Use a correct form of the double-checked locking idiom |
| JAVA.CONCURRENCY.LOCK.ICS | VNA00-J. Ensure visibility when accessing shared primitive variables |
| JAVA.CONCURRENCY.LOCK.ISTR | LCK00-J. Use private final lock objects to synchronize classes that may interact with untrusted code |
| JAVA.CONCURRENCY.LOCK.SCTB | THI00-J. Do not invoke Thread.run() |
| JAVA.CONCURRENCY.LOCK.STATIC | VNA00-J. Ensure visibility when accessing shared primitive variables |
| JAVA.CONCURRENCY.STARVE.BLOCKING | LCK09-J. Do not perform operations that can block while holding a lock |
| JAVA.CONCURRENCY.SYNC.MSS | VNA00-J. Ensure visibility when accessing shared primitive variables |
| JAVA.CONCURRENCY.UG.FIELD | VNA00-J. Ensure visibility when accessing shared primitive variables |
| JAVA.CONCURRENCY.UG.METH | LCK05-J. Synchronize access to static fields that can be modified by untrusted code |
| JAVA.CONCURRENCY.UG.PARAM | VNA00-J. Ensure visibility when accessing shared primitive variables |
| JAVA.CONCURRENCY.VOLATILE | VNA00-J. Ensure visibility when accessing shared primitive variables |
| JAVA.CONCURRENCY.VOLATILE | VNA03-J. Do not assume that a group of calls to independently atomic methods is atomic |
| JAVA.CRYPTO.BASE64 | MSC02-J. Generate strong random numbers |
| JAVA.CRYPTO.RA | MSC02-J. Generate strong random numbers |
| JAVA.CRYPTO.RCF | MSC02-J. Generate strong random numbers |
| JAVA.CRYPTO.RF | MSC02-J. Generate strong random numbers |
| JAVA.CRYPTO.WHAF | MSC02-J. Generate strong random numbers |
| JAVA.DEBUG.CALL | ERR09-J. Do not allow untrusted code to terminate the JVM |
| JAVA.DEBUG.CEDF | ENV06-J. Production code must not contain debugging entry points |
| JAVA.DEBUG.LOG | ERR02-J. Prevent exceptions while logging data |
| JAVA.DEBUG.MEDF | ENV06-J. Production code must not contain debugging entry points |
| JAVA.DEEPNULL.DEREF | EXP01-J. Do not use a null in a case where an object is required |
| JAVA.DEEPNULL.EFIELD | EXP01-J. Do not use a null in a case where an object is required |
| JAVA.DEEPNULL.FIELD | EXP01-J. Do not use a null in a case where an object is required |
| JAVA.DEEPNULL.PARAM.ACTUAL | EXP01-J. Do not use a null in a case where an object is required |
| JAVA.DEEPNULL.PARAM.EACTUAL | EXP01-J. Do not use a null in a case where an object is required |
| JAVA.DEEPNULL.RET.EMETH | EXP01-J. Do not use a null in a case where an object is required |
| JAVA.DEEPNULL.RET.METH | EXP01-J. Do not use a null in a case where an object is required |
| JAVA.FUNCS.IRV | EXP00-J. Do not ignore values returned by methods |
| JAVA.FUNCS.IRV | FIO02-J. Detect and handle file-related errors |
| JAVA.HARDCODED.PASSWD | MSC03-J. Never hard code sensitive information |
| JAVA.HARDCODED.SEED | MSC02-J. Generate strong random numbers |
| JAVA.IDEF.CTOEQ | MET08-J. Preserve the equality contract when overriding the equals() method |
| JAVA.IDEF.CTONOEQ | MET08-J. Preserve the equality contract when overriding the equals() method |
| JAVA.IDEF.EQUALSNOHC | MET09-J. Classes that define an equals() method must also define a hashCode() method |
| JAVA.IDEF.HCNOEQUALS | MET09-J. Classes that define an equals() method must also define a hashCode() method |
| JAVA.IDEF.NOEQUALS | MET08-J. Preserve the equality contract when overriding the equals() method |
| JAVA.INSEC.LDAP.DA | ENV01-J. Place all security-sensitive code in a single JAR and sign and seal it |
| JAVA.IO.INJ.ANDROID.MESSAGE | SER02-J. Sign then seal objects before sending them outside a trust boundary |
| JAVA.IO.INJ.ANDROID.MESSAGE | SEC06-J. Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar |
| JAVA.IO.INJ.CODE | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.INJ.COMMAND | IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method |
| JAVA.IO.INJ.COMMAND | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.INJ.DENIAL | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.INJ.DLL | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.INJ.SQL | IDS00-J. Prevent SQL injection |
| JAVA.IO.INJ.SQL | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.INJ.XSS | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.INJ.XSS.EMWP | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.PERM | FIO01-J. Create files with appropriate access permissions |
| JAVA.IO.PERM | SEC01-J. Do not allow tainted variables in privileged blocks |
| JAVA.IO.PERM | ENV03-J. Do not grant dangerous combinations of permissions |
| JAVA.IO.PERM.ACCESS | FIO01-J. Create files with appropriate access permissions |
| JAVA.IO.PERM.ACCESS | SEC01-J. Do not allow tainted variables in privileged blocks |
| JAVA.IO.TAINT.ADDR | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.BUNDLE | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.CONTROL | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.DEVICE | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.EVAL | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.HTTP | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.LDAP.ATTR | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.LDAP.FILTER | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.LOG | IDS03-J. Do not log unsanitized user input |
| JAVA.IO.TAINT.LOG | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.MESSAGE | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.MESSAGE | SER02-J. Sign then seal objects before sending them outside a trust boundary |
| JAVA.IO.TAINT.MESSAGE | SEC06-J. Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar |
| JAVA.IO.TAINT.PATH | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.REFLECTION | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.REGEX | IDS08-J. Sanitize untrusted data included in a regular expression |
| JAVA.IO.TAINT.REGEX | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.RESOURCE | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.SESSION | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.TRUSTED | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.URL | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.XAML | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.XML | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.IO.TAINT.XPATH | IDS14-J. Do not trust the contents of hidden form fields |
| JAVA.LIB.RAND.FUNC | MSC02-J. Generate strong random numbers |
| JAVA.LIB.RAND.LEGACY.GEN | MSC02-J. Generate strong random numbers |
| JAVA.MATH.ABSRAND | NUM00-J. Detect or prevent integer overflow |
| JAVA.MATH.APPROX.E | NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data |
| JAVA.MATH.APPROX.PI | NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data |
| JAVA.MISC.SD.EXT | MSC03-J. Never hard code sensitive information |
| JAVA.NULL.DEREF | EXP01-J. Do not use a null in a case where an object is required |
| JAVA.NULL.PARAM.ACTUAL | EXP01-J. Do not use a null in a case where an object is required |
| JAVA.NULL.RET.ARRAY | EXP01-J. Do not use a null in a case where an object is required |
| JAVA.NULL.RET.BOOL | EXP01-J. Do not use a null in a case where an object is required |
| JAVA.NULL.RET.OPT | EXP01-J. Do not use a null in a case where an object is required |
| JAVA.NULL.RET.UNCHECKED | EXP00-J. Do not ignore values returned by methods |
| JAVA.STRUCT.DUPD | EXP01-J. Do not use a null in a case where an object is required |
| JAVA.STRUCT.EXCP.BROAD | ERR07-J. Do not throw RuntimeException, Exception, or Throwable |
| JAVA.STRUCT.EXCP.EEH | ERR00-J. Do not suppress or ignore checked exceptions |
| JAVA.STRUCT.EXCP.GEH | ERR08-J. Do not catch NullPointerException or any of its ancestors |
| JAVA.STRUCT.EXCP.INAPP | ERR08-J. Do not catch NullPointerException or any of its ancestors |
| JAVA.STRUCT.SE.ASSERT | DCL00-J. Prevent class initialization cycles |
| JAVA.STRUCT.SE.ASSERT | EXP06-J. Expressions used in assertions must not produce side effects |
| JAVA.STRUCT.UA | DCL00-J. Prevent class initialization cycles |
| JAVA.STRUCT.UA.DEFAULT | DCL00-J. Prevent class initialization cycles |
| JAVA.STRUCT.UPD | EXP01-J. Do not use a null in a case where an object is required |
| JAVA.STRUCT.UPED | EXP01-J. Do not use a null in a case where an object is required |