| Checker | Guideline |
| CMP.CLASS | OBJ09-J. Compare classes and not class names |
| CMP.OBJ | EXP03-J. Do not use the equality operators when comparing values of boxed primitives |
| EHC.EQ | MET09-J. Classes that define an equals() method must also define a hashCode() method |
| EHC.HASH | MET09-J. Classes that define an equals() method must also define a hashCode() method |
| EXC.BROADTHROWS | ERR07-J. Do not throw RuntimeException, Exception, or Throwable |
| FIN.EMPTY | MET12-J. Do not use finalizers |
| FIN.NOSUPER | MET12-J. Do not use finalizers |
| JAVA.ASSERT.ARG | MET01-J. Never use assertions to validate method arguments |
| JAVA.BIGDEC.FLOAT | NUM10-J. Do not construct BigDecimal objects from floating-point literals |
| JAVA.COMPARE.NAN | NUM07-J. Do not attempt comparisons with NaN |
| JAVA.CTOR.EXCEPT | OBJ11-J. Be wary of letting constructors throw exceptions |
| JAVA.DEBUG.ENTRY | ENV06-J. Production code must not contain debugging entry points |
| JAVA.FINAL.STATIC.VAR | OBJ11-J. Be wary of letting constructors throw exceptions |
| JAVA.INF.LOOP.EMPTY | MSC01-J. Do not use an empty infinite loop |
| JAVA.LOOP.CTR.FLOAT | NUM09-J. Do not use floating-point variables as loop counters |
| JAVA.NATIVE.PUBLIC | JNI00-J. Define wrappers around native methods |
| JAVA.SERIALIZE.INNER | SER05-J. Do not serialize instances of inner classes |
| JAVA.SV.XML.INVALID | IDS16-J. Prevent XML Injection |
| JAVA.THREADGROUP | THI01-J. Do not invoke ThreadGroup methods |
| JAVA.WAIT.IN.LOOP | THI03-J. Always invoke wait() and await() methods inside a loop |
| JD.CATCH | ERR08-J. Do not catch NullPointerException or any of its ancestors |
| JD.EQ.ARR | EXP02-J. Do not use the Object.equals() method to compare two arrays |
| JD.FINRET | ERR04-J. Do not complete abruptly from a finally block |
| JD.LOCK.NOTIFY | LCK09-J. Do not perform operations that can block while holding a lock |
| JD.LOCK.SLEEP | LCK09-J. Do not perform operations that can block while holding a lock |
| JD.LOCK.WAIT | LCK09-J. Do not perform operations that can block while holding a lock |
| JD.SYNC.DCL | LCK10-J. Use a correct form of the double-checked locking idiom |
| JD.THREAD.RUN | THI00-J. Do not invoke Thread.run() |
| JD.UMC.FINALIZE | MET12-J. Do not use finalizers |
| JD.UMC.RUNFIN | MET12-J. Do not use finalizers |
| JD.UNCAUGHT | ERR05-J. Do not let checked exceptions escape from a finally block |
| JD.UNMOD | DCL02-J. Do not modify the collection's elements during an enhanced for statement |
| NPE.COND | EXP01-J. Do not use a null in a case where an object is required |
| NPE.CONST | EXP01-J. Do not use a null in a case where an object is required |
| NPE.RET | EXP01-J. Do not use a null in a case where an object is required |
| NPE.RET.UTIL | EXP01-J. Do not use a null in a case where an object is required |
| NPE.STAT | EXP01-J. Do not use a null in a case where an object is required |
| REDUN.EQNULL | EXP01-J. Do not use a null in a case where an object is required |
| RI.IGNOREDCALL | EXP00-J. Do not ignore values returned by methods |
| RR.IGNORED | EXP00-J. Do not ignore values returned by methods |
| SV.DATA.DB | IDS00-J. Prevent SQL injection |
| SV.EXEC | IDS06-J. Exclude unsanitized user input from format strings |
| SV.EXEC | IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method |
| SV.EXEC.DIR | IDS06-J. Exclude unsanitized user input from format strings |
| SV.EXEC.DIR | IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method |
| SV.EXEC.ENV | IDS06-J. Exclude unsanitized user input from format strings |
| SV.EXEC.ENV | IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method |
| SV.EXEC.LOCAL | IDS06-J. Exclude unsanitized user input from format strings |
| SV.EXEC.LOCAL | IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method |
| SV.EXEC.PATH | IDS06-J. Exclude unsanitized user input from format strings |
| SV.EXEC.PATH | IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method |
| SV.EXPOSE.FIELD | OBJ01-J. Limit accessibility of fields |
| SV.EXPOSE.FIELD | OBJ10-J. Do not use public static nonfinal fields |
| SV.EXPOSE.FIN | MET12-J. Do not use finalizers |
| SV.EXPOSE.IFIELD | OBJ01-J. Limit accessibility of fields |
| SV.EXPOSE.MUTABLEFIELD | OBJ01-J. Limit accessibility of fields |
| SV.EXPOSE.RET | OBJ04-J. Provide mutable classes with copy functionality to safely allow passing instances to untrusted code |
| SV.EXPOSE.RET | OBJ05-J. Do not return references to private mutable class members |
| SV.EXPOSE.STORE | OBJ04-J. Provide mutable classes with copy functionality to safely allow passing instances to untrusted code |
| SV.EXPOSE.STORE | OBJ05-J. Do not return references to private mutable class members |
| SV.HTTP_SPLIT | ERR03-J. Restore prior object state on method failure |
| SV.IL.DEV | ERR01-J. Do not allow exceptions to expose sensitive information |
| SV.INT_OVF | NUM00-J. Detect or prevent integer overflow |
| SV.SHARED.VAR | VNA00-J. Ensure visibility when accessing shared primitive variables |
| SV.SHARED.VAR | VNA01-J. Ensure visibility of shared references to immutable objects |
| SV.SHARED.VAR | VNA02-J. Ensure that compound operations on shared variables are atomic |
| SV.SHARED.VAR | LCK05-J. Synchronize access to static fields that can be modified by untrusted code |
| SV.SQL | IDS00-J. Prevent SQL injection |
| SV.SQL.DBSOURCE | IDS00-J. Prevent SQL injection |
| SV.SSRF.URI | ERR03-J. Restore prior object state on method failure |
| SV.STRUTS.PRIVATE | OBJ01-J. Limit accessibility of fields |
| SV.STRUTS.STATIC | OBJ01-J. Limit accessibility of fields |
| SV.STRUTS.STATIC | OBJ10-J. Do not use public static nonfinal fields |
| SV.TAINT | IDS01-J. Normalize strings before validating them |
| SV.TAINT_NATIVE | IDS01-J. Normalize strings before validating them |
| SV.UMC.EXIT | ERR09-J. Do not allow untrusted code to terminate the JVM |
| SV.XSS.DB | IDS01-J. Normalize strings before validating them |
| SV.XSS.REF | IDS01-J. Normalize strings before validating them |
| SV.XXE.DBF | IDS17-J. Prevent XML External Entity Attacks |
| SV.XXE.SF | IDS17-J. Prevent XML External Entity Attacks |
| SV.XXE.SPF | IDS17-J. Prevent XML External Entity Attacks |
| SV.XXE.TF | IDS17-J. Prevent XML External Entity Attacks |
| SV.XXE.XIF | IDS17-J. Prevent XML External Entity Attacks |
| SV.XXE.XRF | IDS17-J. Prevent XML External Entity Attacks |
| SVLOG_FORGING | IDS03-J. Do not log unsanitized user input |
| UMC.EXIT | ERR09-J. Do not allow untrusted code to terminate the JVM |