| STIG ID | Checker | Description |
|---|---|---|
| APSC-DV-000060 | SV.DOS.TMPFILEDEL | Leaving temporary file for lifetime of JVM |
| APSC-DV-000060 | SV.DOS.TMPFILEEXIT | Leaving temporary file |
| APSC-DV-000160 | SV.HASH.NO_SALT | Use of a one-way cryptographic hash without a salt |
| APSC-DV-000160 | SV.SENSITIVE.DATA | Unencrypted sensitive data is written |
| APSC-DV-000160 | SV.SENSITIVE.OBJ | Object with unencrypted sensitive data is stored |
| APSC-DV-000160 | SV.WEAK.CRYPT | Use of a Broken or Risky Cryptographic Algorithm |
| APSC-DV-000170 | SV.HASH.NO_SALT | Use of a one-way cryptographic hash without a salt |
| APSC-DV-000170 | SV.SENSITIVE.DATA | Unencrypted sensitive data is written |
| APSC-DV-000170 | SV.SENSITIVE.OBJ | Object with unencrypted sensitive data is stored |
| APSC-DV-000170 | SV.WEAK.CRYPT | Use of a Broken or Risky Cryptographic Algorithm |
| APSC-DV-000460 | SV.PASSWD.HC.EMPTY | Empty Password |
| APSC-DV-000480 | SV.EXPOSE.FIELD | Static field may be changed by malicious code |
| APSC-DV-000480 | SV.EXPOSE.FIN | Method finalize() should have protected access modifier, not public |
| APSC-DV-000480 | SV.EXPOSE.IFIELD | Instance field should be made final |
| APSC-DV-000480 | SV.EXPOSE.MUTABLEFIELD | Static mutable field can be accessed by malicious code |
| APSC-DV-000480 | SV.EXPOSE.RET | Internal representation may be exposed |
| APSC-DV-000480 | SV.EXPOSE.STORE | Method stores reference to mutable object |
| APSC-DV-000650 | SV.LOG_FORGING | Log Forging |
| APSC-DV-001290 | SV.LOG_FORGING | Log Forging |
| APSC-DV-001460 | SV.EMAIL | Unchecked e-mail |
| APSC-DV-001460 | UMC.SYSERR | Debug print using System.err method calls is unwanted |
| APSC-DV-001460 | UMC.SYSOUT | Debug print using System.out method calls is unwanted |
| APSC-DV-001680 | SV.PASSWD.HC.EMPTY | Empty Password |
| APSC-DV-001740 | SV.PASSWD.PLAIN | Plain-text Password |
| APSC-DV-001750 | SV.PASSWD.PLAIN | Plain-text Password |
| APSC-DV-001810 | SV.ECV | Empty certificate validation |
| APSC-DV-001850 | SV.PASSWD.PLAIN | Plain-text Password |
| APSC-DV-001860 | SV.HASH.NO_SALT | Use of a one-way cryptographic hash without a salt |
| APSC-DV-001860 | SV.SENSITIVE.DATA | Unencrypted sensitive data is written |
| APSC-DV-001860 | SV.SENSITIVE.OBJ | Object with unencrypted sensitive data is stored |
| APSC-DV-001860 | SV.WEAK.CRYPT | Use of a Broken or Risky Cryptographic Algorithm |
| APSC-DV-001995 | JD.NEXT | Possible 'NoSuchElementException' |
| APSC-DV-001995 | JD.SYNC.IN | Inconsistent synchronization |
| APSC-DV-001995 | SV.SHARED.VAR | Unsynchronized access to static variable from servlet |
| APSC-DV-001995 | SV.STRUTS.STATIC | Struts Forms: static fields |
| APSC-DV-001995 | SV.UMC.THREADS | Bad practices: use of thread management |
| APSC-DV-002000 | RLK.NIO | NIO object is not closed on exit |
| APSC-DV-002000 | RLK.SOCK | Socket is not closed on exit |
| APSC-DV-002010 | SV.HASH.NO_SALT | Use of a one-way cryptographic hash without a salt |
| APSC-DV-002010 | SV.SENSITIVE.DATA | Unencrypted sensitive data is written |
| APSC-DV-002010 | SV.SENSITIVE.OBJ | Object with unencrypted sensitive data is stored |
| APSC-DV-002010 | SV.WEAK.CRYPT | Use of a Broken or Risky Cryptographic Algorithm |
| APSC-DV-002030 | SV.HASH.NO_SALT | Use of a one-way cryptographic hash without a salt |
| APSC-DV-002030 | SV.SENSITIVE.DATA | Unencrypted sensitive data is written |
| APSC-DV-002030 | SV.SENSITIVE.OBJ | Object with unencrypted sensitive data is stored |
| APSC-DV-002030 | SV.WEAK.CRYPT | Use of a Broken or Risky Cryptographic Algorithm |
| APSC-DV-002040 | SV.HASH.NO_SALT | Use of a one-way cryptographic hash without a salt |
| APSC-DV-002040 | SV.SENSITIVE.DATA | Unencrypted sensitive data is written |
| APSC-DV-002040 | SV.SENSITIVE.OBJ | Object with unencrypted sensitive data is stored |
| APSC-DV-002040 | SV.WEAK.CRYPT | Use of a Broken or Risky Cryptographic Algorithm |
| APSC-DV-002290 | SV.RANDOM | Use of insecure Random number generator |
| APSC-DV-002350 | SV.HASH.NO_SALT | Use of a one-way cryptographic hash without a salt |
| APSC-DV-002350 | SV.SENSITIVE.DATA | Unencrypted sensitive data is written |
| APSC-DV-002350 | SV.SENSITIVE.OBJ | Object with unencrypted sensitive data is stored |
| APSC-DV-002350 | SV.WEAK.CRYPT | Use of a Broken or Risky Cryptographic Algorithm |
| APSC-DV-002360 | SV.CLEXT.POLICY | Class extends 'java.security.Policy' |
| APSC-DV-002360 | SV.USE.POLICY | Direct use methods of Policy |
| APSC-DV-002400 | SV.DOS.ARRINDEX | Tainted index used for array access |
| APSC-DV-002400 | SV.DOS.ARRSIZE | Tainted size used for array allocation |
| APSC-DV-002400 | SV.TAINT_NATIVE | Tainted data goes to native code |
| APSC-DV-002400 | SV.TMPFILE | Temporary file path tampering |
| APSC-DV-002400 | SV.UMC.EXIT | The System.exit() and Runtime.exit() method calls should not be used in servlets code |
| APSC-DV-002480 | SV.IL.DEV | Design information leakage |
| APSC-DV-002480 | SV.IL.FILE | File Name Leaking |
| APSC-DV-002480 | SV.STRBUF.CLEAN | String buffer not cleaned |
| APSC-DV-002480 | SV.STRUTS.NOTRESET | Struts Forms: inconsistent reset |
| APSC-DV-002490 | ANDROID.LIFECYCLE.SV.GETEXTRA | Unvalidated external data |
| APSC-DV-002490 | SV.HTTP_SPLIT | Http Response Splitting |
| APSC-DV-002490 | SV.XSS.DB | Cross Site Scripting (Stored XSS) |
| APSC-DV-002490 | SV.XSS.REF | Cross Site Scripting (Reflected XSS) |
| APSC-DV-002500 | SV.CSRF.GET | CSRF Token in GET request |
| APSC-DV-002500 | SV.CSRF.ORIGIN | Request handler without an origin check |
| APSC-DV-002500 | SV.CSRF.TOKEN | State changing request handler without a CSRF check |
| APSC-DV-002510 | SV.CLASSDEF.INJ | Runtime Class Definition Injection |
| APSC-DV-002510 | SV.CLASSLOADER.INJ | Class Loader URL Injection |
| APSC-DV-002510 | SV.CLEXT.CLLOADER | Class extends 'java.lang.ClassLoader' |
| APSC-DV-002510 | SV.EXEC | Process Injection |
| APSC-DV-002510 | SV.EXEC.DIR | Process Injection. Working Directory |
| APSC-DV-002510 | SV.EXEC.ENV | Process Injection. Environment Variables |
| APSC-DV-002510 | SV.EXEC.LOCAL | Process Injection. Local Arguments |
| APSC-DV-002510 | SV.PATH | Path and file name injection |
| APSC-DV-002510 | SV.PATH.INJ | File injection |
| APSC-DV-002510 | SV.SCRIPT | Script Execution |
| APSC-DV-002510 | SV.SERIAL.INON | Interface extends 'Serializable' |
| APSC-DV-002510 | SV.SERIAL.NON | Class implements 'Serializable' |
| APSC-DV-002510 | SV.SERIAL.NOREAD | Method readObject() should be defined for a serializable class |
| APSC-DV-002510 | SV.SERIAL.NOWRITE | Method writeObject() should be defined for a serializable class |
| APSC-DV-002510 | SV.SERIAL.SIG | Methods readObject() and writeObject() in serializable classes should have correct signature |
| APSC-DV-002530 | ANDROID.LIFECYCLE.SV.FRAGMENTINJ | Unvalidated fragment class name |
| APSC-DV-002530 | CMP.CLASS | Comparing by classname |
| APSC-DV-002530 | SV.DATA.BOUND | Untrusted Data leaks into trusted storage |
| APSC-DV-002530 | SV.DATA.DB | Data injection |
| APSC-DV-002530 | SV.LDAP | Unvalidated user input is used as LDAP filter |
| APSC-DV-002530 | SV.STRUTS.NOTVALID | Struts Forms: inconsistent validate |
| APSC-DV-002530 | SV.STRUTS.VALIDMET | Struts Forms: validate method |
| APSC-DV-002530 | SV.TAINT | Tainted data |
| APSC-DV-002530 | SV.XPATH | Unvalidated user input is used as an XPath expression |
| APSC-DV-002540 | SV.SQL | Sql Injection |
| APSC-DV-002540 | SV.SQL.DBSOURCE | Unchecked information from the database is used in SQL statements |
| APSC-DV-002560 | ANDROID.LIFECYCLE.SV.FRAGMENTINJ | Unvalidated fragment class name |
| APSC-DV-002560 | CMP.CLASS | Comparing by classname |
| APSC-DV-002560 | SV.DATA.BOUND | Untrusted Data leaks into trusted storage |
| APSC-DV-002560 | SV.DATA.DB | Data injection |
| APSC-DV-002560 | SV.LDAP | Unvalidated user input is used as LDAP filter |
| APSC-DV-002560 | SV.STRUTS.NOTVALID | Struts Forms: inconsistent validate |
| APSC-DV-002560 | SV.STRUTS.VALIDMET | Struts Forms: validate method |
| APSC-DV-002560 | SV.TAINT | Tainted data |
| APSC-DV-002560 | SV.XPATH | Unvalidated user input is used as an XPath expression |
| APSC-DV-002590 | SV.INT_OVF | Tainted data may lead to Integer Overflow |
| APSC-DV-002950 | JD.INF.AREC | Apparent infinite recursion |
| APSC-DV-002950 | JD.LOCK | Lock without unlock |
| APSC-DV-002950 | JD.LOCK.NOTIFY | Method 'notify' called with locks held |
| APSC-DV-002950 | JD.LOCK.SLEEP | Method 'sleep' called with locks held |
| APSC-DV-002950 | JD.LOCK.WAIT | Method 'wait' called with locks held |
| APSC-DV-003100 | SV.HASH.NO_SALT | Use of a one-way cryptographic hash without a salt |
| APSC-DV-003100 | SV.SENSITIVE.DATA | Unencrypted sensitive data is written |
| APSC-DV-003100 | SV.SENSITIVE.OBJ | Object with unencrypted sensitive data is stored |
| APSC-DV-003100 | SV.WEAK.CRYPT | Use of a Broken or Risky Cryptographic Algorithm |
| APSC-DV-003110 | SV.PASSWD.HC | Hardcoded Password |
| APSC-DV-003215 | JD.THREAD.RUN | Explicit call to a 'Thread.run' method |
| APSC-DV-003215 | JD.UMC.FINALIZE | Explicit call to method 'Object.finalize' |
| APSC-DV-003215 | JD.UMC.RUNFIN | runFinalizersOnExit() is called |
| APSC-DV-003215 | MNA.CAP | Method name should start with non-capital letter |
| APSC-DV-003215 | MNA.CNS | Method name is same as constructor name but it is not a constructor |
| APSC-DV-003215 | MNA.SUS | Suspicious method name |
| APSC-DV-003235 | ECC.EMPTY | Empty catch clause |
| APSC-DV-003235 | EXC.BROADTHROWS | Method has an overly broad throws declaration |
| APSC-DV-003235 | JD.CATCH | Catching runtime exception |
| APSC-DV-003235 | JD.UNCAUGHT | Uncaught exception |
| APSC-DV-003235 | RI.IGNOREDCALL | The value returned by a method called on immutable object is ignored |
| APSC-DV-003235 | RI.IGNOREDNEW | Newly created object is ignored |
| APSC-DV-003235 | RR.IGNORED | The returned value is ignored |
| APSC-DV-003280 | SV.PASSWD.HC | Hardcoded Password |
| APSC-DV-003320 | SV.DOS.ARRINDEX | Tainted index used for array access |
| APSC-DV-003320 | SV.DOS.ARRSIZE | Tainted size used for array allocation |
| APSC-DV-003320 | SV.TAINT_NATIVE | Tainted data goes to native code |
| APSC-DV-003320 | SV.TMPFILE | Temporary file path tampering |
| APSC-DV-003320 | SV.UMC.EXIT | The System.exit() and Runtime.exit() method calls should not be used in servlets code |