CodeQL query help for Java and Kotlin
Visit the articles below to see the documentation for the queries included in the following query suites:
- `default`: queries run by default in CodeQL code scanning on GitHub.
- `security-extended`: queries from `default`, plus extra security queries with slightly lower precision and severity.
- `security-and-quality`: queries from `default`, `security-extended`, plus extra maintainability and reliability queries.
These queries are published in the CodeQL query pack codeql/java-queries (changelog, source).
For shorter queries that you can use as building blocks when writing your own queries, see the example queries in the CodeQL repository.
- Access Java object methods through JavaScript exposure
- Access to unsupported JDK-internal API
- Android APK installation
- Android Intent redirection
- Android WebSettings file access
- Android WebView JavaScript settings
- Android WebView settings allows access to content links
- Android Webview debugging enabled
- Android `WebView` that accepts all certificates
- Android debuggable attribute enabled
- Android fragment injection
- Android fragment injection in PreferenceActivity
- Android missing certificate pinning
- Android sensitive keyboard cache
- AnnotationPresent check
- Application backup allowed
- Arbitrary file access during archive extraction (“Zip Slip”)
- Array index out of bounds
- Bad implementation of an event Adapter
- Bad suite method
- Boxed variable is never null
- Building a command line with string concatenation
- Building a command with an injected environment variable
- Call to Iterator.remove may fail
- Cast from abstract to concrete collection
- Chain of ‘instanceof’ tests
- Character passed to StringBuffer or StringBuilder constructor
- Class has same name as super class
- Cleartext storage of sensitive information in cookie
- Cleartext storage of sensitive information in the Android filesystem
- Cleartext storage of sensitive information using ‘Properties’ class
- Cleartext storage of sensitive information using `SharedPreferences` on Android
- Cleartext storage of sensitive information using a local database on Android
- Comparison of identical values
- Comparison of narrow type with wide type in loop condition
- Confusing method names because of capitalization
- Confusing non-overriding of package-private method
- Confusing overloading of methods
- Constant interface anti-pattern
- Constant loop condition
- Container contents are never accessed
- Container contents are never initialized
- Container size compared to zero
- Continue statement that does not continue
- Contradictory type checks
- Creates empty ZIP file entry
- Cross-site scripting
- Dangerous non-short-circuit logic
- Dangerous runFinalizersOnExit
- Depending upon JCenter/Bintray as an artifact repository
- Deprecated method or constructor invocation
- Dereferenced expression may be null
- Dereferenced variable is always null
- Dereferenced variable may be null
- Deserialization of user-controlled data
- Detect JHipster Generator Vulnerability CVE-2019-16303
- Direct call to a run() method
- Disabled Netty HTTP header validation
- Disabled Spring CSRF protection
- Double-checked locking is not thread-safe
- Equals method does not inspect argument type
- Equals on incomparable types
- Equals or hashCode on arrays
- Executing a command with a relative path
- Exposing internal representation
- Exposure of sensitive information to UI text views
- Exposure of sensitive information to notifications
- Expression always evaluates to the same value
- Expression language injection (JEXL)
- Expression language injection (MVEL)
- Expression language injection (Spring)
- Externalizable but no public no-argument constructor
- Failure to use HTTPS or SFTP URL in Maven artifact upload/download
- Failure to use secure cookies
- Field masks field in super class
- Finalizer inconsistency
- Futile synchronization on field
- Groovy Language injection
- HTTP response splitting
- Hard-coded credential in API call
- Hashed value without hashCode definition
- Ignored error status of call
- Implicit conversion from array to string
- Implicit narrowing conversion in compound assignment
- Implicitly exported Android component
- Improper validation of user-provided array index
- Improper validation of user-provided size used for array construction
- Improper verification of intent by broadcast receiver
- Inconsistent compareTo
- Inconsistent equals and hashCode
- Inconsistent synchronization for writeObject()
- Inconsistent synchronization of getter and setter
- Incorrect absolute value of random number
- Incorrect serialVersionUID field
- Inefficient String constructor
- Inefficient empty string test
- Inefficient output stream
- Inefficient primitive constructor
- Inefficient regular expression
- Inefficient use of key set iterator
- Information exposure through a stack trace
- Information exposure through an error message
- Inner class could be static
- Insecure Bean Validation
- Insecure JavaMail SSL Configuration
- Insecure LDAP authentication
- Insecure basic authentication
- Insecure local authentication
- Insecure randomness
- Insecurely generated keys for local authentication
- Insertion of sensitive information into log files
- Intent URI permission manipulation
- Interface cannot be implemented
- Iterable wrapping an iterator
- Iterator implementing Iterable
- JNDI lookup with user-controlled name
- Javadoc has impossible ‘throws’ tag
- LDAP query built from user-controlled sources
- Leaking sensitive information through a ResultReceiver
- Leaking sensitive information through an implicit Intent
- Left shift by more than the type width
- Local information disclosure in a temporary directory
- Log Injection
- Loop with unreachable exit condition
- Misleading indentation
- Missing JWT signature check
- Missing Override annotation
- Missing catch of NumberFormatException
- Missing enum case in switch
- Missing format argument
- Missing read or write permission in a content provider
- Missing space in string literal
- Missing super clone
- Multiplication of remainder
- Next in hasNext implementation
- No clone method
- Non-final method invocation in constructor
- Non-synchronized override of synchronized method
- OGNL Expression Language statement with user-controlled input
- Overloaded compareTo
- Overloaded equals
- Overly permissive regular expression range
- Partial path traversal vulnerability
- Partial path traversal vulnerability from remote
- Polynomial regular expression used on uncontrolled data
- Possible confusion of local and field
- Potential database resource leak
- Potential input resource leak
- Potential output resource leak
- Query built by concatenation with a possibly-untrusted string
- Query built from user-controlled sources
- Race condition in double-checked locking object initialization
- Race condition in socket authentication
- Random used only once
- ReadResolve must have Object return type, not void
- Reading from a world writable file
- Reference equality test of boxed types
- Reference equality test on strings
- Regular expression injection
- Resolving XML external entity in user-controlled data
- Result of multiplication cast to wider type
- Self assignment
- Serializable but no void constructor
- Serializable inner class of non-serializable class
- Serialization methods do not match required signature
- Server-side request forgery
- Server-side template injection
- Sleep with lock held
- Spin on field
- Spurious Javadoc @param tags
- Start of thread in constructor
- Subtle call to inherited method
- Suspicious date format
- Synchronization on boxed types or strings
- Thread-unsafe use of DateFormat
- Time-of-check time-of-use race condition
- Trust boundary violation
- Type bound extends a final class
- Type mismatch on container access
- Type mismatch on container modification
- Type variable hides another type
- Typo in equals
- Typo in hashCode
- Typo in toString
- URL forward from a remote source
- URL redirection from remote source
- Uncontrolled command line
- Uncontrolled data in arithmetic expression
- Uncontrolled data used in content resolution
- Uncontrolled data used in path expression
- Underscore used as identifier
- Unreachable catch clause
- Unread local variable
- Unreleased lock
- Unsafe certificate trust
- Unsafe hostname verification
- Unsafe resource fetching in Android WebView
- Unsafe use of getResource
- Unused classes and interfaces
- Unused format argument
- Unused label
- Use of RSA algorithm without OAEP
- Use of a broken or risky cryptographic algorithm
- Use of a cryptographic algorithm with insufficient key size
- Use of a potentially broken or risky cryptographic algorithm
- Use of a potentially dangerous function
- Use of a predictable seed in a secure random number generator
- Use of default toString()
- Use of externally-controlled format string
- Use of implicit PendingIntents
- Useless comparison test
- Useless null check
- Useless parameter
- Useless toString on String
- Useless type test
- User-controlled bypass of sensitive method
- User-controlled data in arithmetic expression
- User-controlled data in numeric cast
- User-controlled data used in permissions check
- Using a static initialization vector for encryption
- Wait on condition
- Whitespace contradicts operator precedence
- Wrong NaN comparison
- XPath injection
- XSLT transformation with user-controlled stylesheet
- `TrustManager` that accepts all certificates
- notify instead of notifyAll