header icons

Documentation Rules


Rules are mapped to good and bad practices, as defined by the open-source community. They are computed by open-source rule-checking tools like PMD or FindBugs. They are classified by category associated to some quality characteristics.



  • BC: Impossible cast ( BC_IMPOSSIBLE_CAST ) provided by FindBugs Rules 3.0.0

    This cast will always throw a ClassCastException. FindBugs tracks type information from instanceof checks, and also uses more precise information about the types of values returned from methods and loaded from fields. Thus, it may have more precise information that just the declared type of a variable, and can use this to determine that a cast will always throw an exception at runtime.

    This rule impacts reliability, since an exception will be thrown. It also impacts correctness, since invariably throwing an exception was probably not what was intended.

  • BC: Impossible downcast ( BC_IMPOSSIBLE_DOWNCAST ) provided by FindBugs Rules 3.0.0

    This cast will always throw a ClassCastException. The analysis believes it knows the precise type of the value being cast, and the attempt to downcast it to a subtype will always fail by throwing a ClassCastException.

    This rule impacts reliability, since an exception will be thrown. It also impacts correctness, since invariably throwing an exception was probably not what was intended.

  • DMI: Bad constant value for month ( DMI_BAD_MONTH ) provided by FindBugs Rules 3.0.0

    This code passes a constant month value outside the expected range of 0..11 to a method.

    This rule impacts correctness, since the result is not what was intended.

  • DMI: Collections should not contain themselves ( DMI_COLLECTIONS_SHOULD_NOT_CONTAIN_THEMSELVES ) provided by FindBugs Rules 3.0.0

    This call to a generic collection's method would only make sense if a collection contained itself (e.g., if s.contains(s) were true). This is unlikely to be true and would cause problems if it were true (such as the computation of the hash code resulting in infinite recursion). It is likely that the wrong value is being passed as a parameter.

    This rule impacts correctness, since the result is not what was intended.

  • Dm: Hardcoded constant database password ( DMI_CONSTANT_DB_PASSWORD ) provided by FindBugs Rules 3.0.0

    This code creates a database connect using a hardcoded, constant password. Anyone with access to either the source code or the compiled code can easily learn the password.

  • Dm: Empty database password ( DMI_EMPTY_DB_PASSWORD ) provided by FindBugs Rules 3.0.0

    This code creates a database connect using a blank or empty password. This indicates that the database is not protected by a password.

  • DMI: Invocation of hashCode on an array ( DMI_INVOKING_HASHCODE_ON_ARRAY ) provided by FindBugs Rules 3.0.0

    The code invokes hashCode on an array. Calling hashCode on an array returns the same value as System.identityHashCode, and ignores the contents and length of the array. If you need a hashCode that depends on the contents of an array a, use java.util.Arrays.hashCode(a).

    This rule impacts correctness, since the result is not what was intended.

  • DMI: Double.longBitsToDouble invoked on an int ( DMI_LONG_BITS_TO_DOUBLE_INVOKED_ON_INT ) provided by FindBugs Rules 3.0.0

    The Double.longBitsToDouble method is invoked, but a 32 bit int value is passed as an argument. This almostly certainly is not intended and is unlikely to give the intended result.

    This rule impacts correctness, since the result is not what was intended.

  • DMI: Vacuous call to collections ( DMI_VACUOUS_SELF_COLLECTION_CALL ) provided by FindBugs Rules 3.0.0

    This call doesn't make sense. For any collection c, calling c.containsAll(c) should always be true, and c.retainAll(c) should have no effect.

    This rule impacts correctness, since the result is not what was intended.

  • EC: equals() used to compare array and nonarray ( EC_ARRAY_AND_NONARRAY ) provided by FindBugs Rules 3.0.0

    This method invokes the .equals(Object o) to compare an array and a reference that doesn't seem to be an array. If things being compared are of different types, they are guaranteed to be unequal and the comparison is almost certainly an error. Even if they are both arrays, the equals method on arrays only determines of the two arrays are the same object. To compare the contents of the arrays, use java.util.Arrays.equals(Object[], Object[]).

    This rule impacts correctness, since the result is not what was intended.

  • EC: equals(...) used to compare incompatible arrays ( EC_INCOMPATIBLE_ARRAY_COMPARE ) provided by FindBugs Rules 3.0.0

    This method invokes the .equals(Object o) to compare two arrays, but the arrays are of incompatible types (e.g., String[] and StringBuffer[], or String[] and int[]). They will never be equal. In addition, when equals(...) is used to compare arrays it only checks to see if they are the same array, and ignores the contents of the arrays.

    This rule impacts correctness, since the result is not what was intended.

  • Eq: equals method always returns false ( EQ_ALWAYS_FALSE ) provided by FindBugs Rules 3.0.0

    This class defines an equals method that always returns false. This means that an object is not equal to itself, and it is impossible to create useful Maps or Sets of this class. More fundamentally, it means that equals is not reflexive, one of the requirements of the equals method.

    The likely intended semantics are object identity: that an object is equal to itself. This is the behavior inherited from class Object. If you need to override an equals inherited from a different superclass, you can use use:

    public boolean equals(Object o) { return this == o; }

    This rule impacts correctness, since the result is not what was intended. It also impacts reusability, since the reflexive requirement is not met and other developers will assume it is.

  • Eq: equals() method always returns true ( EQ_ALWAYS_TRUE ) provided by FindBugs Rules 3.0.0

    This class defines an equals method that always returns true. This is imaginative, but not very smart. Plus, it means that the equals method is not symmetric.

    This rule impacts correctness, since the result is not what was intended. It also impacts reusability, since the reflexive requirement is not met and other developers will assume it is.

  • FE: Doomed test for equality to NaN ( FE_TEST_IF_EQUAL_TO_NOT_A_NUMBER ) provided by FindBugs Rules 3.0.0

    This code checks to see if a floating point value is equal to the special Not A Number value (e.g., if (x == Double.NaN)). However, because of the special semantics of NaN, no value is equal to Nan, including NaN. Thus, x == Double.NaN always evaluates to false. To check to see if a value contained in x is the special Not A Number value, use Double.isNaN(x) (or Float.isNaN(x) if x is floating point precision).

    This rule impacts correctness, since the result is not what was intended.

  • FL: Method performs math using floating point precision ( FL_MATH_USING_FLOAT_PRECISION ) provided by FindBugs Rules 3.0.0

    The method performs math operations using floating point precision. Floating point precision is very imprecise. For example, 16777216.0f + 1.0f = 16777216.0f. Consider using double math instead.

    This rule impacts correctness, since the result is not what was intended.

  • This code constructs an HTTP Cookie using an untrusted HTTP parameter. If this cookie is added to an HTTP response, it will allow a HTTP response splitting vulnerability. See http://en.wikipedia.org/wiki/HTTP_response_splitting for more information.

    FindBugs looks only for the most blatant, obvious cases of HTTP response splitting. If FindBugs found any, you almost certainly have more vulnerabilities that FindBugs doesn't report. If you are concerned about HTTP response splitting, you should seriouslyconsider using a commercial static analysis or pen-testing tool.

  • HRS: HTTP Response splitting vulnerability ( HRS_REQUEST_PARAMETER_TO_HTTP_HEADER ) provided by FindBugs Rules 3.0.0

    This code directly writes an HTTP parameter to an HTTP header, which allows for a HTTP response splitting vulnerability. See http://en.wikipedia.org/wiki/HTTP_response_splitting for more information.

    FindBugs looks only for the most blatant, obvious cases of HTTP response splitting. If FindBugs found any, you almost certainly have more vulnerabilities that FindBugs doesn't report. If you are concerned about HTTP response splitting, you should seriouslyconsider using a commercial static analysis or pen-testing tool.

  • PT: Absolute path traversal in servlet ( PT_ABSOLUTE_PATH_TRAVERSAL ) provided by FindBugs Rules 3.0.0

    The software uses an HTTP request parameter to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory. See http://cwe.mitre.org/data/definitions/36.html for more information.

    FindBugs looks only for the most blatant, obvious cases of absolute path traversal. If FindBugs found any, you almost certainly have more vulnerabilities that FindBugs doesn't report. If you are concerned about absolute path traversal, you should seriously consider using a commercial static analysis or pen-testing tool.

  • PT: Relative path traversal in servlet ( PT_RELATIVE_PATH_TRAVERSAL ) provided by FindBugs Rules 3.0.0

    The software uses an HTTP request parameter to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. See http://cwe.mitre.org/data/definitions/23.html for more information.

    FindBugs looks only for the most blatant, obvious cases of absolute path traversal. If FindBugs found any, you almost certainly have more vulnerabilities that FindBugs doesn't report. If you are concerned about absolute path traversal, you should seriously consider using a commercial static analysis or pen-testing tool.

  • Se: Non-serializable class has a serializable inner class ( SE_BAD_FIELD_INNER_CLASS ) provided by FindBugs Rules 3.0.0

    This Serializable class is an inner class of a non-serializable class. Thus, attempts to serialize it will also attempt to associate instance of the outer class with which it is associated, leading to a runtime error. If possible, making the inner class a static inner class should solve the problem. Making the outer class serializable might also work, but that would mean serializing an instance of the inner class would always also serialize the instance of the outer class, which it often not what you really want.

    This rule impacts reliability, since an exception will occur when attempting to serialise the inner class.

  • Se: Non-serializable value stored into instance field of a serializable class ( SE_BAD_FIELD_STORE ) provided by FindBugs Rules 3.0.0

    A non-serializable value is stored into a non-transient field of a serializable class.

    This rule impacts reliability, since an exception will occur when attempting to serialise the inner class.

  • Se: Class is Serializable but its superclass doesn't define a void constructor ( SE_NO_SUITABLE_CONSTRUCTOR ) provided by FindBugs Rules 3.0.0

    This class implements the Serializable interface and its superclass does not. When such an object is deserialized, the fields of the superclass need to be initialized by invoking the void constructor of the superclass. Since the superclass does not have one, serialization and deserialization will fail at runtime.

    This rule impacts reliability, since an exception will be thrown at runtime when deserialising the object.

  • Se: Class is Externalizable but doesn't define a void constructor ( SE_NO_SUITABLE_CONSTRUCTOR_FOR_EXTERNALIZATION ) provided by FindBugs Rules 3.0.0

    This class implements the Externalizable interface, but does not define a void constructor. When Externalizable objects are deserialized, they first need to be constructed by invoking the void constructor. Since this class does not have one, serialization and deserialization will fail at runtime.

    This rule impacts reliability, since an exception may be thrown at runtime when deserialising the object.

  • FS: Format string placeholder incompatible with passed argument ( VA_FORMAT_STRING_BAD_ARGUMENT ) provided by FindBugs Rules 3.0.0

    The format string placeholder is incompatible with the corresponding argument. For example, System.out.println("%d ", "hello"); The %d placeholder requires a numeric argument, but a string value is passed instead. A runtime exception will occur when this statement is executed.

    This rule impacts reliability, since the pattern will throw an exception when executed.

  • FS: The type of a supplied argument doesn't match format specifier ( VA_FORMAT_STRING_BAD_CONVERSION ) provided by FindBugs Rules 3.0.0

    One of the arguments is uncompatible with the corresponding format string specifier. As a result, this will generate a runtime exception when executed. For example, String.format("%d", "1") will generate an exception, since the String "1" is incompatible with the format specifier %d.

    This rule impacts reliability, since the pattern will throw an exception when executed.

  • FS: Illegal format string ( VA_FORMAT_STRING_ILLEGAL ) provided by FindBugs Rules 3.0.0

    The format string is syntactically invalid, and a runtime exception will occur when this statement is executed.

    This rule impacts reliability, since the pattern will throw an exception when executed.

  • FS: Format string references missing argument ( VA_FORMAT_STRING_MISSING_ARGUMENT ) provided by FindBugs Rules 3.0.0

    Not enough arguments are passed to satisfy a placeholder in the format string. A runtime exception will occur when this statement is executed.

    This rule impacts reliability, since the pattern will throw an exception when executed.

  • FS: No previous argument for format string ( VA_FORMAT_STRING_NO_PREVIOUS_ARGUMENT ) provided by FindBugs Rules 3.0.0

    The format string specifies a relative index to request that the argument for the previous format specifier be reused. However, there is no previous argument. For example, formatter.format("%<s %s", "a", "b") would throw a MissingFormatArgumentException when executed.

    This rule impacts reliability, since the pattern will throw an exception when executed.

  • XSS: JSP reflected cross site scripting vulnerability ( XSS_REQUEST_PARAMETER_TO_JSP_WRITER ) provided by FindBugs Rules 3.0.0

    This code directly writes an HTTP parameter to JSP output, which allows for a cross site scripting vulnerability. See http://en.wikipedia.org/wiki/Cross-site_scripting for more information.

    FindBugs looks only for the most blatant, obvious cases of cross site scripting. If FindBugs found any, you almost certainly have more cross site scripting vulnerabilities that FindBugs doesn't report. If you are concerned about cross site scripting, you should seriously consider using a commercial static analysis or pen-testing tool.

  • XSS: Servlet reflected cross site scripting vulnerability in error page ( XSS_REQUEST_PARAMETER_TO_SEND_ERROR ) provided by FindBugs Rules 3.0.0

    This code directly writes an HTTP parameter to a Server error page (using HttpServletResponse.sendError). Echoing this untrusted input allows for a reflected cross site scripting vulnerability. See http://en.wikipedia.org/wiki/Cross-site_scripting for more information.

    FindBugs looks only for the most blatant, obvious cases of cross site scripting. If FindBugs found any, you almost certainly have more cross site scripting vulnerabilities that FindBugs doesn't report. If you are concerned about cross site scripting, you should seriously consider using a commercial static analysis or pen-testing tool.

  • XSS: Servlet reflected cross site scripting vulnerability ( XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER ) provided by FindBugs Rules 3.0.0

    This code directly writes an HTTP parameter to Servlet output, which allows for a reflected cross site scripting vulnerability. See http://en.wikipedia.org/wiki/Cross-site_scripting for more information.

    FindBugs looks only for the most blatant, obvious cases of cross site scripting. If FindBugs found any, you almost certainly have more cross site scripting vulnerabilities that FindBugs doesn't report. If you are concerned about cross site scripting, you should seriously consider using a commercial static analysis or pen-testing tool.