• CodeQL query help documentation »

CodeQL query help for Java

Visit the articles below to see the documentation for the queries included in the following query suites:

• default: queries run by default in CodeQL code scanning on GitHub.

• security-extended: queries from default, plus extra security queries with slightly lower precision and severity.

• security-and-quality: queries from default, security-extended, plus extra maintainability and reliability queries.

These queries are published in the CodeQL query pack codeql/java-queries (changelog, source).

For shorter queries that you can use as building blocks when writing your own queries, see the example queries in the CodeQL repository.

• Access Java object methods through JavaScript exposure
• Access to unsupported JDK-internal API
• Android APK installation
• Android Intent redirection
• Android WebSettings file access
• Android WebView JavaScript settings
• Android WebView settings allows access to content links
• Android Webview debugging enabled
• Android WebView that accepts all certificates
• Android debuggable attribute enabled
• Android fragment injection
• Android fragment injection in PreferenceActivity
• Android missing certificate pinning
• Android sensitive keyboard cache
• AnnotationPresent check
• Application backup allowed
• Arbitrary file access during archive extraction (”Zip Slip”)
• Array index out of bounds
• Bad implementation of an event Adapter
• Bad suite method
• Boxed variable is never null
• Building a command line with string concatenation
• Call to Iterator.remove may fail
• Cast from abstract to concrete collection
• Chain of ‘instanceof’ tests
• Character passed to StringBuffer or StringBuilder constructor
• Class has same name as super class
• Cleartext storage of sensitive information in cookie
• Cleartext storage of sensitive information in the Android filesystem
• Cleartext storage of sensitive information using ‘Properties’ class
• Cleartext storage of sensitive information using SharedPreferences on Android
• Cleartext storage of sensitive information using a local database on Android
• Comparison of identical values
• Comparison of narrow type with wide type in loop condition
• Confusing method names because of capitalization
• Confusing non-overriding of package-private method
• Confusing overloading of methods
• Constant interface anti-pattern
• Constant loop condition
• Container contents are never accessed
• Container contents are never initialized
• Container size compared to zero
• Continue statement that does not continue
• Contradictory type checks
• Creates empty ZIP file entry
• Cross-site scripting
• Dangerous non-short-circuit logic
• Dangerous runFinalizersOnExit
• Depending upon JCenter/Bintray as an artifact repository
• Deprecated method or constructor invocation
• Dereferenced expression may be null
• Dereferenced variable is always null
• Dereferenced variable may be null
• Deserialization of user-controlled data
• Detect JHipster Generator Vulnerability CVE-2019-16303
• Direct call to a run() method
• Disabled Netty HTTP header validation
• Disabled Spring CSRF protection
• Double-checked locking is not thread-safe
• Equals method does not inspect argument type
• Equals on incomparable types
• Equals or hashCode on arrays
• Executing a command with a relative path
• Exposing internal representation
• Expression always evaluates to the same value
• Expression language injection (JEXL)
• Expression language injection (MVEL)
• Expression language injection (Spring)
• Externalizable but no public no-argument constructor
• Failure to use HTTPS or SFTP URL in Maven artifact upload/download
• Failure to use secure cookies
• Field masks field in super class
• Finalizer inconsistency
• Futile synchronization on field
• Groovy Language injection
• HTTP response splitting
• Hard-coded credential in API call
• Hashed value without hashCode definition
• Ignored error status of call
• Implicit conversion from array to string
• Implicit narrowing conversion in compound assignment
• Implicitly exported Android component
• Improper validation of user-provided array index
• Improper validation of user-provided size used for array construction
• Improper verification of intent by broadcast receiver
• Inconsistent compareTo
• Inconsistent equals and hashCode
• Inconsistent synchronization for writeObject()
• Inconsistent synchronization of getter and setter
• Incorrect absolute value of random number
• Incorrect serialVersionUID field
• Inefficient String constructor
• Inefficient empty string test
• Inefficient output stream
• Inefficient primitive constructor
• Inefficient regular expression
• Inefficient use of key set iterator
• Information exposure through a stack trace
• Inner class could be static
• Insecure Bean Validation
• Insecure JavaMail SSL Configuration
• Insecure LDAP authentication
• Insecure basic authentication
• Insertion of sensitive information into log files
• Intent URI permission manipulation
• Interface cannot be implemented
• Iterable wrapping an iterator
• Iterator implementing Iterable
• JNDI lookup with user-controlled name
• Javadoc has impossible ‘throws’ tag
• LDAP query built from user-controlled sources
• Leaking sensitive information through a ResultReceiver
• Leaking sensitive information through an implicit Intent
• Left shift by more than the type width
• Local information disclosure in a temporary directory
• Log Injection
• Loop with unreachable exit condition
• Misleading indentation
• Missing JWT signature check
• Missing Override annotation
• Missing catch of NumberFormatException
• Missing enum case in switch
• Missing format argument
• Missing read or write permission in a content provider
• Missing space in string literal
• Missing super clone
• Multiplication of remainder
• Next in hasNext implementation
• No clone method
• Non-final method invocation in constructor
• Non-synchronized override of synchronized method
• OGNL Expression Language statement with user-controlled input
• Overloaded compareTo
• Overloaded equals
• Overly permissive regular expression range
• Partial path traversal vulnerability
• Partial path traversal vulnerability from remote
• Polynomial regular expression used on uncontrolled data
• Possible confusion of local and field
• Potential database resource leak
• Potential input resource leak
• Potential output resource leak
• Query built by concatenation with a possibly-untrusted string
• Query built from user-controlled sources
• Race condition in double-checked locking object initialization
• Race condition in socket authentication
• Random used only once
• ReadResolve must have Object return type, not void
• Reading from a world writable file
• Reference equality test of boxed types
• Reference equality test on strings
• Regular expression injection
• Resolving XML external entity in user-controlled data
• Result of multiplication cast to wider type
• Self assignment
• Serializable but no void constructor
• Serializable inner class of non-serializable class
• Serialization methods do not match required signature
• Server-side request forgery
• Server-side template injection
• Sleep with lock held
• Spin on field
• Spurious Javadoc @param tags
• Start of thread in constructor
• Subtle call to inherited method
• Suspicious date format
• Synchronization on boxed types or strings
• Thread-unsafe use of DateFormat
• Time-of-check time-of-use race condition
• Trust boundary violation
• Type bound extends a final class
• Type mismatch on container access
• Type mismatch on container modification
• Type variable hides another type
• Typo in equals
• Typo in hashCode
• Typo in toString
• URL redirection from remote source
• Uncontrolled command line
• Uncontrolled data in arithmetic expression
• Uncontrolled data used in content resolution
• Uncontrolled data used in path expression
• Underscore used as identifier
• Unreachable catch clause
• Unread local variable
• Unreleased lock
• Unsafe certificate trust
• Unsafe hostname verification
• Unsafe resource fetching in Android WebView
• Unsafe use of getResource
• Unused classes and interfaces
• Unused format argument
• Unused label
• Use of RSA algorithm without OAEP
• Use of a broken or risky cryptographic algorithm
• Use of a cryptographic algorithm with insufficient key size
• Use of a potentially broken or risky cryptographic algorithm
• Use of a potentially dangerous function
• Use of a predictable seed in a secure random number generator
• Use of default toString()
• Use of externally-controlled format string
• Use of implicit PendingIntents
• Useless comparison test
• Useless null check
• Useless parameter
• Useless toString on String
• Useless type test
• User-controlled bypass of sensitive method
• User-controlled data in arithmetic expression
• User-controlled data in numeric cast
• User-controlled data used in permissions check
• Using a static initialization vector for encryption
• Wait on condition
• Whitespace contradicts operator precedence
• Wrong NaN comparison
• XPath injection
• XSLT transformation with user-controlled stylesheet
• TrustManager that accepts all certificates
• notify instead of notifyAll

• © GitHub, Inc.
• Terms
• Privacy