Rule Description KPI URL
NP_BOOLEAN_RETURN_NULL A method that returns either Boolean.TRUE, Boolean.FALSE or null is an accident waiting to happen. This method can be invoked as though it returned a value of type boolean, and the compiler will insert automatic unboxing of the Boolean value. If a null value is returned, this will result in a NullPointerException. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#np-method-with-boolean-return-type-returns-explicit-null-np-boolean-return-null
FI_FINALIZER_NULLS_FIELDS This finalizer nulls out fields. This is usually an error, as it does not aid garbage collection, and the object is going to be garbage collected anyway. Maintainability https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#fi-finalizer-nulls-fields-fi-finalizer-nulls-fields
CN_IDIOM_NO_SUPER_CALL This non-final class defines a clone() method that does not call super.clone(). If this class (“A”) is extended by a subclass (“B”), and the subclass B calls super.clone(), then it is likely that B’s clone() method will return an object of type A, which violates the standard contract for clone().

If all clone() methods call super.clone(), then they are guaranteed to use Object.clone(), which always returns an object of the correct type.

Understandability https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#cn-clone-method-does-not-call-super-clone-cn-idiom-no-super-call
DE_MIGHT_DROP This method might drop an exception. In general, exceptions should be handled or reported in some way, or they should be thrown out of the method. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#de-method-might-drop-exception-de-might-drop
DE_MIGHT_IGNORE This method might ignore an exception. In general, exceptions should be handled or reported in some way, or they should be thrown out of the method. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#de-method-might-ignore-exception-de-might-ignore
DM_EXIT Invoking System.exit shuts down the entire Java virtual machine. This should only been done when it is appropriate. Such calls make it hard or impossible for your code to be invoked by other code. Consider throwing a RuntimeException instead. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#dm-method-invokes-system-exit-dm-exit
JCIP_FIELD_ISNT_FINAL_IN_IMMUTABLE_CLASS The class is annotated with net.jcip.annotations.Immutable or javax.annotation.concurrent.Immutable, and the rules for those annotations require that all fields are final. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#jcip-fields-of-immutable-classes-should-be-final-jcip-field-isnt-final-in-immutable-class
DM_RUN_FINALIZERS_ON_EXIT Never call System.runFinalizersOnExit or Runtime.runFinalizersOnExit for any reason: they are among the most dangerous methods in the Java libraries. — Joshua Bloch Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#dm-method-invokes-dangerous-method-runfinalizersonexit-dm-run-finalizers-on-exit
NP_EQUALS_SHOULD_HANDLE_NULL_ARGUMENT This implementation of equals(Object) violates the contract defined by java.lang.Object.equals() because it does not check for null being passed as the argument. All equals() methods should return false if passed a null value. Maintainability https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#np-equals-method-does-not-check-for-null-argument-np-equals-should-handle-null-argument
FI_NULLIFY_SUPER This empty finalize() method explicitly negates the effect of any finalizer defined by its superclass. Any finalizer actions defined for the superclass will not be performed. Unless this is intended, delete this method. Analyzability https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#fi-finalizer-nullifies-superclass-finalizer-fi-nullify-super
FI_USELESS The only thing this finalize() method does is call the superclass’s finalize() method, making it redundant. Delete it. Understandability https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#fi-finalizer-does-nothing-but-call-superclass-finalizer-fi-useless
FI_MISSING_SUPER_CALL This finalize() method does not make a call to its superclass’s finalize() method. So, any finalizer actions defined for the superclass will not be performed. Add a call to super.finalize(). Accuracy https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#fi-finalizer-does-not-call-superclass-finalizer-fi-missing-super-call
FI_EXPLICIT_INVOCATION This method contains an explicit invocation of the finalize() method on an object. Because finalizer methods are supposed to be executed once, and only by the VM, this is a bad idea.

If a connected set of objects beings finalizable, then the VM will invoke the finalize method on all the finalizable object, possibly at the same time in different threads. Thus, it is a particularly bad idea, in the finalize method for a class X, invoke finalize on objects referenced by X, because they may already be getting finalized in a separate thread.

Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#fi-explicit-invocation-of-finalizer-fi-explicit-invocation
EQ_CHECK_FOR_OPERAND_NOT_COMPATIBLE_WITH_THIS This equals method is checking to see if the argument is some incompatible type (i.e., a class that is neither a supertype nor subtype of the class that defines the equals method). Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#eq-equals-checks-for-incompatible-operand-eq-check-for-operand-not-compatible-with-this
EQ_GETCLASS_AND_CLASS_CONSTANT This class has an equals method that will be broken if it is inherited by subclasses. It compares a class literal with the class of the argument (e.g., in class Foo it might check if Foo.class == o.getClass()). It is better to check if this.getClass() == o.getClass(). Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#eq-equals-method-fails-for-subtypes-eq-getclass-and-class-constant
CO_COMPARETO_INCORRECT_FLOATING This method compares double or float values using pattern like this: val1 > val2 ? 1 : val1 < val2 ? -1 : 0. This pattern works incorrectly for -0.0 and NaN values which may result in incorrect sorting result or broken collection (if compared values are used as keys). Consider using Double.compare or Float.compare static methods which handle all the special cases correctly. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#co-compareto-compare-incorrectly-handles-float-or-double-value-co-compareto-incorrect-floating
ES_COMPARING_STRINGS_WITH_EQ This code compares java.lang.String objects for reference equality using the == or != operators. Unless both strings are either constants in a source file, or have been interned using the String.intern() method, the same string value may be represented by two different String objects. Consider using the equals(Object) method instead. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#es-comparison-of-string-objects-using-or-es-comparing-strings-with-eq
ES_COMPARING_PARAMETER_STRING_WITH_EQ This code compares a java.lang.String parameter for reference equality using the == or != operators. Requiring callers to pass only String constants or interned strings to a method is unnecessarily fragile, and rarely leads to measurable performance gains. Consider using the equals(Object) method instead. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#es-comparison-of-string-parameter-using-or-es-comparing-parameter-string-with-eq
HE_HASHCODE_NO_EQUALS This class defines a hashCode() method but not an equals() method. Therefore, the class may violate the invariant that equal objects must have equal hashcodes. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#he-class-defines-hashcode-but-not-equals-he-hashcode-no-equals
HE_EQUALS_USE_HASHCODE This class overrides equals(Object), but does not override hashCode(), and inherits the implementation of hashCode() from java.lang.Object (which returns the identity hash code, an arbitrary value assigned to the object by the VM). Therefore, the class is very likely to violate the invariant that equal objects must have equal hashcodes. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#he-class-defines-equals-and-uses-object-hashcode-he-equals-use-hashcode
HE_INHERITS_EQUALS_USE_HASHCODE This class inherits equals(Object) from an abstract superclass, and hashCode() from java.lang.Object (which returns the identity hash code, an arbitrary value assigned to the object by the VM). Therefore, the class is very likely to violate the invariant that equal objects must have equal hashcodes.

If you don’t want to define a hashCode method, and/or don’t believe the object will ever be put into a HashMap/Hashtable, define the hashCode() method to throw UnsupportedOperationException.

Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#he-class-inherits-equals-and-uses-object-hashcode-he-inherits-equals-use-hashcode
HE_EQUALS_NO_HASHCODE This class overrides equals(Object), but does not override hashCode(). Therefore, the class may violate the invariant that equal objects must have equal hashcodes. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#he-class-defines-equals-but-not-hashcode-he-equals-no-hashcode
IT_NO_SUCH_ELEMENT This class implements the java.util.Iterator interface. However, its next() method is not capable of throwing java.util.NoSuchElementException. The next() method should be changed so it throws NoSuchElementException if is called when there are no more elements to return. Understandability https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#it-iterator-next-method-can-t-throw-nosuchelementexception-it-no-such-element
SE_NO_SERIALVERSIONID This class implements the Serializable interface, but does not define a serialVersionUID field. A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID. Portability https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#snvi-class-is-serializable-but-doesn-t-define-serialversionuid-se-no-serialversionid
SE_TRANSIENT_FIELD_NOT_RESTORED This class contains a field that is updated at multiple places in the class, thus it seems to be part of the state of the class. However, since the field is marked as transient and not set in readObject or readResolve, it will contain the default value in any deserialized instance of the class. Accuracy https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#se-transient-field-that-isn-t-set-by-deserialization-se-transient-field-not-restored
NP_TOSTRING_COULD_RETURN_NULL This toString method seems to return null in some circumstances. A liberal reading of the spec could be interpreted as allowing this, but it is probably a bad idea and could cause other code to break. Return the empty string or some other appropriate string rather than null. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#np-tostring-method-may-return-null-np-tostring-could-return-null
OS_OPEN_STREAM The method creates an IO stream object, does not assign it to any fields, pass it to other methods that might close it, or return it, and does not appear to close the stream on all paths out of the method. This may result in a file descriptor leak. It is generally a good idea to use a finally block to ensure that streams are closed. Resource Utilization https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#os-method-may-fail-to-close-stream-os-open-stream
OS_OPEN_STREAM_EXCEPTION_PATH The method creates an IO stream object, does not assign it to any fields, pass it to other methods, or return it, and does not appear to close it on all possible exception paths out of the method. This may result in a file descriptor leak. It is generally a good idea to use a finally block to ensure that streams are closed. Resource Utilization https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#os-method-may-fail-to-close-stream-on-exception-os-open-stream-exception-path
RC_REF_COMPARISON_BAD_PRACTICE This method compares a reference value to a constant using the == or != operator, where the correct way to compare instances of this type is generally with the equals() method. It is possible to create distinct instances that are equal but do not compare as == since they are different objects. Examples of classes which should generally not be compared by reference are java.lang.Integer, java.lang.Float, etc. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#rc-suspicious-reference-comparison-to-constant-rc-ref-comparison-bad-practice
RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN This method compares two Boolean values using the == or != operator. Normally, there are only two Boolean values (Boolean.TRUE and Boolean.FALSE), but it is possible to create other Boolean objects using the new Boolean(b) constructor. It is best to avoid such objects, but if they do exist, then checking Boolean objects for equality using == or != will give results than are different than you would get using .equals(…). Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#rc-suspicious-reference-comparison-of-boolean-values-rc-ref-comparison-bad-practice-boolean
ODR_OPEN_DATABASE_RESOURCE The method creates a database resource (such as a database connection or row set), does not assign it to any fields, pass it to other methods, or return it, and does not appear to close the object on all paths out of the method. Failure to close database resources on all paths out of a method may result in poor performance, and could cause the application to have problems communicating with the database. Resource Utilization https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#odr-method-may-fail-to-close-database-resource-odr-open-database-resource
ODR_OPEN_DATABASE_RESOURCE_EXCEPTION_PATH The method creates a database resource (such as a database connection or row set), does not assign it to any fields, pass it to other methods, or return it, and does not appear to close the object on all exception paths out of the method. Failure to close database resources on all paths out of a method may result in poor performance, and could cause the application to have problems communicating with the database. Resource Utilization https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#odr-method-may-fail-to-close-database-resource-on-exception-odr-open-database-resource-exception-path
J2EE_STORE_OF_NON_SERIALIZABLE_OBJECT_INTO_SESSION This code seems to be storing a non-serializable object into an HttpSession. If this session is passivated or migrated, an error will result. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#j2ee-store-of-non-serializable-object-into-httpsession-j2ee-store-of-non-serializable-object-into-session
DMI_USING_REMOVEALL_TO_CLEAR_COLLECTION If you want to remove all elements from a collection c, use c.clear, not c.removeAll(c). Calling c.removeAll(c) to clear a collection is less clear, susceptible to errors from typos, less efficient and for some collections, might throw a ConcurrentModificationException. Maintainability https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#dmi-don-t-use-removeall-to-clear-a-collection-dmi-using-removeall-to-clear-collection
NP_OPTIONAL_RETURN_NULL The usage of Optional return type (java.util.Optional or com.google.common.base.Optional) always means that explicit null returns were not desired by design. Returning a null value in such case is a contract violation and will most likely break client code. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#np-method-with-optional-return-type-returns-explicit-null-np-optional-return-null
VR_UNRESOLVABLE_REFERENCE This class makes a reference to a class or method that can not be resolved using against the libraries it is being analyzed with. Accuracy https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#vr-class-makes-reference-to-unresolvable-class-or-method-vr-unresolvable-reference
IL_INFINITE_LOOP This loop doesn’t seem to have a way to terminate (other than by perhaps throwing an exception). Understandability https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#il-an-apparent-infinite-loop-il-infinite-loop
FL_MATH_USING_FLOAT_PRECISION The method performs math operations using floating point precision. Floating point precision is very imprecise. For example, 16777216.0f + 1.0f = 16777216.0f. Consider using double math instead. Accuracy https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#fl-method-performs-math-using-floating-point-precision-fl-math-using-float-precision
NP_ARGUMENT_MIGHT_BE_NULL A parameter to this method has been identified as a value that should always be checked to see whether or not it is null, but it is being dereferenced without a preceding null check. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#np-method-does-not-check-for-null-argument-np-argument-might-be-null
EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC This class defines an equals method that overrides an equals method in a superclass. Both equals methods methods use instanceof in the determination of whether two objects are equal. This is fraught with peril, since it is important that the equals method is symmetrical (in other words, a.equals(b) == b.equals(a)). If B is a subtype of A, and A’s equals method checks that the argument is an instanceof A, and B’s equals method checks that the argument is an instanceof B, it is quite likely that the equivalence relation defined by these methods is not symmetric. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#eq-equals-method-overrides-equals-in-superclass-and-may-not-be-symmetric-eq-overriding-equals-not-symmetric
EQ_DONT_DEFINE_EQUALS_FOR_ENUM This class defines an enumeration, and equality on enumerations are defined using object identity. Defining a covariant equals method for an enumeration value is exceptionally bad practice, since it would likely result in having two different enumeration values that compare as equals using the covariant enum method, and as not equal when compared normally. Don’t do it. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#eq-covariant-equals-method-defined-for-enum-eq-dont-define-equals-for-enum
RANGE_ARRAY_INDEX Array operation is performed, but array index is out of bounds, which will result in ArrayIndexOutOfBoundsException at runtime. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#range-array-index-is-out-of-bounds-range-array-index
RANGE_ARRAY_OFFSET Method is called with array parameter and offset parameter, but the offset is out of bounds. This will result in IndexOutOfBoundsException at runtime. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#range-array-offset-is-out-of-bounds-range-array-offset
RANGE_ARRAY_LENGTH Method is called with array parameter and length parameter, but the length is out of bounds. This will result in IndexOutOfBoundsException at runtime. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#range-array-length-is-out-of-bounds-range-array-length
RANGE_STRING_INDEX String method is called and specified string index is out of bounds. This will result in StringIndexOutOfBoundsException at runtime. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#range-string-index-is-out-of-bounds-range-string-index
NP_ALWAYS_NULL A null pointer is dereferenced here. This will lead to a NullPointerException when the code is executed. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#np-null-pointer-dereference-np-always-null
NP_CLOSING_NULL close() is being invoked on a value that is always null. If this statement is executed, a null pointer exception will occur. But the big risk here you never close something that should be closed. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#np-close-invoked-on-a-value-that-is-always-null-np-closing-null
NP_STORE_INTO_NONNULL_FIELD A value that could be null is stored into a field that has been annotated as @Nonnull. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#np-store-of-null-value-into-field-annotated-nonnull-np-store-into-nonnull-field
NP_ALWAYS_NULL_EXCEPTION A pointer which is null on an exception path is dereferenced here. This will lead to a NullPointerException when the code is executed. Note that because SpotBugs currently does not prune infeasible exception paths, this may be a false warning.

Also note that SpotBugs considers the default case of a switch statement to be an exception path, since the default case is often infeasible.

Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#np-null-pointer-dereference-in-method-on-exception-path-np-always-null-exception
NP_NULL_ON_SOME_PATH There is a branch of statement that, if executed, guarantees that a null value will be dereferenced, which would generate a NullPointerException when the code is executed. Of course, the problem might be that the branch or statement is infeasible and that the null pointer exception can’t ever be executed; deciding that is beyond the ability of SpotBugs. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#np-possible-null-pointer-dereference-np-null-on-some-path
NP_NULL_ON_SOME_PATH_EXCEPTION A reference value which is null on some exception control path is dereferenced here. This may lead to a NullPointerException when the code is executed. Note that because SpotBugs currently does not prune infeasible exception paths, this may be a false warning.

Also note that SpotBugs considers the default case of a switch statement to be an exception path, since the default case is often infeasible.

Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#np-possible-null-pointer-dereference-in-method-on-exception-path-np-null-on-some-path-exception
NP_NULL_PARAM_DEREF This method call passes a null value for a non-null method parameter. Either the parameter is annotated as a parameter that should always be non-null, or analysis has shown that it will always be dereferenced. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#np-method-call-passes-null-for-non-null-parameter-np-null-param-deref
NP_NULL_PARAM_DEREF_NONVIRTUAL A possibly-null value is passed to a non-null method parameter. Either the parameter is annotated as a parameter that should always be non-null, or analysis has shown that it will always be dereferenced. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#np-non-virtual-method-call-passes-null-for-non-null-parameter-np-null-param-deref-nonvirtual
NP_NULL_PARAM_DEREF_ALL_TARGETS_DANGEROUS A possibly-null value is passed at a call site where all known target methods require the parameter to be non-null. Either the parameter is annotated as a parameter that should always be non-null, or analysis has shown that it will always be dereferenced. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#np-method-call-passes-null-for-non-null-parameter-np-null-param-deref-all-targets-dangerous
NP_GUARANTEED_DEREF There is a statement or branch that if executed guarantees that a value is null at this point, and that value that is guaranteed to be dereferenced (except on forward paths involving runtime exceptions).

Note that a check such as if (x == null) throw new NullPointerException(); is treated as a dereference of x.

Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#np-null-value-is-guaranteed-to-be-dereferenced-np-guaranteed-deref
RC_REF_COMPARISON This method compares two reference values using the == or != operator, where the correct way to compare instances of this type is generally with the equals() method. It is possible to create distinct instances that are equal but do not compare as == since they are different objects. Examples of classes which should generally not be compared by reference are java.lang.Integer, java.lang.Float, etc. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#rc-suspicious-reference-comparison-rc-ref-comparison
VA_PRIMITIVE_ARRAY_PASSED_TO_OBJECT_VARARG This code passes a primitive array to a function that takes a variable number of object arguments. This creates an array of length one to hold the primitive array and passes it to the function. Accuracy https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#va-primitive-array-passed-to-function-expecting-a-variable-number-of-object-arguments-va-primitive-array-passed-to-object-vararg
BAC_BAD_APPLET_CONSTRUCTOR This constructor calls methods in the parent Applet that rely on the AppletStub. Since the AppletStub isn’t initialized until the init() method of this applet is called, these methods will not perform correctly. Efficiency https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#bac-bad-applet-constructor-relies-on-uninitialized-appletstub-bac-bad-applet-constructor
DMI_LONG_BITS_TO_DOUBLE_INVOKED_ON_INT The Double.longBitsToDouble method is invoked, but a 32 bit int value is passed as an argument. This almost certainly is not intended and is unlikely to give the intended result. Accuracy https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#dmi-double-longbitstodouble-invoked-on-an-int-dmi-long-bits-to-double-invoked-on-int
BC_IMPOSSIBLE_CAST This cast will always throw a ClassCastException. SpotBugs tracks type information from instanceof checks, and also uses more precise information about the types of values returned from methods and loaded from fields. Thus, it may have more precise information that just the declared type of a variable, and can use this to determine that a cast will always throw an exception at runtime. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#bc-impossible-cast-bc-impossible-cast
OBL_UNSATISFIED_OBLIGATION This method may fail to clean up (close, dispose of) a stream, database object, or other resource requiring an explicit cleanup operation.

In general, if a method opens a stream or other resource, the method should use a try/finally block to ensure that the stream or resource is cleaned up before the method returns.

This bug pattern is essentially the same as the OS_OPEN_STREAM and ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and hopefully better) static analysis technique. We are interested is getting feedback about the usefulness of this bug pattern.

Resource Utilization https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#obl-method-may-fail-to-clean-up-stream-or-resource-obl-unsatisfied-obligation
OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE This method may fail to clean up (close, dispose of) a stream, database object, or other resource requiring an explicit cleanup operation. In general, if a method opens a stream or other resource, the method should use a try/finally block to ensure that the stream or resource is cleaned up before the method returns.

This bug pattern is essentially the same as the OS_OPEN_STREAM and ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and hopefully better) static analysis technique. We are interested is getting feedback about the usefulness of this bug pattern. In particular, the false-positive suppression heuristics for this bug pattern have not been extensively tuned, so reports about false positives are helpful to us.

Resource Utilization https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#obl-method-may-fail-to-clean-up-stream-or-resource-on-checked-exception-obl-unsatisfied-obligation-exception-edge
DP_DO_INSIDE_DO_PRIVILEGED This code invokes a method that requires a security permission check. If this code will be granted security permissions, but might be invoked by code that does not have security permissions, then the invocation needs to occur inside a doPrivileged block. Security https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#dp-method-invoked-that-should-be-only-be-invoked-inside-a-doprivileged-block-dp-do-inside-do-privileged
DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED This code creates a classloader, which needs permission if a security manage is installed. If this code might be invoked by code that does not have security permissions, then the classloader creation needs to occur inside a doPrivileged block. Security https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#dp-classloaders-should-only-be-created-inside-doprivileged-block-dp-create-classloader-inside-do-privileged
MS_EXPOSE_REP A public static method returns a reference to an array that is part of the static state of the class. Any code that calls this method can freely modify the underlying array. One fix is to return a copy of the array. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#ms-public-static-method-may-expose-internal-representation-by-returning-array-ms-expose-rep
EI_EXPOSE_REP Returning a reference to a mutable object value stored in one of the object’s fields exposes the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Returning a new copy of the object is better approach in many situations. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#ei-may-expose-internal-representation-by-returning-reference-to-mutable-object-ei-expose-rep
EI_EXPOSE_REP2 This code stores a reference to an externally mutable object into the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Storing a copy of the object is better approach in many situations. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#ei2-may-expose-internal-representation-by-incorporating-reference-to-mutable-object-ei-expose-rep2
EI_EXPOSE_STATIC_REP2 This code stores a reference to an externally mutable object into a static field. If unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Storing a copy of the object is better approach in many situations. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#ms-may-expose-internal-static-state-by-storing-a-mutable-object-into-a-static-field-ei-expose-static-rep2
DL_SYNCHRONIZATION_ON_SHARED_CONSTANT The code synchronizes on interned String. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#dl-synchronization-on-interned-string-dl-synchronization-on-shared-constant
DL_SYNCHRONIZATION_ON_BOOLEAN The code synchronizes on a boxed primitive constant, such as a Boolean. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#dl-synchronization-on-boolean-dl-synchronization-on-boolean
DL_SYNCHRONIZATION_ON_BOXED_PRIMITIVE The code synchronizes on a boxed primitive constant, such as an Integer. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#dl-synchronization-on-boxed-primitive-dl-synchronization-on-boxed-primitive
DL_SYNCHRONIZATION_ON_UNSHARED_BOXED_PRIMITIVE The code synchronizes on an apparently unshared boxed primitive, such as an Integer. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#dl-synchronization-on-boxed-primitive-values-dl-synchronization-on-unshared-boxed-primitive
SC_START_IN_CTOR The constructor starts a thread. This is likely to be wrong if the class is ever extended/subclassed, since the thread will be started before the subclass constructor is started. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#sc-constructor-invokes-thread-start-sc-start-in-ctor
UL_UNRELEASED_LOCK This method acquires a JSR-166 (java.util.concurrent) lock, but does not release it on all paths out of the method. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#ul-method-does-not-release-lock-on-all-paths-ul-unreleased-lock
UL_UNRELEASED_LOCK_EXCEPTION_PATH This method acquires a JSR-166 (java.util.concurrent) lock, but does not release it on all exception paths out of the method. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#ul-method-does-not-release-lock-on-all-exception-paths-ul-unreleased-lock-exception-path
LI_LAZY_INIT_STATIC This method contains an unsynchronized lazy initialization of a non-volatile static field. Because the compiler or processor may reorder instructions, threads are not guaranteed to see a completely initialized object, if the method can be called by multiple threads. You can make the field volatile to correct the problem. For more information, see the Java Memory Model web site. Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#li-incorrect-lazy-initialization-of-static-field-li-lazy-init-static
LI_LAZY_INIT_UPDATE_STATIC This method contains an unsynchronized lazy initialization of a static field. After the field is set, the object stored into that location is further updated or accessed. The setting of the field is visible to other threads as soon as it is set. If the further accesses in the method that set the field serve to initialize the object, then you have a very serious multithreading bug, unless something else prevents any other thread from accessing the stored object until it is fully initialized.

Even if you feel confident that the method is never called by multiple threads, it might be better to not set the static field until the value you are setting it to is fully populated/initialized.

Robustness https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#li-incorrect-lazy-initialization-and-update-of-static-field-li-lazy-init-update-static
SWL_SLEEP_WITH_LOCK_HELD This method calls Thread.sleep() with a lock held. This may result in very poor performance and scalability, or a deadlock, since other threads may be waiting to acquire the lock. It is a much better idea to call wait() on the lock, which releases the lock and allows other threads to run. Efficiency https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#swl-method-calls-thread-sleep-with-a-lock-held-swl-sleep-with-lock-held
DMI_BLOCKING_METHODS_ON_URL The equals and hashCode method of URL perform domain name resolution, this can result in a big performance hit. See http://michaelscharf.blogspot.com/2006/11/javaneturlequals-and-hashcode-make.html for more information. Consider using java.net.URI instead. Efficiency https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#dm-the-equals-and-hashcode-methods-of-url-are-blocking-dmi-blocking-methods-on-url
DMI_COLLECTION_OF_URLS This method or field is or uses a Map or Set of URLs. Since both the equals and hashCode method of URL perform domain name resolution, this can result in a big performance hit. See http://michaelscharf.blogspot.com/2006/11/javaneturlequals-and-hashcode-make.html for more information. Consider using java.net.URI instead. Efficiency https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#dm-maps-and-sets-of-urls-can-be-performance-hogs-dmi-collection-of-urls
DM_GC Code explicitly invokes garbage collection. Except for specific use in benchmarking, this is very dubious.

In the past, situations where people have explicitly invoked the garbage collector in routines such as close or finalize methods has led to huge performance black holes. Garbage collection can be expensive. Any situation that forces hundreds or thousands of garbage collections will bring the machine to a crawl.

Efficiency https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#dm-explicit-garbage-collection-extremely-dubious-except-in-benchmarking-code-dm-gc
WMI_WRONG_MAP_ITERATOR This method accesses the value of a Map entry, using a key that was retrieved from a keySet iterator. It is more efficient to use an iterator on the entrySet of the map, to avoid the Map.get(key) lookup. Efficiency https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#wmi-inefficient-use-of-keyset-iterator-instead-of-entryset-iterator-wmi-wrong-map-iterator
XSS_REQUEST_PARAMETER_TO_SEND_ERROR This code directly writes an HTTP parameter to a Server error page (using HttpServletResponse.sendError). Echoing this untrusted input allows for a reflected cross site scripting vulnerability. See http://en.wikipedia.org/wiki/Cross-site_scripting for more information.

SpotBugs looks only for the most blatant, obvious cases of cross site scripting. If SpotBugs found any, you almost certainly have more cross site scripting vulnerabilities that SpotBugs doesn’t report. If you are concerned about cross site scripting, you should seriously consider using a commercial static analysis or pen-testing tool.

Security https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#xss-servlet-reflected-cross-site-scripting-vulnerability-in-error-page-xss-request-parameter-to-send-error
XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER This code directly writes an HTTP parameter to Servlet output, which allows for a reflected cross site scripting vulnerability. See http://en.wikipedia.org/wiki/Cross-site_scripting for more information.

SpotBugs looks only for the most blatant, obvious cases of cross site scripting. If SpotBugs found any, you almost certainly have more cross site scripting vulnerabilities that SpotBugs doesn’t report. If you are concerned about cross site scripting, you should seriously consider using a commercial static analysis or pen-testing tool.

Security https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#xss-servlet-reflected-cross-site-scripting-vulnerability-xss-request-parameter-to-servlet-writer
XSS_REQUEST_PARAMETER_TO_JSP_WRITER This code directly writes an HTTP parameter to JSP output, which allows for a cross site scripting vulnerability. See http://en.wikipedia.org/wiki/Cross-site_scripting for more information.

SpotBugs looks only for the most blatant, obvious cases of cross site scripting. If SpotBugs found any, you almost certainly have more cross site scripting vulnerabilities that SpotBugs doesn’t report. If you are concerned about cross site scripting, you should seriously consider using a commercial static analysis or pen-testing tool.

Security https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#xss-jsp-reflected-cross-site-scripting-vulnerability-xss-request-parameter-to-jsp-writer
HRS_REQUEST_PARAMETER_TO_HTTP_HEADER This code directly writes an HTTP parameter to an HTTP header, which allows for a HTTP response splitting vulnerability. See http://en.wikipedia.org/wiki/HTTP_response_splitting for more information.

SpotBugs looks only for the most blatant, obvious cases of HTTP response splitting. If SpotBugs found any, you almost certainly have more vulnerabilities that SpotBugs doesn’t report. If you are concerned about HTTP response splitting, you should seriously consider using a commercial static analysis or pen-testing tool.

Security https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#hrs-http-response-splitting-vulnerability-hrs-request-parameter-to-http-header
HRS_REQUEST_PARAMETER_TO_COOKIE This code constructs an HTTP Cookie using an untrusted HTTP parameter. If this cookie is added to an HTTP response, it will allow a HTTP response splitting vulnerability. See http://en.wikipedia.org/wiki/HTTP_response_splitting for more information.

SpotBugs looks only for the most blatant, obvious cases of HTTP response splitting. If SpotBugs found any, you almost certainly have more vulnerabilities that SpotBugs doesn’t report. If you are concerned about HTTP response splitting, you should seriously consider using a commercial static analysis or pen-testing tool.

Security https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#hrs-http-cookie-formed-from-untrusted-input-hrs-request-parameter-to-cookie
PT_ABSOLUTE_PATH_TRAVERSAL The software uses an HTTP request parameter to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as “/abs/path” that can resolve to a location that is outside of that directory. See http://cwe.mitre.org/data/definitions/36.html for more information.

SpotBugs looks only for the most blatant, obvious cases of absolute path traversal. If SpotBugs found any, you almost certainly have more vulnerabilities that SpotBugs doesn’t report. If you are concerned about absolute path traversal, you should seriously consider using a commercial static analysis or pen-testing tool.

Security https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#pt-absolute-path-traversal-in-servlet-pt-absolute-path-traversal
PT_RELATIVE_PATH_TRAVERSAL The software uses an HTTP request parameter to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as “..” that can resolve to a location that is outside of that directory. See http://cwe.mitre.org/data/definitions/23.html for more information.

SpotBugs looks only for the most blatant, obvious cases of relative path traversal. If SpotBugs found any, you almost certainly have more vulnerabilities that SpotBugs doesn’t report. If you are concerned about relative path traversal, you should seriously consider using a commercial static analysis or pen-testing tool.

Security https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#pt-relative-path-traversal-in-servlet-pt-relative-path-traversal
DMI_CONSTANT_DB_PASSWORD This code creates a database connect using a hardcoded, constant password. Anyone with access to either the source code or the compiled code can easily learn the password. Security https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#dm-hardcoded-constant-database-password-dmi-constant-db-password
DMI_EMPTY_DB_PASSWORD This code creates a database connect using a blank or empty password. This indicates that the database is not protected by a password. Security https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#dm-empty-database-password-dmi-empty-db-password
SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE The method invokes the execute or addBatch method on an SQL statement with a String that seems to be dynamically generated. Consider using a prepared statement instead. It is more efficient and less vulnerable to SQL injection attacks.   https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#sql-nonconstant-string-passed-to-execute-or-addbatch-method-on-an-sql-statement-sql-nonconstant-string-passed-to-execute
SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used in building this String, SQL injection could be used to make the prepared statement do something unexpected and undesirable.   https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#sql-a-prepared-statement-is-generated-from-a-nonconstant-string-sql-prepared-statement-generated-from-nonconstant-string
CAA_COVARIANT_ARRAY_FIELD Array of covariant type is assigned to a field. This is confusing and may lead to ArrayStoreException at runtime if the reference of some other type will be stored in this array later like in the following code:

Number[] arr = new Integer[10];
arr[0] = 1.0;

  https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#caa-covariant-array-assignment-to-a-field-caa-covariant-array-field
CAA_COVARIANT_ARRAY_RETURN Array of covariant type is returned from the method. This is confusing and may lead to ArrayStoreException at runtime if the calling code will try to store the reference of some other type in the returned array.

Consider changing the type of created array or the method return type.

  https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#caa-covariant-array-is-returned-from-the-method-caa-covariant-array-return
CAA_COVARIANT_ARRAY_LOCAL Array of covariant type is assigned to a local variable. This is confusing and may lead to ArrayStoreException at runtime if the reference of some other type will be stored in this array later like in the following code:

Number[] arr = new Integer[10];
arr[0] = 1.0;

  https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#caa-covariant-array-assignment-to-a-local-variable-caa-covariant-array-local
DMI_UNSUPPORTED_METHOD All targets of this method invocation throw an UnsupportedOperationException.   https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#dm-call-to-unsupported-method-dmi-unsupported-method
DMI_THREAD_PASSED_WHERE_RUNNABLE_EXPECTED A Thread object is passed as a parameter to a method where a Runnable is expected. This is rather unusual, and may indicate a logic error or cause unexpected behavior.   https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#dm-thread-passed-where-runnable-expected-dmi-thread-passed-where-runnable-expected
NS_DANGEROUS_NON_SHORT_CIRCUIT This code seems to be using non-short-circuit logic (e.g., & or |) rather than short-circuit logic (&& or ||). In addition, it seem possible that, depending on the value of the left hand side, you might not want to evaluate the right hand side (because it would have side effects, could cause an exception or could be expensive.

Non-short-circuit logic causes both sides of the expression to be evaluated even when the result can be inferred from knowing the left-hand side. This can be less efficient and can result in errors if the left-hand side guards cases when evaluating the right-hand side can generate an error.

  https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#ns-potentially-dangerous-use-of-non-short-circuit-logic-ns-dangerous-non-short-circuit
IC_INIT_CIRCULARITY A circularity was detected in the static initializers of the two classes referenced by the bug instance. Many kinds of unexpected behavior may arise from such circularity.   https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#ic-initialization-circularity-ic-init-circularity
QF_QUESTIONABLE_FOR_LOOP Are you sure this for loop is incrementing the correct variable? It appears that another variable is being initialized and checked by the for loop.   https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#qf-complicated-subtle-or-wrong-increment-in-for-loop-qf-questionable-for-loop
NP_UNWRITTEN_PUBLIC_OR_PROTECTED_FIELD The program is dereferencing a public or protected field that does not seem to ever have a non-null value written to it. Unless the field is initialized via some mechanism not seen by the analysis, dereferencing this value will generate a null pointer exception.   https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#np-read-of-unwritten-public-or-protected-field-np-unwritten-public-or-protected-field
UCF_USELESS_CONTROL_FLOW_NEXT_LINE This method contains a useless control flow statement in which control flow follows to the same or following line regardless of whether or not the branch is taken. Often, this is caused by inadvertently using an empty statement as the body of an if statement.   https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#ucf-useless-control-flow-to-next-line-ucf-useless-control-flow-next-line
REC_CATCH_EXCEPTION This method uses a try-catch block that catches Exception objects, but Exception is not thrown within the try block, and RuntimeException is not explicitly caught. It is a common bug pattern to say try { … } catch (Exception e) { something } as a shorthand for catching a number of types of exception each of whose catch blocks is identical, but this construct also accidentally catches RuntimeException as well, masking potential bugs.

A better approach is to either explicitly catch the specific exceptions that are thrown, or to explicitly catch RuntimeException exception, rethrow it, and then catch all non-Runtime Exceptions.

  https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#rec-exception-is-caught-when-exception-is-not-thrown-rec-catch-exception
FE_FLOATING_POINT_EQUALITY This operation compares two floating point values for equality. Because floating point calculations may involve rounding, calculated float and double values may not be accurate. For values that must be precise, such as monetary values, consider using a fixed-precision type such as BigDecimal. For values that need not be precise, consider comparing for equality within some range, for example: if ( Math.abs(x – y) < .0000001 ). See the Java Language Specification, section 4.2.4.   https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#fe-test-for-floating-point-equality-fe-floating-point-equality
CD_CIRCULAR_DEPENDENCY This class has a circular dependency with other classes. This makes building these classes difficult, as each is dependent on the other to build correctly. Consider using interfaces to break the hard dependency.   https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#cd-test-for-circular-dependencies-among-classes-cd-circular-dependency
PS_PUBLIC_SEMAPHORES This class uses synchronization along with wait(), notify() or notifyAll() on itself (the this reference). Client classes that use this class, may, in addition, use an instance of this class as a synchronizing object. Because two classes are using the same object for synchronization, Multithread correctness is suspect. You should not synchronize nor call semaphore methods on a public reference. Consider using a internal private member variable to control synchronization.   https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#ps-class-exposes-synchronization-and-semaphores-in-its-public-interface-ps-public-semaphores
IM_AVERAGE_COMPUTATION_COULD_OVERFLOW The code computes the average of two integers using either division or signed right shift, and then uses the result as the index of an array. If the values being averaged are very large, this can overflow (resulting in the computation of a negative average). Assuming that the result is intended to be nonnegative, you can use an unsigned right shift instead. In other words, rather that using (low+high)/2, use (low+high) >>> 1

This bug exists in many earlier implementations of binary search and merge sort. Martin Buchholz found and fixed it in the JDK libraries, and Joshua Bloch widely publicized the bug pattern.

  https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#im-computation-of-average-could-overflow-im-average-computation-could-overflow
NP_METHOD_RETURN_RELAXING_ANNOTATION A method should always implement the contract of a method it overrides. Thus, if a method takes is annotated as returning a @Nonnull value, you shouldn’t override that method in a subclass with a method annotated as returning a @Nullable or @CheckForNull value. Doing so violates the contract that the method shouldn’t return null.   https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#np-method-relaxes-nullness-annotation-on-return-value-np-method-return-relaxing-annotation
NP_METHOD_PARAMETER_TIGHTENS_ANNOTATION A method should always implement the contract of a method it overrides. Thus, if a method takes a parameter that is marked as @Nullable, you shouldn’t override that method in a subclass with a method where that parameter is @Nonnull. Doing so violates the contract that the method should handle a null parameter.   https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#np-method-tightens-nullness-annotation-on-parameter-np-method-parameter-tightens-annotation