High level issues – Code Quality Docs

July 21, 2020

Rule	Description	Example	KPI
Initialization Of Secure Random At Method Level	"SecureRandom" should not be initialized in method. Every SecureRandom generation is seeded from some entropy pool. Creating a new SecureRandom method on every call might slow down the application as it might block the creation of seed. Use a statically created instance instead.	Non-compliant code `class Demo { public int generateSecureKey() { SecureRandom secureRandom = new SecureRandom(); return secureRandom.nextInt(); } }` Compliant code `class SecureRandomGenerator { static SecureRandom secureRandom = new SecureRandom(); public int generateSecureKey() { return secureRandom.nextInt(); } }`	Security
Security Sensitive Regex	Regular expressions are security-sensitive. Evaluating regular expressions with input string can be an extremely CPU-intensive task. The regular expression naive algorithm builds a Nondeterministic Finite Automaton (NFA), the attacker might use the knowledge of states of finite state machine to look for applications that use regular expressions, containing an Evil Regex, and send a well-crafted input, that will hang the system. Alternatively, if a Regex itself is affected by a user input, the attacker can inject an Evil Regex, and make the system vulnerable.	Examples of Evil Patterns: Examples of Evil pattern : 1) (a+)+ 2) ([a-zA-Z]+)* 3) (a\|aa)+ 4) (a\|a?)+ 5) (.a){2} for x > 10 E.g Pattern: /(a+)+b/; Input string:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab Instead use Pattern:(/a+b/) //fixed the hard-coded regex pattern to avoid possible captures, possessive quantifiers and back-references To avoid possible attacks, if the regex pattern is defined with an user-controlled input, it should be sanitized in order to escape characters which are part of the regular expression syntax. Non-compliant code* `class Demo { public boolean validate1(javax.servlet.http.HttpServletRequest request) { String regex = " /(a+)+b/"; String input = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab"; input.matches(regex); //Noncompliant } }` Compliant code `class Demo { public boolean { validate2(javax.servlet.http.HttpServletRequest request) { String regex = "/a+b/"; String input = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab"; input.matches(Pattern.quote(regex)); // Compliant } }`	Efficiency, Security
Use Of System.err.println	1. System.err.println is an IO-operation and therefore is time consuming. 2. The better approach is to use a logging framework for a message queue. 3. Moreover, you can configure separate log files for different purposes.	Non-compliant code `class Demo { public void process1() { System.err.println("Error while processing"); } }` Compliant code `class Demo { public void process2() { logger.error("Error while processing",e); } }`	Analyzability
Invalid Logging Class Name	Avoid incorrect class names while creating logger. Ignoring this may create confusion while analysing logs.	Non-compliant code `public class LoggingClass extends BaseChecker { private static Logger logger = LogManager.getLogger(InvalidLoggingClass.class.getName()); }` Compliant code `public class LoggingClass extends BaseChecker { private static Logger logger = LogManager.getLogger(LoggingClass.class.getName()); }`	Analyzability
Use Of System.out.println	1.Sending messages to stdout is usually inappropriate in a production environment. E.g. If you are coding a GUI app, the information should be presented to the user and not to the stdout method anywhere. 2.System.out.println is an IO-operation and therefore is time consuming. The better approach is to use a logging framework for a message queue. 3.Moreover, you can configure separate log files for different purposes.	Non-compliant code `class Demo { public void process1() { //some statements System.out.println("Some text"); }` Compliant code `public void process2() { //some statements logger.info("Some text"); } }`	Analyzability
Complex Regex Pattern	Avoid usage of complex Regex pattern as it involves heavy processing.In some cases complex Regex performance test shows that regex is significantly inefficient.	//Non-compliant code `class Demo { String regex = "(.)(\\d+)(.)"; Pattern p = Pattern.compile(regex); }`	Efficiency
Empty Catch Block	Empty Catch Block finds instances where an exception is caught, but nothing is done. In most circumstances, this ignores an exception which should either be acted on or reported. Avoid keeping the catch block empty.	// Non-compliant code `class Demo { public void process1() { try { FileInputStream fis = new FileInputStream("/tmp/bugger"); } catch (IOException ioe) { } }` // compliant code `public void process2() { try { FileInputStream fis = new FileInputStream("/tmp/bugger"); } catch (IOException ex) { logger.error("Inside catch block",ex); } } }`	Analyzability
Empty Catch Block	Empty Catch Block finds instances where an exception is caught, but nothing is done. In most circumstances, this ignores an exception which should either be acted on or reported. Avoid keeping the catch block empty.	// Non-compliant code `class Demo { public void process1() { try { FileInputStream fis = new FileInputStream("/tmp/bugger"); } catch (IOException ioe) { } }` // compliant code `public void process2() { try { FileInputStream fis = new FileInputStream("/tmp/bugger"); } catch (IOException ex) { logger.error("Inside catch block",ex); } } }`	Analyzability
Sensitive Info Logged	Logger is used for recording application activity. Information displayed on the logs is visible to different stakeholders. Avoid logging sensitive information such as password, key, social security number etc. Not complying may compromise the system security.	Non-compliant code: `class Demo { void process1(String password) { //Displaying sensitive information in logs logger.info("Password received "+ password); } }` Compliant code `class Demo { void process1(String password) { //doSomething logger.info("Password received"); } }`	Security
Main Should Not Throw Anything	The main method should not throw any checked exception, instead, it needs to handle properly. If a non-checked exception is thrown (and not catch) in the main method, it will terminate.	Non-compliant code: `public static void main(String args[]) throws Exception{ System.out.println("Hello"); } }` Compliant code `public static void main(String[] args) { try { int data=50/0; } catch(ArithmeticException e){ System.out.println(e); } }`	Functionality
Avoid Synchronized At Method Level	Avoid synchronized at method level. When new code is added to the existing method then method-level synchronization can cause problems so to avoid these kind of problems use block-level synchronization. Block-level synchronization helps to ensure that only the code that needs synchronization gets it.	Non-compliant code: `public class SynchronizedCounter { // Non-compliant code private int c = 0; public synchronized void increment() { c++; } }` Compliant code `public class SynchronizedCounter { // compliant code private int c = 0; public void increment() { synchronized(Test.class) { c++; } } }`	Efficiency
Shortcircuit Logic Should Be Used In Boolean Contexts	Using non-short-curcuit logic is a mistake it can also cause serious problem error.	Non-compliant code: `if(getTrue() \| getFalse()) { ... }` Compliant code `if(getTrue() \|\| getFalse()) { ... }`	Efficiency

Embold Java Issues