Sensitive cookies without the HttpOnly response header set — CodeQL query help documentation (CodeQL query help for Java and Kotlin)