Showing 6,935 of 6,952 total issues
Remove this unused "cpeUptimeAvg" private field. Open
private Average cpeUptimeAvg = new Average(1);- Read upRead up
- Exclude checks
If a private field is declared but not used in the program, it can be considered dead code and should therefore be removed. This will
improve maintainability because developers will not wonder what the variable is used for.
Note that this rule does not take reflection into account, which means that issues will be raised on private fields that are only
accessed using the reflection API.
Noncompliant Code Example
public class MyClass {
private int foo = 42;
public int compute(int a) {
return a * 42;
}
}
Compliant Solution
public class MyClass {
public int compute(int a) {
return a * 42;
}
}
Exceptions
The Java serialization runtime associates with each serializable class a version number, called serialVersionUID, which is used during
deserialization to verify that the sender and receiver of a serialized object have loaded classes for that object that are compatible with respect to
serialization.
A serializable class can declare its own serialVersionUID explicitly by declaring a field named serialVersionUID that
must be static, final, and of type long. By definition those serialVersionUID fields should not be reported by this rule:
public class MyClass implements java.io.Serializable {
private static final long serialVersionUID = 42L;
}
Moreover, this rule doesn't raise any issue on annotated fields.
Remove this unused "firstEventTms" private field. Open
private Date firstEventTms;- Read upRead up
- Exclude checks
If a private field is declared but not used in the program, it can be considered dead code and should therefore be removed. This will
improve maintainability because developers will not wonder what the variable is used for.
Note that this rule does not take reflection into account, which means that issues will be raised on private fields that are only
accessed using the reflection API.
Noncompliant Code Example
public class MyClass {
private int foo = 42;
public int compute(int a) {
return a * 42;
}
}
Compliant Solution
public class MyClass {
public int compute(int a) {
return a * 42;
}
}
Exceptions
The Java serialization runtime associates with each serializable class a version number, called serialVersionUID, which is used during
deserialization to verify that the sender and receiver of a serialized object have loaded classes for that object that are compatible with respect to
serialization.
A serializable class can declare its own serialVersionUID explicitly by declaring a field named serialVersionUID that
must be static, final, and of type long. By definition those serialVersionUID fields should not be reported by this rule:
public class MyClass implements java.io.Serializable {
private static final long serialVersionUID = 42L;
}
Moreover, this rule doesn't raise any issue on annotated fields.
Remove this unused "unconfirmedFailed" private field. Open
private Integer unconfirmedFailed;- Read upRead up
- Exclude checks
If a private field is declared but not used in the program, it can be considered dead code and should therefore be removed. This will
improve maintainability because developers will not wonder what the variable is used for.
Note that this rule does not take reflection into account, which means that issues will be raised on private fields that are only
accessed using the reflection API.
Noncompliant Code Example
public class MyClass {
private int foo = 42;
public int compute(int a) {
return a * 42;
}
}
Compliant Solution
public class MyClass {
public int compute(int a) {
return a * 42;
}
}
Exceptions
The Java serialization runtime associates with each serializable class a version number, called serialVersionUID, which is used during
deserialization to verify that the sender and receiver of a serialized object have loaded classes for that object that are compatible with respect to
serialization.
A serializable class can declare its own serialVersionUID explicitly by declaring a field named serialVersionUID that
must be static, final, and of type long. By definition those serialVersionUID fields should not be reported by this rule:
public class MyClass implements java.io.Serializable {
private static final long serialVersionUID = 42L;
}
Moreover, this rule doesn't raise any issue on annotated fields.
Remove this useless assignment; "ds" already holds the assigned value along all execution paths. Open
ds = addUnittypeOrProfileCriteria(ds, filter);- Read upRead up
- Exclude checks
The transitive property says that if a == b and b == c, then a == c. In such cases, there's no point in
assigning a to c or vice versa because they're already equivalent.
This rule raises an issue when an assignment is useless because the assigned-to variable already holds the value on all execution paths.
Noncompliant Code Example
a = b; c = a; b = c; // Noncompliant: c and b are already the same
Compliant Solution
a = b; c = a;
Either re-interrupt this method or rethrow the "InterruptedException" that can be caught here. Open
} catch (InterruptedException e) {- Read upRead up
- Exclude checks
InterruptedExceptions should never be ignored in the code, and simply logging the exception counts in this case as "ignoring". The
throwing of the InterruptedException clears the interrupted state of the Thread, so if the exception is not handled properly the fact
that the thread was interrupted will be lost. Instead, InterruptedExceptions should either be rethrown - immediately or after cleaning up
the method's state - or the thread should be re-interrupted by calling Thread.interrupt() even if this is supposed to be a
single-threaded application. Any other course of action risks delaying thread shutdown and loses the information that the thread was interrupted -
probably without finishing its task.
Similarly, the ThreadDeath exception should also be propagated. According to its JavaDoc:
If
ThreadDeathis caught by a method, it is important that it be rethrown so that the thread actually dies.
Noncompliant Code Example
public void run () {
try {
while (true) {
// do stuff
}
}catch (InterruptedException e) { // Noncompliant; logging is not enough
LOGGER.log(Level.WARN, "Interrupted!", e);
}
}
Compliant Solution
public void run () {
try {
while (true) {
// do stuff
}
}catch (InterruptedException e) {
LOGGER.log(Level.WARN, "Interrupted!", e);
// Restore interrupted state...
Thread.currentThread().interrupt();
}
}
See
- MITRE, CWE-391 - Unchecked Error Condition
- Dealing with InterruptedException
Use try-with-resources or close this "Statement" in a "finally" clause. Open
s = c.createStatement();- Read upRead up
- Exclude checks
Connections, streams, files, and other classes that implement the Closeable interface or its super-interface,
AutoCloseable, needs to be closed after use. Further, that close call must be made in a finally block otherwise
an exception could keep the call from being made. Preferably, when class implements AutoCloseable, resource should be created using
"try-with-resources" pattern and will be closed automatically.
Failure to properly close resources will result in a resource leak which could bring first the application and then perhaps the box the application is on to their knees.
Noncompliant Code Example
private void readTheFile() throws IOException {
Path path = Paths.get(this.fileName);
BufferedReader reader = Files.newBufferedReader(path, this.charset);
// ...
reader.close(); // Noncompliant
// ...
Files.lines("input.txt").forEach(System.out::println); // Noncompliant: The stream needs to be closed
}
private void doSomething() {
OutputStream stream = null;
try {
for (String property : propertyList) {
stream = new FileOutputStream("myfile.txt"); // Noncompliant
// ...
}
} catch (Exception e) {
// ...
} finally {
stream.close(); // Multiple streams were opened. Only the last is closed.
}
}
Compliant Solution
private void readTheFile(String fileName) throws IOException {
Path path = Paths.get(fileName);
try (BufferedReader reader = Files.newBufferedReader(path, StandardCharsets.UTF_8)) {
reader.readLine();
// ...
}
// ..
try (Stream<String> input = Files.lines("input.txt")) {
input.forEach(System.out::println);
}
}
private void doSomething() {
OutputStream stream = null;
try {
stream = new FileOutputStream("myfile.txt");
for (String property : propertyList) {
// ...
}
} catch (Exception e) {
// ...
} finally {
stream.close();
}
}
Exceptions
Instances of the following classes are ignored by this rule because close has no effect:
-
java.io.ByteArrayOutputStream -
java.io.ByteArrayInputStream -
java.io.CharArrayReader -
java.io.CharArrayWriter -
java.io.StringReader -
java.io.StringWriter
Java 7 introduced the try-with-resources statement, which implicitly closes Closeables. All resources opened in a try-with-resources
statement are ignored by this rule.
try (BufferedReader br = new BufferedReader(new FileReader(fileName))) {
//...
}
catch ( ... ) {
//...
}
See
- MITRE, CWE-459 - Incomplete Cleanup
- MITRE, CWE-772 - Missing Release of Resource after Effective Lifetime
- CERT, FIO04-J. - Release resources when they are no longer needed
- CERT, FIO42-C. - Close files when they are no longer needed
- Try With Resources
Remove this unused "provisioningRescheduledCount" private field. Open
private Counter provisioningRescheduledCount = new Counter();- Read upRead up
- Exclude checks
If a private field is declared but not used in the program, it can be considered dead code and should therefore be removed. This will
improve maintainability because developers will not wonder what the variable is used for.
Note that this rule does not take reflection into account, which means that issues will be raised on private fields that are only
accessed using the reflection API.
Noncompliant Code Example
public class MyClass {
private int foo = 42;
public int compute(int a) {
return a * 42;
}
}
Compliant Solution
public class MyClass {
public int compute(int a) {
return a * 42;
}
}
Exceptions
The Java serialization runtime associates with each serializable class a version number, called serialVersionUID, which is used during
deserialization to verify that the sender and receiver of a serialized object have loaded classes for that object that are compatible with respect to
serialization.
A serializable class can declare its own serialVersionUID explicitly by declaring a field named serialVersionUID that
must be static, final, and of type long. By definition those serialVersionUID fields should not be reported by this rule:
public class MyClass implements java.io.Serializable {
private static final long serialVersionUID = 42L;
}
Moreover, this rule doesn't raise any issue on annotated fields.
Remove this unused "periodType" private field. Open
private final PeriodType periodType;- Read upRead up
- Exclude checks
If a private field is declared but not used in the program, it can be considered dead code and should therefore be removed. This will
improve maintainability because developers will not wonder what the variable is used for.
Note that this rule does not take reflection into account, which means that issues will be raised on private fields that are only
accessed using the reflection API.
Noncompliant Code Example
public class MyClass {
private int foo = 42;
public int compute(int a) {
return a * 42;
}
}
Compliant Solution
public class MyClass {
public int compute(int a) {
return a * 42;
}
}
Exceptions
The Java serialization runtime associates with each serializable class a version number, called serialVersionUID, which is used during
deserialization to verify that the sender and receiver of a serialized object have loaded classes for that object that are compatible with respect to
serialization.
A serializable class can declare its own serialVersionUID explicitly by declaring a field named serialVersionUID that
must be static, final, and of type long. By definition those serialVersionUID fields should not be reported by this rule:
public class MyClass implements java.io.Serializable {
private static final long serialVersionUID = 42L;
}
Moreover, this rule doesn't raise any issue on annotated fields.
Remove this "clone" implementation; use a copy constructor or copy factory instead. Open
public abstract R clone();- Read upRead up
- Exclude checks
Many consider clone and Cloneable broken in Java, largely because the rules for overriding clone are tricky
and difficult to get right, according to Joshua Bloch:
Object's clone method is very tricky. It's based on field copies, and it's "extra-linguistic." It creates an object without calling a constructor. There are no guarantees that it preserves the invariants established by the constructors. There have been lots of bugs over the years, both in and outside Sun, stemming from the fact that if you just call super.clone repeatedly up the chain until you have cloned an object, you have a shallow copy of the object. The clone generally shares state with the object being cloned. If that state is mutable, you don't have two independent objects. If you modify one, the other changes as well. And all of a sudden, you get random behavior.
A copy constructor or copy factory should be used instead.
This rule raises an issue when clone is overridden, whether or not Cloneable is implemented.
Noncompliant Code Example
public class MyClass {
// ...
public Object clone() { // Noncompliant
//...
}
}
Compliant Solution
public class MyClass {
// ...
MyClass (MyClass source) {
//...
}
}
See
See Also
- {rule:java:S2157} - "Cloneables" should implement "clone"
- {rule:java:S1182} - Classes that override "clone" should be "Cloneable" and call "super.clone()"
Remove this unused "key" private field. Open
private Key key;- Read upRead up
- Exclude checks
If a private field is declared but not used in the program, it can be considered dead code and should therefore be removed. This will
improve maintainability because developers will not wonder what the variable is used for.
Note that this rule does not take reflection into account, which means that issues will be raised on private fields that are only
accessed using the reflection API.
Noncompliant Code Example
public class MyClass {
private int foo = 42;
public int compute(int a) {
return a * 42;
}
}
Compliant Solution
public class MyClass {
public int compute(int a) {
return a * 42;
}
}
Exceptions
The Java serialization runtime associates with each serializable class a version number, called serialVersionUID, which is used during
deserialization to verify that the sender and receiver of a serialized object have loaded classes for that object that are compatible with respect to
serialization.
A serializable class can declare its own serialVersionUID explicitly by declaring a field named serialVersionUID that
must be static, final, and of type long. By definition those serialVersionUID fields should not be reported by this rule:
public class MyClass implements java.io.Serializable {
private static final long serialVersionUID = 42L;
}
Moreover, this rule doesn't raise any issue on annotated fields.
Remove this unused "bootResetCount" private field. Open
private Counter bootResetCount = new Counter();- Read upRead up
- Exclude checks
If a private field is declared but not used in the program, it can be considered dead code and should therefore be removed. This will
improve maintainability because developers will not wonder what the variable is used for.
Note that this rule does not take reflection into account, which means that issues will be raised on private fields that are only
accessed using the reflection API.
Noncompliant Code Example
public class MyClass {
private int foo = 42;
public int compute(int a) {
return a * 42;
}
}
Compliant Solution
public class MyClass {
public int compute(int a) {
return a * 42;
}
}
Exceptions
The Java serialization runtime associates with each serializable class a version number, called serialVersionUID, which is used during
deserialization to verify that the sender and receiver of a serialized object have loaded classes for that object that are compatible with respect to
serialization.
A serializable class can declare its own serialVersionUID explicitly by declaring a field named serialVersionUID that
must be static, final, and of type long. By definition those serialVersionUID fields should not be reported by this rule:
public class MyClass implements java.io.Serializable {
private static final long serialVersionUID = 42L;
}
Moreover, this rule doesn't raise any issue on annotated fields.
Remove this unused "bootProvConfCount" private field. Open
private Counter bootProvConfCount = new Counter();- Read upRead up
- Exclude checks
If a private field is declared but not used in the program, it can be considered dead code and should therefore be removed. This will
improve maintainability because developers will not wonder what the variable is used for.
Note that this rule does not take reflection into account, which means that issues will be raised on private fields that are only
accessed using the reflection API.
Noncompliant Code Example
public class MyClass {
private int foo = 42;
public int compute(int a) {
return a * 42;
}
}
Compliant Solution
public class MyClass {
public int compute(int a) {
return a * 42;
}
}
Exceptions
The Java serialization runtime associates with each serializable class a version number, called serialVersionUID, which is used during
deserialization to verify that the sender and receiver of a serialized object have loaded classes for that object that are compatible with respect to
serialization.
A serializable class can declare its own serialVersionUID explicitly by declaring a field named serialVersionUID that
must be static, final, and of type long. By definition those serialVersionUID fields should not be reported by this rule:
public class MyClass implements java.io.Serializable {
private static final long serialVersionUID = 42L;
}
Moreover, this rule doesn't raise any issue on annotated fields.
Remove this "clone" implementation; use a copy constructor or copy factory instead. Open
public Average clone() {- Read upRead up
- Exclude checks
Many consider clone and Cloneable broken in Java, largely because the rules for overriding clone are tricky
and difficult to get right, according to Joshua Bloch:
Object's clone method is very tricky. It's based on field copies, and it's "extra-linguistic." It creates an object without calling a constructor. There are no guarantees that it preserves the invariants established by the constructors. There have been lots of bugs over the years, both in and outside Sun, stemming from the fact that if you just call super.clone repeatedly up the chain until you have cloned an object, you have a shallow copy of the object. The clone generally shares state with the object being cloned. If that state is mutable, you don't have two independent objects. If you modify one, the other changes as well. And all of a sudden, you get random behavior.
A copy constructor or copy factory should be used instead.
This rule raises an issue when clone is overridden, whether or not Cloneable is implemented.
Noncompliant Code Example
public class MyClass {
// ...
public Object clone() { // Noncompliant
//...
}
}
Compliant Solution
public class MyClass {
// ...
MyClass (MyClass source) {
//...
}
}
See
See Also
- {rule:java:S2157} - "Cloneables" should implement "clone"
- {rule:java:S1182} - Classes that override "clone" should be "Cloneable" and call "super.clone()"
This block of commented-out lines of code should be removed. Open
// this.getJitterAbove200msCount().add(record.getJitterAbove200msCount());- Read upRead up
- Exclude checks
Programmers should not comment out code as it bloats programs and reduces readability.
Unused code should be deleted and can be retrieved from source control history if required.
Rename this constant name to match the regular expression '^[A-Z][A-Z0-9]*(_[A-Z0-9]+)*$'. Open
private static final String provMsgId = "^ProvMsg: PP:";- Read upRead up
- Exclude checks
Shared coding conventions allow teams to collaborate efficiently. This rule checks that all constant names match a provided regular expression.
Noncompliant Code Example
With the default regular expression ^[A-Z][A-Z0-9]*(_[A-Z0-9]+)*$:
public class MyClass {
public static final int first = 1;
}
public enum MyEnum {
first;
}
Compliant Solution
public class MyClass {
public static final int FIRST = 1;
}
public enum MyEnum {
FIRST;
}
Rename this variable to not match a restricted identifier. Open
RecordProvisioning record = report.getRecord(key);- Read upRead up
- Exclude checks
Even if it is technically possible, Restricted Identifiers should not be used as identifiers. This is only possible for compatibility reasons, using it in Java code is confusing and should be avoided.
Note that this applies to any version of Java, including the one where these identifiers are not yet restricted, to avoid future confusion.
This rule reports an issue when restricted identifiers:
- var
- yield
- record
are used as identifiers.
Noncompliant Code Example
var var = "var"; // Noncompliant: compiles but this code is confusing
var = "what is this?";
int yield(int i) { // Noncompliant
return switch (i) {
case 1: yield(0); // This is a yield from switch expression, not a recursive call.
default: yield(i-1);
};
}
String record = "record"; // Noncompliant
Compliant Solution
var myVariable = "var";
int minusOne(int i) {
return switch (i) {
case 1: yield(0);
default: yield(i-1);
};
}
String myRecord = "record";
See
Add a default case to this switch. Open
switch (status) {- Read upRead up
- Exclude checks
The requirement for a final default clause is defensive programming. The clause should either take appropriate action, or contain a
suitable comment as to why no action is taken.
Noncompliant Code Example
switch (param) { //missing default clause
case 0:
doSomething();
break;
case 1:
doSomethingElse();
break;
}
switch (param) {
default: // default clause should be the last one
error();
break;
case 0:
doSomething();
break;
case 1:
doSomethingElse();
break;
}
Compliant Solution
switch (param) {
case 0:
doSomething();
break;
case 1:
doSomethingElse();
break;
default:
error();
break;
}
Exceptions
If the switch parameter is an Enum and if all the constants of this enum are used in the case statements,
then no default clause is expected.
Example:
public enum Day {
SUNDAY, MONDAY
}
...
switch(day) {
case SUNDAY:
doSomething();
break;
case MONDAY:
doSomethingElse();
break;
}
See
- MITRE, CWE-478 - Missing Default Case in Switch Statement
- CERT, MSC01-C. - Strive for logical completeness
Remove this unused "temperatureMaxAvg" private field. Open
private Average temperatureMaxAvg = new Average(1);- Read upRead up
- Exclude checks
If a private field is declared but not used in the program, it can be considered dead code and should therefore be removed. This will
improve maintainability because developers will not wonder what the variable is used for.
Note that this rule does not take reflection into account, which means that issues will be raised on private fields that are only
accessed using the reflection API.
Noncompliant Code Example
public class MyClass {
private int foo = 42;
public int compute(int a) {
return a * 42;
}
}
Compliant Solution
public class MyClass {
public int compute(int a) {
return a * 42;
}
}
Exceptions
The Java serialization runtime associates with each serializable class a version number, called serialVersionUID, which is used during
deserialization to verify that the sender and receiver of a serialized object have loaded classes for that object that are compatible with respect to
serialization.
A serializable class can declare its own serialVersionUID explicitly by declaring a field named serialVersionUID that
must be static, final, and of type long. By definition those serialVersionUID fields should not be reported by this rule:
public class MyClass implements java.io.Serializable {
private static final long serialVersionUID = 42L;
}
Moreover, this rule doesn't raise any issue on annotated fields.
Make "SECOND_FORMAT" an instance variable. Open
public static final SimpleDateFormat SECOND_FORMAT = new SimpleDateFormat("yyyyMMddHHmmss");- Read upRead up
- Exclude checks
Not all classes in the standard Java library were written to be thread-safe. Using them in a multi-threaded manner is highly likely to cause data problems or exceptions at runtime.
This rule raises an issue when an instance of Calendar, DateFormat, javax.xml.xpath.XPath, or
javax.xml.validation.SchemaFactory is marked static.
Noncompliant Code Example
public class MyClass {
private static SimpleDateFormat format = new SimpleDateFormat("HH-mm-ss"); // Noncompliant
private static Calendar calendar = Calendar.getInstance(); // Noncompliant
Compliant Solution
public class MyClass {
private SimpleDateFormat format = new SimpleDateFormat("HH-mm-ss");
private Calendar calendar = Calendar.getInstance();
Refactor this method to reduce its Cognitive Complexity from 27 to the 15 allowed. Open
private void addOrChangeGroupImpl(Group group, ACS acs) throws SQLException {- Read upRead up
- Exclude checks
Cognitive Complexity is a measure of how hard the control flow of a method is to understand. Methods with high Cognitive Complexity will be difficult to maintain.