add Java rule documentation (DataDog#20909)

dastrong · web-flow · commit d7aad519ed01 · 2023-12-05T14:10:09.000-08:00
diff --git a/content/en/continuous_integration/static_analysis/rules/_index.md b/content/en/continuous_integration/static_analysis/rules/_index.md
@@ -67,6 +67,313 @@ docker_best_practices_data:
   - link: "/continuous_integration/static_analysis/rules/docker-best-practices/zypper-use-y"
     tag: "zypper-use-y"
     text: "Always use -y with zypper install"
+java_best_practices_data:
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/add-empty-string"
+    tag: "add-empty-string"
+    text: "Do not add an empty string"
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/array-is-stored-directly"
+    tag: "array-is-stored-directly"
+    text: "Should clone array"
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/arrays-aslist"
+    tag: "arrays-aslist"
+    text: "Use asList to create a list from array"
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/avoid-calendar-creation"
+    tag: "avoid-calendar-creation"
+    text: "Avoid Date() instantiation"
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/avoid-filestream"
+    tag: "avoid-filestream"
+    text: "Avoid creating FileStream directly"
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/avoid-message-digest-field"
+    tag: "avoid-message-digest-field"
+    text: "Avoid declaring a field type as MessageDigest"
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/avoid-printstacktrace"
+    tag: "avoid-printstacktrace"
+    text: "Avoid using printStackTrace()"
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/avoid-reassigning-catch-vars"
+    tag: "avoid-reassigning-catch-vars"
+    text: "Don't reassign a catch variable"
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/avoid-reassigning-parameters"
+    tag: "avoid-reassigning-parameters"
+    text: "Avoid reassigning parameters"
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/avoid-string-instantiation"
+    tag: "avoid-string-instantiation"
+    text: "Avoid instantiating strings "
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/constants-in-interfaces"
+    tag: "constants-in-interfaces"
+    text: "Using constants in an interface"
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/default-label-not-last-in-switch"
+    tag: "default-label-not-last-in-switch"
+    text: "Default label should be last in a switch"
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/forloop-variable-count"
+    tag: "forloop-variable-count"
+    text: "Too many control variables in for loop"
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/indexof-char"
+    tag: "indexof-char"
+    text: "Do not use a string with only one character"
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/literals-first-in-comparison"
+    tag: "literals-first-in-comparison"
+    text: "The literals should be first in String comparisons"
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/loose-coupling"
+    tag: "loose-coupling"
+    text: "Avoid using specific implementation types"
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/missing-switch-statement-default"
+    tag: "missing-switch-statement-default"
+    text: "Switch statements should have a default case"
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/one-declaration-per-line"
+    tag: "one-declaration-per-line"
+    text: "Separate lines for each field declaration"
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/preserve-stack-trace"
+    tag: "preserve-stack-trace"
+    text: "Preserve the thrown stack trace"
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/redundant-initializer"
+    tag: "redundant-initializer"
+    text: "Avoid redundant initialization"
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/replace-hashtable-with-map"
+    tag: "replace-hashtable-with-map"
+    text: "Should use Map instead of Hashtable"
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/replace-vector-with-list"
+    tag: "replace-vector-with-list"
+    text: "Replace Vector with List"
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/return-internal-array"
+    tag: "return-internal-array"
+    text: "Do not return internal array"
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/sb-append-char"
+    tag: "sb-append-char"
+    text: "Do not append char as strings"
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/simplify-test-assertions-boolean"
+    tag: "simplify-test-assertions-boolean"
+    text: "Test assertions for booleans can be simplified"
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/simplify-test-assertions-equals"
+    tag: "simplify-test-assertions-equals"
+    text: "Test assertions using equals comparison can be simplified"
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/simplify-test-assertions-null"
+    tag: "simplify-test-assertions-null"
+    text: "Test assertions using null comparison can be simplified"
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/simplify-test-assertions-ops"
+    tag: "simplify-test-assertions-ops"
+    text: "Test assertions using operator comparison can be simplified"
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/string-buffer-field"
+    tag: "string-buffer-field"
+    text: "Do not use StringBuffer or StringBuilder as a class field"
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/switch-few-branches"
+    tag: "switch-few-branches"
+    text: "Avoid switch with very few branches"
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/use-stringbuffer"
+    tag: "use-stringbuffer"
+    text: "Use StringBuffer to concatenate strings"
+  - link: "/continuous_integration/static_analysis/rules/java-best-practices/while-loop-with-literal-boolean"
+    tag: "while-loop-with-literal-boolean"
+    text: "Loops can be simplified or removed"
+java_code_style_data:
+  - link: "/continuous_integration/static_analysis/rules/java-code-style/avoid-dollar-signs"
+    tag: "avoid-dollar-signs"
+    text: "Avoid using dollar signs in variable names"
+  - link: "/continuous_integration/static_analysis/rules/java-code-style/avoid-protected-in-final-class"
+    tag: "avoid-protected-in-final-class"
+    text: "Avoid using protected field in final class"
+  - link: "/continuous_integration/static_analysis/rules/java-code-style/avoid-using-native-code"
+    tag: "avoid-using-native-code"
+    text: "Avoid using Java native code"
+  - link: "/continuous_integration/static_analysis/rules/java-code-style/boolean-get-method-name"
+    tag: "boolean-get-method-name"
+    text: "Avoid prefix boolean returning method with `get`"
+  - link: "/continuous_integration/static_analysis/rules/java-code-style/call-super-in-constructor"
+    tag: "call-super-in-constructor"
+    text: "Consider calling super in constructor"
+  - link: "/continuous_integration/static_analysis/rules/java-code-style/class-naming-conventions"
+    tag: "class-naming-conventions"
+    text: "Enforce a naming convention for any type of class"
+  - link: "/continuous_integration/static_analysis/rules/java-code-style/confusing-ternary"
+    tag: "confusing-ternary"
+    text: "Avoid negation in your ternary operation"
+  - link: "/continuous_integration/static_analysis/rules/java-code-style/control-statement-braces"
+    tag: "control-statement-braces"
+    text: "Enforce using control statement brackets"
+  - link: "/continuous_integration/static_analysis/rules/java-code-style/extends-object"
+    tag: "extends-object"
+    text: "Avoid unnecessary object extend"
+  - link: "/continuous_integration/static_analysis/rules/java-code-style/final-param-in-abstract-method"
+    tag: "final-param-in-abstract-method"
+    text: "Avoid useless final type in interface method"
+  - link: "/continuous_integration/static_analysis/rules/java-code-style/for-loop-should-be-while-loop"
+    tag: "for-loop-should-be-while-loop"
+    text: "Simplify for loops for while loops"
+  - link: "/continuous_integration/static_analysis/rules/java-code-style/generics-naming"
+    tag: "generics-naming"
+    text: "Enforce generic naming standards"
+  - link: "/continuous_integration/static_analysis/rules/java-code-style/local-home-naming-convention"
+    tag: "local-home-naming-convention"
+    text: "Enforce using the LocalHome suffix for Session EJB"
+  - link: "/continuous_integration/static_analysis/rules/java-code-style/package-case"
+    tag: "package-case"
+    text: "Package names should not contain uppercase characters"
+java_inclusive_data:
+  - link: "/continuous_integration/static_analysis/rules/java-inclusive/class-definition"
+    tag: "class-definition"
+    text: "Check class definition language"
+  - link: "/continuous_integration/static_analysis/rules/java-inclusive/function-definition"
+    tag: "function-definition"
+    text: "Check function definition language"
+  - link: "/continuous_integration/static_analysis/rules/java-inclusive/variable-assignment"
+    tag: "variable-assignment"
+    text: "Check variable assignment language"
+java_security_data:
+  - link: "/continuous_integration/static_analysis/rules/java-security/aes-ecb-insecure"
+    tag: "aes-ecb-insecure"
+    text: "ECB mode is insecure"
+  - link: "/continuous_integration/static_analysis/rules/java-security/algorithm-no-hardcoded-secret"
+    tag: "algorithm-no-hardcoded-secret"
+    text: "No hardcoded secret with algorithm methods"
+  - link: "/continuous_integration/static_analysis/rules/java-security/avoid-null-cipher"
+    tag: "avoid-null-cipher"
+    text: "Avoid NullCipher"
+  - link: "/continuous_integration/static_analysis/rules/java-security/avoid-random"
+    tag: "avoid-random"
+    text: "Prefer SecureRandom over Random"
+  - link: "/continuous_integration/static_analysis/rules/java-security/bad-hexa-concatenation"
+    tag: "bad-hexa-concatenation"
+    text: "Bad hexadecimal concatenation"
+  - link: "/continuous_integration/static_analysis/rules/java-security/blowfish-short-key"
+    tag: "blowfish-short-key"
+    text: "Blowfish should use a large key"
+  - link: "/continuous_integration/static_analysis/rules/java-security/cipher-padding-oracle"
+    tag: "cipher-padding-oracle"
+    text: "ECB mode is insecure"
+  - link: "/continuous_integration/static_analysis/rules/java-security/cookies-http-only"
+    tag: "cookies-http-only"
+    text: "Cookies HTTP only"
+  - link: "/continuous_integration/static_analysis/rules/java-security/cookies-persistence"
+    tag: "cookies-persistence"
+    text: "Cookies should not have a long expiration"
+  - link: "/continuous_integration/static_analysis/rules/java-security/cookies-secure-flag"
+    tag: "cookies-secure-flag"
+    text: "Ensure cookies have the secure flag"
+  - link: "/continuous_integration/static_analysis/rules/java-security/default-http-client-def-cons"
+    tag: "default-http-client-def-cons"
+    text: "DefaultHttpClient with default constructor is not secure"
+  - link: "/continuous_integration/static_analysis/rules/java-security/files-permissions"
+    tag: "files-permissions"
+    text: "Do not give write access to others"
+  - link: "/continuous_integration/static_analysis/rules/java-security/groovyshell-code-injection"
+    tag: "groovyshell-code-injection"
+    text: "Potential code injection when using GroovyShell"
+  - link: "/continuous_integration/static_analysis/rules/java-security/hardcoded-crypto-key"
+    tag: "hardcoded-crypto-key"
+    text: "Secret should not be hardcoded in code"
+  - link: "/continuous_integration/static_analysis/rules/java-security/hostname-verifier-true"
+    tag: "hostname-verifier-true"
+    text: "HostnameVerifier should check certificates"
+  - link: "/continuous_integration/static_analysis/rules/java-security/http-parameter-pollution"
+    tag: "http-parameter-pollution"
+    text: "Prevent HTTP parameter pollution"
+  - link: "/continuous_integration/static_analysis/rules/java-security/ignore-saml-comment"
+    tag: "ignore-saml-comment"
+    text: "Ignore SAML comments"
+  - link: "/continuous_integration/static_analysis/rules/java-security/json-unsafe-deserialization"
+    tag: "json-unsafe-deserialization"
+    text: "Avoid unsafe deserialization"
+  - link: "/continuous_integration/static_analysis/rules/java-security/keygenerator-avoid-des"
+    tag: "keygenerator-avoid-des"
+    text: "Avoid DES keys"
+  - link: "/continuous_integration/static_analysis/rules/java-security/ldap-entry-poisoning"
+    tag: "ldap-entry-poisoning"
+    text: "Prevent LDAP Entry Poisoning"
+  - link: "/continuous_integration/static_analysis/rules/java-security/ldap-injection"
+    tag: "ldap-injection"
+    text: "Avoid LDAP injections"
+  - link: "/continuous_integration/static_analysis/rules/java-security/message-digest-custom"
+    tag: "message-digest-custom"
+    text: "Do not use custom digest"
+  - link: "/continuous_integration/static_analysis/rules/java-security/no-des-cipher"
+    tag: "no-des-cipher"
+    text: "Do not use DES"
+  - link: "/continuous_integration/static_analysis/rules/java-security/no-pseudo-random-secret"
+    tag: "no-pseudo-random-secret"
+    text: "Do not use a pseudo-random number to generate a secret"
+  - link: "/continuous_integration/static_analysis/rules/java-security/no-rsa-no-padding"
+    tag: "no-rsa-no-padding"
+    text: "RSA with no padding is insecure"
+  - link: "/continuous_integration/static_analysis/rules/java-security/object-deserialization"
+    tag: "object-deserialization"
+    text: "Prevent deserialization"
+  - link: "/continuous_integration/static_analysis/rules/java-security/path-traversal-file-read"
+    tag: "path-traversal-file-read"
+    text: "Potential path traversal from request"
+  - link: "/continuous_integration/static_analysis/rules/java-security/permissive-cors"
+    tag: "permissive-cors"
+    text: "Avoid overly permissive CORS"
+  - link: "/continuous_integration/static_analysis/rules/java-security/potential-sql-injection"
+    tag: "potential-sql-injection"
+    text: "SQL injection in SqlUtil.execQuery"
+  - link: "/continuous_integration/static_analysis/rules/java-security/processbuilder-injection"
+    tag: "processbuilder-injection"
+    text: "Avoid command injection with ProcessBuilder"
+  - link: "/continuous_integration/static_analysis/rules/java-security/random-iv"
+    tag: "random-iv"
+    text: "Use a randomly-generated IV"
+  - link: "/continuous_integration/static_analysis/rules/java-security/response-direct-writer"
+    tag: "response-direct-writer"
+    text: "Prevent direct writing on the response"
+  - link: "/continuous_integration/static_analysis/rules/java-security/rsa-short-key"
+    tag: "rsa-short-key"
+    text: "RSA should use a long key"
+  - link: "/continuous_integration/static_analysis/rules/java-security/smtp-insecure-connection"
+    tag: "smtp-insecure-connection"
+    text: "SMTP server identify must be enforced"
+  - link: "/continuous_integration/static_analysis/rules/java-security/spring-csrf-disable"
+    tag: "spring-csrf-disable"
+    text: "Do not disable CSRF"
+  - link: "/continuous_integration/static_analysis/rules/java-security/spring-csrf-requestmapping"
+    tag: "spring-csrf-requestmapping"
+    text: "Spring CSRF unrestricted RequestMapping"
+  - link: "/continuous_integration/static_analysis/rules/java-security/spring-expression-injection"
+    tag: "spring-expression-injection"
+    text: "Potential code injection when using Spring Expression"
+  - link: "/continuous_integration/static_analysis/rules/java-security/spring-request-file-tainted"
+    tag: "spring-request-file-tainted"
+    text: "Avoid user-input file"
+  - link: "/continuous_integration/static_analysis/rules/java-security/sql-injection-hibernate"
+    tag: "sql-injection-hibernate"
+    text: "SQL injection in Hibernate"
+  - link: "/continuous_integration/static_analysis/rules/java-security/sql-injection-turbine"
+    tag: "sql-injection-turbine"
+    text: "SQL injection in BasePeer"
+  - link: "/continuous_integration/static_analysis/rules/java-security/sql-string-tainted"
+    tag: "sql-string-tainted"
+    text: "Avoid manual SQL queries"
+  - link: "/continuous_integration/static_analysis/rules/java-security/ssl-context"
+    tag: "ssl-context"
+    text: "Do not use weak SSL context"
+  - link: "/continuous_integration/static_analysis/rules/java-security/unencrypted-socket"
+    tag: "unencrypted-socket"
+    text: "Use of socket on HTTP port"
+  - link: "/continuous_integration/static_analysis/rules/java-security/unsafe-reflection"
+    tag: "unsafe-reflection"
+    text: "Avoid user-generated class names for reflection"
+  - link: "/continuous_integration/static_analysis/rules/java-security/unvalidated-redirect"
+    tag: "unvalidated-redirect"
+    text: "Do not use unvalidated request"
+  - link: "/continuous_integration/static_analysis/rules/java-security/weak-message-digest-md5"
+    tag: "weak-message-digest-md5"
+    text: "MD2, MD4, and MD5 are weak hash functions"
+  - link: "/continuous_integration/static_analysis/rules/java-security/weak-message-digest-sha1"
+    tag: "weak-message-digest-sha1"
+    text: "SHA-1 is a weak hash function"
+  - link: "/continuous_integration/static_analysis/rules/java-security/xml-parsing-xee"
+    tag: "xml-parsing-xee"
+    text: "XML parsing vulnerable to XEE"
+  - link: "/continuous_integration/static_analysis/rules/java-security/xml-parsing-xxe-saxparser"
+    tag: "xml-parsing-xxe-saxparser"
+    text: "XML parsing vulnerable to XXE for SAX Parsers"
+  - link: "/continuous_integration/static_analysis/rules/java-security/xml-parsing-xxe-transformer"
+    tag: "xml-parsing-xxe-transformer"
+    text: "XML parsing vulnerable to XXE for TransformerFactory"
+  - link: "/continuous_integration/static_analysis/rules/java-security/xml-parsing-xxe-xmlreader"
+    tag: "xml-parsing-xxe-xmlreader"
+    text: "XML parsing vulnerable to XXE for XML Reader"
+  - link: "/continuous_integration/static_analysis/rules/java-security/xml-parsing-xxe-xpath"
+    tag: "xml-parsing-xxe-xpath"
+    text: "XML parsing vulnerable to XXE for XPath"
 javascript_best_practices_data:
   - link: "/continuous_integration/static_analysis/rules/javascript-best-practices/for-direction"
     tag: "for-direction"
@@ -1256,6 +1563,48 @@ Best practices for using Docker.
 
 <br>
 
+## Java rules
+
+### Follow best practices in Java
+
+**Ruleset ID:** `java-best-practices`
+
+Rules to enforce Java best practices.
+
+{{< sa-rule-list "java_best_practices_data" >}}
+
+<br>
+
+### Follow Java code style patterns
+
+**Ruleset ID:** `java-code-style`
+
+Rules to enforce Java code style.
+
+{{< sa-rule-list "java_code_style_data" >}}
+
+<br>
+
+### Use inclusive language in Java
+
+**Ruleset ID:** `java-inclusive`
+
+Rules for Java to avoid inappropriate wording in the code and comments.
+
+{{< sa-rule-list "java_inclusive_data" >}}
+
+<br>
+
+### Ensure your Java code is secure
+
+**Ruleset ID:** `java-security`
+
+Rules focused on finding security issues in Java code.
+
+{{< sa-rule-list "java_security_data" >}}
+
+<br>
+
 ## JavaScript rules
 
 ### Follow best practices for writing JavaScript code
