FindBugs Report

Project Information

Project:

FindBugs version: 3.0.1

Code analyzed:



Metrics

7792 lines of code analyzed, in 147 classes, in 17 packages.

Metric Total Density*
High Priority Warnings 57 7.32
Medium Priority Warnings 149 19.12
Total Warnings 206 26.44

(* Defects per Thousand lines of non-commenting source statements)



Summary

Warning Type Number
Bad practice Warnings 11
Correctness Warnings 42
Internationalization Warnings 5
Malicious code vulnerability Warnings 9
Multithreaded correctness Warnings 4
Performance Warnings 17
Security Warnings 28
Dodgy code Warnings 89
Total 205

Warnings


Bad practice Warnings

Code Warning
Eq com.owncloud.android.lib.common.network.AdvancedSslSocketFactory.equals(Object) fails for subtypes
Eq com.owncloud.android.lib.resources.status.OwnCloudVersion defines compareTo(OwnCloudVersion) and uses Object.equals()
OS com.owncloud.android.lib.resources.files.DownloadRemoteFileOperation.downloadFile(OwnCloudClient, File) may fail to close stream
OS com.owncloud.android.lib.resources.users.GetRemoteUserAvatarOperation.run(OwnCloudClient) may fail to close stream
RV Exceptional return value of java.io.File.renameTo(File) ignored in com.owncloud.android.lib.common.utils.Log_OC.appendLog(String)
RV Exceptional return value of java.io.File.delete() ignored in com.owncloud.android.lib.common.utils.Log_OC.deleteHistoryLogging()
RV Exceptional return value of java.io.File.createNewFile() ignored in com.owncloud.android.lib.resources.files.DownloadRemoteFileOperation.downloadFile(OwnCloudClient, File)
RV Exceptional return value of java.io.File.delete() ignored in com.owncloud.android.lib.resources.files.DownloadRemoteFileOperation.downloadFile(OwnCloudClient, File)
RV Exceptional return value of java.io.File.mkdirs() ignored in com.owncloud.android.lib.resources.files.DownloadRemoteFileOperation.run(OwnCloudClient)
Se Class com.owncloud.android.lib.common.operations.RemoteOperationResult defines non-transient non-serializable instance field mNotificationData
Se Class com.owncloud.android.lib.common.operations.RemoteOperationResult defines non-transient non-serializable instance field mPushResponse

Correctness Warnings

Code Warning
BED Method com.owncloud.android.lib.common.network.AdvancedSslSocketFactory.createSocket(String, int) declares throwing two or more exceptions related by inheritance
BED Method com.owncloud.android.lib.common.network.AdvancedSslSocketFactory.createSocket(String, int, InetAddress, int, HttpConnectionParams) declares throwing two or more exceptions related by inheritance
BED Method com.owncloud.android.lib.common.network.AdvancedSslSocketFactory.createSocket(Socket, String, int, boolean) declares throwing two or more exceptions related by inheritance
BED Non derivable method com.owncloud.android.lib.common.network.AdvancedX509TrustManager.findX509TrustManager(TrustManagerFactory) declares throwing an exception that isn't thrown
CLI Method new com.owncloud.android.lib.common.network.WebdavEntry(MultiStatusResponse, String) accesses list or array with constant index
CLI Method com.owncloud.android.lib.common.utils.Log_OC.appendLog(String) accesses list or array with constant index
FCBL Class com.owncloud.android.lib.resources.shares.ShareToRemoteOperationResultParser defines fields that are used only as locals
FCCD Class com.owncloud.android.lib.common.DynamicSessionManager has a circular dependency with other classes
FCCD Class com.owncloud.android.lib.common.OwnCloudClient has a circular dependency with other classes
ISB Method com.owncloud.android.lib.common.OwnCloudClient.getCookiesString() concatenates the result of a toString() call
LEST Method com.owncloud.android.lib.common.network.ChunkFromFileChannelRequestEntity.writeRequest(OutputStream) throws alternative exception from catch block without history
LEST Method com.owncloud.android.lib.common.network.FileRequestEntity.writeRequest(OutputStream) throws alternative exception from catch block without history
LSYC Method com.owncloud.android.lib.common.network.BearerAuthScheme.authenticate(BearerCredentials, String) creates local variable-based synchronized collection
MDM Method new com.owncloud.android.lib.common.operations.RemoteOperationResult(boolean, String, int) encodes String bytes without specifying the character encoding
MDM Method new com.owncloud.android.lib.common.operations.RemoteOperationResult(boolean, HttpMethod) encodes String bytes without specifying the character encoding
MDM Method com.owncloud.android.lib.resources.shares.ShareToRemoteOperationResultParser.parse(String) encodes String bytes without specifying the character encoding
NP Possible null pointer dereference of fos in com.owncloud.android.lib.common.network.NetworkUtils.addCertToKnownServersStore(Certificate, Context) on exception path
PCOA Constructor new com.owncloud.android.lib.common.network.BearerAuthScheme(String) makes call to non-final method
PCOA Constructor new com.owncloud.android.lib.common.operations.RemoteOperationResult(boolean, int, String, Header[]) makes call to non-final method
PCOA Constructor new com.owncloud.android.lib.common.operations.RemoteOperationResult(boolean, int, Header[]) makes call to non-final method
PCOA Constructor new com.owncloud.android.lib.common.OwnCloudClient(Uri, HttpConnectionManager, boolean) makes call to non-final method
PCOA Constructor new com.owncloud.android.lib.resources.files.FileVersion(Parcel) makes call to non-final method
PCOA Constructor new com.owncloud.android.lib.resources.files.FileVersion(String, WebdavEntry) makes call to non-final method
PCOA Constructor new com.owncloud.android.lib.resources.files.RemoteFile(Parcel) makes call to non-final method
PCOA Constructor new com.owncloud.android.lib.resources.files.RemoteFile(WebdavEntry) makes call to non-final method
PCOA Constructor new com.owncloud.android.lib.resources.files.TrashbinFile(Parcel) makes call to non-final method
PCOA Constructor new com.owncloud.android.lib.resources.files.TrashbinFile(WebdavEntry, String) makes call to non-final method
PCOA Constructor new com.owncloud.android.lib.resources.shares.OCShare(Parcel) makes call to non-final method
PDP Method com.owncloud.android.lib.common.network.AdvancedSslSocketFactory.verifyPeerIdentity(String, int, Socket) defines parameters more abstractly than needed to function properly
RV Bad attempt to compute absolute value of signed 32-bit hashcode in com.owncloud.android.lib.resources.files.ChunkedUploadRemoteFileOperation.uploadFile(OwnCloudClient)
SPP Method com.owncloud.android.lib.common.network.AdvancedSslSocketFactory.verifyPeerIdentity(String, int, Socket) checks a reference for null before calling instanceof
SPP Method com.owncloud.android.lib.common.network.AdvancedX509TrustManager.checkServerTrusted(X509Certificate[], String) checks a reference for null before calling instanceof
SPP Method com.owncloud.android.lib.common.operations.RemoteOperation.run() calls equals on an enum instance
SPP Method com.owncloud.android.lib.common.operations.RemoteOperationResult.getCertificateCombinedException(Exception) checks a reference for null before calling instanceof
SPP Method com.owncloud.android.lib.resources.shares.OCShare.isPasswordProtected() calls equals on an enum instance
SUA Method com.owncloud.android.lib.common.ExternalLink$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.owncloud.android.lib.common.Quota$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.owncloud.android.lib.common.UserInfo$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.owncloud.android.lib.resources.files.FileVersion$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.owncloud.android.lib.resources.files.RemoteFile$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.owncloud.android.lib.resources.files.TrashbinFile$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.owncloud.android.lib.resources.shares.OCShare$1.newArray(int) returns an array that appears not to be initialized

Internationalization Warnings

Code Warning
Dm Found reliance on default encoding in new com.owncloud.android.lib.common.operations.RemoteOperationResult(boolean, String, int): String.getBytes()
Dm Found reliance on default encoding in new com.owncloud.android.lib.common.operations.RemoteOperationResult(boolean, HttpMethod): String.getBytes()
Dm Found reliance on default encoding in com.owncloud.android.lib.common.utils.Log_OC.appendLog(String): new java.io.FileWriter(File, boolean)
Dm Found reliance on default encoding in com.owncloud.android.lib.common.utils.Log_OC.startLogging(Context): new java.io.FileWriter(File, boolean)
Dm Found reliance on default encoding in com.owncloud.android.lib.resources.shares.ShareToRemoteOperationResultParser.parse(String): String.getBytes()

Malicious code vulnerability Warnings

Code Warning
EI com.owncloud.android.lib.resources.activities.models.Activity.getDate() may expose internal representation by returning Activity.date
EI com.owncloud.android.lib.resources.activities.models.Activity.getDatetime() may expose internal representation by returning Activity.datetime
EI com.owncloud.android.lib.resources.notifications.models.Notification.getDatetime() may expose internal representation by returning Notification.datetime
EI com.owncloud.android.lib.resources.users.GetRemoteUserAvatarOperation$ResultData.getAvatarData() may expose internal representation by returning GetRemoteUserAvatarOperation$ResultData.mAvatarData
EI2 com.owncloud.android.lib.resources.activities.models.Activity.setDate(Date) may expose internal representation by storing an externally mutable object into Activity.date
EI2 com.owncloud.android.lib.resources.activities.models.Activity.setDatetime(Date) may expose internal representation by storing an externally mutable object into Activity.datetime
EI2 new com.owncloud.android.lib.resources.notifications.models.Notification(int, String, String, Date, String, String, String, String, Map, String, String, Map, String, String, Collection) may expose internal representation by storing an externally mutable object into Notification.datetime
EI2 com.owncloud.android.lib.resources.notifications.models.Notification.setDatetime(Date) may expose internal representation by storing an externally mutable object into Notification.datetime
MS Public static com.owncloud.android.lib.common.utils.Log_OC.getLogFileNames() may expose internal representation by returning Log_OC.mLogFileNames

Multithreaded correctness Warnings

Code Warning
JLM Synchronization performed on java.util.concurrent.atomic.AtomicBoolean in com.owncloud.android.lib.resources.files.DownloadRemoteFileOperation.downloadFile(OwnCloudClient, File)
JLM Synchronization performed on java.util.concurrent.atomic.AtomicBoolean in com.owncloud.android.lib.resources.files.UploadRemoteFileOperation.cancel()
LI Incorrect lazy initialization and update of static field com.owncloud.android.lib.common.network.NetworkUtils.mConnManager in com.owncloud.android.lib.common.network.NetworkUtils.getMultiThreadedConnManager()
STCAL com.owncloud.android.lib.common.network.WebdavUtils.DISPLAY_DATE_FORMAT is a static field of type java.text.DateFormat, which isn't thread safe

Performance Warnings

Code Warning
Bx Boxing/unboxing to parse a primitive new com.owncloud.android.lib.common.network.WebdavEntry(MultiStatusResponse, String)
IOI Method com.owncloud.android.lib.common.network.NetworkUtils.getKnownServersStore(Context) uses a FileInputStream or FileOutputStream constructor
IOI Method com.owncloud.android.lib.resources.files.DownloadRemoteFileOperation.downloadFile(OwnCloudClient, File) uses a FileInputStream or FileOutputStream constructor
NAB Method new com.owncloud.android.lib.common.network.WebdavEntry(MultiStatusResponse, String) converts String to primitive using excessive boxing
NAB Method new com.owncloud.android.lib.common.network.WebdavEntry(MultiStatusResponse, String) converts String to primitive using excessive boxing
NAB Method new com.owncloud.android.lib.common.OwnCloudClient(Uri, HttpConnectionManager, boolean) needlessly boxes a boolean constant
PRMC Method com.owncloud.android.lib.resources.files.ChunkedUploadRemoteFileOperation.uploadFile(OwnCloudClient) appears to call the same method on the same object redundantly
PRMC Method com.owncloud.android.lib.resources.files.CopyRemoteFileOperation.run(OwnCloudClient) appears to call the same method on the same object redundantly
PRMC Method com.owncloud.android.lib.resources.files.MoveRemoteFileOperation.run(OwnCloudClient) appears to call the same method on the same object redundantly
PRMC Method com.owncloud.android.lib.resources.files.ReadRemoteFolderOperation.readData(MultiStatus, OwnCloudClient) appears to call the same method on the same object redundantly
PRMC Method com.owncloud.android.lib.resources.files.RenameRemoteFileOperation.run(OwnCloudClient) appears to call the same method on the same object redundantly
SBSC com.owncloud.android.lib.common.OwnCloudClient.getCookiesString() concatenates strings using + in a loop
SBSC com.owncloud.android.lib.resources.status.OwnCloudVersion.toString() concatenates strings using + in a loop
SIC Should com.owncloud.android.lib.resources.files.RenameRemoteFileOperation$LocalMoveMethod be a _static_ inner class?
UCPM Method new com.owncloud.android.lib.common.network.WebdavEntry(MultiStatusResponse, String) passes constant String of length 1 to character overridden method
UCPM Method com.owncloud.android.lib.common.utils.WebDavFileUtils.readData(MultiStatus, OwnCloudClient, boolean, boolean, String) passes constant String of length 1 to character overridden method
WMI com.owncloud.android.lib.common.SingleSessionManager.saveAllClients(Context, String) makes inefficient use of keySet iterator instead of entrySet iterator

Security Warnings

Code Warning
SECHPP Concatenating user-controlled input into a URL
SECHPP Concatenating user-controlled input into a URL
SECHPP Concatenating user-controlled input into a URL
SECHPP Concatenating user-controlled input into a URL
SECHPP Concatenating user-controlled input into a URL
SECHPP Concatenating user-controlled input into a URL
SECHPP Concatenating user-controlled input into a URL
SECHPP Concatenating user-controlled input into a URL
SECHPP Concatenating user-controlled input into a URL
SECHPP Concatenating user-controlled input into a URL
SECHPP Concatenating user-controlled input into a URL
SECHPP Concatenating user-controlled input into a URL
SECHPP Concatenating user-controlled input into a URL
SECHPP Concatenating user-controlled input into a URL
SECHPP Concatenating user-controlled input into a URL
SECHPP Concatenating user-controlled input into a URL
SECPTI java/io/File.<init>(Ljava/io/File;Ljava/lang/String;)V reads a file whose location might be specified by user input
SECPTI java/io/File.<init>(Ljava/lang/String;)V reads a file whose location might be specified by user input
SECPTI java/io/File.<init>(Ljava/lang/String;)V reads a file whose location might be specified by user input
SECPTI java/io/File.<init>(Ljava/lang/String;)V reads a file whose location might be specified by user input
SECPTI java/io/File.<init>(Ljava/io/File;Ljava/lang/String;)V reads a file whose location might be specified by user input
SECPTI java/io/File.<init>(Ljava/lang/String;)V reads a file whose location might be specified by user input
SECPTI java/io/File.<init>(Ljava/lang/String;)V reads a file whose location might be specified by user input
SECPTI java/io/File.<init>(Ljava/lang/String;)V reads a file whose location might be specified by user input
SECPTI java/io/File.<init>(Ljava/lang/String;)V reads a file whose location might be specified by user input
SECPTI java/io/File.<init>(Ljava/lang/String;)V reads a file whose location might be specified by user input
SECPTI java/io/File.<init>(Ljava/lang/String;)V reads a file whose location might be specified by user input
SECPTI java/io/File.<init>(Ljava/lang/String;)V reads a file whose location might be specified by user input
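
The SECPTI rows above name the sink (a java.io.File constructor) rather than the caller, so they say only that a path may be attacker-influenced, not that any of the twelve locations is exploitable. The check a reviewer would look for at each of them is shown below as an added example written for this report; it is not code from the analyzed library, and the class name, the base directory and the sample paths are constructed for the demonstration. The path is canonicalized before the containment test so that both ".." components and symlinks are resolved, and the comparison uses the base directory plus a trailing separator so a sibling directory with the same prefix cannot pass.

```java
import java.io.File;
import java.io.IOException;

/**
 * Confines a caller-supplied relative path to one base directory.
 * Hypothetical class written for this report, not code from the analyzed library.
 */
public final class ConfinedPathResolver {
    private final File canonicalBase;
    private final String basePrefix;

    public ConfinedPathResolver(File baseDir) throws IOException {
        // Canonicalize once: symlinks, "." and ".." are resolved, so the prefix test below is exact.
        this.canonicalBase = baseDir.getCanonicalFile();
        // Trailing separator stops "/data/app-evil" from matching a base of "/data/app".
        this.basePrefix = canonicalBase.getPath() + File.separator;
    }

    /**
     * Returns the File for userPath if, after canonicalization, it still lies strictly under
     * the base directory; otherwise throws. NUL bytes are rejected up front.
     */
    public File resolve(String userPath) throws IOException {
        if (userPath == null || userPath.indexOf('\0') >= 0) {
            throw new IOException("invalid path");
        }
        // Same constructor shape the SECPTI rows flag; what differs is the check that follows.
        File candidate = new File(canonicalBase, userPath).getCanonicalFile();
        if (!candidate.getPath().startsWith(basePrefix)) {
            throw new IOException("path escapes base directory: " + userPath);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        File base = new File(System.getProperty("java.io.tmpdir"), "confined-demo");
        if (!base.isDirectory() && !base.mkdirs()) {
            throw new IOException("cannot create " + base);
        }
        ConfinedPathResolver resolver = new ConfinedPathResolver(base);

        // Constructed inputs: the first two normalize to a location inside base, the rest escape it.
        String[] accepted = {"photos/2019/img.jpg", "photos/../photos/img.jpg"};
        String[] rejected = {"../outside.txt", "a/../../b", "photos/../../../etc/hosts"};

        for (String p : accepted) {
            System.out.println("accepted: " + p + " -> " + resolver.resolve(p));
        }
        for (String p : rejected) {
            try {
                resolver.resolve(p);
                throw new IllegalStateException("check failed to reject: " + p);
            } catch (IOException e) {
                System.out.println("rejected: " + p);
            }
        }
    }
}
```

Two caveats apply when mapping this onto the rows above. With the two-argument constructor File(File, String), an absolute child path is re-rooted under the parent on Unix-like systems, so the dangerous inputs are the ".." forms; with the single-argument File(String) constructor (ten of the twelve rows) there is no parent at all, and the caller has to supply the base directory itself, as this class does. The test is also only as good as the filesystem state at the moment it runs: if a component can be replaced by a symlink between the check and the open, the check does not protect the open.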

Dodgy code Warnings

Code Warning
CC Method new com.owncloud.android.lib.common.network.WebdavEntry(MultiStatusResponse, String) is excessively complex, with a cyclomatic complexity of 55
CC Method com.owncloud.android.lib.resources.status.GetRemoteCapabilitiesOperation.run(OwnCloudClient) is excessively complex, with a cyclomatic complexity of 75
CE Method com.owncloud.android.lib.common.ExternalLink$$Parcelable.read(Parcel, IdentityCollection) excessively uses methods of another class
CE Method com.owncloud.android.lib.common.ExternalLink$$Parcelable.write(ExternalLink, Parcel, int, IdentityCollection) excessively uses methods of another class
CE Method com.owncloud.android.lib.common.UserInfo$$Parcelable.read(Parcel, IdentityCollection) excessively uses methods of another class
CE Method com.owncloud.android.lib.common.UserInfo$$Parcelable.write(UserInfo, Parcel, int, IdentityCollection) excessively uses methods of another class
CE Method com.owncloud.android.lib.common.utils.WebDavFileUtils.fillOCFile(WebdavEntry) excessively uses methods of another class
CE Method com.owncloud.android.lib.resources.files.ReadRemoteFolderOperation.fillOCFile(WebdavEntry) excessively uses methods of another class
DLS Dead store to version in com.owncloud.android.lib.common.accounts.AccountUtils.constructFullURLForAccount(Context, Account)
DLS Dead store to version in com.owncloud.android.lib.common.OwnCloudClientFactory.createOwnCloudClient(Account, Context)
DLS Dead store to version in com.owncloud.android.lib.resources.files.MoveRemoteFileOperation.run(OwnCloudClient)
DRE Method com.owncloud.android.lib.resources.status.OwnCloudVersion.getParsedVersion(String) declares RuntimeException in throws clause
LSC Method com.owncloud.android.lib.common.operations.ExceptionParser.isInvalidCharacterException() makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.common.operations.ExceptionParser.isInvalidCharacterException() makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.common.operations.ExceptionParser.isVirusException() makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.common.operations.ExceptionParser.readError(XmlPullParser) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.common.operations.ExceptionParser.readError(XmlPullParser) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.common.OwnCloudClient.logCookiesAtRequest(Header[], String) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.common.OwnCloudClient.logSetCookiesAtResponse(Header[]) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.files.DownloadRemoteFileOperation.downloadFile(OwnCloudClient, File) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.files.FileVersion.isFolder() makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.files.TrashbinFile.isFolder() makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.shares.ShareXMLParser.readData(XmlPullParser) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.shares.ShareXMLParser.readData(XmlPullParser) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.shares.ShareXMLParser.readData(XmlPullParser) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.shares.ShareXMLParser.readData(XmlPullParser) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.shares.ShareXMLParser.readElement(XmlPullParser, ArrayList) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.shares.ShareXMLParser.readElement(XmlPullParser, ArrayList) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.shares.ShareXMLParser.readElement(XmlPullParser, ArrayList) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.shares.ShareXMLParser.readElement(XmlPullParser, ArrayList) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.shares.ShareXMLParser.readElement(XmlPullParser, ArrayList) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.shares.ShareXMLParser.readElement(XmlPullParser, ArrayList) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.shares.ShareXMLParser.readElement(XmlPullParser, ArrayList) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.shares.ShareXMLParser.readElement(XmlPullParser, ArrayList) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.shares.ShareXMLParser.readElement(XmlPullParser, ArrayList) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.shares.ShareXMLParser.readElement(XmlPullParser, ArrayList) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.shares.ShareXMLParser.readElement(XmlPullParser, ArrayList) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.shares.ShareXMLParser.readElement(XmlPullParser, ArrayList) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.shares.ShareXMLParser.readElement(XmlPullParser, ArrayList) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.shares.ShareXMLParser.readElement(XmlPullParser, ArrayList) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.shares.ShareXMLParser.readElement(XmlPullParser, ArrayList) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.shares.ShareXMLParser.readElement(XmlPullParser, ArrayList) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.shares.ShareXMLParser.readElement(XmlPullParser, ArrayList) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.shares.ShareXMLParser.readElement(XmlPullParser, ArrayList) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.shares.ShareXMLParser.readElement(XmlPullParser, ArrayList) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.shares.ShareXMLParser.readElement(XmlPullParser, ArrayList) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.shares.ShareXMLParser.readElement(XmlPullParser, ArrayList) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.shares.ShareXMLParser.readMeta(XmlPullParser) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.shares.ShareXMLParser.readMeta(XmlPullParser) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.shares.ShareXMLParser.readMeta(XmlPullParser) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.shares.ShareXMLParser.readOCS(XmlPullParser) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.shares.ShareXMLParser.readOCS(XmlPullParser) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.status.GetRemoteCapabilitiesOperation.run(OwnCloudClient) makes literal string comparisons passing the literal as an argument
LSC Method com.owncloud.android.lib.resources.status.GetRemoteCapabilitiesOperation.run(OwnCloudClient) makes literal string comparisons passing the literal as an argument
MOM Class com.owncloud.android.lib.common.network.BearerAuthScheme 'overloads' a method with both instance and static versions
NOS Class com.owncloud.android.lib.common.network.WebdavUtils uses non owned variables to synchronize on
NP Possible null pointer dereference in com.owncloud.android.lib.common.utils.Log_OC.deleteHistoryLogging() due to return value of called method
RCN Redundant nullcheck of shares, which is known to be non-null in com.owncloud.android.lib.resources.shares.ShareToRemoteOperationResultParser.parse(String)
REC Exception is caught when Exception is not thrown in com.owncloud.android.lib.resources.activities.GetRemoteActivitiesOperation.run(OwnCloudClient)
REC Exception is caught when Exception is not thrown in com.owncloud.android.lib.resources.files.DownloadRemoteFileOperation.downloadFile(OwnCloudClient, File)
SA Double assignment of field OCCapability.mVersionString in new com.owncloud.android.lib.resources.status.OCCapability()
SF Switch statement found in com.owncloud.android.lib.common.operations.ExceptionParser.skip(XmlPullParser) where default case is missing
SF Switch statement found in com.owncloud.android.lib.resources.shares.ShareXMLParser.skip(XmlPullParser) where default case is missing
SF Switch statement found in com.owncloud.android.lib.resources.status.GetRemoteCapabilitiesOperation.run(OwnCloudClient) where default case is missing
SPP Method com.owncloud.android.lib.resources.shares.ShareToRemoteOperationResultParser.parse(String) checks the size of a collection against zero rather than using isEmpty()
ST Write to static field com.owncloud.android.lib.common.OwnCloudClient.sIntanceCounter from instance method new com.owncloud.android.lib.common.OwnCloudClient(Uri, HttpConnectionManager, boolean)
STT This method com.owncloud.android.lib.common.accounts.AccountUtils.getUsernameForAccount(Account) parses a String that is a field
STT This method new com.owncloud.android.lib.common.network.WebdavEntry(MultiStatusResponse, String) parses a String that is a field
STT This method new com.owncloud.android.lib.common.network.WebdavEntry(MultiStatusResponse, String) parses a String that is a field
STT This method new com.owncloud.android.lib.common.network.WebdavEntry(MultiStatusResponse, String) parses a String that is a field
STT This method com.owncloud.android.lib.common.network.WebdavEntry stores the value of a toString() call into a field
STT This method com.owncloud.android.lib.common.network.WebdavEntry stores the value of a toString() call into a field
STT This method com.owncloud.android.lib.common.network.WebdavEntry stores the value of a toString() call into a field
STT This method com.owncloud.android.lib.common.network.WebdavEntry stores the value of a toString() call into a field
STT This method com.owncloud.android.lib.common.network.WebdavEntry stores the value of a toString() call into a field
STT This method com.owncloud.android.lib.common.OwnCloudSamlSsoCredentials.applyTo(OwnCloudClient) parses a String that is a field
UP Static or private method com.owncloud.android.lib.common.ExternalLink$$Parcelable.write(ExternalLink, Parcel, int, IdentityCollection) has unused parameters
UP Static or private method com.owncloud.android.lib.common.network.AdvancedSslSocketFactory.verifyPeerIdentity(String, int, Socket) has unused parameters
UP Static or private method com.owncloud.android.lib.common.Quota$$Parcelable.write(Quota, Parcel, int, IdentityCollection) has unused parameters
UrF Unread public/protected field: com.owncloud.android.lib.resources.notifications.models.Action.label
UrF Unread public/protected field: com.owncloud.android.lib.resources.notifications.models.Action.link
UrF Unread public/protected field: com.owncloud.android.lib.resources.notifications.models.Action.primary
UrF Unread public/protected field: com.owncloud.android.lib.resources.notifications.models.Action.type
USBR Method com.owncloud.android.lib.common.accounts.AccountUtils.buildAccountName(Uri, String) stores return result in local before immediately returning it
USBR Method com.owncloud.android.lib.common.network.BearerCredentials.hashCode() stores return result in local before immediately returning it
USBR Method com.owncloud.android.lib.resources.files.FileUtils.getParentPath(String) stores return result in local before immediately returning it
UTWR Method com.owncloud.android.lib.resources.files.ChunkedUploadRemoteFileOperation.uploadFile(OwnCloudClient) manually handles closing an auto-closeable resource
UTWR Method com.owncloud.android.lib.resources.files.DownloadRemoteFileOperation.downloadFile(OwnCloudClient, File) manually handles closing an auto-closeable resource
UTWR Method com.owncloud.android.lib.resources.users.GetRemoteUserAvatarOperation.run(OwnCloudClient) manually handles closing an auto-closeable resource

Details

BED_HIERARCHICAL_EXCEPTION_DECLARATION: Method declares throwing two or more exceptions related by inheritance

This method declares that it throws an exception that is the child of another exception that is also declared to be thrown. Given that the parent exception is declared, there is no need for the child exception to also be declared; it just adds confusion.

BED_BOGUS_EXCEPTION_DECLARATION: Non derivable method declares throwing an exception that isn't thrown

This method declares that it throws a checked exception that it does not throw. Because the method is a constructor, a static method or a private method, no subclass can override it to throw that exception, so there is no reason to keep it in the throws clause; doing so only forces callers to handle an exception that can never occur. Remove the exception from the throws clause.

DM_BOXED_PRIMITIVE_FOR_PARSING: Boxing/unboxing to parse a primitive

A boxed primitive is created from a String, just to extract the unboxed primitive value. It is more efficient to just call the static parseXXX method.

CC_CYCLOMATIC_COMPLEXITY: Method is excessively complex

This method has a high cyclomatic complexity figure, which represents the number of branch points. It is likely difficult to test, and is brittle to change. Consider refactoring this method into several to reduce the risk.

CE_CLASS_ENVY: Method excessively uses methods of another class

This method makes extensive use of methods from another class over methods of its own class. Typically this means that the functionality that is accomplished by this method most likely belongs with the class that is being used so liberally. Consider refactoring this method to be contained in that class, and to accept all the parameters needed in the method signature.

CLI_CONSTANT_LIST_INDEX: Method accesses list or array with constant index

This method accesses an array or list using a constant integer index. Often this is a typo where a loop variable was intended. If, however, specific list indices mean different specific things, replacing the list with a first-class object with meaningful accessors would make the code less brittle.

DLS_DEAD_LOCAL_STORE: Dead store to local variable

This instruction assigns a value to a local variable, but the value is not read or used in any subsequent instruction. Often, this indicates an error, because the value computed is never used.

Note that Sun's javac compiler often generates dead stores for final local variables. Because FindBugs is a bytecode-based tool, there is no easy way to eliminate these false positives.

DM_DEFAULT_ENCODING: Reliance on default encoding

Found a call to a method which will perform a byte to String (or String to byte) conversion, and will assume that the default platform encoding is suitable. This will cause the application behaviour to vary between platforms. Use an alternative API and specify a charset name or Charset object explicitly.

DRE_DECLARED_RUNTIME_EXCEPTION: Method declares RuntimeException in throws clause

This method declares a RuntimeException derived class in its throws clause. This may indicate a misunderstanding as to how unchecked exceptions are handled. If it is felt that a RuntimeException is so prevalent that it should be declared, it is probably a better idea to prevent the occurrence in code.

EI_EXPOSE_REP: May expose internal representation by returning reference to mutable object

Returning a reference to a mutable object value stored in one of the object's fields exposes the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Returning a new copy of the object is a better approach in many situations.

EI_EXPOSE_REP2: May expose internal representation by incorporating reference to mutable object

This code stores a reference to an externally mutable object into the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Storing a copy of the object is a better approach in many situations.

EQ_COMPARETO_USE_OBJECT_EQUALS: Class defines compareTo(...) and uses Object.equals()

This class defines a compareTo(...) method but inherits its equals() method from java.lang.Object. Generally, the value of compareTo should return zero if and only if equals returns true. If this is violated, weird and unpredictable failures will occur in classes such as PriorityQueue. In Java 5 the PriorityQueue.remove method uses the compareTo method, while in Java 6 it uses the equals method.

From the JavaDoc for the compareTo method in the Comparable interface:

It is strongly recommended, but not strictly required that (x.compareTo(y)==0) == (x.equals(y)). Generally speaking, any class that implements the Comparable interface and violates this condition should clearly indicate this fact. The recommended language is "Note: this class has a natural ordering that is inconsistent with equals."
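The following is an added example, not text or code from the FindBugs report or from the analyzed project: a version value type whose compareTo, equals and hashCode are all defined over the same fields, so compareTo returning zero and equals returning true always agree. The class name SemVer and its MAJOR.MINOR.PATCH layout are assumptions made for illustration.

```java
// Added example: compareTo/equals/hashCode kept consistent on one value type.
// SemVer and its three-part layout are assumptions for illustration.
import java.util.Arrays;
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;
import java.util.TreeSet;

public final class SemVer implements Comparable<SemVer> {
    private final int major;
    private final int minor;
    private final int patch;

    public SemVer(int major, int minor, int patch) {
        this.major = major;
        this.minor = minor;
        this.patch = patch;
    }

    /** Parses "MAJOR.MINOR.PATCH"; rejects anything with a different number of parts. */
    public static SemVer parse(String s) {
        String[] parts = s.split("\\.", -1);
        if (parts.length != 3) {
            throw new IllegalArgumentException("expected MAJOR.MINOR.PATCH: " + s);
        }
        return new SemVer(Integer.parseInt(parts[0]),
                          Integer.parseInt(parts[1]),
                          Integer.parseInt(parts[2]));
    }

    @Override
    public int compareTo(SemVer o) {
        int c = Integer.compare(major, o.major);
        if (c == 0) c = Integer.compare(minor, o.minor);
        if (c == 0) c = Integer.compare(patch, o.patch);
        return c;
    }

    // equals is defined through compareTo, and hashCode over the same fields,
    // so (x.compareTo(y) == 0) == x.equals(y) holds by construction.
    @Override
    public boolean equals(Object o) {
        if (this == o) return true;
        if (!(o instanceof SemVer)) return false; // class is final, so instanceof is exact here
        return compareTo((SemVer) o) == 0;
    }

    @Override
    public int hashCode() {
        return Objects.hash(major, minor, patch);
    }

    @Override
    public String toString() {
        return major + "." + minor + "." + patch;
    }

    public static void main(String[] args) {
        SemVer a = SemVer.parse("9.0.1");
        SemVer b = SemVer.parse("9.0.1");
        // HashSet relies on equals/hashCode, TreeSet on compareTo; with Object.equals
        // inherited (the flagged pattern) the two sets would disagree about duplicates.
        Set<SemVer> hashed = new HashSet<>(Arrays.asList(a, b));
        Set<SemVer> sorted = new TreeSet<>(Arrays.asList(a, b));
        if (hashed.size() != sorted.size()) {
            throw new AssertionError("equals and compareTo disagree");
        }
        System.out.println("hashed=" + hashed + " sorted=" + sorted);
    }
}
```

Delegating equals to compareTo is the simplest way to keep the two in step; if a class genuinely needs an ordering that ignores some fields (a "natural ordering inconsistent with equals"), document it as the JavaDoc quoted above recommends and keep such objects out of collections that mix the two contracts.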

EQ_GETCLASS_AND_CLASS_CONSTANT: equals method fails for subtypes

This class has an equals method that will be broken if it is inherited by subclasses. It compares a class literal with the class of the argument (e.g., in class Foo it might check if Foo.class == o.getClass()). It is better to check if this.getClass() == o.getClass().

FCBL_FIELD_COULD_BE_LOCAL: Class defines fields that are used only as locals

This class defines fields that are used in a local only fashion, specifically private fields or protected fields in final classes that are accessed first in each method with a store vs. a load. This field could be replaced by one or more local variables.

FCCD_FIND_CLASS_CIRCULAR_DEPENDENCY: Class has a circular dependency with other classes

This class has a circular dependency with other classes. This makes building these classes difficult, as each is dependent on the other to build correctly. Consider using interfaces to break the hard dependency. The dependency chain can be seen in the GUI version of FindBugs.

IOI_USE_OF_FILE_STREAM_CONSTRUCTORS: Method uses a FileInputStream or FileOutputStream constructor

This method creates and uses a java.io.FileInputStream or java.io.FileOutputStream object. Unfortunately both of these classes implement a finalize method, which means that objects created will likely hang around until a full garbage collection occurs, which will leave excessive garbage on the heap for longer, and potentially much longer than expected. Java 7 introduced two ways to create streams for reading and writing files that do not have this concern. You should consider switching from these above classes to:

InputStream is = java.nio.file.Files.newInputStream(myfile.toPath());
OutputStream os = java.nio.file.Files.newOutputStream(myfile.toPath());

ISB_TOSTRING_APPENDING: Method concatenates the result of a toString() call

This method concatenates the output of a toString() call into a StringBuffer or StringBuilder. It is simpler just to pass the object you want to append to the append call, as that form does not suffer the potential for NullPointerExceptions, and is easier to read.

Keep in mind that Java compiles simple String concatenation to use StringBuilders, so you may see this bug even when you don't use StringBuilders explicitly.

Instead of:


StringBuilder builder = ...;
builder.append(someObj.toString());
...
System.out.println("Problem with the object :" + someObj.toString());
just do:

StringBuilder builder = ...
builder.append(someObj);
...
System.out.println("Problem with the object :" + someObj);
to avoid the possibility of NullPointerExceptions when someObj is null.

JLM_JSR166_UTILCONCURRENT_MONITORENTER: Synchronization performed on util.concurrent instance

This method performs synchronization on an object that is an instance of a class from the java.util.concurrent package (or its subclasses). Instances of these classes have their own concurrency control mechanisms that are orthogonal to the synchronization provided by the Java keyword synchronized. For example, synchronizing on an AtomicBoolean will not prevent other threads from modifying the AtomicBoolean.

Such code may be correct, but should be carefully reviewed and documented, and may confuse people who have to maintain the code at a later date.

LEST_LOST_EXCEPTION_STACK_TRACE: Method throws alternative exception from catch block without history

This method catches an exception, and throws a different exception, without incorporating the original exception. Doing so hides the original source of the exception, making debugging and fixing these problems difficult. It is better to use the constructor of this new exception that takes an original exception so that this detail can be passed along to the user. If this exception has no constructor that takes an initial cause parameter, use the initCause method to initialize it instead.


catch (IOException e) {
    throw new MySpecialException("Failed to open configuration", e);
}

LI_LAZY_INIT_UPDATE_STATIC: Incorrect lazy initialization and update of static field

This method contains an unsynchronized lazy initialization of a static field. After the field is set, the object stored into that location is further updated or accessed. The setting of the field is visible to other threads as soon as it is set. If the further accesses in the method that set the field serve to initialize the object, then you have a very serious multithreading bug, unless something else prevents any other thread from accessing the stored object until it is fully initialized.

Even if you feel confident that the method is never called by multiple threads, it might be better to not set the static field until the value you are setting it to is fully populated/initialized.

LSC_LITERAL_STRING_COMPARISON: Method makes literal string comparisons passing the literal as an argument

This line is in the form of

String str = ...
str.equals("someOtherString");
//or
str.compareTo("someOtherString");

A NullPointerException may occur if the String variable str is null. If instead the code was restructured to

String str = ...
"someOtherString".equals(str);
//or
"someOtherString".compareTo(str);

that is, call equals() or compareTo() on the string literal, passing the variable as an argument, then this exception could never happen as both equals() and compareTo() check for null.

LSYC_LOCAL_SYNCHRONIZED_COLLECTION: Method creates local variable-based synchronized collection

This method creates a synchronized collection and stores the reference to it in a local variable. As local variables are by definition thread-safe, it seems questionable that this collection needs to be synchronized.

If you are using             consider using
java.util.Vector             java.util.ArrayList
java.util.Hashtable          java.util.HashMap
java.lang.StringBuffer       java.lang.StringBuilder

MDM_STRING_BYTES_ENCODING: Method encodes String bytes without specifying the character encoding

The behavior of the String(byte[] bytes) and String.getBytes() is undefined if the string cannot be encoded in the platform's default charset. Instead, use the String(byte[] bytes, String encoding) or String.getBytes(String encoding) constructor which accepts the string's encoding as an argument. Be sure to specify the encoding used for the user's locale.

As per the Java specifications, "UTF-8", "US-ASCII", "UTF-16" and "ISO-8859-1" will all be valid encoding charsets. If you aren't sure, try "UTF-8".

New in Java 1.7, you can specify an encoding from StandardCharsets, like StandardCharsets.UTF_8. These are generally preferable because you don't have to deal with UnsupportedEncodingException.
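The following is an added example, not from the FindBugs report or the analyzed project, illustrating both DM_DEFAULT_ENCODING above and MDM_STRING_BYTES_ENCODING: the same string digested once through an explicit StandardCharsets charset and once through the default-charset overload. The string value and the choice of SHA-256 are constructed for the demonstration; the point is that the explicit form yields the same bytes on every platform, while the default form depends on the JVM's file.encoding, which matters whenever the bytes feed a hash, MAC, signature or comparison.

```java
// Added example: explicit charset versus platform default when turning a String into bytes.
// The sample string and use of SHA-256 are constructed for illustration.
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class ExplicitCharset {
    /** Portable: the bytes, and therefore the digest, are fixed by the named encoding. */
    public static byte[] sha256Utf8(String s) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
    }

    /** Not portable: this is the call shape both warnings flag. */
    public static byte[] sha256Default(String s) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(s.getBytes());
    }

    /** True only if encoding then decoding with the given charset returns the original string. */
    public static boolean roundTrips(String s, Charset cs) {
        return new String(s.getBytes(cs), cs).equals(s);
    }

    private static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String s = "na\u00efve \u20ac"; // constructed: Latin-1 letter plus a character outside Latin-1
        System.out.println("default charset on this JVM: " + Charset.defaultCharset());
        System.out.println("UTF-8 byte length:      " + s.getBytes(StandardCharsets.UTF_8).length);
        System.out.println("ISO-8859-1 byte length: " + s.getBytes(StandardCharsets.ISO_8859_1).length);
        System.out.println("sha256 via UTF-8:   " + hex(sha256Utf8(s)));
        System.out.println("sha256 via default: " + hex(sha256Default(s)));
        // ISO-8859-1 cannot represent the euro sign; getBytes() does not fail, it substitutes,
        // so the round trip silently loses data instead of throwing.
        System.out.println("round-trips as UTF-8:      " + roundTrips(s, StandardCharsets.UTF_8));
        System.out.println("round-trips as ISO-8859-1: " + roundTrips(s, StandardCharsets.ISO_8859_1));
    }
}
```

Run it under two JVMs started with different -Dfile.encoding values (or on Windows and Linux hosts) and the "via default" digest changes while the "via UTF-8" digest does not; the round-trip check shows the other failure mode, where an unrepresentable character is replaced rather than reported.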

MOM_MISLEADING_OVERLOAD_MODEL: Class 'overloads' a method with both instance and static versions

This class 'overloads' the same method with both instance and static versions. As the use of these two models is different, it will be confusing to the users of these methods.

MS_EXPOSE_REP: Public static method may expose internal representation by returning array

A public static method returns a reference to an array that is part of the static state of the class. Any code that calls this method can freely modify the underlying array. One fix is to return a copy of the array.

NAB_NEEDLESS_BOXING_PARSE: Method converts String to primitive using excessive boxing

This method passes a String to a wrapped primitive object's valueOf method, which in turn calls the boxedValue() method to convert to a primitive. When it is desired to convert from a String to a primitive value, it is simpler to use the BoxedPrimitive.parseBoxedPrimitive(String) method.

Instead of something like:


public int someMethod(String data) {
    long l = Long.valueOf(data).longValue();
    float f = Float.valueOf(data).floatValue();
    return Integer.valueOf(data); // There is an implicit .intValue() call
}

Simply do:

public int someMethod(String data) {
    long l = Long.parseLong(data);
    float f = Float.parseFloat(data);
    return Integer.parseInt(data);
}

NAB_NEEDLESS_BOOLEAN_CONSTANT_CONVERSION: Method needlessly boxes a boolean constant

This method assigns a Boxed boolean constant to a primitive boolean variable, or assigns a primitive boolean constant to a Boxed boolean variable. Use the correct constant for the variable desired. Use


boolean b = true;
boolean b = false;
or

Boolean b = Boolean.TRUE;
Boolean b = Boolean.FALSE;

Be aware that this boxing happens automatically when you might not expect it. For example,


Map statusMap = ...

public Boolean someMethod() {
    statusMap.put("foo", true);  //the "true" here is boxed
    return false;  //the "false" here is boxed
}
has two cases of this needless autoboxing. This can be made more efficient by simply substituting in the constant values:

Map statusMap = ...

public Boolean someMethod() {
    statusMap.put("foo", Boolean.TRUE);
    return Boolean.FALSE;
}

NOS_NON_OWNED_SYNCHRONIZATION: Class uses non owned variables to synchronize on

This method uses a synchronize block where the object that is being synchronized on, is not owned by this current instance. This means that other instances may use this same object for synchronization for their own purposes, causing synchronization confusion. It is always cleaner and safer to only synchronize on private fields of this class. Note that 'this' is not owned by the current instance, but is owned by whomever assigns it to a field of its class. Synchronizing on 'this' is also not a good idea.

NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE: Possible null pointer dereference due to return value of called method

The return value from a method is dereferenced without a null check, and the return value of that method is one that should generally be checked for null. This may lead to a NullPointerException when the code is executed.

NP_NULL_ON_SOME_PATH_EXCEPTION: Possible null pointer dereference in method on exception path

A reference value which is null on some exception control path is dereferenced here.  This may lead to a NullPointerException when the code is executed.  Note that because FindBugs currently does not prune infeasible exception paths, this may be a false warning.

Also note that FindBugs considers the default case of a switch statement to be an exception path, since the default case is often infeasible.

OS_OPEN_STREAM: Method may fail to close stream

The method creates an IO stream object, does not assign it to any fields, pass it to other methods that might close it, or return it, and does not appear to close the stream on all paths out of the method.  This may result in a file descriptor leak.  It is generally a good idea to use a finally block to ensure that streams are closed.

PCOA_PARTIALLY_CONSTRUCTED_OBJECT_ACCESS: Constructor makes call to non-final method

This constructor makes a call to a non-final method. Since this method can be overridden, a subclass' implementation will be executing against an object that has not been initialized at the subclass level. You should mark all methods called from the constructor as final to avoid this problem.

PDP_POORLY_DEFINED_PARAMETER: Method defines parameters more abstractly than needed to function properly

This method defines parameters at a more abstract level than is actually needed to function correctly, as the code casts these parameters to more concrete types. Since this method is not derivable, you should just define the parameters with the type that is needed.

PRMC_POSSIBLY_REDUNDANT_METHOD_CALLS: Method appears to call the same method on the same object redundantly

This method makes two consecutive calls to the same method, using the same constant parameters, on the same instance, without any intervening changes to the objects. If this method does not make changes to the object, which it appears it doesn't, then making two calls is just a waste. These method calls could be combined by assigning the result into a temporary variable, and using the variable the second time.

RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE: Redundant nullcheck of value known to be non-null

This method contains a redundant check of a known non-null value against the constant null.

REC_CATCH_EXCEPTION: Exception is caught when Exception is not thrown

This method uses a try-catch block that catches Exception objects, but Exception is not thrown within the try block, and RuntimeException is not explicitly caught. It is a common bug pattern to say try { ... } catch (Exception e) { something } as a shorthand for catching a number of types of exception each of whose catch blocks is identical, but this construct also accidentally catches RuntimeException as well, masking potential bugs.

A better approach is to either explicitly catch the specific exceptions that are thrown, or to explicitly catch RuntimeException exception, rethrow it, and then catch all non-Runtime Exceptions, as shown below:

  try {
    ...
  } catch (RuntimeException e) {
    throw e;
  } catch (Exception e) {
    ... deal with all non-runtime exceptions ...
  }

RV_ABSOLUTE_VALUE_OF_HASHCODE: Bad attempt to compute absolute value of signed 32-bit hashcode

This code generates a hashcode and then computes the absolute value of that hashcode. If the hashcode is Integer.MIN_VALUE, then the result will be negative as well (since Math.abs(Integer.MIN_VALUE) == Integer.MIN_VALUE).

One out of 2^32 strings has a hashCode of Integer.MIN_VALUE, including "polygenelubricants", "GydZG_" and "DESIGNING WORKHOUSES".
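The following is an added example, not from the FindBugs report or the analyzed project, showing the failure the text describes with one of the strings it lists and two ways of computing a bucket index that are non-negative for every int. The bucket count of 7 is chosen deliberately: with a power-of-two count the broken version happens to return 0 for this hash and the defect stays hidden.

```java
// Added example: Math.abs(hashCode()) as a bucket index, and two corrections.
// The bucket count and key are constructed for the demonstration.
public class BucketIndex {
    /** Flagged pattern: Math.abs(Integer.MIN_VALUE) is still negative, so this can index below 0. */
    public static int bucketWithAbs(String key, int buckets) {
        return Math.abs(key.hashCode()) % buckets;
    }

    /** Correction 1: clear the sign bit before the modulo. */
    public static int bucketWithMask(String key, int buckets) {
        return (key.hashCode() & 0x7fffffff) % buckets;
    }

    /** Correction 2: floorMod is non-negative for any int when the divisor is positive. */
    public static int bucketWithFloorMod(String key, int buckets) {
        return Math.floorMod(key.hashCode(), buckets);
    }

    public static void main(String[] args) {
        String key = "polygenelubricants"; // one of the strings the description lists
        int buckets = 7;

        check(key.hashCode() == Integer.MIN_VALUE, "key hashes to Integer.MIN_VALUE");
        check(Math.abs(Integer.MIN_VALUE) == Integer.MIN_VALUE, "abs(MIN_VALUE) wraps to MIN_VALUE");
        check(bucketWithAbs(key, buckets) < 0, "abs-based index goes negative");
        check(bucketWithMask(key, buckets) >= 0 && bucketWithMask(key, buckets) < buckets,
              "mask-based index is in range");
        check(bucketWithFloorMod(key, buckets) >= 0 && bucketWithFloorMod(key, buckets) < buckets,
              "floorMod-based index is in range");

        Object[] table = new Object[buckets];
        try {
            table[bucketWithAbs(key, buckets)] = key; // throws ArrayIndexOutOfBoundsException
            check(false, "expected an out-of-bounds access");
        } catch (ArrayIndexOutOfBoundsException expected) {
            System.out.println("abs-based index failed as expected: " + expected.getMessage());
        }
        table[bucketWithFloorMod(key, buckets)] = key;
        System.out.println("stored at bucket " + bucketWithFloorMod(key, buckets));
    }

    private static void check(boolean ok, String what) {
        if (!ok) throw new AssertionError(what);
    }
}
```

The two corrections do not pick the same bucket for this key (the mask clears the sign bit, floorMod adds the divisor), so pick one and use it consistently wherever the same hash is mapped to an index; mixing them across a codebase yields lookups that miss entries that were stored.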

RV_RETURN_VALUE_IGNORED_BAD_PRACTICE: Method ignores exceptional return value

This method returns a value that is not checked. The return value should be checked since it can indicate an unusual or unexpected function execution. For example, the File.delete() method returns false if the file could not be successfully deleted (rather than throwing an Exception). If you don't check the result, you won't notice if the method invocation signals unexpected behavior by returning an atypical return value.

SA_FIELD_DOUBLE_ASSIGNMENT: Double assignment of field

This method contains a double assignment of a field; e.g.

  int x,y;
  public void foo() {
    x = x = 17;
  }

Assigning to a field twice is useless, and may indicate a logic error or typo.

SBSC_USE_STRINGBUFFER_CONCATENATION: Method concatenates strings using + in a loop

The method seems to be building a String using concatenation in a loop. In each iteration, the String is converted to a StringBuffer/StringBuilder, appended to, and converted back to a String. This can lead to a cost quadratic in the number of iterations, as the growing string is recopied in each iteration.

Better performance can be obtained by using a StringBuffer (or StringBuilder in Java 1.5) explicitly.

For example:

  // This is bad
  String s = "";
  for (int i = 0; i < field.length; ++i) {
    s = s + field[i];
  }

  // This is better
  StringBuffer buf = new StringBuffer();
  for (int i = 0; i < field.length; ++i) {
    buf.append(field[i]);
  }
  String s = buf.toString();

SE_BAD_FIELD: Non-transient non-serializable instance field in serializable class

This Serializable class defines a non-primitive instance field which is neither transient, Serializable, nor java.lang.Object, and does not appear to implement the Externalizable interface or the readObject() and writeObject() methods. Objects of this class will not be deserialized correctly if a non-Serializable object is stored in this field.

HTTP_PARAMETER_POLLUTION: HTTP Parameter Pollution

Concatenating unvalidated user input into a URL can allow an attacker to override the value of a request parameter. An attacker may be able to override existing parameter values, inject a new parameter or exploit variables out of a direct reach. HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user may compromise the logic of the application to perform either client-side or server-side attacks.

In the following example the programmer has not considered the possibility that an attacker could provide a lang such as en&user_id=1, which would enable him to change the user_id at will.

Vulnerable Code:

String lang = request.getParameter("lang");
GetMethod get = new GetMethod("http://www.host.com");
get.setQueryString("lang=" + lang + "&user_id=" + user_id);
get.execute();

Solution:
Sanitize user input before using it in HTTP parameters.


References
CAPEC-460: HTTP Parameter Pollution (HPP)
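The following is an added example, not from the FindBugs report or the analyzed project, showing two concrete forms of the "sanitize user input" advice for the scenario above: URL-encoding every query value so that "&" and "=" inside a value cannot start a new parameter, and, for a parameter with a small known domain such as lang, an allow-list that discards anything unexpected. The allow-list contents, the user id and the hostile input are constructed for the demonstration.

```java
// Added example: building a query string so user input cannot inject parameters.
// The allow-list, sample user id and hostile value are constructed for illustration.
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class QueryBuilder {
    private static final Set<String> ALLOWED_LANGS = Set.of("en", "de", "fr");

    /** Encodes each key and value separately; "&" becomes %26 and "=" becomes %3D inside values. */
    public static String encodeQuery(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return sb.toString();
    }

    /** Returns lang only if it is on the allow-list, otherwise a fixed default. */
    public static String normalizeLang(String lang) {
        return (lang != null && ALLOWED_LANGS.contains(lang)) ? lang : "en";
    }

    /** Counts "user_id=" occurrences: more than one means a parameter was injected. */
    public static int countUserIdParams(String query) {
        int n = 0;
        for (String pair : query.split("&")) {
            if (pair.startsWith("user_id=")) n++;
        }
        return n;
    }

    public static void main(String[] args) {
        String lang = "en&user_id=1"; // the hostile value from the description, constructed here
        int userId = 42;

        // Same shape as the vulnerable snippet: the injected pair becomes a real parameter.
        String unsafe = "lang=" + lang + "&user_id=" + userId;

        // Encoded: the whole hostile value is the single value of "lang".
        Map<String, String> params = new LinkedHashMap<>();
        params.put("lang", lang);
        params.put("user_id", Integer.toString(userId));
        String encoded = encodeQuery(params);

        // Allow-listed: the value is replaced outright because it is not a known language.
        String allowListed = encodeQuery(Map.of("lang", normalizeLang(lang)))
                           + "&user_id=" + userId;

        System.out.println("unsafe:       " + unsafe + "  (user_id params: " + countUserIdParams(unsafe) + ")");
        System.out.println("encoded:      " + encoded + "  (user_id params: " + countUserIdParams(encoded) + ")");
        System.out.println("allow-listed: " + allowListed + "  (user_id params: " + countUserIdParams(allowListed) + ")");
        if (countUserIdParams(encoded) != 1 || countUserIdParams(allowListed) != 1) {
            throw new AssertionError("a user_id parameter was injected");
        }
    }
}
```

Encoding is the general fix because it works for any value; the allow-list is stronger where the parameter's legal values are known, since it also removes values that are harmless to the URL but wrong for the application. URLEncoder.encode(String, Charset) requires Java 10 or later; on older JDKs use the String-charset-name overload with "UTF-8".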

PATH_TRAVERSAL_IN: Potential Path Traversal (file read)

A file is opened to read its content. The filename comes from an input parameter. If an unfiltered parameter is passed to this file API, files from an arbitrary filesystem location could be read.

This rule identifies potential path traversal vulnerabilities. In many cases, the constructed file path cannot be controlled by the user. If that is the case, the reported instance is a false positive.


Vulnerable Code:

import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;

@GET
@Path("/images/{image}")
@Produces("images/*")
public Response getImage(@javax.ws.rs.PathParam("image") String image) throws FileNotFoundException {
    File file = new File("resources/images/", image); //Weak point: "image" may contain ".." segments

    if (!file.exists()) {
        return Response.status(Status.NOT_FOUND).build();
    }

    return Response.ok().entity(new FileInputStream(file)).build();
}


Solution:

import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;
import org.apache.commons.io.FilenameUtils;

@GET
@Path("/images/{image}")
@Produces("images/*")
public Response getImage(@javax.ws.rs.PathParam("image") String image) throws FileNotFoundException {
    File file = new File("resources/images/", FilenameUtils.getName(image)); //Fix: keeps only the last path segment

    if (!file.exists()) {
        return Response.status(Status.NOT_FOUND).build();
    }

    return Response.ok().entity(new FileInputStream(file)).build();
}


References
WASC: Path Traversal
OWASP: Path Traversal
CAPEC-126: Path Traversal
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
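The following is an added example, not from the FindBugs report, the find-sec-bugs text or the analyzed project. The fix shown above keeps only the final path segment, which is right when every served file sits directly in one directory. When files may live in subdirectories, the alternative is to resolve the user-supplied path under the base directory and then verify, lexically and after symlink resolution, that the result is still inside it. The class name SafeImageResolver, the temporary directory and the sample file are assumptions constructed for the demonstration; it needs no third-party library.

```java
// Added example: confining a user-supplied relative path to a base directory with java.nio.file.
// SafeImageResolver and the fixture files are constructed for illustration.
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

public class SafeImageResolver {
    private final Path baseDir;

    public SafeImageResolver(Path baseDir) throws IOException {
        // Resolve symlinks in the base itself so both containment checks compare real locations.
        this.baseDir = baseDir.toRealPath();
    }

    /**
     * Returns the real path of userInput under baseDir, or null if the name is empty,
     * malformed, escapes the base directory (".." or absolute), points outside it via a
     * symlink, or does not exist. Callers map null to a 404 response.
     */
    public Path resolve(String userInput) throws IOException {
        if (userInput == null || userInput.isEmpty() || userInput.indexOf('\0') >= 0) {
            return null;
        }
        Path candidate;
        try {
            // An absolute userInput replaces baseDir entirely in resolve(); the startsWith check catches it.
            candidate = baseDir.resolve(userInput).normalize();
        } catch (InvalidPathException e) {
            return null;
        }
        if (!candidate.startsWith(baseDir)) {
            return null; // lexical escape
        }
        if (!Files.isRegularFile(candidate)) {
            return null; // missing, or a directory
        }
        Path real = candidate.toRealPath();
        if (!real.startsWith(baseDir)) {
            return null; // a symlink inside the directory that points outside it
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("images");
        Files.createDirectories(base.resolve("sub"));
        Files.write(base.resolve("ok.png"), new byte[] {1, 2, 3});         // constructed fixture
        Files.write(base.resolve("sub/inner.png"), new byte[] {4, 5, 6});  // constructed fixture
        SafeImageResolver r = new SafeImageResolver(base);

        check(r.resolve("ok.png") != null, "plain name inside the directory is served");
        check(r.resolve("sub/inner.png") != null, "a file in a subdirectory is served");
        check(r.resolve("sub/../ok.png") != null, "a path that normalizes back inside is served");
        check(r.resolve("../../etc/passwd") == null, "dot-dot escape is rejected");
        check(r.resolve("/etc/passwd") == null, "absolute path is rejected");
        check(r.resolve("sub") == null, "a directory is not served");
        check(r.resolve("missing.png") == null, "a missing file yields null");
        System.out.println("all checks passed under " + base);
    }

    private static void check(boolean ok, String what) {
        if (!ok) throw new AssertionError(what);
    }
}
```

The double check matters: normalize() handles ".." lexically but knows nothing about symlinks, and toRealPath() handles symlinks but throws for files that do not exist, so the existence test sits between them. Deleting the temporary directory afterwards is left to the reader.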

SF_SWITCH_NO_DEFAULT: Switch statement found where default case is missing

This method contains a switch statement where default case is missing. Usually you need to provide a default case.

Because the analysis only looks at the generated bytecode, this warning can be incorrectly triggered if the default case is at the end of the switch statement and the switch statement doesn't contain break statements for other cases.

SIC_INNER_SHOULD_BE_STATIC: Should be a static inner class

This class is an inner class, but does not use its embedded reference to the object which created it.  This reference makes the instances of the class larger, and may keep the reference to the creator object alive longer than necessary.  If possible, the class should be made static.

SPP_EQUALS_ON_ENUM: Method calls equals on an enum instance

This method calls the equals(Object) method on an enum instance. Since enum values are singletons, you can use == to safely compare two enum values. In fact, the implementation for Enum.equals does just that.

SPP_NULL_BEFORE_INSTANCEOF: Method checks a reference for null before calling instanceof

This method checks a reference for null just before seeing if the reference is an instanceof some class. Since instanceof will return false for null references, the null check is not needed.

SPP_USE_ISEMPTY: Method checks the size of a collection against zero rather than using isEmpty()

This method calls the size() method on a collection and compares the result to zero to see if the collection is empty. For better code clarity, it is better to just use col.isEmpty() or !col.isEmpty().

ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD: Write to static field from instance method

This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.

STCAL_STATIC_SIMPLE_DATE_FORMAT_INSTANCE: Static DateFormat

As the JavaDoc states, DateFormats are inherently unsafe for multithreaded use. Sharing a single instance across thread boundaries without proper synchronization will result in erratic behavior of the application.

You may also experience serialization problems.

Using an instance field is recommended.

For more information on this see Sun Bug #6231579 and Sun Bug #6178997.

STT_STRING_PARSING_A_FIELD: This method parses a String that is a field

This method calls a parsing method (indexOf, lastIndexOf, startsWith, endsWith, substring) on a String that is a field, or comes from a collection that is a field. This implies that the String in question is holding multiple parts of information inside the string, which would be more maintainable and type safe if that value was a true collection or a first class object with fields, rather than a String.

STT_TOSTRING_STORED_IN_FIELD: This method stores the value of a toString() call into a field

This method calls the toString() method on an object and stores the value in a field. Doing this throws away the type safety of having the object defined by a Class. Using String makes it very easy to use the wrong type of value, and the compiler will not catch these mistakes. You should delay converting values to Strings for as long as possible, and thus not store them as fields.

SUA_SUSPICIOUS_UNINITIALIZED_ARRAY: Method returns an array that appears not to be initialized

This method returns an array that was allocated but apparently not initialized. It is possible that the caller of this method will do the work of initializing this array, but that is not a common pattern, and it is assumed that this array has just been forgotten to be initialized.

UCPM_USE_CHARACTER_PARAMETERIZED_METHOD: Method passes constant String of length 1 to character overridden method

This method passes a constant literal String of length 1 as a parameter to a method, when a similar method is exposed that takes a char. It is simpler and more expedient to handle one character, rather than a String.

Instead of making calls like:


String myString = ...
if (myString.indexOf("e") != -1) {
    int i = myString.lastIndexOf("e");
    System.out.println(myString + ":" + i);  //the Java compiler will use a StringBuilder internally here [builder.append(":")]
    ...
    return myString.replace("m","z");
}
Replace the single letter Strings with their char equivalents like so:

String myString = ...
if (myString.indexOf('e') != -1) {
    int i = myString.lastIndexOf('e');
    System.out.println(myString + ':' + i);  //the Java compiler will use a StringBuilder internally here [builder.append(':')]
    ...
    return myString.replace('m','z');
}

UP_UNUSED_PARAMETER: Static or private method has unused parameters

This method defines parameters that are never used. As this method is either static or private, and can't be derived from, it is safe to remove these parameters and simplify your method. You should consider, while unlikely, that this method may be used reflectively, and thus you will want to change that call as well. In this case, it is likely that once you remove the parameter, there will be a chain of method calls that have spent time creating this parameter and passing it down the line. All of this may be able to be removed.

URF_UNREAD_PUBLIC_OR_PROTECTED_FIELD: Unread public/protected field

This field is never read.  The field is public or protected, so perhaps it is intended to be used with classes not seen as part of the analysis. If not, consider removing it from the class.

USBR_UNNECESSARY_STORE_BEFORE_RETURN: Method stores return result in local before immediately returning it

This method stores the return result in a local variable, and then immediately returns the local variable. It would be simpler just to return the value that is assigned to the local variable, directly.

Instead of the following:


public float average(int[] arr) {
    float sum = 0;
    for (int i = 0; i < arr.length; i++) {
        sum += arr[i];
    }
    float ave = sum / arr.length;
    return ave;
}
Simply change the method to return the result of the division:

public float average(int[] arr) {
    float sum = 0;
    for (int i = 0; i < arr.length; i++) {
        sum += arr[i];
    }
    return sum / arr.length; //Change
}

UTWR_USE_TRY_WITH_RESOURCES: Method manually handles closing an auto-closeable resource


This method allocates and uses an auto closeable resource. However, it manually closes the resource in a finally block. While this is correct management, it doesn't rely on the idiomatic way available to JDK 7 and above, allows for possible subtle problems, and complicates the reading of code by developers expecting the use of try-with-resources.

Switch to using try with resources, as:

    try (InputStream is = getAStream()) {
        useTheStream(is);
    }

WMI_WRONG_MAP_ITERATOR: Inefficient use of keySet iterator instead of entrySet iterator

This method accesses the value of a Map entry, using a key that was retrieved from a keySet iterator. It is more efficient to use an iterator on the entrySet of the map, to avoid the Map.get(key) lookup.