SpotBugs Report

Project Information

Project: app (spotbugsGplayDebugReport)

SpotBugs version: 4.1.1

Code analyzed:



Metrics

15614 lines of code analyzed, in 567 classes, in 46 packages.

Metric                     Total   Density*
High Priority Warnings        22       1.41
Medium Priority Warnings     219      14.03
Total Warnings               241      15.43

(* Defects per Thousand lines of non-commenting source statements)



Contents

Summary

Warning Type              Number
Bad practice Warnings          8
Correctness Warnings         107
Experimental Warnings          2
Performance Warnings          11
Security Warnings              8
Dodgy code Warnings           98
Total                        234

Warnings


Bad practice Warnings

Code Warning
HE com.nextcloud.talk.adapters.items.AppItem defines equals but not hashCode
HE com.nextcloud.talk.adapters.items.MenuItem defines equals but not hashCode
OS new com.nextcloud.talk.utils.ssl.MagicTrustManager() may fail to close stream
OS com.nextcloud.talk.utils.ssl.MagicTrustManager.addCertInTrustStore(X509Certificate) may fail to close stream
Se The field com.nextcloud.talk.models.database.ArbitraryStorageEntity.$proxy is transient but isn't set by deserialization
Se The field com.nextcloud.talk.models.database.UserEntity.$proxy is transient but isn't set by deserialization
SnVI com.nextcloud.talk.models.database.ArbitraryStorageEntity is Serializable; consider declaring a serialVersionUID
SnVI com.nextcloud.talk.models.database.UserEntity is Serializable; consider declaring a serialVersionUID
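The HE, Se and SnVI rows above describe two contracts of java.lang.Object and java.io.Serializable that the flagged classes break: equals() without a matching hashCode() makes HashSet/HashMap lookups fail for objects that compare equal, a transient field (here the generated $proxy) comes back null after deserialization unless the class rebuilds it, and a missing serialVersionUID lets any recompilation change the stream format. The following is an added example, not code from Nextcloud Talk; BadPracticeDemo, EqualsOnlyItem and ConsistentItem are hypothetical stand-ins for the flagged classes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;

// Hypothetical stand-ins for the report's AppItem/MenuItem and UserEntity classes.
public class BadPracticeDemo {

    // HE as flagged: equals() overridden, hashCode() inherited from Object (identity based).
    static final class EqualsOnlyItem {
        final String id;
        EqualsOnlyItem(String id) { this.id = id; }
        @Override public boolean equals(Object o) {
            return o instanceof EqualsOnlyItem && ((EqualsOnlyItem) o).id.equals(id);
        }
    }

    // Fixed: equals()/hashCode() agree, the stream format is pinned, and the transient
    // field is rebuilt (and the stream validated) in readObject().
    static final class ConsistentItem implements Serializable {
        private static final long serialVersionUID = 1L;   // SnVI
        final String id;
        transient Object proxy;                             // Se: never written to the stream

        ConsistentItem(String id) { this.id = id; this.proxy = new Object(); }

        @Override public boolean equals(Object o) {
            return o instanceof ConsistentItem && ((ConsistentItem) o).id.equals(id);
        }
        @Override public int hashCode() { return Objects.hash(id); }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (id == null) throw new InvalidObjectException("id missing from stream");
            proxy = new Object();                            // restore what the stream cannot carry
        }
    }

    // Two equal EqualsOnlyItems land in different hash buckets, so the lookup misses.
    static boolean equalsOnlyFoundInSet() {
        Set<EqualsOnlyItem> set = new HashSet<>();
        set.add(new EqualsOnlyItem("room-1"));
        return set.contains(new EqualsOnlyItem("room-1"));
    }

    static boolean consistentFoundInSet() {
        Set<ConsistentItem> set = new HashSet<>();
        set.add(new ConsistentItem("room-1"));
        return set.contains(new ConsistentItem("room-1"));
    }

    // Round-trip through Java serialization; true only if the transient field was rebuilt.
    static boolean transientRestoredAfterRoundTrip() throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(new ConsistentItem("room-1"));
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            ConsistentItem copy = (ConsistentItem) in.readObject();
            return copy.proxy != null && copy.equals(new ConsistentItem("room-1"));
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("equals-only item found in HashSet:   " + equalsOnlyFoundInSet());
        System.out.println("consistent item found in HashSet:    " + consistentFoundInSet());
        System.out.println("transient restored after round-trip: " + transientRestoredAfterRoundTrip());
    }
}
```

readObject() is also the place to validate an entity that arrives from an untrusted stream; if such streams are ever deserialized, set an ObjectInputFilter on the ObjectInputStream (Java 9 and later) so that only the expected classes are admitted.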

Correctness Warnings

Code Warning
BED Non derivable method com.nextcloud.talk.components.filebrowser.models.BrowserFile$$JsonObjectMapper.parseField(BrowserFile, String, JsonParser) declares throwing an exception that isn't thrown
BED Non derivable method com.nextcloud.talk.models.SignatureVerification$$JsonObjectMapper.parseField(SignatureVerification, String, JsonParser) declares throwing an exception that isn't thrown
BED Non derivable method com.nextcloud.talk.models.json.push.PushConfiguration$$JsonObjectMapper.parseField(PushConfiguration, String, JsonParser) declares throwing an exception that isn't thrown
FCBL Class com.nextcloud.talk.events.MoreMenuClickEvent defines fields that are used only as locals
FCCD Class com.nextcloud.talk.webrtc.MagicBluetoothManager has a circular dependency with other classes
LUI Method com.nextcloud.talk.newarch.local.db.TalkDatabase_Impl$1.onValidateSchema(SupportSQLiteDatabase) builds a list from one element using Arrays.asList rather than Collections.singletonList
LUI Method com.nextcloud.talk.newarch.local.db.TalkDatabase_Impl$1.onValidateSchema(SupportSQLiteDatabase) builds a list from one element using Arrays.asList rather than Collections.singletonList
LUI Method com.nextcloud.talk.newarch.local.db.TalkDatabase_Impl$1.onValidateSchema(SupportSQLiteDatabase) builds a list from one element using Arrays.asList rather than Collections.singletonList
LUI Method com.nextcloud.talk.newarch.local.db.TalkDatabase_Impl$1.onValidateSchema(SupportSQLiteDatabase) builds a list from one element using Arrays.asList rather than Collections.singletonList
MF Field EventOverallWebSocketMessage.type masks field in superclass com.nextcloud.talk.models.json.websocket.BaseWebSocketMessage
NP Possible null pointer dereference of MagicTrustManager.trustedKeyStore in new com.nextcloud.talk.utils.ssl.MagicTrustManager() on exception path
PCOA Constructor new com.nextcloud.talk.utils.BetterImageSpan(Drawable, int) makes call to non-final method
PCOA Constructor new com.nextcloud.talk.webrtc.MagicBluetoothManager(Context, MagicAudioManager) makes call to non-final method
SPP Method com.nextcloud.talk.models.json.capabilities.SpreedCapability$$JsonObjectMapper.serialize(SpreedCapability, JsonGenerator, boolean) calls toString() on a String
SPP Method com.nextcloud.talk.models.json.capabilities.SpreedCapability$$JsonObjectMapper.serialize(SpreedCapability, JsonGenerator, boolean) calls toString() on a String
SPP Method com.nextcloud.talk.models.json.chat.ChatMessage$$JsonObjectMapper.serialize(ChatMessage, JsonGenerator, boolean) calls toString() on a String
SPP Method com.nextcloud.talk.models.json.chat.ChatMessage$$JsonObjectMapper.serialize(ChatMessage, JsonGenerator, boolean) calls toString() on a String
SPP Method com.nextcloud.talk.models.json.conversations.Conversation$$JsonObjectMapper.serialize(Conversation, JsonGenerator, boolean) calls toString() on a String
SPP Method com.nextcloud.talk.models.json.notifications.Notification$$JsonObjectMapper.serialize(Notification, JsonGenerator, boolean) calls toString() on a String
SPP Method com.nextcloud.talk.models.json.notifications.Notification$$JsonObjectMapper.serialize(Notification, JsonGenerator, boolean) calls toString() on a String
SPP Method com.nextcloud.talk.models.json.notifications.Notification$$JsonObjectMapper.serialize(Notification, JsonGenerator, boolean) calls toString() on a String
SPP Method com.nextcloud.talk.models.json.notifications.Notification$$JsonObjectMapper.serialize(Notification, JsonGenerator, boolean) calls toString() on a String
SPP Method com.nextcloud.talk.models.json.signaling.DataChannelMessageNick$$JsonObjectMapper.serialize(DataChannelMessageNick, JsonGenerator, boolean) calls toString() on a String
SPP Method com.nextcloud.talk.models.json.websocket.ByeWebSocketMessage$$JsonObjectMapper.serialize(ByeWebSocketMessage, JsonGenerator, boolean) calls toString() on a String
SPP Method com.nextcloud.talk.models.json.websocket.EventOverallWebSocketMessage$$JsonObjectMapper.serialize(EventOverallWebSocketMessage, JsonGenerator, boolean) calls toString() on a String
SUA Method com.nextcloud.talk.components.filebrowser.controllers.BrowserController$BrowserType$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.components.filebrowser.models.BrowserFile$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.controllers.CallController$CallStatus$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.ExternalSignalingServer$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.RetrofitBucket$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.RingtoneSettings$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.SignatureVerification$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.database.ArbitraryStorageEntity$11.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.database.UserEntity$27.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.autocomplete.AutocompleteOCS$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.autocomplete.AutocompleteOverall$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.autocomplete.AutocompleteUser$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.capabilities.Capabilities$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.capabilities.CapabilitiesList$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.capabilities.CapabilitiesOCS$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.capabilities.CapabilitiesOverall$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.capabilities.NotificationsCapability$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.capabilities.SpreedCapability$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.capabilities.ThemingCapability$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.chat.ChatMessage$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.chat.ChatOCS$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.chat.ChatOverall$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.conversations.Conversation$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.conversations.Conversation$ConversationType$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.conversations.RoomsOCS$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.conversations.RoomsOverall$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.generic.GenericMeta$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.generic.GenericOCS$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.generic.GenericOverall$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.generic.Status$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.mention.Mention$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.mention.MentionOCS$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.mention.MentionOverall$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.notifications.Notification$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.notifications.NotificationAction$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.notifications.NotificationOCS$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.notifications.NotificationRichObject$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.notifications.NotificationsOCS$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.participants.Participant$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.participants.ParticipantsOCS$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.participants.ParticipantsOverall$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.push.DecryptedPushMessage$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.push.NotificationUser$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.push.PushConfiguration$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.push.PushRegistration$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.push.PushRegistrationOCS$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.push.PushRegistrationOverall$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.sharees.ExactSharees$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.sharees.Sharee$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.sharees.ShareesOCS$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.sharees.ShareesOverall$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.sharees.SharesData$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.sharees.Value$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.signaling.NCIceCandidate$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.signaling.NCMessagePayload$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.signaling.NCMessageWrapper$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.signaling.NCSignalingMessage$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.userprofile.UserProfileData$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.userprofile.UserProfileOCS$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.userprofile.UserProfileOverall$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.websocket.ActorWebSocketMessage$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.websocket.AuthParametersWebSocketMessage$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.websocket.AuthWebSocketMessage$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.websocket.BaseWebSocketMessage$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.websocket.ByeWebSocketMessage$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.websocket.CallOverallWebSocketMessage$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.websocket.CallWebSocketMessage$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.websocket.ErrorOverallWebSocketMessage$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.websocket.ErrorWebSocketMessage$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.websocket.EventOverallWebSocketMessage$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.websocket.HelloOverallWebSocketMessage$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.websocket.HelloResponseOverallWebSocketMessage$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.websocket.HelloResponseWebSocketMessage$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.websocket.HelloWebSocketMessage$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.websocket.JoinedRoomOverallWebSocketMessage$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.websocket.RequestOfferOverallWebSocketMessage$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.websocket.RequestOfferSignalingMessage$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.websocket.RoomOverallWebSocketMessage$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.websocket.RoomPropertiesWebSocketMessage$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.websocket.RoomWebSocketMessage$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.websocket.ServerHelloResponseFeaturesWebSocketMessage$$Parcelable$1.newArray(int) returns an array that appears not to be initialized
SUA Method com.nextcloud.talk.models.json.websocket.SignalingDataWebSocketMessageForOffer$$Parcelable$1.newArray(int) returns an array that appears not to be initialized

Experimental Warnings

Code Warning
OBL new com.nextcloud.talk.utils.ssl.MagicTrustManager() may fail to clean up java.io.InputStream
OBL com.nextcloud.talk.utils.ssl.MagicTrustManager.addCertInTrustStore(X509Certificate) may fail to clean up java.io.OutputStream

Performance Warnings

Code Warning
IOI Method new com.nextcloud.talk.utils.ssl.MagicTrustManager() uses a FileInputStream or FileOutputStream constructor
IOI Method com.nextcloud.talk.utils.ssl.MagicTrustManager.addCertInTrustStore(X509Certificate) uses a FileInputStream or FileOutputStream constructor
ISB Method com.nextcloud.talk.callbacks.MentionAutocompleteCallback.onPopupItemClicked(Editable, Mention) passes simple concatenating string in StringBuffer or StringBuilder append
NAB Method com.nextcloud.talk.utils.database.user.UserUtils.getUsers() needlessly boxes a boolean constant
PSC Method com.nextcloud.talk.components.filebrowser.webdav.DavUtils.getAllPropSet() does not presize the allocation of a collection
PSC Method com.nextcloud.talk.components.filebrowser.webdav.ReadFilesystemOperation.readRemotePath() does not presize the allocation of a collection
UCPM Method com.nextcloud.talk.utils.TextMatchers.getMessageTypeFromString(String) passes constant String of length 1 to character overridden method
UEC Class com.nextcloud.talk.webrtc.MagicAudioManager uses an ordinary set or map with an enum class as the key
UuF Unused field: com.nextcloud.talk.components.filebrowser.models.DavResponse.response
WMI com.nextcloud.talk.models.json.chat.ChatUtils.getParsedMessage(String, HashMap) makes inefficient use of keySet iterator instead of entrySet iterator
WMI com.nextcloud.talk.models.json.chat.ChatUtils.getParsedMessageForSending(String, HashMap) makes inefficient use of keySet iterator instead of entrySet iterator
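Four rows above point at the same two methods of MagicTrustManager: the OS and OBL rows (constructor and addCertInTrustStore may not close their streams), the IOI rows (raw FileInputStream/FileOutputStream constructors) and the NP row (trustedKeyStore may be dereferenced while null on the constructor's exception path). The last one is the security-relevant finding: a trust manager whose store failed to load must fail closed, not continue with a null store. The following is an added example, not the project's code; TrustStoreHolder and its file layout are hypothetical, and it uses KeyStore.getDefaultType() so it runs on a plain JVM (an Android app would name its store type explicitly).

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.X509Certificate;

// Hypothetical trust-store holder (not the project's MagicTrustManager): the same two
// operations the report flags, written so that every stream is closed and the store
// field can never be observed as null.
public final class TrustStoreHolder {
    private final Path storePath;
    private final char[] password;
    private final KeyStore trustedKeyStore;

    public TrustStoreHolder(Path storePath, char[] password)
            throws GeneralSecurityException, IOException {
        this.storePath = storePath;
        this.password = password.clone();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        if (Files.exists(storePath)) {
            // try-with-resources closes the stream on success and on every exception path
            try (InputStream in = Files.newInputStream(storePath)) {
                ks.load(in, this.password);   // a corrupt or tampered file throws here ...
            }
        } else {
            ks.load(null, null);              // no file yet: start from an empty store
        }
        this.trustedKeyStore = ks;            // ... so this line is reached only with a loaded store
    }

    /** Number of certificates currently pinned. */
    public int trustedCount() throws KeyStoreException {
        return trustedKeyStore.size();
    }

    /** True if exactly this certificate has been pinned into the store. */
    public boolean isTrusted(X509Certificate cert) throws KeyStoreException {
        return trustedKeyStore.getCertificateAlias(cert) != null;
    }

    /** Pins a certificate and writes the store back to disk. */
    public synchronized void addCertInTrustStore(X509Certificate cert)
            throws GeneralSecurityException, IOException {
        String alias = cert.getSubjectX500Principal().getName()
                + "|" + cert.getSerialNumber().toString(16);
        trustedKeyStore.setCertificateEntry(alias, cert);
        persist();
    }

    /** Writes to a sibling temp file and renames it over the store, so a crash mid-write
     *  cannot leave a truncated (and therefore unloadable) trust store behind. */
    public synchronized void persist() throws GeneralSecurityException, IOException {
        Path tmp = storePath.resolveSibling(storePath.getFileName() + ".tmp");
        try (OutputStream out = Files.newOutputStream(tmp)) {
            trustedKeyStore.store(out, password);
        }
        Files.move(tmp, storePath, StandardCopyOption.REPLACE_EXISTING);
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("truststore-demo");
        Path store = dir.resolve("trusted.p12");
        char[] pw = "changeit".toCharArray();

        TrustStoreHolder fresh = new TrustStoreHolder(store, pw);      // no file yet
        System.out.println("entries in fresh store: " + fresh.trustedCount());
        fresh.persist();
        TrustStoreHolder reloaded = new TrustStoreHolder(store, pw);   // loads the written file
        System.out.println("entries after reload: " + reloaded.trustedCount());

        Files.write(store, new byte[] {0x00, 0x01, 0x02});             // constructed: a corrupt store file
        try {
            new TrustStoreHolder(store, pw);
            System.out.println("unexpected: corrupt store accepted");
        } catch (IOException | GeneralSecurityException e) {
            System.out.println("corrupt store rejected, no half-initialised object: " + e);
        }
    }
}
```

The constructor deliberately does not catch Exception: the caller decides whether an unloadable store means "ask the user again" or "refuse to connect", and neither option is possible once a trust manager with a null store has been handed to an SSLContext.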

Security Warnings

Code Warning
SECHCK Hard coded cryptographic key found
SECPTI This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input
SECUHE Unsafe comparison of hash that are susceptible to timing attack
SECUHE Unsafe comparison of hash that are susceptible to timing attack
SECUHE Unsafe comparison of hash that are susceptible to timing attack
SECUHE Unsafe comparison of hash that are susceptible to timing attack
SECUHE Unsafe comparison of hash that are susceptible to timing attack
SECUHE Unsafe comparison of hash that are susceptible to timing attack
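The SECUHE rows flag a hash (digest, MAC or signature) compared with an early-exit equality such as String.equals(), whose running time depends on how long a prefix of the attacker's guess matched; the SECPTI row flags a java.io.File built from a string an attacker may influence. The SECHCK row (hard-coded cryptographic key) carries no location in this report, so it is not reproduced; the remedy is to keep the key out of the code base altogether. The following is an added example, not the project's code: SecurityRowsDemo, its helper names and the sample inputs are constructed for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.security.MessageDigest;

// Hypothetical helpers (not the project's code) for the two SEC rows the report locates by API:
// a timing-safe digest comparison and a File(String) lookup confined to a base directory.
public final class SecurityRowsDemo {

    // SECUHE as flagged: String.equals() returns at the first differing character, so the
    // response time grows with the length of the correctly guessed prefix.
    static boolean unsafeHashEquals(String expectedHex, String providedHex) {
        return expectedHex.equals(providedHex);
    }

    // Fixed: decode both sides and let MessageDigest.isEqual() touch every byte.
    // Malformed input is rejected before any comparison takes place.
    static boolean constantTimeHashEquals(String expectedHex, String providedHex) {
        byte[] expected = hexToBytes(expectedHex);
        byte[] provided;
        try {
            provided = hexToBytes(providedHex);
        } catch (IllegalArgumentException malformed) {
            return false;
        }
        return MessageDigest.isEqual(expected, provided);
    }

    static byte[] hexToBytes(String hex) {
        if (hex == null || hex.length() % 2 != 0) throw new IllegalArgumentException("odd hex length");
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) throw new IllegalArgumentException("non-hex character");
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    static String bytesToHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // SECPTI: new File(userPath) follows "../" wherever it leads. Fixed: refuse absolute
    // paths, resolve against a fixed base, canonicalise (collapses "..", follows symlinks)
    // and require the result to sit strictly below the canonical base.
    static File resolveUnderBase(File base, String userPath) throws IOException {
        if (new File(userPath).isAbsolute()) {
            throw new IOException("absolute path not allowed: " + userPath);
        }
        File canonicalBase = base.getCanonicalFile();
        File candidate = new File(canonicalBase, userPath).getCanonicalFile();
        String prefix = canonicalBase.getPath() + File.separator;
        if (!candidate.getPath().startsWith(prefix)) {
            throw new IOException("path escapes base directory: " + userPath);
        }
        return candidate;
    }

    public static void main(String[] args) throws Exception {
        // constructed input: a SHA-256 digest of a fixed message and a one-nibble corruption of it
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest("constructed message".getBytes(StandardCharsets.UTF_8));
        String good = bytesToHex(digest);
        String tampered = (good.charAt(0) == '0' ? "1" : "0") + good.substring(1);
        System.out.println("same digest:     " + constantTimeHashEquals(good, good));
        System.out.println("tampered digest: " + constantTimeHashEquals(good, tampered));
        System.out.println("not even hex:    " + constantTimeHashEquals(good, "not-hex"));

        // constructed input: a scratch base directory and two traversal attempts
        File base = Files.createTempDirectory("attachments").toFile();
        System.out.println("accepted: " + resolveUnderBase(base, "inbox/photo.jpg"));
        for (String hostile : new String[] {"../../etc/passwd", "inbox/../../other-user"}) {
            try {
                resolveUnderBase(base, hostile);
                System.out.println("unexpected: accepted " + hostile);
            } catch (IOException rejected) {
                System.out.println("rejected: " + rejected.getMessage());
            }
        }
    }
}
```

MessageDigest.isEqual() returns immediately when the two arrays differ in length; that only reveals the length of the provided value, which for a fixed-size digest is already public. The prefix check uses the canonical base plus File.separator so that a sibling directory with the same name prefix (attachments2 next to attachments) is not mistaken for a child.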

Dodgy code Warnings

Code Warning
CC Method com.nextcloud.talk.models.json.conversations.Conversation$$JsonObjectMapper.parseField(Conversation, String, JsonParser) is excessively complex, with a cyclomatic complexity of 57
CC Method com.nextcloud.talk.models.json.notifications.Notification$$JsonObjectMapper.parseField(Notification, String, JsonParser) is excessively complex, with a cyclomatic complexity of 59
CE Method com.nextcloud.talk.components.filebrowser.models.BrowserFile$$Parcelable.read(Parcel, IdentityCollection) excessively uses methods of another class
CE Method com.nextcloud.talk.components.filebrowser.models.BrowserFile$$Parcelable.write(BrowserFile, Parcel, int, IdentityCollection) excessively uses methods of another class
CE Method com.nextcloud.talk.models.json.generic.Status$$JsonObjectMapper.parseField(Status, String, JsonParser) excessively uses methods of another class
CE Method com.nextcloud.talk.models.json.generic.Status$$JsonObjectMapper.serialize(Status, JsonGenerator, boolean) excessively uses methods of another class
CE Method com.nextcloud.talk.models.json.generic.Status$$Parcelable.read(Parcel, IdentityCollection) excessively uses methods of another class
CE Method com.nextcloud.talk.models.json.generic.Status$$Parcelable.write(Status, Parcel, int, IdentityCollection) excessively uses methods of another class
CE Method com.nextcloud.talk.models.json.notifications.Notification$$Parcelable.read(Parcel, IdentityCollection) excessively uses methods of another class
CE Method com.nextcloud.talk.models.json.notifications.Notification$$Parcelable.write(Notification, Parcel, int, IdentityCollection) excessively uses methods of another class
CE Method com.nextcloud.talk.models.json.notifications.NotificationAction$$JsonObjectMapper.serialize(NotificationAction, JsonGenerator, boolean) excessively uses methods of another class
CE Method com.nextcloud.talk.models.json.signaling.NCMessagePayload$$Parcelable.read(Parcel, IdentityCollection) excessively uses methods of another class
CE Method com.nextcloud.talk.models.json.signaling.NCMessagePayload$$Parcelable.write(NCMessagePayload, Parcel, int, IdentityCollection) excessively uses methods of another class
CE Method com.nextcloud.talk.models.json.signaling.NCSignalingMessage$$Parcelable.read(Parcel, IdentityCollection) excessively uses methods of another class
CE Method com.nextcloud.talk.models.json.signaling.NCSignalingMessage$$Parcelable.write(NCSignalingMessage, Parcel, int, IdentityCollection) excessively uses methods of another class
CNC Collection variable propSet is named with a different type of collection in the name
CNC Collection variable com.nextcloud.talk.webrtc.MagicWebRTCUtils.HARDWARE_ACCELERATION_DEVICE_BLACKLIST is named with a different type of collection in the name
CNC Collection variable com.nextcloud.talk.webrtc.MagicWebRTCUtils.HARDWARE_ACCELERATION_VENDOR_BLACKLIST is named with a different type of collection in the name
CNC Collection variable com.nextcloud.talk.webrtc.MagicWebRTCUtils.HARDWARE_AEC_BLACKLIST is named with a different type of collection in the name
CNC Collection variable com.nextcloud.talk.webrtc.MagicWebRTCUtils.OPEN_SL_ES_WHITELIST is named with a different type of collection in the name
IMC Method com.nextcloud.talk.components.filebrowser.models.properties.NCEncrypted$Factory.create(XmlPullParser) prints the stack trace to the console
IMC Method com.nextcloud.talk.components.filebrowser.models.properties.NCEncrypted$Factory.create(XmlPullParser) prints the stack trace to the console
IMC Method com.nextcloud.talk.components.filebrowser.models.properties.NCPreview$Factory.create(XmlPullParser) prints the stack trace to the console
IMC Method com.nextcloud.talk.components.filebrowser.models.properties.NCPreview$Factory.create(XmlPullParser) prints the stack trace to the console
IMC Method com.nextcloud.talk.components.filebrowser.models.properties.OCFavorite$Factory.create(XmlPullParser) prints the stack trace to the console
IMC Method com.nextcloud.talk.components.filebrowser.models.properties.OCFavorite$Factory.create(XmlPullParser) prints the stack trace to the console
IMC Method com.nextcloud.talk.components.filebrowser.models.properties.OCId$Factory.create(XmlPullParser) prints the stack trace to the console
IMC Method com.nextcloud.talk.components.filebrowser.models.properties.OCId$Factory.create(XmlPullParser) prints the stack trace to the console
IMC Method com.nextcloud.talk.components.filebrowser.models.properties.OCSize$Factory.create(XmlPullParser) prints the stack trace to the console
IMC Method com.nextcloud.talk.components.filebrowser.models.properties.OCSize$Factory.create(XmlPullParser) prints the stack trace to the console
IMC Method com.nextcloud.talk.components.filebrowser.webdav.ReadFilesystemOperation.readRemotePath() prints the stack trace to the console
IMC Method com.nextcloud.talk.components.filebrowser.webdav.ReadFilesystemOperation.readRemotePath() prints the stack trace to the console
LII Method com.nextcloud.talk.newarch.local.db.TalkDatabase_Impl$1.dropAllTables(SupportSQLiteDatabase) uses integer based for loops to iterate over a List
LII Method com.nextcloud.talk.newarch.local.db.TalkDatabase_Impl$1.onCreate(SupportSQLiteDatabase) uses integer based for loops to iterate over a List
LII Method com.nextcloud.talk.newarch.local.db.TalkDatabase_Impl$1.onOpen(SupportSQLiteDatabase) uses integer based for loops to iterate over a List
LSC Method com.nextcloud.talk.callbacks.MentionAutocompleteCallback.onPopupItemClicked(Editable, Mention) makes literal string comparisons passing the literal as an argument
LSC Method com.nextcloud.talk.callbacks.MentionAutocompleteCallback.onPopupItemClicked(Editable, Mention) makes literal string comparisons passing the literal as an argument
LSC Method com.nextcloud.talk.callbacks.MentionAutocompleteCallback.onPopupItemClicked(Editable, Mention) makes literal string comparisons passing the literal as an argument
LSC Method com.nextcloud.talk.models.json.chat.ChatUtils.getParsedMessage(String, HashMap) makes literal string comparisons passing the literal as an argument
LSC Method com.nextcloud.talk.models.json.chat.ChatUtils.getParsedMessage(String, HashMap) makes literal string comparisons passing the literal as an argument
LSC Method com.nextcloud.talk.models.json.chat.ChatUtils.getParsedMessage(String, HashMap) makes literal string comparisons passing the literal as an argument
LSC Method com.nextcloud.talk.models.json.chat.ChatUtils.getParsedMessageForSending(String, HashMap) makes literal string comparisons passing the literal as an argument
LSC Method com.nextcloud.talk.models.json.chat.ChatUtils.getParsedMessageForSending(String, HashMap) makes literal string comparisons passing the literal as an argument
LSC Method com.nextcloud.talk.models.json.chat.ChatUtils.getParsedMessageForSending(String, HashMap) makes literal string comparisons passing the literal as an argument
LSC Method com.nextcloud.talk.utils.DeviceUtils.ignoreSpecialBatteryFeatures() makes literal string comparisons passing the literal as an argument
LSC Method com.nextcloud.talk.utils.DeviceUtils.ignoreSpecialBatteryFeatures() makes literal string comparisons passing the literal as an argument
LSC Method com.nextcloud.talk.utils.TextMatchers.getMessageTypeFromString(String) makes literal string comparisons passing the literal as an argument
LSC Method new com.nextcloud.talk.webrtc.MagicAudioManager(Context, boolean) makes literal string comparisons passing the literal as an argument
LSC Method com.nextcloud.talk.webrtc.MagicAudioManager.isSpeakerphoneAutoOn() makes literal string comparisons passing the literal as an argument
LSC Method com.nextcloud.talk.webrtc.MagicAudioManager.onProximitySensorChangedState() makes literal string comparisons passing the literal as an argument
LSC Method com.nextcloud.talk.webrtc.MagicAudioManager.toggleUseSpeakerphone() makes literal string comparisons passing the literal as an argument
LSC Method com.nextcloud.talk.webrtc.MagicBluetoothManager$BluetoothHeadsetBroadcastReceiver.onReceive(Context, Intent) makes literal string comparisons passing the literal as an argument
LSC Method com.nextcloud.talk.webrtc.MagicBluetoothManager$BluetoothHeadsetBroadcastReceiver.onReceive(Context, Intent) makes literal string comparisons passing the literal as an argument
OCP com.nextcloud.talk.models.json.chat.ChatUtils.getParsedMessage(String, HashMap): 2nd parameter 'messageParameters' could be declared as java.util.Map instead
OCP com.nextcloud.talk.models.json.chat.ChatUtils.getParsedMessageForSending(String, HashMap): 2nd parameter 'messageParameters' could be declared as java.util.Map instead
OCP com.nextcloud.talk.webrtc.MagicWebRTCUtils.movePayloadTypesToFront(List, String): 1st parameter 'preferredPayloadTypes' could be declared as java.util.Collection instead
REC Exception is caught when Exception is not thrown in new com.nextcloud.talk.utils.ssl.MagicTrustManager()
UP Static or private method com.nextcloud.talk.components.filebrowser.controllers.BrowserController$BrowserType$$Parcelable.write(BrowserController$BrowserType, Parcel, int, IdentityCollection) has unused parameters
UP Static or private method com.nextcloud.talk.components.filebrowser.models.BrowserFile$$Parcelable.write(BrowserFile, Parcel, int, IdentityCollection) has unused parameters
UP Static or private method com.nextcloud.talk.controllers.CallController$CallStatus$$Parcelable.write(CallController$CallStatus, Parcel, int, IdentityCollection) has unused parameters
UP Static or private method com.nextcloud.talk.models.ExternalSignalingServer$$Parcelable.write(ExternalSignalingServer, Parcel, int, IdentityCollection) has unused parameters
UP Static or private method com.nextcloud.talk.models.RetrofitBucket$$Parcelable.write(RetrofitBucket, Parcel, int, IdentityCollection) has unused parameters
UP Static or private method com.nextcloud.talk.models.json.autocomplete.AutocompleteUser$$Parcelable.write(AutocompleteUser, Parcel, int, IdentityCollection) has unused parameters
UP Static or private method com.nextcloud.talk.models.json.capabilities.NotificationsCapability$$Parcelable.write(NotificationsCapability, Parcel, int, IdentityCollection) has unused parameters
UP Static or private method com.nextcloud.talk.models.json.capabilities.SpreedCapability$$Parcelable.write(SpreedCapability, Parcel, int, IdentityCollection) has unused parameters
UP Static or private method com.nextcloud.talk.models.json.capabilities.ThemingCapability$$Parcelable.write(ThemingCapability, Parcel, int, IdentityCollection) has unused parameters
UP Static or private method com.nextcloud.talk.models.json.conversations.Conversation$ConversationType$$Parcelable.write(Conversation$ConversationType, Parcel, int, IdentityCollection) has unused parameters
UP Static or private method com.nextcloud.talk.models.json.generic.GenericMeta$$Parcelable.write(GenericMeta, Parcel, int, IdentityCollection) has unused parameters
UP Static or private method com.nextcloud.talk.models.json.generic.Status$$Parcelable.write(Status, Parcel, int, IdentityCollection) has unused parameters
UP Static or private method com.nextcloud.talk.models.json.mention.Mention$$Parcelable.write(Mention, Parcel, int, IdentityCollection) has unused parameters
UP Static or private method com.nextcloud.talk.models.json.notifications.NotificationAction$$Parcelable.write(NotificationAction, Parcel, int, IdentityCollection) has unused parameters
UP Static or private method com.nextcloud.talk.models.json.notifications.NotificationRichObject$$Parcelable.write(NotificationRichObject, Parcel, int, IdentityCollection) has unused parameters
UP Static or private method com.nextcloud.talk.models.json.participants.Participant$$Parcelable.write(Participant, Parcel, int, IdentityCollection) has unused parameters
UP Static or private method com.nextcloud.talk.models.json.push.NotificationUser$$Parcelable.write(NotificationUser, Parcel, int, IdentityCollection) has unused parameters
UP Static or private method com.nextcloud.talk.models.json.push.PushRegistration$$Parcelable.write(PushRegistration, Parcel, int, IdentityCollection) has unused parameters
UP Static or private method com.nextcloud.talk.models.json.sharees.Value$$Parcelable.write(Value, Parcel, int, IdentityCollection) has unused parameters
UP Static or private method com.nextcloud.talk.models.json.signaling.NCIceCandidate$$Parcelable.write(NCIceCandidate, Parcel, int, IdentityCollection) has unused parameters
UP Static or private method com.nextcloud.talk.models.json.userprofile.UserProfileData$$Parcelable.write(UserProfileData, Parcel, int, IdentityCollection) has unused parameters
UP Static or private method com.nextcloud.talk.models.json.websocket.ActorWebSocketMessage$$Parcelable.write(ActorWebSocketMessage, Parcel, int, IdentityCollection) has unused parameters
UP Static or private method com.nextcloud.talk.models.json.websocket.AuthParametersWebSocketMessage$$Parcelable.write(AuthParametersWebSocketMessage, Parcel, int, IdentityCollection) has unused parameters
UP Static or private method com.nextcloud.talk.models.json.websocket.BaseWebSocketMessage$$Parcelable.write(BaseWebSocketMessage, Parcel, int, IdentityCollection) has unused parameters
UP Static or private method com.nextcloud.talk.models.json.websocket.ByeWebSocketMessage$$Parcelable.write(ByeWebSocketMessage, Parcel, int, IdentityCollection) has unused parameters
UP Static or private method com.nextcloud.talk.models.json.websocket.ErrorWebSocketMessage$$Parcelable.write(ErrorWebSocketMessage, Parcel, int, IdentityCollection) has unused parameters
UP Static or private method com.nextcloud.talk.models.json.websocket.EventOverallWebSocketMessage$$Parcelable.write(EventOverallWebSocketMessage, Parcel, int, IdentityCollection) has unused parameters
UP Static or private method com.nextcloud.talk.models.json.websocket.RoomPropertiesWebSocketMessage$$Parcelable.write(RoomPropertiesWebSocketMessage, Parcel, int, IdentityCollection) has unused parameters
UP Static or private method com.nextcloud.talk.models.json.websocket.ServerHelloResponseFeaturesWebSocketMessage$$Parcelable.write(ServerHelloResponseFeaturesWebSocketMessage, Parcel, int, IdentityCollection) has unused parameters
UP Static or private method com.nextcloud.talk.models.json.websocket.SignalingDataWebSocketMessageForOffer$$Parcelable.write(SignalingDataWebSocketMessageForOffer, Parcel, int, IdentityCollection) has unused parameters
USBR Method com.nextcloud.talk.newarch.local.db.TalkDatabase_Impl.createOpenHelper(DatabaseConfiguration) stores return result in local before immediately returning it
UrF Unread public/protected field: com.nextcloud.talk.components.filebrowser.models.DavResponse.data
UrF Unread public/protected field: com.nextcloud.talk.events.EventStatus.allGood
UrF Unread public/protected field: com.nextcloud.talk.events.EventStatus.eventType
UrF Unread public/protected field: com.nextcloud.talk.events.EventStatus.userId
UrF Unread public/protected field: com.nextcloud.talk.models.ImportAccount.baseUrl
UrF Unread public/protected field: com.nextcloud.talk.models.ImportAccount.token
UrF Unread public/protected field: com.nextcloud.talk.models.ImportAccount.username
UrF Unread public/protected field: com.nextcloud.talk.utils.text.Spans$MentionChipSpan.id
UrF Unread public/protected field: com.nextcloud.talk.utils.text.Spans$MentionChipSpan.label
UrF Unread public/protected field: com.nextcloud.talk.utils.text.Spans$MentionChipSpan.type

Details

BED_BOGUS_EXCEPTION_DECLARATION: Non derivable method declares throwing an exception that isn't thrown

This method declares that it throws a checked exception that it does not throw. As this method is either a constructor, static method or private method, there is no reason for this method to declare the exception in its throws clause, and just causes calling methods to unnecessarily handle an exception that will never be thrown. The exception in question should be removed from the throws clause.

CC_CYCLOMATIC_COMPLEXITY: Method is excessively complex

This method has a high cyclomatic complexity figure, which represents the number of branch points. It is likely difficult to test, and is brittle to change. Consider refactoring this method into several to reduce the risk.

CE_CLASS_ENVY: Method excessively uses methods of another class

This method makes extensive use of methods from another class over methods of its own class. Typically this means that the functionality that is accomplished by this method most likely belongs with the class that is being used so liberally. Consider refactoring this method to be contained in that class, and to accept all the parameters needed in the method signature.

CNC_COLLECTION_NAMING_CONFUSION: Collection variable is named with a different type of collection in the name

This class defines a field or local collection variable with a name that contains a different type of collection in its name. An example would be a Set called userList. This is confusing to the reader, and likely caused by a previous refactor of type, without changing the name. This detector is obviously only checking for English names.

FCBL_FIELD_COULD_BE_LOCAL: Class defines fields that are used only as locals

This class defines fields that are used in a local only fashion, specifically private fields or protected fields in final classes that are accessed first in each method with a store vs. a load. This field could be replaced by one or more local variables.

FCCD_FIND_CLASS_CIRCULAR_DEPENDENCY: Class has a circular dependency with other classes

This class has a circular dependency with other classes. This makes building these classes difficult, as each is dependent on the other to build correctly. Consider using interfaces to break the hard dependency. The dependency chain can be seen in the GUI version of FindBugs.

HE_EQUALS_NO_HASHCODE: Class defines equals() but not hashCode()

This class overrides equals(Object), but does not override hashCode().  Therefore, the class may violate the invariant that equal objects must have equal hashcodes.

IMC_IMMATURE_CLASS_PRINTSTACKTRACE: Method prints the stack trace to the console

This method prints a stack trace to the console. This is non configurable, and causes an application to look unprofessional. Switch to using loggers so that users can control what is logged and where.

IOI_USE_OF_FILE_STREAM_CONSTRUCTORS: Method uses a FileInputStream or FileOutputStream constructor

This method creates and uses a java.io.FileInputStream or java.io.FileOutputStream object. Unfortunately both of these classes implement a finalize method, which means that objects created will likely hang around until a full garbage collection occurs, which will leave excessive garbage on the heap for longer, and potentially much longer than expected. Java 7 introduced two ways to create streams for reading and writing files that do not have this concern. You should consider switching from these above classes to

InputStream is = java.nio.file.Files.newInputStream(myfile.toPath());
OutputStream os = java.nio.file.Files.newOutputStream(myfile.toPath());

ISB_INEFFICIENT_STRING_BUFFERING: Method passes simple concatenating string in StringBuffer or StringBuilder append

This method uses StringBuffer or StringBuilder's append method to concatenate strings. However, it passes the result of doing a simple String concatenation to one of these append calls, thus removing any performance gains of using the StringBuffer or StringBuilder class.

Java will implicitly use StringBuilders, which can make this hard to detect or fix. For example,


StringBuilder sb = new StringBuilder();
for (Map.Entry e : map.entrySet()) {
    sb.append(e.getKey() + e.getValue());		//bug detected here
}

gets automatically turned into something like:

StringBuilder sb = new StringBuilder();
for (Map.Entry e : map.entrySet()) {
    StringBuilder tempBuilder = new StringBuilder();
    tempBuilder.append(e.getKey());
    tempBuilder.append(e.getValue());
    sb.append(tempBuilder.toString());		//this isn't too efficient
}

which involves a temporary StringBuilder, which is completely unnecessary. To prevent this from happening, simply do:

StringBuilder sb = new StringBuilder();
for (Map.Entry e : map.entrySet()) {
    sb.append(e.getKey());
    sb.append(e.getValue());
}

LII_LIST_INDEXED_ITERATING: Method uses integer based for loops to iterate over a List

This method uses an integer-based for loop to iterate over a java.util.List, by calling List.get(i) each time through the loop. The integer is not used for other reasons. It is better to use an Iterator instead, as depending on List implementation, iterators can perform better, and they also allow for exchanging of other collection types without issue.

LSC_LITERAL_STRING_COMPARISON: Method makes literal string comparisons passing the literal as an argument

This line is in the form of

String str = ...
str.equals("someOtherString");
//or
str.compareTo("someOtherString");

A NullPointerException may occur if the String variable str is null. If instead the code was restructured to

String str = ...
"someOtherString".equals(str);
//or
"someOtherString".compareTo(str);

that is, call equals() or compareTo() on the string literal, passing the variable as an argument, then this exception could never happen as both equals() and compareTo() check for null.

LUI_USE_SINGLETON_LIST: Method builds a list from one element using Arrays.asList

This method builds a list using Arrays.asList(foo), passing in a single element. Arrays.asList needs to first create an array from this one element, and then build a List that wraps this array. It is simpler to use Collections.singletonList(foo), which does not create the array, and produces a far simpler instance of List. Since both of these lists are immutable (from the List's point of view) they are equivalent from a usage standpoint.

There is one difference between Arrays.asList and Collections.singletonList that you should be mindful of. The rarely used set(index, value) method is allowed to be used with a List created by Arrays.asList, but not with Collections.singletonList. So if you do use the set(index, value) method, continue using Arrays.asList.

MF_CLASS_MASKS_FIELD: Class defines field that masks a superclass field

This class defines a field with the same name as a visible instance field in a superclass. This is confusing, and may indicate an error if methods update or access one of the fields when they wanted the other.

NAB_NEEDLESS_BOOLEAN_CONSTANT_CONVERSION: Method needlessly boxes a boolean constant

This method assigns a Boxed boolean constant to a primitive boolean variable, or assigns a primitive boolean constant to a Boxed boolean variable. Use the correct constant for the variable desired. Use


boolean b = true;
boolean b = false;
or

Boolean b = Boolean.TRUE;
Boolean b = Boolean.FALSE;

Be aware that this boxing happens automatically when you might not expect it. For example,


Map statusMap = ...

public Boolean someMethod() {
    statusMap.put("foo", true);  //the "true" here is boxed
    return false;  //the "false" here is boxed
}
has two cases of this needless autoboxing. This can be made more efficient by simply substituting in the constant values:

Map statusMap = ...

public Boolean someMethod() {
    statusMap.put("foo", Boolean.TRUE);
    return Boolean.FALSE;
}

NP_NULL_ON_SOME_PATH_EXCEPTION: Possible null pointer dereference in method on exception path

A reference value which is null on some exception control path is dereferenced here.  This may lead to a NullPointerException when the code is executed.  Note that because SpotBugs currently does not prune infeasible exception paths, this may be a false warning.

Also note that SpotBugs considers the default case of a switch statement to be an exception path, since the default case is often infeasible.

OBL_UNSATISFIED_OBLIGATION: Method may fail to clean up stream or resource

This method may fail to clean up (close, dispose of) a stream, database object, or other resource requiring an explicit cleanup operation.

In general, if a method opens a stream or other resource, the method should use a try/finally block to ensure that the stream or resource is cleaned up before the method returns.

This bug pattern is essentially the same as the OS_OPEN_STREAM and ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and hopefully better) static analysis technique. We are interested in getting feedback about the usefulness of this bug pattern. For sending feedback, check:

In particular, the false-positive suppression heuristics for this bug pattern have not been extensively tuned, so reports about false positives are helpful to us.

See Weimer and Necula, Finding and Preventing Run-Time Error Handling Mistakes, for a description of the analysis technique.

OCP_OVERLY_CONCRETE_PARAMETER: Method needlessly defines parameter with concrete classes

This method uses concrete classes for parameters when only methods defined in an implemented interface or superclass are used. Consider increasing the abstraction of the interface to make low impact changes easier to accomplish in the future.

Take the following example:


private void appendToList(ArrayList<String> list) {
    if (list.size() < 100) {
        list.add("Foo");
    }
}
The parameter list is currently defined as an ArrayList, which is a concrete implementation of the List interface. Specifying ArrayList is unnecessary here, because we aren't using any ArrayList-specific methods (like ensureCapacity() or trimToSize()). Instead of using the concrete definition, it is better to do something like:

private void appendToList(List<String> list) {
    ...
If the design ever changes, e.g. a LinkedList is used instead, this code won't have to change.

IDEs tend to have tools to help generalize parameters. For example, in Eclipse, the refactoring tool Generalize Declared Type helps find an appropriate level of concreteness.

OS_OPEN_STREAM: Method may fail to close stream

The method creates an IO stream object, does not assign it to any fields, pass it to other methods that might close it, or return it, and does not appear to close the stream on all paths out of the method.  This may result in a file descriptor leak.  It is generally a good idea to use a finally block to ensure that streams are closed.

PCOA_PARTIALLY_CONSTRUCTED_OBJECT_ACCESS: Constructor makes call to non-final method

This constructor makes a call to a non-final method. Since this method can be overridden, a subclass' implementation will be executing against an object that has not been initialized at the subclass level. You should mark all methods called from the constructor as final to avoid this problem.

PSC_PRESIZE_COLLECTIONS: Method does not presize the allocation of a collection

This method allocates a collection using the default constructor even though it is known a priori (or at least can be reasonably guessed) how many items are going to be placed in the collection, and thus needlessly causes intermediate reallocations of the collection.

You can use the constructor that takes an initial size and that will be much better, but due to the loadFactor of Maps and Sets, even this will not be a correct estimate.

If you are using Guava, use its methods that allocate maps and sets with a predetermined size, to get the best chance for no reallocations, such as:

If not, a good estimate would be the expectedSize / {LOADING_FACTOR} which by default is 0.75

REC_CATCH_EXCEPTION: Exception is caught when Exception is not thrown

This method uses a try-catch block that catches Exception objects, but Exception is not thrown within the try block, and RuntimeException is not explicitly caught. It is a common bug pattern to say try { ... } catch (Exception e) { something } as a shorthand for catching a number of types of exception each of whose catch blocks is identical, but this construct also accidentally catches RuntimeException as well, masking potential bugs.

A better approach is to either explicitly catch the specific exceptions that are thrown, or to explicitly catch RuntimeException exception, rethrow it, and then catch all non-Runtime Exceptions, as shown below:

try {
    ...
} catch (RuntimeException e) {
    throw e;
} catch (Exception e) {
    ... deal with all non-runtime exceptions ...
}

HARD_CODE_KEY: Hard coded key

Cryptographic keys should not be kept in the source code. The source code can be widely shared in an enterprise environment, and is certainly shared in open source. To be managed safely, passwords and secret keys should be stored in separate configuration files or keystores. (Hard coded passwords are reported separately by the Hard coded password pattern)

Vulnerable Code:

byte[] key = {1, 2, 3, 4, 5, 6, 7, 8}; // key material embedded in source
SecretKeySpec spec = new SecretKeySpec(key, "AES");
Cipher aes = Cipher.getInstance("AES");
aes.init(Cipher.ENCRYPT_MODE, spec);
return aes.doFinal(secretData);


References
CWE-321: Use of Hard-coded Cryptographic Key

PATH_TRAVERSAL_IN: Potential Path Traversal (file read)

A file is opened to read its content. The filename comes from an input parameter. If an unfiltered parameter is passed to this file API, files from an arbitrary filesystem location could be read.

This rule identifies potential path traversal vulnerabilities. In many cases, the constructed file path cannot be controlled by the user. If that is the case, the reported instance is a false positive.


Vulnerable Code:

@GET
@Path("/images/{image}")
@Produces("images/*")
public Response getImage(@javax.ws.rs.PathParam("image") String image) {
    File file = new File("resources/images/", image); //Weak point

    if (!file.exists()) {
        return Response.status(Status.NOT_FOUND).build();
    }

    return Response.ok().entity(new FileInputStream(file)).build();
}


Solution:

import org.apache.commons.io.FilenameUtils;

@GET
@Path("/images/{image}")
@Produces("images/*")
public Response getImage(@javax.ws.rs.PathParam("image") String image) {
    File file = new File("resources/images/", FilenameUtils.getName(image)); //Fix

    if (!file.exists()) {
        return Response.status(Status.NOT_FOUND).build();
    }

    return Response.ok().entity(new FileInputStream(file)).build();
}


References
WASC: Path Traversal
OWASP: Path Traversal
CAPEC-126: Path Traversal
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

UNSAFE_HASH_EQUALS: Unsafe hash equals

An attacker might be able to detect the value of the secret hash due to the exposure of comparison timing. When the functions Arrays.equals() or String.equals() are called, they will exit earlier if fewer bytes are matched.

Vulnerable Code:

String actualHash = ...

if(userInput.equals(actualHash)) {
    ...
}

Solution:

String actualHash = ...

if(MessageDigest.isEqual(userInput.getBytes(),actualHash.getBytes())) {
    ...
}


References
CWE-203: Information Exposure Through Discrepancy

SPP_TOSTRING_ON_STRING: Method calls toString() on a String

This method calls toString on a String. Just use the object itself if you want a String.

SUA_SUSPICIOUS_UNINITIALIZED_ARRAY: Method returns an array that appears not to be initialized

This method returns an array that was allocated but apparently not initialized. It is possible that the caller of this method will do the work of initializing this array, but that is not a common pattern, and it is assumed that this array has just been forgotten to be initialized.

SE_TRANSIENT_FIELD_NOT_RESTORED: Transient field that isn't set by deserialization.

This class contains a field that is updated at multiple places in the class, thus it seems to be part of the state of the class. However, since the field is marked as transient and not set in readObject or readResolve, it will contain the default value in any deserialized instance of the class.

SE_NO_SERIALVERSIONID: Class is Serializable, but doesn't define serialVersionUID

This class implements the Serializable interface, but does not define a serialVersionUID field.  A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.

UCPM_USE_CHARACTER_PARAMETERIZED_METHOD: Method passes constant String of length 1 to character overridden method

This method passes a constant literal String of length 1 as a parameter to a method, when a similar method is exposed that takes a char. It is simpler and more expedient to handle one character, rather than a String.

Instead of making calls like:


String myString = ...
if (myString.indexOf("e") != -1) {
    int i = myString.lastIndexOf("e");
    System.out.println(myString + ":" + i);  //the Java compiler will use a StringBuilder internally here [builder.append(":")]
    ...
    return myString.replace("m","z");
}
Replace the single letter Strings with their char equivalents like so:

String myString = ...
if (myString.indexOf('e') != -1) {
    int i = myString.lastIndexOf('e');
    System.out.println(myString + ':' + i);  //the Java compiler will use a StringBuilder internally here [builder.append(':')]
    ...
    return myString.replace('m','z');
}

UEC_USE_ENUM_COLLECTIONS: Class uses an ordinary set or map with an enum class as the key

This class uses an ordinary set or map collection and uses an enum class as the key type. It is more performant to use the JDK 1.5 EnumSet or EnumMap classes.

UP_UNUSED_PARAMETER: Static or private method has unused parameters

This method defines parameters that are never used. As this method is either static or private, and can't be derived from, it is safe to remove these parameters and simplify your method. You should consider, while unlikely, that this method may be used reflectively, and thus you will want to change that call as well. In this case, it is likely that once you remove the parameter, there will be a chain of method calls that have spent time creating this parameter and passing it down the line. All of this may be able to be removed.

USBR_UNNECESSARY_STORE_BEFORE_RETURN: Method stores return result in local before immediately returning it

This method stores the return result in a local variable, and then immediately returns the local variable. It would be simpler just to return the value that is assigned to the local variable, directly.

Instead of the following:


public float average(int[] arr) {
    float sum = 0;
    for (int i = 0; i < arr.length; i++) {
        sum += arr[i];
    }
    float ave = sum / arr.length;
    return ave;
}
Simply change the method to return the result of the division:

public float average(int[] arr) {
    float sum = 0;
    for (int i = 0; i < arr.length; i++) {
        sum += arr[i];
    }
    return sum / arr.length; //Change
}

URF_UNREAD_PUBLIC_OR_PROTECTED_FIELD: Unread public/protected field

This field is never read.  The field is public or protected, so perhaps it is intended to be used with classes not seen as part of the analysis. If not, consider removing it from the class.

UUF_UNUSED_FIELD: Unused field

This field is never used.  Consider removing it from the class.

WMI_WRONG_MAP_ITERATOR: Inefficient use of keySet iterator instead of entrySet iterator

This method accesses the value of a Map entry, using a key that was retrieved from a keySet iterator. It is more efficient to use an iterator on the entrySet of the map, to avoid the Map.get(key) lookup.