CodeQL documentation
CodeQL query help for Java and Kotlin
Access Java object methods through JavaScript exposure
Access to unsupported JDK-internal API
Android APK installation
Android Intent redirection
Android WebSettings file access
Android WebView JavaScript settings
Android WebView settings allows access to content links
Android Webview debugging enabled
Android WebView that accepts all certificates
Android debuggable attribute enabled
Android fragment injection
Android fragment injection in PreferenceActivity
Android missing certificate pinning
Android sensitive keyboard cache
AnnotationPresent check
Application backup allowed
Arbitrary file access during archive extraction ("Zip Slip")
Array index out of bounds
Bad implementation of an event Adapter
Bad suite method
Boxed variable is never null
Building a command line with string concatenation
Building a command with an injected environment variable
Call to Iterator.remove may fail
Cast from abstract to concrete collection
Chain of ‘instanceof’ tests
Character passed to StringBuffer or StringBuilder constructor
Class has same name as super class
Cleartext storage of sensitive information in cookie
Cleartext storage of sensitive information in the Android filesystem
Cleartext storage of sensitive information using ‘Properties’ class
Cleartext storage of sensitive information using SharedPreferences on Android
Cleartext storage of sensitive information using a local database on Android
Comparison of identical values
Comparison of narrow type with wide type in loop condition
Confusing method names because of capitalization
Confusing non-overriding of package-private method
Confusing overloading of methods
Constant interface anti-pattern
Constant loop condition
Container contents are never accessed
Container contents are never initialized
Container size compared to zero
Continue statement that does not continue
Contradictory type checks
Creates empty ZIP file entry
Cross-site scripting
Dangerous non-short-circuit logic
Dangerous runFinalizersOnExit
Depending upon JCenter/Bintray as an artifact repository
Deprecated method or constructor invocation
Dereferenced expression may be null
Dereferenced variable is always null
Dereferenced variable may be null
Deserialization of user-controlled data
Detect JHipster Generator Vulnerability CVE-2019-16303
Direct call to a run() method
Disabled Netty HTTP header validation
Disabled Spring CSRF protection
Double-checked locking is not thread-safe
Equals method does not inspect argument type
Equals on incomparable types
Equals or hashCode on arrays
Executing a command with a relative path
Exposed Spring Boot actuators
Exposing internal representation
Exposure of sensitive information to UI text views
Exposure of sensitive information to notifications
Expression always evaluates to the same value
Expression language injection (JEXL)
Expression language injection (MVEL)
Expression language injection (Spring)
Externalizable but no public no-argument constructor
Failure to use HTTPS or SFTP URL in Maven artifact upload/download
Failure to use secure cookies
Field masks field in super class
Finalizer inconsistency
Futile synchronization on field
Groovy Language injection
HTTP request type unprotected from CSRF
HTTP response splitting
Hard-coded credential in API call
Hashed value without hashCode definition
Ignored error status of call
Implicit conversion from array to string
Implicit narrowing conversion in compound assignment
Implicitly exported Android component
Improper validation of user-provided array index
Improper validation of user-provided size used for array construction
Improper verification of intent by broadcast receiver
Inconsistent compareTo
Inconsistent equals and hashCode
Inconsistent synchronization for writeObject()
Inconsistent synchronization of getter and setter
Incorrect absolute value of random number
Incorrect serialVersionUID field
Inefficient String constructor
Inefficient empty string test
Inefficient output stream
Inefficient primitive constructor
Inefficient regular expression
Inefficient use of key set iterator
Information exposure through a stack trace
Information exposure through an error message
Inner class could be static
Insecure Bean Validation
Insecure JavaMail SSL Configuration
Insecure LDAP authentication
Insecure basic authentication
Insecure local authentication
Insecure randomness
Insecurely generated keys for local authentication
Insertion of sensitive information into log files
Intent URI permission manipulation
Interface cannot be implemented
Iterable wrapping an iterator
Iterator implementing Iterable
JNDI lookup with user-controlled name
Javadoc has impossible ‘throws’ tag
LDAP query built from user-controlled sources
Leaking sensitive information through a ResultReceiver
Leaking sensitive information through an implicit Intent
Left shift by more than the type width
Local information disclosure in a temporary directory
Log Injection
Loop with unreachable exit condition
Misleading indentation
Missing JWT signature check
Missing Override annotation
Missing catch of NumberFormatException
Missing enum case in switch
Missing format argument
Missing read or write permission in a content provider
Missing space in string literal
Missing super clone
Multiplication of remainder
Next in hasNext implementation
No clone method
Non-final method invocation in constructor
Non-synchronized override of synchronized method
OGNL Expression Language statement with user-controlled input
Overloaded compareTo
Overloaded equals
Overly permissive regular expression range
Partial path traversal vulnerability
Partial path traversal vulnerability from remote