Java Warning Classes

• Introduction
• Enabled By Default
• Disabled By Default
• Supported for All Languages

Introduction

The Java warning classes are detected in code analyzed with cs-java-scan.

The classes are supported for Java code, and also for Kotlin code targeting the JVM.

• Warnings of these classes are not issued if you only analyze Kotlin code with codesonar kotlin_scan.py and do not invoke cs-java-scan on the Kotlin sources.
• Some classes have additional enhancements for improved rendering on Kotlin sources. These classes are identified in the tables below.

Important Note: CodeSonar projects are built from Java bytecode (.class or archive files). However, CodeSonar will only analyze those parts of the project for which corresponding source code (.java or .kt files) is also available, because warning reports are not useful or comprehensible without source information.

Java Versions

Warning Class Overview

The Java warning classes can be divided into four groups.

• Warning classes that are enabled by default.
• Warning classes that are disabled by default, may involve complex triggering contexts, and are based on checks that are generally cost-intensive and produce many warnings.
  We refer to this group as (disabled) deep Java warning classes.
  • You can enable all these classes with the java_deep preset.
  • The deep and pedantic sets are disjoint: no warning class is characterized as both deep and pedantic.
• Warning classes that are disabled by default, describe issues that some users may consider safe to ignore, and are based on checks that are generally lightweight and may produce many warnings.
  We refer to this group as disabled pedantic Java warning classes.
  • You can enable all these classes with the java_pendantic preset.
  • The deep and pedantic sets are disjoint: no warning class is characterized as both deep and pedantic.
• Warning classes whose significance is 'security'. This is considered a fourth group in order to ensure that every Java warning class is in at least one group. In particular, there are Java warning classes that are disabled by default but considered neither deep nor pendantic, but all such classes are in the security group.
  We refer to this group as Java security warning classes.
  • You can enable all these classes with the java_security preset.
  • A Java warning class that is disabled by default will always belong to at least one of {security, deep, pedantic}. However, it cannot belong to all three since the deep and pedantic sets are disjoint.
  • There are also security warning classes that are enabled by default.

The table of Java warning classes that are disabled by default, below, specifies the security/deep/pedantic designation for each warning class.

Configuration Presets

There are several configuration presets that are specific to the Java analysis, as well as a number of presets that apply across all analyzed source languages.

Enabled By Default

CodeSonar will perform checks for warnings in these classes by default. If there are classes on this list for which you do not wish to see warnings, use WARNING_FILTER discard rules to instruct CodeSonar accordingly.

Disabled By Default

Reporting for these classes is disabled by default. See individual warning class documentation pages for enabling instructions: the requirements vary depending on the class.

Supported for All Languages

The following warning classes are supported for all languages, including Java.