Frameworks & libraries scanned
We test fixture coverage on these frameworks. New patterns are added with each builtin rule release.
Top CWE classes detected
These CWE classes appear most often in modern codebases of this language. StaticCodeAudit ships dedicated rules for each, mapped to OWASP Top 10 / ISO 27001 / ASVS where relevant.
CWE-89
SQL Injection
String concatenation in JDBC Statement, JPA createQuery with concat, MyBatis ${...} instead of #{...}, Hibernate HQL with string format.
Detected by SCA rule: sql_injection_concat_java
CWE-611
XML External Entity (XXE)
DocumentBuilderFactory, SAXParserFactory, XMLReader without FEATURE_SECURE_PROCESSING or DTD disabled. Allows file disclosure and SSRF.
Detected by SCA rule: xxe_injection
CWE-502
Insecure Deserialization
Java native ObjectInputStream.readObject on untrusted bytes (the « Java serialization gadget » class of bugs that led to log4shell). Apache Commons Collections payloads still work in 2026.
Detected by SCA rule: unsafe_deserialization
CWE-78
OS Command Injection
Runtime.getRuntime().exec(userString) with shell string, ProcessBuilder with concat. Both interpret the shell metacharacters.
Detected by SCA rule: command_injection_java
CWE-798
Hardcoded Credentials
Credentials in application.properties committed, AWS keys in application.yml, JWT signing secret as constant String.
Detected by SCA rule: hardcoded_secret
CWE-22
Path Traversal
new File(userPath), Files.readAllBytes(Paths.get(userPath)) without root anchor check — typical with multi-tenant file storage endpoints.
Detected by SCA rule: path_traversal_python
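Of the six CWE classes above, CWE-22 and CWE-502 get no vulnerable/clean pair further down the page. The following is an added example, not StaticCodeAudit's code and not taken from the page: it shows the "root anchor" check the path traversal entry refers to, and an ObjectInputFilter allow-list in front of ObjectInputStream.readObject so that serialized gadget classes are rejected before they are resolved. The storage root /var/app/storage, the com.example.dto package and the size limits are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.HashMap;

// Added example, not StaticCodeAudit's own code. Storage root and DTO package are assumptions.
public final class SafeIo {

    // Hypothetical tenant storage root, normalized once so comparisons are component-wise.
    private static final Path ROOT = Paths.get("/var/app/storage").toAbsolutePath().normalize();

    // CWE-22: the "root anchor" check. resolve() followed by normalize() collapses "../" segments
    // (and discards ROOT entirely if userPath is absolute), and Path.startsWith compares whole
    // path components, so "/var/app/storage2/x" is not accepted as being under ROOT.
    // Symlinks inside ROOT are not covered here; call toRealPath() on an existing file for that.
    public static Path resolveUnderRoot(String userPath) {
        Path candidate = ROOT.resolve(userPath).normalize();
        if (!candidate.startsWith(ROOT)) {
            throw new IllegalArgumentException("path escapes storage root: " + userPath);
        }
        return candidate;
    }

    // CWE-502: allow-list filter for ObjectInputStream. Only the application's own DTOs and
    // java.lang types may be resolved; the trailing "!*" rejects every other class (gadget
    // classes included) before resolveClass runs. maxdepth/maxbytes bound resource-exhaustion input.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxbytes=65536;com.example.dto.*;java.lang.*;!*");

    public static Object readTrusted(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs for the path check: one in-root path, three that escape it.
        System.out.println(resolveUnderRoot("tenant-1/report.pdf"));
        for (String bad : new String[] {"../../etc/passwd", "/etc/passwd", "tenant-1/../../x"}) {
            try {
                resolveUnderRoot(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + bad);
            }
        }
        // Constructed inputs for the filter: Integer is on the allow-list, HashMap is not.
        System.out.println(readTrusted(serialize(42)));
        try {
            readTrusted(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

The filter is set per stream here; the same pattern string can also be installed process-wide with ObjectInputFilter.Config.setSerialFilter or the jdk.serialFilter system property, which is the usual way to cover third-party code that opens its own ObjectInputStream.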
Vulnerable vs. clean — three quick examples
CWE-89
Detected by SCA rule: sql_injection_concat_java
// Vulnerable — Statement concat
String sql = "SELECT * FROM users WHERE name = '" + name + "'";
ResultSet rs = stmt.executeQuery(sql);
// Clean — PreparedStatement with bind
PreparedStatement ps = conn.prepareStatement(
"SELECT * FROM users WHERE name = ?");
ps.setString(1, name);
ResultSet rs = ps.executeQuery();
CWE-611
Detected by SCA rule: xxe_injection
// Vulnerable — default DocumentBuilderFactory
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
Document doc = dbf.newDocumentBuilder().parse(input);
// Clean — disable DTD + secure processing
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
Document doc = dbf.newDocumentBuilder().parse(input);
CWE-78
Detected by SCA rule: command_injection_java
// Vulnerable — shell string
Runtime.getRuntime().exec("ping -c 1 " + userInput);
// Clean — argument array, no shell interpretation
ProcessBuilder pb = new ProcessBuilder("ping", "-c", "1", userInput);
pb.start();
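The argument-array form above keeps the shell out of the picture, but the user value is still handed to ping as a positional argument, so a value beginning with "-" would be read as an option. As an added example (not code from the page or from StaticCodeAudit), the following pairs ProcessBuilder with a shape check that admits only hostnames and dotted IPv4 addresses; the pattern and the command are assumptions for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.regex.Pattern;

// Added example, not from the page: argument-array exec plus input shape validation.
public final class SafePing {

    // Hostname or dotted IPv4 only. The first character may not be '-', so the value can never be
    // parsed by ping as an option, and shell metacharacters cannot appear at all.
    private static final Pattern HOST =
            Pattern.compile("[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?");

    // Returns the argv that will be executed. No shell is involved, so ';', '|' and '$(...)' are
    // never interpreted; the validation closes the remaining gap of option injection.
    public static List<String> pingCommand(String userInput) {
        if (userInput == null || !HOST.matcher(userInput).matches()) {
            throw new IllegalArgumentException("not a hostname or IPv4 address");
        }
        return List.of("ping", "-c", "1", userInput);
    }

    public static int ping(String userInput) throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(pingCommand(userInput));
        pb.redirectErrorStream(true);
        Process p = pb.start();
        try (InputStream out = p.getInputStream()) {
            System.out.print(new String(out.readAllBytes(), StandardCharsets.UTF_8));
        }
        return p.waitFor();
    }

    public static void main(String[] args) {
        // Constructed inputs: one acceptable value, then values that must be refused.
        System.out.println(pingCommand("example.com"));
        for (String bad : new String[] {"-f", "8.8.8.8 -c 100", "8.8.8.8; id", "$(id)"}) {
            try {
                pingCommand(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + bad);
            }
        }
    }
}
```

Keeping pingCommand separate from ping makes the check unit-testable without spawning a process, which is also where a static rule like command_injection_java can be verified against fixtures.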
What StaticCodeAudit detects (this language)
- SQL injection in JDBC Statement, JPA, MyBatis, Hibernate HQL with concat
- XXE in DocumentBuilderFactory, SAXParserFactory, XMLReader
- Java native deserialization on untrusted streams
- Command injection via Runtime.exec, ProcessBuilder with shell string
- Hardcoded secrets in application.properties, application.yml
- Path traversal in new File, Files.readAllBytes without root anchor
- LDAP injection in DirContext.search
- Insecure cookies (setSecure, setHttpOnly missing in Servlet API)
- CSRF: Spring Security .csrf().disable() in production config
- Insecure crypto (MD5/SHA1 for security, DES, RC4, hardcoded IV)
- JWT none algorithm, hardcoded HS256 secret
- Log4j tagged sinks (CVE-2021-44228 pattern detection)
- Deprecated APIs (SSLv3, javax.xml.ws Endpoint, sun.misc.Unsafe)
- CI/CD misconfigurations (Maven/Gradle wrappers, GitHub Actions tokens)
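For the insecure-cookie item in the list, the following added example (not StaticCodeAudit's code) puts the flagged form, a Servlet Cookie with Secure and HttpOnly left at their default of false, beside the hardened form. It assumes Jakarta Servlet 6.0 or later for Cookie.setAttribute; the cookie name and lifetime are assumptions.

```java
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletResponse;

// Added example, not StaticCodeAudit's code. Assumes Jakarta Servlet 6.0+ for Cookie.setAttribute.
public final class SessionCookies {

    // Pattern the rule flags: Secure and HttpOnly default to false, so the cookie is sent over
    // plain HTTP and is readable from document.cookie.
    public static Cookie insecure(String sessionId) {
        return new Cookie("SID", sessionId);
    }

    // Hardened form. Secure: HTTPS only. HttpOnly: not exposed to script. SameSite=Strict: not
    // sent on cross-site requests, which also blunts CSRF. Path "/" and a bounded lifetime.
    public static Cookie hardened(String sessionId) {
        Cookie c = new Cookie("SID", sessionId);
        c.setSecure(true);
        c.setHttpOnly(true);
        c.setPath("/");
        c.setMaxAge(30 * 60);
        // Servlet 6.0+; on older containers write the Set-Cookie header with addHeader instead.
        c.setAttribute("SameSite", "Strict");
        return c;
    }

    // The property an audit checks for: both flags present.
    public static boolean isHardened(Cookie c) {
        return c.getSecure() && c.isHttpOnly();
    }

    public static void issue(HttpServletResponse resp, String sessionId) {
        resp.addCookie(hardened(sessionId));
    }

    public static void main(String[] args) {
        // Constructed session id; prints false for the flagged form and true for the hardened one.
        System.out.println(isHardened(insecure("constructed-session-id")));
        System.out.println(isHardened(hardened("constructed-session-id")));
    }
}
```

The same two flags apply to the container-managed JSESSIONID, which is usually configured in web.xml (cookie-config) or, for Spring Boot, through the server.servlet.session.cookie.* properties rather than in code.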
Audit your codebase
Audit Spring Boot, JEE, Hibernate and plain JDBC for OWASP Top 10 vulnerabilities, framework misconfigurations and supply-chain risks — all without uploading code to the cloud.