```java Bad theme={null} if ("red".equals(choice)) { // Noncompliant dispenseRed(); } else if ("blue".equals(choice)) { dispenseBlue(); } else if ("yellow".equals(choice)) { dispenseYellow(); } else { promptUser(); } ``` ```java Fix theme={null} switch(choice) { case "Red": dispenseRed(); break; case "Blue": dispenseBlue(): break; case "Yellow": dispenseYellow(); break; default: promptUser(); break; } ```

Comparisons of dissimilar types will always return false. The comparison and all its dependent code can simply be removed. This includes:

comparing an object with null
comparing an object with an unrelated primitive (E.G. a string with an int)
comparing unrelated classes
comparing an unrelated \`class and interface
comparing unrelated interface types
comparing an array to a non-array
comparing two arrays

Specifically in the case of arrays, since arrays don’t override Object.equals(), calling equals on two arrays is the same as comparing their addresses. This means that array1.equals(array2) is equivalent to array1==array2.

However, some developers might expect Array.equals(Object obj) to do more than a simple memory address comparison, comparing for instance the size and content of the two arrays. Instead, the == operator or Arrays.equals(array1, array2)\` should always be used with arrays.

```java Bad theme={null} interface KitchenTool { ... }; interface Plant {...} public class Spatula implements KitchenTool { ... } public class Tree implements Plant { ...} //... Spatula spatula = new Spatula(); KitchenTool tool = spatula; KitchenTool [] tools = {tool}; Tree tree = new Tree(); Plant plant = tree; Tree [] trees = {tree}; if (spatula.equals(tree)) { // Noncompliant; unrelated classes // ... } else if (spatula.equals(plant)) { // Noncompliant; unrelated class and interface // ... } else if (tool.equals(plant)) { // Noncompliant; unrelated interfaces // ... } else if (tool.equals(tools)) { // Noncompliant; array & non-array // ... } else if (trees.equals(tools)) { // Noncompliant; incompatible arrays // ... } else if (tree.equals(null)) { // Noncompliant // ... } ``` ```java Fix theme={null} ```

Using a type parameter when you don’t have to simply obfuscates the code. Qualifying an inner type with a type parameter will compile, but confuse maintainers.

```java Bad theme={null} T doTheThing(T.Entry type) { // Noncompliant //... } ``` ```java Fix theme={null} T doTheThing(Map.Entry type) { //... } ```

This rule allows you to track the use of the Checkstyle suppression comment mechanism.

```java Bad theme={null} // CHECKSTYLE:OFF ``` ```java Fix theme={null} ```

HttpSession s are managed by web servers and can be serialized and stored on disk as the server manages its memory use in a process called "passivation" (and later restored during "activation").

Even though HttpSession does not extend Serializable, you must nonetheless assume that it will be serialized. If non-serializable objects are stored in the session, serialization might fail.

```java Bad theme={null} public class Address { //... } HttpSession session = request.getSession(); session.setAttribute("address", new Address()); // Noncompliant; Address isn't serializable ``` ```java Fix theme={null} public class Address implements Serializable { //... } HttpSession session = request.getSession(); session.setAttribute("address", new Address()); ```

A cache is a long-lived object that holds references to shorter-lived objects. To prevent a cache from growing indefinitely, old objects the cache should be removed when they’re no longer used. This can be done with the use of soft references, which allow the garbage collector to remove unused cache entries when memory needs to be freed.

This rule raises an issue when a \`static collection does not use SoftReference.

Note that this rule is automatically disabled when the project’s sonar.java.source\` is lower than 7.

```java Bad theme={null} public class MyClass { private static List cache = new ArrayList<>(); // Noncompliant ``` ```java Fix theme={null} public class MyClass { private static List> cache = new ArrayList<>(); ```

The Object#equals(Object obj) method is used to compare two objects to see if they are equal.

The obj parameter’s type is Object, this means that an object of any type can be passed as a parameter to this method.

Any class overriding Object#equals(Object obj) should respect this contract, accept any object as an argument, and return false when the argument’s type differs from the expected type. The obj parameter’s type can be checked using instanceof or by comparing the getClass() value:

```java Bad theme={null} @Override public boolean equals(Object obj) { // ... if (this.getClass() != obj.getClass()) { return false; } // ... } ``` ```java Fix theme={null} public class MyClass { @Override public boolean equals(Object obj) { MyClass that = (MyClass) obj; // may throw a ClassCastException // ... } // ... } ```

The readObject method is implemented when a Serializable object requires special handling to be reconstructed from a file. The object created by readObject is accessed only by the thread that called the method, thus using the synchronized keyword in this context is unnecessary and causes confusion.

```java Bad theme={null} private synchronized void readObject(java.io.ObjectInputStream in) throws IOException, ClassNotFoundException { // Noncompliant //... } ``` ```java Fix theme={null} private void readObject(java.io.ObjectInputStream in) throws IOException, ClassNotFoundException { // Compliant //... } ```

In Java 8, underscore (\_) cannot be used as a parameter to a lambda, and by Java 9, it’s a keyword. To ensure future portability (not to mention current readability), it should not be used now as an identifier.

```java Bad theme={null} private String _; // Noncompliant ``` ```java Fix theme={null} private String foo; ```

According to the Java \`Comparable.compareTo(T o) documentation:

It is strongly recommended, but not strictly required that \`++(x.compareTo(y)==0)

```java Bad theme={null} public class Foo implements Comparable { @Override public int compareTo(Foo foo) { /* ... */ } // Noncompliant as the equals(Object obj) method is not overridden } ``` ```java Fix theme={null} public class Foo implements Comparable { @Override public int compareTo(Foo foo) { /* ... */ } // Compliant @Override public boolean equals(Object obj) { /* ... */ } } ```

notify and notifyAll both wake up sleeping threads waiting on the object’s monitor, but notify only wakes up one single thread, while notifyAll wakes them all up. Unless you do not care which specific thread is woken up, notifyAll should be used instead.

```java Bad theme={null} class MyThread implements Runnable { Object lock = new Object(); @Override public void run() { synchronized(lock) { // ... lock.notify(); // Noncompliant } } } ``` ```java Fix theme={null} class MyThread implements Runnable { Object lock = new Object(); @Override public void run() { synchronized(lock) { // ... lock.notifyAll(); } } } ```

The \`java.util.function package provides a large array of functional interface definitions for use in lambda expressions and method references. In general it is recommended to use the more specialised form to avoid auto-boxing. For instance IntFunction\ should be preferred over Function\.

This rule raises an issue when any of the following substitution is possible:

Current Interface	Preferred Interface
Function\	IntFunction\
Function\	LongFunction\
Function\	DoubleFunction\
Function\	DoubleToIntFunction
Function\	DoubleToLongFunction
Function\	LongToDoubleFunction
Function\	LongToIntFunction
Function\	ToIntFunction\
Function\	ToLongFunction\
Function\	ToDoubleFunction\
Function\	UnaryOperator\
BiFunction\	BinaryOperator\
Consumer\	IntConsumer
Consumer\	DoubleConsumer
Consumer\	LongConsumer
BiConsumer\	ObjIntConsumer\
BiConsumer\	ObjLongConsumer\
BiConsumer\	ObjDoubleConsumer\
Predicate\	IntPredicate
Predicate\	DoublePredicate
Predicate\	LongPredicate
Supplier\	IntSupplier
Supplier\	DoubleSupplier
Supplier\	LongSupplier
Supplier\	BooleanSupplier
UnaryOperator\	IntUnaryOperator
UnaryOperator\	DoubleUnaryOperator
UnaryOperator\	LongUnaryOperator
BinaryOperator\	IntBinaryOperator
BinaryOperator\	LongBinaryOperator
BinaryOperator\	DoubleBinaryOperator
Function\	Predicate\
BiFunction\	BiPredicate\\`

Current Interface

Preferred Interface

Function\

IntFunction\

Function\

LongFunction\

Function\

DoubleFunction\

Function\

DoubleToIntFunction

Function\

DoubleToLongFunction

Function\

LongToDoubleFunction

Function\

LongToIntFunction

Function\

ToIntFunction\

Function\

ToLongFunction\

Function\

ToDoubleFunction\

Function\

UnaryOperator\

BiFunction\

BinaryOperator\

Consumer\

IntConsumer

Consumer\

DoubleConsumer

Consumer\

LongConsumer

BiConsumer\

ObjIntConsumer\

BiConsumer\

ObjLongConsumer\

BiConsumer\

ObjDoubleConsumer\

Predicate\

IntPredicate

Predicate\

DoublePredicate

Predicate\

LongPredicate

Supplier\

IntSupplier

Supplier\

DoubleSupplier

Supplier\

LongSupplier

Supplier\

BooleanSupplier

UnaryOperator\

IntUnaryOperator

UnaryOperator\

DoubleUnaryOperator

UnaryOperator\

LongUnaryOperator

BinaryOperator\

IntBinaryOperator

BinaryOperator\

LongBinaryOperator

BinaryOperator\

DoubleBinaryOperator

Function\

Predicate\

BiFunction\

BiPredicate\\`

```java Bad theme={null} public class Foo implements Supplier { // Noncompliant @Override public Integer get() { // ... } } ``` ```java Fix theme={null} public class Foo implements IntSupplier { @Override public int getAsInt() { // ... } } ```

By accepting persistent entities as method arguments, the application allows clients to manipulate the object’s properties directly.

```java Bad theme={null} import javax.persistence.Entity; @Entity public class Wish { Long productId; Long quantity; Client client; } @Entity public class Client { String clientId; String name; String password; } import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; @Controller public class PurchaseOrderController { @RequestMapping(path = "/saveForLater", method = RequestMethod.POST) public String saveForLater(Wish wish) { // Noncompliant session.save(wish); } } ``` ```java Fix theme={null} public class WishDTO { Long productId; Long quantity; Long clientId; } import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; @Controller public class PurchaseOrderController { @RequestMapping(path = "/saveForLater", method = RequestMethod.POST) public String saveForLater(WishDTO wish) { Wish persistentWish = new Wish(); persistentWish.productId = wish.productId persistentWish.quantity = wish.quantity persistentWish.client = getClientById(with.clientId) session.save(persistentWish); } } ```

Validation is the first line of defense against injection, cross-site scripting, and many other attacks. Omitting it in modern web applications is simply negligent.

When creating a Struts ActionForm, you have the choice of extending something from the org.apache.struts.action package, or extending something from the org.apache.struts.validator package. Since you can’t use the Struts validator capabilities without extending something from the validator package, that should always be your choice.

```java Bad theme={null} public class MyForm extends org.apache.struts.action.ActionForm { // Noncompliant // ... ``` ```java Fix theme={null} public class MyForm extends org.apache.struts.validator.ValidatorForm { // ... ```

If you go to the trouble of importing a symbol statically, then you should make use of it, and you should do so consistently. Similarly, there’s no reason to both import a class and then refer to it in code by its fully-qualified name. Otherwise, maintainers could be confused by the difference between qualified and unqualified references.

```java Bad theme={null} import java.util.*; import java.math.BigInteger; import static java.lang.String.format; //... String s1 = format("%cello %cellow", 'h','f'); // Compliant String s2 = String.format("%cello %cellow", 'm','y'); // Noncompliant; is this a different format function than on the previous line? java.util.List list = new java.util.ArrayList(); // Noncompliant; both classes included in java.util.* import java.math.BigInteger myBigI = BigInteger.ZERO; // Noncompliant. This mixed usage is particularly confusing ``` ```java Fix theme={null} import java.util.*; import java.math.BigInteger; import static java.lang.String.format; //... String s1 = format("%cello %cellow", 'h','f'); String s2 = format("%cello %cellow", 'm','y'); List list = new ArrayList(); BigInteger myBigI = BigInteger.ZERO; ```

By contract, the NullCipher class provides an "identity cipher" - one that does not transform or encrypt the plaintext in any way. As a consequence, the ciphertext is identical to the plaintext. So this class should be used for testing, and never in production code.

```java Bad theme={null} NullCipher nc = new NullCipher(); ``` ```java Fix theme={null} ```

Both \`FixedSizeList from the Commons library, and the list returned from Arrays.asList offer add and remove methods (as required by the List interface they implement), but neither truly supports their use. Both list types have fixed lengths and will throw errors if an add or remove method, or any of their variations, is called.

This rule raises an issue when one of the following methods is invoked on a FixedSizeList instance:

add
addAll
clear
remove
removeAll\`

```java Bad theme={null} List strings = Arrays.asList("Hello"); strings.add("world"); // Noncompliant ``` ```java Fix theme={null} List strings = Arrays.asList("Hello", "world"); ```

When verifying that code raises a runtime exception, a good practice is to avoid having multiple method calls inside the tested code, to be explicit about which method call is expected to raise the exception.

It increases the clarity of the test, and avoid incorrect testing when another method is actually raising the exception.

```java Bad theme={null} @Test public void testToString() { // Do you expect get() or toString() throwing the exception? org.junit.Assert.assertThrows(IndexOutOfBoundsException.class, () -> get().toString()); } @Test public void testToStringTryCatchIdiom() { try { // Do you expect get() or toString() throwing the exception? get().toString(); Assert.fail("Expected an IndexOutOfBoundsException to be thrown"); } catch (IndexOutOfBoundsException e) { // Test exception message... } } ``` ```java Fix theme={null} @Test public void testToString() { Object obj = get(); Assert.assertThrows(IndexOutOfBoundsException.class, () -> obj.toString()); } @Test public void testToStringTryCatchIdiom() { Object obj = get(); try { obj.toString(); Assert.fail("Expected an IndexOutOfBoundsException to be thrown"); } catch (IndexOutOfBoundsException e) { // Test exception message... } } ```

Fields marked as transient in a Serializable class will be ignored during serialization and consequently not written out to a file (or stream).

This can be useful in situations such as where the content of a field can be recomputed from other fields. To reduce the output size, this field can be marked as transient and recomputed when a given object is deserialized.

Since transient is very specific to classes that implement Serializable, it is superfluous in classes that do not.

This rule raises an issue when a field is marked as transient, even though the containing class does not implement Serializable.

```java Bad theme={null} class Vegetable { private transient Season ripe; // Noncompliant, the "Vegetable" class does not implement "Serializable" but the field is marked as "transient" // ... } ``` ```java Fix theme={null} class Vegetable { private Season ripe; // Compliant, the field is not marked as "transient" // ... } ```

If you’ve gone to the trouble of writing an iterator method in a class that doesn’t implement Iterable, that trivial omission is costing you half the benefit of the method because you can’t use the class in enhanced for loops.

```java Bad theme={null} public class MyList { // Noncompliant public Iterator iterator() { //... } } public class MyClass { public void doSomething(MyList myList) { Iterator itr = myList.iterator(); while (itr.hasNext() { Object obj = itr.next(); processObj(obj); } } } ``` ```java Fix theme={null} public class MyList implements Iterable{ public Iterator iterator() { //... } } public class MyClass { public void doSomething(MyList myList) { for(Object obj : myList) { processObj(obj); } } } ```

A Spring \`singleton bean may be used by many threads at once, and the use of instance (non-static) variables could cause concurrency issues.

This rule applies to classes with the following annotations: @Service, @Component, @Repository, @Scope("singleton")\`

```java Bad theme={null} @Service("animalService") public class AnimalService { private int age = 1; // Noncompliant private static int count = 0; // Compliant; static @Inject private AnimalDAO animalDAO; // Compliant; managed by Spring ... } ``` ```java Fix theme={null} ```

Using boxed values in a ternary operator does not simply return one operand or the other based on the condition. Instead, the values are unboxed and coerced to a common type, which can result in a loss of precision when converting one operand from int to float or from long to double.

While this behavior is expected for arithmetic operations, it may be unexpected for the ternary operator. To avoid confusion or unexpected behavior, cast to a compatible type explicitly.

```java Bad theme={null} Integer i = 123456789; Float f = 1.0f; Number n1 = condition ? i : f; // Noncompliant, unexpected precision loss, n1 = 1.23456792E8 ``` ```java Fix theme={null} Integer i = 123456789; Float f = 1.0f; Number n1 = condition ? (Number) i : f; // Compliant, cast to Number prevents unboxing Number n2 = condition ? i : (Number) f; // Compliant, cast to Number prevents unboxing ```

Once a value is known to be null or non-null, there’s no reason to re-check it unless it has been changed (or potentially changed) in the interim. Doing so anyway may may just be an over-abundance of caution, but it could indicate a bug.

```java Bad theme={null} public void assignCoach(Team team, Person person) { if (team.hasCoach()) { // team is dereferenced return; } if (team != null) { // Noncompliant; if we got this far, team is not null //... } if (person != null) { // ... if (disqualified) { person = getAlternate(); } } if (person != null) { // Compliant; person may have changed since last check team.setCoach(person); } if (person != null) { // Noncompliant; no changes to person since last check // ... ``` ```java Fix theme={null} ```

There’s no valid reason to test this with instanceof. The only plausible explanation for such a test is that you’re executing code in a parent class conditionally based on the kind of child class this is. But code that’s specific to a child class should be in that child class, not in the parent.

```java Bad theme={null} public class JunkFood{ public void doSomething() { if (this instanceof Pizza) { // Noncompliant // ... } else if (... } } ``` ```java Fix theme={null} ```

The old, much-derided Date and Calendar classes have always been confusing and difficult to use properly, particularly in a multi-threaded context. JodaTime has long been a popular alternative, but now an even better option is built-in. Java 8’s JSR 310 implementation offers specific classes for:

Class	Use for
LocalDate	a date, without time of day, offset, or zone
LocalTime	the time of day, without date, offset, or zone
LocalDateTime	the date and time, without offset, or zone
OffsetDate	a date with an offset such as +02:00, without time of day, or zone
OffsetTime	the time of day with an offset such as +02:00, without date, or zone
OffsetDateTime	the date and time with an offset such as +02:00, without a zone
ZonedDateTime	the date and time with a time zone and offset
YearMonth	a year and month
MonthDay	month and day
Year/MonthOfDay/DayOfWeek/…	classes for the important fields
DateTimeFields	stores a map of field-value pairs which may be invalid
Calendrical	access to the low-level API
Period	a descriptive amount of time, such as "2 months and 3 days"

Class

Use for

LocalDate

a date, without time of day, offset, or zone

LocalTime

the time of day, without date, offset, or zone

LocalDateTime

the date and time, without offset, or zone

OffsetDate

a date with an offset such as +02:00, without time of day, or zone

OffsetTime

the time of day with an offset such as +02:00, without date, or zone

OffsetDateTime

the date and time with an offset such as +02:00, without a zone

ZonedDateTime

the date and time with a time zone and offset

YearMonth

a year and month

MonthDay

month and day

Year/MonthOfDay/DayOfWeek/…

classes for the important fields

DateTimeFields

stores a map of field-value pairs which may be invalid

Calendrical

access to the low-level API

Period

a descriptive amount of time, such as "2 months and 3 days"

```java Bad theme={null} Date now = new Date(); // Noncompliant DateFormat df = new SimpleDateFormat("dd.MM.yyyy"); Calendar christmas = Calendar.getInstance(); // Noncompliant christmas.setTime(df.parse("25.12.2020")); ``` ```java Fix theme={null} LocalDate now = LocalDate.now(); // gets calendar date. no time component LocalTime now2 = LocalTime.now(); // gets current time. no date component LocalDate christmas = LocalDate.of(2020,12,25); ```

A for loop termination condition should test the loop counter against an invariant value that does not change during the execution of the loop. Invariant termination conditions make the program logic easier to understand and maintain.

This rule tracks three types of non-invariant termination conditions:

When the loop counters are updated in the body of the for loop
When the termination condition depends on a method call
When the termination condition depends on an object property since such properties could change during the execution of the loop.

```java Bad theme={null} for (int i = 0; i < foo(); i++) { // Noncompliant, "foo()" is not an invariant // ... } ``` ```java Fix theme={null} int end = foo(); for (int i = 0; i < end; i++) { // Compliant, "end" does not change during loop execution // ... } ```

Even if it is technically possible, Restricted Identifiers should not be used as identifiers. This is only possible for compatibility reasons, using it in Java code is confusing and should be avoided.

Note that this applies to any version of Java, including the one where these identifiers are not yet restricted, to avoid future confusion.

This rule reports an issue when restricted identifiers:

var
yield
record

are used as identifiers.

```java Bad theme={null} var var = "var"; // Noncompliant: compiles but this code is confusing var = "what is this?"; int yield(int i) { // Noncompliant return switch (i) { case 1: yield(0); // This is a yield from switch expression, not a recursive call. default: yield(i-1); }; } String record = "record"; // Noncompliant ``` ```java Fix theme={null} var myVariable = "var"; int minusOne(int i) { return switch (i) { case 1: yield(0); default: yield(i-1); }; } String myRecord = "record"; ```

Collection.removeIf is more readable and less verbose than using the Iterator.remove idiom. It might also be more performant in some cases, particularly for ArrayList instances.

```java Bad theme={null} for (Iterator it = items.iterator(); it.hasNext();) { if (this.predicate(it.next())) { it.remove(); } } ``` ```java Fix theme={null} items.removeIf(this::predicate); ```

If the Service Provider does not manage to properly validate the incoming SAML response message signatures, attackers might be able to manipulate the response content without the application noticing. Especially, they might be able to alter the authentication-targeted user.

```java Bad theme={null} import org.opensaml.xml.parse.StaticBasicParserPool; import org.opensaml.xml.parse.ParserPool; public ParserPool parserPool() { StaticBasicParserPool staticBasicParserPool = new StaticBasicParserPool(); staticBasicParserPool.setIgnoreComments(false); // Noncompliant return staticBasicParserPool; } ``` ```java Fix theme={null} import org.opensaml.xml.parse.BasicParserPool; import org.opensaml.xml.parse.ParserPool; public ParserPool parserPool() { BasicParserPool basicParserPool = new BasicParserPool(); basicParserPool.setIgnoreComments(false); // Noncompliant return basicParserPool; } ```

JDK7 introduced the class \`java.nio.charset.StandardCharsets. It provides constants for all charsets that are guaranteed to be available on every implementation of the Java platform.

ISO\_8859\_1
US\_ASCII
UTF\_16
UTF\_16BE
UTF\_16LE
UTF\_8

These constants should be preferred to:

the use of a String such as "UTF-8" which has the drawback of requiring the catch/throw of an UnsupportedEncodingException that will never actually happen
the use of Guava’s Charsets\` class, which has been obsolete since JDK7

```java Bad theme={null} try { byte[] bytes = string.getBytes("UTF-8"); // Noncompliant; use a String instead of StandardCharsets.UTF_8 } catch (UnsupportedEncodingException e) { throw new AssertionError(e); } // ... byte[] bytes = string.getBytes(Charsets.UTF_8); // Noncompliant; Guava way obsolete since JDK7 ``` ```java Fix theme={null} byte[] bytes = string.getBytes(StandardCharsets.UTF_8) ```

The processHttpRequest method and methods called from it can be executed by multiple threads within the same servlet instance, and state changes to the instance caused by these methods are, therefore, not threadsafe.

This is due to the servlet container creating only one instance of each servlet (javax.servlet.http.HttpServlet) and attaching a dedicated thread to each incoming HTTP request. The same problem exists for org.apache.struts.action.Action but with different methods.

To prevent unexpected behavior, avoiding mutable states in servlets is recommended. Mutable instance fields should either be refactored into local variables or made immutable by declaring them final.

```java Bad theme={null} public class MyServlet extends HttpServlet { String apiVersion = "0.9.1"; // Noncompliant, field changes are not thread-safe } ``` ```java Fix theme={null} public class MyServlet extends HttpServlet { final String apiVersion = "0.9.1"; // Compliant, field cannot be changed } ```

In Switch Expressions, an arrow label consisting of a block with a single \`yield can be simplified to directly return the value, resulting in cleaner code.

Similarly, for Switch Statements and arrow labels, a break in a block is always redundant and should not be used. Furthermore, if the resulting block contains only one statement, the curly braces of that block can also be omitted.

This rule reports an issue when a case of a Switch Expression contains a block with a single yield or when a Switch Statement contains a block with a break\`.

```java Bad theme={null} int i = switch (mode) { case "a" -> { // Noncompliant: Remove the redundant block and yield. yield 1; } default -> { // Noncompliant: Remove the redundant block and yield. yield 2; } }; switch (mode) { case "a" -> { // Noncompliant: Remove the redundant block and break. result = 1; break; } default -> { // Noncompliant: Remove the redundant break. doSomethingElse(); result = 2; break; } } ``` ```java Fix theme={null} int i = switch (mode) { case "a" -> 1; default -> 2; }; switch (mode) { case "a" -> result = 1; default -> { doSomethingElse(); result = 2; } } ```

In a multi-threaded situation, un-\`synchronized lazy initialization of static fields could mean that a second thread has access to a half-initialized object while the first thread is still creating it. Allowing such access could cause serious bugs. Instead. the initialization block should be synchronized.

Similarly, updates of such fields should also be synchronized.

This rule raises an issue whenever a lazy static initialization is done on a class with at least one synchronized\` method, indicating intended usage in multi-threaded applications.

```java Bad theme={null} private static Properties fPreferences = null; private static Properties getPreferences() { if (fPreferences == null) { fPreferences = new Properties(); // Noncompliant fPreferences.put("loading", "true"); fPreferences.put("filterstack", "true"); readPreferences(); } return fPreferences; } } ``` ```java Fix theme={null} private static Properties fPreferences = null; private static synchronized Properties getPreferences() { if (fPreferences == null) { fPreferences = new Properties(); fPreferences.put("loading", "true"); fPreferences.put("filterstack", "true"); readPreferences(); } return fPreferences; } } ```

There’s no need to null-test a variable before an instanceof test because instanceof tests for null. Similarly, there’s no need to null-test a variable before dereferencing some other object.

```java Bad theme={null} if (myVar != null && myVar instanceof MyClass) { // Noncompliant // ... } else if (myVar != null && myOtherVar.equals(myVar) { // Noncompliant // ... } ``` ```java Fix theme={null} if (myVar instanceof MyClass) { // ... } else if (myVar != null && myVar.equals(myOtherVar) { // ... } ```

Denoted by the "@" symbol, annotations are metadata that can be added to classes, methods, and variables for various purposes such as documentation, code analysis, and runtime processing.

Annotations have retention policies that determine in which context they are retained and available for use. There are three retention policies for annotations:

RetentionPolicy.SOURCE - Annotations are only available during compilation and code analysis. They are not included in the compiled class file and are not available at runtime. E.G. @Override, @SuppressWarnings
RetentionPolicy.CLASS - Annotations are included in the compiled class file providing information to the compiler, but they are not retained by the JVM at runtime. This is the default retention policy. E.G. @PreviewFeature
RetentionPolicy.RUNTIME - Annotations are included in the compiled class file and available at runtime. They can be accessed and used by the program through reflection. E.G. @FunctionalInterface, @Deprecated

It is important to understand that only annotations having the RUNTIME retention policy can be accessed at runtime using reflection. For example, the following if condition is true when the method argument is the java.util.function.Function class:

```java Bad theme={null} void execute(Class cls) { if (cls.isAnnotationPresent(FunctionalInterface.class)) { // ... } } ``` ```java Fix theme={null} void execute(Method method) { if (method.isAnnotationPresent(Override.class)) { // Noncompliant, if condition will always be false because // @Override is declared with @Retention(RetentionPolicy.SOURCE) // ... } } ```

Before Java 8, a container annotation was required as wrapper to use multiple instances of the same annotation. As of Java 8, this is no longer necessary. Instead, these annotations should be used directly without a wrapper, resulting in cleaner and more readable code.

This rule is automatically disabled when the project’s sonar.java.source is lower than 8 as repeating annotations were introduced in Java 8.

```java Bad theme={null} @SomeAnnotations({ // Noncompliant, wrapper annotations are not necessary in Java 8+ @SomeAnnotation(..a..), @SomeAnnotation(..b..), @SomeAnnotation(..c..), }) public class SomeClass { ... } ``` ```java Fix theme={null} @SomeAnnotation(..a..) @SomeAnnotation(..b..) @SomeAnnotation(..c..) public class SomeClass { ... } ```

Java 21 virtual threads allow the JVM to optimize the usage of OS threads, by mounting and unmounting them on an OS thread when needed, and making them more efficient when dealing with blocking operations such as HTTP requests or I/O.

However, when code is executed inside a synchronized block or synchronized method, the virtual thread stays pinned to the underlying OS thread and cannot be unmounted during a blocking operation. This will cause the OS thread to be blocked, which can impact the scalability of the application.

Therefore, virtual threads should not execute code that contains synchronized blocks or invokes synchronized methods. Platform threads should be used in these cases.

This rule raises an issue when a virtual thread contains synchronized blocks or invokes synchronized methods.

```java Bad theme={null} void enqueue(){ Thread.startVirtualThread(() -> { // Noncompliant; use a platform thread instead setupOperations(); dequeLogic(); } }); } ``` ```java Fix theme={null} void enqueue(){ new Thread(() -> { synchronized { setupOperations(); dequeLogic(); } }).start(); } ```

According to the Java documentation, any implementation of the \`InputSteam.read() method is supposed to read the next byte of data from the input stream. The value byte must be an int in the range 0 to 255. If no byte is available because the end of the stream has been reached, the value -1 is returned.

But in Java, the byte primitive data type is an 8-bit signed two’s complement integer. It has a minimum value of -128 and a maximum value of 127. So by contract, the implementation of an InputSteam.read() method should never directly return a byte\` primitive data type. A conversion into an unsigned byte must be done before by applying a bitmask.

```java Bad theme={null} @Override public int read() throws IOException { if (pos == buffer.length()) { return -1; } return buffer.getByte(pos++); // Noncompliant, a signed byte value is returned } ``` ```java Fix theme={null} @Override public int read() throws IOException { if (pos == buffer.length()) { return -1; } return buffer.getByte(pos++) & 0xFF; // The 0xFF bitmask is applied } ```

Setting the wrong Content-Type for a response can leave an application vulnerable to cross-site scripting attacks. Specifically, JSON should always be served with the \`application/json Content-Type.

This rule checks the Content-Type of responses containing classes in the org.json and javax.json\` packages.

```java Bad theme={null} public void doGet(HttpServletRequest request, HttpServletResponse response) { JSONObject jsonRespone = getJsonResponse(request); try { response.setContentType("text/html"); // Noncompliant; wrong type PrintWriter out = response.getWriter(); out.println(jsonResponse.toJSONString()); out.close(); } catch (IOException e) { e.printStackTrace(); } } public void doPost(HttpServletRequest request, HttpServletResponse response) { // Noncompliant; response type not set JSONObject jsonRespone = getJsonResponse(request); try { PrintWriter out = response.getWriter(); out.println(jsonResponse.toJSONString()); out.close(); } catch (IOException e) { e.printStackTrace(); } } ``` ```java Fix theme={null} ```

Hibernate’s lazy loading allows you to retrieve just the data of the current class without being forced to load all its related classes. For instance with lazy loading, you can pull up an instance of a \`Lecture @Entity without being forced to load all its Students.

But that’s only if you’re storing the Students in a collection. Store them in an array instead, and the benefits of lazy loading are no longer available.

This rule raises an issue on each array in @Entity\` classes.

```java Bad theme={null} @Entity public class Lecture { @OneToMany private Student [] attendees; // Noncompliant // ... } ``` ```java Fix theme={null} @Entity public class Lecture { @OneToMany private List attendees; // ... } ```

Configured URL matchers are considered in the order they are declared. Especially, for a given resource, if a looser filter is defined before a stricter one, only the less secure configuration will apply. No request will ever reach the stricter rule.

This rule raises an issue when:

A URL pattern ending with \*\* precedes another one having the same prefix. E.g. /admin/\*\* is defined before /admin/example/\*\*
A pattern without wildcard characters is preceded by another one that matches it. E.g.: /page-index/db is defined after /page\*/\*\*

```java Bad theme={null} protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/resources/**", "/signup", "/about").permitAll() .antMatchers("/admin/**").hasRole("ADMIN") .antMatchers("/admin/login").permitAll() // Noncompliant .antMatchers("/**", "/home").permitAll() .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") // Noncompliant .and().formLogin().loginPage("/login").permitAll().and().logout().permitAll(); } ``` ```java Fix theme={null} protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/resources/**", "/signup", "/about").permitAll() .antMatchers("/admin/login").permitAll() .antMatchers("/admin/**").hasRole("ADMIN") .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") .antMatchers("/**", "/home").permitAll() .and().formLogin().loginPage("/login").permitAll().and().logout().permitAll(); } ```

\`ThreadLocal variables are supposed to be garbage collected once the holding thread is no longer alive. Memory leaks can occur when holding threads are re-used which is the case on application servers using pool of threads.

To avoid such problems, it is recommended to always clean up ThreadLocal variables using the remove() method to remove the current thread’s value for the ThreadLocal variable.

In addition, calling set(null) to remove the value might keep the reference to this pointer in the map, which can cause memory leak in some scenarios. Using remove\` is safer to avoid this issue.

```java Bad theme={null} public class ThreadLocalUserSession implements UserSession { private static final ThreadLocal DELEGATE = new ThreadLocal<>(); public UserSession get() { UserSession session = DELEGATE.get(); if (session != null) { return session; } throw new UnauthorizedException("User is not authenticated"); } public void set(UserSession session) { DELEGATE.set(session); } public void incorrectCleanup() { DELEGATE.set(null); // Noncompliant } // some other methods without a call to DELEGATE.remove() } ``` ```java Fix theme={null} public class ThreadLocalUserSession implements UserSession { private static final ThreadLocal DELEGATE = new ThreadLocal<>(); public UserSession get() { UserSession session = DELEGATE.get(); if (session != null) { return session; } throw new UnauthorizedException("User is not authenticated"); } public void set(UserSession session) { DELEGATE.set(session); } public void unload() { DELEGATE.remove(); // Compliant } // ... } ```

Shared naming conventions allow teams to collaborate efficiently.

This rule raises an issue when a method name does not match a provided regular expression.

For example, with the default provided regular expression ^\[a-z]\[a-zA-Z0-9]\*\$, the method:

```java Bad theme={null} public int DoSomething(){...} // Noncompliant ``` ```java Fix theme={null} public int doSomething(){...} ```

The Reader.read() and the BufferedReader.readLine() are used for reading data from a data source. The return value of these methods is the data read from the data source, or null when the end of the data source is reached. If the return value is ignored, the data read from the source is thrown away and may indicate a bug.

This rule raises an issue when the return values of Reader.read() and BufferedReader.readLine() and their subclasses are ignored or merely null-checked.

```java Bad theme={null} public void doSomethingWithFile(String fileName) { try(BufferedReader buffReader = new BufferedReader(new FileReader(fileName))) { while (buffReader.readLine() != null) { // Noncompliant // ... } } catch (IOException e) { // ... } } ``` ```java Fix theme={null} public void doSomethingWithFile(String fileName) { try(BufferedReader buffReader = new BufferedReader(new FileReader(fileName))) { String line = null; while ((line = buffReader.readLine()) != null) { // ... } } catch (IOException e) { // ... } } ```

Unlike similar AssertJ methods testing exceptions (\`assertThatCode(), assertThatExceptionOfType(), …), the assertThatThrownBy() method can be used alone, failing if the code did not raise any exception.

Still, only testing that an exception was raised is not enough to guarantee that it was the expected one, and you should test the exception type or content further. In addition, it will make explicit what you are expecting, without relying on side-effects.

This rule raises an issue when assertThatThrownBy\` is used, without testing the exception further.

```java Bad theme={null} assertThatThrownBy(() -> shouldThrow()); // Noncompliant, is it really the exception you expected? ``` ```java Fix theme={null} assertThatThrownBy(() -> shouldThrow()).isInstanceOf(IOException.class); //or assertThatThrownBy(() -> shouldThrow()).hasMessage("My exception"); ```

JUnit assertions should not be made from the run method of a Runnable, because their failure may not be detected in the test that initiated them. Failed assertions throw assertion errors. However, if the error is thrown from another thread than the one that initiated the test, the thread will exit but the test will not fail.

```java Bad theme={null} class RunnableWithAnAssertion extends Thread { @Override public void run() { Assert.assertEquals(expected, actual); // Noncompliant } @Test void test() { RunnableWithAnAssertion otherThread = new RunnableWithAnAssertion(); otherThread.start(); // The assertion in the run method above will be executed by other thread than the current one // ... // Perform some actions that do not make the test fail // ... Assert.assertTrue(true); } } ``` ```java Fix theme={null} class RunnableWithAnAssertion extends Thread { @Override public void run() { Assert.assertEquals(expected, actual); // Noncompliant } @Test void test() { RunnableWithAnAssertion otherThread = new RunnableWithAnAssertion(); otherThread.run(); // ... // The failed assertions in the run method will prevent us from reaching the assertion below // ... Assert.assertTrue(true); } } ```

Having too many return statements in a method increases the method’s essential complexity because the flow of execution is broken each time a return statement is encountered. This makes it harder to read and understand the logic of the method.

```java Bad theme={null} public boolean myMethod() { // Noncompliant; there are 4 return statements if (condition1) { return true; } else { if (condition2) { return false; } else { return true; } } return false; } ``` ```java Fix theme={null} ```

Java 7’s try-with-resources structure automatically handles closing the resources that the try itself opens. Thus, adding an explicit close() call is redundant and potentially confusing.

```java Bad theme={null} try (PrintWriter writer = new PrintWriter(process.getOutputStream())) { String contents = file.contents(); writer.write(new Gson().toJson(new MyObject(contents))); writer.flush(); writer.close(); // Noncompliant } ``` ```java Fix theme={null} try (PrintWriter writer = new PrintWriter(process.getOutputStream())) { String contents = file.contents(); writer.write(new Gson().toJson(new MyObject(contents))); writer.flush(); } ```

In records, introduced in Java 16, there are 2 ways to write a custom constructor: canonical and compact.

A canonical constructor is an ordinary constructor with arguments for all private fields. The default implementation just provides initialization for all private fields and there is no need to write it manually. You might want to write it yourself when you need to customize the constructor logic.

A compact constructor doesn’t have parameters defined explicitly, parentheses are omitted and access to private fields is not possible (even via this). The compact constructor has access to the constructor’s arguments and its body is executed right before the field initialization. It’s a perfect place to provide validation.

This rule reports an issue when a canonical constructor can be easily replaced by a compact version when these requirements are met:

the last statements are trivial field initializations
no statement reads from fields or components
there are other statements in the constructor (case covered by S6207: redundant constructors in records)

```java Bad theme={null} record Person(String name, int age) { Person(String name, int age) { // Noncompliant if (age < 0) { throw new IllegalArgumentException("Negative age"); } this.name = name; this.age = age; } } ``` ```java Fix theme={null} record Person(String name, int age) { Person { // Compliant if (age < 0) { throw new IllegalArgumentException("Negative age"); } } } ```

The repetition of a unary operator is usually a typo. The second operator invalidates the first one in most cases:

```java Bad theme={null} int i = 1; int j = - - -i; // Noncompliant: equivalent to "-i" int k = ~~~i; // Noncompliant: equivalent to "~i" int m = + +i; // Noncompliant: equivalent to "i" boolean b = false; boolean c = !!!b; // Noncompliant ``` ```java Fix theme={null} int i = 1; int j = ++ ++i; // Noncompliant int k = i-- --; // Noncompliant ```

Non final classes shouldn’t use a hardcoded class name in the equals method. Doing so breaks the method for subclasses. Instead, make the comparison dynamic.

```java Bad theme={null} public class Fruit { private Season ripe; public boolean equals(Object obj) { if (obj == this) { return true; } if (Fruit.class == obj.class) { // Noncompliant return false; } // ... ``` ```java Fix theme={null} public class Fruit { private Season ripe; public boolean equals(Object obj) { if (obj == this) { return true; } if (this.class == obj.class) { // will work for subclasses too return false; } // ... ```

In Records, serialization is not done the same way as for ordinary serializable or externalizable classes. The serialized representation of a record object will be a sequence of values (record components). During the deserialization of records, the stream of components is read and components are constructed. Then the record object is recreated by invoking the record’s canonical constructor with the component values serving as arguments (or default values for absent arguments).

This process cannot be customized, so any class-specific \`writeObject, readObject, readObjectNoData, writeExternal, and readExternal methods or serialPersistentFields fields in record classes are ignored during serialization and deserialization.

However, there is a way to substitute serialized/deserialized objects in writeReplace and readResolve.

This rule raises an issue when any of writeObject, readObject, readObjectNoData, writeExternal, readExternal or serialPersistentFields\` are present as members in a Record class.

```java Bad theme={null} record Record() implements Serializable { @Serial private static final ObjectStreamField[] serialPersistentFields = new ObjectStreamField[0]; // Noncompliant @Serial private void writeObject(ObjectOutputStream out) throws IOException { // Noncompliant ... } } record Record() implements Externalizable { @Override public void writeExternal(ObjectOutput out) throws IOException { // Noncompliant ... } @Override public void readExternal(ObjectInput in) throws IOException, ClassNotFoundException { // Noncompliant ... } } ``` ```java Fix theme={null} record Record() implements Serializable {} record Record() implements Serializable { private Object writeReplace() throws ObjectStreamException { ... } private Object readResolve() throws ObjectStreamException { ... } } ```

Java 21 introduces case null for switch. It is a more concise and readable way to handle nullability compared to an if statement before a switch.

```java Bad theme={null} switch (s) { case null: /* code if null */ // ... } ``` ```java Fix theme={null} if (s == null) { /* code if null */ } switch (s) { // ... } ```

When the application does not implement controls over the JMS object types, its clients could be able to force the deserialization of arbitrary objects. This may lead to deserialization injection attacks.

```java Bad theme={null} ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("tcp://localhost:61616"); factory.setTrustAllPackages(true); // Noncompliant ``` ```java Fix theme={null} ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("tcp://localhost:61616"); factory.setTrustedPackages(Arrays.asList("org.mypackage1", "org.mypackage2")); ```

StringBuffer and StringBuilder instances that are appended but never toStringed needlessly clutter the code, and worse are a drag on performance. Either they should be removed, or the missing toString call added.

```java Bad theme={null} public void doSomething(List strings) { StringBuilder sb = new StringBuilder(); // Noncompliant sb.append("Got: "); for (String str : strings) { sb.append(str).append(", "); // ... } } ``` ```java Fix theme={null} public void doSomething(List strings) { for (String str : strings) { // ... } } ```

When using the \`Stream API, call chains should be simplified as much as possible. Not only does it make the code easier to read, it also avoid creating unnecessary temporary objects.

This rule raises an issue when one of the following substitution is possible:

Original	Preferred
stream.filter(predicate).findFirst().isPresent()	stream.anyMatch(predicate)
stream.filter(predicate).findAny().isPresent()	stream.anyMatch(predicate)
!stream.anyMatch(predicate)	stream.noneMatch(predicate)
!stream.anyMatch(x -> !(...))	stream.allMatch(...)
stream.map(mapper).anyMatch(Boolean::booleanValue)	stream.anyMatch(predicate)\`

Original

Preferred

stream.filter(predicate).findFirst().isPresent()

stream.anyMatch(predicate)

stream.filter(predicate).findAny().isPresent()

stream.anyMatch(predicate)

!stream.anyMatch(predicate)

stream.noneMatch(predicate)

!stream.anyMatch(x -> !(...))

stream.allMatch(...)

stream.map(mapper).anyMatch(Boolean::booleanValue)

stream.anyMatch(predicate)\`

```java Bad theme={null} boolean hasRed = widgets.stream().filter(w -> w.getColor() == RED).findFirst().isPresent(); // Noncompliant ``` ```java Fix theme={null} boolean hasRed = widgets.stream().anyMatch(w -> w.getColor() == RED); ```

java.lang.Error and its subclasses represent abnormal conditions, such as OutOfMemoryError, which should only be encountered by the Java Virtual Machine.

```java Bad theme={null} public class MyException extends Error { /* ... */ } // Noncompliant ``` ```java Fix theme={null} public class MyException extends Exception { /* ... */ } // Compliant ```

A common reason for a poorly performant query is because it’s processing more data than required.

Querying unnecessary data demands extra work on the server, adds network overhead, and consumes memory and CPU resources on the application server. The effect is amplified when the query includes multiple joins.

The rule flags an issue when a SELECT \* query is provided as an argument to methods in java.sql.Connection and java.sql.Statement.

```java Bad theme={null} public class OrderRepository { public record OrderSummary(String name, String orderId, BigDecimal price) { } public List queryOrderSummaries(Connection conn) { String sql = "SELECT * " + // Noncompliant "FROM Orders JOIN Customers ON Orders.customerId = Customers.id "; Statement stmt = conn.createStatement(); ResultSet rs = stmt.executeQuery(sql); return convertResultToOrderSummaryList(rs); } } ``` ```java Fix theme={null} public class OrderRepository { public record OrderSummary(String name, String orderId, BigDecimal price) { } public List queryOrderSummaries(Connection conn) { String sql = "SELECT Customers.name, Orders.id, Orders.price " + // Compliant "FROM Orders JOIN Customers ON Orders.customerId = Customers.id "; Statement stmt = conn.createStatement(); ResultSet rs = stmt.executeQuery(sql); return convertResultToOrderSummaryList(rs); } } ```

Objects annotated with Mockito annotations \`@Mock, @Spy, @Captor, or @InjectMocks need to be initialized explicitly.

There are several ways to do this:

Call MockitoAnnotations.openMocks(this) or MockitoAnnotations.initMocks(this) in a setup method
Annotate test class with @RunWith(MockitoJUnitRunner.class) (JUnit 4)
Annotate test class with @ExtendWith(MockitoExtension.class) (JUnit 5 Jupiter)
Use @Rule public MockitoRule rule = MockitoJUnit.rule();

Test using uninitialized mocks will fail.

Note that this only applies to annotated Mockito objects. It is not necessary to initialize objects instantiated via Mockito.mock() or Mockito.spy()\`.

This rule raises an issue when a test class uses uninitialized mocks.

```java Bad theme={null} public class FooTest { // Noncompliant: Mockito initialization missing @Mock private Bar bar; @Spy private Baz baz; @InjectMocks private Foo fooUnderTest; @Test void someTest() { // test something ... } @Nested public class Nested { @Mock private Bar bar; } ``` ```java Fix theme={null} @RunWith(MockitoJUnitRunner.class) public class FooTest { @Mock private Bar bar; // ... } ```

Some mathematical operations are unnecessary and should not be performed because their results are predictable.

For instance, anyValue % 1 will always return 0, as any integer value can be divided by 1 without remainder.

Similarly, casting a non-floating-point to a floating-point value and then passing it to Math.round, Math.ceil, or Math.floor is also unnecessary, as the result will always be the original value.

The following operations are unnecessary when given any constant value: Math.abs, Math.ceil, Math.floor, Math.rint, Math.round. Instead, use the result of the operation directly.

The following operations are unnecessary with certain constants and can be replaced by the result of the operation directly:

Operation	Value
acos	0.0 or 1.0
asin	0.0 or 1.0
atan	0.0 or 1.0
atan2	0.0
cbrt	0.0 or 1.0
cos	0.0
cosh	0.0
exp	0.0 or 1.0
expm1	0.0
log	0.0 or 1.0
log10	0.0 or 1.0
sin	0.0
sinh	0.0
sqrt	0.0 or 1.0
tan	0.0
tanh	0.0
toDegrees	0.0 or 1.0
toRadians	0.0

Operation

Value

acos

0.0 or 1.0

asin

0.0 or 1.0

atan

0.0 or 1.0

atan2

0.0

cbrt

0.0 or 1.0

cos

0.0

cosh

0.0

exp

0.0 or 1.0

expm1

0.0

log

0.0 or 1.0

log10

0.0 or 1.0

sin

0.0

sinh

0.0

sqrt

0.0 or 1.0

tan

0.0

tanh

0.0

toDegrees

0.0 or 1.0

toRadians

0.0

```java Bad theme={null} public void doMath(int a) { double res1 = Math.floor((double)a); // Noncompliant, the result will always be equal to '(double) a' double res2 = Math.ceil(4.2); // Noncompliant, the result will always be 5.0 double res3 = Math.atan(0.0); // Noncompliant, the result will always be 0.0 } ``` ```java Fix theme={null} public void doMath(int a) { double res1 = a; // Compliant double res2 = 5.0; // Compliant double res3 = 0.0; // Compliant } ```

The Spring framework’s @RestController annotation is equivalent to using the @Controller and @ResponseBody annotations together. As such, it is redundant to add a @ResponseBody annotation when the class is already annotated with @RestController.

```java Bad theme={null} @RestController public class MyController { @ResponseBody // Noncompliant, the @RestController annotation already implies @ResponseBody @RequestMapping("/hello") public String hello() { return "Hello World!"; } } ``` ```java Fix theme={null} @RestController public class MyController { @RequestMapping("/hello") public String hello() { return "Hello World!"; } } ```

Passing single null or primitive array argument to the variable arity method may not work as expected. In the case of null, it is not passed as array with single element, but the argument itself is null. In the case of a primitive array, if the formal parameter is Object..., it is passed as a single element array. This may not be obvious to someone not familiar with such corner cases, and it is probably better to avoid such ambiguities by explicitly casting the argument to the desired type.

```java Bad theme={null} class A { public static void main(String[] args) { vararg(null); // Noncompliant, prints "null" int[] arr = {1,2,3}; vararg(arr); // Noncompliant, prints "length: 1" } static void vararg(Object... s) { if (s == null) { System.out.println("null"); } else { System.out.println("length: " + s.length); } } } ``` ```java Fix theme={null} class A { public static void main(String[] args) { vararg((Object) null); // prints 1 Object[] arr = {1,2,3}; vararg(arr); // prints 3 } static void vararg(Object... s) { if (s == null) { System.out.println("null"); // not reached } else { System.out.println("length: " + s.length); } } } ```

@VisibleForTesting can be used to mark methods, fields and classes whose visibility restrictions have been relaxed more than necessary for the API to allow for easier unit testing.

Access to such methods, fields and classes only possible thanks to this relaxed visibility is fine for test code, but it should be avoided in production code. In production code these methods should be treated as if they are private.

Supported framework:

Guava: \`com.google.common.annotations.VisibleForTesting
AssertJ: org.assertj.core.util.VisibleForTesting
Android: androidx.annotation.VisibleForTesting
Apache Flink: org.apache.flink.annotation.VisibleForTesting

or any other annotation named VisibleForTesting\`

```java Bad theme={null} /** src/main/java/MyObject.java */ @VisibleForTesting String foo; /** src/main/java/Service.java */ new MyObject().foo; // Noncompliant, foo is accessed from production code ``` ```java Fix theme={null} /** src/main/java/MyObject.java */ @VisibleForTesting String foo; /** src/test/java/MyObjectTest.java */ new MyObject().foo; // Compliant, foo is accessed from test code ```

Java 15 introduced feature of \`sealed classes. With sealed classes and interfaces you can specify a strict hierarchy of types and restrict possible inheritance.

Although this feature can help to make code safer, it is not applicable everywhere. Functional interfaces can not be sealed. This means that if an interface with a single abstract method is declared with a sealed keyword, its implementation can’t be replaced with a lambda.

This rule reports an issue when an interface with a single abstract method is marked sealed\`.

```java Bad theme={null} public sealed interface F permits ... { // Noncompliant void f(); } ``` ```java Fix theme={null} public interface F { // Compliant void f(); } ```

When List.remove() is called, the list shrinks, and the indices of all elements following the removed element are decremented by one. If this operation is performed within a loop that iterates through the elements in ascending order, it will cause the loop to skip the element immediately following the removed element.

```java Bad theme={null} void removeFrom(List list) { // expected: iterate over all list elements for (int i = 0; i < list.size(); i++) { if (list.get(i).isEmpty()) { list.remove(i); // Noncompliant, next element is skipped } } } ``` ```java Fix theme={null} void removeFrom(List list) { list.removeIf(String::isEmpty); // Compliant } ```

According to the EJB specification, EJB’s:

…must not attempt to create a class loader; obtain the current class loader; set the context class loader…

This rule raises an issue each time an EJB obtains a class loader.

```java Bad theme={null} ClassLoader loader = this.getClass().getClassLoader(); // Noncompliant ClassLoader loader = new MyClassLoader(); // Noncompliant ``` ```java Fix theme={null} ```

Overriding a parent class' method implementation with an \`abstract method is a terrible practice for a number of reasons:

it blocks invocation of the original class' method by children of the abstract class.
it requires the abstract\` class' children to re-implement (copy/paste?) the original class' logic.
it violates the inherited contract.

```java Bad theme={null} public class Parent { public int getNumber() { return 1; } } public abstract class AbstractChild { abstract public int getNumber(); // Noncompliant } ``` ```java Fix theme={null} ```

In Java, the Thread class represents a thread of execution. Synchronization between threads is typically achieved using objects or shared resources.

The methods wait(…), notify(), and notifyAll() are related to the underlying object’s monitor and are designed to be called on objects that act as locks or monitors for synchronization. These methods are available on Java Object and, therefore, automatically inherited by all objects, including Thread.

Calling these methods on a Thread may corrupt the behavior of the JVM, which relies on them to change the state of the thread (BLOCKED, WAITING,…).

```java Bad theme={null} Thread myThread = new Thread(new RunnableJob()); ... myThread.wait(); // Noncompliant ``` ```java Fix theme={null} ```

An equals method that unconditionally returns the same answer is an error likely to cause many bugs.

```java Bad theme={null} public class Fruit extends Food { private Season ripe; public boolean equals(Object obj) { return ripe.equals(this); // Noncompliant } ``` ```java Fix theme={null} ```

When using null-related annotations at global scope level, for instance using \`javax.annotation.ParametersAreNonnullByDefault (from JSR-305) at package level, it means that all the parameters to all the methods included in the package will, or should, be considered Non-null. It is equivalent to annotating every parameter in every method with non-null annotations (such as @Nonnull).

The rule raises an issue every time a parameter could be null\` for a method invocation, where the method is annotated as forbidding null parameters.

```java Bad theme={null} @javax.annotation.ParametersAreNonnullByDefault class A { void foo() { bar(getValue()); // Noncompliant - method 'bar' do not expect 'null' values as parameter } void bar(Object o) { // 'o' is by contract expected never to be null // ... } @javax.annotation.CheckForNull abstract Object getValue(); } ``` ```java Fix theme={null} @javax.annotation.ParametersAreNonnullByDefault abstract class A { void foo() { Object o = getValue(); if (o != null) { bar(o); // Compliant - 'o' can not be null } } void bar(Object o) { // ... } @javax.annotation.CheckForNull abstract Object getValue(); } ```

Calling an overridable method from a constructor could result in failures or strange behaviors when instantiating a subclass which overrides the method.

For example:

The subclass class constructor starts by contract by calling the parent class constructor.
The parent class constructor calls the method, which has been overridden in the child class.
If the behavior of the child class method depends on fields that are initialized in the child class constructor, unexpected behavior (like a NullPointerException) can result, because the fields aren’t initialized yet.

```java Bad theme={null} public class Parent { public Parent () { doSomething(); // Noncompliant } public void doSomething () { // not final; can be overridden ... } } public class Child extends Parent { private String foo; public Child(String foo) { super(); // leads to call doSomething() in Parent constructor which triggers a NullPointerException as foo has not yet been initialized this.foo = foo; } public void doSomething () { System.out.println(this.foo.length()); } } ``` ```java Fix theme={null} ```

\`Optional value can hold either a value or not. The value held in the Optional can be accessed using the get() method, but it will throw a

NoSuchElementException if there is no value present. To avoid the exception, calling the isPresent() or ! isEmpty() method should always be done before any call to get().

Alternatively, note that other methods such as orElse(...), orElseGet(...) or orElseThrow(...) can be used to specify what to do with an empty Optional\`.

```java Bad theme={null} Optional value = this.getOptionalValue(); // ... String stringValue = value.get(); // Noncompliant ``` ```java Fix theme={null} if (methodThatReturnsOptional().isEmpty()) { throw new NotFoundException(); } String value = methodThatReturnsOptional().get(); // Noncompliant: indirect access, we consider that two consecutive calls can return different values. ```

Throwing generic exceptions such as \`Error, RuntimeException, Throwable, and Exception will have a negative impact on any code trying to catch these exceptions.

From a consumer perspective, it is generally a best practice to only catch exceptions you intend to handle. Other exceptions should ideally be let to propagate up the stack trace so that they can be dealt with appropriately. When a generic exception is thrown, it forces consumers to catch exceptions they do not intend to handle, which they then have to re-throw.

Besides, when working with a generic type of exception, the only way to distinguish between multiple exceptions is to check their message, which is error-prone and difficult to maintain. Legitimate exceptions may be unintentionally silenced and errors may be hidden.

For instance, when a Throwable is caught and not re-thrown, it may mask errors such as OutOfMemoryError\` and prevent the program from terminating gracefully.

When throwing an exception, it is therefore recommended to throw the most specific exception possible so that it can be handled intentionally by consumers.

```java Bad theme={null} @Override public void myMethod() throws Exception {...} ``` ```java Fix theme={null} public void myOtherMethod() throws Exception { doTheThing(); // this method throws Exception } ```

Well-named functions can allow the users of your code to understand at a glance what to expect from the function - even before reading the documentation. Toward that end, methods returning a boolean should have names that start with "is" or "has" rather than with "get".

```java Bad theme={null} public boolean getFoo() { // Noncompliant // ... } public boolean getBar(Bar c) { // Noncompliant // ... } public boolean testForBar(Bar c) { // Compliant - The method does not start by 'get'. // ... } ``` ```java Fix theme={null} public boolean isFoo() { // ... } public boolean hasBar(Bar c) { // ... } public boolean testForBar(Bar c) { // ... } ```

The ability to map a class to a database table has made database interaction in Java a lot easier. But map multiple classes to the same table and you’ll end up with a classic case of the left hand not knowing what the right hand is doing. In the worse case scenario, it could lead to serious data corruption.

This rule raises an issue when multiple classes are mapped to the same table with Hibernate or JPA annotations.

```java Bad theme={null} @Entity // implicitly mapped to "point" table public class Point { // .. } @Entity @Table(name = "point") // Noncompliant public class Spot { // ... } ``` ```java Fix theme={null} ```

When using POSIX classes like \`\p\{Alpha} without the UNICODE\_CHARACTER\_CLASS flag or when using hard-coded character classes like "\[a-zA-Z]", letters outside of the ASCII range, such as umlauts, accented letters or letter from non-Latin languages, won’t be matched. This may cause code to incorrectly handle input containing such letters.

To correctly handle non-ASCII input, it is recommended to use Unicode classes like \p\{IsAlphabetic}. When using POSIX classes, Unicode support should be enabled by either passing Pattern.UNICODE\_CHARACTER\_CLASS as a flag to Pattern.compile or by using (?U)\` inside the regex.

```java Bad theme={null} Pattern.compile("[a-zA-Z]"); Pattern.compile("\\p{Alpha}"); ``` ```java Fix theme={null} Pattern.compile("\\p{IsAlphabetic}"); // matches all letters from all languages Pattern.compile("\\p{IsLatin}"); // matches latin letters, including umlauts and other non-ASCII variations Pattern.compile("\\p{Alpha}", Pattern.UNICODE_CHARACTER_CLASS); Pattern.compile("(?U)\\p{Alpha}"); ```

Testing equality or nullness with JUnit’s assertTrue() or assertFalse() should be simplified to the corresponding dedicated assertion.

```java Bad theme={null} Assert.assertTrue(a.equals(b)); Assert.assertTrue(a == b); Assert.assertTrue(a == null); Assert.assertTrue(a != null); Assert.assertFalse(a.equals(b)); ``` ```java Fix theme={null} Assert.assertEquals(a, b); Assert.assertSame(a, b); Assert.assertNull(a); Assert.assertNotNull(a); Assert.assertNotEquals(a, b); ```

Using \`File.createTempFile as the first step in creating a temporary directory causes a race condition and is inherently unreliable and insecure. Instead, Files.createTempDirectory (Java 7+) or a library function such as Guava’s similarly-named Files.createTempDir should be used.

This rule raises an issue when the following steps are taken in immediate sequence:

call to File.createTempFile
delete resulting file
call mkdir on the File object

Note that this rule is automatically disabled when the project’s sonar.java.source is lower than 7\`.

```java Bad theme={null} File tempDir; tempDir = File.createTempFile("", "."); tempDir.delete(); tempDir.mkdir(); // Noncompliant ``` ```java Fix theme={null} Path tempPath = Files.createTempDirectory(""); File tempDir = tempPath.toFile(); ```

It is not uncommon, for instance when dealing with SQL requests, to have repeated calls to StringBuilder.append() to create a long (sometimes really long) String that will be then passed to the appropriate subsystem (e.g. jdbc.Statement()). This is very undesirable because it makes it more difficult to read, and maintain, the statement in the String due to overlapping syntaxes.

It is highly recommended to address such a case with an external text file loaded as a resource.

```java Bad theme={null} sb = new StringBuilder() .append("SELECT CASE ") .append("WHEN year = 'FR' THEN 'FR'") .append("WHEN year = 'SO' THEN 'SO'") .append("WHEN year = 'JR' THEN 'JR'") .append("WHEN year = 'SR' THEN 'SR'") .append("ELSE 'No Year Data' END AS year_group,") .append("COUNT(1) AS count") .append("FROM benn.college_football_players") .append("GROUP BY CASE WHEN year = 'FR' THEN 'FR'") .append("WHEN year = 'SO' THEN 'SO'") .append("WHEN year = 'JR' THEN 'JR'") .append("WHEN year = 'SR' THEN 'SR'") .append("ELSE 'No Year Data' END"); ``` ```java Fix theme={null} InputStream inputStream = this.getClass().getResourceAsStream("MySQLRequest.txt"); ```

The purpose of the @Value annotation in org.springframework.beans.factory.annotation is to inject a value into a field or method based on the Spring context after it has been established.

If the annotation does not include an expression (either Spring Expression Language or a property injection), the injected value is a simple constant that does not depend on the Spring context, making the annotation replaceable with a standard field initialization statement.

This not only implies the redundant use of @Value, but could also indicate an error where the expression indicators (#, \$) were omitted by mistake.

```java Bad theme={null} @Value("catalog.name") // Noncompliant, this will not inject the property String catalog; ``` ```java Fix theme={null} @Value("${catalog.name}") // Compliant String catalog; ```

For maximum reusability, methods should accept parameters with as little specialization as possible. So unless specific features from a child class are required by a method, a type higher up the class hierarchy should be used instead.

```java Bad theme={null} public void printSize(ArrayList