Amazon QDetector Library Sign in to Amazon Q

Q

Detector Library

Java detectors (132/132)

Reflected cross site scripting Mandatory method not called after object creation Process empty record list in Amazon KCL AWS object presence check Missing timeout check on CountDownLatch.await Unspecified default value Device Permission Usage.Deserialization of untrusted object Preserve thread interruption status rule Missing check on the value returned by moveToFirst API Missing timeout check on ExecutorService.awaitTermination Overflow when deserializing relational database objects Custom manual retries of AWS SDK calls Missing null check for cache response metadata Inefficient usage of Transaction library from AWS Labs Insecure connection using unencrypted protocol Inefficient additional authenticated data (AAD) authenticity Use of a deprecated method Error-prone AWS IAM policy creation Use of externally-controlled input to build connection string Inefficient Amazon S3 manual pagination Mutually exclusive call AWS Lambda client not reused Missing check on the result of createNewFile Sensitive data stored unencrypted due to partial encryption Missing statement to record cause of InvocationTargetException Misconfigured Concurrency Inefficient polling of AWS resource Improper Initialization Unexpected re-assignment of synchronized objects XPath injection AWS client not reused in a Lambda function Long polling is not enabled in Amazon SQS Insecure temporary file or directory HTTP response splitting Input and output values become out of sync Server-side request forgery Missing Authorization for address id Do not catch and throw exception Concurrency deadlock Not recommended aws credentials classes Path traversal Override of reserved variable names in a Lambda function Missing byte array length of JSON parser Usage of an API that is not recommended Hardcoded credentials Insecure JSON web token (JWT) parsing Not calling finalize causes skipped cleanup steps Unchecked S3 object metadata content length Untrusted data in security decision Permissive cors configuration rule Insecure cookie Resource leak XML External Entity Bad parameters used with AWS API methods Missing position check before getting substring LDAP injection Avoid reset exception in Amazon S3 Insecure hashing Backward compatibility breaks with error message parsing Inefficient map entry iteration Missing S3 bucket owner condition AWS DynamoDB getItem output is not null checked Invalid public method parameters Log injection Sensitive information leak Usage of multiple date time pattern formatter Synchronous publication of AWS Lambda metrics XML External Entity Document Builder Factory Improper use of classes that aren't thread-safe Incorrect null check before setting a value Insufficient use of name in Amazon SQS queue Missing check on the value returned by ResultSet.next Insecure TLS version Unsanitized input is run as code Use an enum to specify an AWS Region Improperly formatted string arguments Improper service shutdown Unrestricted upload of dangerous file type Untrusted AMI images Insecure SAML parser configuration Cross-site request forgery Case sensitive keys in S3 object user metadata Stack trace not included in re-thrown exception Region specification missing from AWS client initialization Insufficient number of PBEKeySpec iterations URL redirection to untrusted site Use of externally-controlled input to select classes or code Missing encryption of sensitive data in storage Ignored output of DynamoDBMapper operations Null pointer dereference Cross-site scripting Unauthenticated LDAP requests Use of inefficient APIs Low maintainability with old Android features Atomicity violation Missing handling of specifically-thrown exceptions Weak obfuscation of web request Clear text credentials Session fixation Catching and not re-throwing or logging exceptions Missing check when launching an Android activity with an implicit intent Client constructor deprecation Inefficient use of stream sorting Arithmetic overflow or underflow Simplifiable code Loose file permissions Manual pagination Incorrect string equality operator Inefficient chain of AWS API calls OS command injection Internationalization Code clone SQL injection Missing check on method output Missing pagination Resources used by an Amazon S3 TransferManager are not released Insecure cryptography Missing timezone of SimpleDateFormat Low maintainability with low class cohesion Oversynchronization Infinite loop Batch operations preferred over looping Object Input Stream Insecure Deserialization Weak pseudorandom number generation Insecure CORS policy Missing handling of file deletion result Amazon SQS message visibility changed without a status check State machine execution ARN is not logged Client-side KMS reencryption Use Stream::anyMatch instead of Stream::findFirst or Stream::findAny Batch request with unchecked failures

Tag: aws-java-sdk

Mandatory method not called after object creation

Mandatory methods must be called after object creation.

Process empty record list in Amazon KCL

Setting withCallProcessRecordsEvenForEmptyRecordList to TRUE during Kinesis Client Library (KCL) initialization will treat empty records differently.

AWS object presence check

Manually performing an object existence check is inefficient when a built-in operation is available.

Custom manual retries of AWS SDK calls

Custom manual retries of calls to AWS SDK APIs are inefficient.

Missing null check for cache response metadata

Accessing the cache response metadata without performing a null check might cause a null dereference error.

Inefficient usage of Transaction library from AWS Labs

The AWS Labs Transactions Library is a client-side solution and less efficient compared to DynamoDB native transactions.

Error-prone AWS IAM policy creation

Manually creating text-based IAM policies is error-prone.

Inefficient Amazon S3 manual pagination

Use S3Objects.withPrefix() instead of manually paginating results.

AWS Lambda client not reused

Reuse AWS clients in Lambda.

Sensitive data stored unencrypted due to partial encryption

Encryption that is dependent on conditional logic, such as an if...then clause, might cause unencrypted sensitive data to be stored.

Inefficient polling of AWS resource

Custom polling can be inefficient and prone to error. Consider using AWS waiters instead.

AWS client not reused in a Lambda function

Recreating AWS clients in each Lambda function invocation is expensive.

Long polling is not enabled in Amazon SQS

Enable long polling for efficiency.

Override of reserved variable names in a Lambda function

Overriding environment variables that are reserved by AWS Lambda might lead to unexpected behavior.

Unchecked S3 object metadata content length

Failure to specify a content length causes the contents of the input stream to buffer locally in memory in order to calculate its length. This can result in performance problems.

Bad parameters used with AWS API methods

An outdated or bad parameters were detected in calls to some AWS API methods.

Avoid reset exception in Amazon S3

Uploading objects to Amazon S3 by using streams (either through an AmazonS3 client or TransferManager) might encounter network connectivity or timeout issues.

Backward compatibility breaks with error message parsing

Maintain your code's backward compatibility by checking the status code instead of parsing the error message.

Missing S3 bucket owner condition

Not setting the S3 bucket owner condition might introduce a risk of accidentally using a wrong bucket.

AWS DynamoDB getItem output is not null checked

Outputs of AWS DynamoDB's GetItem method are not null checked.

Synchronous publication of AWS Lambda metrics

Synchronous publication of AWS Lambda metrics is inefficient.

Insufficient use of name in Amazon SQS queue

Provide the full URL for the Amazon SQS queue.

Use an enum to specify an AWS Region

To minimize the risk of error, use an enum instead of a string to specify an AWS Region.

Untrusted AMI images

Improper filtering of Amazon Machine Images (AMIs) can result in loading an untrusted image, a potential security vulnerability.

Case sensitive keys in S3 object user metadata

User metadata keys are case insensitive and are returned as lowercase strings, even if they were originally specified with uppercase strings.

Region specification missing from AWS client initialization

Set an explicit AWS Region to avoid cold start delays in AWS client initialization.

Ignored output of DynamoDBMapper operations

Check if errors are returned by DynamoDBMapper's BatchWrite operations.

Client constructor deprecation

Client constructors are now deprecated in favor of using builders to create the client.

Manual pagination

Suggest using auto-pagination instead of manual pagination.

Inefficient chain of AWS API calls

The chain of API calls can be replaced with a single, more efficient API call.

Missing pagination

Additional results are not checked for a paginated API call. This might produce inaccurate results.

Resources used by an Amazon S3 TransferManager are not released

Call ShutdownNow when you use TransferManager to manage transfers to Amazon S3.

Batch operations preferred over looping

Batch operations are more efficient than looping to process several items at the same time.

Amazon SQS message visibility changed without a status check

When you change Amazon SQS message visibility, check for MessageNotInFlight exceptions.

Client-side KMS reencryption

Client-side decryption followed by reencryption is inefficient and can lead to sensitive data leaks.

Batch request with unchecked failures

Not checking which items have failed can lead to loss of data.