Java

By DeepSource

Audit: Unsafe Jackson deserialization configurations should not be used (JAVA-A1024)
Security

Using features such as @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) or ObjectMapper.enableDefaultTyping() with Jackson can be a security risk, as such configurations are stepping stones towards a successful exploit.

Jackson is a well-known serialization/deserialization library for Java that supports deserializing data based solely on the type information contained within it. This mechanism can be abused through "deserialization gadgets" to execute attacks on the target system.

Avoid specifying unsafe configurations for Jackson deserialization.
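An added example (not part of the DeepSource rule text and not Jackson's own code) showing the flagged enableDefaultTyping() call next to two safer alternatives: a fixed allow-list of named subtypes, and default typing activated only through a PolymorphicTypeValidator. The Shape, Circle and Square types and the com.example.shapes package are assumptions made for the example.

```java
package com.example.shapes;
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingExample {
    // Hypothetical domain types. Subtype names form a fixed allow-list declared
    // in code, so the JSON cannot name an arbitrary class to instantiate.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    public interface Shape {}
    public static class Circle implements Shape { public double radius; }
    public static class Square implements Shape { public double side; }

    // What JAVA-A1024 flags: the sender of the JSON chooses which class is instantiated.
    static ObjectMapper flaggedMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated since Jackson 2.10 for exactly this reason
        return m;
    }

    // If polymorphic handling of untyped fields is genuinely required, activate it
    // only with a PolymorphicTypeValidator that confines subtypes to an expected package.
    static ObjectMapper restrictedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.shapes.") // hypothetical package prefix
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // A plain mapper plus named subtypes needs no default typing at all.
        ObjectMapper plain = new ObjectMapper();
        Shape ok = plain.readValue("{\"kind\":\"circle\",\"radius\":2.0}", Shape.class);
        System.out.println("Deserialized " + ok.getClass().getSimpleName());
        try { // a type id outside the declared subtypes is rejected, never resolved to a class
            plain.readValue("{\"kind\":\"not-a-registered-name\",\"radius\":1}", Shape.class);
        } catch (JsonMappingException e) {
            System.out.println("Rejected unknown type id: " + e.getOriginalMessage());
        }
    }
}
```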

Audit: Biometric authentication should always be used with a cryptographic object (JAVA-A1030)
Security

Biometric authentication should not be performed without an associated CryptoObject value.

Storing an externally mutable value into a private static field may expose internal state (JAVA-S0134)
Security

This code stores a reference to an externally mutable object into a static field. If unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. It may be possible for external code to inspect or change the value of the static field by holding a reference to it after passing it to this class.

Mutable static fields must be package protected (JAVA-S0159)
Security

A mutable static field could be changed by malicious code or by accident if it is public. The field could be made package protected to avoid this vulnerability.

Audit: Setting bean properties with unsanitized input may be a security risk (JAVA-A1027)
Security

Be careful when setting bean properties using external data.