
Java Code Checker: Free Online Security Analysis for Java Applications

Analyze Java code for vulnerabilities, deserialization risks, and OWASP issues with 32 checks

What CodeSlick Checks in Java

CodeSlick analyzes Java code with 32 security checks targeting the vulnerability classes most prevalent in enterprise Java applications: unsafe deserialization, SQL injection in JDBC, XXE in XML parsers, and Spring Security misconfigurations. Analysis runs in under 3 seconds with CWE classification and CVSS scoring on every finding.

Check your Java code for deserialization vulnerabilities, SQL injection, and XXE issues in under 3 seconds.

32 Security Checks for Java

Deserialization (CWE-502)

  • ObjectInputStream: readObject() on untrusted input with no ObjectInputFilter (JEP 290) or resolveClass() allowlist, the best-known Java-specific RCE vector
  • XStream deserialization: XStream instances used without its security framework configured (no allowTypes / allowTypesByWildcard allowlist)
  • Jackson polymorphic typing: enableDefaultTyping(), or activateDefaultTyping() with a permissive validator, letting the JSON document pick the concrete class via "@class" and enabling deserialization gadget chain attacks
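
An added example, not CodeSlick's code or output, showing the unsafe and hardened forms behind the three checks above: ObjectInputStream with and without a JEP 290 filter, and Jackson default typing with and without a PolymorphicTypeValidator. The package com.example.model stands in for the application's own DTO package; the sample payloads are constructed in-process.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DeserializationExamples {

    // VULNERABLE: any serializable class on the classpath can be instantiated, so a
    // gadget chain in the payload executes before readObject() even returns.
    static Object readUntrusted(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        }
    }

    // HARDENED: an ObjectInputFilter (JEP 290, Java 9+) admits only the listed classes,
    // rejects everything else ("!*") and caps graph depth and array size.
    // "com.example.model" is a placeholder for the application's own DTO package.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
        "com.example.model.*;java.util.ArrayList;java.lang.*;!*;maxdepth=16;maxarray=10000");

    static Object readFiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(ALLOWLIST); // a rejected class raises InvalidClassException
            return in.readObject();
        }
    }

    // VULNERABLE: default typing lets the JSON document choose the concrete class through
    // an "@class" property. enableDefaultTyping() is deprecated since Jackson 2.10 but
    // still compiles and is still exploitable wherever it remains.
    static ObjectMapper permissiveMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();
        return m;
    }

    // HARDENED: polymorphic types are accepted only under an application base type
    static ObjectMapper restrictedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfBaseType("com.example.model.")
            .allowIfSubType("com.example.model.")
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs, serialized in-process: one allowed class, one not.
        System.out.println("allowed:  " + readFiltered(serialize(new ArrayList<>(List.of("ok")))));
        try {
            readFiltered(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage()); // filter status: REJECTED
        }
    }
}
```

The filter string is evaluated left to right and the first match wins, so the trailing "!*" is what turns the list into an allowlist; without it every unlisted class is still accepted. The same filter can be applied JVM-wide with the jdk.serialFilter system property when the deserialization call sites are not under your control.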

Injection

  • JDBC SQL injection: String concatenation in Statement.execute(), executeQuery()
  • JNDI injection: InitialContext.lookup() with user-controlled arguments (Log4Shell attack vector)
  • OS command injection: Runtime.exec() and ProcessBuilder with user-controlled arguments
  • Path traversal: new File(userInput) without path canonicalization
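
An added example, not CodeSlick's code, pairing the unsafe and hardened forms of three of the injection patterns above: JDBC string concatenation versus PreparedStatement, Runtime.exec() through a shell versus ProcessBuilder with an argument vector, and new File(userInput) versus canonicalized path containment. The users table, the ping command and the upload directory are placeholders; main() exercises the path check against a temporary directory with constructed inputs so no database is needed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.List;

public class InjectionExamples {

    // VULNERABLE: the caller's string becomes part of the SQL text
    // ("' OR '1'='1" returns every row; a closing quote plus a second statement does worse)
    static ResultSet findUserUnsafe(Connection c, String username) throws SQLException {
        Statement st = c.createStatement();
        return st.executeQuery("SELECT id, email FROM users WHERE name = '" + username + "'");
    }

    // HARDENED: the SQL text is constant; the value travels as a bound parameter
    static ResultSet findUser(Connection c, String username) throws SQLException {
        PreparedStatement ps = c.prepareStatement("SELECT id, email FROM users WHERE name = ?");
        ps.setString(1, username);
        return ps.executeQuery();
    }

    // VULNERABLE: the host string is interpreted by a shell, so "x; cat /etc/passwd" runs
    static Process pingUnsafe(String host) throws IOException {
        return Runtime.getRuntime().exec(new String[] {"sh", "-c", "ping -c 1 " + host});
    }

    // HARDENED: validate against a strict hostname pattern (no leading "-", so the value
    // cannot be parsed as an option), then pass an argument vector with no shell in between
    static Process ping(String host) throws IOException {
        if (!host.matches("[A-Za-z0-9][A-Za-z0-9.-]{0,252}")) {
            throw new IllegalArgumentException("invalid hostname");
        }
        return new ProcessBuilder(List.of("ping", "-c", "1", host)).start();
    }

    // VULNERABLE: "../../etc/passwd" or an absolute name escapes the upload directory
    static Path openUploadUnsafe(Path base, String name) {
        return base.resolve(name);
    }

    // HARDENED: canonicalize the base, normalize the joined path, and confirm the result is
    // still inside the base. Path.startsWith compares whole components, so "/srv/uploads2"
    // does not pass for base "/srv/uploads". An absolute name resolves to itself and fails.
    // (For files that already exist, toRealPath() on the target also defeats symlink escapes.)
    static Path openUpload(Path base, String name) throws IOException {
        Path root = base.toRealPath();
        Path target = root.resolve(name).normalize();
        if (!target.startsWith(root)) {
            throw new IOException("path escapes upload directory: " + name);
        }
        return target;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs against a temporary directory
        Path base = Files.createTempDirectory("uploads");
        System.out.println("ok:       " + openUpload(base, "report.pdf"));
        for (String evil : List.of("../../etc/passwd", "/etc/passwd", "a/../../b")) {
            try {
                openUpload(base, evil);
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Note that the canonicalization check only guards the filesystem location; a file name that survives it can still carry a dangerous extension or collide with an existing upload, which is a separate validation step.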

XML Security (CWE-611)

  • XXE in SAX parsers: SAXParserFactory without disallow-doctype-decl or the external-general-entities / external-parameter-entities features disabled (FEATURE_SECURE_PROCESSING alone limits entity expansion but does not stop external entity resolution)
  • XXE in DOM parsers: DocumentBuilderFactory that leaves external entity resolution enabled
  • XXE in JAXB: Unmarshaller fed a raw InputStream or StreamSource instead of a SAXSource over a hardened XMLReader
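
An added example, not CodeSlick's code, showing a default JAXP parser next to hardened DocumentBuilderFactory and SAXParserFactory configurations, run against a constructed XXE probe. The payload and the /etc/passwd target are sample data; the class names are placeholders.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;

public class XxeExamples {

    // Constructed sample payload: a classic XXE probe. With a vulnerable parser the
    // entity expands to the contents of /etc/passwd inside the <doc> element.
    static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE doc [ <!ENTITY xxe SYSTEM \"file:///etc/passwd\"> ]>\n" +
        "<doc>&xxe;</doc>";

    // VULNERABLE: default JAXP settings resolve external entities
    static Document parseUnsafe(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // HARDENED DOM parser: forbid DOCTYPE outright (the most robust single setting) and,
    // for parsers that do not honour that feature, disable both entity kinds, external
    // DTD loading and XInclude as well.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // Limits entity expansion (billion laughs) but does NOT block XXE on its own
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return dbf.newDocumentBuilder();
    }

    // HARDENED SAX reader: the same features on SAXParserFactory. Pass this reader to
    // JAXB via new SAXSource(reader, inputSource) so the unmarshaller cannot resolve entities.
    static XMLReader hardenedReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return spf.newSAXParser().getXMLReader();
    }

    public static void main(String[] args) throws Exception {
        try {
            hardenedBuilder().parse(new InputSource(new StringReader(XXE_PAYLOAD)));
        } catch (SAXParseException e) {
            System.out.println("DOM rejected payload: " + e.getMessage()); // DOCTYPE disallowed
        }
        try {
            hardenedReader().parse(new InputSource(new StringReader(XXE_PAYLOAD)));
        } catch (SAXParseException e) {
            System.out.println("SAX rejected payload: " + e.getMessage());
        }
        // A harmless document still parses
        Document d = hardenedBuilder().parse(new InputSource(new StringReader("<doc>hello</doc>")));
        System.out.println(d.getDocumentElement().getTextContent());
    }
}
```

For JAXB, the unmarshaller does not need its own configuration: build the SAXSource from hardenedReader() and call unmarshal(source) on it, and the entity settings of that reader apply. Parsing from a plain InputStream lets JAXB create a default reader instead.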

Spring Security

  • CSRF disabled: .csrf().disable(), or csrf(AbstractHttpConfigurer::disable) / csrf(c -> c.disable()) in the Spring Security 6 lambda DSL, in a configuration that still serves cookie-based browser sessions
  • Permissive CORS: allowedOrigins("*") or allowedOriginPatterns("*") combined with allowCredentials(true), which lets any site make cookie-authenticated requests from a victim's browser (Spring Framework 5.3 and later reject the allowedOrigins("*") form with credentials, so the pattern variant is the one that tends to ship)
  • Missing method security: @PreAuthorize absent on sensitive service methods
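
An added example, not CodeSlick's code: a Spring Security 6 configuration that places the weak settings behind the three checks above next to their hardened form, plus a service method guarded by @PreAuthorize. The origin https://app.example.com, the /api/webhooks and /public paths, and AccountService are placeholders.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
@EnableMethodSecurity // without this, @PreAuthorize annotations are silently ignored
public class SecurityConfig {

    // VULNERABLE shape, kept for contrast and not registered as a bean: CSRF off for every
    // endpoint, and a wildcard origin combined with credentials. Older Spring versions answer
    // by reflecting the request's Origin header, so any site can make cookie-authenticated
    // calls; Spring Framework 5.3+ throws here, which is why allowedOriginPatterns("*") with
    // credentials (same exposure) is the form usually found in real code.
    static HttpSecurity weakConfig(HttpSecurity http) throws Exception {
        return http
            .csrf(csrf -> csrf.disable())
            .cors(cors -> cors.configurationSource(request -> {
                CorsConfiguration c = new CorsConfiguration();
                c.setAllowedOrigins(List.of("*"));
                c.setAllowCredentials(true);
                return c;
            }));
    }

    // HARDENED: CSRF protection stays on (a token-authenticated webhook path is the only
    // exemption), origins are an explicit allowlist, and every other route needs a login.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .csrf(csrf -> csrf.ignoringRequestMatchers("/api/webhooks/**"))
            .cors(cors -> cors.configurationSource(corsConfigurationSource()))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()
                .anyRequest().authenticated());
        return http.build();
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(List.of("https://app.example.com")); // placeholder origin
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
        config.setAllowedHeaders(List.of("Authorization", "Content-Type", "X-XSRF-TOKEN"));
        config.setAllowCredentials(true); // acceptable only because the origin list is explicit
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", config);
        return source;
    }
}

// Method security: the check runs on every call path into the service, not only the
// controller that happened to be written first. "#ownerId" requires parameter names
// to be retained (javac -parameters, which Spring Boot's Maven parent and Gradle
// plugin enable by default).
@Service
class AccountService {
    @PreAuthorize("hasRole('ADMIN') or #ownerId == authentication.name")
    public void closeAccount(String ownerId) {
        // business logic; never reached for a non-admin acting on someone else's account
    }
}
```

Disabling CSRF is legitimate for a purely stateless API that authenticates every request with a bearer token and sets no session cookie; the check fires on the combination of csrf disabled and cookie sessions, which is the case the hardened bean above keeps.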

Cryptography

  • Weak algorithms: MD5, SHA-1, DES in MessageDigest and Cipher
  • Hardcoded secrets: Embedded passwords, API keys, and private keys in Java source
  • Insecure random: java.util.Random for security-sensitive operations (use SecureRandom)
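
An added example, not CodeSlick's code, with the weak form of each of the three cryptography checks above beside a sound replacement: java.util.Random versus SecureRandom for a session token, MD5 versus SHA-256 for a fingerprint, and DES/ECB with a hardcoded key versus AES-256-GCM with a per-message random nonce. The plaintext is constructed sample data; HexFormat needs Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HexFormat;
import java.util.Random;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class CryptoExamples {

    // VULNERABLE: java.util.Random is a 48-bit linear congruential generator; two outputs
    // are enough to recover its state and predict every later token
    static String sessionTokenUnsafe() {
        return Long.toHexString(new Random().nextLong());
    }

    // HARDENED: 256 bits from the platform CSPRNG, URL-safe encoded
    static String sessionToken() {
        byte[] buf = new byte[32];
        new SecureRandom().nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // VULNERABLE: MD5 collisions are practical, so two different inputs can share a fingerprint
    static String fingerprintUnsafe(byte[] data) throws Exception {
        return HexFormat.of().formatHex(MessageDigest.getInstance("MD5").digest(data));
    }

    static String fingerprint(byte[] data) throws Exception {
        return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(data));
    }

    // VULNERABLE: DES (56-bit key, brute-forceable) in ECB mode (equal blocks encrypt
    // identically) with a key literal in source (hardcoded secret)
    static byte[] encryptUnsafe(byte[] plaintext) throws Exception {
        SecretKey key = new SecretKeySpec("8bytekey".getBytes(StandardCharsets.US_ASCII), "DES");
        Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(plaintext);
    }

    // HARDENED: AES-256-GCM, a fresh random 96-bit nonce per message, nonce prepended to
    // the ciphertext so the receiver can recover it. Never reuse a nonce under one key.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[12 + ct.length];
        System.arraycopy(nonce, 0, out, 0, 12);
        System.arraycopy(ct, 0, out, 12, ct.length);
        return out;
    }

    static byte[] decrypt(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12); // AEADBadTagException on any tampering
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey(); // in production: loaded from a keystore or KMS
        byte[] msg = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8);
        byte[] blob = encrypt(key, msg);
        System.out.println(new String(decrypt(key, blob), StandardCharsets.UTF_8));
        System.out.println("token:  " + sessionToken());
        System.out.println("sha256: " + fingerprint(msg));
    }
}
```

SHA-256 is the right replacement for MD5 as an integrity fingerprint; for password storage neither is appropriate and a slow, salted construction (PBKDF2 via SecretKeyFactory, or bcrypt/Argon2 from a library) should be used instead.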

Spring and Enterprise Java Coverage

CodeSlick understands Spring Boot, Spring MVC, and Spring Security idioms:

  • Spring Data JPA: Detects native queries with string concatenation
  • Spring Web: Flags @RequestMapping controllers passing user input to unsafe operations without validation
  • Spring Security config: Identifies misconfigurations in WebSecurityConfigurerAdapter subclasses (deprecated in Spring Security 5.7 and removed in 6.0, where the same settings live in SecurityFilterChain beans)
  • Bean validation bypass: Detects direct use of request body fields without @Valid or @Validated
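
An added example, not CodeSlick's code, covering the Spring Data and Spring Web items above: a controller that takes a request body without @Valid and builds a native query by concatenation, beside the hardened versions that validate the DTO and bind the parameter through a Spring Data @Query. The users table, the User entity and the /users routes are placeholders.

```java
import java.util.List;
import jakarta.persistence.Entity;
import jakarta.persistence.EntityManager;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.Id;
import jakarta.persistence.Table;
import jakarta.validation.Valid;
import jakarta.validation.constraints.Email;
import jakarta.validation.constraints.NotBlank;
import jakarta.validation.constraints.Size;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@Entity
@Table(name = "users")
class User {
    @Id @GeneratedValue Long id;
    String name;
    String email;
    protected User() {}            // required by JPA
    User(String name, String email) { this.name = name; this.email = email; }
}

// Constraints on the request DTO only run when the controller parameter carries @Valid
record CreateUserRequest(@NotBlank @Size(max = 64) String name,
                         @NotBlank @Email String email) {}

interface UserRepository extends JpaRepository<User, Long> {
    // Spring Data binds :name as a query parameter; the SQL text is a compile-time constant
    @Query(value = "SELECT * FROM users WHERE name = :name", nativeQuery = true)
    List<User> findByNameNative(@Param("name") String name);
}

@RestController
@RequestMapping("/users")
class UserController {
    private final UserRepository repo;
    private final EntityManager em;

    UserController(UserRepository repo, EntityManager em) {
        this.repo = repo;
        this.em = em;
    }

    // FLAGGED: the body is used without @Valid, so an empty name or a malformed email
    // is stored exactly as sent
    @PostMapping("/unsafe")
    Long createUnsafe(@RequestBody CreateUserRequest req) {
        return repo.save(new User(req.name(), req.email())).id;
    }

    // FLAGGED: native query assembled by concatenation from a request parameter
    @GetMapping("/search-unsafe")
    List<?> searchUnsafe(@RequestParam String name) {
        return em.createNativeQuery("SELECT * FROM users WHERE name = '" + name + "'", User.class)
                 .getResultList();
    }

    // HARDENED: @Valid makes Spring run bean validation before the body executes; a
    // violation becomes MethodArgumentNotValidException and a 400 response
    @PostMapping
    Long create(@Valid @RequestBody CreateUserRequest req) {
        return repo.save(new User(req.name(), req.email())).id;
    }

    // HARDENED: parameter binding through the repository. When the query must be built in
    // code, em.createNativeQuery("... = :name", User.class).setParameter("name", name) is
    // the equivalent.
    @GetMapping("/search")
    List<User> search(@RequestParam String name) {
        return repo.findByNameNative(name);
    }
}
```

Bean validation also has to be present on the classpath (spring-boot-starter-validation) for @Valid to do anything; without a Validator bean the annotation is accepted and ignored, which is worth checking when a scanner reports no missing @Valid but inputs still arrive unchecked.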

Enterprise Java frameworks (JBoss/WildFly, Jakarta EE, Micronaut) are also covered — any JDBC, JAX-RS, or CDI code is analyzed with the same 32 checks.

AI Code Detection in Java

CodeSlick includes 12 Java-specific AI code detection patterns that identify hallucinations from GitHub Copilot, ChatGPT, and Claude in Java code:

  • Non-existent API calls: Methods that do not exist in the Java standard library or common frameworks
  • Incorrect exception handling: Swallowing exceptions in patterns characteristic of LLM-generated boilerplate
  • LLM fingerprints: Verbose Javadoc patterns and over-engineered generics typical of AI generation

How to Use the Free Java Checker

No account required:

  1. Visit codeslick.dev/analyze
  2. Select Java from the language selector
  3. Paste your Java code or upload a .java file
  4. Click Analyze
  5. Review findings — Tier 1 (syntax errors) and Tier 2 (security issues) are displayed separately

For team-wide scanning on every PR, install the CodeSlick GitHub App — it runs all 32 Java checks automatically.
