This rule flags: "Finalizer nullifies superclass finalizer", i.e., doesn't call super.finalize().
But it is mapped to: CWE-586: Explicit Call to Finalize().
However, I think this is the correct mapping: CWE-568: finalize() Method Without super.finalize()
UPDATE: The rule: FI_MISSING_SUPER_CALL, which says: "Finalizer does not call superclass finalizer" should be mapped to 568 as well.
They both talk about finalizers but I think it's mapped to the wrong one.
Also, where are these rules defined in the codebase and/or the CWE mappings defined? I am aware of some other rules that I don't think are properly mapped as well. If there is a single mapping file, I could provide feedback on multiple rules that are either missing CWE mappings but should have them, or are mapped to CWEs MITRE has marked as DEPRECATED/PROHIBITED, like this one as an example: https://cwe.mitre.org/data/definitions/218.html. There is a spotbugs rule that is mapped to CWE 218. 218 says: it is a duplicate of CWE-493, so that rule should be mapped to CWE 493 instead. This rule is MS_PKGPROTECT.
Ideally, someone would go through all the CWE mappings and move them to non-deprecated, non-prohibited CWEs.
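As an added illustration (not code from this issue or from SpotBugs itself), here are the two finalizer shapes the quoted messages describe, beside the form that keeps the superclass cleanup chain intact; the class names and the `released` flag are constructed for the example.

```java
// Superclass whose finalizer performs cleanup that subclasses must not skip.
class BaseResource {
    private boolean released = false;

    @Override
    protected void finalize() throws Throwable {
        try {
            released = true; // superclass cleanup step
        } finally {
            super.finalize();
        }
    }

    boolean isReleased() {
        return released;
    }
}

// Shape described by "Finalizer does not call superclass finalizer"
// (FI_MISSING_SUPER_CALL): the override does its own work but never
// reaches BaseResource.finalize(), so `released` is never set.
class MissingSuperCall extends BaseResource {
    @Override
    protected void finalize() throws Throwable {
        System.out.println("subclass cleanup only");
        // super.finalize() is missing here
    }
}

// Shape described by "Finalizer nullifies superclass finalizer": an empty
// override silently disables BaseResource's finalizer for every instance.
class NullifiesSuper extends BaseResource {
    @Override
    protected void finalize() throws Throwable {
        // intentionally empty: negates the superclass finalizer
    }
}

// Corrected shape (matches CWE-568's guidance): do the subclass work, then
// call super.finalize() in a finally block so the superclass chain still
// runs even if the subclass step throws.
class ChainsSuperCall extends BaseResource {
    @Override
    protected void finalize() throws Throwable {
        try {
            System.out.println("subclass cleanup");
        } finally {
            super.finalize();
        }
    }
}
```

Note that nothing here invokes `finalize()` directly; an explicit call from application code is the separate pattern CWE-586 describes, which is why mapping the missing-super-call rules to CWE-586 conflates two different defects.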