JNDI supports the deserialization of objects from LDAP directories, which is fundamentally insecure and can lead to remote code execution.
This rule raises an issue when an LDAP search query is executed with SearchControls configured to allow deserialization.
DirContext ctx = new InitialDirContext();
// ...
ctx.search(query, filter,
new SearchControls(scope, countLimit, timeLimit, attributes,
true, // Noncompliant; allows deserialization
deref));
DirContext ctx = new InitialDirContext();
// ...
ctx.search(query, filter,
new SearchControls(scope, countLimit, timeLimit, attributes,
false,
deref));