Reports calls to java.lang.Runtime.exec() or any of its variants that take a dynamically constructed string as the command to execute. Constructed execution strings are a common source of security breaches. By default, this inspection ignores compile-time constants.

Use the checkbox below to treat any static final field as a constant. Be careful: when the option is enabled, strings like the following are ignored:

// static final, but not a compile-time constant: the value depends on user input
private static final String COMMAND =
  "ping " + getDomainFromUserInput();