Do Not Use the clone() Method to Copy Untrusted Method Parameters 

es.uniovi.reflection.analyses.cmu.met52


Inappropriate implementations of the clone method can return objects that bypass validation and security checks. An attacker commonly hides such a vulnerable clone implementation in a class derived from the type of the cloned parameter. The rule therefore flags any invocation of clone on a parameter of a public method in a public class when the type of that parameter is not final (overridable).
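The pattern the rule flags, next to a copy that does not depend on the argument's own clone(), as an added example that is not code from the rule's authors. java.util.Date serves as the non-final parameter type; the class DefensiveCopyDemo, its methods and the subclass SelfReturningDate are hypothetical names constructed for this illustration.

```java
import java.util.Date;

// Added illustration; all class and method names here are hypothetical.
public final class DefensiveCopyDemo {

    // Flagged by the rule: Date is not final, so clone() is dispatched to
    // whatever subclass the caller supplied and the "copy" cannot be trusted.
    public static Date copyWithClone(Date untrusted) {
        return (Date) untrusted.clone();
    }

    // Not flagged: the copy is built from the value by a constructor of the
    // trusted class, so the result is always exactly java.util.Date.
    public static Date copyWithConstructor(Date untrusted) {
        return new Date(untrusted.getTime());
    }

    // Constructed subclass standing in for caller-controlled code:
    // its clone() hands back the same instance instead of a copy.
    static class SelfReturningDate extends Date {
        SelfReturningDate(long millis) { super(millis); }
        @Override public Object clone() { return this; }
    }

    public static void main(String[] args) {
        Date arg = new SelfReturningDate(1_000L);

        Date viaClone = copyWithClone(arg);
        Date viaCtor = copyWithConstructor(arg);

        // The caller changes the argument after the method has copied
        // (and, in real code, validated) it.
        arg.setTime(9_999L);

        // The clone()-based copy is the caller's object and follows the change;
        // the constructor-based copy is independent and keeps the checked value.
        System.out.println("clone() copy is the caller's object: " + (viaClone == arg));
        System.out.println("clone() copy class: " + viaClone.getClass().getName());
        System.out.println("clone() copy value: " + viaClone.getTime());
        System.out.println("constructor copy class: " + viaCtor.getClass().getName());
        System.out.println("constructor copy value: " + viaCtor.getTime());
    }
}
```

Any validation performed on the clone()-based copy can be invalidated afterwards, because the caller still holds a reference to the same object.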

Computational Reflection Research Group
05-08-2024 22:58
Security
Method Invocation