SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 119

changes.mady.by.user Will Snavely

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM cost reform

...

Historically, using a narrow type to capture the return value of a byte input method has resulted in significant vulnerabilities, including command injection attacks; see CA-1996-22 advisory. Consequently, the severity of this error is high.

Rule

Severity

Likelihood

Remediation Cost

Detectable

Repairable

Priority

Level

FIO08-J

High

Probable

Yes

Medium

Yes

P12

P18

L1

Automated Detection

Some static analysis tools can detect violations of this rule.

ToolVersionCheckerDescription
Parasoft Jtest
9.5PB.LOGIC.CRRVImplemented
Include Page
Parasoft_V
Parasoft_V
CERT.FIO08.CRRVCheck the return value of methods which read or skip input
SpotBugs

Include Page
SpotBugs_V
SpotBugs_V

EOS_BAD_END_OF_STREAM_CHECKImplemented (since 4.4.0)

Related Guidelines

SEI CERT C Coding Standard

FIO34-C. Distinguish between characters read from a file and EOF or WEOF

SEI CERT C++ Coding Standard

FIO34-CPP. Use int to capture the return value of character IO functions
FIO35-CPP. Use feof() and ferror() to detect end-of-file and file errors when sizeof(int) == sizeof(char) 

Bibliography

[API 2014]

Class InputStream

[JLS 2005]

§4.2 "Primitive Types and Values"

[Pugh 2008]

"Waiting for the End"

...


...