SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 120

changes.mady.by.user Will Snavely

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM cost reform

...

Historically, using a narrow type to capture the return value of a byte input method has resulted in significant vulnerabilities, including command injection attacks; see CA-1996-22 advisory. Consequently, the severity of this error is high.

Rule

Severity

Likelihood

Remediation Cost

Detectable

Repairable

Priority

Level

FIO08-J

High

Probable

Medium

Yes

Yes

P12

P18

L1

Automated Detection

Some static analysis tools can detect violations of this rule.

ToolVersionCheckerDescription
Parasoft Jtest
Include Page
java:
Parasoft_V
java:
Parasoft_V
PB
CERT.
LOGIC
FIO08.CRRV
Implemented
Check the return value of methods which read or skip input
SpotBugs

Include Page
SpotBugs_V
SpotBugs_V

EOS_BAD_END_OF_STREAM_CHECKImplemented (since 4.4.0)

Related Guidelines

SEI CERT C Coding Standard

FIO34-C. Distinguish between characters read from a file and EOF or WEOF

SEI CERT C++ Coding Standard

FIO34-CPP. Use int to capture the return value of character IO functions
FIO35-CPP. Use feof() and ferror() to detect end-of-file and file errors when sizeof(int) == sizeof(char) 

Bibliography

[API 2014]

Class InputStream

[JLS 2005]

§4.2 "Primitive Types and Values"

[Pugh 2008]

"Waiting for the End"

...


...