SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 126

changes.mady.by.user Amy Gale

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM cost reform

...

Comparing classes solely using their names can allow a malicious class to bypass security checks and gain access to protected resources.

Rule

Severity

Likelihood

Remediation Cost

Detectable

Repairable

Priority

Level

OBJ09-J

High

Unlikely

Yes
Low

No

P9

P6

L2

Automated Detection

ToolVersionCheckerDescription
CodeSonar4.2FB.CORRECTNESS.EQ_COMPARING_CLASS_NAMES
equals method compares class names rather than class objectsParasoft Jtest9.5SECURITY.EAB.CMPImplementedSonarQube Java Plugin Include Page
The Checker Framework

Include Page
The Checker Framework_V
The Checker Framework_V

Signature String CheckerEnsure that the string representation of a type is properly used for example in Class.forName (see Chapter 13)
Klocwork

Include Page
Klocwork_V
Klocwork_V

CMP.CLASS
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.OBJ09.CMPDo not compare Class objects by name
PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

V6054
SonarQube

Include Page
SonarQube_V
SonarQube_V

S1872Classes should not be compared by name
SonarQube Java Plugin_VSonarQube Java Plugin_VS1872Implemented

Related Guidelines

MITRE CWE

CWE-486, Comparison of Classes by Name

Bibliography

[Christudas 2005]

Internals of Java Class Loading

[JVMSpec 1999]

§2.8.1, Class Names

[McGraw 1998]

"Twelve Rules for Developing More Secure Java Code"

[Wheeler 2003]

Java Secure Programming for Linux and UNIX HOWTO

...


...