SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 158

changes.mady.by.user David Svoboda

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM cost reform

...

Improper use of finalizers can result in resurrection of garbage-collection-ready objects and result in denial-of-service vulnerabilities.

Rule

Severity

Likelihood

Detectable

RepairableRemediation Cost

Priority

Level

MET12-J

Medium

Probable

Yes

MediumNo

P8

L2

Automated Detection

EJB.MNDF, GC.FCF, GC.FM, GC.IFF, GC.NCF, PB.API.OF,UC.EF, UC.FCSFObjectFinalizeOverridenCheck,
ObjectFinalizeCheck,
S1174,
S2151,
ObjectFinalizeOverridenCallsSuperFinalizeCheck
Tool
Version
Checker
Description
Coverity7.5CodeSonar4.2

CALL_SUPER
DC.THREADING


FB.

BAD_PRACTICE.

FI_EMPTY
FB.

BAD_PRACTICE.

FI_EXPLICIT_INVOCATION
FB.

BAD_PRACTICE.

FI_FINALIZER_NULLS_FIELDS
FB

.BAD_PRACTICE

.FI_FINALIZER_ONLY_NULLS_FIELDS
FB

.BAD_PRACTICE

.FI_MISSING_SUPER_CALL
FB

.BAD_PRACTICE

.FI_NULLIFY_SUPER
FB.

MALICIOUS

FI_

CODE

USELESS
FB.FI_PUBLIC_SHOULD_BE_ PROTECTED

FB.BAD_PRACTICE.FI_USELESS

Empty finalizer should be deleted
Explicit invocation of finalizer
Finalizer nulls fields
Finalizer nulls fields
Finalizer does not call superclass finalizer
Finalizer nullifies superclass finalizer
Finalizer should be protected, not public
Finalizer does nothing but call superclass finalizer

Coverity7.5

CALL_SUPER
DC.THREADING
FB.FI_EMPTY
FB.FI_EXPLICIT_INVOCATION
FB.FI_FINALIZER_NULLS_FIELDS
FB.FI_FINALIZER_ONLY_NULLS_FIELDS
FB.FI_MISSING_SUPER_CALL
FB.FI_NULLIFY_SUPER
FB.FI_USELESS
FB.FI_PUBLIC_SHOULD_BE_ PROTECTED

Implemented
Implemented
Klocwork

Include Page
Klocwork_V
Klocwork_V

JD.UMC.RUNFIN
SV.EXPOSE.FIN
FIN.EMPTY
FIN.NOSUPER
JD.UMC.FINALIZE


Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V

CERT.MET12.MNDF
CERT.MET12.FCF
CERT.MET12.FM
CERT.MET12.IFF
CERT.MET12.NCF
CERT.MET12.OF
CERT.MET12.EF
CERT.MET12.FCSF
CERT.MET12.MFP

Do not define 'finalize()' method in bean classes
Call 'super.finalize()' from 'finalize()'
Do not use 'finalize()' methods to unregister listeners
Call 'super.finalize()' in the "finally" block of 'finalize()' methods
Do not call 'finalize()' explicitly
Do not overload the 'finalize()' method
Avoid empty 'finalize()' methods
Avoid redundant 'finalize()' methods which only call the superclass' 'finalize()' method
Give "finalize()" methods "protected" access		Parasoft Jtest
Include Page
Parasoft_VParasoft_V
SonarQube
Include Page
SonarQube_V
SonarQube_V
S1113
S1111
S1174
S2151
S1114		The Object.finalize() method should not be overriden
The Object.finalize() method should not be called
"Object.finalize()" should remain protected (versus public) when overriding
"runFinalizersOnExit" should not be called
"super.finalize()" should be called at the end of "Object.finalize()" implementations

Related Vulnerabilities

AXIS2-4163 describes a vulnerability in the finalize() method in the Axis web services framework. The finalizer incorrectly calls super.finalize() before doing its own cleanup, leading to errors in GlassFish when the garbage collector runs.

...