Title: SEI CERT Oracle Coding Standard for Java  
Author: Joe McManus MGR Jan 12, 2007
Last Changed by: Robert Schiela Nov 06, 2017
Tiny Link: (useful for email) https://wiki.sei.cmu.edu/confluence/x/FjdGBQ
Export As: Word · PDF  
Incoming Links
SEI CERT C++ Coding Standard (28)
    Page: VOID INT31-CPP. Ensure that integer conversions do not result in lost or misinterpreted data
    Page: INT09-CPP. Ensure enumeration constants map to unique values
    Page: VOID INT32-CPP. Ensure that operations on signed integers do not result in overflow
    Page: EXP19-CPP. Do not perform assignments in conditional expressions
    Page: VOID INT33-CPP. Ensure that division and modulo operations do not result in divide-by-zero errors
    Page: MSC09-CPP. Character encoding: Use subset of ASCII for safety
    Page: VOID FLP36-CPP. Beware of precision loss when converting integral types to floating point
    Page: CON53-CPP. Avoid deadlock by locking in a predefined order
    Page: CON51-CPP. Ensure actively held locks are released on exceptional conditions
    Page: CON55-CPP. Preserve thread safety and liveness when using condition variables
    Page: FLP00-CPP. Understand the limitations of floating-point numbers
    Page: MSC18-CPP. Finish every set of statements associated with a case label with a break statement
    Page: CON54-CPP. Wrap functions that can spuriously wake up in a loop
    Page: ERR04-CPP. Choose an appropriate termination strategy
    Page: INT10-CPP. Do not assume a positive remainder when using the % operator
    Page: INT14-CPP. Avoid performing bitwise and arithmetic operations on the same data
    Page: PRE04-CPP. Do not reuse a standard header file name
    Page: ENV02-CPP. Do not call system() if you do not need a command processor
    Page: CTR57-CPP. Provide a valid ordering predicate
    Page: VOID FLP30-CPP. Do not use floating point variables as loop counters
    Page: FIO06-CPP. Create files with appropriate access permissions
    Page: VOID FLP34-CPP. Ensure that floating point conversions are within range of the new type
    Page: VOID FIO30-CPP. Exclude user input from format strings
    Page: VOID FIO32-CPP. Do not perform operations on devices that are only appropriate for files
    Page: MSC21-CPP. Use inequality to terminate a loop whose counter changes by more than one
    Page: VOID EXP31-CPP. Avoid side effects in assertions
    Page: MSC50-CPP. Do not use std::rand() for generating pseudorandom numbers
    Page: VOID EXP34-CPP. Ensure a null pointer is not dereferenced
SEI CERT Oracle Coding Standard for Java (205)
    Page: EXP03-J. Do not use the equality operators when comparing values of boxed primitives
    Page: SER07-J. Do not use the default serialized form for classes with implementation-defined invariants
    Page: void FIO17-J. Pass a character set to any method converting bytes to strings
    Page: Rule 49. Miscellaneous (MSC)
    Page: OBJ13-J. Ensure that references to mutable objects are not exposed
    Page: ERR05-J. Do not let checked exceptions escape from a finally block
    Page: MET06-J. Do not invoke overridable methods in clone()
    Page: MET01-J. Never use assertions to validate method arguments
    Page: SER04-J. Do not allow serialization and deserialization to bypass the security manager
    Page: OBJ02-J. Preserve dependencies in subclasses when changing superclasses
    Page: SER06-J. Make defensive copies of private mutable components during deserialization
    Page: MSC08-J. Do not store nonserializable objects as attributes in an HTTP session
    Page: IDS15-J. Do not allow sensitive information to leak outside a trust boundary
    Page: ERR02-J. Prevent exceptions while logging data
    Page: NUM10-J. Do not construct BigDecimal objects from floating-point literals
    Page: IDS08-J. Sanitize untrusted data included in a regular expression
    Page: Rule 12. Thread-Safety Miscellaneous (TSM)
    Page: DCL01-J. Do not reuse public identifiers from the Java Standard Library
    Page: NUM02-J. Ensure that division and remainder operations do not result in divide-by-zero errors
    Page: VNA05-J. Ensure atomicity when reading and writing 64-bit values
    Page: FIO14-J. Perform proper cleanup at program termination
    Page: MSC06-J. Do not modify the underlying collection when an iteration is in progress
    Page: NUM09-J. Do not use floating-point variables as loop counters
    Page: SER01-J. Do not deviate from the proper signatures of serialization methods
    Page: TPS01-J. Do not execute interdependent tasks in a bounded thread pool
    Page: TSM03-J. Do not publish partially initialized objects
    Page: MSC02-J. Generate strong random numbers
    Page: Rule 08. Visibility and Atomicity (VNA)
    Page: IDS04-J. Safely extract files from ZipInputStream
    Page: OBJ58-J. Limit the extensibility of classes and methods with invariants
    Page: Rule 14. Serialization (SER)
    Page: OBJ05-J. Do not return references to private mutable class members
    Page: OBJ07-J. Sensitive classes must not let themselves be copied
    Page: ERR03-J. Restore prior object state on method failure
    Page: LCK05-J. Synchronize access to static fields that can be modified by untrusted code
    Page: Rule 02. Expressions (EXP)
    Page: TSM02-J. Do not use background threads during class initialization
    Page: Rule 01. Declarations and Initialization (DCL)
    Page: TPS03-J. Ensure that tasks executing in a thread pool do not fail silently
    Page: MET11-J. Ensure that keys used in comparison operations are immutable
    Page: Rule 09. Locking (LCK)
    Page: THI01-J. Do not invoke ThreadGroup methods
    Page: LCK04-J. Do not synchronize on a collection view if the backing collection is accessible
    Page: SER00-J. Enable serialization compatibility during class evolution
    Page: OBJ04-J. Provide mutable classes with copy functionality to safely allow passing instances to untrusted code
    Page: Rule 00. Input Validation and Data Sanitization (IDS)
    Page: SER09-J. Do not invoke overridable methods from the readObject() method
    Page: SER12-J. Prevent deserialization of untrusted data
    Page: THI05-J. Do not use Thread.stop() to terminate threads
    Page: MET08-J. Preserve the equality contract when overriding the equals() method
    Page: MSC09-J. For OAuth, ensure (a) [relying party receiving user's ID in last step] is same as (b) [relying party the access token was granted to].
    Page: LCK07-J. Avoid deadlock by requesting and releasing locks in the same order
    Page: THI03-J. Always invoke wait() and await() methods inside a loop
    Page: EXP02-J. Do not use the Object.equals() method to compare two arrays
    Page: MET12-J. Do not use finalizers
    Page: STR02-J. Specify an appropriate locale when comparing locale-dependent data
    Page: IDS11-J. Perform any string modifications before validation
    Page: STR03-J. Do not encode noncharacter data as a string
    Page: MET07-J. Never declare a class method that hides a method declared in a superclass or superinterface
    Page: MET09-J. Classes that define an equals() method must also define a hashCode() method
    Page: ERR04-J. Do not complete abruptly from a finally block
    Page: EXP01-J. Do not use a null in a case where an object is required
    Page: THI04-J. Ensure that threads performing blocking operations can be terminated
    Page: IDS14-J. Do not trust the contents of hidden form fields
    Page: IDS50-J. Use conservative file naming conventions
    Page: EXP06-J. Expressions used in assertions must not produce side effects
    Page: MSC10-J. Do not use OAuth 2.0 implicit grant (unmodified) for authentication
    Page: LCK03-J. Do not synchronize on the intrinsic locks of high-level concurrency objects
    Page: DCL00-J. Prevent class initialization cycles
    Page: NUM11-J. Do not compare or inspect the string representation of floating-point values
    Page: SEC02-J. Do not base security checks on untrusted sources
    Page: IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method
    Page: Rule 03. Numeric Types and Operations (NUM)
    Page: STR51-J. Use the charset encoder and decoder classes when more control over the encoding process is required
    Page: TPS04-J. Ensure ThreadLocal variables are reinitialized when using thread pools
    Page: Rule 07. Exceptional Behavior (ERR)
    Page: IDS06-J. Exclude unsanitized user input from format strings
    Page: ENV04-J. Do not disable bytecode verification
    Page: SER05-J. Do not serialize instances of inner classes
    Page: MET10-J. Follow the general contract when implementing the compareTo() method
    Page: JNI03-J. Do not use direct pointers to Java objects in JNI code
    Page: MSC04-J. Do not leak memory
    Page: FIO10-J. Ensure the array is filled when using read() to fill an array
    Page: OBJ11-J. Be wary of letting constructors throw exceptions
    Page: JNI04-J. Do not assume that Java strings are null-terminated
    Page: Rule 17. Java Native Interface (JNI)
    Page: EXP05-J. Do not follow a write by a subsequent write or read of the same object within an expression
    Page: JNI01-J. Safely invoke standard APIs that perform tasks using the immediate caller's class loader instance (loadLibrary)
    Page: SER02-J. Sign then seal objects before sending them outside a trust boundary
    Page: FIO12-J. Provide methods to read and write little-endian data
    Page: NUM14-J. Use shift operators correctly
    Page: SEC06-J. Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar
    Page: SER10-J. Avoid memory and resource leaks during serialization
    Page: IDS01-J. Normalize strings before validating them
    Page: SEC04-J. Protect sensitive operations with security manager checks
    Page: ERR07-J. Do not throw RuntimeException, Exception, or Throwable
    Page: THI00-J. Do not invoke Thread.run()
    Page: STR50-J. Use the appropriate method for counting characters in a string
    Page: OBJ01-J. Limit accessibility of fields
    Page: JNI00-J. Define wrappers around native methods
    Page: EXP00-J. Do not ignore values returned by methods
    Page: ERR06-J. Do not throw undeclared checked exceptions
    Page: SEC07-J. Call the superclass's getPermissions() method when writing a custom class loader
    Page: NUM08-J. Check floating-point inputs for exceptional values
    Page: DCL02-J. Do not modify the collection's elements during an enhanced for statement
    Page: IDS16-J. Prevent XML Injection
    Page: LCK11-J. Avoid client-side locking when using classes that do not commit to their locking strategy
    Page: FIO02-J. Detect and handle file-related errors
    Page: Rule 16. Runtime Environment (ENV)
    Page: STR01-J. Do not assume that a Java char fully represents a Unicode code point
    Page: MSC07-J. Prevent multiple instantiations of singleton objects
    Page: NUM00-J. Detect or prevent integer overflow
    Page: ENV01-J. Place all security-sensitive code in a single JAR and sign and seal it
    Page: NUM07-J. Do not attempt comparisons with NaN
    Page: void IDS12-J. Perform lossless conversion of String data between differing character encodings
    Page: MSC01-J. Do not use an empty infinite loop
    Page: NUM03-J. Use integer types that can fully represent the possible range of unsigned data
    Page: VNA00-J. Ensure visibility when accessing shared primitive variables
    Page: IDS17-J. Prevent XML External Entity Attacks
    Page: Rule. Preface
    Page: SEC58-J. Deserialization methods should not perform potentially dangerous operations
    Page: VNA02-J. Ensure that compound operations on shared variables are atomic
    Page: ENV00-J. Do not sign code that performs only unprivileged operations
    Page: SEC05-J. Do not use reflection to increase accessibility of classes, methods, or fields
    Page: NUM04-J. Do not use floating-point numbers if precise computation is required
    Page: VOID Rule: Acknowledgments (Java)
    Page: VNA04-J. Ensure that calls to chained methods are atomic
    Page: FIO16-J. Canonicalize path names before validating them
    Page: NUM53-J. Use the strictfp modifier for floating-point calculation consistency across platforms
    Page: LCK09-J. Do not perform operations that can block while holding a lock
    Page: ERR09-J. Do not allow untrusted code to terminate the JVM
    Page: FIO06-J. Do not create multiple buffered wrappers on a single byte or character stream
    Page: ENV03-J. Do not grant dangerous combinations of permissions
    Page: FIO07-J. Do not let external processes block on IO buffers
    Page: Rule 06. Methods (MET)
    Page: NUM54-J. Do not use denormalized numbers
    Page: SER03-J. Do not serialize unencrypted sensitive data
    Page: FIO13-J. Do not log sensitive information outside a trust boundary
    Page: FIO08-J. Distinguish between characters or bytes read from a stream and -1
    Page: NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data
    Page: MET02-J. Do not use deprecated or obsolete classes or methods
    Page: STR04-J. Use compatible character encodings when communicating string data between JVMs
    Page: TPS02-J. Ensure that tasks submitted to a thread pool are interruptible
    Page: VNA03-J. Do not assume that a group of calls to independently atomic methods is atomic
    Page: LCK02-J. Do not synchronize on the class object returned by getClass()
    Page: LCK06-J. Do not use an instance lock to protect shared static data
    Page: LCK01-J. Do not synchronize on objects that may be reused
    Page: FIO15-J. Do not reset a servlet's output stream after committing it
    Page: ENV06-J. Production code must not contain debugging entry points
    Page: ERR01-J. Do not allow exceptions to expose sensitive information
    Page: EXP04-J. Do not pass arguments to certain Java Collections Framework methods that are a different type than the collection parameter type
    Page: MSC00-J. Use SSLSocket rather than Socket for secure data exchange
    Page: Rule 04. Characters and Strings (STR)
    Page: TSM00-J. Do not override thread-safe methods with methods that are not thread-safe
    Page: Java Rules
    Page: THI02-J. Notify all waiting threads rather than a single thread
    Page: MSC05-J. Do not exhaust heap space
    Page: MET05-J. Ensure that constructors do not call overridable methods
    Page: OBJ12-J. Respect object-based annotations
    Page: STR00-J. Don't form strings containing partial characters from variable-width encodings
    Page: LCK10-J. Use a correct form of the double-checked locking idiom
    Page: OBJ06-J. Defensively copy mutable inputs and mutable internal components
    Page: MSC03-J. Never hard code sensitive information
    Page: EXP07-J. Prevent loss of useful data due to weak references
    Page: IDS00-J. Prevent SQL injection
    Page: ERR00-J. Do not suppress or ignore checked exceptions
    Page: void FIO15-J. Do not operate on untrusted file links
    Page: Rule 11. Thread Pools (TPS)
    Page: OBJ03-J. Prevent heap pollution
    Page: FIO04-J. Release resources when they are no longer needed
    Page: IDS03-J. Do not log unsanitized user input
    Page: VOID 05. Scope (SCP)
    Page: OBJ09-J. Compare classes and not class names
    Page: FIO00-J. Do not operate on files in shared directories
    Page: LCK08-J. Ensure actively held locks are released on exceptional conditions
    Page: MET03-J. Methods that perform a security check must be declared private or final
    Page: NUM01-J. Do not perform bitwise and arithmetic operations on the same data
    Page: OBJ08-J. Do not expose private members of an outer class from within a nested class
    Page: Rule 50. Android (DRD)
    Page: SEC00-J. Do not allow privileged blocks to leak sensitive information across a trust boundary
    Page: OBJ10-J. Do not use public static nonfinal fields
    Page: SEC03-J. Do not load trusted classes after allowing untrusted code to load arbitrary classes
    Page: TPS00-J. Use thread pools to enable graceful degradation of service during traffic bursts
    Page: FIO01-J. Create files with appropriate access permissions
    Page: JNI02-J. Do not assume object references are constant or unique
    Page: ENV05-J. Do not deploy an application that can be remotely monitored
    Page: Rule 13. Input Output (FIO)
    Page: NUM13-J. Avoid loss of precision when converting primitive integers to floating-point
    Page: FIO05-J. Do not expose buffers created using the wrap() or duplicate() methods to untrusted code
    Page: SER08-J. Minimize privileges before deserializing from a privileged context
    Page: MET04-J. Do not increase the accessibility of overridden or hidden methods
    Page: SER11-J. Prevent overwriting of externalizable objects
    Page: ERR08-J. Do not catch NullPointerException or any of its ancestors
    Page: Rule 15. Platform Security (SEC)
    Page: ENV02-J. Do not trust the values of environment variables
    Page: TSM01-J. Do not let the this reference escape during object construction
    Page: FIO03-J. Remove temporary files before termination
    Page: VNA01-J. Ensure visibility of shared references to immutable objects
    Page: Rule 05. Object Orientation (OBJ)
    Page: MSC11-J. Do not let session information leak within a servlet
    Page: Rule 10. Thread APIs (THI)
    Page: SEC01-J. Do not allow tainted variables in privileged blocks
    Page: FIO09-J. Do not rely on the write() method to output integers outside the range 0 to 255
    Page: LCK00-J. Use private final lock objects to synchronize classes that may interact with untrusted code
    Page: MET00-J. Validate method arguments
SEI CERT Perl Coding Standard (9)
    Page: EXP31-PL. Do not suppress or ignore exceptions
    Page: FIO01-PL. Do not operate on files that can be modified by untrusted users
    Page: IDS34-PL. Do not pass untrusted, unsanitized data to a command interpreter
    Page: VOID DCL06-PL. Do not name a subroutine after a builtin function
    Page: EXP32-PL. Do not ignore function return values
    Page: IDS00-PL. Canonicalize path names before validating them
    Page: IDS30-PL. Exclude user input from format strings
    Page: IDS33-PL. Sanitize untrusted data passed across a trust boundary
    Page: EXP30-PL. Do not use deprecated or obsolete functions or modules
SEI CERT C Coding Standard (56)
    Page: void FIO34-C. Use int to capture the return value of character IO functions that might be used to check for end of file
    Page: INT10-C. Do not assume a positive remainder when using the % operator
    Page: VOID POS54-C. Notify all POSIX threads waiting on a condition variable instead of a single thread
    Page: EXP34-C. Do not dereference null pointers
    Page: STR02-C. Sanitize data passed to complex subsystems
    Page: MSC17-C. Finish every set of statements associated with a case label with a break statement
    Page: PRE04-C. Do not reuse a standard header file name
    Page: MSC30-C. Do not use the rand() function for generating pseudorandom numbers
    Page: ERR08-C. Restore prior data state when recovering from a failed operation
    Page: FLP02-C. Avoid using floating-point numbers when precise computation is needed
    Page: VOID EXP31-C. Do not perform side effects in assertions
    Page: EXP12-C. Do not ignore values returned by functions
    Page: FIO34-C. Distinguish between characters read from a file and EOF or WEOF
    Page: ENV33-C. Do not call system()
    Page: FLP05-C. Do not use denormalized numbers
    Page: CON41-C. Wrap functions that can fail spuriously in a loop
    Page: INT31-C. Ensure that integer conversions do not result in lost or misinterpreted data
    Page: FLP06-C. Convert integers to floating point for floating-point operations
    Page: FIO06-C. Create files with appropriate access permissions
    Page: POS51-C. Avoid deadlock with POSIX threads by locking in predefined order
    Page: EXP30-C. Do not depend on the order of evaluation for side effects
    Page: MSC06-C. Beware of compiler optimizations
    Page: CON05-C. Do not perform operations that can block while holding a lock
    Page: TODO List
    Page: FIO42-C. Close files when they are no longer needed
    Page: FLP00-C. Understand the limitations of floating-point numbers
    Page: FIO22-C. Close files before spawning processes
    Page: PRE31-C. Avoid side effects in arguments to unsafe macros
    Page: FIO32-C. Do not perform operations on devices that are only appropriate for files
    Page: POS47-C. Do not use threads that can be canceled asynchronously
    Page: INT32-C. Ensure that operations on signed integers do not result in overflow
    Page: FIO21-C. Do not create temporary files in shared directories
    Page: FIO02-C. Canonicalize path names originating from tainted sources
    Page: MSC21-C. Use robust loop termination conditions
    Page: ENV03-C. Sanitize the environment when invoking external programs
    Page: FIO30-C. Exclude user input from format strings
    Page: MSC09-C. Character encoding: Use subset of ASCII for safety
    Page: FLP04-C. Check floating-point inputs for exceptional values
    Page: MEM11-C. Do not assume infinite heap space
    Page: POS52-C. Do not perform operations that can block while holding a POSIX lock
    Page: INT33-C. Ensure that division and remainder operations do not result in divide-by-zero errors
    Page: CON07-C. Ensure that compound operations on shared variables are atomic
    Page: ERR04-C. Choose an appropriate termination strategy
    Page: FLP34-C. Ensure that floating-point conversions are within range of the new type
    Page: VOID INT36-C. Do not perform bitwise and arithmetic operations on the same variable
    Page: EXP45-C. Do not perform assignments in selection statements
    Page: CON38-C. Preserve thread safety and liveness when using condition variables
    Page: FLP30-C. Do not use floating-point variables as loop counters
    Page: void MSC40-C. Do not use an empty infinite loop
    Page: CON36-C. Wrap functions that can spuriously wake up in a loop
    Page: INT14-C. Avoid performing bitwise and arithmetic operations on the same data
    Page: EXP15-C. Do not place a semicolon on the same line as an if, for, or while statement
    Page: CON35-C. Avoid deadlock by locking in a predefined order
    Page: MSC18-C. Be careful while handling sensitive data, such as passwords, in program code
    Page: FLP36-C. Preserve precision when converting integral values to floating-point type
    Page: INT09-C. Ensure enumeration constants map to unique values
Secure Coding (1)
    Home page: SEI CERT Coding Standards
Android (25)
    Page: DRD04-J. Do not log sensitive information
    Page: DRD06. Do not act on malicious intents
    Page: Applicability Test
    Page: DRD10-X. Do not release apps that are debuggable
    Page: DRD08-J. Always canonicalize a URL received by a content provider
    Page: VOID Android
    Page: DRD00. Do not store sensitive information on external storage (SD card) unless encrypted first
    Page: DRD13. Do not provide addJavascriptInterface method access in a WebView which could contain untrusted content. (API level JELLY_BEAN or below)
    Page: DRD17-J. Do not use the Android cryptographic security provider encryption default for AES
    Page: DRD20-C. Specify permissions when creating files via the NDK
    Page: DRD05-J. Do not grant URI permissions on implicit intents
    Page: DRD14-J. Check that a calling app has appropriate permissions before responding
    Page: DRD18. Do not use the default behavior in a cryptographic library if it does not use recommended practices
    Page: DRD09. Restrict access to sensitive activities
    Page: Java Rule 50: Android (DRD)
    Page: Applicable in Principle to Android (Java Rules/Recomendations)
    Page: DRD02-J. Do not allow WebView to access sensitive local resource through file scheme
    Page: DRD15-J. Consider privacy concerns when using Geolocation API
    Page: Unknown Applicability to Android (Java Rules/Recomendations)
    Page: DRD16-X. Explicitly define the exported attribute for private components
    Page: DRD11. Ensure that sensitive data is kept secure
    Page: DRD01-X. Limit the accessibility of an app's sensitive content provider
    Page: DRD07-X. Protect exported services with strong permissions
    Page: DRD03-J. Do not broadcast sensitive information using an implicit intent
    Page: DRD12. Do not trust data that is world writable
Hierarchy
Children (7)
    Page: 1 Front Matter
    Page: 2 Rules
    Page: 3 Recommendations
    Page: 4 Back Matter
    Page: 5 Admin
    Page: 6 The Void
    Page: 7 Index
Labels
Global Labels (1)
Time Editor  
Nov 06, 2017 11:53 Robert Schiela View Changes
Changed notice to be macro.
Nov 05, 2017 17:30 Robert Schiela View Changes
Changed Maintenance Notice to reference a page rather than have all of the information.
Oct 24, 2017 21:10 Robert Schiela View Changes
updated maintenance notice and changed page layout.
Oct 23, 2017 10:50 Robert Schiela View Changes
Updated maintenance notice for upgrade.
Oct 15, 2017 19:19 Robert Schiela