Title: Rule BB. Glossary  
Author: Dhruv Mohindra Nov 27, 2009
Last Changed by: Robert Seacord Jun 13, 2015
Tiny Link: (useful for email) https://wiki.sei.cmu.edu/confluence/x/1jdGBQ
Export As: Word · PDF  
Incoming Links
SEI CERT Oracle Coding Standard for Java (117)
    Page: IDS04-J. Safely extract files from ZipInputStream
    Page: OBJ51-J. Minimize the accessibility of classes and their members
    Page: DCL01-J. Do not reuse public identifiers from the Java Standard Library
    Page: STR04-J. Use compatible character encodings when communicating string data between JVMs
    Page: MSC06-J. Do not modify the underlying collection when an iteration is in progress
    Page: SER08-J. Minimize privileges before deserializing from a privileged context
    Page: TPS00-J. Use thread pools to enable graceful degradation of service during traffic bursts
    Page: SER03-J. Do not serialize unencrypted sensitive data
    Page: ENV00-J. Do not sign code that performs only unprivileged operations
    Page: Concurrency, Visibility, and Memory
    Page: MSC04-J. Do not leak memory
    Page: TPS01-J. Do not execute interdependent tasks in a bounded thread pool
    Page: MSC02-J. Generate strong random numbers
    Page: FIO16-J. Canonicalize path names before validating them
    Page: ERR02-J. Prevent exceptions while logging data
    Page: FIO06-J. Do not create multiple buffered wrappers on a single byte or character stream
    Page: Rule: Usage
    Page: VNA02-J. Ensure that compound operations on shared variables are atomic
    Page: IDS50-J. Use conservative file naming conventions
    Page: OBJ58-J. Limit the extensibility of classes and methods with invariants
    Page: IDS17-J. Prevent XML External Entity Attacks
    Page: OBJ01-J. Limit accessibility of fields
    Page: SEC05-J. Do not use reflection to increase accessibility of classes, methods, or fields
    Page: FIO14-J. Perform proper cleanup at program termination
    Page: VNA05-J. Ensure atomicity when reading and writing 64-bit values
    Page: LCK09-J. Do not perform operations that can block while holding a lock
    Page: OBJ04-J. Provide mutable classes with copy functionality to safely allow passing instances to untrusted code
    Page: Rule: Priority and Levels
    Page: ERR09-J. Do not allow untrusted code to terminate the JVM
    Page: SER07-J. Do not use the default serialized form for classes with implementation-defined invariants
    Page: MET08-J. Preserve the equality contract when overriding the equals() method
    Page: EXP03-J. Do not use the equality operators when comparing values of boxed primitives
    Page: NUM02-J. Ensure that division and remainder operations do not result in divide-by-zero errors
    Page: LCK08-J. Ensure actively held locks are released on exceptional conditions
    Page: JNI00-J. Define wrappers around native methods
    Page: VNA00-J. Ensure visibility when accessing shared primitive variables
    Page: EXP01-J. Do not use a null in a case where an object is required
    Page: IDS11-J. Perform any string modifications before validation
    Page: SEC07-J. Call the superclass's getPermissions() method when writing a custom class loader
    Page: THI04-J. Ensure that threads performing blocking operations can be terminated
    Page: FIO13-J. Do not log sensitive information outside a trust boundary
    Page: LCK04-J. Do not synchronize on a collection view if the backing collection is accessible
    Page: MSC05-J. Do not exhaust heap space
    Page: MSC07-J. Prevent multiple instantiations of singleton objects
    Page: LCK10-J. Use a correct form of the double-checked locking idiom
    Page: MET05-J. Ensure that constructors do not call overridable methods
    Page: THI02-J. Notify all waiting threads rather than a single thread
    Page: Java Rules
    Page: THI03-J. Always invoke wait() and await() methods inside a loop
    Page: LCK02-J. Do not synchronize on the class object returned by getClass()
    Page: TSM00-J. Do not override thread-safe methods with methods that are not thread-safe
    Page: MSC00-J. Use SSLSocket rather than Socket for secure data exchange
    Page: TSM03-J. Do not publish partially initialized objects
    Page: ERR00-J. Do not suppress or ignore checked exceptions
    Page: ERR01-J. Do not allow exceptions to expose sensitive information
    Page: ENV03-J. Do not grant dangerous combinations of permissions
    Page: SER01-J. Do not deviate from the proper signatures of serialization methods
    Page: TSM02-J. Do not use background threads during class initialization
    Page: VNA03-J. Do not assume that a group of calls to independently atomic methods is atomic
    Page: OBJ06-J. Defensively copy mutable inputs and mutable internal components
    Page: THI01-J. Do not invoke ThreadGroup methods
    Page: SEC00-J. Do not allow privileged blocks to leak sensitive information across a trust boundary
    Page: ENV02-J. Do not trust the values of environment variables
    Page: ERR03-J. Restore prior object state on method failure
    Page: TPS04-J. Ensure ThreadLocal variables are reinitialized when using thread pools
    Page: FIO07-J. Do not let external processes block on IO buffers
    Page: LCK05-J. Synchronize access to static fields that can be modified by untrusted code
    Page: LCK06-J. Do not use an instance lock to protect shared static data
    Page: FIO08-J. Distinguish between characters or bytes read from a stream and -1
    Page: OBJ05-J. Do not return references to private mutable class members
    Page: IDS08-J. Sanitize untrusted data included in a regular expression
    Page: FIO04-J. Release resources when they are no longer needed
    Page: TPS02-J. Ensure that tasks submitted to a thread pool are interruptible
    Page: STR03-J. Do not encode noncharacter data as a string
    Page: Rule: Conformance Testing
    Page: IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method
    Page: OBJ07-J. Sensitive classes must not let themselves be copied
    Page: THI05-J. Do not use Thread.stop() to terminate threads
    Page: MSC03-J. Never hard code sensitive information
    Page: IDS00-J. Prevent SQL injection
    Page: Rule 50. Android (DRD)
    Page: SEC02-J. Do not base security checks on untrusted sources
    Page: LCK11-J. Avoid client-side locking when using classes that do not commit to their locking strategy
    Page: VNA04-J. Ensure that calls to chained methods are atomic
    Page: SER04-J. Do not allow serialization and deserialization to bypass the security manager
    Page: MET01-J. Never use assertions to validate method arguments
    Page: EXP02-J. Do not use the Object.equals() method to compare two arrays
    Page: MET12-J. Do not use finalizers
    Page: OBJ10-J. Do not use public static nonfinal fields
    Page: Rule: System Qualities
    Page: OBJ13-J. Ensure that references to mutable objects are not exposed
    Page: ENV01-J. Place all security-sensitive code in a single JAR and sign and seal it
    Page: NUM01-J. Do not perform bitwise and arithmetic operations on the same data
    Page: LCK07-J. Avoid deadlock by requesting and releasing locks in the same order
    Page: SER06-J. Make defensive copies of private mutable components during deserialization
    Page: IDS16-J. Prevent XML Injection
    Page: NUM00-J. Detect or prevent integer overflow
    Page: TSM01-J. Do not let the this reference escape during object construction
    Page: IDS14-J. Do not trust the contents of hidden form fields
    Page: FIO00-J. Do not operate on files in shared directories
    Page: OBJ02-J. Preserve dependencies in subclasses when changing superclasses
    Page: SER02-J. Sign then seal objects before sending them outside a trust boundary
    Page: SER11-J. Prevent overwriting of externalizable objects
    Page: MET06-J. Do not invoke overridable methods in clone()
    Page: MET00-J. Validate method arguments
    Page: OBJ11-J. Be wary of letting constructors throw exceptions
    Page: IDS03-J. Do not log unsanitized user input
    Page: IDS01-J. Normalize strings before validating them
    Page: VNA01-J. Ensure visibility of shared references to immutable objects
    Page: MSC11-J. Do not let session information leak within a servlet
    Page: FIO05-J. Do not expose buffers or their backing arrays methods to untrusted code
    Page: FIO03-J. Remove temporary files before termination
    Page: FIO12-J. Provide methods to read and write little-endian data
    Page: IDS06-J. Exclude unsanitized user input from format strings
    Page: SEC01-J. Do not allow tainted variables in privileged blocks
    Page: ENV05-J. Do not deploy an application that can be remotely monitored
    Page: ERR07-J. Do not throw RuntimeException, Exception, or Throwable
Parent Page
    Page: 4 Back Matter
Global Labels (2)