 
                            When you declare a variable final, you do not want anyone to change it. If the type of variable is primitive types, you can undoubtedly make it. Unfortunately, if the variable is a reference to an object, the "final" stuff you think may be not final!
Non-compliant Code Example
class Test{
 
 Test(int a, int b){
  this.a = a;
  this.b = b;
 }
 void set_ab(int a, int b){
  this.a = a;
  this.b = b;
 }
 void print_ab(){
  System.out.println("the value a is: "+this.a);
  System.out.println("the value b is: "+this.b);
 }
 private int a;
 private int b;
}
public class TestFinal1 {
 
 public static void main(String[] args) {
        final Test mytest = new Test(1,2);
        mytest.print_ab();
        //now we change the value of a,b.
        mytest.set_ab(5, 6);
        mytest.print_ab();
       
    }
}
We can see that the value of a and b has been changed, which means that when you declare a reference final, it only means that the reference can not be changed but the contents it refer to can still be changed! 
Non-Compliant Solution
If you do not want to change a and b after they are initialized, the simplest approach is to declare a and b final:
 void set_ab(int a, int b){ //But now compiler complains about set_ab method!
  this.a = a;
  this.b = b;
 }
 private final int a;
 private final int b;
But now you can not have setter methods of a and b.
Compliant Solution
An alternative approach is to provide the clone method in the class. When you want do something about the object, you can use clone method to get a copy of original object. Now, you can do everything to this new object, and the original one will be never changed.
class NewFinal implements Cloneable
{
 NewFinal(int a, int b){
  this.a = a;
  this.b = b;
 }
 void print_ab(){
  System.out.println("the value a is: "+this.a);
  System.out.println("the value b is: "+this.b);
 }
 void set_ab(int a, int b){
  this.a = a;
  this.b = b;
 }
 public NewFinal clone() throws CloneNotSupportedException{
  NewFinal cloned = (NewFinal) super.clone();
  return cloned;
 }
 private int a;
 private int b;
}
public class Test2 {
 
 public static void main(String[] args) {
        final NewFinal mytest = new NewFinal(1,2);
        mytest.print_ab();
        //get the copy of original object
        try {
         
  NewFinal mytest2 = mytest.clone();
        //now we change the value of a,b of the copy.
  mytest2.set_ab(5, 6);
  //but the original value will not be changed
        mytest.print_ab();
  } catch (CloneNotSupportedException e) {
   // TODO Auto-generated catch block
   e.printStackTrace();
  }
       
    }
}
Risk Assessment
Using final to declare the reference to an object is a potential security risk, because the contents of the object can still be changed.
| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level | 
|---|---|---|---|---|---|
| SEC37-J | medium | likely | low | P18 | L1 | 
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
Chapter 6, Core Java⢠2 Volume I - Fundamentals, Seventh Edition