
A method should never throw RuntimeException or Exception. Handling either of these requires the caller to catch RuntimeException (catching Exception catches RuntimeException as well), which is forbidden by EXC32-J. Do not catch RuntimeException.

Instead, always throw an exception subclassed from Exception. It is permissible to construct an exception class specifically for a single throw statement.

Noncompliant Code Example

The following function takes a string and returns true if it consists of a capital letter followed by lowercase letters. To handle corner cases, it checks for them and throws an exception if they would prevent normal analysis.

boolean isCapitalized(String s) {
  if (s == null) {
    // Noncompliant: the generic RuntimeException forces callers to catch RuntimeException
    throw new RuntimeException("Null String");
  }
  if (s.equals("")) {
    return true;
  }
  String first = s.substring(0, 1);
  String rest = s.substring(1);
  return (first.equals(first.toUpperCase()) &&
          rest.equals(rest.toLowerCase()));
}

In order to handle the case of passing in a null string, code calling this function would have to catch RuntimeException, which violates EXC32-J. Do not catch RuntimeException.

Compliant Solution

An exception specifically devoted to the error would be more appropriate.

boolean isCapitalized(String s) {
  if (s == null) {
    // A specific exception type names the actual error, so callers can catch just this case
    throw new NullPointerException();
  }
  if (s.equals("")) {
    return true;
  }
  String first = s.substring(0, 1);
  String rest = s.substring(1);
  return (first.equals(first.toUpperCase()) &&
          rest.equals(rest.toLowerCase()));
}
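The following is an added example, not code from the CERT page, that shows the caller's side of this rule and applies the advice above about building an exception class for a single throw statement. The class names Caps and InvalidStringException and the method isCapitalizedNoncompliant are assumptions chosen for the example. The compliant method throws a purpose-built checked exception, so the caller catches exactly that failure; the noncompliant method forces the caller into a catch for RuntimeException that cannot tell the documented null-argument case apart from an unrelated bug.

```java
// Added example (not part of the CERT page). Names are assumptions.
public class Caps {

  // A checked exception built for the single throw site in isCapitalized.
  public static class InvalidStringException extends Exception {
    public InvalidStringException(String message) {
      super(message);
    }
  }

  // Compliant: the corner case is reported through a specific checked exception.
  static boolean isCapitalized(String s) throws InvalidStringException {
    if (s == null) {
      throw new InvalidStringException("Null String");
    }
    if (s.isEmpty()) {
      return true;
    }
    String first = s.substring(0, 1);
    String rest = s.substring(1);
    return first.equals(first.toUpperCase()) && rest.equals(rest.toLowerCase());
  }

  // Noncompliant variant from the page, kept to show what it forces on callers.
  static boolean isCapitalizedNoncompliant(String s) {
    if (s == null) {
      throw new RuntimeException("Null String");
    }
    if (s.isEmpty()) {
      return true;
    }
    String first = s.substring(0, 1);
    String rest = s.substring(1);
    return first.equals(first.toUpperCase()) && rest.equals(rest.toLowerCase());
  }

  public static void main(String[] args) {
    String[] inputs = { "Hello", "hello", "", null };

    // Caller of the compliant method: only the documented failure is caught.
    // Any other RuntimeException (a real bug) still propagates and is not swallowed.
    for (String in : inputs) {
      try {
        System.out.println("compliant:    " + in + " -> " + isCapitalized(in));
      } catch (InvalidStringException e) {
        System.out.println("compliant:    " + in + " -> rejected: " + e.getMessage());
      }
    }

    // Caller of the noncompliant method: the only way to handle the null case is
    // to catch RuntimeException. The same handler also receives the
    // NumberFormatException from the unrelated parse below, and it cannot
    // distinguish the expected rejection from a genuine bug.
    String[] noncompliantInputs = { "42", null, "Hello" };
    for (String in : noncompliantInputs) {
      try {
        boolean ok = isCapitalizedNoncompliant(in);
        int asNumber = Integer.parseInt(in);  // unrelated operation in the same block
        System.out.println("noncompliant: " + in + " -> " + ok + ", parsed " + asNumber);
      } catch (RuntimeException e) {
        System.out.println("noncompliant: " + in + " -> caught "
            + e.getClass().getSimpleName() + " (handler cannot tell which failure this is)");
      }
    }
  }
}
```

Run with `javac Caps.java && java Caps`. For the inputs "42", null and "Hello", the noncompliant loop reports a RuntimeException for null and a NumberFormatException for "Hello" through the same handler; the compliant loop never needs a catch broader than InvalidStringException.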

Risk Assessment

Throwing RuntimeException, Exception, or another general exception type prevents callers from catching your exception without also catching other, unintended exceptions.

Rule      Severity  Likelihood  Remediation Cost  Priority  Level
EXC33-J   low       likely      medium            P6        L2

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.


