Guidelines

FIO00-J. Defensively copy mutable inputs and mutable internal components

FIO01-J. Do not expose buffers created using the wrap() or duplicate() methods to untrusted code

FIO02-J. Keep track of bytes read and account for character encoding while reading data

FIO03-J. Specify the character encoding while performing file or network IO

FIO04-J. Canonicalize path names before validating

FIO05-J. Do not create multiple buffered wrappers on an InputStream

FIO06-J. Ensure all resources are properly closed when they are no longer needed

FIO07-J. Do not create temporary files in shared directories

FIO08-J. Do not log sensitive information

FIO09-J. Exclude user input from format strings

FIO10-J. Do not let Runtime.exec() fail or block indefinitely

FIO35-J. Reserved (moved to SDV00)

Risk Assessment Summary

Recommendations

Guideline

Severity

Likelihood

Remediation Cost

Priority

Level

FIO00- J

medium

probable

high

P4

L3

FIO01- J

medium

likely

low

P18

L1

FIO02- J

low

unlikely

medium

P2

L3

FIO03- J

low

unlikely

medium

P2

L3

FIO04- J

medium

unlikely

medium

P4

L3

FIO05- J

low

unlikely

medium

P2

L3

FIO06- J

low

probable

medium

P4

L3

FIO07- J

high

probable

medium

P12

L1

FIO08- J

medium

probable

high

P4

L3

FIO09- J

medium

unlikely

medium

P4

L3

FIO10- J

low

probable

medium

P4

L3


OBJ14-J. Encapsulate the absence of an object by using a Null Object      The CERT Sun Microsystems Secure Coding Standard for Java      FIO00-J. Defensively copy mutable inputs and mutable internal components