| The Java compiler type-checks the arguments to a varargs method to ensure that they are of the same type or object reference. However, the compile-time checking is ineffective when two method signatures are used in particular - {{Object}} and the generic type {{T}} \[[Bloch 2008|AA. Bibliography#Bloch 08]\]. Another requirement for providing strong compile-time type checking of variable argument methods is to be as specific as possible when declaring the type of the method parameter. | 
This noncompliant code example declares two varargs methods. As written, the first accepts an arbitrary mix of parameters of any object type; the second accepts a variable number of parameters that are all of the same object type. Although such declarations have legitimate uses (see exception below), those uses rarely arise; avoid use of such declarations in general.
| 
ReturnType1 suspect1(Object... args) { }
<T> ReturnType2 suspect2(T... args) { }
 | 
Be as specific as possible when declaring parameter types; avoid Object and imprecise generic types in varargs.
| 
ReturnType1 specific1(somePrimitiveType1... args) { } // int, or whatever
ReturnType2 specific2(SpecificObjectType2... args) { }
 | 
| Retrofitting old methods containing final array parameters with generically typed varargs is not always a good idea. This is because if some method did not accept an argument of a particular type, it may be possible to override the compile-time checking so that with the use of generic varargs, it now compiles cleanly \[[Bloch 2008|AA. Bibliography#Bloch 08]\]. | 
Also, note that autoboxing does not allow strong compile time type checking of primitive types and their corresponding wrapper classes.
DCL09-EX1: Varargs signatures using Object and imprecise generic types are acceptable when, and only when, the body of the method uses no casts or auto-boxing, and compiles without error. For example:
| 
Collection<T> assembleCollection(T... args) {
  Collection<T> result = new HashSet<T>();
  // add each argument to the result collection
  return result;
}
 | 
operates correctly for all object types and type-checks successfully.
Unmindful use of the varargs feature breaks strong compile-time type checking, creates ambiguity and diminishes code readability.
| Guideline | Severity | Likelihood | Remediation Cost | Priority | Level | 
|---|---|---|---|---|---|
| DCL09-J | low | unlikely | medium | P2 | L3 | 
Automated detection appears to be straightforward.
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
| \[[Bloch 2008|AA. Bibliography#Bloch 08]\] Item 42: "Use varargs judiciously" \[[Steinberg 2005|AA. Bibliography#Steinberg 05]\] "Using the Varargs Language Feature" \[[Sun 2006|AA. Bibliography#Sun 06]\] [varargs|http://java.sun.com/j2se/1.5.0/docs/guide/language/varargs.html] | 
DCL08-J. Avoid overloading varargs methods 03. Declarations and Initialization (DCL) DCL10-J. Ensure proper initialization by declaring class and instance variables final