Recommendations
FIO00-J. Validate deserialized objects
FIO01-J. Canonicalize path names originating from untrusted sources
FIO02-J. Use Runtime.exec() correctly
FIO04-J. Understand the limitations of the logging framework
FIO05-J. Document character encoding while performing file IO
FIO07-J. Do not assume infinite heap space when reading in data
Rules
FIO31-J. Create a copy of mutable inputs
FIO32-J. Do not serialize sensitive data
FIO33-J. Do not allow serialization and deserialization to bypass the Security Manager
FIO34-J. Ensure all resources are properly closed when they are no longer needed
FIO35-J. Exclude user input from format strings
FIO36-J. Never hardcode sensitive information
Risk Assessment Summary
Recommendations
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
FIO00-J |
medium |
probable |
high |
P4 |
L3 |
FIO01-J |
high |
probable |
high |
P6 |
L2 |
FIO02-J |
high |
probable |
high |
P6 |
L2 |
FIO06-J |
medium |
probable |
high |
P4 |
L3 |
Rules
Rules |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
FIO31-J |
medium |
probable |
high |
P4 |
L3 |
FIO32-J |
medium |
likely |
high |
P6 |
L2 |
FIO33-J |
high |
probable |
high |
P6 |
L2 |
FIO35-J |
medium |
probable |
high |
P4 |
L3 |
OBJ35-J. Use checked collections against external code CERT Java Secure Coding Standard FIO00-J. Validate deserialized objects