SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

When you declare a variable final, you do not want anyone to change it.  If the type of variable is primitive types, you can undoubtedly make it. Unfortunately, if the variable is  a reference to an object, the "final" stuff you think may be not final!

Noncompliant Code Example

class Test{
 
 Test(int a, int b){
  this.a = a;
  this.b = b;
 }
 void set_ab(int a, int b){
  this.a = a;
  this.b = b;
 }
 void print_ab(){
  System.out.println("the value a is: "+this.a);
  System.out.println("the value b is: "+this.b);
 }
 private int a;
 private int b;
}
public class TestFinal1 {
 
 public static void main(String[] args) {
        final Test mytest = new Test(1,2);
        mytest.print_ab();
        //now we change the value of a,b.
        mytest.set_ab(5, 6);
        mytest.print_ab();
       
    }
}

We can see that the value of a and b has been changed, which means that when you declare a reference final, it only means that the reference can not be changed but the contents it refer to can still be changed! 

Compliant Solution

If you do not want to change a and b after they are initialized, the simplest approach is to declare a and b final: private final int a;
 private final int b;
But now you can not have setter method of a and b.

Compliant Solution 2

An alternative approach is to provide the clone method in the class. When you want do something about the object, you can use clone method to get a copy of original object. Now, you can do everything to this new object, and the original one will be never changed.  

 public Test2 clone() throws CloneNotSupportedException{
  Test2 cloned = (Test2) super.clone();
  return cloned;
 }


Risk Assessment

Using final to declare the reference to an object is a potential security risk, because the contents of the object can still be changed. 

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

SEC37-J

medium

likely

low

P18

L1

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Chapter 6, Core Javaâ„¢ 2 Volume I - Fundamentals, Seventh Edition

  • No labels