SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Space Index

Total number of pages: 607

info Page excerpts are hidden because there are more than 200 pages
0-9 ... 12 A ... 1 B ... 0 C ... 8 D ... 18 E ... 38
F ... 25 G ... 0 H ... 0 I ... 27 J ... 7 K ... 2
L ... 16 M ... 49 N ... 18 O ... 24 P ... 9 Q ... 0
R ... 69 S ... 48 T ... 21 U ... 0 V ... 6 W ... 0
X ... 0 Y ... 0 Z ... 0 !@#$ ... 0    

0-9

Page: 00. Input Validation and Data Sanitization (IDS)
Page: 1 Front Matter
Page: 1. Security
Page: 2 Rules
Page: 2. Defensive Programming
Page: 3 Recommendations
Page: 3. Reliability
Page: 4 Back Matter
Page: 4. Program Understandability
Page: 5 Admin
Page: 5. Programmer Misconceptions
Page: 7 Index

A

Page: Acknowledgments

B

C

Page: CodeSonar
Page: CodeSonar_V
Page: CON50-J. Do not assume that declaring a reference volatile guarantees safe publication of the members of the referenced object
Page: CON51-J. Do not assume that the sleep(), yield(), or getState() methods provide synchronization semantics
Page: CON52-J. Document thread-safety and use annotations where applicable
Page: Concurrency, Visibility, and Memory
Page: Coverity
Page: Coverity_V

D

Page: DCL00-J. Prevent class initialization cycles
Page: DCL01-J. Do not reuse public identifiers from the Java Standard Library
Page: DCL02-J. Do not modify the collection's elements during an enhanced for statement
Page: DCL50-J. Use visually distinct identifiers
Page: DCL51-J. Do not shadow or obscure identifiers in subscopes
Page: DCL52-J. Do not declare more than one variable per declaration
Page: DCL53-J. Minimize the scope of variables
Page: DCL54-J. Use meaningful symbolic constants to represent literal values in program logic
Page: DCL55-J. Properly encode relationships in constant definitions
Page: DCL56-J. Do not attach significance to the ordinal associated with an enum
Page: DCL57-J. Avoid ambiguous overloading of variable arity methods
Page: DCL58-J. Enable compile-time type checking of variable arity parameter types
Page: DCL59-J. Do not apply public final to constants whose value might change in later releases
Page: DCL60-J. Avoid cyclic dependencies between packages
Page: DCL61-J. Do not use raw types
Page: Defensive Programming: Introduction
Page: Denial of Service
Page: Deprecations

E

Page: Eclipse
Page: Eclipse_V
Page: ENV00-J. Do not sign code that performs only unprivileged operations
Page: ENV01-J. Place all security-sensitive code in a single JAR and sign and seal it
Page: ENV02-J. Do not trust the values of environment variables
Page: ENV03-J. Do not grant dangerous combinations of permissions
Page: ENV04-J. Do not disable bytecode verification
Page: ENV05-J. Do not deploy an application that can be remotely monitored
Page: ENV06-J. Production code must not contain debugging entry points
Page: ERR00-J. Do not suppress or ignore checked exceptions
Page: ERR01-J. Do not allow exceptions to expose sensitive information
Page: ERR02-J. Prevent exceptions while logging data
Page: ERR03-J. Restore prior object state on method failure
Page: ERR04-J. Do not complete abruptly from a finally block
Page: ERR05-J. Do not let checked exceptions escape from a finally block
Page: ERR06-J. Do not throw undeclared checked exceptions
Page: ERR07-J. Do not throw RuntimeException, Exception, or Throwable
Page: ERR08-J. Do not catch NullPointerException or any of its ancestors
Page: ERR09-J. Do not allow untrusted code to terminate the JVM
Page: ERR50-J. Use exceptions only for exceptional conditions
Page: ERR51-J. Prefer user-defined exceptions over more general exception types
Page: ERR52-J. Avoid in-band error indicators
Page: ERR53-J. Try to gracefully recover from system errors
Page: ERR54-J. Use a try-with-resources statement to safely handle closeable resources
Page: EXP00-J. Do not ignore values returned by methods
Page: EXP01-J. Do not use a null in a case where an object is required
Page: EXP02-J. Do not use the Object.equals() method to compare two arrays
Page: EXP03-J. Do not use the equality operators when comparing values of boxed primitives
Page: EXP04-J. Do not pass arguments to certain Java Collections Framework methods that are a different type than the collection parameter type
Page: EXP05-J. Do not follow a write by a subsequent write or read of the same object within an expression
Page: EXP06-J. Expressions used in assertions must not produce side effects
Page: EXP07-J. Prevent loss of useful data due to weak references
Page: EXP50-J. Do not confuse abstract object equality with reference equality
Page: EXP51-J. Do not perform assignments in conditional expressions
Page: EXP52-J. Use braces for the body of an if, for, or while statement
Page: EXP53-J. Use parentheses for precedence of operation
Page: EXP54-J. Understand the differences between bitwise and logical operators
Page: EXP55-J. Use the same type for the second and third operands in conditional expressions

F

Page: Findbugs
Page: Findbugs_V
Page: FIO00-J. Do not operate on files in shared directories
Page: FIO01-J. Create files with appropriate access permissions
Page: FIO02-J. Detect and handle file-related errors
Page: FIO03-J. Remove temporary files before termination
Page: FIO04-J. Release resources when they are no longer needed
Page: FIO05-J. Do not expose buffers or their backing arrays methods to untrusted code
Page: FIO06-J. Do not create multiple buffered wrappers on a single byte or character stream
Page: FIO07-J. Do not let external processes block on IO buffers
Page: FIO08-J. Distinguish between characters or bytes read from a stream and -1
Page: FIO09-J. Do not rely on the write() method to output integers outside the range 0 to 255
Page: FIO10-J. Ensure the array is filled when using read() to fill an array
Page: FIO11-J. Do not convert between strings and bytes without specifying a valid character encoding
Page: FIO12-J. Provide methods to read and write little-endian data
Page: FIO13-J. Do not log sensitive information outside a trust boundary
Page: FIO14-J. Perform proper cleanup at program termination
Page: FIO15-J. Do not reset a servlet's output stream after committing it
Page: FIO16-J. Canonicalize path names before validating them
Page: FIO50-J. Do not make assumptions about file creation
Page: FIO51-J. Identify files using multiple file attributes
Page: FIO52-J. Do not store unencrypted sensitive information on the client side
Page: FIO53-J. Use the serialization methods writeUnshared() and readUnshared() with care
Page: Fortify
Page: Fortify_V

G

H

I

Page: IDS00-J. Prevent SQL injection
Page: IDS01-J. Normalize strings before validating them
Page: IDS02-J. Canonicalize path names before validating them
Page: IDS03-J. Do not log unsanitized user input
Page: IDS04-J. Safely extract files from ZipInputStream
Page: IDS05-J. Use a safe subset of ASCII for file and path names
Page: IDS06-J. Exclude unsanitized user input from format strings
Page: IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method
Page: IDS08-J. Sanitize untrusted data included in a regular expression
Page: IDS09-J. Specify an appropriate locale when comparing locale-dependent data
Page: IDS10-J. Don't form strings containing partial characters
Page: IDS11-J. Perform any string modifications before validation
Page: IDS13-J. Use compatible character encodings on both sides of file or network IO
Page: IDS14-J. Do not trust the contents of hidden form fields
Page: IDS15-J. Do not allow sensitive information to leak outside a trust boundary
Page: IDS16-J. Prevent XML Injection
Page: IDS17-J. Prevent XML External Entity Attacks
Page: IDS50-J. Use conservative file naming conventions
Page: IDS51-J. Properly encode or escape output
Page: IDS52-J. Prevent code injection
Page: IDS53-J. Prevent XPath Injection
Page: IDS54-J. Prevent LDAP injection
Page: IDS55-J. Understand how escape characters are interpreted when strings are loaded
Page: IDS56-J. Prevent arbitrary file upload
Page: Input Validation and Data Sanitization
Page: ISO/IEC TR 24772:2010
Page: ISO/IEC TR 24772:2013

J

Page: Java Coding Guidelines
Page: Java Rules
Page: JNI00-J. Define wrappers around native methods
Page: JNI01-J. Safely invoke standard APIs that perform tasks using the immediate caller's class loader instance (loadLibrary)
Page: JNI02-J. Do not assume object references are constant or unique
Page: JNI03-J. Do not use direct pointers to Java objects in JNI code
Page: JNI04-J. Do not assume that Java strings are null-terminated

K

Page: Klocwork
Page: Klocwork_V

L

Page: Labels for this Space
Page: LCK00-J. Use private final lock objects to synchronize classes that may interact with untrusted code
Page: LCK01-J. Do not synchronize on objects that may be reused
Page: LCK02-J. Do not synchronize on the class object returned by getClass()
Page: LCK03-J. Do not synchronize on the intrinsic locks of high-level concurrency objects
Page: LCK04-J. Do not synchronize on a collection view if the backing collection is accessible
Page: LCK05-J. Synchronize access to static fields that can be modified by untrusted code
Page: LCK06-J. Do not use an instance lock to protect shared static data
Page: LCK07-J. Avoid deadlock by requesting and releasing locks in the same order
Page: LCK08-J. Ensure actively held locks are released on exceptional conditions
Page: LCK09-J. Do not perform operations that can block while holding a lock
Page: LCK10-J. Use a correct form of the double-checked locking idiom
Page: LCK11-J. Avoid client-side locking when using classes that do not commit to their locking strategy
Page: Leaking Capabilities
Page: Leaking Sensitive Data
Page: Libraries

M

Page: MET00-J. Validate method arguments
Page: MET01-J. Never use assertions to validate method arguments
Page: MET02-J. Do not use deprecated or obsolete classes or methods
Page: MET03-J. Methods that perform a security check must be declared private or final
Page: MET04-J. Do not increase the accessibility of overridden or hidden methods
Page: MET05-J. Ensure that constructors do not call overridable methods
Page: MET06-J. Do not invoke overridable methods in clone()
Page: MET07-J. Never declare a class method that hides a method declared in a superclass or superinterface
Page: MET08-J. Preserve the equality contract when overriding the equals() method
Page: MET09-J. Classes that define an equals() method must also define a hashCode() method
Page: MET10-J. Follow the general contract when implementing the compareTo() method
Page: MET11-J. Ensure that keys used in comparison operations are immutable
Page: MET12-J. Do not use finalizers
Page: MET13-J. Do not assume that reassigning method arguments modifies the calling environment
Page: MET50-J. Avoid ambiguous or confusing uses of overloading
Page: MET51-J. Do not use overloaded methods to differentiate between runtime types
Page: MET52-J. Do not use the clone() method to copy untrusted method parameters
Page: MET53-J. Ensure that the clone() method calls super.clone()
Page: MET54-J. Always provide feedback about the resulting value of a method
Page: MET55-J. Return an empty array or collection instead of a null value for methods that return an array or collection
Page: MET56-J. Do not use Object.equals() to compare cryptographic keys
Page: MITRE CAPEC
Page: MITRE CWE
Page: MSC00-J. Use SSLSocket rather than Socket for secure data exchange
Page: MSC01-J. Do not use an empty infinite loop
Page: MSC02-J. Generate strong random numbers
Page: MSC03-J. Never hard code sensitive information
Page: MSC04-J. Do not leak memory
Page: MSC05-J. Do not exhaust heap space
Page: MSC06-J. Do not modify the underlying collection when an iteration is in progress
Page: MSC07-J. Prevent multiple instantiations of singleton objects
Page: MSC08-J. Do not store nonserializable objects as attributes in an HTTP session
Page: MSC09-J. For OAuth, ensure (a) [relying party receiving user's ID in last step] is same as (b) [relying party the access token was granted to].
Page: MSC10-J. Do not use OAuth 2.0 implicit grant (unmodified) for authentication
Page: MSC11-J. Do not let session information leak within a servlet
Page: MSC50-J. Minimize the scope of the @SuppressWarnings annotation
Page: MSC51-J. Do not place a semicolon immediately following an if, for, or while condition
Page: MSC52-J. Finish every set of statements associated with a case label with a break statement
Page: MSC53-J. Carefully design interfaces before releasing them
Page: MSC54-J. Avoid inadvertent wrapping of loop counters
Page: MSC55-J. Use comments consistently and in a readable fashion
Page: MSC56-J. Detect and remove superfluous code and values
Page: MSC57-J. Strive for logical completeness
Page: MSC58-J. Prefer using iterators over enumerations
Page: MSC59-J. Limit the lifetime of sensitive data
Page: MSC60-J. Do not use assertions to verify the absence of runtime errors
Page: MSC61-J. Do not use insecure or weak cryptographic algorithms
Page: MSC62-J. Store passwords using a hash function
Page: MSC63-J. Ensure that SecureRandom is properly seeded

N

Page: NUM00-J. Detect or prevent integer overflow
Page: NUM01-J. Do not perform bitwise and arithmetic operations on the same data
Page: NUM02-J. Ensure that division and remainder operations do not result in divide-by-zero errors
Page: NUM03-J. Use integer types that can fully represent the possible range of unsigned data
Page: NUM04-J. Do not use floating-point numbers if precise computation is required
Page: NUM07-J. Do not attempt comparisons with NaN
Page: NUM08-J. Check floating-point inputs for exceptional values
Page: NUM09-J. Do not use floating-point variables as loop counters
Page: NUM10-J. Do not construct BigDecimal objects from floating-point literals
Page: NUM11-J. Do not compare or inspect the string representation of floating-point values
Page: NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data
Page: NUM13-J. Avoid loss of precision when converting primitive integers to floating-point
Page: NUM14-J. Use shift operators correctly
Page: NUM50-J. Convert integers to floating point for floating-point operations
Page: NUM51-J. Do not assume that the remainder operator always returns a nonnegative result for integral operands
Page: NUM52-J. Be aware of numeric promotion behavior
Page: NUM53-J. Use the strictfp modifier for floating-point calculation consistency across platforms
Page: NUM54-J. Do not use denormalized numbers

O

Page: OBJ01-J. Limit accessibility of fields
Page: OBJ02-J. Preserve dependencies in subclasses when changing superclasses
Page: OBJ03-J. Prevent heap pollution
Page: OBJ04-J. Provide mutable classes with copy functionality to safely allow passing instances to untrusted code
Page: OBJ05-J. Do not return references to private mutable class members
Page: OBJ06-J. Defensively copy mutable inputs and mutable internal components
Page: OBJ07-J. Sensitive classes must not let themselves be copied
Page: OBJ08-J. Do not expose private members of an outer class from within a nested class
Page: OBJ09-J. Compare classes and not class names
Page: OBJ10-J. Do not use public static nonfinal fields
Page: OBJ11-J. Be wary of letting constructors throw exceptions
Page: OBJ12-J. Respect object-based annotations
Page: OBJ13-J. Ensure that references to mutable objects are not exposed
Page: OBJ14-J. Do not use an object that has been freed.
Page: OBJ50-J. Never confuse the immutability of a reference with that of the referenced object
Page: OBJ51-J. Minimize the accessibility of classes and their members
Page: OBJ52-J. Write garbage-collection-friendly code
Page: OBJ53-J. Do not use direct buffers for short-lived, infrequently used objects
Page: OBJ54-J. Do not attempt to help the garbage collector by setting local reference variables to null
Page: OBJ55-J. Remove short-lived objects from long-lived container objects
Page: OBJ56-J. Provide sensitive mutable classes with unmodifiable wrappers
Page: OBJ57-J. Do not rely on methods that can be overridden by untrusted code
Page: OBJ58-J. Limit the extensibility of classes and methods with invariants
Page: Old Categories

P

Page: Parasoft
Page: Parasoft_V
Page: Pmd
Page: Pmd_V
Page: Privilege Escalation
Page: Program Understandability: Introduction
Page: Programmer Misconceptions: Introduction
Page: PVS-Studio
Page: PVS-Studio_V

Q

R

Page: Rec. 00. Input Validation and Data Sanitization (IDS)
Page: Rec. 01. Declarations and Initialization (DCL)
Page: Rec. 02. Expressions (EXP)
Page: Rec. 03. Numeric Types and Operations (NUM)
Page: Rec. 04. Characters and Strings (STR)
Page: Rec. 05. Object Orientation (OBJ)
Page: Rec. 06. Methods (MET)
Page: Rec. 07. Exceptional Behavior (ERR)
Page: Rec. 13. Input Output (FIO)
Page: Rec. 15. Platform Security (SEC)
Page: Rec. 18. Concurrency (CON)
Page: Rec. 49. Miscellaneous (MSC)
Page: Rec. AA. References
Page: Rec. BB. Definitions
Page: Rec. Preface
Page: Rec.: All Guidelines with Classification
Page: Rec.: Audience
Page: Rec.: Automatically Generated Code
Page: Rec.: Contents and Organization
Page: Rec.: Priority and Levels
Page: Rec.: Scope
Page: Rec.: Source Code Validation
Page: Rec.: System Qualities
Page: Rec.: TODO List
Page: Rec.: Tool Selection and Validation
Page: Rec.: Usage
Page: Rec.:Guidelines
Page: Reliability: Introduction
Page: Rule 00. Input Validation and Data Sanitization (IDS)
Page: Rule 01. Declarations and Initialization (DCL)
Page: Rule 02. Expressions (EXP)
Page: Rule 03. Numeric Types and Operations (NUM)
Page: Rule 04. Characters and Strings (STR)
Page: Rule 05. Object Orientation (OBJ)
Page: Rule 06. Methods (MET)
Page: Rule 07. Exceptional Behavior (ERR)
Page: Rule 08. Visibility and Atomicity (VNA)
Page: Rule 09. Locking (LCK)
Page: Rule 10. Thread APIs (THI)
Page: Rule 11. Thread Pools (TPS)
Page: Rule 12. Thread-Safety Miscellaneous (TSM)
Page: Rule 13. Input Output (FIO)
Page: Rule 14. Serialization (SER)
Page: Rule 15. Platform Security (SEC)
Page: Rule 16. Runtime Environment (ENV)
Page: Rule 17. Java Native Interface (JNI)
Page: Rule 49. Miscellaneous (MSC)
Page: Rule 50. Android (DRD)
Page: Rule AA. References
Page: Rule BB. Glossary
Page: Rule or Rec. CC. Analyzers
Page: Rule or Rec. DD. Related Guidelines
Page: Rule or Rec. EE. Risk Assessments
Page: Rule. Introduction
Page: Rule. Preface
Page: Rule: Audience
Page: Rule: Automatically Generated Code
Page: Rule: Conformance Testing
Page: Rule: Contents and Organization
Page: Rule: Identifiers
Page: Rule: Normative Guidelines
Page: Rule: Priority and Levels
Page: Rule: Scope
Page: Rule: System Qualities
Page: Rule: Tech-edit
Page: Rule: TODO List
Page: Rule: Tool Selection and Validation
Page: Rule: Usage
Page: Rules versus Recommendations (Java)

S

Page: SEC00-J. Do not allow privileged blocks to leak sensitive information across a trust boundary
Page: SEC01-J. Do not allow tainted variables in privileged blocks
Page: SEC02-J. Do not base security checks on untrusted sources
Page: SEC03-J. Do not load trusted classes after allowing untrusted code to load arbitrary classes
Page: SEC04-J. Protect sensitive operations with security manager checks
Page: SEC05-J. Do not use reflection to increase accessibility of classes, methods, or fields
Page: SEC06-J. Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar
Page: SEC07-J. Call the superclass's getPermissions() method when writing a custom class loader
Page: SEC08-J Trusted code must discard or clean any arguments provided by untrusted code
Page: SEC09-J Never leak the results of certain standard API methods from trusted code to untrusted code
Page: SEC10-J Never permit untrusted code to invoke any API that may (possibly transitively) invoke the reflection APIs
Page: SEC50-J. Avoid granting excess privileges
Page: SEC51-J. Minimize privileged code
Page: SEC52-J. Do not expose methods that use reduced-security checks to untrusted code
Page: SEC53-J. Define custom security permissions for fine-grained security
Page: SEC54-J. Create a secure sandbox using a security manager
Page: SEC55-J. Ensure that security-sensitive methods are called with validated arguments
Page: SEC56-J. Do not serialize direct handles to system resources
Page: SEC57-J. Do not let untrusted code misuse privileges of callback methods
Page: SEC58-J. Deserialization methods should not perform potentially dangerous operations
Page: SECURE CODING GUIDELINES FOR JAVA SE, VERSION 5.0
Page: Security: Introduction
Home page: SEI CERT Oracle Coding Standard for Java
Page: SER00-J. Enable serialization compatibility during class evolution
Page: SER01-J. Do not deviate from the proper signatures of serialization methods
Page: SER02-J. Sign then seal objects before sending them outside a trust boundary
Page: SER03-J. Do not serialize unencrypted sensitive data
Page: SER04-J. Do not allow serialization and deserialization to bypass the security manager
Page: SER05-J. Do not serialize instances of inner classes
Page: SER06-J. Make defensive copies of private mutable components during deserialization
Page: SER07-J. Do not use the default serialized form for classes with implementation-defined invariants
Page: SER08-J. Minimize privileges before deserializing from a privileged context
Page: SER09-J. Do not invoke overridable methods from the readObject() method
Page: SER10-J. Avoid memory and resource leaks during serialization
Page: SER11-J. Prevent overwriting of externalizable objects
Page: SER12-J. Prevent deserialization of untrusted data
Page: SER13-J. Deserialization methods should not perform potentially dangerous operations
Page: SonarQube
Page: SonarQube_V
Page: SpotBugs
Page: SpotBugs_V
Page: STR00-J. Don't form strings containing partial characters from variable-width encodings
Page: STR01-J. Do not assume that a Java char fully represents a Unicode code point
Page: STR02-J. Specify an appropriate locale when comparing locale-dependent data
Page: STR03-J. Do not encode noncharacter data as a string
Page: STR04-J. Use compatible character encodings when communicating string data between JVMs
Page: STR50-J. Use the appropriate method for counting characters in a string
Page: STR51-J. Use the charset encoder and decoder classes when more control over the encoding process is required

T

Page: Test Page
Page: The Checker Framework
Page: The Checker Framework_V
Page: THI00-J. Do not invoke Thread.run()
Page: THI01-J. Do not invoke ThreadGroup methods
Page: THI02-J. Notify all waiting threads rather than a single thread
Page: THI03-J. Always invoke wait() and await() methods inside a loop
Page: THI04-J. Ensure that threads performing blocking operations can be terminated
Page: THI05-J. Do not use Thread.stop() to terminate threads
Page: ThreadSafe
Page: ThreadSafe_V
Page: TPS00-J. Use thread pools to enable graceful degradation of service during traffic bursts
Page: TPS01-J. Do not execute interdependent tasks in a bounded thread pool
Page: TPS02-J. Ensure that tasks submitted to a thread pool are interruptible
Page: TPS03-J. Ensure that tasks executing in a thread pool do not fail silently
Page: TPS04-J. Ensure ThreadLocal variables are reinitialized when using thread pools
Page: TSM00-J. Do not override thread-safe methods with methods that are not thread-safe
Page: TSM01-J. Do not let the this reference escape during object construction
Page: TSM02-J. Do not use background threads during class initialization
Page: TSM03-J. Do not publish partially initialized objects
Page: Type Safety

U

V

Page: VNA00-J. Ensure visibility when accessing shared primitive variables
Page: VNA01-J. Ensure visibility of shared references to immutable objects
Page: VNA02-J. Ensure that compound operations on shared variables are atomic
Page: VNA03-J. Do not assume that a group of calls to independently atomic methods is atomic
Page: VNA04-J. Ensure that calls to chained methods are atomic
Page: VNA05-J. Ensure atomicity when reading and writing 64-bit values

W

X

Y

Z

!@#$

  • No labels