rspec/rules/S2385/rule.adoc

== Why is this an issue?

Mutable ``++static++`` members which are accessed directly, rather than through getters and setters, should be protected to the degree possible. That can be done by reducing visibility or making the field ``++final++`` if appropriate. Note that making a mutable field, such as an array, ``++final++`` will keep the variable from being reassigned, but doing so has no effect on the mutability of the internal state of the array (i.e. it doesn't accomplish the goal).


This rule checks that ``++static++`` arrays, ``++Collection++``s, ``++Date++``s, and ``++awt.Point++``s are not ``++public++`` in classes and enumerations.


=== Noncompliant code example

[source,text]
----
public class A {
  public static String [] strings1 = {"first","second"};  // Noncompliant
  public static String [] strings2 = {"first","second"};  // Noncompliant
  public static List<String> strings3 = new ArrayList&lt;&gt;();  // Noncompliant
  // ...
}
----


=== Compliant solution

[source,text]
----
public class A {
  protected static final String [] strings1 = {"first","second"};  // access limited
  private static String [] strings2 = {"first","second"};  // made private with getter, setter
  private static List<String> strings3 = new ArrayList<>();

  public static String [] getStrings2() {
    return strings2.clone();
  }

  public static void setStrings2(String [] strings) {
    strings2 = strings.clone();
  }

  // ...
}
----


== Resources

* CWE - https://cwe.mitre.org/data/definitions/582[CWE-582 - Array Declared Public, Final, and Static]
* CWE - https://cwe.mitre.org/data/definitions/607[CWE-607 - Public Static Final Field References Mutable Object]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make this member "protected".


'''
== Comments And Links
(visible only on this page)

=== on 13 Jan 2015, 14:18:13 Ann Campbell wrote:
Title may need work...

=== on 27 Jan 2015, 20:43:13 Freddy Mallet wrote:
This rule relates to some threads of discussions on the user mailing list:

* It's ultimately hard to know if an object is mutable or not
* And so it's almost impossible to have a rule checking something on "mutable" objects

That's why the scope of the Findbugs rules is limited to known mutable objects like arrays and hashtables. I would also limit the scope of this rule to a defined list of objects. 

=== on 27 Jan 2015, 20:52:45 Freddy Mallet wrote:
I guess we could link this rule with \http://cwe.mitre.org/data/definitions/607.html

=== on 28 Jan 2015, 12:18:47 Ann Campbell wrote:
\[~freddy.mallet] do you want a narrower list than "arrays, collections and Dates" ?

=== on 20 Jul 2015, 07:41:14 Ann Campbell wrote:
Tagged java-top by Ann


endif::env-github,rspecator-view[]
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Fix the double-plus ++ handling in the inline-code 2021-01-27 16:55:38 +01:00			Mutable ``++static++`` members which are accessed directly, rather than through getters and setters, should be protected to the degree possible. That can be done by reducing visibility or making the field ``++final++`` if appropriate. Note that making a mutable field, such as an array, ``++final++`` will keep the variable from being reassigned, but doing so has no effect on the mutability of the internal state of the array (i.e. it doesn't accomplish the goal).
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00
Force linebreaks 2021-02-02 15:02:10 +01:00
Fix the double-plus ++ handling in the inline-code 2021-01-27 16:55:38 +01:00			This rule checks that ``++static++`` arrays, ``++Collection++``s, ``++Date++``s, and ``++awt.Point++``s are not ``++public++`` in classes and enumerations.
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Noncompliant code example`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,text]`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`----`
			`public class A {`
			`public static String [] strings1 = {"first","second"}; // Noncompliant`
			`public static String [] strings2 = {"first","second"}; // Noncompliant`
			`public static List<String> strings3 = new ArrayList<>(); // Noncompliant`
			`// ...`
			`}`
			`----`


migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Compliant solution`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,text]`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`----`
			`public class A {`
			`protected static final String [] strings1 = {"first","second"}; // access limited`
			`private static String [] strings2 = {"first","second"}; // made private with getter, setter`
			`private static List<String> strings3 = new ArrayList<>();`

			`public static String [] getStrings2() {`
			`return strings2.clone();`
			`}`

			`public static void setStrings2(String [] strings) {`
			`strings2 = strings.clone();`
			`}`

			`// ...`
			`}`
			`----`


migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Resources`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) * Fix all CWE references * Fix all OWASP references * Fix missing CWE prefixes 2024-01-15 17:15:56 +01:00			`* CWE - https://cwe.mitre.org/data/definitions/582[CWE-582 - Array Declared Public, Final, and Static]`
			`* CWE - https://cwe.mitre.org/data/definitions/607[CWE-607 - Public Static Final Field References Mutable Object]`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00
Add missing asciidoc includes 2022-01-25 18:36:46 +01:00			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Make this member "protected".`

Add missing asciidoc includes 2022-01-25 18:36:46 +01:00
			`'''`
			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== on 13 Jan 2015, 14:18:13 Ann Campbell wrote:`
			`Title may need work...`

			`=== on 27 Jan 2015, 20:43:13 Freddy Mallet wrote:`
			`This rule relates to some threads of discussions on the user mailing list:`

			`* It's ultimately hard to know if an object is mutable or not`
			`* And so it's almost impossible to have a rule checking something on "mutable" objects`

			`That's why the scope of the Findbugs rules is limited to known mutable objects like arrays and hashtables. I would also limit the scope of this rule to a defined list of objects.`

			`=== on 27 Jan 2015, 20:52:45 Freddy Mallet wrote:`
			`I guess we could link this rule with \http://cwe.mitre.org/data/definitions/607.html`

			`=== on 28 Jan 2015, 12:18:47 Ann Campbell wrote:`
			`\[~freddy.mallet] do you want a narrower list than "arrays, collections and Dates" ?`

			`=== on 20 Jul 2015, 07:41:14 Ann Campbell wrote:`
			`Tagged java-top by Ann`

Add missing asciidoc includes 2022-01-25 18:36:46 +01:00
			`endif::env-github,rspecator-view[]`