ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S2385/rule.adoc
Egon Okerman d1417e82f8
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) 
* Fix all CWE references

* Fix all OWASP references

* Fix missing CWE prefixes
2024-01-15 17:15:56 +01:00

86 lines
2.7 KiB
Plaintext
Raw Blame History

== Why is this an issue?
Mutable ``++static++`` members which are accessed directly, rather than through getters and setters, should be protected to the degree possible. That can be done by reducing visibility or making the field ``++final++`` if appropriate. Note that making a mutable field, such as an array, ``++final++`` will keep the variable from being reassigned, but doing so has no effect on the mutability of the internal state of the array (i.e. it doesn't accomplish the goal).
This rule checks that ``++static++`` arrays, ``++Collection++``s, ``++Date++``s, and ``++awt.Point++``s are not ``++public++`` in classes and enumerations.
=== Noncompliant code example
[source,text]
----
public class A {
public static String [] strings1 = {"first","second"}; // Noncompliant
public static String [] strings2 = {"first","second"}; // Noncompliant
public static List<String> strings3 = new ArrayList&lt;&gt;(); // Noncompliant
// ...
}
----
=== Compliant solution
[source,text]
----
public class A {
protected static final String [] strings1 = {"first","second"}; // access limited
private static String [] strings2 = {"first","second"}; // made private with getter, setter
private static List<String> strings3 = new ArrayList<>();
public static String [] getStrings2() {
return strings2.clone();
}
public static void setStrings2(String [] strings) {
strings2 = strings.clone();
}
// ...
}
----
== Resources
* CWE - https://cwe.mitre.org/data/definitions/582[CWE-582 - Array Declared Public, Final, and Static]
* CWE - https://cwe.mitre.org/data/definitions/607[CWE-607 - Public Static Final Field References Mutable Object]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Make this member "protected".
'''
== Comments And Links
(visible only on this page)
=== on 13 Jan 2015, 14:18:13 Ann Campbell wrote:
Title may need work...
=== on 27 Jan 2015, 20:43:13 Freddy Mallet wrote:
This rule relates to some threads of discussions on the user mailing list:
* It's ultimately hard to know if an object is mutable or not
* And so it's almost impossible to have a rule checking something on "mutable" objects
That's why the scope of the Findbugs rules is limited to known mutable objects like arrays and hashtables. I would also limit the scope of this rule to a defined list of objects.
=== on 27 Jan 2015, 20:52:45 Freddy Mallet wrote:
I guess we could link this rule with \http://cwe.mitre.org/data/definitions/607.html
=== on 28 Jan 2015, 12:18:47 Ann Campbell wrote:
\[~freddy.mallet] do you want a narrower list than "arrays, collections and Dates" ?
=== on 20 Jul 2015, 07:41:14 Ann Campbell wrote:
Tagged java-top by Ann
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink