ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S2885/java/rule.adoc
Jamie Anderson 9ee16daa47
Modify rules: Add STIG AS&D 2023-06-08 mappings (#3914) 
* Update JSON schema to include STIG ASD 2023-06-08 mapping

* Update rules to add STIG metadata mappings

---------

Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com>
2024-05-06 08:56:31 +02:00

76 lines
2.8 KiB
Plaintext
Raw Blame History

== Why is this an issue?
When an object is marked as `static`, it means that it belongs to the class rather than any class instance.
This means there is only one copy of the static object in memory, regardless of how many class instances are created.
Static objects are shared among all instances of the class and can be accessed using the class name rather than an instance of the class.
A data type is considered thread-safe if it can be used correctly by multiple threads, regardless of how those threads are executed,
without requiring additional coordination from the calling code.
In other words, a thread-safe data type can be accessed and modified by multiple threads simultaneously without causing any issues or
requiring extra work from the programmer to ensure correct behavior.
Non-thread-safe objects are objects that are not designed to be used in a multi-threaded environment and can lead to race conditions and
data inconsistencies when accessed by multiple threads simultaneously.
Using them in a multi-threaded manner is highly likely to cause data problems or exceptions at runtime.
When a non-thread-safe object is marked as static in a multi-threaded environment, it can cause issues because the non-thread-safe object
will be shared across different instances of the containing class.
This rule raises an issue when any of the following instances and their subtypes are marked as `static`:
* `java.util.Calendar`,
* `java.text.DateFormat`,
* `javax.xml.xpath.XPath`, or
* `javax.xml.validation.SchemaFactory`.
== How to fix it
Remove the `static` keyword from non-thread-safe fields.
=== Code examples
==== Noncompliant code example
[source,java,diff-id=1,diff-type=noncompliant]
----
public class MyClass {
private static Calendar calendar = Calendar.getInstance(); // Noncompliant
private static SimpleDateFormat format = new SimpleDateFormat("HH-mm-ss"); // Noncompliant
}
----
==== Compliant solution
[source,java,diff-id=1,diff-type=compliant]
----
public class MyClass {
private Calendar calendar = Calendar.getInstance();
private SimpleDateFormat format = new SimpleDateFormat("HH-mm-ss");
}
----
== Resources
=== Articles & blog posts
* https://web.mit.edu/6.005/www/fa14/classes/18-thread-safety/[MIT - Thread safety]
* https://www.baeldung.com/java-thread-safety[Baeldung - Thread safety]
* https://www.baeldung.com/java-static[Baeldung - Static]
=== Standards
* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions.
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Make "XXX" an instance variable.
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink