rspec/rules/S2652/java/rule.adoc
Egon Okerman d1417e82f8
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529)
* Fix all CWE references

* Fix all OWASP references

* Fix missing CWE prefixes
2024-01-15 17:15:56 +01:00


== Why is this an issue?
To ensure EJB portability, the EJB specification forbids the use of functionality in the ``++java.io++`` package. Instead of reading and writing files, EJBs should use some other means of data storage and retrieval, such as JDBC.
This rule raises an issue for the first ``++java.io++`` method call in each method.
=== Noncompliant code example
[source,java]
----
import java.io.BufferedWriter;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;

public class MyBean implements BeanInterface {
  private File baseline = null;
  private String content = "";

  private void readBaseline() {
    try {
      baseline = new File(Constants.INTEREST_RATE_FILE); // Noncompliant
      if (baseline.exists()) {
        //...
      }
    } catch (SecurityException e) { // File.exists() may be refused by a security manager
      //...
    }
  }

  private void writeBaseline() {
    try {
      FileWriter fw = new FileWriter(baseline.getAbsoluteFile()); // Noncompliant
      BufferedWriter bw = new BufferedWriter(fw);
      bw.write(content);
      bw.close();
    } catch (IOException e) {
      //...
    }
  }
}
----
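The same bean rewritten to keep its state through JDBC instead of the file system, as an added example that is not part of the rule specification. It assumes a container-managed `DataSource` bound at the Java EE default JNDI name `java:comp/DefaultDataSource`, and the table `interest_rate_baseline` with columns `id` and `rate` is constructed for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.annotation.Resource;
import javax.ejb.Stateless;
import javax.sql.DataSource;

@Stateless
public class MyBean implements BeanInterface {

  // Injected by the container; the JNDI name is an assumption for this example.
  @Resource(lookup = "java:comp/DefaultDataSource")
  private DataSource dataSource;

  // Reads the baseline through JDBC; no java.io call, so the rule does not fire.
  // Table and column names are constructed for this example.
  public String readBaseline() {
    String sql = "SELECT rate FROM interest_rate_baseline WHERE id = ?";
    try (Connection con = dataSource.getConnection();
         PreparedStatement ps = con.prepareStatement(sql)) {
      ps.setInt(1, 1);
      try (ResultSet rs = ps.executeQuery()) {
        return rs.next() ? rs.getString("rate") : null;
      }
    } catch (SQLException e) {
      // An unchecked exception is treated as an EJB system exception: the
      // container rolls back the transaction and discards the bean instance.
      throw new IllegalStateException("Could not read baseline", e);
    }
  }

  // Writes the baseline with a parameterized statement inside the
  // container-managed transaction instead of a FileWriter.
  public void writeBaseline(String content) {
    String sql = "UPDATE interest_rate_baseline SET rate = ? WHERE id = ?";
    try (Connection con = dataSource.getConnection();
         PreparedStatement ps = con.prepareStatement(sql)) {
      ps.setString(1, content);
      ps.setInt(2, 1);
      ps.executeUpdate();
    } catch (SQLException e) {
      throw new IllegalStateException("Could not write baseline", e);
    }
  }
}
```

Because the connection comes from the container's pool, the bean stays portable across application servers and the file-system dependency the rule flags disappears.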
== Resources
* CWE - https://cwe.mitre.org/data/definitions/576[CWE-576 - EJB Bad Practices: Use of Java I/O]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Remove the use of Java I/O functionality from this method.
'''
== Comments And Links
(visible only on this page)
=== on 27 Feb 2015, 17:39:39 Ann Campbell wrote:
\[~nicolas.peru] see what you think about the way the rule would raise issues. My first thought was to log an issue for each ``++java.io++`` method call, but that would have quickly gotten ridiculous.
=== on 8 Apr 2015, 15:01:02 Nicolas Peru wrote:
\[~ann.campbell.2] I am wondering about this: what about the debt count then? Maybe we should raise the issue on the file with a linear debt?
=== on 8 Apr 2015, 19:20:19 Ann Campbell wrote:
\[~nicolas.peru] how about we stick with an issue per method-using-I/O with a baseline+offset cost: 10 min + 2 min per I/O-object method call after object acquisition?
=== on 9 Apr 2015, 07:28:57 Nicolas Peru wrote:
\[~ann.campbell.2] Ok, let's go with that. Probably not the simplest implementation but we'll deal with that during impl time.
endif::env-github,rspecator-view[]