Using the equals() method or relational operators with the intention of comparing array contents produces incorrect results, because for arrays they compare references rather than contents; this can lead to vulnerabilities.
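The following is an added illustration of the behaviour described above; it is not code from the CERT page. The class and method names (ArrayCompare, compareWithEquals, compareContents, compareNested, secretsMatch) and the sample arrays are constructed for this example. It goes slightly beyond the page in two respects: Arrays.deepEquals() for nested arrays (where Arrays.equals() would still compare the inner arrays by reference), and MessageDigest.isEqual() for arrays that hold secrets, where a timing-independent comparison is the appropriate choice.

```java
import java.security.MessageDigest;
import java.util.Arrays;

public class ArrayCompare {

    // Constructed sample input: two distinct array objects holding the same bytes.
    static final byte[] EXPECTED = {0x01, 0x02, 0x03};
    static final byte[] RECEIVED = {0x01, 0x02, 0x03};

    // Noncompliant: arrays do not override Object.equals(), so this is
    // reference equality, exactly like ==. Distinct arrays with identical
    // contents compare as unequal.
    static boolean compareWithEquals(byte[] a, byte[] b) {
        return a.equals(b);
    }

    // Noncompliant for the same reason: == compares object references only.
    static boolean compareWithOperator(byte[] a, byte[] b) {
        return a == b;
    }

    // Compliant: Arrays.equals() compares length and every element.
    static boolean compareContents(byte[] a, byte[] b) {
        return Arrays.equals(a, b);
    }

    // Compliant for nested arrays: Arrays.deepEquals() recurses into the
    // inner arrays, whereas Arrays.equals() would compare them by reference.
    static boolean compareNested(int[][] a, int[][] b) {
        return Arrays.deepEquals(a, b);
    }

    // When the arrays are secrets (tokens, MACs, password hashes), use
    // MessageDigest.isEqual(), which does not stop at the first differing byte.
    static boolean secretsMatch(byte[] expected, byte[] presented) {
        return MessageDigest.isEqual(expected, presented);
    }

    public static void main(String[] args) {
        System.out.println("equals():        " + compareWithEquals(EXPECTED, RECEIVED));
        System.out.println("==:              " + compareWithOperator(EXPECTED, RECEIVED));
        System.out.println("Arrays.equals(): " + compareContents(EXPECTED, RECEIVED));
        System.out.println("isEqual():       " + secretsMatch(EXPECTED, RECEIVED));

        int[][] nestedA = {{1, 2}, {3}};
        int[][] nestedB = {{1, 2}, {3}};
        System.out.println("Arrays.equals() on nested:     " + Arrays.equals(nestedA, nestedB));
        System.out.println("Arrays.deepEquals() on nested: " + compareNested(nestedA, nestedB));
    }
}
```

Running main() makes the failure mode visible: the two noncompliant comparisons report the arrays as unequal even though their contents match, while Arrays.equals() (and, for secrets, MessageDigest.isEqual()) reports them as equal. The nested case shows why the choice between Arrays.equals() and Arrays.deepEquals() matters when array elements are themselves arrays.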

Rule     Severity  Likelihood  Remediation Cost  Priority  Level
EXP02-J  Low       Likely      Low               P9        L2

Automated Detection

Static detection of calls to Object.equals() is straightforward. However, it is not always possible to statically resolve the class of a method invocation's target. Consequently, it may not always be possible to determine when Object.equals() is invoked for an array type.

Tool                   Version  Checker                                            Description
CodeSonar                       FB.CORRECTNESS.EC_BAD_ARRAY_COMPARE                Invocation of equals() on an array, which is equivalent to ==
Coverity               7.5      BAD_EQ                                             Implemented
                                FB.EQ_ABSTRACT_SELF
                                FB.EQ_ALWAYS_FALSE
                                FB.EQ_ALWAYS_TRUE
                                FB.EQ_CHECK_FOR_OPERAND_NOT_COMPATIBLE_WITH_THIS
                                FB.EQ_COMPARETO_USE_OBJECT_EQUALS
                                FB.EQ_COMPARING_CLASS_NAMES
                                FB.EQ_DOESNT_OVERRIDE_EQUALS
                                FB.EQ_DONT_DEFINE_EQUALS_FOR_ENUM
                                FB.EQ_GETCLASS_AND_CLASS_CONSTANT
                                FB.EQ_OTHER_NO_OBJECT
                                FB.EQ_OTHER_USE_OBJECT
                                FB.EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC
                                FB.EQ_SELF_NO_OBJECT
                                FB.EQ_SELF_USE_OBJECT
                                FB.EQ_UNUSUAL
Parasoft Jtest                  PB.CUB.UEIC
SonarQube Java Plugin           S2159                                              Implemented. Silly equality checks should not be made

Related Guidelines

MITRE CWE

CWE-595, Comparison of Object References Instead of Object Contents
