Allowing unauthorized calls to System.exit() may lead to denial of service.

| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| ERR09-J | Low | Unlikely | Medium | P2 | L3 |

Automated Detection

| Tool | Version | Checker | Description |
|---|---|---|---|
| CodeSonar | | PMD.J2EE.DoNotCallSystemExit | Do not call System exit |
| | | FB.BAD_PRACTICE.DM_EXIT | Method invokes System.exit(...) |
| Coverity | 7.5 | DC.CODING_STYLE, FB.DM_EXIT | Implemented |
| Parasoft Jtest | | CODSTA.BP.EXIT, SECURITY.EAB.JVM | Implemented |
| SonarQube | | S1147 | Implemented. Exit methods should not be called |

Related Guidelines

MITRE CWE

CWE-382, J2EE Bad Practices: Use of System.exit()

Android Implementation Details

On Android, System.exit() should not be used because it will terminate the virtual machine abruptly, ignoring the activity life cycle, which may prevent proper garbage collection.
