...
Instead, prefer throwing a more specific exception, subclassed from Exception. It is permissible to construct an exception class specifically for a single throw statement.
Noncompliant Code Example
This noncompliant code example takes a string and returns true if it consists of a capital letter followed by lowercase letters. To handle corner cases, it checks for the exceptional conditions and throws exceptions if they are likely to disrupt the normal operation.
...
To handle the case of passing in a null string parameter, code calling this method may require catching RuntimeException, which is a violation of EXC32-J. Catch specific exceptions as opposed to the more general RuntimeException.
Compliant Solution
This compliant solution devotes a specific exception (NullPointerException) to denote the particular exceptional condition.
```java
boolean isCapitalized(String s) {
  if (s == null) {
    throw new NullPointerException();
  }
  if (s.equals("")) {
    return true;
  }
  String first = s.substring(0, 1);
  String rest = s.substring(1);
  return (first.equals(first.toUpperCase())
          && rest.equals(rest.toLowerCase()));
}
```
Noncompliant Code Example
This noncompliant code example uses the broad Exception class in the throws declaration of the method.
```java
private void doSomething() throws Exception {
  //...
}
```
Compliant Solution
To be compliant, be as specific as possible when declaring exceptions and respect the required abstraction level.
...
Using instanceof to check for narrower exceptions in a general catch block is not always helpful, because it is usually impossible to enumerate all the exceptions that the code is capable of throwing.
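The following added example (not part of the original CERT page) puts the two compliant practices above together: a single-use exception class subclassed from Exception, and a throws clause that names the specific checked exceptions instead of Exception. The class names ConfigLoader and MalformedConfigException, the method names and the temporary-file setup are all assumptions made for this illustration. The last method shows the brittle alternative the text warns about, a broad catch with instanceof dispatch, which also swallows an unintended NullPointerException caused by a caller bug.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

final class ConfigLoader {
  // Compliant: the throws clause lists exactly the checked exceptions this
  // method can raise, so callers can handle each intended condition separately.
  static int loadPort(Path file) throws IOException, MalformedConfigException {
    String text = Files.readString(file).trim();   // may throw IOException
    if (!text.matches("\\d{1,5}")) {
      throw new MalformedConfigException("port is not a number: '" + text + "'");
    }
    return Integer.parseInt(text);
  }

  // Caller handles the intended conditions by type. Anything unexpected, such as a
  // NullPointerException from a null path, is NOT caught here and surfaces as a bug.
  static int portOrDefault(Path file, int fallback) {
    try {
      return loadPort(file);
    } catch (IOException e) {
      System.err.println("config unreadable: " + e.getMessage());
      return fallback;
    } catch (MalformedConfigException e) {
      System.err.println("config rejected: " + e.getMessage());
      return fallback;
    }
  }

  // Brittle alternative: a broad catch with instanceof dispatch. The branches cover
  // the conditions the author thought of; every other exception, including the
  // NullPointerException from loadPort(null), silently becomes the fallback value.
  static int portOrDefaultBroad(Path file, int fallback) {
    try {
      return loadPort(file);
    } catch (Exception e) {
      if (e instanceof IOException) {
        System.err.println("config unreadable: " + e.getMessage());
      } else if (e instanceof MalformedConfigException) {
        System.err.println("config rejected: " + e.getMessage());
      } else {
        // Unintended exceptions end up here and are masked.
        System.err.println("unexpected: " + e);
      }
      return fallback;
    }
  }

  public static void main(String[] args) throws IOException {
    Path tmp = Files.createTempFile("port", ".cfg");   // constructed sample input
    try {
      Files.writeString(tmp, "8080\n");
      System.out.println(portOrDefault(tmp, 80));       // 8080
      Files.writeString(tmp, "eighty");
      System.out.println(portOrDefault(tmp, 80));       // 80, after "config rejected"
      System.out.println(portOrDefaultBroad(null, 80)); // 80, NullPointerException masked
      System.out.println(portOrDefault(null, 80));      // NullPointerException propagates
    } finally {
      Files.deleteIfExists(tmp);
    }
  }
}

// Hypothetical exception class built for a single throw statement, as the text permits.
final class MalformedConfigException extends Exception {
  MalformedConfigException(String message) {
    super(message);
  }
}
```

Run it as a single-file program with `java ConfigLoader.java` (Java 11 or later, for Files.readString). The first three calls print their fallback or parsed value; the fourth terminates the program with the NullPointerException, which is the intended outcome: a caller bug is reported rather than converted into a default port by a catch block that was only meant for I/O and format errors.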
Risk Assessment
Throwing RuntimeException and Exception prevents classes from catching the intended exceptions without catching other unintended exceptions as well.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
EXC33-J | low | likely | medium | P6 | L2 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[MITRE 09] CWE ID 397, "Declaration of Throws for Generic Exception", http://cwe.mitre.org/data/definitions/397.html; CWE ID 537, "Information Leak Through Java Runtime Error Message", http://cwe.mitre.org/data/definitions/537.html
[Goetz 04b]
[Tutorials 08] "Unchecked Exceptions - The Controversy", http://java.sun.com/docs/books/tutorial/essential/exceptions/runtime.html
...