The definitions of two constant expressions should be related only when the values they express are also related.
Noncompliant Code Example
In this noncompliant code example, OUT_STR_LEN
must always be exactly 2 greater than IN_STR_LEN
. These definitions fail to reflect this requirement:
Code Block | ||
---|---|---|
| ||
public static final int IN_STR_LEN = 18; public static final int OUT_STR_LEN = 1220; |
Compliant Solution
In this compliant solution, the relationship between the two values is represented in the definitions:
Code Block | ||
---|---|---|
| ||
public static final int IN_STR_LEN = 18;
public static final int OUT_STR_LEN = IN_STR_LEN + 2;
|
Noncompliant Code Example
In this noncompliant code example, there appears to be an underlying relationship between the two constants where none exists.
Code Block | ||
---|---|---|
| ||
public static final int ADULT_AGE = 18;
public static final int ALCOHOL_AGE = ADULT_AGE + 3;
|
A programmer performing routine maintenance may modify the definition for ADULT_AGE
but fail to recognize the resulting change in the definition for ALCOHOL_AGE
.
Compliant Solution
In this compliant solution, the definitions reflect the independence of the two constants.
Code Block | ||
---|---|---|
| ||
public static final int ADULT_AGE = 18;
public static final int ALCOHOL_AGE = 21;
|
Risk Assessment
Failure to properly encode relationships in constant declarations can lead to unexpected values and can complicate maintenance.
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
DCL03DCL57-J JG | low | unlikely | high | P1 | L3 |
Automated Detection
Automated detection is not currently feasible.
Related Guidelines
C Secure Coding Standard: DCL08-C. Properly encode relationships in constant definitions
C++ Secure Coding Standard: DCL08-CPP. Properly encode relationships in constant definitions
Bibliography
[JLS 2005] §4§4.12.4, "final
Variables"
...
DCL56-JG. Use meaningful symbolic constants to represent literal values in program logic 01. Declarations and Initialization (DCL) DCL56-J. Do not apply public final to constants whose value might change