Arrays do not override the Object.equals() method; rather, the implementation of the equals() method compares array references rather than their contents. Programs must use the two-argument Arrays.equals() method to compare the contents of two arrays. Programs must use the reference equality operators, == and !=, when intentionally testing reference equality. Programs also must not use the array equals() method because it can lead to unexpected results.
...
```java
public void arrayEqualsExample() {
  int[] arr1 = new int[20]; // initialized to 0
  int[] arr2 = new int[20]; // initialized to 0
  arr1.equals(arr2); // false: Object.equals() compares references, not contents
}
```
Compliant Solution
This compliant solution compares the two arrays using the two-argument Arrays.equals() method.
```java
// Requires: import java.util.Arrays;
public void arrayEqualsExample() {
  int[] arr1 = new int[20]; // initialized to 0
  int[] arr2 = new int[20]; // initialized to 0
  Arrays.equals(arr1, arr2); // true: element-by-element comparison of contents
}
```
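The following added example (not part of the original rule page) puts the three comparisons side by side on a realistic input, two separately computed SHA-256 digests of the same string, and goes beyond the page in two places: Arrays.deepEquals() for nested arrays, and MessageDigest.isEqual() as the constant-time choice when the arrays hold secret material. The sample input is constructed here; no names are taken from the page.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public class DigestComparisonDemo {

    // Constructed sample input: digesting the same string twice yields two byte
    // arrays with identical contents that are nevertheless distinct objects.
    static byte[] sha256(String s) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
    }

    // Noncompliant: an array's equals() is Object.equals(), i.e. reference identity.
    // Two distinct arrays with identical contents are reported as not equal, so a
    // check written this way rejects every correct digest that lives in another object.
    static boolean matchesNoncompliant(byte[] expected, byte[] actual) {
        return expected.equals(actual);
    }

    // Compliant: element-by-element comparison of contents (EXP02-J).
    static boolean matchesCompliant(byte[] expected, byte[] actual) {
        return Arrays.equals(expected, actual);
    }

    // Also compliant, and preferable for secret material such as MACs or password
    // hashes: the comparison time does not depend on where the arrays first differ.
    static boolean matchesConstantTime(byte[] expected, byte[] actual) {
        return MessageDigest.isEqual(expected, actual);
    }

    // Arrays.equals() on a nested array compares the inner arrays by reference again;
    // Arrays.deepEquals() recurses into them.
    static boolean nestedMatches(byte[][] expected, byte[][] actual) {
        return Arrays.deepEquals(expected, actual);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        byte[] stored = sha256("hello");
        byte[] computed = sha256("hello");

        System.out.println("same reference       : " + (stored == computed));
        System.out.println("array equals()       : " + matchesNoncompliant(stored, computed));
        System.out.println("Arrays.equals()      : " + matchesCompliant(stored, computed));
        System.out.println("MessageDigest.isEqual: " + matchesConstantTime(stored, computed));
        System.out.println("Arrays.deepEquals()  : "
            + nestedMatches(new byte[][] { stored }, new byte[][] { computed }));
    }
}
```

Only the first two lines of output agree with each other; the remaining three report the digests as equal, which is the result the rule's compliant solution intends.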
Risk Assessment
Using the equals() method or relational operators with the intention of comparing array contents produces incorrect results, which can lead to vulnerabilities.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
EXP02-J | low | likely | low | P9 | L2 |
Automated Detection
...
Static detection of calls to Array.equals(...) appears to be straightforward.
Related Guidelines
CWE-595, "Comparison of Object References Instead of Object Contents"
...