Software systems can be validated as conforming to the CERT Oracle Secure Coding Standard for Java. Source code analysis tools, including compilers and static analysis tools, can be certified as able to validate source code as conforming to this coding standard.
Normative vs. Non-
...
Normative Text
Portions of this coding standard are intended to be normative; other portions are intended as good advice. The normative statements in these guideline rules are the requirements for conformance with the standard. Normative statements use imperative language , for example, such as "must," "shall," and "require,." etc. Normative portions of each guideline rule must be analyzable, although automated analysis is infeasible for some guidelinesrules and not required.
The non-normative nonnormative portions of a guideline are those where we rule describe good practice practices or useful advice. Non-normative Nonnormative statements do not establish conformance requirements. Non-normative Nonnormative statements use verbs such as "should," or phrases such as "we recommendis recommended" or "Good practice is to..is good practice." . Non-normative Nonnormative portions of guidelines rules may be inappropriate for automated checking , because such checking would likely report excessive false positives when applied to existing code. Automated checkers for these non-normative nonnormative portions might be useful when analyzing " new " code (that is, code that has been developed to this coding standard).
The vast majority of guidelines All of the rules in this standard have a normative component. Non-normative portions exist Nonnormative recommendations are provided only when:
- there is well-known good practice to follow.
...
- the rule describes an approach that, if universally followed, would
...
- avoid violations where the normative part of the
...
- rule applies
...
- and would also be harmless when applied to code where the normative part of the
...
- rule is inapplicable.
Entirely non-normative nonnormative guidelines are not included in excluded from this coding standard, but will be covered in . However, the authors of this book are planning a follow on publication: Recommendations for Secure Coding in Java-on effort to publish these guidelines.
Source Code Conformance
Conformance to The CERT Oracle Secure Coding Standard for Java can be used as as security indicator or metric. While conformance does not guarantee the absence of vulnerabilities (for example, vulnerabilities resulting from design flaws), it does guarantee the absence of coding errors that are commonly found to be the root causes of vulnerabilities.
...