In Java, arrays are objects and support object methods such as Object.equals(). However, arrays do not support any methods besides those provided by Object. Consequently, using Object.equals() on any array compares only array references, not their contents. Programmers who wish to compare the contents of two arrays must use the static two-argument Arrays.equals() method. This method considers two arrays equivalent if both arrays contain the same number of elements, and all corresponding pairs of elements in the two arrays are equivalent, according to Object.equals(). In other words, two arrays are equal if they contain equivalent elements in the same order. To test for reference equality, use the reference equality operators, == and !=.
...
This noncompliant code example uses the Object.equals() method to compare two arrays:

```java
int[] arr1 = new int[20]; // Initialized to 0
int[] arr2 = new int[20]; // Initialized to 0
System.out.println(arr1.equals(arr2)); // Prints false
```
Compliant Solution
This compliant solution compares the content of two arrays using the two-argument Arrays.equals() method.
...
This compliant solution compares the array references using the reference equality operator ==:

```java
int[] arr1 = new int[20]; // Initialized to 0
int[] arr2 = new int[20]; // Initialized to 0
System.out.println(arr1 == arr2); // Prints false
```
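To show the three comparisons side by side, here is an added example (it is not code from the CERT rule page); it also goes one step beyond the rule text to nested arrays, where Arrays.equals() compares the inner arrays by reference and Arrays.deepEquals() is the content comparison. The class and method names are made up for this example.

```java
import java.util.Arrays;

public class ArrayComparisonDemo {

    // Reference equality: true only when both variables refer to the same array object.
    static boolean sameReference(int[] a, int[] b) {
        return a == b;
    }

    // Arrays do not override Object.equals(), so this is the same test as a == b.
    static boolean objectEquals(int[] a, int[] b) {
        return a.equals(b);
    }

    // Content equality: same length and equal elements at every index, in order.
    static boolean contentEquals(int[] a, int[] b) {
        return Arrays.equals(a, b);
    }

    // Arrays.equals() on int[][] compares the inner int[] elements with Object.equals(),
    // i.e. by reference; Arrays.deepEquals() recurses into them and compares contents.
    static boolean nestedContentEquals(int[][] a, int[][] b) {
        return Arrays.deepEquals(a, b);
    }

    public static void main(String[] args) {
        int[] arr1 = new int[20]; // Initialized to 0
        int[] arr2 = new int[20]; // Initialized to 0
        int[] alias = arr1;       // A second reference to the same object as arr1

        System.out.println("== on distinct arrays:         " + sameReference(arr1, arr2));
        System.out.println("== on an alias:                " + sameReference(arr1, alias));
        System.out.println("equals() on distinct arrays:   " + objectEquals(arr1, arr2));
        System.out.println("Arrays.equals(), same content: " + contentEquals(arr1, arr2));

        arr2[19] = 1; // Change one element so the contents no longer match
        System.out.println("Arrays.equals(), one element differs: " + contentEquals(arr1, arr2));

        // Constructed nested arrays with identical contents but distinct inner objects
        int[][] grid1 = { {1, 2}, {3, 4} };
        int[][] grid2 = { {1, 2}, {3, 4} };
        System.out.println("Arrays.equals() on int[][]:     " + Arrays.equals(grid1, grid2));
        System.out.println("Arrays.deepEquals() on int[][]: " + nestedContentEquals(grid1, grid2));
    }
}
```

Run as written, the alias check, Arrays.equals() on the two fresh arrays, and Arrays.deepEquals() on the grids print true; the other four comparisons print false.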
Risk Assessment
Using the equals() method or relational operators with the intention of comparing array contents produces incorrect results, which can lead to vulnerabilities.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
EXP02-J | Low | Likely | Low | P9 | L2 |
Automated Detection
Static detection of calls to Object.equals() is straightforward. However, it is not always possible to statically resolve the class of a method invocation's target. Consequently, it may not always be possible to determine when Object.equals() is invoked for an array type.
Tool | Version | Checker | Description |
---|---|---|---|
Coverity | 7.5 | BAD_EQ | Implemented |
Related Guidelines
CWE-595, Comparison of Object References Instead of Object Contents
...