
Few, if any, methods are capable of handling all possible runtime exceptions. Consequently, methods are forbidden to catch RuntimeException. When a method catches RuntimeException, it may receive exceptions unanticipated by the designer, such as NullPointerException. Many catch clauses simply log or ignore the enclosed exceptional condition and attempt to resume normal execution; this practice often violates rule ERR00-J. Do not suppress or ignore checked exceptions. Runtime exceptions often indicate bugs in the program that should be fixed by the developer, and they often cause control flow vulnerabilities. Additionally, methods must not catch Exception or Throwable, because doing so implies catching RuntimeException: RuntimeException extends Exception, which in turn extends Throwable. Finally, any class that catches RuntimeException also violates ERR15-J. Do not catch NullPointerException.

...

EXC14-EX0: A catch block may catch all exceptions to process them before rethrowing them, for example, to filter sensitive information from exceptions before the call stack leaves a trust boundary (refer to rule ERR06-J. Do not allow exceptions to expose sensitive information, as well as CWE 7 and CWE 388). In such cases, a catch block should catch Throwable rather than Exception or RuntimeException.
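The following added example (not part of the CERT rule text) contrasts a catch clause that swallows RuntimeException, and with it a NullPointerException that signals a bug, against a catch clause limited to the anticipated checked exception; the last method illustrates the EXC14-EX0 exception, catching Throwable at a trust boundary only to strip detail before rethrowing. The class and method names are hypothetical.

```java
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;

public final class CatchRuntimeExample {

    // Noncompliant: catching RuntimeException also swallows the
    // NullPointerException raised for a null 'path', hiding the bug
    // and misreporting it as "file missing".
    static boolean existsNoncompliant(String path) {
        try {
            new FileInputStream(path).close();
            return true;
        } catch (RuntimeException | IOException e) {
            return false;
        }
    }

    // Compliant: catch only the anticipated checked exception. A null
    // 'path' still surfaces as a NullPointerException for the developer.
    static boolean exists(String path) {
        try {
            new FileInputStream(path).close();
            return true;
        } catch (FileNotFoundException e) {
            return false;
        } catch (IOException e) {
            throw new IllegalStateException("close failed", e);
        }
    }

    // EXC14-EX0: at a trust boundary, Throwable may be caught so that
    // sensitive detail (here, the file path carried in the message)
    // is removed before a sanitized exception is rethrown.
    static boolean existsAtBoundary(String path) {
        try {
            return exists(path);
        } catch (Throwable t) {
            // Hypothetical sanitized exception: no path, no cause chain.
            throw new SecurityException(
                "file check failed: " + t.getClass().getSimpleName());
        }
    }

    public static void main(String[] args) {
        System.out.println(existsNoncompliant(null)); // false: bug hidden
        try {
            exists(null);
        } catch (NullPointerException e) {
            System.out.println("null path detected"); // bug surfaces
        }
    }
}
```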

...

Automated detection of code that catches RuntimeException, Exception, or Throwable is trivial. Sound automated determination of whether such code complies with the exceptions to this rule is infeasible. Heuristic techniques may be helpful.

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

...