Programmers often fall into the trap of suppressing or ignoring checked exceptions. Unless there is a valid reason for ignoring an exception, such as when the client cannot be expected to stage a recovery, it is important to handle it appropriately: a swallowed exception leaves the program running as though the failed operation had succeeded.
Noncompliant Code Example
In this noncompliant example, the programmer leaves the catch block adorned only with an ignore comment; the exception is swallowed and the failure is never reported.

```java
try {
  // ...
} catch (IOException ioe) {
  /* ignore */
}
```
Noncompliant Code Example
Printing the exception's stack trace can be useful for debugging but, by itself, is equivalent to ignoring the exception: execution continues as though nothing went wrong, as this noncompliant example demonstrates.

```java
try {
  // ...
} catch (IOException ioe) {
  ioe.printStackTrace();
}
```
Compliant Solution
This compliant solution attempts to recover from a FileNotFoundException by forcing the user to specify another file when the requested file does not exist in the user-specific directory.

```java
try {
  // Requested file does not exist
} catch (IOException ioe) {
  /* ask the user for a different filename */
}
```
Although not explicitly required by this recommendation, failure-tolerant systems must also catch and handle unexpected unchecked exceptions resulting from programming errors. In all other cases, refrain from using the throws clause to force the client into dealing with unchecked exceptions [Bloch 08].
Exceptions
It is reasonable to ignore an exception which occurs within a catch or finally block, such as while trying to close a FileInputStream object. It is also permissible when the client cannot be expected to recover from the exception easily.
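The following program, added here as an illustration and not taken from the CERT page, puts the compliant solution and the Exceptions section together in one runnable unit. The helper openWithRetry is hypothetical: it reacts to a FileNotFoundException by asking the user for another filename and, after a bounded number of attempts, propagates the exception instead of swallowing it. The finally block shows the one case the page permits, ignoring an IOException raised by close() on a stream that is being discarded anyway. The default filename "input.txt" and the attempt limit of 3 are constructed values.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.Scanner;

public class RecoverableFileRead {

    /**
     * Hypothetical helper (not part of the CERT page): tries to open the named file and,
     * on FileNotFoundException, asks the user for another name instead of ignoring the
     * exception. After maxAttempts failures the last exception is rethrown so that the
     * caller, not a silent catch block, decides what happens next.
     */
    static FileInputStream openWithRetry(Scanner prompt, String initialName, int maxAttempts)
            throws FileNotFoundException {
        String name = initialName;
        for (int attempt = 1; ; attempt++) {
            try {
                return new FileInputStream(name);
            } catch (FileNotFoundException fnfe) {
                // Recovery, not suppression: report the problem and ask for another file.
                System.err.println("Cannot open '" + name + "': " + fnfe.getMessage());
                if (attempt >= maxAttempts) {
                    throw fnfe; // handled by propagating, never by swallowing
                }
                System.out.print("Enter a different filename: ");
                name = prompt.nextLine();
            }
        }
    }

    // Reads the first line of the stream; IOException is declared, not hidden.
    static String readFirstLine(FileInputStream in) throws IOException {
        BufferedReader reader =
                new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8));
        return reader.readLine();
    }

    public static void main(String[] args) {
        String requested = args.length > 0 ? args[0] : "input.txt"; // constructed default
        Scanner prompt = new Scanner(System.in, StandardCharsets.UTF_8.name());
        FileInputStream in = null;
        int exitCode = 0;
        try {
            in = openWithRetry(prompt, requested, 3);
            System.out.println("First line: " + readFirstLine(in));
        } catch (IOException ioe) {
            // The read failed or all retries were exhausted: fail visibly rather than
            // continuing as if the input had been processed.
            System.err.println("Giving up: " + ioe.getMessage());
            exitCode = 1;
        } finally {
            // The permitted case from the Exceptions section: an IOException from close()
            // inside finally cannot be recovered from, so ignoring it is acceptable.
            if (in != null) {
                try {
                    in.close();
                } catch (IOException ignored) {
                    // intentionally ignored: the stream is being discarded anyway
                }
            }
        }
        if (exitCode != 0) {
            System.exit(exitCode);
        }
    }
}
```

The exit code is recorded in the catch block and applied after the finally block so that the close() attempt still runs; calling System.exit inside the catch would skip it.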
Risk Assessment
Ignoring or suppressing exceptions violates the fail-safe criteria of an application: after an error it did not handle, the program continues in an unknown state.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level
---|---|---|---|---|---
EXC00-J | low | probable | medium | P4 | L3
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[JLS 05] Chapter 11, Exceptions (http://java.sun.com/docs/books/jls/third_edition/html/exceptions.html)
[Bloch 08] Item 65: "Don't ignore exceptions"; Item 62: "Document all exceptions thrown by each method"
[MITRE 09] CWE ID 390, "Detection of Error Condition Without Action" (http://cwe.mitre.org/data/definitions/390.html)