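| Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
|-----------|----------|------------|------------------|----------|-------|
| SEC02-J   | medium   | likely     | high             | P6       | L2    |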

Automated Detection

Identifying sensitive information requires assistance from the programmer; fully automated identification of sensitive information is beyond the current state of the art.

If we had user-provided tagging of sensitive information, we could perform escape analysis on the doPrivileged blocks and perhaps prove that nothing sensitive leaks out of them. We could even use something akin to thread coloring to identify the methods that must (or must not) be called from doPrivileged blocks. The step that will certainly resist automated detection is identifying sensitive information in the first place. This is essentially guaranteed to require assistance from the programmer.
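The following added example (not code from this guideline or from any existing tool) sketches what such tagging could look like and what an escape analysis would be asked to decide. The `@Sensitive` annotation, the `PasswordStore` class and the `password.txt` path are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.lang.annotation.*;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

/** Hypothetical programmer-supplied tag; not part of the JDK or any real analyzer. */
@Retention(RetentionPolicy.CLASS)
@Target({ElementType.FIELD, ElementType.LOCAL_VARIABLE})
@interface Sensitive {}

public class PasswordStore {
    private static final String PASSWORD_FILE = "password.txt"; // placeholder path

    // Would be flagged: the tagged stream is the block's return value and is
    // handed on to an arbitrary caller, so it escapes the doPrivileged block.
    public static InputStream leakyOpen() throws FileNotFoundException {
        try {
            return AccessController.doPrivileged(
                (PrivilegedExceptionAction<InputStream>) () -> {
                    @Sensitive InputStream in = new FileInputStream(PASSWORD_FILE);
                    return in;
                });
        } catch (PrivilegedActionException e) {
            throw (FileNotFoundException) e.getException();
        }
    }

    // Would be accepted: the tagged stream is opened, read and closed inside
    // the block; only an untagged boolean leaves it.
    public static boolean hasEntries() throws IOException {
        try {
            return AccessController.doPrivileged(
                (PrivilegedExceptionAction<Boolean>) () -> {
                    try (@Sensitive InputStream in = new FileInputStream(PASSWORD_FILE)) {
                        return in.read() != -1;
                    }
                });
        } catch (PrivilegedActionException e) {
            throw (IOException) e.getException();
        }
    }
}
```

The analysis can only reason about the stream because the programmer tagged it; without the annotation both methods look identical to a tool.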

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
