SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 4

changes.mady.by.user Dhruv Mohindra

Saved on

compared with

New Version 5

changes.mady.by.user Dhruv Mohindra

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Updated

This page contains adhoc TODO ideas or topics being currently investigated. Please feel free to comment on these or suggest new ones.

Possible Changes to Current Guidelines

...

  • All classes, methods will need to include the final keyword. Although this is against extensibility, it is critical from the security point of view.

...

  • All file separators must be replaced by platform independent File.separator
  • Wiki Markup

...

  • Possibly use the memento design pattern with deserialization. An inner class performs input validation using 'safe' objects, for example, {{long}} to store {{int}} vals and then updates the state of the actual outer class and so on..., Item 50 \[Daconta 03\]
Possible Recommendations

...

  • readResolve() for deserialization (singletons). Do not serialize sensitive external mutable variables (best to declare them transient)
  • Calling clone.super() is necessary.

...

Possible Recommendations
  • Careful while using environment variables - investigate usual conditions
  • Wiki Markup

...

  • Use HttpSession carefully, Item 25 \[Daconta 03\]

...

  •  Wiki Markup
...
  • For good portability, do not make the assumption - all DBMSs can tolerate several open ResultSet Objects at a time, Item 41 \[Daconta 03\]
  • Thread.interrupted issues
  • Java encoding issues
  • Prefer composition over inheritance
  • Avoid flaws in interfaces
  • Naming conventions
  • Check nonpublic method's params using assertions rather than normal checks
  • Create defensive copies of method params
  • Prefer interfaces to abstract classes
  • Prefer interfaces to Reflection (methods)
  • Failure Atomicity (exceptions should not leave object state inconsistent)
  • Avoid ThreadGroup APIs
  • Masking, Shadowing, Obscuration
...
Possible Rules 
  • Do not catch Error
  • Avoid using Reflection to instantiate inner classes
  •  Wiki Markup
    Use a typesafe enum pattern \[Bloch, Item 20\]
  • Do not hardcode sensitive information
  • compareTo() contract violations like natural ordering that is not consistent with equals
  • Don't catch Throwable without checking for ThreadDeath.
  •  Wiki Markup
    Usage of {{GetResource}} may be unsafe if class is extended \[Findbugs\]
...