...
Avoid these problems by declaring meaningfully-named constants as class variables, setting their values to the desired literals, and referencing the constants in place of the literals throughout the program. This approach allows the use of a name that clearly indicates the meaning or intended use of the literal. Further, should the constant require modification, the change is limited to the declaration; searching the code is unnecessary.
...
The final keyword in Java is used to declare constants. Its effect is to render the affected non-composite variable immutable. Attempts to change the value of a final-qualified variable after it has been initialized result in a compile-time error. Because constants cannot be changed, it is desirable to define only one instance of them for the class; consequently, constants should also be declared with the static modifier. (See guideline DCL04-J. Declare mathematical constants as static and final.)
...
This code snippet declares the value SIZE to be of the type int and value 25. This constant can subsequently be used wherever the value 25 is needed.
...
The methods use the seemingly-random literals 12.56, 4.19, and 6.28 to represent various scaling factors used to calculate these dimensions. Someone reading this code may would have little idea about how they were generated or what they mean, and would, consequently, be unable to understand the function of this code.
...
This noncompliant code attempts to avoid the above issues by explicitly calculating the required constants.
| Code Block | ||
|---|---|---|
| ||
double area(double radius) {
return 4.0 * 3.14 * radius * radius; }
double volume(double radius) {
return 4.0/3.0 * 3.14 * radius * radius * radius; }
double greatCircleCircumference(double radius) {
return 2 * 3.14 * radius; }
|
...
This reduces clutter and promotes maintainability. If a more precise value of pi is required, the programmer can simply redefine the constant.
Compliant Solution
...
(Predefined Constants)
The class java.lang.Math defines a large set of numeric constants, such as PI and the exponential constant E. Prefer the use of predefined constants when the are available.
...
DCL02-EX1: The use of symbolic constants should be restricted to cases where they improve the readability and maintainability of the code. Using them when the intent of the literal is obvious, or where the literal is not likely to change, can impair code readability. In the preceding compliant solution, the values 4.0 and 3.0 in the volume calculation are clearly scaling factors used to calculate the circle volume , and as such are not subject to change (unlike pi), so they can be represented exactly; there is no reason to change them to increase precision). Hence, replacing them with symbolic constants is inappropriate.
...
Using numeric literals makes code more difficult to read, understand, and edit.
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
DCL02-J | low | unlikely | high | P1 | L3 |
...
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Other Languages
Related Guidelines
This guideline appears in the C++ Secure Coding Standard as DCL06-CPP. Use meaningful symbolic constants to represent literal values in program logic.This guideline appears in the
C Secure Coding Standard as DCL06-C. Use meaningful symbolic constants to represent literal values in program logic.
Bibliography
| Wiki Markup |
|---|
\[[API 2006|AA. Bibliography#API 06]\] \[[Core Java 2004|AA. Bibliography#Core Java 04]\] |
...