The definitions of two constant expressions should be related if and only if related exactly when the values they are expressing express are also related.
Noncompliant Code Example
In this noncompliant code example, OUT_STR_LEN
must always be exactly two greater than IN_STR_LEN
. However, this is not obvious from the definitions. These definitions fail to reflect this requirement:
Code Block | ||
---|---|---|
| ||
public static final int IN_STR_LEN = 18;
public static final int OUT_STR_LEN = 20;
|
Compliant Solution
InsteadIn this compliant solution, the relationship between the two values should be is represented in the definitions.:
Code Block | ||
---|---|---|
| ||
public static final int IN_STR_LEN = 18;
public static final int OUT_STR_LEN = IN_STR_LEN + 2;
|
Noncompliant Code Example
In this noncompliant code example, there appears to be an underlying relationship between the two constants , but there is none.where none exists:
Code Block | ||
---|---|---|
| ||
public static final int ADULTVOTING_AGE = 18; public static final int ALCOHOL_AGE = ADULTVOTING_AGE + 3; |
A programmer performing routine maintenance may modify the definition for ADULTVOTING_AGE
but fail to recognize the resulting change in the definition for ALCOHOL_AGE
.
Compliant Solution
InsteadIn this compliant solution, the definitions should reflect the lack independence of a relationship between the two constants.:
Code Block | ||
---|---|---|
| ||
public static final int ADULTVOTING_AGE = 18; public static final int ALCOHOL_AGE = 21; |
Risk Assessment
Failure to properly encode relationships in constant declarations can lead to unexpected values and produce code that is difficult to maintain.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
DCL05- J | low | unlikely | high | P1 | L3 |
Other Languages
This rule appears in the C Secure Coding Standard as DCL08-C. Properly encode relationships in constant definitions.
This rule appears in the C++ Secure Coding Standard as DCL08-CPP. Properly encode relationships in constant definitions.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
Wiki Markup |
---|
\[JLS 05\] Section 4.12.4 |
Bibliography
...
DCL01-J. Do not declare more than one variable per declaration 03. Declarations and Initialization (DCL) DCL06-J. Beware of integer literals beginning with '0'