Scope minimization helps in capturing developers avoid common programming errors, improves code readability by tying together connecting the declaration and actual use of a variable, and eases improves maintainability because unused variables are more easily caught and removeddetected and removed. It may also allow objects to be recovered by the garbage collector more quickly, and it prevents violations of DCL51-J. Do not shadow or obscure identifiers in subscopes.
Noncompliant Code Example
This noncompliant code example shows a variable that is declared outside the for
loop. This can harm reusability as the loop index i
will change after the for
statement. Consider for instance, the case when this code snippet is copy pasted with the intent of using a different index j
but the statement mistakenly still iterates over index i
. As i
is still in scope, this will lead to a unexpected behavior.
Code Block | ||
---|---|---|
| ||
public class Scope { public static void main(String[] args) { int i = 0; for (i = 0; i < 10; i++) { // Do operations } } } |
This code is noncompliant because, even though variable i
is not intentionally used outside the for
loop, it is declared in method scope. One of the few scenarios where variable i
would need to be declared in method scope is when the loop contains a break statement and the value of i
must be inspected after conclusion of the loop.
Compliant Solution
To be compliant, minimize Minimize the scope of variables where possible, such as by declaring loop indexes . For example, declare loop indices within the for
statement. :
Code Block | ||
---|---|---|
| ||
public class Scope { public static void main(String[] args) { for (int i = 0; i < 10; i++) { //contains Contains declaration // Do operations } } } |
Additionally, methods should be designed to perform only one operation if possible. This reduces the need for variables existing in overlapping scopes and consequently, helps prevent errors.
Risk Assessment
Using a larger scope than what is necessary results in less reliable code.
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
SCP00-J | low | unlikely | medium | P2 | L3 |
Automated Detection
TODO
Other Languages
This rule appears in the C Secure Coding Standard as DCL19-C. Use as minimal a scope as possible for all variables and functions.
This rule appears in the C++ Secure Coding Standard as DCL07-CPP. Use as minimal scope as possible for all variables and methods.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
Wiki Markup |
---|
\[[JLS 2005|AA. Bibliography#JLS 05]\] [Section 14.4.2, Scope of Local Variable Declarations|http://java.sun.com/docs/books/jls/third_edition/html/statements.html#14.4.2]
\[[Bloch 2001|AA. Bibliography#Bloch 01]\] Item 29, Minimize the scope of local variables |
Noncompliant Code Example
This noncompliant code example shows a variable count
that is declared outside the counter
method, although the variable is not used outside the counter
method.
Code Block | ||
---|---|---|
| ||
public class Foo {
private int count;
private static final int MAX_COUNT = 10;
public void counter() {
count = 0;
while (condition()) {
/* ... */
if (count++ > MAX_COUNT) {
return;
}
}
}
private boolean condition() {/* ... *}
// No other method references count
// but several other methods reference MAX_COUNT
}
|
Compliant Solution
In this compliant solution, the count
field is declared local to the counter()
method:
Code Block | ||
---|---|---|
| ||
public class Foo {
private static final int MAX_COUNT = 10;
public void counter() {
int count = 0;
while (condition()) {
/* ... */
if (count++ > MAX_COUNT) {
return;
}
}
}
private boolean condition() {/* ... */}
// No other method references count
// but several other methods reference MAX_COUNT
}
|
Applicability
Detecting local variables that are declared in a larger scope than is required by the code as written is straightforward and can eliminate the possibility of false positives.
Detecting multiple for
statements that use the same index variable is straightforward; it produces false positives in the unusual case where the value of the index variable is intended to persist between loops.
Bibliography
Item 29, "Minimize the Scope of Local Variables" | |
[JLS 2013] |
...
05. Scope (SCP) 05. Scope (SCP) SCP01-J. Do not increase the accessibility of overridden or hidden methods