SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 61

changes.mady.by.user Robert Seacord

Saved on

compared with

New Version Current

changes.mady.by.user Michal Rozenau

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Parasoft Jtest 2022.2

Reuse of identifier names in subscopes leads to obscuration or shadowing; that is, the names . Reused identifiers in the current scope mask can render those defined elsewhere . Name reuse creates ambiguity and burdens code maintenanceinaccessible. Although the Java Language Specification (JLS) [JLS 2013] clearly resolves any syntactic ambiguity arising from obscuring or shadowing, such ambiguity burdens code maintainers and auditors, especially when code requires access to both the original named entity and the entity with the reused nameinaccessible one. The problem is aggravated exacerbated when the reused name is required to be defined in a different package.unmigrated-wiki-markup

According to the Java Language Specification \[[JLS 2005|AA. Bibliography#JLS 05]\], [Section 6.3.2|http://java.sun.com/docs/books/jls/third_edition/html/names.html#6.3.2], "Obscured Declarations"to §6.4.2, "Obscuring," of the JLS [JLS 2013],

A simple name may occur in contexts where it may potentially be interpreted as the name of a variable, a type, or a package. In these situations, the rules of §6.5 specify that a variable will be chosen in preference to a type, and that a type will be chosen in preference to a package.

This implies that a variable can obscure a type or a package, and a type can obscure a package name. Shadowing, on the other hand, refers to masking variables, fields, types, method parameters, labels, and exception handler parameters in a subscope. Both these differ from hiding wherein one variable rendering another variable inaccessible in a containing scope. One type can also shadow another type.

No identifier should obscure or shadow another identifier in a containing scope. For example, a local variable should not reuse the name of a class field or method or a class name or package name. Similarly, an inner class name should not reuse the name of an outer class or package.

Both overriding and shadowing differ from hiding, in which an accessible member (typically non-privatenonprivate) that should have been inherited by a subclass is forgone in lieu of replaced by a locally declared subclass member that assumes the same name .

In general, do not reuse the name of

  • a superclass
  • an interface
  • a field defined in a superclass
  • a field that appears in a different scope within the same method
  • a field, type, or another parameter across packages

but has a different, incompatible method signature.

Noncompliant Code Example (

...

Field Shadowing)

This noncompliant code example implements a class that reuses the name of the class java.util.Vector. It attempts to introduce a different condition for the isEmpty() method for interfacing with native legacy code, by overriding the corresponding method in java.util.Vector.

A future programmer might not know about this extension and incorrectly use the custom Vector class when his intention was to use the original java.util.Vector class. The custom type Vector can obscure a class name from another package (for example, java.util.Vector), as specified by JLS 6.3.2 (see above). Should this occur, it can cause undesirable effects by violating the programmer's assumptions.

Wiki MarkupWell-defined import statements resolve these issues. However, when the definitions of the reused name are imported from other packages, use of the _type-import-on-demand declaration_ (see Java Language Specification \[[JLS 2005|AA. Bibliography#JLS 05]\], [Section 7.5.2|http://java.sun.com/docs/books/jls/third_edition/html/packages.html#7.5.2], "Type-Import-on-Demand Declaration") can lead to unexpected import of a class that was not intended. Moreover, a common—and potentially misleading—tendency is to produce the import statements _after_ writing the code, often via automatic inclusion of import statements by an IDE. This creates further ambiguity with respect to the names; when a custom type is found earlier in the Java include path than the intended type, no further searches are conducted. val instance field in the scope of an instance method.

Code Block
bgColor#FFcccc

class VectorMyVector {
  private int val = 1;

  publicprivate booleanvoid isEmptydoLogic() {
    ifint (val == 1) {   //compares with 1 instead of 0
      return true;
    } else {
      return false;
    }
  }
  //other functionality is same as java.util.Vector
}

// import java.util.Vector; omitted

public class VectorUser {
  public static void main(String[] args) {
    Vector v = new Vector();
    if (v.isEmpty()) {
      System.out.println("Vector is empty");
    }
  }
}

Compliant Solution (Class Name)

This compliant solution declares the class Vector with a different name.

Code Block
bgColor#ccccff

class MyVector {
  //other code
}

Wiki Markup
Note: When the developer and organization control the original hidden class, in addition to the code being written, it may be preferable to change the design strategy of the original in accordance with Bloch's _Effective Java_ \[[Bloch 2008|AA. Bibliography#Bloch 08]\] "Item 16: Prefer interfaces to abstract classes." Changing the original class into an interface would permit class {{MyVector}} to declare that it implements the hypothetical {{Vector}} interface. This would permit client code that intended to use {{MyVector}} to remain compatible with code that uses the original implementation of {{Vector}}.

Noncompliant Code Example (Field Shadowing)

This noncompliant code example reuses the name of the val instance field in the scope of an instance method. This behavior can be classified as shadowing.

The resulting behavior can be classified as shadowing; the method variable renders the instance variable inaccessible within the scope of the method. For example, assigning to val from within the method does not affect the value of the instance variable, although assigning to this.val from within the method does.

Compliant Solution (Field Shadowing)

This compliant solution eliminates shadowing by changing the name of the variable defined in the method scope from val to newValue:

Code Block
bgColor#ccccff
Code Block
bgColor#FFcccc

class MyVector {
  private int val = 1;
  private void doLogic() {
    int valnewValue;
    //...   
  }
}

...

Noncompliant Code Example (Variable Shadowing)

This compliant solution eliminates shadowing by changing the name of the variable defined in method scope. example is noncompliant because the variable i defined in the scope of the second for loop block shadows the definition of the instance variable i defined in the MyVector class:

Code Block
bgColor#ccccff#FFcccc

class MyVector {
  private int vali = 10;
  private void doLogic() {
    for (i = 0; i < 10; i++) {/* ... */}
    for (int newValue;
    //i = 0; i < 20; i++) {/* ...  */} 
  }
}

Exceptions

Compliant Solution (Variable Shadowing)

In this compliant solution, the loop counter i is defined in the scope of each for loop blockSCP02-EX1: Reuse of names is permitted for trivial loop counter declarations in the same scope:

Code Block
bgColor#ccccff
class MyVector {
  private void doLogic() {
    for (int i = 0; i < 10; i++) {/* ... */}
    for (int i = 0; i < 20; i++) {/* ... */} 
  }
}

...

Applicability

Name reuse makes code more difficult to read and maintain. This , which can result in security weaknesses.

Guideline

Severity

Likelihood

Remediation Cost

Priority

Level

SCP02-J

low

unlikely

medium

P2

L3

Automated Detection

Wiki Markup An automated tool can easily detect reuse of names whose earlier definition appears somewhere in the Java include path. FindBugs, for example, detects at least four sub-instances of this guideline \[[FindBugs 2008|AA. Bibliography#FindBugs 08]\]:

  • Nm: Class names shouldn't shadow simple name of implemented interface
  • Nm: Class names shouldn't shadow simple name of superclass
  • MF: Class defines field that masks a superclass field
  • MF: Method defines a variable that obscures a field

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

Related Guidelines

C Secure Coding Standard: DCL01-C. Do not reuse variable names in subscopes

C++ Secure Coding Standard: DCL01-CPP. Do not reuse variable names in subscopes

Bibliography

Wiki Markup
\[[JLS 2005|AA. Bibliography#JLS 05]\] [Section 6.3.2|http://java.sun.com/docs/books/jls/third_edition/html/names.html#6.3.2] "Obscured Declarations", [Section 6.3.1|http://java.sun.com/docs/books/jls/third_edition/html/names.html#6.3.1] "Shadowing Declarations", [Section 7.5.2|http://java.sun.com/docs/books/jls/third_edition/html/packages.html#7.5.2] "Type-Import-On_Demand Declaration", [Section 14.4.3|http://java.sun.com/docs/books/jls/third_edition/html/statements.html#14.4.3] "Shadowing of Names by Local Variables"
\[[Bloch 2005|AA. Bibliography#Bloch 05]\] Puzzle 67: All Strung Out
\[[Bloch 2008|AA. Bibliography#Bloch 08]\] Item 16: Prefer interfaces to abstract classes
\[[Kabanov 2009|AA. Bibliography#Kabanov 09]\]
\[[Conventions 2009|AA. Bibliography#Conventions 09]\] 6.3 Placement
\[[FindBugs 2008|AA. Bibliography#FindBugs 08]\]

of identifiers in containing scopes.

Automated Detection

ToolVersionCheckerDescription
Parasoft Jtest

Include Page
Parasoft_V
Parasoft_V

CERT.DCL51.HMFDo not give method local variables and parameters the same name as class fields
SonarQube
Include Page
SonarQube_V
SonarQube_V
HiddenFieldCheck


Bibliography

[Bloch 2005]

Puzzle 67, "All Strung Out"

[Bloch 2008]

Item 16, "Prefer Interfaces to Abstract Classes"

[Conventions 2009]

§6.3, "Placement"

[FindBugs 2008]


[JLS 2013]

§6.4.1, "Shadowing"
§6.4.2, "Obscuring"
§7.5.2, "Type-Import-on-Demand Declarations"


...

Image Added Image Added Image AddedMET17-J. Do not increase the accessibility of overridden or hidden methods      Image Removed      OBJ17-J. Do not expose sensitive private members of an outer class from within a nested class