Comment: Parasoft Jtest 2021.1

...

The read methods (readByte(), readShort(), readInt(), readLong(), readFloat(), and readDouble()) and the corresponding write methods defined by class java.io.DataInputStream and class java.io.DataOutputStream operate only on big-endian data. Using these methods to exchange binary data with programs written in traditional languages, such as C or C++, is insecure because such languages provide no guarantee about the endianness of the data they write. This noncompliant code example shows such a discrepancy:

...

Reading and writing data without considering endianness can lead to misinterpretations of both the magnitude and sign of the data.
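The following is an added example, not code from the CERT page, showing the discrepancy on a constructed little-endian input and the two remedies the rule points to (Integer.reverseBytes() and a ByteBuffer with an explicit byte order). The class and method names are assumptions for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;

public class LittleEndianRead {
    // Constructed sample: the 32-bit value 128 (0x00000080) as a little-endian
    // C or C++ program on an x86 host would write it: least significant byte first.
    static final byte[] LE_BYTES = {(byte) 0x80, 0x00, 0x00, 0x00};

    // Noncompliant: DataInputStream.readInt() always assumes big-endian input, so it
    // treats 0x80 as the most significant byte. The sign bit of the result is set
    // and the magnitude is wrong, which is exactly the misinterpretation the rule warns about.
    static int readAssumingBigEndian(byte[] data) throws IOException {
        try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(data))) {
            return in.readInt();
        }
    }

    // Compliant: read the big-endian interpretation, then swap the byte order.
    static int readLittleEndianWithReverseBytes(byte[] data) throws IOException {
        try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(data))) {
            return Integer.reverseBytes(in.readInt());
        }
    }

    // Compliant: let ByteBuffer decode with the byte order stated explicitly.
    static int readLittleEndianWithByteBuffer(byte[] data) {
        return ByteBuffer.wrap(data).order(ByteOrder.LITTLE_ENDIAN).getInt();
    }

    // Compliant write side: produce bytes a little-endian consumer expects.
    static byte[] writeLittleEndian(int value) {
        return ByteBuffer.allocate(Integer.BYTES).order(ByteOrder.LITTLE_ENDIAN).putInt(value).array();
    }

    public static void main(String[] args) throws IOException {
        System.out.println("readInt() as big-endian:      " + readAssumingBigEndian(LE_BYTES));
        System.out.println("reverseBytes() correction:   " + readLittleEndianWithReverseBytes(LE_BYTES));
        System.out.println("ByteBuffer LITTLE_ENDIAN:     " + readLittleEndianWithByteBuffer(LE_BYTES));
        System.out.println("round trip via writeLittleEndian: "
                + readLittleEndianWithByteBuffer(writeLittleEndian(128)));
    }
}
```

The same ByteBuffer approach applies to the other primitive sizes (getShort(), getLong(), getFloat(), getDouble()), so a program that must consume data from a C or C++ producer can fix the byte order in one place rather than at each read.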

Risk Assessment

Rule      Severity  Likelihood  Remediation Cost  Priority  Level
FIO12-J   Low       Unlikely    Low               P3        L3

Automated Detection

Automated detection is infeasible in the general case.

Tool            Version     Checker             Description
Parasoft Jtest  Parasoft_V  CERT.FIO12.PMRWLED  Provide methods to read and write little-endian data

Related Guidelines

MITRE CWE

CWE-198, Use of Incorrect Byte Ordering


...


...