SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 85

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version Current

changes.mady.by.user Jon O'Donnell

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This compliant solution compares the content of two arrays using the two-argument Arrays.equals() method.:

Code Block
bgColor#ccccff
int[] arr1 = new int[20]; // initializedInitialized to 0
int[] arr2 = new int[20]; // initializedInitialized to 0
System.out.println(Arrays.equals(arr1, arr2)); // printsPrints true

Compliant Solution

This compliant solution compares the array references using the reference equality operators ==:

...

Using the equals() method or relational operators with the intention of comparing array contents produces incorrect results, which can lead to vulnerabilities.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

EXP02-J

Low

Likely

Low

P9

L2

Automated Detection

Static detection of calls to to Object.equals() is straightforward. However, it is not always possible to statically resolve the class of a method invocation's target. Consequently, it may not always be possible to determine when Object.equals() is invoked for an array type.

Tool
Version
Checker
Description
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

JAVA.COMPARE.EQ
JAVA.COMPARE.EQARRAY

Should Use equals() Instead of == (Java)
equals on Array (Java)

Coverity7.5

BAD_EQ
FB.EQ_ABSTRACT_SELF
FB.EQ_ALWAYS_FALSE
FB.EQ_ALWAYS_TRUE
FB.EQ_CHECK_FOR_OPERAND_NOT_ COMPATIBLE_WITH_THIS
FB.EQ_COMPARETO_USE_OBJECT_ EQUALS
FB.EQ_COMPARING_CLASS_NAMES
FB.EQ_DOESNT_OVERRIDE_EQUALS
FB.EQ_DONT_DEFINE_EQUALS_ FOR_ENUM
FB.EQ_GETCLASS_AND_CLASS_ CONSTANT
FB.EQ_OTHER_NO_OBJECT
FB.EQ_OTHER_USE_OBJECT
FB.EQ_OVERRIDING_EQUALS_ NOT_SYMMETRIC
FB.EQ_SELF_NO_OBJECT
FB.EQ_SELF_USE_OBJECT
FB.EQ_UNUSUAL

Implemented
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.EXP02.UEICDo not use '==' or '!=' to compare objects
SonarQube
Include Page
SonarQube_V
SonarQube_V
S2159Silly equality checks should not be made

Related Guidelines

MITRE CWE

CWE-595, Comparison of Object References Instead of Object Contents

Bibliography

[API 2006]

Class Arrays

[Seacord 2015]
Image result for video iconImage Modified EXP02-J. Do not use the Object.equals () method to compare two arrays LiveLesson

...


...