Page History

...

Using the equals() method or relational operators with the intention of comparing array contents produces incorrect results, which can lead to vulnerabilities.

Rule	Severity	Likelihood	Remediation Cost	Priority	Level
EXP02-J	Low	Likely	Low	P9	L2

Automated Detection

Static detection of calls to to Object.equals() is straightforward. However, it is not always possible to statically resolve the class of a method invocation's target. Consequently, it may not always be possible to determine when Object.equals() is invoked for an array type.

Tool

Version

Checker

Description

CodeSonar

Include Page

	CodeSonar_V
	CodeSonar_V

4

JAVA.COMPARE.

4

EQ

FB

JAVA.

CORRECTNESS.EC_BAD_ARRAY_COMPAREInvocation of equals() on an array, which is equivalent to ==

COMPARE.EQARRAY	Should Use equals() Instead of == (Java) equals on Array (Java)
Coverity	7.5	BAD_EQ FB.EQ_ABSTRACT_SELF FB.EQ_ALWAYS_FALSE FB.EQ_ALWAYS_TRUE FB.EQ_CHECK_FOR_OPERAND_NOT_ COMPATIBLE_WITH_THIS FB.EQ_COMPARETO_USE_OBJECT_ EQUALS FB.EQ_COMPARING_CLASS_NAMES FB.EQ_DOESNT_OVERRIDE_EQUALS FB.EQ_DONT_DEFINE_EQUALS_ FOR_ENUM FB.EQ_GETCLASS_AND_CLASS_ CONSTANT FB.EQ_OTHER_NO_OBJECT FB.EQ_OTHER_USE_OBJECT FB.EQ_OVERRIDING_EQUALS_ NOT_SYMMETRIC FB.EQ_SELF_NO_OBJECT FB.EQ_SELF_USE_OBJECT FB.EQ_UNUSUAL	Implemented
Parasoft Jtest

9.5PB.CUB.UEIC SonarQube Java Plugin

Include Page

	Parasoft_V
	Parasoft_V

CERT.EXP02.UEIC

Do not use '==' or '!=' to compare objects

SonarQube

Include Page

	SonarQube

Java Plugin

_V
	SonarQube

Java Plugin

_V

S2159

Implemented

Silly equality checks should not be made

Related Guidelines

MITRE CWE

CWE-595, Comparison of Object References Instead of Object Contents

Bibliography

[API 2006]	Class `Arrays`
[Seacord 2015]	Image Modified EXP02-J. Do not use the Object.equals () method to compare two arrays LiveLesson

...

Space shortcuts

Page tree

Versions Compared

Old Version 91

New Version Current

Key

Automated Detection

Related Guidelines

Bibliography