...
Using the equals() method or relational operators with the intention of comparing array contents produces incorrect results, which can lead to vulnerabilities.
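The following is an added example, not code from the CERT page itself: it puts the reference comparison the rule warns about beside the content comparisons from java.util.Arrays, and adds one practitioner caveat (the MessageDigest.isEqual() method, an assumption beyond the page's text) for arrays that hold secrets. The class and method names are invented for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

public class ArrayComparison {

    // Noncompliant: Object.equals() on an array is reference equality, the same
    // test as ==, so two distinct arrays with identical contents are reported unequal.
    static boolean referenceCompare(byte[] a, byte[] b) {
        return a.equals(b);
    }

    // Compliant: Arrays.equals() compares the two arrays element by element.
    static boolean contentCompare(byte[] a, byte[] b) {
        return Arrays.equals(a, b);
    }

    // For nested arrays Arrays.equals() only compares the inner arrays by reference;
    // Arrays.deepEquals() recurses into them and compares their contents.
    static boolean nestedContentCompare(int[][] a, int[][] b) {
        return Arrays.deepEquals(a, b);
    }

    // Caveat (assumption, not from the page): when the arrays hold secrets such as
    // MACs or session tokens, Arrays.equals() stops at the first mismatching byte;
    // MessageDigest.isEqual() is the JDK comparison intended for that situation.
    static boolean secretCompare(byte[] expected, byte[] actual) {
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) {
        // Constructed sample input: identical contents in two separate array objects.
        byte[] stored = "s3cr3t-token".getBytes(StandardCharsets.UTF_8);
        byte[] presented = "s3cr3t-token".getBytes(StandardCharsets.UTF_8);

        System.out.println("==                     : " + (stored == presented));
        System.out.println("equals()               : " + referenceCompare(stored, presented));
        System.out.println("Arrays.equals()        : " + contentCompare(stored, presented));
        System.out.println("MessageDigest.isEqual(): " + secretCompare(stored, presented));

        int[][] grid1 = {{1, 2}, {3, 4}};
        int[][] grid2 = {{1, 2}, {3, 4}};
        System.out.println("Arrays.equals() on int[][]    : " + Arrays.equals(grid1, grid2));
        System.out.println("Arrays.deepEquals() on int[][]: " + nestedContentCompare(grid1, grid2));
    }
}
```

Only the Arrays.equals(), Arrays.deepEquals() and MessageDigest.isEqual() lines report the matching contents as equal; the == and equals() lines compare object identity and report the two arrays as different.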
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
EXP02-J | Low | Likely | Low | P9 | L2 |
Automated Detection
Static detection of calls to Object.equals() is straightforward. However, it is not always possible to statically resolve the class of a method invocation's target. Consequently, it may not always be possible to determine when Object.equals() is invoked for an array type.
Tool | Version | Checker | Description
---|---|---|---
CodeSonar | | JAVA.COMPARE.EQ | Should Use equals() Instead of == (Java)
Coverity | 7.5 | BAD_EQ | Implemented
Parasoft Jtest | | CERT.EXP02.UEIC | Do not use '==' or '!=' to compare objects
SonarQube | | S2159 | Silly equality checks should not be made
Related Guidelines
Bibliography
...
...