Arrays fail to override class Object's equals() method; the equals() method inherited from Object, when applied to arrays, compares the array references rather than the contents of the arrays. Use the two-argument Arrays.equals() method to compare the contents of arrays. When intentionally testing reference equality, prefer the reference equality operators, == and !=; inappropriate use of the equals() method may lead to unexpected results.
Noncompliant Code Example
This noncompliant code example incorrectly uses the Object.equals() method to compare two arrays.
int[] arr1 = new int[20]; // initialized to 0
int[] arr2 = new int[20]; // initialized to 0
arr1.equals(arr2); // false: Object.equals() compares references, and arr1 and arr2 are distinct objects
Compliant Solution
This compliant solution compares the two arrays using the two-argument Arrays.equals() method.
import java.util.Arrays;

int[] arr1 = new int[20]; // initialized to 0
int[] arr2 = new int[20]; // initialized to 0
Arrays.equals(arr1, arr2); // true: same length and the same element at every index
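The following runnable class is an added example, not code from the CERT page; it puts the three comparisons side by side (equals(), ==, and Arrays.equals()) so the difference between reference and content equality is visible, and also shows how Arrays.equals() handles differing lengths and null arguments. The class and method names are chosen here for illustration.

```java
import java.util.Arrays;

public class ArrayEqualityDemo {

    // Content comparison: true only when both arrays have the same length
    // and the same element at every index (Arrays.equals semantics).
    static boolean sameContents(int[] a, int[] b) {
        return Arrays.equals(a, b);
    }

    // Reference comparison made explicit: true only for the same object.
    static boolean sameObject(int[] a, int[] b) {
        return a == b;
    }

    public static void main(String[] args) {
        int[] arr1 = new int[20];   // all zeros
        int[] arr2 = new int[20];   // all zeros, but a distinct object
        int[] alias = arr1;         // a second reference to the same object

        // equals() on an array is Object.equals(): it compares references.
        System.out.println("arr1.equals(arr2)  = " + arr1.equals(arr2));  // false
        System.out.println("arr1.equals(alias) = " + arr1.equals(alias)); // true

        // == is the operator to use when reference equality is intended.
        System.out.println("sameObject(arr1, arr2)  = " + sameObject(arr1, arr2));  // false
        System.out.println("sameObject(arr1, alias) = " + sameObject(arr1, alias)); // true

        // Arrays.equals() compares length and contents.
        System.out.println("sameContents(arr1, arr2) = " + sameContents(arr1, arr2)); // true

        arr2[5] = 1;  // change one element
        System.out.println("after arr2[5] = 1        = " + sameContents(arr1, arr2)); // false

        // Different lengths are never equal, even if the common prefix matches.
        System.out.println("length 20 vs 21          = " + sameContents(arr1, new int[21])); // false

        // Arrays.equals() tolerates null: two nulls are equal, null vs array is not.
        System.out.println("null vs null             = " + Arrays.equals(null, null)); // true
        System.out.println("arr1 vs null             = " + Arrays.equals(arr1, null)); // false
    }
}
```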
Risk Assessment
Using the equals() method or relational operators when intending to compare array contents produces incorrect results, which may lead to vulnerabilities.
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level
---|---|---|---|---|---
EXP02-J | low | likely | low | P9 | L2
Automated Detection
The Coverity Prevent Version 5.0 BAD_EQ checker can detect instances where the "==" operator is used to test object equality when the equals() method should have been used. The "==" operator may consider objects different when the equals() method considers them the same.
Static detection of attempts to use array_object.equals(...) appears to be straightforward.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.