Java defines the equality operators == and != and the relational operators <=, >=, > and <. When they are used to compare String object references, these operators are a trap that an inexperienced programmer may fall into without noticing.
Noncompliant Code Example
For == to return true for two string references, both must refer to the same underlying object. This noncompliant example creates two distinct String objects with the same contents; they compare unequal because they are different object references.
```java
public class BadComparison {
    public static void main(String[] args) {
        String one = new String("one");
        String two = new String("one");
        if (one == two) {
            System.out.println("Equal"); // not printed: one and two are distinct objects
        }
    }
}
```
Compliant Solution
To be compliant, use the object1.equals(object2) method when comparing string values.
```java
public class GoodComparison {
    public static void main(String[] args) {
        String one = new String("one");
        String two = new String("one");
        if (one.equals(two)) {
            System.out.println("Equal"); // printed: equals() compares contents
        }
    }
}
```
The == and != operators appear to work when both operands are string literals with constant values (such as String one = "one" and String two = "two") or when the intern method has been called on both strings, because the comparison is then made between references to a single shared object. The performance gain from comparing references this way is, however, smaller than the benefit of robust code that also handles non-constant and non-interned values correctly. Moreover, relying on this behavior creates ambiguity that hinders the choice of a proper method for comparing String objects.
Risk Assessment
Using the equality or relational operators to compare objects may lead to unexpected results.
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| EXP03-J | low | unlikely | medium | P2 | L3 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.