EXP02-J. Use the two-argument Arrays.equals() method to compare the contents of arrays

Arrays do not override the Object.equals() method; rather, the implementation of the equals() method compares an array's references rather than its contents. To compare the contents of two arrays, use the two-argument Arrays.equals() method instead. When intentionally testing reference equality, use the reference equality operators, == and !=. Inappropriate use of the equals() method can lead to unexpected results.

Noncompliant Code Example

This noncompliant code example incorrectly uses the Object.equals() method to compare two arrays.

public void arrayEqualsExample(){

int[] arr1 = new int[20]; // initialized to 0
int[] arr2 = new int[20]; // initialized to 0
arr1.equals(arr2); // false

}

Compliant Solution

This compliant solution compares the two arrays using the two-argument Arrays.equals() method.

public void arrayEqualsExample(){

int[] arr1 = new int[20]; // initialized to 0
int[] arr2 = new int[20]; // initialized to 0
Arrays.equals(arr1, arr2); // true

}

Risk Assessment

Using the equals() method or relational operators with the intention of comparing array contents produces incorrect results, which can lead to vulnerabilities.

Automated Detection

The Coverity Prevent Version 5.0 BAD_EQ checker can detect the instance where the == operator is being used for equality of objects when, ideally, equals() should have been used. The == operator could consider the objects to be different, whereas the equals() method would consider them to be the same.

Static detection of attempts to use array_object.equals(...) appears to be straightforward.

Bibliography

EXP01-J. Do not confuse abstract object equality with reference equality      02. Expressions (EXP)