Arrays do not override class Object's equals() method. Consequently, the default implementation of the equals() method simply compares the array references instead of the contents of the arrays. If only the references need to be compared, it is better to use relational operators, such as == and !=. Vulnerabilities can result, for instance, when two arrays containing signers are compared incorrectly.
Noncompliant Code Example
This noncompliant code example incorrectly uses the Object.equals() method to compare two arrays.
int[] arr1 = new int[20]; // initialized to 0 int[] arr2 = new int[20]; // initialized to 0 arr1.equals(arr2); // false
Compliant Solution
This compliant solution compares the two arrays using the two-argument Arrays.equals() method.
Arrays.equals(arr1, arr2); // true
Risk Assessment
Using the equals() method or relational operators to compare array contents can produce incorrect results.
Guideline |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
EXP02-J |
low |
likely |
low |
P9 |
L2 |
Automated Detection
The Coverity Prevent Version 5.0 BAD_EQ checker can detect the instance where The "==" operator is being used for equality of objects when in ideal case equal method should have been used. The "==" operator may consider objects different when the equals method considers them the same.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Bibliography
[[API 2006]]
EXP01-J. Do not compare String objects using equality or relational operators 04. Expressions (EXP) EXP03-J. Do not use the equal and not equal operators to compare boxed primitives