Arrays do not override the Object.equals() method; the inherited implementation compares array references rather than array contents. To compare the contents of two arrays, use the two-argument Arrays.equals() method instead. When intentionally testing reference equality, use the reference equality operators, == and !=. Inappropriate use of the equals() method can lead to unexpected results.
Noncompliant Code Example
This noncompliant code example incorrectly uses the Object.equals() method to compare two arrays.
```java
int[] arr1 = new int[20]; // initialized to 0
int[] arr2 = new int[20]; // initialized to 0
arr1.equals(arr2); // false
```
Compliant Solution
This compliant solution compares the two arrays using the two-argument Arrays.equals() method.
```java
import java.util.Arrays;

int[] arr1 = new int[20]; // initialized to 0
int[] arr2 = new int[20]; // initialized to 0
Arrays.equals(arr1, arr2); // true
```
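The following added example (written for this page, not part of the CERT guideline itself) puts the noncompliant and compliant comparisons side by side and goes one step beyond the text: it shows that Arrays.equals() is itself shallow on nested arrays, where Arrays.deepEquals() is needed. The class and method names are illustrative; the sample arrays are constructed inline.

```java
import java.util.Arrays;

// Added example: reference equality vs. content equality for arrays.
public class ArrayEqualityDemo {

    // Object.equals() is not overridden for arrays, so this is reference
    // equality: it is true only when both parameters refer to the same object.
    static boolean referenceEquals(int[] a, int[] b) {
        return a.equals(b); // behaves exactly like a == b
    }

    // Element-by-element comparison of two one-dimensional arrays.
    static boolean contentEquals(int[] a, int[] b) {
        return Arrays.equals(a, b);
    }

    // On a nested array, Arrays.equals() compares the inner arrays by
    // reference, so two grids with identical numbers are still "different".
    static boolean shallowEquals(int[][] a, int[][] b) {
        return Arrays.equals(a, b);
    }

    // Arrays.deepEquals() recurses into the inner arrays and compares contents.
    static boolean deepEquals(int[][] a, int[][] b) {
        return Arrays.deepEquals(a, b);
    }

    public static void main(String[] args) {
        // Constructed sample input: two distinct arrays with identical contents,
        // plus a second reference (alias) to the first one.
        int[] arr1 = new int[20];
        int[] arr2 = new int[20];
        int[] alias = arr1;

        // Distinct objects with equal contents: reference comparison reports
        // inequality, content comparison reports equality.
        System.out.println("arr1.equals(arr2)        = " + referenceEquals(arr1, arr2));
        System.out.println("arr1 == arr2             = " + (arr1 == arr2));
        System.out.println("Arrays.equals(arr1, arr2) = " + contentEquals(arr1, arr2));

        // Same object reached through two variables: every comparison agrees.
        System.out.println("arr1.equals(alias)       = " + referenceEquals(arr1, alias));
        System.out.println("arr1 == alias            = " + (arr1 == alias));

        // Nested arrays: only deepEquals() looks inside the rows.
        int[][] grid1 = { {1, 2}, {3, 4} };
        int[][] grid2 = { {1, 2}, {3, 4} };
        System.out.println("Arrays.equals(grid1, grid2)     = " + shallowEquals(grid1, grid2));
        System.out.println("Arrays.deepEquals(grid1, grid2) = " + deepEquals(grid1, grid2));
    }
}
```

Compile and run with `javac ArrayEqualityDemo.java && java ArrayEqualityDemo`. The point for a reviewer is that `arr1.equals(arr2)` on any array type is a reference check in disguise, so a guard written that way silently never matches fresh data; write `==` when reference identity is really what is meant, and `Arrays.equals()` (or `Arrays.deepEquals()` for nested arrays) when contents are.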
Risk Assessment
Using the equals() method or relational operators with the intention of comparing array contents produces incorrect results, which can lead to vulnerabilities.
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level
---|---|---|---|---|---
EXP02-J | low | likely | low | P9 | L2
Automated Detection
The Coverity Prevent Version 5.0 BAD_EQ checker can detect the instance where the == operator is being used for equality of objects when, ideally, equals() should have been used. The == operator could consider the objects to be different, whereas the equals() method would consider them to be the same.

Static detection of attempts to use array_object.equals(...) appears to be straightforward.
Bibliography
[[API 2006]] Class Arrays