Scope minimization helps developers to avoid common programming errors, improves code readability by tying together the declaration and actual use of a variable, and improves maintainability because unused variables are more easily detected and removed.
Noncompliant Code Example
This noncompliant code example shows a variable that is declared outside the for loop. This reduces reusability because the value of the loop index i will have changed after the for statement. Consider, for instance, the case when this code snippet is copied and pasted with the intent to use a different index j. If the index variable change were omitted, the new loop would then attempt to iterate over index i. Unexpected behavior can follow because i remains in scope.
public class Scope {
public static void main(String[] args) {
int i = 0;
for (i = 0; i < 10; i++) {
// Do operations
}
}
}
It should be noted that this code is noncompliant because i is not used outside the for loop. If, for instance, the loop contained a break statement, and the value of i when the loop exits prematurely is inspected, that would be a valid reason for i to be declared local to the method.
Compliant Solution
Minimize the scope of variables where possible, for example, by declaring loop indexes within the for statement.
public class Scope {
public static void main(String[] args) {
for (int i = 0; i < 10; i++) { //contains declaration
// Do operations
}
}
}
Noncompliant Code Example
This noncompliant code example shows a variable that is declared outside the counter method. This reduces reusability because the variable is not actually used anywhere outside the counter method.
public class Foo {
private int count;
static private final int MAX_COUNT;
public void counter() {
count = 0;
while (condition()) {
/* ... */
if (count++ > MAX_COUNT) return;
}
}
/* No other method references count */
}
Compliant Solution
In this case, the count field is only accessible within the counter method.
public class Foo {
static private final int MAX_COUNT;
public void counter() {
int count = 0;
while (condition()) {
/* ... */
if (count++ > MAX_COUNT) return;
}
}
/* No other method references count */
}
Risk Assessment
Using a larger scope than is necessary results in less reliable code.
Guideline |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
SCP00-J |
low |
unlikely |
medium |
P2 |
L3 |
Automated Detection
Detecting local variables that are declared in a larger scope than is required by the as-written code is straightforward and can avoid any possibility of false positives.
Detecting multiple for statements that use the same index variable is straightforward; it will produce false positives in the unusual case where this was intended by the programmer.
Related Guidelines
C Secure Coding Standard: DCL19-C. Use as minimal a scope as possible for all variables and functions
C++ Secure Coding Standard: DCL07-CPP. Use as minimal scope as possible for all variables and methods
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Bibliography
[[Bloch 2001]] Item 29, Minimize the scope of local variables
[[JLS 2005]] Section 14.4.2
, "Scope of Local Variable Declarations"
MET17-J. Do not increase the accessibility of overridden or hidden methods