DATASHEET
CERT JAVA Rule Enforcement
(website 28 April 2020)
https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java
Android Rules are not included.
ENFORCEMENT FOR KW 2023.3
Total | ||
|---|---|---|
a | Total Number of Rules | 183 |
b | Total Number of ‘Not Statically Enforceable’ Rules (Assisted/Unassisted) | 0 |
c | Total Number of Enforceable Rules (a-b) | 183 |
d | Total Number of Enforced Rules | 7 |
e | Total Number of Unenforced Rules | 176 |
f | Enforce Rules Percentage (d/c) | 4% |
g | Unenforced Rules Percentage (e/c) | 96% |
Rule ID | Description | Enforced |
|---|---|---|
Rule 00. | Input Validation and Data Sanitization (IDS) | |
IDS00-J | Prevent SQL injection. | Yes |
IDS01-J | Normalize strings before validating them. | Yes |
IDS02-J | Canonicalize path names before validating them. | No |
IDS03-J | Do not log unsanitized user input. | No |
IDS04-J | Safely extract files from ZipInputStream. | No |
IDS05-J | Use a safe subset of ASCII for file and path names. | No |
IDS06-J | Exclude unsanitized user input from format strings. | No |
IDS07-J | Sanitize untrusted data passed to the Runtime.exec() method. | Yes |
IDS08-J | Sanitize untrusted data included in a regular expression. | No |
IDS09-J | Specify an appropriate locale when comparing locale-dependent data. | No |
IDS10-J | Don't form strings containing partial characters. | No |
IDS11-J | Perform any string modifications before validation. | No |
IDS13-J | Use compatible character encodings on both sides of file or network IO. | No |
IDS14-J | Do not trust the contents of hidden form fields. | No |
IDS15-J | Do not allow sensitive information to leak outside a trust boundary. | No |
IDS16-J | Prevent XML Injection. | No |
IDS17-J | Prevent XML External Entity Attacks. | No |
Rule 01. | Declarations and Initialization (DCL) | |
DCL00-J | Prevent class initialization cycles. | No |
DCL01-J | Do not reuse public identifiers from the Java Standard Library. | No |
DCL02-J | Do not modify the collection's elements during an enhanced for statement. | No |
Rule 02. | Expressions (EXP) | |
EXP00-J | Do not ignore values returned by methods. | No |
EXP01-J | Do not use a null in a case where an object is required. | No |
EXP02-J | Do not use the Object.equals() method to compare two arrays. | No |
EXP03-J | Do not use the equality operators when comparing values of boxed primitives. | No |
EXP04-J | Do not pass arguments to certain Java Collections Framework methods that are a different type than the collection parameter type. | No |
EXP05-J | Do not follow a write by a subsequent write or read of the same object within an expression. | No |
EXP06-J | Expressions used in assertions must not produce side effects. | No |
EXP07-J | Prevent loss of useful data due to weak references. | No |
Rule 03. | Numeric Types and Operations (NUM) | |
NUM00-J | Detect or prevent integer overflow. | No |
NUM01-J | Do not perform bitwise and arithmetic operations on the same data. | No |
NUM02-J | Ensure that division and remainder operations do not result in divide-by-zero errors. | No |
NUM03-J | Use integer types that can fully represent the possible range of unsigned data. | No |
NUM04-J | Do not use floating-point numbers if precise computation is required. | No |
NUM07-J | Do not attempt comparisons with NaN. | No |
NUM08-J | Check floating-point inputs for exceptional values. | No |
NUM09-J | Do not use floating-point variables as loop counters. | No |
NUM10-J | Do not construct BigDecimal objects from floating-point literals. | No |
NUM11-J | Do not compare or inspect the string representation of floating-point values. | No |
NUM12-J | Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data. | No |
NUM13-J | Avoid loss of precision when converting primitive integers to floating-point. | No |
NUM14-J | Use shift operators correctly. | No |
Rule 04. | Characters and Strings (STR) | |
STR00-J | Don't form strings containing partial characters from variable-width encodings. | No |
STR01-J | Do not assume that a Java char fully represents a Unicode code point. | No |
STR02-J | Specify an appropriate locale when comparing locale-dependent data. | No |
STR03-J | Do not encode noncharacter data as a string. | No |
STR04-J | Use compatible character encodings when communicating string data between JVMs. | No |
Rule 05. | Object Orientation (OBJ) | |
OBJ01-J | Limit accessibility of fields. | No |
OBJ02-J | Preserve dependencies in subclasses when changing superclasses. | No |
OBJ03-J | Prevent heap pollution. | No |
OBJ04-J | Provide mutable classes with copy functionality to safely allow passing instances to untrusted code. | No |
OBJ05-J | Do not return references to private mutable class members. | No |
OBJ06-J | Defensively copy mutable inputs and mutable internal components. | No |
OBJ07-J | Sensitive classes must not let themselves be copied. | No |
OBJ08-J | Do not expose private members of an outer class from within a nested class. | No |
OBJ09-J | Compare classes and not class names. | No |
OBJ10-J | Do not use public static nonfinal fields. | No |
OBJ11-J | Be wary of letting constructors throw exceptions. | No |
OBJ12-J | Respect object-based annotations. | No |
OBJ13-J | Ensure that references to mutable objects are not exposed. | No |
OBJ14-J | Do not use an object that has been freed. | No |
Rule 06. | Methods (MET) | |
MET00-J | Validate method arguments. | No |
MET01-J | Never use assertions to validate method arguments. | No |
MET02-J | Do not use deprecated or obsolete classes or methods. | No |
MET03-J | Methods that perform a security check must be declared private or final. | No |
MET04-J | Do not increase the accessibility of overridden or hidden methods. | No |
MET05-J | Ensure that constructors do not call overridable methods. | No |
MET06-J | Do not invoke overridable methods in clone(). | No |
MET07-J | Never declare a class method that hides a method declared in a superclass or superinterface. | No |
MET08-J | Preserve the equality contract when overriding the equals() method. | No |
MET09-J | Classes that define an equals() method must also define a hashCode() method. | No |
MET10-J | Follow the general contract when implementing the compareTo() method. | No |
MET11-J | Ensure that keys used in comparison operations are immutable. | No |
MET12-J | Do not use finalizers. | No |
MET13-J | Do not assume that reassigning method arguments modifies the calling environment. | No |
Rule 07. | Exceptional Behavior (ERR) | |
ERR00-J | Do not suppress or ignore checked exceptions. | No |
ERR01-J | Do not allow exceptions to expose sensitive information. | No |
ERR02-J | Prevent exceptions while logging data. | No |
ERR03-J | Restore prior object state on method failure. | No |
ERR04-J | Do not complete abruptly from a finally block. | No |
ERR05-J | Do not let checked exceptions escape from a finally block. | No |
ERR06-J | Do not throw undeclared checked exceptions. | No |
ERR07-J | Do not throw RuntimeException, Exception, or Throwable. | No |
ERR08-J | Do not catch NullPointerException or any of its ancestors. | Yes |
ERR09-J | Do not allow untrusted code to terminate the JVM. | No |
Rule 08. | Visibility and Atomicity (VNA) | |
VNA00-J | Ensure visibility when accessing shared primitive variables. | No |
VNA01-J | Ensure visibility of shared references to immutable objects. | No |
VNA02-J | Ensure that compound operations on shared variables are atomic. | No |
VNA03-J | Do not assume that a group of calls to independently atomic methods is atomic. | No |
VNA04-J | Ensure that calls to chained methods are atomic. | No |
VNA05-J | Ensure atomicity when reading and writing 64-bit values. | No |
Rule 09. | Locking (LCK) | |
LCK00-J | Use private final lock objects to synchronize classes that may interact with untrusted code. | No |
LCK01-J | Do not synchronize on objects that may be reused. | No |
LCK02-J | Do not synchronize on the class object returned by getClass(). | No |
LCK03-J | Do not synchronize on the intrinsic locks of high-level concurrency objects. | No |
LCK04-J | Do not synchronize on a collection view if the backing collection is accessible. | No |
LCK05-J | Synchronize access to static fields that can be modified by untrusted code. | No |
LCK06-J | Do not use an instance lock to protect shared static data. | No |
LCK07-J | Avoid deadlock by requesting and releasing locks in the same order. | No |
LCK08-J | Ensure actively held locks are released on exceptional conditions. | No |
LCK09-J | Do not perform operations that can block while holding a lock. | No |
LCK10-J | Use a correct form of the double-checked locking idiom. | No |
LCK11-J | Avoid client-side locking when using classes that do not commit to their locking strategy. | No |
Rule 10. | Thread APIs (THI) | |
THI00-J | Do not invoke Thread.run(). | No |
THI01-J | Do not invoke ThreadGroup methods. | No |
THI02-J | Notify all waiting threads rather than a single thread. | No |
THI03-J | Always invoke wait() and await() methods inside a loop. | No |
THI04-J | Ensure that threads performing blocking operations can be terminated. | No |
THI05-J | Do not use Thread.stop() to terminate threads. | No |
Rule 11. | Thread Pools (TPS) | |
TPS00-J | Use thread pools to enable graceful degradation of service during traffic bursts. | No |
TPS01-J | Do not execute interdependent tasks in a bounded thread pool. | No |
TPS02-J | Ensure that tasks submitted to a thread pool are interruptible. | No |
TPS03-J | Ensure that tasks executing in a thread pool do not fail silently. | No |
TPS04-J | Ensure ThreadLocal variables are reinitialized when using thread pools. | No |
Rule 12. | Thread-Safety Miscellaneous (TSM) | |
TSM00-J | Do not override thread-safe methods with methods that are not thread-safe. | No |
TSM01-J | Do not let the this reference escape during object construction. | No |
TSM02-J | Do not use background threads during class initialization. | No |
TSM03-J | Do not publish partially initialized objects. | No |
Rule 13. | Input Output (FIO) | |
FIO00-J | Do not operate on files in shared directories. | No |
FIO01-J | Create files with appropriate access permissions. | No |
FIO02-J | Detect and handle file-related errors. | No |
FIO03-J | Remove temporary files before termination. | No |
FIO04-J | Release resources when they are no longer needed. | No |
FIO05-J | Do not expose buffers or their backing arrays methods to untrusted code. | No |
FIO06-J | Do not create multiple buffered wrappers on a single byte or character stream. | No |
FIO07-J | Do not let external processes block on IO buffers. | No |
FIO08-J | Distinguish between characters or bytes read from a stream and -1. | No |
FIO09-J | Do not rely on the write() method to output integers outside the range 0 to 255. | No |
FIO10-J | Ensure the array is filled when using read() to fill an array. | No |
FIO11-J | Do not convert between strings and bytes without specifying a valid character encoding. | No |
FIO12-J | Provide methods to read and write little-endian data. | No |
FIO13-J | Do not log sensitive information outside a trust boundary. | No |
FIO14-J | Perform proper cleanup at program termination. | No |
FIO15-J | Do not reset a servlet's output stream after committing it. | No |
FIO16-J | Canonicalize path names before validating them. | No |
Rule 14. | Serialization (SER) | |
SER00-J | Enable serialization compatibility during class evolution. | No |
SER01-J | Do not deviate from the proper signatures of serialization methods. | Yes |
SER02-J | Sign then seal objects before sending them outside a trust boundary. | No |
SER03-J | Do not serialize unencrypted sensitive data. | No |
SER04-J | Do not allow serialization and deserialization to bypass the security manager. | No |
SER05-J | Do not serialize instances of inner classes. | No |
SER06-J | Make defensive copies of private mutable components during deserialization. | No |
SER07-J | Do not use the default serialized form for classes with implementation-defined invariants. | No |
SER08-J | Minimize privileges before deserializing from a privileged context. | No |
SER09-J | Do not invoke overridable methods from the readObject() method. | No |
SER10-J | Avoid memory and resource leaks during serialization. | No |
SER11-J | Prevent overwriting of externalizable objects. | No |
SER12-J | Prevent deserialization of untrusted data. | No |
SER13-J | Deserialization methods should not perform potentially dangerous operations. | No |
Rule 15. | Platform Security (SEC) | |
SEC00-J | Do not allow privileged blocks to leak sensitive information across a trust boundary. | No |
SEC01-J | Do not allow tainted variables in privileged blocks. | No |
SEC02-J | Do not base security checks on untrusted sources. | No |
SEC03-J | Do not load trusted classes after allowing untrusted code to load arbitrary classes. | No |
SEC04-J | Protect sensitive operations with security manager checks. | No |
SEC05-J | Do not use reflection to increase accessibility of classes, methods, or fields. | No |
SEC06-J | Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar. | No |
SEC07-J | Call the superclass's getPermissions() method when writing a custom class loader. | No |
SEC08-J | Trusted code must discard or clean any arguments provided by untrusted code. | No |
SEC09-J | Never leak the results of certain standard API methods from trusted code to untrusted code. | No |
SEC10-J | Never permit untrusted code to invoke any API that may (possibly transitively) invoke the reflection APIs. | No |
Rule 16. | Runtime Environment (ENV) | |
ENV00-J | Do not sign code that performs only unprivileged operations. | No |
ENV01-J | Place all security-sensitive code in a single JAR and sign and seal it. | No |
ENV02-J | Do not trust the values of environment variables. | No |
ENV03-J | Do not grant dangerous combinations of permissions. | No |
ENV04-J | Do not disable bytecode verification. | No |
ENV05-J | Do not deploy an application that can be remotely monitored. | No |
ENV06-J | Production code must not contain debugging entry points. | No |
Rule 17. | Java Native Interface (JNI) | |
JNI00-J | Define wrappers around native methods. | No |
JNI01-J | Safely invoke standard APIs that perform tasks using the immediate caller's class loader instance (loadLibrary). | No |
JNI02-J | Do not assume object references are constant or unique. | No |
JNI03-J | Do not use direct pointers to Java objects in JNI code. | No |
JNI04-J | Do not assume that Java strings are null-terminated. | No |
Rule 49. | Miscellaneous (MSC) | |
MSC00-J | Use SSLSocket rather than Socket for secure data exchange. | No |
MSC01-J | Do not use an empty infinite loop. | No |
MSC02-J | Generate strong random numbers. | Yes |
MSC03-J | Never hard code sensitive information. | Yes |
MSC04-J | Do not leak memory. | No |
MSC05-J | Do not exhaust heap space. | No |
MSC06-J | Do not modify the underlying collection when an iteration is in progress. | No |
MSC07-J | Prevent multiple instantiations of singleton objects. | No |
MSC08-J | Do not store nonserializable objects as attributes in an HTTP session. | No |
MSC09-J | For OAuth, ensure (a) [relying party receiving user's ID in last step] is same as (b) [relying party the access token was granted to]. | No |
MSC10-J | Do not use OAuth 2.0 implicit grant (unmodified) for authentication. | No |
MSC11-J | Do not let session information leak within a servlet. | No |