DATASHEET
CERT JAVA Rule Enforcement
(website 25 March 2024)
https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java
Android Rules and Stub Rules are not included
ENFORCEMENT FOR KW 2024.2
Total | ||
|---|---|---|
a | Total Number of Rules | 169 |
b | Total Number of ‘Not Statically Enforceable’ Rules (Assisted/Unassisted) | 0 |
c | Total Number of Enforceable Rules (a-b) | 169 |
d | Total Number of Enforced Rules | 54 |
e | Total Number of Unenforced Rules | 115 |
f | Enforce Rules Percentage (d/c) | 32% |
g | Unenforced Rules Percentage (e/c) | 68% |
Rule ID | Description | Level | Enforced |
|---|---|---|---|
Rule 00. Input Validation and Data Sanitization (IDS) | |||
IDS00-J | Prevent SQL injection | L1 | Yes |
IDS01-J | Normalize strings before validating them | L1 | Yes |
IDS03-J | Do not log unsanitized user input | L2 | Yes |
IDS04-J | Safely extract files from ZipInputStream | L3 | No |
IDS06-J | Exclude unsanitized user input from format strings | L3 | No |
IDS07-J | Sanitize untrusted data passed to the Runtime.exec() method | L1 | Yes |
IDS08-J | Sanitize untrusted data included in a regular expression | L3 | No |
IDS11-J | Perform any string modifications before validation | L1 | No |
IDS14-J | Do not trust the contents of hidden form fields | L2 | No |
IDS15-J | Do not allow sensitive information to leak outside a trust boundary | L2 | No |
IDS16-J | Prevent XML Injection | L1 | Yes |
IDS17-J | Prevent XML External Entity Attacks | L2 | Yes |
Rule 01. Declarations and Initialization (DCL) | |||
DCL00-J | Prevent class initialization cycles | L3 | No |
DCL01-J | Do not reuse public identifiers from the Java Standard Library | L3 | No |
DCL02-J | Do not modify the collection's elements during an enhanced for statement | L3 | Yes |
Rule 02. Expressions (EXP) | |||
EXP00-J | Do not ignore values returned by methods | L2 | Yes |
EXP01-J | Do not use a null in a case where an object is required | L3 | Yes |
EXP02-J | Do not use the Object.equals() method to compare two arrays | L2 | Yes |
EXP03-J | Do not use the equality operators when comparing values of boxed primitives | L2 | Yes |
EXP04-J | Do not pass arguments to certain Java Collections Framework methods that are a different type than the collection parameter type | L2 | No |
EXP05-J | Do not follow a write by a subsequent write or read of the same object within an expression | L3 | No |
EXP06-J | Expressions used in assertions must not produce side effects | L3 | No |
Rule 03. Numeric Types and Operations (NUM) | |||
NUM00-J | Detect or prevent integer overflow | L3 | Yes |
NUM01-J | Do not perform bitwise and arithmetic operations on the same data | L3 | No |
NUM02-J | Ensure that division and remainder operations do not result in divide-by-zero errors | L2 | No |
NUM03-J | Use integer types that can fully represent the possible range of unsigned data | L3 | No |
NUM04-J | Do not use floating-point numbers if precise computation is required | L3 | No |
NUM07-J | Do not attempt comparisons with NaN | L3 | No |
NUM08-J | Check floating-point inputs for exceptional values | L3 | No |
NUM09-J | Do not use floating-point variables as loop counters | L2 | No |
NUM10-J | Do not construct BigDecimal objects from floating-point literals | L2 | No |
NUM11-J | Do not compare or inspect the string representation of floating-point values | L2 | No |
NUM12-J | Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data | L3 | No |
NUM13-J | Avoid loss of precision when converting primitive integers to floating-point | L3 | No |
NUM14-J | Use shift operators correctly | L3 | No |
Rule 04. Characters and Strings (STR) | |||
STR00-J | Don't form strings containing partial characters from variable-width encodings | L3 | No |
STR01-J | Do not assume that a Java char fully represents a Unicode code point | L3 | No |
STR02-J | Specify an appropriate locale when comparing locale-dependent data | L2 | No |
STR03-J | Do not encode noncharacter data as a string | L3 | No |
STR04-J | Use compatible character encodings when communicating string data between JVMs | L3 | No |
Rule 05. Object Orientation (OBJ) | |||
OBJ01-J | Limit accessibility of fields | L1 | Yes |
OBJ02-J | Preserve dependencies in subclasses when changing superclasses | L3 | No |
OBJ03-J | Prevent heap pollution | L3 | No |
OBJ04-J | Provide mutable classes with copy functionality to safely allow passing instances to untrusted code | L2 | Yes |
OBJ05-J | Do not return references to private mutable class members | L1 | Yes |
OBJ06-J | Defensively copy mutable inputs and mutable internal components | L3 | No |
OBJ07-J | Sensitive classes must not let themselves be copied | L2 | No |
OBJ08-J | Do not expose private members of an outer class from within a nested class | L2 | No |
OBJ09-J | Compare classes and not class names | L2 | Yes |
OBJ10-J | Do not use public static nonfinal fields | L2 | Yes |
OBJ11-J | Be wary of letting constructors throw exceptions | L1 | No |
OBJ13-J | Ensure that references to mutable objects are not exposed | L1 | No |
OBJ14-J | Do not use an object that has been freed. | L2 | No |
Rule 06. Methods (MET) | |||
MET00-J | Validate method arguments | L2 | No |
MET01-J | Never use assertions to validate method arguments | L2 | No |
MET02-J | Do not use deprecated or obsolete classes or methods | L3 | No |
MET03-J | Methods that perform a security check must be declared private or final | L2 | No |
MET04-J | Do not increase the accessibility of overridden or hidden methods | L2 | No |
MET05-J | Ensure that constructors do not call overridable methods | L2 | No |
MET06-J | Do not invoke overridable methods in clone() | L1 | No |
MET07-J | Never declare a class method that hides a method declared in a superclass or superinterface | L3 | No |
MET08-J | Preserve the equality contract when overriding the equals() method | L3 | No |
MET09-J | Classes that define an equals() method must also define a hashCode() method | L3 | Yes |
MET10-J | Follow the general contract when implementing the compareTo() method | L3 | No |
MET11-J | Ensure that keys used in comparison operations are immutable | L3 | No |
MET12-J | Do not use finalizers | L2 | Yes |
MET13-J | Do not assume that reassigning method arguments modifies the calling environment | L2 | No |
Rule 07. Exceptional Behavior (ERR) | |||
ERR00-J | Do not suppress or ignore checked exceptions | L3 | No |
ERR01-J | Do not allow exceptions to expose sensitive information | L3 | Yes |
ERR02-J | Prevent exceptions while logging data | L2 | No |
ERR03-J | Restore prior object state on method failure | L3 | Yes |
ERR04-J | Do not complete abruptly from a finally block | L3 | Yes |
ERR05-J | Do not let checked exceptions escape from a finally block | L3 | Yes |
ERR06-J | Do not throw undeclared checked exceptions | L3 | No |
ERR07-J | Do not throw RuntimeException, Exception, or Throwable | L2 | Yes |
ERR08-J | Do not catch NullPointerException or any of its ancestors | L1 | Yes |
ERR09-J | Do not allow untrusted code to terminate the JVM | L3 | Yes |
Rule 08. Visibility and Atomicity (VNA) | |||
VNA00-J | Ensure visibility when accessing shared primitive variables | L2 | Yes |
VNA01-J | Ensure visibility of shared references to immutable objects | L3 | Yes |
VNA02-J | Ensure that compound operations on shared variables are atomic | L2 | Yes |
VNA03-J | Do not assume that a group of calls to independently atomic methods is atomic | L3 | No |
VNA04-J | Ensure that calls to chained methods are atomic | L3 | No |
VNA05-J | Ensure atomicity when reading and writing 64-bit values | L3 | No |
Rule 09. Locking (LCK) | |||
LCK00-J | Use private final lock objects to synchronize classes that may interact with untrusted code | L3 | No |
LCK01-J | Do not synchronize on objects that may be reused | L2 | No |
LCK02-J | Do not synchronize on the class object returned by getClass() | L2 | No |
LCK03-J | Do not synchronize on the intrinsic locks of high-level concurrency objects | L2 | No |
LCK04-J | Do not synchronize on a collection view if the backing collection is accessible | L3 | No |
LCK05-J | Synchronize access to static fields that can be modified by untrusted code | L3 | Yes |
LCK06-J | Do not use an instance lock to protect shared static data | L2 | No |
LCK07-J | Avoid deadlock by requesting and releasing locks in the same order | L3 | Yes |
LCK08-J | Ensure actively held locks are released on exceptional conditions | L2 | No |
LCK09-J | Do not perform operations that can block while holding a lock | L3 | Yes |
LCK10-J | Use a correct form of the double-checked locking idiom | L3 | Yes |
LCK11-J | Avoid client-side locking when using classes that do not commit to their locking strategy | L3 | No |
Rule 10. Thread APIs (THI) | |||
THI00-J | Do not invoke Thread.run() | L3 | Yes |
THI01-J | Do not invoke ThreadGroup methods | L3 | No |
THI02-J | Notify all waiting threads rather than a single thread | L3 | No |
THI03-J | Always invoke wait() and await() methods inside a loop | L3 | No |
THI04-J | Ensure that threads performing blocking operations can be terminated | L3 | No |
THI05-J | Do not use Thread.stop() to terminate threads | L3 | No |
Rule 11. Thread Pools (TPS) | |||
TPS00-J | Use thread pools to enable graceful degradation of service during traffic bursts | L3 | No |
TPS01-J | Do not execute interdependent tasks in a bounded thread pool | L3 | No |
TPS02-J | Ensure that tasks submitted to a thread pool are interruptible | L3 | No |
TPS03-J | Ensure that tasks executing in a thread pool do not fail silently | L3 | No |
TPS04-J | Ensure ThreadLocal variables are reinitialized when using thread pools | L3 | No |
Rule 12. Thread-Safety Miscellaneous (TSM) | |||
TSM00-J | Do not override thread-safe methods with methods that are not thread-safe | L3 | No |
TSM01-J | Do not let the this reference escape during object construction | L3 | No |
TSM02-J | Do not use background threads during class initialization | L3 | No |
TSM03-J | Do not publish partially initialized objects | L2 | No |
Rule 13. Input Output (FIO) | |||
FIO00-J | Do not operate on files in shared directories | L3 | No |
FIO01-J | Create files with appropriate access permissions | L3 | Yes |
FIO02-J | Detect and handle file-related errors | L2 | No |
FIO03-J | Remove temporary files before termination | L2 | Yes |
FIO04-J | Release resources when they are no longer needed | L3 | Yes |
FIO05-J | Do not expose buffers or their backing arrays methods to untrusted code | L1 | No |
FIO06-J | Do not create multiple buffered wrappers on a single byte or character stream | L3 | No |
FIO07-J | Do not let external processes block on IO buffers | L3 | No |
FIO08-J | Distinguish between characters or bytes read from a stream and -1 | L1 | No |
FIO09-J | Do not rely on the write() method to output integers outside the range 0 to 255 | L3 | No |
FIO10-J | Ensure the array is filled when using read() to fill an array | L3 | No |
FIO12-J | Provide methods to read and write little-endian data | L3 | No |
FIO13-J | Do not log sensitive information outside a trust boundary | L3 | Yes |
FIO14-J | Perform proper cleanup at program termination | L1 | No |
FIO15-J | Do not reset a servlet's output stream after committing it | L3 | No |
FIO16-J | Canonicalize path names before validating them | L3 | Yes |
Rule 14. Serialization (SER) | |||
SER00-J | Enable serialization compatibility during class evolution | L3 | No |
SER01-J | Do not deviate from the proper signatures of serialization methods | L1 | Yes |
SER02-J | Sign then seal objects before sending them outside a trust boundary | L3 | No |
SER03-J | Do not serialize unencrypted sensitive data | L2 | Yes |
SER04-J | Do not allow serialization and deserialization to bypass the security manager | L2 | No |
SER05-J | Do not serialize instances of inner classes | L1 | No |
SER06-J | Make defensive copies of private mutable components during deserialization | L3 | Yes |
SER07-J | Do not use the default serialized form for classes with implementation-defined invariants | L3 | No |
SER08-J | Minimize privileges before deserializing from a privileged context | L1 | No |
SER09-J | Do not invoke overridable methods from the readObject() method | L3 | Yes |
SER10-J | Avoid memory and resource leaks during serialization | L3 | No |
SER11-J | Prevent overwriting of externalizable objects | L2 | No |
SER12-J | Prevent deserialization of untrusted data | L2 | Yes |
Rule 15. Platform Security (SEC) | |||
SEC00-J | Do not allow privileged blocks to leak sensitive information across a trust boundary | L2 | Yes |
SEC01-J | Do not allow tainted variables in privileged blocks | L1 | No |
SEC02-J | Do not base security checks on untrusted sources | L1 | No |
SEC03-J | Do not load trusted classes after allowing untrusted code to load arbitrary classes | L1 | Yes |
SEC04-J | Protect sensitive operations with security manager checks | L1 | No |
SEC05-J | Do not use reflection to increase accessibility of classes, methods, or fields | L1 | No |
SEC06-J | Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar | L1 | No |
SEC07-J | Call the superclass's getPermissions() method when writing a custom class loader | L1 | No |
Rule 16. Runtime Environment (ENV) | |||
ENV00-J | Do not sign code that performs only unprivileged operations | L1 | No |
ENV01-J | Place all security-sensitive code in a single JAR and sign and seal it | L1 | No |
ENV02-J | Do not trust the values of environment variables | L2 | No |
ENV03-J | Do not grant dangerous combinations of permissions | L1 | Yes |
ENV04-J | Do not disable bytecode verification | L1 | No |
ENV05-J | Do not deploy an application that can be remotely monitored | L1 | No |
ENV06-J | Production code must not contain debugging entry points | L1 | No |
Rule 17. Java Native Interface (JNI) | |||
JNI00-J | Define wrappers around native methods | L3 | No |
JNI01-J | Safely invoke standard APIs that perform tasks using the immediate caller's class loader instance (loadLibrary) | L1 | Yes |
JNI02-J | Do not assume object references are constant or unique | L3 | No |
JNI03-J | Do not use direct pointers to Java objects in JNI code | L1 | No |
JNI04-J | Do not assume that Java strings are null-terminated | L3 | No |
Rule 49. Miscellaneous (MSC) | |||
MSC00-J | Use SSLSocket rather than Socket for secure data exchange | L2 | Yes |
MSC01-J | Do not use an empty infinite loop | L3 | No |
MSC02-J | Generate strong random numbers | L1 | Yes |
MSC03-J | Never hard code sensitive information | L1 | Yes |
MSC04-J | Do not leak memory | L3 | No |
MSC05-J | Do not exhaust heap space | L3 | Yes |
MSC06-J | Do not modify the underlying collection when an iteration is in progress | L3 | Yes |
MSC07-J | Prevent multiple instantiations of singleton objects | L3 | No |
MSC08-J | Do not store nonserializable objects as attributes in an HTTP session | L3 | No |
MSC11-J | Do not let session information leak within a servlet | L2 | Yes |