dumper
Reputation: 485
Malicious code vulnerability - Field should be package protected
Sonar is giving me the message:
Malicious code vulnerability - Field should be package protected for static array
FORMATS.
Why is this code considered malicious? I have a public class to store all the constants.
public class Constants
{
/*
all the public static final constants of primitive datatypes for which
there is no sonar warning.
*/
public static final String[] FORMATS = new String[] {
"yyyy-MM-dd HH:mm:ss.S z",
"yyyy-MM-dd HH:mm:ss.S"
}
Upvotes: 5
Views: 20535
Answers (1)
assylias
Reputation: 328608
Probably because another piece of code could execute:
Constants.FORMATS[0] = "SOME GARBAGE";
And break the rest of your code.
In other words your array is constant but not its content.
Examples of alternatives:
- you can store each format as a separate String constant
- you can use an immutable list instead:
public static final List<String> FORMATS = Collections.unmodifiableList(Arrays.asList("yyyy-MM-dd HH:mm:ss.S z", "yyyy-MM-dd HH:mm:ss.S")); make it a method:
public static String[] formats() { return new String[] { "yyyy-MM-dd HH:mm:ss.S z", "yyyy-MM-dd HH:mm:ss.S" }; }- ignore the warning if you are confident that (i) only your own code will access that class and (ii) there is no way you/your colleagues would even think of reassigning one of the values.
Upvotes: 20
Related Questions
- SonarQube Java path traversal attack
- SonarQube bug related to "Safe File handling"
- SonarQube vulnerability: Explicitly declare the visibility for variable
- Sonar Error - Make this member "protected"
- Sonar Violation: Security - Array is stored directly
- Command Injection Vulnerability in Java
- Sonar violation
- Sonar violation properly sanitized before use in this OS command
- Allow protected variables in Java for SonnarQube
- Sonar violation to show Java files without license/copyright information?