RKCY

Reputation: 4135

SonarQube - May Expose Internal Representation by storing an external mutable object

The code below gives an error when run through SonarQube for code vulnerability.

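    public class MyClass {

        // Field renamed from "text" so that it matches the assignment below.
        String[] texts;

        public MyClass(String[] texts) {
            // Stores the caller's array reference as-is; this is the line the rule flags.
            this.texts = texts;
        }
    }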

The above code is throwing a vulnerability error: May Expose Internal Representation by storing an external mutable object

Upvotes: 2

Views: 2120

Answers (2)

Mujammil Mulla

Reputation: 1

But each time you create a copy when using Arrays.copyOf(), a new array object is allocated in memory. I would suggest you just use the SuppressWarning annotation.

Upvotes: 0

Mobold

Reputation: 595

As already mentioned in the comments, arrays are passed by reference in Java (as all complex objects). This means there is the opportunity to pass a valid String[] to your class and, after you checked it and stored it, the caller changes the content of the array to whatever he wants.

So if you want to close this vulnerability you need to store the array like this:

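    import java.util.Arrays;

    public class SaveArrayContainer {

        public String[] data;

        public SaveArrayContainer(String[] array) {
            // Copy the array so later changes by the caller do not reach this object.
            data = Arrays.copyOf(array, array.length);
        }
    }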

Upvotes: 1
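
The change-after-check problem described in the answer above, shown side by side with the copying version. This is an added example, not code from the question or from either answer; the class names, the role strings and the validation rule are assumptions made for illustration. It also copies in the getter, since returning the stored array would hand out the same internal reference again.

```java
import java.util.Arrays;

public class DefensiveCopyDemo {

    // Hypothetical validation rule: the role "admin" may not be supplied by callers.
    static void validate(String[] roles) {
        for (String r : roles) {
            if ("admin".equals(r)) throw new IllegalArgumentException("admin not allowed");
        }
    }

    // Stores the caller's array directly (the pattern the rule flags).
    static final class Aliased {
        private final String[] roles;
        Aliased(String[] roles) {
            validate(roles);
            this.roles = roles;            // same array object the caller still holds
        }
        boolean has(String role) { return Arrays.asList(roles).contains(role); }
    }

    // Copies on the way in and on the way out.
    static final class Copied {
        private final String[] roles;
        Copied(String[] roles) {
            String[] copy = Arrays.copyOf(roles, roles.length);
            validate(copy);                // validate the copy, so checked data == stored data
            this.roles = copy;
        }
        boolean has(String role) { return Arrays.asList(roles).contains(role); }
        String[] getRoles() { return roles.clone(); }   // callers get a copy, never the field
    }

    public static void main(String[] args) {
        String[] input = {"reader"};       // constructed sample input
        Aliased aliased = new Aliased(input);
        Copied copied = new Copied(input);

        input[0] = "admin";                // caller changes the array after validation
        System.out.println("aliased sees admin: " + aliased.has("admin"));
        System.out.println("copied sees admin:  " + copied.has("admin"));

        copied.getRoles()[0] = "admin";    // writing to the returned copy changes nothing inside
        System.out.println("copied after getter write: " + copied.has("admin"));
    }
}
```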
