Classes that throw exceptions in their constructors are vulnerable to Finalizer attacks

A finalizer attack can be prevented, by declaring the class final, using an empty finalizer declared as final, or by a clever use of a private constructor.

See SEI CERT Rule OBJ-11 [https://wiki.sei.cmu.edu/confluence/display/java/OBJ11-J.+Be+wary+of+letting+constructors+throw+exceptions] for more information.

This method may fail to clean up (close, dispose of) a stream, database object, or other resource requiring an explicit cleanup operation.

In general, if a method opens a stream or other resource, the method should use a try/finally block to ensure that the stream or resource is cleaned up before the method returns.

This bug pattern is essentially the same as the OS_OPEN_STREAM and ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and hopefully better) static analysis technique. We are interested is getting feedback about the usefulness of this bug pattern. For sending feedback, check:

 * contributing guideline [https://github.com/spotbugs/spotbugs/blob/master/.github/CONTRIBUTING.md]
 * mailinglist [https://github.com/spotbugs/discuss/issues?q=]

In particular, the false-positive suppression heuristics for this bug pattern have not been extensively tuned, so reports about false positives are helpful to us.

See Weimer and Necula, Finding and Preventing Run-Time Error Handling Mistakes (PDF [https://people.eecs.berkeley.edu/~necula/Papers/rte_oopsla04.pdf]), for a description of the analysis technique.

This method may fail to clean up (close, dispose of) a stream, database object, or other resource requiring an explicit cleanup operation.

In general, if a method opens a stream or other resource, the method should use a try/finally block to ensure that the stream or resource is cleaned up before the method returns.

This bug pattern is essentially the same as the OS_OPEN_STREAM and ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and hopefully better) static analysis technique. We are interested is getting feedback about the usefulness of this bug pattern. For sending feedback, check:

 * contributing guideline [https://github.com/spotbugs/spotbugs/blob/master/.github/CONTRIBUTING.md]
 * mailinglist [https://github.com/spotbugs/discuss/issues?q=]

In particular, the false-positive suppression heuristics for this bug pattern have not been extensively tuned, so reports about false positives are helpful to us.

See Weimer and Necula, Finding and Preventing Run-Time Error Handling Mistakes (PDF [https://people.eecs.berkeley.edu/~necula/Papers/rte_oopsla04.pdf]), for a description of the analysis technique.

This method may fail to clean up (close, dispose of) a stream, database object, or other resource requiring an explicit cleanup operation.

In general, if a method opens a stream or other resource, the method should use a try/finally block to ensure that the stream or resource is cleaned up before the method returns.

This bug pattern is essentially the same as the OS_OPEN_STREAM and ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and hopefully better) static analysis technique. We are interested is getting feedback about the usefulness of this bug pattern. For sending feedback, check:

 * contributing guideline [https://github.com/spotbugs/spotbugs/blob/master/.github/CONTRIBUTING.md]
 * mailinglist [https://github.com/spotbugs/discuss/issues?q=]

In particular, the false-positive suppression heuristics for this bug pattern have not been extensively tuned, so reports about false positives are helpful to us.

See Weimer and Necula, Finding and Preventing Run-Time Error Handling Mistakes (PDF [https://people.eecs.berkeley.edu/~necula/Papers/rte_oopsla04.pdf]), for a description of the analysis technique.

This method may fail to clean up (close, dispose of) a stream, database object, or other resource requiring an explicit cleanup operation.

In general, if a method opens a stream or other resource, the method should use a try/finally block to ensure that the stream or resource is cleaned up before the method returns.

This bug pattern is essentially the same as the OS_OPEN_STREAM and ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and hopefully better) static analysis technique. We are interested is getting feedback about the usefulness of this bug pattern. For sending feedback, check:

 * contributing guideline [https://github.com/spotbugs/spotbugs/blob/master/.github/CONTRIBUTING.md]
 * mailinglist [https://github.com/spotbugs/discuss/issues?q=]

In particular, the false-positive suppression heuristics for this bug pattern have not been extensively tuned, so reports about false positives are helpful to us.

See Weimer and Necula, Finding and Preventing Run-Time Error Handling Mistakes (PDF [https://people.eecs.berkeley.edu/~necula/Papers/rte_oopsla04.pdf]), for a description of the analysis technique.

This method may fail to clean up (close, dispose of) a stream, database object, or other resource requiring an explicit cleanup operation.

In general, if a method opens a stream or other resource, the method should use a try/finally block to ensure that the stream or resource is cleaned up before the method returns.

This bug pattern is essentially the same as the OS_OPEN_STREAM and ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and hopefully better) static analysis technique. We are interested is getting feedback about the usefulness of this bug pattern. For sending feedback, check:

 * contributing guideline [https://github.com/spotbugs/spotbugs/blob/master/.github/CONTRIBUTING.md]
 * mailinglist [https://github.com/spotbugs/discuss/issues?q=]

In particular, the false-positive suppression heuristics for this bug pattern have not been extensively tuned, so reports about false positives are helpful to us.

See Weimer and Necula, Finding and Preventing Run-Time Error Handling Mistakes (PDF [https://people.eecs.berkeley.edu/~necula/Papers/rte_oopsla04.pdf]), for a description of the analysis technique.

This method may fail to clean up (close, dispose of) a stream, database object, or other resource requiring an explicit cleanup operation.

In general, if a method opens a stream or other resource, the method should use a try/finally block to ensure that the stream or resource is cleaned up before the method returns.

This bug pattern is essentially the same as the OS_OPEN_STREAM and ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and hopefully better) static analysis technique. We are interested is getting feedback about the usefulness of this bug pattern. For sending feedback, check:

 * contributing guideline [https://github.com/spotbugs/spotbugs/blob/master/.github/CONTRIBUTING.md]
 * mailinglist [https://github.com/spotbugs/discuss/issues?q=]

In particular, the false-positive suppression heuristics for this bug pattern have not been extensively tuned, so reports about false positives are helpful to us.

See Weimer and Necula, Finding and Preventing Run-Time Error Handling Mistakes (PDF [https://people.eecs.berkeley.edu/~necula/Papers/rte_oopsla04.pdf]), for a description of the analysis technique.

This method may fail to clean up (close, dispose of) a stream, database object, or other resource requiring an explicit cleanup operation.

In general, if a method opens a stream or other resource, the method should use a try/finally block to ensure that the stream or resource is cleaned up before the method returns.

This bug pattern is essentially the same as the OS_OPEN_STREAM and ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and hopefully better) static analysis technique. We are interested is getting feedback about the usefulness of this bug pattern. For sending feedback, check:

 * contributing guideline [https://github.com/spotbugs/spotbugs/blob/master/.github/CONTRIBUTING.md]
 * mailinglist [https://github.com/spotbugs/discuss/issues?q=]

In particular, the false-positive suppression heuristics for this bug pattern have not been extensively tuned, so reports about false positives are helpful to us.

See Weimer and Necula, Finding and Preventing Run-Time Error Handling Mistakes (PDF [https://people.eecs.berkeley.edu/~necula/Papers/rte_oopsla04.pdf]), for a description of the analysis technique.

This method may fail to clean up (close, dispose of) a stream, database object, or other resource requiring an explicit cleanup operation.

In general, if a method opens a stream or other resource, the method should use a try/finally block to ensure that the stream or resource is cleaned up before the method returns.

This bug pattern is essentially the same as the OS_OPEN_STREAM and ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and hopefully better) static analysis technique. We are interested is getting feedback about the usefulness of this bug pattern. For sending feedback, check:

 * contributing guideline [https://github.com/spotbugs/spotbugs/blob/master/.github/CONTRIBUTING.md]
 * mailinglist [https://github.com/spotbugs/discuss/issues?q=]

In particular, the false-positive suppression heuristics for this bug pattern have not been extensively tuned, so reports about false positives are helpful to us.

See Weimer and Necula, Finding and Preventing Run-Time Error Handling Mistakes (PDF [https://people.eecs.berkeley.edu/~necula/Papers/rte_oopsla04.pdf]), for a description of the analysis technique.

This method may fail to clean up (close, dispose of) a stream, database object, or other resource requiring an explicit cleanup operation.

In general, if a method opens a stream or other resource, the method should use a try/finally block to ensure that the stream or resource is cleaned up before the method returns.

This bug pattern is essentially the same as the OS_OPEN_STREAM and ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and hopefully better) static analysis technique. We are interested is getting feedback about the usefulness of this bug pattern. For sending feedback, check:

 * contributing guideline [https://github.com/spotbugs/spotbugs/blob/master/.github/CONTRIBUTING.md]
 * mailinglist [https://github.com/spotbugs/discuss/issues?q=]

In particular, the false-positive suppression heuristics for this bug pattern have not been extensively tuned, so reports about false positives are helpful to us.

See Weimer and Necula, Finding and Preventing Run-Time Error Handling Mistakes (PDF [https://people.eecs.berkeley.edu/~necula/Papers/rte_oopsla04.pdf]), for a description of the analysis technique.

This method may fail to clean up (close, dispose of) a stream, database object, or other resource requiring an explicit cleanup operation.

In general, if a method opens a stream or other resource, the method should use a try/finally block to ensure that the stream or resource is cleaned up before the method returns.

This bug pattern is essentially the same as the OS_OPEN_STREAM and ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and hopefully better) static analysis technique. We are interested is getting feedback about the usefulness of this bug pattern. For sending feedback, check:

 * contributing guideline [https://github.com/spotbugs/spotbugs/blob/master/.github/CONTRIBUTING.md]
 * mailinglist [https://github.com/spotbugs/discuss/issues?q=]

In particular, the false-positive suppression heuristics for this bug pattern have not been extensively tuned, so reports about false positives are helpful to us.

See Weimer and Necula, Finding and Preventing Run-Time Error Handling Mistakes (PDF [https://people.eecs.berkeley.edu/~necula/Papers/rte_oopsla04.pdf]), for a description of the analysis technique.

This method may fail to clean up (close, dispose of) a stream, database object, or other resource requiring an explicit cleanup operation.

In general, if a method opens a stream or other resource, the method should use a try/finally block to ensure that the stream or resource is cleaned up before the method returns.

This bug pattern is essentially the same as the OS_OPEN_STREAM and ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and hopefully better) static analysis technique. We are interested is getting feedback about the usefulness of this bug pattern. For sending feedback, check:

 * contributing guideline [https://github.com/spotbugs/spotbugs/blob/master/.github/CONTRIBUTING.md]
 * mailinglist [https://github.com/spotbugs/discuss/issues?q=]

In particular, the false-positive suppression heuristics for this bug pattern have not been extensively tuned, so reports about false positives are helpful to us.

See Weimer and Necula, Finding and Preventing Run-Time Error Handling Mistakes (PDF [https://people.eecs.berkeley.edu/~necula/Papers/rte_oopsla04.pdf]), for a description of the analysis technique.

This method may fail to clean up (close, dispose of) a stream, database object, or other resource requiring an explicit cleanup operation.

In general, if a method opens a stream or other resource, the method should use a try/finally block to ensure that the stream or resource is cleaned up before the method returns.

This bug pattern is essentially the same as the OS_OPEN_STREAM and ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and hopefully better) static analysis technique. We are interested is getting feedback about the usefulness of this bug pattern. For sending feedback, check:

 * contributing guideline [https://github.com/spotbugs/spotbugs/blob/master/.github/CONTRIBUTING.md]
 * mailinglist [https://github.com/spotbugs/discuss/issues?q=]

In particular, the false-positive suppression heuristics for this bug pattern have not been extensively tuned, so reports about false positives are helpful to us.

See Weimer and Necula, Finding and Preventing Run-Time Error Handling Mistakes (PDF [https://people.eecs.berkeley.edu/~necula/Papers/rte_oopsla04.pdf]), for a description of the analysis technique.

This method may fail to clean up (close, dispose of) a stream, database object, or other resource requiring an explicit cleanup operation.

In general, if a method opens a stream or other resource, the method should use a try/finally block to ensure that the stream or resource is cleaned up before the method returns.

This bug pattern is essentially the same as the OS_OPEN_STREAM and ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and hopefully better) static analysis technique. We are interested is getting feedback about the usefulness of this bug pattern. For sending feedback, check:

 * contributing guideline [https://github.com/spotbugs/spotbugs/blob/master/.github/CONTRIBUTING.md]
 * mailinglist [https://github.com/spotbugs/discuss/issues?q=]

In particular, the false-positive suppression heuristics for this bug pattern have not been extensively tuned, so reports about false positives are helpful to us.

See Weimer and Necula, Finding and Preventing Run-Time Error Handling Mistakes (PDF [https://people.eecs.berkeley.edu/~necula/Papers/rte_oopsla04.pdf]), for a description of the analysis technique.

This method may fail to clean up (close, dispose of) a stream, database object, or other resource requiring an explicit cleanup operation.

In general, if a method opens a stream or other resource, the method should use a try/finally block to ensure that the stream or resource is cleaned up before the method returns.

This bug pattern is essentially the same as the OS_OPEN_STREAM and ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and hopefully better) static analysis technique. We are interested is getting feedback about the usefulness of this bug pattern. For sending feedback, check:

 * contributing guideline [https://github.com/spotbugs/spotbugs/blob/master/.github/CONTRIBUTING.md]
 * mailinglist [https://github.com/spotbugs/discuss/issues?q=]

In particular, the false-positive suppression heuristics for this bug pattern have not been extensively tuned, so reports about false positives are helpful to us.

See Weimer and Necula, Finding and Preventing Run-Time Error Handling Mistakes (PDF [https://people.eecs.berkeley.edu/~necula/Papers/rte_oopsla04.pdf]), for a description of the analysis technique.

This method may fail to clean up (close, dispose of) a stream, database object, or other resource requiring an explicit cleanup operation.

In general, if a method opens a stream or other resource, the method should use a try/finally block to ensure that the stream or resource is cleaned up before the method returns.

This bug pattern is essentially the same as the OS_OPEN_STREAM and ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and hopefully better) static analysis technique. We are interested is getting feedback about the usefulness of this bug pattern. For sending feedback, check:

 * contributing guideline [https://github.com/spotbugs/spotbugs/blob/master/.github/CONTRIBUTING.md]
 * mailinglist [https://github.com/spotbugs/discuss/issues?q=]

In particular, the false-positive suppression heuristics for this bug pattern have not been extensively tuned, so reports about false positives are helpful to us.

See Weimer and Necula, Finding and Preventing Run-Time Error Handling Mistakes (PDF [https://people.eecs.berkeley.edu/~necula/Papers/rte_oopsla04.pdf]), for a description of the analysis technique.

The method creates a database resource (such as a database connection or row set), does not assign it to any fields, pass it to other methods, or return it, and does not appear to close the object on all paths out of the method.  Failure to close database resources on all paths out of a method may result in poor performance, and could cause the application to have problems communicating with the database.

The method creates a database resource (such as a database connection or row set), does not assign it to any fields, pass it to other methods, or return it, and does not appear to close the object on all paths out of the method.  Failure to close database resources on all paths out of a method may result in poor performance, and could cause the application to have problems communicating with the database.

SEI CERT rule OBJ01-J [https://wiki.sei.cmu.edu/confluence/display/java/OBJ01-J.+Limit+accessibility+of+fields] requires that accessibility to fields must be limited. Otherwise, the values of the fields may be manipulated from outside the class, which may be unexpected or undesired behaviour. In general, requiring that no fields are allowed to be public is overkill and unrealistic. Even the rule mentions that final fields may be public. Besides final fields, there may be other usages for public fields: some public fields may serve as "flags" that affect the behavior of the class. Such flag fields are expected to be read by the current instance (or the current class, in case of static fields), but written by others. If a field is both written by the methods of the current instance (or the current class, in case of static fields) and from the outside, the code is suspicious. Consider making these fields private and provide appropriate setters, if necessary. Please note that constructors, initializers and finalizers are exceptions, if only they write the field inside the class, the field is not considered as written by the class itself.

SEI CERT rule OBJ01-J [https://wiki.sei.cmu.edu/confluence/display/java/OBJ01-J.+Limit+accessibility+of+fields] requires that accessibility to fields must be limited. Otherwise, the values of the fields may be manipulated from outside the class, which may be unexpected or undesired behaviour. In general, requiring that no fields are allowed to be public is overkill and unrealistic. Even the rule mentions that final fields may be public. Besides final fields, there may be other usages for public fields: some public fields may serve as "flags" that affect the behavior of the class. Such flag fields are expected to be read by the current instance (or the current class, in case of static fields), but written by others. If a field is both written by the methods of the current instance (or the current class, in case of static fields) and from the outside, the code is suspicious. Consider making these fields private and provide appropriate setters, if necessary. Please note that constructors, initializers and finalizers are exceptions, if only they write the field inside the class, the field is not considered as written by the class itself.

SEI CERT rule OBJ01-J [https://wiki.sei.cmu.edu/confluence/display/java/OBJ01-J.+Limit+accessibility+of+fields] requires that accessibility to fields must be limited. Otherwise, the values of the fields may be manipulated from outside the class, which may be unexpected or undesired behaviour. In general, requiring that no fields are allowed to be public is overkill and unrealistic. Even the rule mentions that final fields may be public. Besides final fields, there may be other usages for public fields: some public fields may serve as "flags" that affect the behavior of the class. Such flag fields are expected to be read by the current instance (or the current class, in case of static fields), but written by others. If a field is both written by the methods of the current instance (or the current class, in case of static fields) and from the outside, the code is suspicious. Consider making these fields private and provide appropriate setters, if necessary. Please note that constructors, initializers and finalizers are exceptions, if only they write the field inside the class, the field is not considered as written by the class itself.

SEI CERT rule OBJ01-J [https://wiki.sei.cmu.edu/confluence/display/java/OBJ01-J.+Limit+accessibility+of+fields] requires that accessibility to fields must be limited. Otherwise, the values of the fields may be manipulated from outside the class, which may be unexpected or undesired behaviour. In general, requiring that no fields are allowed to be public is overkill and unrealistic. Even the rule mentions that final fields may be public. Besides final fields, there may be other usages for public fields: some public fields may serve as "flags" that affect the behavior of the class. Such flag fields are expected to be read by the current instance (or the current class, in case of static fields), but written by others. If a field is both written by the methods of the current instance (or the current class, in case of static fields) and from the outside, the code is suspicious. Consider making these fields private and provide appropriate setters, if necessary. Please note that constructors, initializers and finalizers are exceptions, if only they write the field inside the class, the field is not considered as written by the class itself.

The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection.

Vulnerable Code:


Connection conn = [...];
Statement stmt = con.createStatement();
ResultSet rs = stmt.executeQuery("update COFFEES set SALES = "+nbSales+" where COF_NAME = '"+coffeeName+"'");



Solution:


Connection conn = [...];
conn.prepareStatement("update COFFEES set SALES = ? where COF_NAME = ?");
updateSales.setInt(1, nbSales);
updateSales.setString(2, coffeeName);




References (JDBC)
Oracle Documentation: The Java Tutorials > Prepared Statements [https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html]
References (SQL injection)
WASC-19: SQL Injection [http://projects.webappsec.org/w/page/13246963/SQL%20Injection]
CAPEC-66: SQL Injection [https://capec.mitre.org/data/definitions/66.html]
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [https://cwe.mitre.org/data/definitions/89.html]
OWASP: Top 10 2013-A1-Injection [https://www.owasp.org/index.php/Top_10_2013-A1-Injection]
OWASP: SQL Injection Prevention Cheat Sheet [https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet]
OWASP: Query Parameterization Cheat Sheet [https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet]

The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection.

Vulnerable Code:


Connection conn = [...];
Statement stmt = con.createStatement();
ResultSet rs = stmt.executeQuery("update COFFEES set SALES = "+nbSales+" where COF_NAME = '"+coffeeName+"'");



Solution:


Connection conn = [...];
conn.prepareStatement("update COFFEES set SALES = ? where COF_NAME = ?");
updateSales.setInt(1, nbSales);
updateSales.setString(2, coffeeName);




References (JDBC)
Oracle Documentation: The Java Tutorials > Prepared Statements [https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html]
References (SQL injection)
WASC-19: SQL Injection [http://projects.webappsec.org/w/page/13246963/SQL%20Injection]
CAPEC-66: SQL Injection [https://capec.mitre.org/data/definitions/66.html]
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [https://cwe.mitre.org/data/definitions/89.html]
OWASP: Top 10 2013-A1-Injection [https://www.owasp.org/index.php/Top_10_2013-A1-Injection]
OWASP: SQL Injection Prevention Cheat Sheet [https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet]
OWASP: Query Parameterization Cheat Sheet [https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet]

The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection.

Vulnerable Code:


Connection conn = [...];
Statement stmt = con.createStatement();
ResultSet rs = stmt.executeQuery("update COFFEES set SALES = "+nbSales+" where COF_NAME = '"+coffeeName+"'");



Solution:


Connection conn = [...];
conn.prepareStatement("update COFFEES set SALES = ? where COF_NAME = ?");
updateSales.setInt(1, nbSales);
updateSales.setString(2, coffeeName);




References (JDBC)
Oracle Documentation: The Java Tutorials > Prepared Statements [https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html]
References (SQL injection)
WASC-19: SQL Injection [http://projects.webappsec.org/w/page/13246963/SQL%20Injection]
CAPEC-66: SQL Injection [https://capec.mitre.org/data/definitions/66.html]
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [https://cwe.mitre.org/data/definitions/89.html]
OWASP: Top 10 2013-A1-Injection [https://www.owasp.org/index.php/Top_10_2013-A1-Injection]
OWASP: SQL Injection Prevention Cheat Sheet [https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet]
OWASP: Query Parameterization Cheat Sheet [https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet]