界: Code Quality
程式碼品質不佳,會導致無法預料的行為。從使用者的角度來看,這通常表現為可用性不佳。對於攻擊者而言,這提供了以意想不到的方式向系統施加壓力的機會。
Code Correctness: null Argument To Equivalence Method
Abstract
表示式
obj.Equals(null) 將永遠為 false。Explanation
程式會使用
Equals() 方法將物件與 null 做比較。Equals() 方法的約定將要求此比較永遠傳回 false。References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 398, CWE ID 754
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 11.1.7 Business Logic Security Requirements (L2 L3)
[7] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 754
desc.structural.dotnet.code_correctness_null_argument_to_equivalence_method
Abstract
表示式
obj.equals(null) 將永遠為 false。Explanation
程式會使用
equals() 方法將物件與 null 做比較。由於該物件不是 null,因此,此比較將永遠傳回 false。(如果該物件為 null,程式會拋出 NullPointerException)。References
[1] JavaDoc for Object Sun Microsystems
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 398, CWE ID 754
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 11.1.7 Business Logic Security Requirements (L2 L3)
[8] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 754
desc.structural.java.code_correctness_null_argument_to_equivalence_method