531 개 항목 찾음
취약점

Code Correctness: Call to sleep() in Lock

Abstract
잠금 상태에 있는 동안 sleep()을 호출하면 성능이 떨어질 수 있고 교착 상태(deadlock)가 발생할 수도 있습니다.
Explanation
여러 스레드가 리소스를 잠그려고 할 경우, 잠금 상태에 있는 동안 sleep()을 호출하면 다른 모든 스레드는 리소스가 해제되기를 기다리게 될 수 있어 성능이 저하되거나 교착 상태(deadlock)가 될 수 있습니다.

예제 1: 다음 코드는 잠금 상태에 있는 동안 sleep()을 호출합니다.

ReentrantLock rl = new ReentrantLock();
...
rl.lock();
Thread.sleep(500);
...
rl.unlock();
References
[1] LCK09-J. Do not perform operations that can block while holding a lock CERT
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 557
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[10] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[12] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002950 CAT II
[33] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[34] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.java.code_correctness_call_to_sleep_in_lock

Code Correctness: Call to System.gc()

Abstract
명시적인 가비지 수집 요청은 성능 문제 발생 가능성을 나타내는 신호입니다.
Explanation
Java 개발자는 개발 경력을 쌓다 보면 누구나 아주 난해하고 이해하기 힘들고 디버깅으로 해결할 수 없어서 가비지 수집기(garbage collector) 외에는 다른 원인을 찾을 수 없을 것 같은 문제를 겪게 됩니다. 특히 버그가 time and state와 관련된 경우 이 이론을 뒷받침하는 경험 상의 증거는 다음과 같습니다. 바로 call to System.gc()를 삽입하면 문제가 사라지는 경우가 있다는 것입니다.

대부분의 경우, System.gc() 호출은 바르지 못한 방법입니다. 실제로 System.gc()를 너무 자주 호출하면 성능 문제가 생길 수 있습니다.
References
[1] D. H. Hovermeyer FindBugs User Manual
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 730
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[10] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[12] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[33] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[34] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.structural.java.code_correctness_call_to_system_gc

Code Correctness: Call to Thread.run()

Abstract
이 프로그램은 start()를 호출하는 대신 스레드의 run() 메서드를 호출합니다.
Explanation
대부분의 경우 Thread 개체의 run() 메서드를 직접 호출하는 것은 버그입니다. 프로그래머는 새 제어 스레드를 시작하려 했지만 실수로 start() 대신 run()을 호출했기 때문에 run() 메서드는 호출자의 제어 스레드에서 실행됩니다.

예제 1: 다음의 발췌된 Java 프로그램은 실수로 start() 대신 run()을 호출합니다.


    Thread thr = new Thread() {
      public void run() {
        ...
      }
    };

  thr.run();
References
[1] THI00-J. Do not invoke Thread.run() CERT
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 572
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[10] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[12] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[33] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[34] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.structural.java.code_correctness_call_to_thread_run

Code Correctness: Call to Thread.stop()

Abstract
프로그램은 스레드의 stop() 메서드를 호출하므로 리소스가 누출될 수 있습니다.
Explanation
대부분의 경우 Thread 개체의 stop() 메서드를 직접 호출하는 것은 버그입니다. 프로그래머는 스레드 실행을 중지하려고 했지만 이 방식이 스레드를 중지하는 데 적합하지 않음을 몰랐습니다. Thread 내의 stop() 함수는 Thread 개체 내의 모든 위치에서 ThreadDeath 예외를 발생시켜 개체가 일치하지 않는 상태가 되고 리소스가 누출될 수 있습니다. 이 API는 본질적으로 안전하지 않으므로 오래 전부터 더 이상 사용되지 않습니다.

예제 1: Java 프로그램에서 발췌된 다음 코드는 Thread.stop()을 잘못 호출합니다.


  ...
  public static void main(String[] args){
    ...
    Thread thr = new Thread() {
      public void run() {
        ...
      }
    };
    ...
    thr.start();
    ...
    thr.stop();
    ...
  }
References
[1] THI05-J. Do not use Thread.stop() to terminate threads CERT
[2] Why are Thread.stop, Thread.suspend, Thread.resume and Runtime.runFinalizersOnExit Deprecated? Oracle
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - Common Weakness Enumeration CWE ID 572
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[11] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[13] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[34] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[35] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.semantic.java.code_correctness_call_to_thread_stop

Code Correctness: Class Does Not Implement Cloneable

Abstract
이 클래스는 clone() 메서드를 구현하지만 Cloneable 인터페이스는 구현하지 않습니다.
Explanation
프로그래머는 이 클래스가 clone()이라는 메서드를 구현하기 때문에 Cloneable 인터페이스를 구현하도록 할 생각이었던 것 같습니다. 하지만 클래스는 Cloneable 인터페이스를 구현하지 않고 clone() 메서드는 올바로 동작하지 않습니다.

예제 1: 다음 클래스에서 clone()을 호출하면 CloneNotSupportedException.이 발생합니다.


public class Kibitzer {
  public Object clone() throws CloneNotSupportedException {
    ...
  }
}

References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 498
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[9] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[11] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[32] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[33] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.structural.java.code_correctness_class_does_not_implement_cloneable

Code Correctness: Class Does Not Implement Equivalence Method

Abstract
Equals()Equals()를 구현하지 않는 개체에서 호출됩니다.
Explanation
개체 비교 시, 개발자는 대개 개체의 속성을 비교하려고 합니다. 그러나 Equals()를 명시적으로 구현하지 않는 클래스(또는 임의의 수퍼 클래스/인터페이스)에서 Equals()를 호출하면 System.Object에서 상속된 Equals() 메서드를 호출하게 됩니다. 개체 멤버 필드 또는 기타 속성을 비교하는 대신, Object.Equals()는 동일한지 알아보기 위해 두 개의 개체 인스턴스를 비교합니다. Object.Equals()를 올바르게 사용하더라도 때때로 버그가 있는 코드가 있음을 나타낼 수 있습니다.

예제 1:

public class AccountGroup
{
    private int gid;

    public int Gid
    {
        get { return gid; }
        set { gid = value; }
    }
}
...
public class CompareGroup
{
    public bool compareGroups(AccountGroup group1, AccountGroup group2)
    {
        return group1.Equals(group2);   //Equals() is not implemented in AccountGroup
    }
}
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 398
desc.structural.dotnet.code_correctness_class_does_not_implement_equals
Abstract
equals() 메서드는 equals()를 구현하지 않는 개체에서 호출됩니다.
Explanation
개체 비교 시, 개발자는 대개 개체의 속성을 비교하려고 합니다. 그러나 equals()를 명시적으로 구현하지 않는 클래스(또는 임의의 수퍼 클래스/인터페이스)에서 equals()를 호출하면 java.lang.Object에서 상속된 equals() 메서드를 호출하게 됩니다. 개체 멤버 필드 또는 기타 속성을 비교하는 대신, Object.equals()는 동일한지 알아보기 위해 두 개의 개체 인스턴스를 비교합니다. Object.equals()를 올바르게 사용하더라도 때때로 버그가 있는 코드가 있음을 나타낼 수 있습니다.

예제 1:

public class AccountGroup
{
	private int gid;

	public int getGid()
	{
		return gid;
	}

	public void setGid(int newGid)
	{
		gid = newGid;
	}
}
...
public class CompareGroup
{
	public boolean compareGroups(AccountGroup group1, AccountGroup group2)
	{
		return group1.equals(group2);   //equals() is not implemented in AccountGroup
	}
}
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 398
desc.structural.java.code_correctness_class_does_not_implement_equals

Code Correctness: clone() Invokes Overridable Function

Abstract
이 클래스 내의 clone() 메서드는 재정의할 수 있는 함수를 호출합니다.
Explanation
clone() 함수가 오버라이드 가능 함수를 호출할 때 복제본이 부분적으로 초기화된 상태로 유지되거나 손상될 수 있습니다.

예제 1: 다음 clone() 함수는 오버라이드할 수 있는 메서드를 호출합니다.


  ...
  class User implements Cloneable {
    private String username;
    private boolean valid;
    public Object clone() throws CloneNotSupportedException {
      final User clone = (User) super.clone();
      clone.doSomething();
      return clone;
    }
    public void doSomething(){
      ...
    }
  }
doSomething() 함수와 이 함수를 포함하는 클래스는 final이 아니므로 함수를 오버라이드할 수 있습니다. 이로 인해 복제된 clone 개체가 부분적으로 초기화된 상태로 유지될 수 있고, 그 결과 예기치 않은 방식으로 로직의 문제를 해결하지 않을 경우 오류가 발생할 수 있습니다.
References
[1] MET06-J. Do not invoke overridable methods in clone() CERT
[2] EXTEND-5: Limit the extensibility of classes and methods Oracle
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
desc.structural.java.code_correctness_clone_invokes_overridable_function