The CERT Oracle Secure Coding Standard for Java (2011) Chapter 6 - Object Orientation (OBJ)

The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified.

The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class.

The product compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name.

The product declares a critical variable, field, or member to be public when intended security policy requires it to be private.

The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.

The product sends non-cloned mutable data as an argument to a method or function.

A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in a...

An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.

Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function.

Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers.

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" pu...