Public arrays, even ones declared static final can have their contents edited by malicious programs. The final keyword on an array declaration means that the array object itself may only be assigned once, but its contents are still mutable. Therefore making arrays public is a security risk.

Instead, arrays should be private and accessed through methods.

Noncompliant Code Example

public class Estate {
  // Noncompliant; array contents can be modified
  public static final String [] HEIRS = new String [] { 
    "Betty", "Suzy" };
}

public class Malicious {
  public void changeWill() {
    Estate.HEIRS[0] = "Biff";
    if (Estate.HEIRS.length > 1) {
      for (int i = 1; i < Estate.HEIRS.length; i++) {
        Estate.HEIRS[i] = "";
      }
  }
}

Compliant Solution

public class Estate {
  private static final String [] HEIRS = new String [] { 
    "Betty", "Suzy" };

  public String [] getHeirs() {
    // return copy of HEIRS
  }
}

See

• MITRE, CWE-582 - Array Declared Public, Final, and Static
• MITRE, CWE-607 - Public Static Final Field References Mutable Object
• CERT, OBJ01-J. - Limit accessibility of fields
• CERT, OBJ13-J. - Ensure that references to mutable objects are not exposed

Deprecated

This rule is deprecated, use {rule:squid:S2385} instead.