Byte Open Security

(ByteOS Network)

CWE-586: Explicit Call to Finalize()
Weakness ID: 586
Version: v4.17
Weakness Name: Explicit Call to Finalize()
Vulnerability Mapping: Allowed
Abstraction: Base
Structure: Simple
Status: Draft
Likelihood of Exploit:
▼Description

The product makes an explicit call to the finalize() method from outside the finalizer.

▼Extended Description

While the Java Language Specification allows an object's finalize() method to be called from outside the finalizer, doing so is usually a bad idea. For example, calling finalize() explicitly means that finalize() will be called more than once: the first time will be the explicit call and the last time will be the call that is made after the object is garbage collected.

▼Alternate Terms
▼Relationships
Relevant to the view "Research Concepts - (1000)"
Nature: ChildOf
Mapping: Prohibited
Type: Class
ID: 1076
Name: Insufficient Adherence to Expected Conventions
Nature: ParentOf
Mapping: Allowed-with-Review
Type: Class
ID: 675
Name: Multiple Operations on Resource in Single-Operation Context
▼Memberships
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 850
Name: The CERT Oracle Secure Coding Standard for Java (2011) Chapter 7 - Methods (MET)
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 1001
Name: SFP Secondary Cluster: Use of an Improper API
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 1006
Name: Bad Coding Practices
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 1140
Name: SEI CERT Oracle Secure Coding Standard for Java - Guidelines 06. Methods (MET)
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 1412
Name: Comprehensive Categorization: Poor Coding Practices
▼Tags
Nature: MemberOf
Mapping: Prohibited
Type: BOSSView
ID: BOSS-315
Name: Unexpected State (impact)
Nature: MemberOf
Mapping: Prohibited
Type: BOSSView
ID: BOSS-325
Name: Quality Degradation (impact)
▼Relevant To View
Relevant to the view "Software Fault Pattern (SFP) Clusters - (888)"
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 1001
Name: SFP Secondary Cluster: Use of an Improper API
Relevant to the view "Software Development - (699)"
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 1006
Name: Bad Coding Practices
Relevant to the view "Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java - (1133)"
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 1140
Name: SEI CERT Oracle Secure Coding Standard for Java - Guidelines 06. Methods (MET)
▼Background Detail

▼Common Consequences
Scope: Integrity, Other
Likelihood: N/A
Impact: Unexpected State, Quality Degradation
Note: N/A
▼Potential Mitigations
Phase: Implementation, Testing
Description: Do not make explicit calls to finalize(). Use static analysis tools to spot such instances.
▼Modes Of Introduction
Phase: Implementation
Note: N/A

▼Applicable Platforms
Languages
Class: Java (Undetermined Prevalence)
▼Demonstrative Examples
Example 1

The following code fragment calls finalize() explicitly:

Language: Java (Bad code)

// time to clean up
widget.finalize();
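As an added example (not the CWE entry's own code; the class, field and counter names are invented for illustration), the double release the extended description warns about, beside an AutoCloseable replacement that needs no explicit finalize() call:

```java
import java.util.concurrent.atomic.AtomicInteger;

public class FinalizeDemo {

    // Counts how many times the underlying resource gets released.
    static final AtomicInteger releases = new AtomicInteger();

    // Pattern CWE-586 describes: cleanup lives only in finalize().
    static class BadWidget {
        private long handle = 42L;            // stand-in for a native handle

        @Override
        protected void finalize() throws Throwable {
            try {
                releases.incrementAndGet();   // releases the handle
                handle = 0L;                  // a second run is a double release
            } finally {
                super.finalize();
            }
        }
    }

    // Fix: AutoCloseable with an idempotent close(); callers use
    // try-with-resources and never call finalize() themselves.
    static class GoodWidget implements AutoCloseable {
        private long handle = 42L;
        private boolean closed;

        @Override
        public void close() {
            if (closed) return;               // harmless if called twice
            closed = true;
            releases.incrementAndGet();
            handle = 0L;
        }
    }

    public static void main(String[] args) throws Throwable {
        BadWidget bad = new BadWidget();
        bad.finalize();                       // CWE-586: explicit call, first run
        bad.finalize();                       // stands in for the GC's later call
        System.out.println("BadWidget releases: " + releases.get());

        releases.set(0);
        try (GoodWidget good = new GoodWidget()) {
            // use the widget
        }                                     // close() runs exactly once here
        System.out.println("GoodWidget releases: " + releases.get());
    }
}
```

The BadWidget counter ends at 2 (the explicit call plus the simulated finalizer run), the GoodWidget counter at 1; a static analysis rule that flags any call expression named finalize() outside a finalize() body catches the first pattern.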

▼Observed Examples
▼Affected Resources
▼Functional Areas
▼Weakness Ordinalities
Ordinality: Primary
Description: N/A
▼Detection Methods
Automated Static Analysis
Detection Method ID: DM-14
Description:

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).

Effectiveness: High
Note: N/A

▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale:

This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Suggestions:
▼Notes
▼Taxonomy Mappings
Taxonomy Name: The CERT Oracle Secure Coding Standard for Java (2011)
Entry ID: MET12-J
Fit: N/A
Entry Name: Do not use finalizers
Taxonomy Name: Software Fault Patterns
Entry ID: SFP3
Fit: N/A
Entry Name: Use of an improper API
▼Related Attack Patterns
▼References