JAVA.FINAL.STATIC.VAR

Use of nonfinal static variable

Vulnerability and risk

The Java Language Specification (JLS) does not guarantee that a nonfinal static variable is completely initialized and safely published to other threads, even when it is assigned in a static initializer.

Mitigation and prevention

Ensure safe publication by declaring the static variable final, so that it is assigned exactly once during class initialization and cannot be reassigned afterwards.

Vulnerable code example

package com.klocwork;

public class JAVA_FINAL_STATIC_VAR_POSITIVE {
    // Nonfinal static: any code with access can reassign it after class
    // initialization, so its published value is not guaranteed to be stable.
    static String out = "hello world";

    public static void main(String[] args) {
        System.out.println(out);
    }
}

Fixed code example

package com.klocwork;

public class JAVA_FINAL_STATIC_VAR_NEGATIVE {
    // final static: assigned once during class initialization; the compiler
    // rejects any later assignment, so the value is safely published.
    final static String out = "hello world";

    public static void main(String[] args) {
        System.out.println(out);
    }
}
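
The following is an added example, not part of the Klocwork checker documentation, that contrasts a nonfinal static field with the safely published alternatives. The class name FinalStaticExample and the field names (greeting, GREETING, ALLOWED_HOSTS, level) are assumptions chosen for illustration. It also shows a caveat the fix above does not cover: final freezes only the reference, so a final static that points to a mutable object (such as an ArrayList) still needs immutable contents, and a value that genuinely must change at runtime needs an explicit visibility guarantee such as volatile rather than a plain static.

```java
package com.klocwork;

import java.util.ArrayList;
import java.util.List;

// Added example (not Klocwork's code). Contrasts a nonfinal static field
// with a final static, an immutable final static collection, and a volatile
// field for values that must change after initialization.
public class FinalStaticExample {

    // Nonfinal static: any code in the package can reassign it after class
    // initialization. A later write is a data race for readers on other
    // threads because nothing establishes a happens-before edge.
    static String greeting = "hello world";

    // final static: assigned exactly once during class initialization, which
    // the JVM completes before any thread can use the class. The compiler
    // rejects every later assignment.
    static final String GREETING = "hello world";

    // final only freezes the reference: this list is still mutable.
    static final List<String> ALLOWED_HOSTS_MUTABLE =
            new ArrayList<>(List.of("a.example", "b.example"));

    // Immutable contents behind a final reference: safe to publish as-is.
    static final List<String> ALLOWED_HOSTS = List.of("a.example", "b.example");

    // A value that must change at runtime: volatile makes each write visible
    // to subsequent reads on other threads, which a plain static does not.
    private static volatile String level = "INFO";

    static void setLevel(String newLevel) {
        level = newLevel;
    }

    static String getLevel() {
        return level;
    }

    public static void main(String[] args) throws InterruptedException {
        greeting = "changed by any caller";      // compiles: nothing prevents it
        // GREETING = "changed";                 // compile error: cannot assign to final
        ALLOWED_HOSTS_MUTABLE.add("c.example");  // compiles: the list itself is mutable
        try {
            ALLOWED_HOSTS.add("c.example");
        } catch (UnsupportedOperationException e) {
            System.out.println("ALLOWED_HOSTS rejected the mutation: "
                    + e.getClass().getSimpleName());
        }

        // Reader thread waits for a change made by the main thread. Because
        // 'level' is volatile, the write is guaranteed to become visible and
        // the loop terminates; with a plain nonfinal static the JLS gives no
        // such guarantee.
        Thread reader = new Thread(() -> {
            while (!"DEBUG".equals(getLevel())) {
                Thread.onSpinWait();
            }
            System.out.println("reader observed level=" + getLevel());
        });
        reader.start();
        setLevel("DEBUG");
        reader.join();

        System.out.println("greeting=" + greeting + ", GREETING=" + GREETING);
        System.out.println("ALLOWED_HOSTS_MUTABLE=" + ALLOWED_HOSTS_MUTABLE);
        System.out.println("ALLOWED_HOSTS=" + ALLOWED_HOSTS);
    }
}
```

Compile and run with `javac` and `java com.klocwork.FinalStaticExample` (Java 9 or later, for List.of and Thread.onSpinWait). The design choice to note is that final is the right answer for configuration that is fixed at class-initialization time; when a static must be updated later, the update needs synchronization, volatile, or an atomic holder, and the checker's finding is the cue to decide which of those two cases applies.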

External guidance