SV.EXPOSE.IFIELD

This warning is reported for non-final public or protected non-static fields.

Vulnerability and risk

These fields might be changed by malicious code from another package.

Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.

Mitigation and prevention

To fix the problem, make the fields final (if possible) or private/package protected.

Example 1

Copy

8
9
10
11
  public class SV_EXPOSE_IFIELD_Sample_1 {
      public boolean debug;
     // ...
 }

SV.EXPOSE.IFIELD is reported for field declaration on line 9: Non-final public instance field 'debug' could be changed by malicious code or by accident.

Related checkers

SV.EXPOSE.FIELD

External guidance

CERT OBJ01-J: Limit accessibility of fields