SV.EXPOSE.MUTABLEFIELD

This error is detected when a class contains a public, static, final field that references a mutable object.

Vulnerability and risk

See SV.EXPOSE.FIN.

Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.

Mitigation and prevention

This vulnerability can be mitigated by removing references to mutable objects from the public interface of each class, using immutable object instead or avoid using static fields.

Example 1

10
11
12
13
14
15
    final public static String adminUsers[] = new String[]{"root","toor"};
 
    // ...
    void maliciousUserCode() {
      adminUsers[1]="myself";
    }

SV.EXPOSE.MUTABLEFIELD is reported for line 10: Public or protected static final field 'adminUsers' references a mutable object of type 'java.lang.String[]'. This object could be changed by malicious code or by accident from another package

External guidance

• CERT OBJ01-J: Limit accessibility of fields