SV.USE.POLICY

Code inspection rule. SV.USE.POLICY is reported when code calls getPolicy or setPolicy from java.security.Policy.

Vulnerability and risk

Usually, 'java.security.Policy' should not be changed from within the application. Code that accesses or changes it requires inspection.

Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or could introduce human error.

Mitigation and prevention

Determined by organization policy.

Example 1

     void setPolicy(Policy newPolicy) {
         // Direct call into java.security.Policy: this is the call SV.USE.POLICY reports
         Policy.setPolicy(newPolicy);
     }

SV.USE.POLICY is reported for the call on line 12: Method 'setPolicy' from 'java.security.Policy' is used directly.
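For code bases reviewed without the checker, the following added example (not Klocwork's implementation and not part of the original page) approximates the same inspection at source level: it lists the lines where java.security.Policy.getPolicy or setPolicy is called directly, so they can be reviewed. The function name find_policy_uses and the sample class are hypothetical; the scan is textual and assumes the simple name Policy refers to java.security.Policy only when that class is imported.

```python
import re

# String/char literals and comments are blanked first so text inside them is
# never reported. Newlines are preserved, so line numbers stay valid.
# Limitation: Java text blocks (""") are not recognised.
_NOISE = re.compile(
    r'''"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'|//[^\n]*|/\*.*?\*/''', re.S)
# Imports that bring java.security.Policy into scope under its simple name.
_IMPORT = re.compile(r'^\s*import\s+java\.security\.(?:Policy|\*)\s*;', re.M)
# Fully qualified call, and simple-name call (not part of a longer name).
_FQ_CALL = re.compile(r'\bjava\.security\.Policy\s*\.\s*(getPolicy|setPolicy)\s*\(')
_SIMPLE_CALL = re.compile(r'(?<![\w.])Policy\s*\.\s*(getPolicy|setPolicy)\s*\(')


def find_policy_uses(source):
    """Return sorted (line, method) pairs for direct Policy.getPolicy/setPolicy calls."""
    code = _NOISE.sub(lambda m: re.sub(r'[^\n]', ' ', m.group()), source)
    patterns = [_FQ_CALL]
    if _IMPORT.search(code):
        patterns.append(_SIMPLE_CALL)
    hits = set()
    for pattern in patterns:
        for m in pattern.finditer(code):
            hits.add((code.count('\n', 0, m.start()) + 1, m.group(1)))
    return sorted(hits)


# Constructed sample input. The wrapper method named setPolicy (line 5) is a
# declaration, not a call into java.security.Policy, so only line 6 is reported.
SAMPLE = '''\
import java.security.Policy;

class Installer {
    // Policy.setPolicy(null) in a comment is not a call
    void setPolicy(Policy newPolicy) {
        Policy.setPolicy(newPolicy);
    }
    Policy current() {
        String s = "Policy.getPolicy()";
        return java.security.Policy.getPolicy();
    }
}
'''

if __name__ == "__main__":
    for line, method in find_policy_uses(SAMPLE):
        print(f"line {line}: java.security.Policy.{method} is used directly")
```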