CWE-1235
Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations
Incomplete
2020-02-24
00h00 +00:00
00h00 +00:00
2025-12-11
00h00 +00:00
00h00 +00:00
Notifiche per un CWE specifico
Rimani informato su qualsiasi modifica relativa a un CWE specifico.
Nome: Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations
The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations.
General Informations
Background Details
Modes Of Introduction
Implementation : The programmer may use boxed primitives when not strictly necessary.Piattaforme applicabili
Linguaggio
Name: Java (Undetermined)Name: C# (Undetermined)
Sistemi operativi
Class: Not OS-Specific (Undetermined)Architetture
Class: Not Architecture-Specific (Undetermined)Tecnologie
Class: Not Technology-Specific (Undetermined)Conseguenze comuni
| Ambito | Impatto | Probabilità |
|---|---|---|
| Availability | DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other), Reduce Performance Note: Incorrect autoboxing/unboxing would result in reduced performance, which sometimes can lead to resource consumption issues, impacting availability when used with generic collections. | Low |
Potential Mitigations
Phases : ImplementationUse of boxed primitives should be limited to certain situations such as when calling methods with typed parameters. They should not be used for scientific computing or other performance critical operations. They are only suited to support "impedance mismatch" between reference types and primitives. Examine the use of boxed primitives prior to use. Use SparseArrays or ArrayMap instead of HashMap to avoid performance overhead.
Detection Methods
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)Note sulla mappatura delle vulnerabilità
Giustificazione : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Commento : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Riferimenti
REF-1051
Oracle Java Documentationhttps://docs.oracle.com/javase/1.5.0/docs/guide/language/autoboxing.html
REF-1052
SEI CERT Oracle Coding Standard for Java : Rule 02. Expressions (EXP)The Software Engineering Institute.
https://wiki.sei.cmu.edu/confluence/display/java/EXP04-J.+Do+not+pass+arguments+to+certain+Java+Collections+Framework+methods+that+are+a+different+type+than+the+collection+parameter+type
Invio
| Nome | Organizzazione | Data | Data di rilascio | Version |
|---|---|---|---|---|
| Joe Harvey | 4.0 |
Modifiche
| Nome | Organizzazione | Data | Commento |
|---|---|---|---|
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Background_Details, Common_Consequences, Description, Detection_Factors, Potential_Mitigations, Weakness_Ordinalities |
