CWE-1235
Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations
Incomplete
2020-02-24
00h00 +00:00
00h00 +00:00
2025-12-11
00h00 +00:00
00h00 +00:00
Meldingen voor een CWE
Blijf op de hoogte van wijzigingen voor een specifieke CWE.
Naam: Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations
The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations.
Algemene informatie
Achtergrondinformatie
Introductiemodi
Implementation : The programmer may use boxed primitives when not strictly necessary.Toepasselijke platforms
Taal
Name: Java (Undetermined)Name: C# (Undetermined)
Besturingssystemen
Class: Not OS-Specific (Undetermined)Architecturen
Class: Not Architecture-Specific (Undetermined)Technologieën
Class: Not Technology-Specific (Undetermined)Veelvoorkomende gevolgen
| Bereik | Impact | Waarschijnlijkheid |
|---|---|---|
| Availability | DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other), Reduce Performance Note: Incorrect autoboxing/unboxing would result in reduced performance, which sometimes can lead to resource consumption issues, impacting availability when used with generic collections. | Low |
Mogelijke risicobeperkingen
Phases : ImplementationUse of boxed primitives should be limited to certain situations such as when calling methods with typed parameters. They should not be used for scientific computing or other performance critical operations. They are only suited to support "impedance mismatch" between reference types and primitives. Examine the use of boxed primitives prior to use. Use SparseArrays or ArrayMap instead of HashMap to avoid performance overhead.
Detectiemethoden
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)Notities kwetsbaarheidsmapping
Rechtvaardiging : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Opmerking : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Referenties
REF-1051
Oracle Java Documentationhttps://docs.oracle.com/javase/1.5.0/docs/guide/language/autoboxing.html
REF-1052
SEI CERT Oracle Coding Standard for Java : Rule 02. Expressions (EXP)The Software Engineering Institute.
https://wiki.sei.cmu.edu/confluence/display/java/EXP04-J.+Do+not+pass+arguments+to+certain+Java+Collections+Framework+methods+that+are+a+different+type+than+the+collection+parameter+type
Indiening
| Naam | Organisatie | Datum | Releasedatum | Version |
|---|---|---|---|---|
| Joe Harvey | 4.0 |
Wijzigingen
| Naam | Organisatie | Datum | Opmerking |
|---|---|---|---|
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Background_Details, Common_Consequences, Description, Detection_Factors, Potential_Mitigations, Weakness_Ordinalities |
