CWE-1235
Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations
Incomplete
2020-02-24
00h00 +00:00
00h00 +00:00
2025-12-11
00h00 +00:00
00h00 +00:00
Notificações para um CWE
Fique informado sobre quaisquer alterações para um CWE específico.
Nome: Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations
The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations.
Informações Gerais
Detalhes de Contexto
Modos de Introdução
Implementation : The programmer may use boxed primitives when not strictly necessary.Plataformas Aplicáveis
Linguagem
Name: Java (Undetermined)Name: C# (Undetermined)
Sistemas Operacionais
Class: Not OS-Specific (Undetermined)Arquiteturas
Class: Not Architecture-Specific (Undetermined)Tecnologias
Class: Not Technology-Specific (Undetermined)Consequências Comuns
| Escopo | Impacto | Probabilidade |
|---|---|---|
| Availability | DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other), Reduce Performance Note: Incorrect autoboxing/unboxing would result in reduced performance, which sometimes can lead to resource consumption issues, impacting availability when used with generic collections. | Low |
Mitigações Potenciais
Phases : ImplementationUse of boxed primitives should be limited to certain situations such as when calling methods with typed parameters. They should not be used for scientific computing or other performance critical operations. They are only suited to support "impedance mismatch" between reference types and primitives. Examine the use of boxed primitives prior to use. Use SparseArrays or ArrayMap instead of HashMap to avoid performance overhead.
Métodos de Detecção
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)Notas de Mapeamento de Vulnerabilidade
Justificativa : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Comentário : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Referências
REF-1051
Oracle Java Documentationhttps://docs.oracle.com/javase/1.5.0/docs/guide/language/autoboxing.html
REF-1052
SEI CERT Oracle Coding Standard for Java : Rule 02. Expressions (EXP)The Software Engineering Institute.
https://wiki.sei.cmu.edu/confluence/display/java/EXP04-J.+Do+not+pass+arguments+to+certain+Java+Collections+Framework+methods+that+are+a+different+type+than+the+collection+parameter+type
Submissão
| Nome | Organização | Data | Data de lançamento | Version |
|---|---|---|---|---|
| Joe Harvey | 4.0 |
Modificações
| Nome | Organização | Data | Comentário |
|---|---|---|---|
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Background_Details, Common_Consequences, Description, Detection_Factors, Potential_Mitigations, Weakness_Ordinalities |
