These rules check the security guidelines from Sun, published at http://java.sun.com/security/seccodeguide.html#gcg
Returning an internal array directly lets the caller modify state that the class may depend on for security-critical decisions. It is safer to return a copy of the array.
This rule is defined by the following Java class: net.sourceforge.pmd.rules.sunsecure.MethodReturnsInternalArray
Here's an example of code that would trigger this rule:
public class SecureSystem {
    UserData[] ud;

    public UserData[] getUserData() {
        // Don't return the internal array directly; return a copy instead
        return ud;
    }
}
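The following is an added example, not code from the PMD rule documentation: it places the getter the rule flags beside a hardened version that returns a copy, and its main() shows why the direct return matters. The UserData type is a minimal stand-in constructed for the demonstration.

```java
import java.util.Arrays;

// Added example (not from the PMD rule documentation): the getter written two
// ways, with a main() that shows how the direct return leaks internal state.
public class ReturnCopyDemo {

    // Minimal stand-in for the UserData type named in the rule's example.
    static final class UserData {
        final String name;
        UserData(String name) { this.name = name; }
        @Override public String toString() { return name; }
    }

    // Vulnerable form: hands out the internal array itself.
    static final class LeakySystem {
        private final UserData[] ud = { new UserData("alice"), new UserData("bob") };
        public UserData[] getUserData() {
            return ud;   // flagged by MethodReturnsInternalArray
        }
    }

    // Hardened form: returns a fresh copy, so callers cannot alter the field.
    // ud.clone() is equivalent to Arrays.copyOf for a one-dimensional array.
    static final class SafeSystem {
        private final UserData[] ud = { new UserData("alice"), new UserData("bob") };
        public UserData[] getUserData() {
            return ud == null ? null : Arrays.copyOf(ud, ud.length);
        }
    }

    public static void main(String[] args) {
        LeakySystem leaky = new LeakySystem();
        leaky.getUserData()[0] = new UserData("mallory");
        System.out.println("leaky: " + Arrays.toString(leaky.getUserData()));

        SafeSystem safe = new SafeSystem();
        safe.getUserData()[0] = new UserData("mallory");
        System.out.println("safe:  " + Arrays.toString(safe.getUserData()));
    }
}
```

Running it prints the overwritten element for LeakySystem and the original contents for SafeSystem. Note that the copy is shallow: if the element type is itself mutable, callers can still change the objects the array refers to, so either make the element type immutable or copy the elements as well.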
Constructors and methods that receive arrays should clone them and store the copy. This prevents later changes made by the caller from affecting the internal functionality.
This rule is defined by the following Java class: net.sourceforge.pmd.rules.sunsecure.ArrayIsStoredDirectly
Here's an example of code that would trigger this rule:
public class Foo {
    private String[] x;

    public void foo(String[] param) {
        // Don't do this; make a copy of the array at least
        this.x = param;
    }
}
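The following is an added example, not code from the PMD rule documentation: it shows the method the rule flags beside a hardened version that copies on the way in (for both a constructor and a setter-style method), and its main() demonstrates what the caller can do to the stored array afterwards. The class and field names are chosen for the demonstration.

```java
import java.util.Arrays;

// Added example (not from the PMD rule documentation): storing a caller's array
// directly versus storing a defensive copy, with a main() showing the difference.
public class StoreCopyDemo {

    // Vulnerable form: keeps a reference to the array the caller still owns.
    static final class LeakyFoo {
        private String[] x;
        public void foo(String[] param) {
            this.x = param;   // flagged by ArrayIsStoredDirectly
        }
        public String first() { return x[0]; }
    }

    // Hardened form: copies in the constructor and in the method, so later
    // caller mutations never reach the field. Validate the copy, not the
    // caller's array, so the checked data is the data that gets used.
    static final class SafeFoo {
        private String[] x;

        SafeFoo(String[] initial) {
            this.x = (initial == null) ? null : Arrays.copyOf(initial, initial.length);
        }

        public void foo(String[] param) {
            String[] copy = (param == null) ? null : param.clone();
            if (copy != null) {
                for (String s : copy) {
                    if (s == null) throw new IllegalArgumentException("null entry");
                }
            }
            this.x = copy;
        }

        public String first() { return x[0]; }
    }

    public static void main(String[] args) {
        String[] input = { "allowed-host", "other" };

        LeakyFoo leaky = new LeakyFoo();
        leaky.foo(input);
        SafeFoo safe = new SafeFoo(input);
        safe.foo(input);

        // The caller still holds the array and changes it after handing it over.
        input[0] = "changed-after-the-fact";

        System.out.println("leaky sees: " + leaky.first());
        System.out.println("safe sees:  " + safe.first());
    }
}
```

Running it shows LeakyFoo reporting the value written after the call, while SafeFoo still holds the value it was given. The copy-then-validate ordering in SafeFoo.foo matters: checking the caller's array and then storing it leaves a window in which the caller can replace an element after it has been checked.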