Inappropriate coding practices - Static Import

Description

The static import declaration is analogous to a normal import declaration. Where a normal import declaration imports classes from packages, allowing them to be used without package qualification, a static import declaration imports static members from classes, allowing them to be used without class qualification.

Impact

  • Overuse of static import can result in code that is difficult to read and maintain, since readers of the code will not know which class defines a particular static member.
  • It allows unqualified access to static members without inheriting from the type that contains them.

Recommendation

Use static import very sparingly, if at all. It's useful for situations where you need frequent access to a few static members from one or two classes.

Threat

Unauthorized attacker with access to the code.

Expected Remediation Time

⌚ 15 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: H
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code maturity: P
  • Remediation level: O
  • Report confidence: R

Result

  • Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:R
  • Score:
    • Base: 3.7
    • Temporal: 3.2
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

Only regular (non-static) imports are used in the application's classes and methods

import java.util.*;
import com.example.MyPublicClass; // placeholder package; a bare "import myPublicClass;" does not compile

// Code using the imports, always qualifying static members with their class (e.g. Math.max)

Non compliant code

Static imports are used throughout the application

import static java.lang.System.*;
import static java.lang.Math.*;
import static com.example.MyPublicClass.*; // placeholder package; a static import must name a class's members

// Code that uses the static members frequently without class qualification (e.g. out.println(max(a, b)))
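The following class is an added illustration, not the catalog's own code, of the readability and shadowing problem described above: it declares a local helper named `max`, so every unqualified `max(...)` call in the class resolves to that helper and the statically imported `Math.max` is never considered. The class name, the helper and the sample inputs are constructed for this example.

```java
// Added illustration (not the catalog's own code): why unqualified static
// members are hard to read and easy to shadow.
import static java.lang.Math.*;
import static java.lang.System.*;

public class StaticImportDemo {

    // A local helper that happens to share a name with Math.max.
    // Because this class declares a method called max, every unqualified
    // call to max(...) inside it resolves to this method; Math.max is never
    // considered, regardless of the static import above.
    static int max(int a, int b) {
        return Math.abs(a) >= Math.abs(b) ? a : b; // larger magnitude, not larger value
    }

    // Non-compliant style: nothing tells the reader where max, abs, PI or
    // out come from, and max silently means the local helper.
    static int nonCompliant(int x, int y) {
        out.println("PI is " + PI);
        return max(abs(x), y);
    }

    // Compliant style: each static member is qualified by its class, so the
    // intended Math.max is unambiguous and the local helper is not picked up.
    static int compliant(int x, int y) {
        System.out.println("PI is " + Math.PI);
        return Math.max(Math.abs(x), y);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the same arguments go to both methods.
        System.out.println("nonCompliant(-3, -7) = " + nonCompliant(-3, -7));
        System.out.println("compliant(-3, -7)    = " + compliant(-3, -7));
    }
}
```

With the constructed inputs the two methods disagree, because `max` in `nonCompliant` resolves to the local helper rather than to `Math.max`; a reviewer reading the unqualified call has no way to see that without checking every static import and the class body.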

Requirements