CWE-487: Reliance on Package-level Scope
CWE Version: 4.18
Updated: 2025-09-09
Weakness Description
Java packages are not inherently closed; therefore, relying on them for code security is not a good practice.
Extended Description
The purpose of package scope is to prevent accidental access by other parts of a program. This is an ease-of-software-development feature but not a security feature.
Common Consequences
Scope: Confidentiality
Technical Impact: Read Application Data
Note: Any data in a Java package can be accessed outside of the Java framework if the package is distributed.
Scope: Integrity
Technical Impact: Modify Application Data
Note: The data in a Java class can be modified by anyone outside of the Java framework if the package is distributed.
Potential Mitigations
Phase: Architecture and Design; Implementation
Description: Data should be declared private, static and final whenever possible. This ensures the data is initialized early, at class-loading time, and cannot be accessed or tampered with from outside the declaring class.
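As an added illustration (not part of the CWE entry), the two compilation units below show why package scope is not a security boundary: Tamper.java is built separately into its own JAR, declares the same package name as Account.java, and thereby gains write access to the package-private field, whereas the private static final field recommended by the mitigation rejects the same access at compile time. The class, field and package names are invented for this example.

```java
// ---- File 1: Account.java (shipped in the application's own JAR) ----
package com.example.billing;

public class Account {
    // Package-private (no access modifier): reachable from any class whose
    // package declaration reads "com.example.billing", wherever it was compiled.
    static double feeRate = 0.01;

    // Hardened form, as the mitigation recommends: private, static and final.
    // Initialised once when the class is loaded and immutable afterwards.
    private static final double FEE_RATE = 0.01;

    public static double fee(double amount) {
        return amount * FEE_RATE;
    }
}

// ---- File 2: Tamper.java (compiled separately, placed in another JAR) ----
// Declaring the same package name is all that is needed to enter package scope;
// nothing in the language checks that this class came from the same JAR.
package com.example.billing;

public class Tamper {
    public static void main(String[] args) {
        Account.feeRate = 0.0;   // compiles and runs: package-private grants access
        // Account.FEE_RATE = 0.0; // compile error: FEE_RATE is private and final
        System.out.println(Account.fee(100.0)); // still 1.0, FEE_RATE is untouched
    }
}
```

Put both JARs on the same classpath and Tamper reaches feeRate at runtime, which is the accidental-access boundary the extended description refers to; only the private static final field holds against it.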
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | - |
Applicable Platforms
Languages
Taxonomy Mappings
| Taxonomy Name | Entry ID | Entry Name | Mapping Fit |
|---|---|---|---|
| CLASP | - | Relying on package-level scope | - |
| The CERT Oracle Secure Coding Standard for Java (2011) | MET04-J | Do not increase the accessibility of overridden or hidden methods | - |