CMP.STR

This warning appears when String references are compared with == instead of comparing the string values themselves.

Vulnerability and risk

This problem can cause unexpected application behavior. Comparing objects using == usually produces deceptive results, since the == operator compares object references rather than values. For == to be valid on strings, the programmer has to make sure that both are constant strings, statically created in the same class, or that they were "interned" with the intern() method prior to the comparison.

Mitigation and prevention

Use the equals() method to compare objects instead of the == operator.

Example 1

```java
10 /**
11  * Return symbolic name of operation
12  */
13 public String nameOperation(String key) {
14     if (key == "++") return "PLUS";
15     if (key == "--") return "MINUS";
16     return "UNKNOWN";
17 }
```

CMP.STR is reported for line 14: Comparing strings 'key' and '++' with ==

CMP.STR is reported for line 15: Comparing strings 'key' and '--' with ==
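The following is an added example, not part of the checker documentation, that places the flagged method next to its equals()-based fix and feeds both the kinds of input where the difference shows (an interned literal, a freshly built string, a substring of parsed input, and null); the class name CmpStrDemo and the two method names are assumed.

```java
public class CmpStrDemo {

    // Flagged form: == compares references. It only matches when the caller
    // passes the very same interned constant, not merely equal characters.
    static String nameOperationUnsafe(String key) {
        if (key == "++") return "PLUS";
        if (key == "--") return "MINUS";
        return "UNKNOWN";
    }

    // Fixed form: equals() compares contents. Calling it on the constant
    // ("++".equals(key)) also avoids a NullPointerException when key is null,
    // which key.equals("++") would throw.
    static String nameOperation(String key) {
        if ("++".equals(key)) return "PLUS";
        if ("--".equals(key)) return "MINUS";
        return "UNKNOWN";
    }

    public static void main(String[] args) {
        // Constructed inputs: identical characters, different object origins.
        String literal = "++";                                          // interned compile-time constant
        String built = new StringBuilder("+").append("+").toString();   // new object, not interned
        String fromInput = "x++".substring(1);                          // what tokenised input looks like

        String[] inputs = { literal, built, fromInput, null };
        String[] labels = { "literal", "built", "substring", "null" };

        for (int i = 0; i < inputs.length; i++) {
            // Only 'literal' is the same reference as the "++" constant in the
            // method, so the unsafe version misclassifies the other non-null
            // inputs; the fixed version classifies all of them by value.
            System.out.printf("%-9s  == : %-7s  equals(): %s%n",
                    labels[i], nameOperationUnsafe(inputs[i]), nameOperation(inputs[i]));
        }

        // intern() returns the canonical instance, which is why the text says
        // == is acceptable only after interning; the fix makes this unnecessary.
        System.out.println("interned built == literal: " + (built.intern() == literal));
    }
}
```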