SV.UMC.THREADS

This warning is reported when an application is using threads.

Vulnerability and risk

Thread management should be avoided in many cases. For example, the EJB standard contains the following guidelines: The enterprise bean must not attempt to manage threads. The enterprise bean must not attempt to start, stop, suspend, or resume a thread, or to change a thread's priority or name. The enterprise bean must not attempt to manage thread groups.

Thread management in servlets is also very questionable and might lead to problems.

On the other hand, threads are used in applets and other GUI applications. In this context, a warning serves not to report an error, but rather as a reminder to programmers to pay more attention to this code.

Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or could introduce human error.

Mitigation and prevention

For EJBs, use the framework's approaches to parallel execution instead of managing threads directly.

Example 1

23 public class SV_UMC_THREADS_Sample_1 extends HttpServlet {
24     public void doPost(HttpServletRequest request,
25                        HttpServletResponse response) throws IOException,
26                                                             ServletException {
27         doProcessRequest(request, response);
28     }
29     public void doGet(HttpServletRequest request,
30                       HttpServletResponse response) throws IOException,
31                                                            ServletException {
32         doProcessRequest(request, response);
33     }
34     private void doProcessRequest(HttpServletRequest request,
35                                   HttpServletResponse response) throws IOException,
36                                                                        ServletException {
37         final StringBuffer buffer = new StringBuffer();
38         Runnable r = new Runnable() {
39             public void run() {
40                 buffer.append("Processing...\n");
41                 // do something
42                 buffer.append("Finished.\n");
43             }
44         };
45         Thread t = new Thread(r);
46         t.start();
47         // do something else, then get results from background thread
48         try {
49             t.join();
50         } catch (InterruptedException e) {
51         }
52         String log = buffer.toString();
53         // create page...
54     }
55 }

SV.UMC.THREADS is reported for calling 'Thread' constructor on line 36: Method 'Thread' is used. Thread management is deprecated in many cases (e.g. in EJBs). Also, it is always highly error prone

SV.UMC.THREADS is reported for call on line 37: Method 'start' is used. Thread management is deprecated in many cases (e.g. in EJBs). Also, it is always highly error prone

SV.UMC.THREADS is reported for call on line 40: Method 'join' is used. Thread management is deprecated in many cases (e.g. in EJBs). Also, it is always highly error prone
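The servlet from Example 1 reworked along the lines of the mitigation above, as an added example that is not part of the Klocwork documentation: the background work is handed to a container-managed executor instead of a thread the application creates, starts and joins itself. It assumes a Java EE 7 or later container that provides the Concurrency Utilities (JSR 236) and Java 8 syntax; the class name and the 5-second timeout are hypothetical.

```java
import java.io.IOException;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import javax.annotation.Resource;
import javax.enterprise.concurrent.ManagedExecutorService;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name; assumes a Java EE 7+ container (JSR 236).
public class ManagedExecutorSample extends HttpServlet {
    // Container-owned pool: the server, not the application, decides how
    // threads are created, named, prioritised and shut down.
    @Resource
    private ManagedExecutorService executor;

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        // The task returns its result instead of mutating a shared buffer.
        Callable<String> task = () -> {
            StringBuilder sb = new StringBuilder("Processing...\n");
            // do something
            return sb.append("Finished.\n").toString();
        };
        Future<String> pending = executor.submit(task);
        // do something else, then get results from the background task
        try {
            String log = pending.get(5, TimeUnit.SECONDS); // constructed timeout
            response.setContentType("text/plain");
            response.getWriter().write(log);
        } catch (TimeoutException e) {
            pending.cancel(true); // do not leave work running after the request
            response.sendError(HttpServletResponse.SC_GATEWAY_TIMEOUT);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt(); // restore the interrupt flag
            throw new ServletException(e);
        } catch (ExecutionException e) {
            throw new ServletException(e.getCause()); // failure inside the task
        }
    }
}
```

Unlike the empty `catch (InterruptedException e)` in Example 1, every failure path here either reports an error to the client or propagates the exception, and the bounded `get` keeps a stuck task from holding the request thread indefinitely.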