Code Standards
https://dzone.com/articles/java-code-review-checklist
Clean Code
Checklist Item | Category |
Use Intention-Revealing Names | Meaningful Names |
Pick one word per concept | Meaningful Names |
Use Solution/Problem Domain Names | Meaningful Names |
Classes should be small! | Classes |
Functions should be small! | Functions |
Do one Thing | Functions |
Don't Repeat Yourself (Avoid Duplication) | Functions |
Explain yourself in code | Comments |
Make sure the code formatting is applied | Formatting |
Use Exceptions rather than Return codes | Exceptions |
Don't return Null | Exceptions |
Security
Checklist Item | Category |
Make class final if not being used for inheritance | Fundamentals |
Avoid duplication of code | Fundamentals |
Restrict privileges: Application to run with the least privilege mode required for functioning | Fundamentals |
Minimize the accessibility of classes and members | Fundamentals |
Document security related information | Fundamentals |
Input into a system should be checked for valid data size and range | Denial of Service |
Avoid excessive logs for unusual behavior | Denial of Service |
Release resources (Streams, Connections, etc) in all cases | Denial of Service |
Purge sensitive information from exceptions (exposing file path, internals of the system, configuration) | Confidential Information |
Do not log highly sensitive information | Confidential Information |
Consider purging highly sensitive from memory after useĀ | Confidential Information |
Avoid dynamic SQL, use prepared statement | Injection Inclusion |
Limit the accessibility of packages,classes, interfaces, methods, and fields | Accessibility Extensibility |
Limit the extensibility of classes and methods (by making it final) | Accessibility Extensibility |
Validate inputs (for valid data, size, range, boundary conditions, etc) | Input Validation |
Validate output from untrusted objects as input | Input Validation |
Define wrappers around native methods (not declare a native method public) | Input Validation |
Treat output from untrusted object as input | Mutability |
Make public static fields final (to avoid caller changing the value) | Mutability |
Avoid exposing constructors of sensitive classes | Object Construction |
Avoid serialization for security-sensitive classes | Serialization Deserialization |
Guard sensitive data during serialization | Serialization Deserialization |
Be careful caching results of potentially privileged operations | Serialization Deserialization |
Only use JNI when necessary | Access Control |
Performance
Checklist Item | Category |
Avoid excessive synchronization | Concurrency |
Keep Synchronized Sections Small | Concurrency |
Beware the performance of string concatenation | General Programming |
Avoid creating unnecessary objects | Creating and Destroying Objects |
General
Category | Checklist Item |
Use checked exceptions for recoverable conditions and runtime exceptions for programming errors | Exceptions |
Favor the use of standard exceptions | Exceptions |
Don't ignore exceptions | Exceptions |
Check parameters for validity | Methods |
Return empty arrays or collections, not nulls | Methods |
Minimize the accessibility of classes and members | Classes and Interfaces |
In public classes, use accessor methods, not public fields | Classes and Interfaces |
Minimize the scope of local variables | General Programming |
Refer to objects by their interfaces | General Programming |
Adhere to generally accepted naming conventions | General Programming |
Avoid finalizers | Creating and Destroying Objects |
Always override hashCode when you override equals | General Programming |
Always override toString | General Programming |
Use enums instead of int constants | Enums and Annotations |
Use marker interfaces to define types | Enums and Annotations |
Synchronize access to shared mutable data | Concurrency |
Prefer executors to tasks and threads | Concurrency |
Document thread safety | Concurrency |
Valid JUnit / JBehave test cases exist | Testing |
Static Code Analysis Category Checklist Item
Check static code analyzer report for the classes added/modified
Static Code Analysis