Java Code Review Checklist
Java Code Review Checklist
Clean Code
|
Checklist Item |
Category |
|
Use Intention-Revealing Names |
Meaningful Names |
|
Pick one word per concept |
Meaningful Names |
|
Use Solution/Problem Domain Names |
Meaningful Names |
|
Classes should be small! |
Classes |
|
Functions should be small! |
Functions |
|
Do one Thing |
Functions |
|
Don't Repeat Yourself (Avoid Duplication) |
Functions |
|
Explain yourself in code |
Comments |
|
Make sure the code formatting is applied |
Formatting |
|
Use Exceptions rather than Return codes |
Exceptions |
|
Don't return Null |
Exceptions |
* Reference: http://techbus.safaribooksonline.com/book/software-engineering-and-development/agile-development/9780136083238
Security
|
Checklist Item |
Category |
|
Make class final if not being used for inheritance |
Fundamentals |
|
Avoid duplication of code |
Fundamentals |
|
Restrict privileges: Application to run with the least privilege mode required for functioning |
Fundamentals |
|
Minimize the accessibility of classes and members |
Fundamentals |
|
Document security related information |
Fundamentals |
|
Input into a system should be checked for valid data size and range |
Denial of Service |
|
Avoid excessive logs for unusual behavior |
Denial of Service |
|
Release resources (Streams, Connections, etc) in all cases |
Denial of Service |
|
Purge sensitive information from exceptions (exposing file path, internals of the system, configuration) |
Confidential Information |
|
Do not log highly sensitive information |
Confidential Information |
|
Consider purging highly sensitive from memory after use |
Confidential Information |
|
Avoid dynamic SQL, use prepared statement |
Injection Inclusion |
|
Limit the accessibility of packages,classes, interfaces, methods, and fields |
Accessibility Extensibility |
|
Limit the extensibility of classes and methods (by making it final) |
Accessibility Extensibility |
|
Validate inputs (for valid data, size, range, boundary conditions, etc) |
Input Validation |
|
Validate output from untrusted objects as input |
Input Validation |
|
Define wrappers around native methods (not declare a native method public) |
Input Validation |
|
Treat output from untrusted object as input |
Mutability |
|
Make public static fields final (to avoid caller changing the value) |
Mutability |
|
Avoid exposing constructors of sensitive classes |
Object Construction |
|
Avoid serialization for security-sensitive classes |
Serialization Deserialization |
|
Guard sensitive data during serialization |
Serialization Deserialization |
|
Be careful caching results of potentially privileged operations |
Serialization Deserialization |
|
Only use JNI when necessary |
Access Control |
* Reference: http://www.oracle.com/technetwork/java/seccodeguide-139067.html
Performance
|
Checklist Item |
Category |
|
Avoid excessive synchronization |
Concurrency |
|
Keep Synchronized Sections Small |
Concurrency |
|
Beware the performance of string concatenation |
General Programming |
|
Avoid creating unnecessary objects |
Creating and Destroying Objects |
* Reference: http://techbus.safaribooksonline.com/book/programming/java/9780137150021
General
|
Category |
Checklist Item |
|
Use checked exceptions for recoverable conditions and runtime exceptions for programming errors |
Exceptions |
|
Favor the use of standard exceptions |
Exceptions |
|
Don't ignore exceptions |
Exceptions |
|
Check parameters for validity |
Methods |
|
Return empty arrays or collections, not nulls |
Methods |
|
Minimize the accessibility of classes and members |
Classes and Interfaces |
|
In public classes, use accessor methods, not public fields |
Classes and Interfaces |
|
Minimize the scope of local variables |
General Programming |
|
Refer to objects by their interfaces |
General Programming |
|
Adhere to generally accepted naming conventions |
General Programming |
|
Avoid finalizers |
Creating and Destroying Objects |
|
Always override hashCode when you override equals |
General Programming |
|
Always override toString |
General Programming |
|
Use enums instead of int constants |
Enums and Annotations |
|
Use marker interfaces to define types |
Enums and Annotations |
|
Synchronize access to shared mutable data |
Concurrency |
|
Prefer executors to tasks and threads |
Concurrency |
|
Document thread safety |
Concurrency |
|
Valid JUnit / JBehave test cases exist |
Testing |
* Reference: http://techbus.safaribooksonline.com/book/programming/java/9780137150021
Static Code Analysis
|
Category |
Checklist Item |
|
Check static code analyzer report for the classes added/modified |
Static Code Analysis |
source: http://java.dzone.com/articles/java-code-review-checklist
