SECURITY.PKG
Don't depend on Package Scope
Description
This rule flags code that depends on package-level access.
Package-level (default) access does not provide a security boundary. Java packages are not closed: new classes can be added to a package at any time, even while the program is running. An attacker who can get a class declared in the same package as yours loaded can therefore reach every package-private class, method and field you assumed was hidden.
Repair
Do not rely on package-level access to protect anything. Give every class, method and field the least access it needs.
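The weakness and its repair, as an added Java example that is not part of the original rule page or the cited paper; the package com.example.vault and the class and member names are hypothetical:

```java
// Added illustration; not code from the rule page or the referenced paper.
// Package and class names are hypothetical.
package com.example.vault;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// BEFORE: package-private members. Any class declared in a package named
// com.example.vault, even one compiled separately and added to the classpath
// later, can read the key and clear the lock without passing any check.
class WeakVault {
    byte[] apiKey = "constructed-sample-key".getBytes(StandardCharsets.UTF_8); // package-private
    boolean locked = true;                                                      // package-private

    void unlock() { locked = false; }                                           // package-private
}

// AFTER: least access. State is private, the class is final so it cannot be
// subclassed to widen access, and only the intended operations are public.
public final class Vault {
    private final byte[] apiKey;   // never returned, only compared against
    private boolean locked = true;

    public Vault(byte[] apiKey) {
        this.apiKey = apiKey.clone();  // defensive copy: the caller cannot mutate it later
    }

    public boolean isLocked() { return locked; }

    // Unlocks only when the caller presents the matching key; the comparison is
    // constant-time so the key cannot be recovered byte by byte from timing.
    public boolean unlock(byte[] candidate) {
        if (MessageDigest.isEqual(apiKey, candidate)) {
            locked = false;
        }
        return !locked;
    }
}

// Any code placed in the same package compiles against WeakVault's internals;
// the same access fails to compile against Vault because its members are private.
class SamePackageCode {
    static void show() {
        WeakVault w = new WeakVault();
        w.unlock();                  // clears the lock without any key
        byte[] leaked = w.apiKey;    // reads the key directly
        // Vault v = new Vault(new byte[0]); v.apiKey;  -> compile error: apiKey has private access
    }
}
```

Sealing the JAR (Sealed: true in its manifest) or placing the package in a named module keeps other archives from adding classes to that package, but that only raises the bar; the private members are what close the hole.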
Reference
Viega, J., McGraw, G., Mutdosch, T., and Felten, E. "Statically Scanning Java Code: Finding Security Vulnerabilities." IEEE Software, September/October 2000.