CWE-580: clone() Method Without super.clone()

Description

The product contains a clone() method that does not call super.clone() to obtain the new object.

Extended Description

All implementations of clone() should obtain the new object by calling super.clone(). If a class does not follow this convention, a subclass's clone() method will return an object of the wrong type.

ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified

Observed Examples (CVEs)

No observed examples available.

Related Attack Patterns (CAPEC)

N/A

Attack TTPs

N/A

Modes of Introduction

Phase	Note
Implementation	N/A

Common Consequences

Impact: Unexpected State, Quality Degradation — Notes:

Potential Mitigations

Implementation: Call super.clone() within your clone() method, when obtaining a new object. (N/A)
Implementation: In some cases, you can eliminate the clone method altogether and use copy constructors. (N/A)

Applicable Platforms

Java (N/A, Undetermined)

Demonstrative Examples

Intro: The following two classes demonstrate a bug introduced by not calling super.clone(). Because of the way Kibitzer implements clone(), FancyKibitzer's clone method will return an object of type Kibitzer instead of FancyKibitzer.

public class Kibitzer { public Object clone() throws CloneNotSupportedException { Object returnMe = new Kibitzer(); ... } } public class FancyKibitzer extends Kibitzer{ public Object clone() throws CloneNotSupportedException { Object returnMe = super.clone(); ... } }

Notes

No notes available.

← Back to CWE list