Enthuware

I cannot get my head around these security questions...

If the analyzeBonds method would be written by our own company instead of in a third party library, would the answer still be that I should create a defensive copy?

Typically, I would not use a third party library that I would not trust, so I treat it like our own code in the end...

And what if my application never uses the prepared Bond[] after the analysis. Why should I create a copy?

For me, many of the security questions lack context which I would need to answer them. Any hints on how to address this in the exam?

I agree with you on this. However, since the exam just tries to test you on the basic things, they just expect you to apply the principles given in the Security Coding Guidelines. Real life problems are not that straightforward and the solutions are not always so black and white.

So, it is best to just go through the guidelines and apply those for the purpose of the exam without worrying too much about alternative solutions.

Since there's some cases where the objects doesnt need to be cloned (like Strings, Wrappers or LocalDateTime objects), I thought I shouldn't answser option C because I can't say anything about Bond class.

I don't know if my understanding is correct, but for immutable classes the clone approach is not a must, right? Since the objects are already immutable?

I also have a second question... since the argument passed to the analyzeBonds() method is an Array, does it make a difference if Bond is immutable? I mean, if it was a String[] (String itself is immutable), do I have to clone the String[] reference?

1. Right, if an object is immutable, a defensive copy is not required.
2. Yes, arrays are mutable and so a defensive copy of the array is required.