Java Code Review Checklist
Clean Code
| Checklist Item | Category |
|---|---|
| Use intention-revealing names | Meaningful Names |
| Pick one word per concept | Meaningful Names |
| Use solution/problem domain names | Meaningful Names |
| Classes should be small! | Classes |
| Functions should be small! | Functions |
| Do one thing | Functions |
| Don't repeat yourself (avoid duplication) | Functions |
| Explain yourself in code | Comments |
| Make sure the code formatting is applied | Formatting |
| Use exceptions rather than return codes | Exceptions |
| Don't return null | Exceptions |

Reference: http://techbus.safaribooksonline.com/book/software-engineering-and-development/agile-development/9780136083238
Security
| Checklist Item | Category |
|---|---|
| Make a class final if it is not intended for inheritance | Fundamentals |
| Avoid duplication of code | Fundamentals |
| Restrict privileges: run the application with the least privilege required for it to function | Fundamentals |
| Minimize the accessibility of classes and members | Fundamentals |
| Document security-related information | Fundamentals |
| Check input into the system for valid data size and range | Denial of Service |
| Avoid excessive logging of unusual behavior | Denial of Service |
| Release resources (streams, connections, etc.) in all cases | Denial of Service |
| Purge sensitive information from exceptions (file paths, system internals, configuration) | Confidential Information |
| Do not log highly sensitive information | Confidential Information |
| Consider purging highly sensitive information from memory after use | Confidential Information |
| Avoid dynamic SQL; use prepared statements | Injection and Inclusion |
| Limit the accessibility of packages, classes, interfaces, methods, and fields | Accessibility and Extensibility |
| Limit the extensibility of classes and methods (by making them final) | Accessibility and Extensibility |
| Validate inputs (for valid data, size, range, boundary conditions, etc.) | Input Validation |
| Validate output from untrusted objects as input | Input Validation |
| Define wrappers around native methods (do not declare a native method public) | Input Validation |
| Treat output from untrusted objects as input | Mutability |
| Make public static fields final (so callers cannot change the value) | Mutability |
| Avoid exposing constructors of sensitive classes | Object Construction |
| Avoid serialization for security-sensitive classes | Serialization and Deserialization |
| Guard sensitive data during serialization | Serialization and Deserialization |
| Be careful caching results of potentially privileged operations | Serialization and Deserialization |
| Only use JNI when necessary | Access Control |

Reference: http://www.oracle.com/technetwork/java/seccodeguide-139067.html
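As an added illustration (not from the checklist or the Oracle guide it cites), a small Java repository class that satisfies several rows of the Security table at once: final class, minimal member accessibility, input size validation, a prepared statement instead of dynamic SQL, resources released in all cases, and an exception with system internals purged. The DataSource, the "users" table and its columns are assumed for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import javax.sql.DataSource;

// Added example; the DataSource and the "users" table are assumptions, not from the checklist.
public final class UserRepository {                   // final: not designed for inheritance
    private static final int MAX_NAME_LENGTH = 64;    // static field kept final and private
    private final DataSource dataSource;              // minimal accessibility, immutable reference

    public UserRepository(DataSource dataSource) {
        this.dataSource = Objects.requireNonNull(dataSource, "dataSource");
    }

    // Input validation: data, size and range are checked before the value reaches the database.
    private static String validatedName(String name) {
        if (name == null || name.isEmpty() || name.length() > MAX_NAME_LENGTH) {
            throw new IllegalArgumentException("name must be 1.." + MAX_NAME_LENGTH + " characters");
        }
        return name;
    }

    // Prepared statement rather than string-built SQL; returns an empty list, never null.
    public List<String> findEmailsByName(String name) throws RepositoryException {
        String validated = validatedName(name);
        String sql = "SELECT email FROM users WHERE name = ?";
        // try-with-resources releases Connection, PreparedStatement and ResultSet in all cases.
        try (Connection conn = dataSource.getConnection();
             PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, validated);               // bound parameter, not concatenation
            try (ResultSet rs = ps.executeQuery()) {
                List<String> emails = new ArrayList<>();
                while (rs.next()) {
                    emails.add(rs.getString("email"));
                }
                return Collections.unmodifiableList(emails);
            }
        } catch (SQLException e) {
            // Purge driver messages, paths and configuration from what the caller sees;
            // the SQLException itself belongs in an internal log, not in the thrown message.
            throw new RepositoryException("user lookup failed");
        }
    }

    public static final class RepositoryException extends Exception {   // recoverable: checked
        RepositoryException(String message) { super(message); }
    }
}
```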
Performance
| Checklist Item | Category |
|---|---|
| Avoid excessive synchronization | Concurrency |
| Keep synchronized sections small | Concurrency |
| Beware the performance of string concatenation | General Programming |
| Avoid creating unnecessary objects | Creating and Destroying Objects |

Reference: http://techbus.safaribooksonline.com/book/programming/java/9780137150021
General
| Checklist Item | Category |
|---|---|
| Use checked exceptions for recoverable conditions and runtime exceptions for programming errors | Exceptions |
| Favor the use of standard exceptions | Exceptions |
| Don't ignore exceptions | Exceptions |
| Check parameters for validity | Methods |
| Return empty arrays or collections, not nulls | Methods |
| Minimize the accessibility of classes and members | Classes and Interfaces |
| In public classes, use accessor methods, not public fields | Classes and Interfaces |
| Minimize the scope of local variables | General Programming |
| Refer to objects by their interfaces | General Programming |
| Adhere to generally accepted naming conventions | General Programming |
| Avoid finalizers | Creating and Destroying Objects |
| Always override hashCode when you override equals | General Programming |
| Always override toString | General Programming |
| Use enums instead of int constants | Enums and Annotations |
| Use marker interfaces to define types | Enums and Annotations |
| Synchronize access to shared mutable data | Concurrency |
| Prefer executors to tasks and threads | Concurrency |
| Document thread safety | Concurrency |
| Valid JUnit / JBehave test cases exist | Testing |

Reference: http://techbus.safaribooksonline.com/book/programming/java/9780137150021
Static Code Analysis
| Checklist Item | Category |
|---|---|
| Check the static code analyzer report for the classes added or modified | Static Code Analysis |