
Guidelines to use the Checklist

1) In tab 'Variables', the developer fills in the Developer's Section.

2) In tab 'Review Checklist', the developer verifies the code against each checkpoint in column 'Checklist' and records the result in column 'Developer Check'. If any point is marked "Fail", supporting comments in column 'Developer Comment' are mandatory. Leaving any point blank is treated as non-compliance.

3) In tab 'Review Checklist', the reviewer likewise verifies against each checkpoint and records the result in column 'Reviewer Check'. If any point is marked "Fail", supporting comments in column 'Reviewer Comment' are mandatory.

4) In tab 'Review Checklist', the reviewer must fill in column 'Impact' for every failed item, depending on the impact of the defect and the number of instances of the same defect. Leaving the impact blank for a 'Fail'ed point affects the CQI (Code Quality Index) number, because a blank impact contributes nothing to the defect level.

5) In tab 'Variables', the reviewer marks the review as complete and fills in the SME (Reviewer) Section.
Instructions for developing a checklist using the template

Tab 'Variables'
1. Update the heading with the technology name for which the checklist is being created.

Tab 'Review Checklist'
1. Update the checkpoint category headings (grey coloured rows) as per the coding standard/guideline.
2. Provide the checkpoints in column 'Checklist'. Insert or delete rows as needed within each category. Do not add rows at the …, otherwise the formulae in various cells will not get updated.
3. Secure Coding Standard related checkpoints are mandatory in both the checklist and the review.
4. Mandatory: update the priority/weightage value in column 'Checkpoint weightage' for each checkpoint on a scale of 1-5, 5 being the highest.
5. Hide the grey coloured columns: Checkpoint weightage, Calculated weightage, Calculated Impact Level, Calculated Defect Level, Sum of calculated weightage, Column(N), Impact Values, Check Values, Defect type Values.
6. Write-protect the sheet for all columns other than Developer Check, Developer Comment, Reviewer Check, Reviewer Comment and Impact (the columns the developer and reviewer must edit).

General
1. Hide this Instructions tab.
2. Include any additional instructions for the users in the ReadMe tab.
3. Update the Document Control tab with the project info, confidentiality info and the Project Revision History table.

CQI Calculation Method

Calculated weightage
- If the checkpoint is applicable (value 'Pass' or 'Fail' in column 'Reviewer Check'), the same value as in column 'Checkpoint weightage'.
- If the checkpoint is not applicable (value 'N/A' in column 'Reviewer Check'), 0.

Calculated impact level
- Derived from the value in column 'Impact': High = 2, Medium = 1, Low = 0.5, No Impact = 0.

Calculated defect level
- For failed checkpoints: Calculated weightage multiplied by Calculated impact level.
- For passed or N/A checkpoints: 0.

Sum of calculated weightage
- Summation of the Calculated weightage values over all checkpoints.
- The calculation is done in the first row so that the formula is updated automatically when rows are inserted or removed.

CQI calculation
- Default value is 0.
- Unweighted form: CQI = (1 - total failed checkpoints / total applicable checkpoints) x 100%.
- Weighted form: CQI = (1 - sum of calculated defect level / sum of calculated weightage) x 100%.
- The defect level takes the weightage and the impact value of the applicable checkpoints into account, so a failed high-weightage, high-impact checkpoint lowers the index far more than a failed low-weightage one.
- Caveat: a High impact failure contributes twice its weightage to the defect level, so the sum of defect levels can exceed the sum of calculated weightages and the weighted form can go below 0%. A sheet that reports the index should floor it at 0 (or cap the impact factor at 1) rather than show a negative CQI.
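The calculation rules above, written out in plain Java as an added example (this is not a formula from the spreadsheet template itself). The class names, the enum values, the sample checkpoints in main() and the decision to floor the weighted index at 0 are assumptions made for illustration; the impact factors and the two formulas are the ones the table states.

```java
import java.util.Arrays;
import java.util.List;

/** Added example: the sheet's CQI rules as code. Not part of the checklist template. */
public class CqiCalculator {

    enum Check { PASS, FAIL, NA }               // column 'Reviewer Check'
    enum Impact { HIGH, MEDIUM, LOW, NONE }     // column 'Impact'

    static final class Checkpoint {
        final String name;
        final int weightage;                    // column 'Checkpoint weightage', 1-5
        final Check reviewerCheck;
        final Impact impact;                    // only meaningful when reviewerCheck == FAIL

        Checkpoint(String name, int weightage, Check reviewerCheck, Impact impact) {
            if (weightage < 1 || weightage > 5) {
                throw new IllegalArgumentException("weightage must be 1-5: " + name);
            }
            this.name = name;
            this.weightage = weightage;
            this.reviewerCheck = reviewerCheck;
            this.impact = impact;
        }
    }

    /** 'Calculated weightage': the checkpoint weightage if applicable (Pass/Fail), 0 for N/A. */
    static int calculatedWeightage(Checkpoint c) {
        return c.reviewerCheck == Check.NA ? 0 : c.weightage;
    }

    /** 'Calculated impact level': High = 2, Medium = 1, Low = 0.5, No Impact = 0. */
    static double calculatedImpactLevel(Impact impact) {
        switch (impact) {
            case HIGH:   return 2.0;
            case MEDIUM: return 1.0;
            case LOW:    return 0.5;
            default:     return 0.0;
        }
    }

    /** 'Calculated defect level': weightage x impact for a Fail, 0 for Pass or N/A. */
    static double calculatedDefectLevel(Checkpoint c) {
        if (c.reviewerCheck != Check.FAIL) return 0.0;
        return calculatedWeightage(c) * calculatedImpactLevel(c.impact);
    }

    /** Unweighted CQI: (1 - failed / applicable) x 100. Returns the sheet's default, 0, if nothing is applicable. */
    static double simpleCqi(List<Checkpoint> rows) {
        long applicable = rows.stream().filter(c -> c.reviewerCheck != Check.NA).count();
        long failed = rows.stream().filter(c -> c.reviewerCheck == Check.FAIL).count();
        if (applicable == 0) return 0.0;
        return 100.0 * (1.0 - (double) failed / applicable);
    }

    /** Weighted CQI: (1 - sum of defect level / sum of calculated weightage) x 100. */
    static double weightedCqi(List<Checkpoint> rows) {
        int sumWeightage = rows.stream().mapToInt(CqiCalculator::calculatedWeightage).sum();
        double sumDefect = rows.stream().mapToDouble(CqiCalculator::calculatedDefectLevel).sum();
        if (sumWeightage == 0) return 0.0;
        // A High impact failure counts twice its weightage, so the quotient can exceed 1.
        // Flooring at 0 is an assumption of this example; the sheet's formula does not clamp.
        return Math.max(0.0, 100.0 * (1.0 - sumDefect / sumWeightage));
    }

    public static void main(String[] args) {
        // Constructed sample review: two failures of different weight and impact, one pass, one N/A.
        List<Checkpoint> rows = Arrays.asList(
            new Checkpoint("user credentials never stored in plaintext", 5, Check.FAIL, Impact.HIGH),
            new Checkpoint("deny access to pages and data by default",   5, Check.PASS, Impact.NONE),
            new Checkpoint("logout invalidates the session",            3, Check.FAIL, Impact.LOW),
            new Checkpoint("web based admin tools require SSL",         4, Check.NA,   Impact.NONE));
        System.out.printf("unweighted CQI = %.1f%%%n", simpleCqi(rows));
        System.out.printf("weighted CQI   = %.1f%%%n", weightedCqi(rows));
    }
}
```

With the sample rows, the unweighted form counts 2 failures out of 3 applicable checkpoints, while the weighted form divides a defect level of 5 x 2 + 3 x 0.5 by a calculated weightage sum of 5 + 5 + 3; the two indices differ by a wide margin, which is the point of weighting.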

JAVA/J2EE - Code Review Checklist

Developer's Section
- Project Name/Subproject Name: SPS
- Client Name:
- Deliverable ID and Name:
- Enhancement/release:
- ID or name of the Configurable Item (source file/function/object/etc.) being reviewed:
- Configurable Item type:
- Date (DD-MMM-YYYY):
- Developer LN ID:

SME (Reviewer) Section
- Review Completed:
- Reviewer LN ID:
- Date of review (DD-MMM-YYYY):
- CQI Value:
- Review Result:
- Reviewer's comment:
TAC ABAP Checklist General Standards Page 5 of 10

Columns of the 'Review Checklist' tab: No. | Checklist | Defect type | Developer Check | Developer Comment | Reviewer Check | Reviewer Comment. The two comment columns are empty for every row in this copy and are omitted from the rows below.

Defect type codes used in the 'Defect type' column:
- SB. Code standard violation (too few comment lines, no function/interface headers, indentation style etc.)
- SD. Logical error in the code
- SK. Does not satisfy function/performance criteria
- SO. Inadequate/Incomplete Code
- SQ. Configurability/Usability
- SR. Redundant Code
- SS. Secure Coding Standard violation (Code not secure as per Secure Coding Standard & Guideline)

No. | Checklist | Defect type | Developer Check | Reviewer Check

<General>
1 | proper configuration of frameworks such as Spring, Struts | SQ. Configurability/Usability | Pass | Pass
2 | libraries are up-to-date | SQ. Configurability/Usability | Pass | Pass
3 | system calls have their return status checked | SK. Does not satisfy function/performance criteria | Pass | Pass
4 | efficient memory usage | SK. Does not satisfy function/performance criteria | Pass | Pass
5 | code, services, commands and processes are executed using minimal privileges (least privilege) | SQ. Configurability/Usability | Pass | Pass
6 | debugging code and test harnesses have been removed | SR. Redundant Code | Pass | Pass
7 | code has no back doors | SO. Inadequate/Incomplete Code | Pass | Pass
8 | does each file have the correct header? | SB. Code standard violation | Pass | Pass
9 | do all packages start with "com.yourdomainname"? | SB. Code standard violation | Pass | Pass
10 | are package names single lowercase words with no spaces, dashes or special characters (com.domain.package)? | SB. Code standard violation | Pass | Pass
11 | do class names start with a capital letter followed by mixed case (FooBarReader)? | SB. Code standard violation | Pass | Pass
12 | are constants all uppercase with underscores separating words (THIS_IS_A_CONSTANT)? | SB. Code standard violation | Pass | Pass
13 | are initialization methods named init()? | SO. Inadequate/Incomplete Code | Pass | Pass
14 | do braces line up vertically with the code indented from the braces? | SB. Code standard violation | Pass | Pass
15 | is access to non-final static variables (global or class scope) synchronized? | SB. Code standard violation | Pass | Pass
16 | are the correct parameters passed? That is, do the calling and called parameters match? | SB. Code standard violation | Pass | Pass
17 | are all object references checked for null before use? | SD. Logical error in the code | Pass | Pass
18 | are class casts made safely (usually by checking with instanceof first)? | SK. Does not satisfy function/performance criteria | Pass | Pass
19 | is conversion between integers and floats appropriately handled (overflow, truncation, rounding)? | SK. Does not satisfy function/performance criteria | Pass | Pass
20 | no public variables without strong justification in comments | SB. Code standard violation | Pass | Pass
21 | do the classes avoid using protected and package/friendly variables of other classes in the same package? | SB. Code standard violation | Pass | Pass
22 | are all class variables appropriately prefixed with their scope? | SB. Code standard violation | Pass | Pass
23 | no exposure to buffer overruns | SQ. Configurability/Usability | Pass | Pass

Secure Coding Standard Check List

1. Authentication and User Management
1 | user credentials are never stored in plaintext in the data store (passwords as salted, slow hashes; other secrets encrypted) | SS. Secure Coding Standard violation | Pass | Pass
2 | security policies are configurable (not hardcoded) | SS. Secure Coding Standard violation | Pass | Pass
3 | standard security frameworks are used (instead of custom code) | SS. Secure Coding Standard violation | Pass | Pass
4 | SSL/TLS is used to protect user credentials and authentication tokens | SS. Secure Coding Standard violation | Pass | Pass
5 | authentication cookies are encrypted | SS. Secure Coding Standard violation | Pass | Pass
6 | cookie names and paths are set explicitly (scoped to the application) | SS. Secure Coding Standard violation | Pass | Pass
7 | application handles user management events such as authentication failure, password reset, password change, account lockout and cancel account | SS. Secure Coding Standard violation | Pass | Pass
8 | application handles suspicious events such as multiple failed logon attempts, session replay and attempted access to restricted resources | SS. Secure Coding Standard violation | Pass | Pass
9 | strong password policies are enforced | SS. Secure Coding Standard violation | Pass | Pass
10 | authentication credentials are not passed by HTTP GET | SS. Secure Coding Standard violation | Pass | Pass
11 | authentication cookies are not persisted | SS. Secure Coding Standard violation | Pass | Pass
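A login servlet that satisfies checkpoints 1, 4, 7, 8 and 10 of this section, as an added example; it is not code from the checklist template or from any project the template was used on. It assumes the javax.servlet 3.1 API (for changeSessionId), a hypothetical CredentialStore registered under the servlet-context attribute "credentialStore", and a PBKDF2 iteration count chosen for illustration.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example: a login endpoint for the authentication checkpoints above. Not template code. */
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    /** Assumed backing store: returns the stored salt and PBKDF2 hash for a user, or null if unknown. */
    public interface CredentialStore {
        StoredCredential find(String username);
    }

    public static final class StoredCredential {
        public final byte[] salt;
        public final byte[] hash;
        public StoredCredential(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    private static final int PBKDF2_ITERATIONS = 100_000;   // assumed work factor; tune to the hardware
    private CredentialStore store;

    @Override
    public void init() {
        // Assumed wiring: the application registers its store under this context attribute at start-up.
        store = (CredentialStore) getServletContext().getAttribute("credentialStore");
    }

    /** Checkpoint 10: credentials are never accepted from a GET query string (they would end up in logs and history). */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setHeader("Allow", "POST");
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
        // Checkpoint 4: the credential only ever arrives over SSL/TLS.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "SSL/TLS required");
            return;
        }
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        StoredCredential cred = (user == null || pass == null) ? null : store.find(user);
        if (cred == null || !verify(pass, cred)) {
            // Checkpoints 7/8: the failure is a handled event (to be counted and logged by the caller);
            // the response does not reveal whether the user exists.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid username or password");
            return;
        }
        // The session id issued before authentication is replaced on success (Servlet 3.1), so an id
        // planted in the browser beforehand cannot be turned into an authenticated one.
        if (req.getSession(false) != null) req.changeSessionId();
        HttpSession session = req.getSession(true);
        session.setAttribute("user", user);
        session.setAttribute("role", "USER");
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    /** Checkpoint 1: the store holds a salted PBKDF2 hash, never the plaintext password or a reversible ciphertext. */
    static boolean verify(String password, StoredCredential cred) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), cred.salt, PBKDF2_ITERATIONS, cred.hash.length * 8);
            byte[] candidate = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
            spec.clearPassword();
            return MessageDigest.isEqual(candidate, cred.hash);   // constant-time comparison
        } catch (GeneralSecurityException e) {
            return false;
        }
    }
}
```

The cookie-related checkpoints (5, 6 and 11) are best satisfied at container level through the session cookie configuration rather than in the servlet: a session cookie that carries only a random id has nothing to encrypt, and the Secure, HttpOnly, path and non-persistent settings belong in one place.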
2. Authorization
1 | authentication and authorization are the first logic executed for each request | SS. Secure Coding Standard violation | |
2 | authorization checks are granular (page and directory level) | SS. Secure Coding Standard violation | |
3 | access to pages and data is denied by default | SS. Secure Coding Standard violation | |
4 | re-authentication is required for requests that have side effects | SS. Secure Coding Standard violation | |
5 | access control lists are configured for all files | SS. Secure Coding Standard violation | |
6 | authorization is based on clearly defined roles | SS. Secure Coding Standard violation | |
7 | authorization works properly and cannot be circumvented by parameter manipulation | SS. Secure Coding Standard violation | |
8 | authorization cannot be bypassed by cookie manipulation | SS. Secure Coding Standard violation | |
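A servlet filter that implements checkpoints 1, 2, 3, 6, 7 and 8 of this section, as an added example that is not part of the checklist template. It assumes the javax.servlet 3.x API, a role stored in the server-side session under the attribute "role" at login, and an illustrative path-to-role policy (in a real deployment the policy is loaded from configuration, per authentication checkpoint 2, not hardcoded as it is here).

```java
import java.io.IOException;
import java.util.ArrayDeque;
import java.util.Collections;
import java.util.Deque;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example: deny-by-default, role-based authorization run before any application logic. Not template code. */
@WebFilter(urlPatterns = "/*")   // every request, static files and nested directories included (checkpoint 2)
public class AuthorizationFilter implements Filter {

    /** Assumed policy: path (prefix if it ends with '/', exact otherwise) -> roles allowed. Anything unlisted is denied. */
    private static final Map<String, Set<String>> POLICY = new LinkedHashMap<>();
    static {
        POLICY.put("/public/", Collections.singleton("ANONYMOUS"));
        POLICY.put("/login", Collections.singleton("ANONYMOUS"));
        POLICY.put("/account/", Collections.singleton("USER"));
        POLICY.put("/admin/", Collections.singleton("ADMIN"));
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Normalise before matching so "/admin/../account/x" cannot be evaluated against the wrong rule.
        String path = normalise(req.getServletPath() + (req.getPathInfo() == null ? "" : req.getPathInfo()));

        // Checkpoints 7/8: the role comes from the server-side session only, never from a request
        // parameter or a cookie value the client can edit.
        HttpSession session = req.getSession(false);
        String role = session == null ? "ANONYMOUS" : String.valueOf(session.getAttribute("role"));

        Set<String> allowed = lookup(path);
        if (allowed == null || !allowed.contains(role)) {
            // Checkpoint 3: no rule, or a rule that excludes this role, is a denial.
            resp.sendError(session == null ? HttpServletResponse.SC_UNAUTHORIZED : HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    /** Longest matching rule wins, so "/admin/" beats a broader prefix; null means no rule matched. */
    static Set<String> lookup(String path) {
        Set<String> match = null;
        int longest = -1;
        for (Map.Entry<String, Set<String>> e : POLICY.entrySet()) {
            String rule = e.getKey();
            boolean hit = rule.endsWith("/") ? path.startsWith(rule) : path.equals(rule);
            if (hit && rule.length() > longest) { match = e.getValue(); longest = rule.length(); }
        }
        return match;
    }

    /** Collapses "." and ".." segments; containers normally do this already, so it is defence in depth. */
    static String normalise(String path) {
        Deque<String> out = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) { out.pollLast(); continue; }
            out.addLast(seg);
        }
        String joined = "/" + String.join("/", out);
        return path.endsWith("/") && !joined.endsWith("/") ? joined + "/" : joined;
    }
}
```

Checkpoint 1 is only met if this filter really runs first: filters declared with annotations have no guaranteed order relative to each other, so in practice declare it first in web.xml, where filter-mapping order is the execution order. Note that a catch-all rule such as "/" would silently turn the policy into allow-by-default, which is why the example deliberately has none.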
3. Session Management
1 | no session parameters are passed in URLs | SS. Secure Coding Standard violation | Pass | Pass
2 | session cookies expire in a reasonably short time | SS. Secure Coding Standard violation | Pass | Pass
3 | session cookies are encrypted | SS. Secure Coding Standard violation | Pass | Pass
4 | session data is validated | SS. Secure Coding Standard violation | Pass | Pass
5 | private data in cookies is kept to a minimum | SS. Secure Coding Standard violation | Pass | Pass
6 | application avoids excessive cookie use | SS. Secure Coding Standard violation | Pass | Pass
7 | session id is unpredictable (sufficient length, generated from a cryptographically secure random source) | SS. Secure Coding Standard violation | Pass | Pass
8 | session storage is secure | SS. Secure Coding Standard violation | Pass | Pass
9 | application properly handles invalid session ids | SS. Secure Coding Standard violation | Pass | Pass
10 | session limits such as inactivity timeout are enforced | SS. Secure Coding Standard violation | Pass | Pass
11 | logout invalidates the session | SS. Secure Coding Standard violation | Pass | Pass
12 | session resources are released when the session is invalidated | SS. Secure Coding Standard violation | Pass | Pass
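Container-level session settings plus a logout endpoint covering checkpoints 1, 2, 10, 11 and 12 of this section and the cookie checkpoints (5, 6, 11) of the authentication section, as an added example that is not part of the checklist template. It assumes the javax.servlet 3.x API, an illustrative cookie name "APPSESSIONID", a 15-minute inactivity limit chosen for illustration, and a session attribute "openResource" holding something AutoCloseable.

```java
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Added example: session hardening for the checkpoints above. Not template code. */
@WebListener
public class SessionHardening implements ServletContextListener, HttpSessionListener {

    static final String COOKIE_NAME = "APPSESSIONID";          // assumed name (authentication checkpoint 6)
    private static final int INACTIVITY_TIMEOUT_SECONDS = 15 * 60;   // assumed policy value (checkpoint 10)

    static String cookiePath(ServletContext ctx) {
        return ctx.getContextPath().isEmpty() ? "/" : ctx.getContextPath();
    }

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // Checkpoint 1: cookie-only tracking, so the container never rewrites ";jsessionid=..." into URLs.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setName(COOKIE_NAME);
        cookie.setPath(cookiePath(ctx));      // scoped to this application
        cookie.setHttpOnly(true);             // not readable by client-side script
        cookie.setSecure(true);               // only sent over SSL/TLS
        cookie.setMaxAge(-1);                 // browser-session cookie, not persisted (authentication checkpoint 11)
    }

    @Override public void contextDestroyed(ServletContextEvent sce) { }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Checkpoints 2/10: idle sessions expire server-side whatever the client does with the cookie.
        se.getSession().setMaxInactiveInterval(INACTIVITY_TIMEOUT_SECONDS);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Checkpoint 12: fires on logout and on timeout alike; release whatever was tied to the session.
        Object res = se.getSession().getAttribute("openResource");
        if (res instanceof AutoCloseable) {
            try { ((AutoCloseable) res).close(); } catch (Exception ignored) { }
        }
    }
}

/** Checkpoint 11: logout is a POST (it has a side effect) that invalidates the session and expires the cookie. */
@WebServlet("/logout")
class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);   // null for a missing or already-invalid id (checkpoint 9)
        if (session != null) session.invalidate();
        Cookie expired = new Cookie(SessionHardening.COOKIE_NAME, "");
        expired.setPath(SessionHardening.cookiePath(getServletContext()));
        expired.setMaxAge(0);
        expired.setSecure(true);
        expired.setHttpOnly(true);
        resp.addCookie(expired);
        resp.sendRedirect(req.getContextPath() + "/login");
    }
}
```

Checkpoints 3 and 7 are met by the container itself when the session cookie carries nothing but a random id: there is no data in it to encrypt, and the id's strength comes from the container's generator, which should be checked to use a cryptographically secure source of the configured length.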
Input Validation
1 | all external input is validated without exception | SO. Inadequate/Incomplete Code | |
2 | where possible, input is restricted to known-good characters | SO. Inadequate/Incomplete Code | |
3 | data is validated server side (security does not rely on client-side validation) | SK. Does not satisfy function/performance criteria | |
4 | application validates numerical input and rejects unexpected input | SO. Inadequate/Incomplete Code | |
5 | application checks input length before processing it | SO. Inadequate/Incomplete Code | |
6 | strong separation between data and commands | SK. Does not satisfy function/performance criteria | |
7 | strong separation between data and client-side scripts | SK. Does not satisfy function/performance criteria | |
8 | data is checked for special characters before being passed to SQL, LDAP, OS and third-party commands | SK. Does not satisfy function/performance criteria | |
9 | HTTP headers are validated for each request (e.g. Referer) | SK. Does not satisfy function/performance criteria | |
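Positive validation and data/command separation for checkpoints 2, 4, 5, 6 and 8, with the exit status check from General checkpoint 3, as an added example that is not part of the checklist template. The table name, the column names, the allowed character classes and length limits, and the command path "/usr/local/bin/render-report" are assumptions made for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.regex.Pattern;

/** Added example: validate by allow-list, then keep data out of the command. Not template code. */
public class InputValidation {

    // Checkpoints 2 and 5: known-good characters only, with an explicit length bound.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_.-]{1,32}$");
    private static final Pattern REPORT_ID = Pattern.compile("^[0-9]{1,9}$");   // always fits in an int

    /** Returns the validated value or throws; bad input is rejected, never silently "cleaned up". */
    static String requireUsername(String raw) {
        if (raw == null || !USERNAME.matcher(raw).matches()) {
            throw new IllegalArgumentException("invalid username");
        }
        return raw;
    }

    /** Checkpoint 4: numeric input is parsed and range-checked, not carried around as a string. */
    static int requireReportId(String raw) {
        if (raw == null || !REPORT_ID.matcher(raw).matches()) {
            throw new IllegalArgumentException("invalid report id");
        }
        int id = Integer.parseInt(raw);
        if (id < 1) throw new IllegalArgumentException("invalid report id");
        return id;
    }

    /** Checkpoints 6/8 (SQL): the statement text is fixed; user data only ever travels as a bound parameter. */
    static String lookupOwner(Connection db, String rawUsername) throws SQLException {
        String user = requireUsername(rawUsername);
        String sql = "SELECT owner FROM reports WHERE author = ?";   // no string concatenation
        try (PreparedStatement ps = db.prepareStatement(sql)) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    /** Checkpoint 8 (OS commands) and General checkpoint 3: argv-style invocation with no shell in
     *  between, and a non-zero exit status is an error rather than silently ignored. */
    static byte[] renderReport(String rawId) throws IOException, InterruptedException {
        int id = requireReportId(rawId);
        ProcessBuilder pb = new ProcessBuilder("/usr/local/bin/render-report", "--id", Integer.toString(id));
        pb.redirectErrorStream(true);
        Process p = pb.start();
        byte[] output;
        try (InputStream in = p.getInputStream()) {
            output = readAll(in);          // drain before waitFor() so the child cannot block on a full pipe
        }
        int status = p.waitFor();
        if (status != 0) throw new IOException("render-report exited with status " + status);
        return output;
    }

    private static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        for (int n; (n = in.read(chunk)) != -1; ) buf.write(chunk, 0, n);
        return buf.toByteArray();
    }

    public static void main(String[] args) {
        // Constructed inputs: the first two are accepted; the rest are rejected before any statement or command exists.
        String tooLong = new String(new char[40]).replace('\0', 'x');
        for (String s : Arrays.asList("alice", "b.ob-2", "alice' OR '1'='1", "../../etc/passwd", tooLong, "")) {
            try {
                System.out.println("accept: " + requireUsername(s));
            } catch (IllegalArgumentException e) {
                System.out.println("reject: " + s);
            }
        }
    }
}
```

Checkpoint 7 is the output-side counterpart: data that reaches an HTML page or a script must be encoded for that context at the point of output, because input validation alone cannot know where a value will later be rendered.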
Cryptography
1 | sensitive data is secured in memory, storage and transit | SS. Secure Coding Standard violation | |
2 | restricted areas require SSL/TLS | SS. Secure Coding Standard violation | |
3 | sensitive information is not passed to/from non-SSL pages | SS. Secure Coding Standard violation | |
4 | proper SSL/TLS set-up (valid certificate chain, correct host name, no mixed content) | SS. Secure Coding Standard violation | |
5 | SSL/TLS provider is configured to offer only strong protocol versions and cipher suites | SS. Secure Coding Standard violation | |
6 | web-based admin tools require SSL/TLS | SS. Secure Coding Standard violation | |
7 | decryption services are protected by authentication/authorization | SS. Secure Coding Standard violation | |
8 | SSL/TLS is required for the login page | SS. Secure Coding Standard violation | |
9 | cryptographic keys are stored securely (outside the source code and configuration files) | SS. Secure Coding Standard violation | |
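A filter that enforces SSL/TLS for restricted areas (checkpoints 2, 3, 6 and 8) and a key loader that keeps the data-encryption key in a keystore rather than in code (checkpoint 9), as an added example that is not part of the checklist template. It assumes the javax.servlet 3.x API, illustrative URL patterns for the restricted areas, a PKCS12 keystore whose path and password come from the environment variables APP_KEYSTORE_PATH and APP_KEYSTORE_PASSWORD, and a secret-key alias "data-key"; all of these names are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.crypto.SecretKey;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example: SSL/TLS required for login, admin and account pages. Not template code. */
@WebFilter(urlPatterns = {"/login", "/admin/*", "/account/*"})   // assumed "restricted areas" (checkpoints 2, 6, 8)
public class TransportSecurityFilter implements Filter {

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if (!req.isSecure()) {
            // Checkpoint 3: a plaintext request to a restricted area produces no application content.
            // Only a GET is redirected; a POST body has already travelled in the clear and is refused.
            if ("GET".equals(req.getMethod())) {
                resp.sendRedirect("https://" + req.getServerName() + req.getRequestURI());
            } else {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "SSL/TLS required");
            }
            return;
        }
        // Tell the browser to stay on HTTPS for this host so later links are not downgraded.
        resp.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
        chain.doFilter(request, response);
    }
}

/** Checkpoint 9: the data-encryption key lives in a keystore outside the code base; its location and
 *  password come from the deployment environment (assumed variable names), never from source or a
 *  checked-in properties file. */
class DataKeyLoader {
    static SecretKey loadDataKey() throws GeneralSecurityException, IOException {
        String path = System.getenv("APP_KEYSTORE_PATH");
        String password = System.getenv("APP_KEYSTORE_PASSWORD");
        if (path == null || password == null) {
            throw new IllegalStateException("keystore location or password not configured");
        }
        char[] pw = password.toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, pw);                                   // integrity of the store is verified here
        }
        KeyStore.Entry entry = ks.getEntry("data-key", new KeyStore.PasswordProtection(pw));
        java.util.Arrays.fill(pw, '\0');
        if (!(entry instanceof KeyStore.SecretKeyEntry)) {
            throw new IllegalStateException("keystore has no secret key under alias 'data-key'");
        }
        return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
    }
}
```

Checkpoints 4 and 5 are container configuration rather than application code: the connector's enabled protocols and cipher suites are the place to remove weak versions and suites, and the review should look there, not in the servlets.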
Exception Handling
1 | when exceptions occur, the application fails securely | SS. Secure Coding Standard violation | Pass | Pass
2 | error messages do not reveal sensitive information | SS. Secure Coding Standard violation | Pass | Pass
3 | system errors are never shown to users | SK. Does not satisfy function/performance criteria | Pass | Pass
4 | resources are released and transactions rolled back when there is an error | SK. Does not satisfy function/performance criteria | Pass | Pass
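A transactional service method showing all four checkpoints of this section together, as an added example that is not part of the checklist template. It assumes a container-managed javax.sql.DataSource, an illustrative accounts table with id and balance columns, and java.util.logging as the server-side log; the class and column names are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.sql.DataSource;

/** Added example: fail securely, roll back, release resources, say nothing sensitive. Not template code. */
public class TransferService {

    private static final Logger LOG = Logger.getLogger(TransferService.class.getName());

    /** What the presentation layer sees: a generic message and a reference id, never the cause (checkpoints 2, 3). */
    public static final class ServiceException extends Exception {
        public final String reference;
        ServiceException(String reference) {
            super("The request could not be completed. Reference: " + reference);
            this.reference = reference;
        }
    }

    private final DataSource ds;

    public TransferService(DataSource ds) { this.ds = ds; }

    public void transfer(long fromAccount, long toAccount, long amountCents) throws ServiceException {
        if (amountCents <= 0 || fromAccount == toAccount) {
            throw new IllegalArgumentException("invalid transfer request");   // caller bug, nothing sensitive
        }
        // try-with-resources: the connection is closed on every path, including exceptions (checkpoint 4).
        try (Connection db = ds.getConnection()) {
            db.setAutoCommit(false);
            try {
                debit(db, fromAccount, amountCents);
                credit(db, toAccount, amountCents);
                db.commit();
            } catch (SQLException | RuntimeException e) {
                db.rollback();        // checkpoint 4: a half-done transfer never becomes visible
                throw e;
            }
        } catch (SQLException | RuntimeException e) {
            // Checkpoint 1: fail closed. The stack trace and driver message stay in the server log,
            // filed under a reference the user can quote to support.
            String reference = UUID.randomUUID().toString();
            LOG.log(Level.SEVERE, "transfer failed, reference " + reference, e);
            throw new ServiceException(reference);
        }
    }

    private static void debit(Connection db, long account, long cents) throws SQLException {
        String sql = "UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?";
        try (PreparedStatement ps = db.prepareStatement(sql)) {
            ps.setLong(1, cents);
            ps.setLong(2, account);
            ps.setLong(3, cents);
            if (ps.executeUpdate() != 1) {
                throw new SQLException("insufficient funds or unknown account " + account);
            }
        }
    }

    private static void credit(Connection db, long account, long cents) throws SQLException {
        String sql = "UPDATE accounts SET balance = balance + ? WHERE id = ?";
        try (PreparedStatement ps = db.prepareStatement(sql)) {
            ps.setLong(1, cents);
            ps.setLong(2, account);
            if (ps.executeUpdate() != 1) {
                throw new SQLException("unknown account " + account);
            }
        }
    }
}
```

The reviewer's check for checkpoint 3 is the error page configuration as much as this code: the container's default error page prints the exception class and often the stack trace, so web.xml should map exceptions and 5xx status codes to a static page of the application's own.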
Auditing and Logging
1 | all user / system actions are logged | SS. Secure Coding Standard violation | Pass | Pass
2 | sensitive information is not logged (e.g. passwords) | SS. Secure Coding Standard violation | Pass | Pass
3 | user management events are logged (e.g. password reset) | SS. Secure Coding Standard violation | Pass | Pass
4 | unusual activity such as multiple login attempts is logged | SS. Secure Coding Standard violation | Pass | Pass
5 | logs have enough detail to reconstruct events for audit purposes | SS. Secure Coding Standard violation | Pass | Pass
6 | logging is highly configurable (logging levels) | SS. Secure Coding Standard violation | Pass | Pass
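An audit logger covering checkpoints 2 to 6 of this section, as an added example that is not part of the checklist template. It assumes java.util.logging (levels are then set per logger in logging.properties), an in-memory failure counter that a real deployment would keep in shared storage, a lockout threshold chosen for illustration, and field names that are treated as secrets; all of these are assumptions.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Added example: one structured audit line per security event, secrets redacted. Not template code. */
public final class AuditLog {

    // Checkpoint 6: the level of this named logger is set in logging.properties, not in code.
    private static final Logger LOG = Logger.getLogger("security.audit");
    // Checkpoint 2: form fields that must never reach the log verbatim (assumed names).
    private static final Set<String> SECRET_FIELDS =
            new HashSet<>(Arrays.asList("password", "newPassword", "token", "secret"));
    private static final int LOCKOUT_THRESHOLD = 5;                            // assumed policy value
    private static final Map<String, Integer> FAILURES = new ConcurrentHashMap<>();

    public enum Event { LOGIN_SUCCESS, LOGIN_FAILURE, PASSWORD_RESET, PASSWORD_CHANGE, ACCOUNT_LOCKOUT, ACCESS_DENIED }

    /** Checkpoint 5: who, what, from where, plus details; the logger adds the timestamp. Returns the line written. */
    public static String record(Event event, String user, String clientIp, Map<String, String> details) {
        StringBuilder line = new StringBuilder()
                .append("event=").append(event)
                .append(" user=").append(sanitize(user))
                .append(" ip=").append(sanitize(clientIp));
        for (Map.Entry<String, String> d : details.entrySet()) {
            String value = SECRET_FIELDS.contains(d.getKey()) ? "[REDACTED]" : sanitize(d.getValue());
            line.append(' ').append(sanitize(d.getKey())).append('=').append(value);
        }
        Level level = (event == Event.LOGIN_FAILURE || event == Event.ACCESS_DENIED) ? Level.WARNING : Level.INFO;
        LOG.log(level, line.toString());
        return line.toString();
    }

    /** Checkpoint 4: repeated failures are counted and surface as a distinct lockout event. Returns true on lockout. */
    public static boolean loginFailed(String user, String clientIp) {
        int count = FAILURES.merge(user, 1, Integer::sum);
        record(Event.LOGIN_FAILURE, user, clientIp, Collections.singletonMap("attempt", Integer.toString(count)));
        if (count >= LOCKOUT_THRESHOLD) {
            record(Event.ACCOUNT_LOCKOUT, user, clientIp, Collections.<String, String>emptyMap());
            return true;
        }
        return false;
    }

    public static void loginSucceeded(String user, String clientIp) {
        FAILURES.remove(user);
        record(Event.LOGIN_SUCCESS, user, clientIp, Collections.<String, String>emptyMap());
    }

    /** One event per line: CR, LF and other control characters from user-supplied values are replaced,
     *  so a crafted value cannot forge an extra log entry. */
    static String sanitize(String s) {
        if (s == null) return "-";
        return s.replaceAll("[\\p{Cntrl}]", "_");
    }

    public static void main(String[] args) {
        // Constructed events: a password reset whose form data must not be logged verbatim,
        // including a value that tries to inject a fake LOGIN_SUCCESS line.
        Map<String, String> form = new LinkedHashMap<>();
        form.put("newPassword", "hunter2");
        form.put("channel", "self-service\r\nevent=LOGIN_SUCCESS user=admin");
        System.out.println(record(Event.PASSWORD_RESET, "alice", "10.0.0.7", form));
        for (int i = 0; i < LOCKOUT_THRESHOLD; i++) {
            loginFailed("bob", "10.0.0.9");
        }
    }
}
```

Checkpoint 1 ("all user / system actions are logged") is satisfied by calling record() from the places where those actions happen: the login servlet on success and failure, the authorization filter on every denial, and the user-management flows for reset, change and lockout.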
<Project Name/Subproject Name>: Code Review Checklist

Confidentiality:

Code Review Checklist - Project Revision History

Changes to this checklist are summarized in the following table in reverse chronological order (latest version first).

Revision | Date | Created/Updated by | Change description
[1.0] | [dd/mmm/yyyy] | [Name] | [Initial Version of document]

Code Review Checklist - Template Revision History

This revision history is to be updated by the WW OPAL team only. Changes to this template are summarized in the following table in reverse chronological order (latest version first).

Revision | Date | Created/Updated by | Short Description of Changes
1.0 | | WW OPAL Content-Team | Initial Version of the document
