ABSTRACT

The use of deprecated or obsolete functions could indicate neglected code.

EXPLANATION

As programming languages evolve, methods occasionally become obsolete due to:

- Advances in the language

- Improved understanding of how operations should perform effectively and
securely

- Changes in the conventions that govern certain operations

Methods that are removed from a language are usually replaced by newer counterparts that perform the same task in some different and hopefully better way.

Example: The following code constructs a string object from an array of bytes and a value that specifies the top 8 bits of each 16-bit Unicode character.


...
String name = new String(nameBytes, highByte);
...


In this example, the constructor may fail to correctly convert bytes to characters depending upon which charset is used to encode the string represented by nameBytes. Due to the evolution of the charsets used to encode strings, this constructor was deprecated and replaced by a constructor that accepts as one of its parameters the name of the charset used to encode the bytes for conversion.

Not all functions are deprecated or replaced because they pose a security risk. However, the presence of an obsolete function often indicates that the surrounding code has been neglected and may be in a state of disrepair. Software security has not been a priority, or even a consideration, for very long. If the program uses deprecated or obsolete functions, it raises the probability that there are security problems lurking nearby.

REFERENCES

[1] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 477