The getDatabase() code tries to avoid explicit synchronization by applying a double-checked locking pattern. https://developer.android.com/codelabs/android-room-with-a-view#7
The way it is implemented here looks like a broken implementation as per CWE-609. https://cwe.mitre.org/data/definitions/609.html
I also get warnings by deepsource about the same, stating:
The code is slightly different from the CWE sample, as there an assignment of a newly constructed object happens. But somewhere within the Builder also a new object is instantiated. Is there a guarantee that the construction has completed before the assignment happens? If not, the code sample should use one of the better approaches as outlined by deepsource.
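The double-checked locking pattern the post is asking about, as an added example that is not the codelab's own code: the form without volatile that CWE-609 describes, next to the volatile form that the Java memory model requires for a safe unsynchronized fast path. The class name AppDatabase, the database file name and the Room builder call are assumptions; the @Database annotation and entity classes the codelab defines are omitted.

```java
import android.content.Context;
import androidx.room.Room;
import androidx.room.RoomDatabase;

// Added illustration, not the codelab's code; class and file names are assumed.
public abstract class AppDatabase extends RoomDatabase {

    // BROKEN (CWE-609): without 'volatile' the JVM may publish the reference
    // to BROKEN_INSTANCE before build() has finished writing the object's
    // fields. A second thread can then see a non-null reference on the
    // unsynchronized first check and use a partially constructed database.
    private static AppDatabase BROKEN_INSTANCE;

    public static AppDatabase getDatabaseBroken(Context context) {
        if (BROKEN_INSTANCE == null) {
            synchronized (AppDatabase.class) {
                if (BROKEN_INSTANCE == null) {
                    BROKEN_INSTANCE = Room.databaseBuilder(
                            context.getApplicationContext(),
                            AppDatabase.class, "app_database").build();
                }
            }
        }
        return BROKEN_INSTANCE;
    }

    // FIXED: 'volatile' gives the write to INSTANCE release semantics and each
    // read acquire semantics (JSR-133), so a thread that observes a non-null
    // INSTANCE is guaranteed to see the fully constructed object. Copying into
    // a local first also avoids a second volatile read on the fast path.
    private static volatile AppDatabase INSTANCE;

    public static AppDatabase getDatabase(Context context) {
        AppDatabase result = INSTANCE;
        if (result == null) {
            synchronized (AppDatabase.class) {
                result = INSTANCE;
                if (result == null) {
                    result = Room.databaseBuilder(
                            context.getApplicationContext(),
                            AppDatabase.class, "app_database").build();
                    INSTANCE = result;
                }
            }
        }
        return result;
    }
}
```

Whether a given codelab version is affected comes down to one token: check whether the INSTANCE field that getDatabase() reads outside the synchronized block is declared volatile (Java) or @Volatile (Kotlin).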