logo

Declaration of Throws for Generic Exception

Draft Base
Structure: Simple
Description

This vulnerability occurs when a method is declared to throw an overly broad exception type, such as a generic 'Exception' or 'Throwable'. This practice masks the specific error conditions that can occur, making it difficult for calling code to handle failures appropriately.

Extended Description

Declaring a method to throw a generic exception like `Exception` forces callers into generic error handling. Instead of being able to anticipate and write specific recovery code for different failure scenarios—like `FileNotFoundException` versus `AccessDeniedException`—developers are left with a catch-all block. This obscures the root cause, often leading to inappropriate user responses and making debugging significantly harder. Catching these overly broad declarations manually is tedious, especially in large codebases. While SAST tools can flag the pattern, Plexicus uses AI to not only detect the issue but also suggest the precise, narrower exception types to declare, automating the remediation and saving valuable development time.
Common Consequences 1
Scope: Non-RepudiationOther

Impact: Hide ActivitiesAlter Execution Logic

Throwing a generic exception can hide details about unexpected adversary activities by making it difficult to properly troubleshoot error conditions during execution.
Detection Methods 1
Automated Static AnalysisHigh
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Demonstrative Examples 2

ID : DX-198

The following method throws three types of exceptions.

Code Example:

Good
Java
java
While it might seem tidier to write

Code Example:

Bad
Java
java
doing so hampers the caller's ability to understand and handle the exceptions that occur. Further, if a later revision of doExchange() introduces a new type of exception that should be treated differently than previous exceptions, there is no easy way to enforce this requirement.
Early versions of C++ (C++98, C++03, C++11) included a feature known as Dynamic Exception Specification. This allowed functions to declare what type of exceptions it may throw. It is possible to declare a general class of exception to cover any derived exceptions that may be thrown.

Code Example:

Bad
C++
c++
In the example above, the code declares that myfunction() can throw an exception of type "std::exception" thus hiding details about the possible derived exceptions that could potentially be thrown.
References 3
Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
Katrina Tsipenyuk, Brian Chess, and Gary McGraw
NIST Workshop on Software Security Assurance Tools Techniques and MetricsNIST
07-11-2005
https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf
ID: REF-6
Automated Source Code Reliability Measure (ASCRM)
Object Management Group (OMG)
01-2016
http://www.omg.org/spec/ASCRM/1.0/
ID: REF-961
Automated Source Code Security Measure (ASCSM)
Object Management Group (OMG)
01-2016
http://www.omg.org/spec/ASCSM/1.0/
ID: REF-962
Applicable Platforms
Languages:
C++ : UndeterminedC# : UndeterminedJava : UndeterminedPython : Undetermined
Modes of Introduction
Implementation
Related Weaknesses
ChildOf: Incorrect Control Flow Scoping (CWE-705)
ChildOf: Information Loss or Omission (CWE-221)
ChildOf: Improper Check or Handling of Exceptional Conditions (CWE-703)
Taxonomy Mapping
  • 7 Pernicious Kingdoms
  • The CERT Oracle Secure Coding Standard for Java (2011)
  • Software Fault Patterns
  • OMG ASCSM
  • OMG ASCRM
Notes
Applicable PlatformFor C++, this weakness only applies to C++98, C++03, and C++11. It relies on a feature known as Dynamic Exception Specification, which was part of early versions of C++ but was deprecated in C++11. It has been removed for C++17 and later.