Unicorn with delicious cookie

Our website uses cookies to enhance your browsing experience.

Accept

Home

>

Documentation

>

Warnings

>

V6110. Using an environment variable...

Introduction

How to enter the PVS-Studio license and what's the next move

PVS-Studio's trial mode

System requirements

Technologies used in

Release history

Release history for previous versions (before 7.00)

Analyzing projects

On Windows

Getting acquainted with the PVS-Studio static code analyzer on Windows

Build-system independent analysis (C and

Direct integration of the analyzer into build automation systems (C and C++)

On Linux and macOS

PVS-Studio C# installation on Linux and macOS

How to run PVS-Studio C# on Linux and macOS

Installing and updating PVS-Studio C++ on Linux

Installing and updating PVS-Studio C++ on macOS

How to run PVS-Studio C++ on Linux and macOS

Cross-platform

Direct use of Java analyzer from command line

Cross-platform analysis of C and C++ projects in PVS-Studio

PVS-Studio for embedded

Analysis of C and C++ projects based on JSON Compilation Database

IDE

Get started with PVS-Studio in Visual

Using PVS-Studio with JetBrains Rider and

How to use the PVS-Studio extension for Qt Creator

How to integrate PVS-Studio in Qt Creator without the PVS-Studio plugin

Using the PVS-Studio extension for Visual Studio

Using PVS-Studio with IntelliJ IDEA and Android Studio

Build systems

Analyzing Visual Studio / MSBuild / .NET projects from the command line using PVS-Studio

Using PVS-Studio with the CMake module

Integrating PVS-Studio Java into the Gradle build system

Integrating PVS-Studio Java into the Maven build system

Game Engines

How to analyze Unity projects with PVS-Studio

Analysis of Unreal Engine

Continuous use of the analyzer in software development

Running PVS-Studio in Docker

Running PVS-Studio in Jenkins

Running PVS-Studio in TeamCity

How to upload analysis results to Jira

PVS-Studio and continuous integration

PVS-Studio's incremental analysis

Analyzing commits and pull requests

Unattended deployment of PVS-Studio

Speeding up the analysis of C and C++ code through distributed build systems (Incredibuild)

Integrating of PVS-Studio analysis results in code quality services (web dashboard)

Integration of PVS-Studio analysis results into DefectDojo

Integration of PVS-Studio analysis results into

Integration of PVS-Studio analysis results into CodeChecker

Deploying the analyzer in cloud Continuous Integration services

Using with Travis CI

Using with CircleCI

Using with GitLab CI/CD

Using with GitHub Actions

Using with Azure DevOps

Using with AppVeyor

Using with Buddy

Managing analysis results

How to display the analyzer's most interesting warnings

How to use the OWASP diagnostic group in PVS-Studio

MISRA Coding Standards and Compliance

Baselining analysis results (suppressing warnings for existing

Handling the diagnostic messages list in Visual Studio

Suppression of false-positive

How to view and convert analyzer's results

Relative paths in PVS-Studio log files

Viewing analysis results with C and C++ Compiler Monitoring UI

Notifying the developer teams (blame-notifier utility)

Filtering and handling the analyzer output through diagnostic configuration files (.pvsconfig)

Excluding files and directories from analysis

Additional configuration and resolving issues

Tips on speeding up PVS-Studio

PVS-Studio: troubleshooting

Additional diagnostics configuration

User annotation mechanism in JSON format

Annotating C and C++ entities in JSON format

Annotating C# entities in JSON format

Annotating Java entities in JSON format

Predefined PVS_STUDIO macro

Analysis configuration file (Settings.xml)

Settings: general

Settings: Common Analyzer Settings

Settings: Detectable Errors

Settings: Don't Check Files

Settings: Keyword Message Filtering

Settings: Registration

Settings: Specific Analyzer Settings

Analyzer diagnostics

PVS-Studio Messages

General Analysis (C++)

General Analysis (C#)

General Analysis (Java)

Micro-Optimizations (C++)

Micro-Optimizations (C#)

Diagnosis of 64-bit errors (Viva64, C++)

Customer specific requests (C++)

MISRA errors

AUTOSAR errors

OWASP errors (C++)

OWASP errors (C#)

OWASP errors (Java)

Problems related to code analyzer

Additional information

Credits and acknowledgements

Feb 28 2024

V6110. Using an environment variable could be unsafe or unreliable. Consider using trusted system property instead

Feb 28 2024

This diagnostic rule detects the use of environment variables that can be replaced by a system property.

According to the documentation, this may result in the following issues:

An attacker can control all environment variables of a program.
Environment variables may have slightly different semantics or case sensitivity on different operating systems.

This increases the chance of unanticipated side effects. Therefore, if an environment variable contains information that is available by other means, the variable should not be used.

For example, if the operating system provides a user name, it is always available in the 'user.name' system property.

Here is an example of how not to write such code:

String user = System.getenv("USER");

The fixed code:

String user = System.getProperty("java.name");

Aside from direct calls to the 'System.getenv()' method, the diagnostic rule tracks methods by their signatures, which may indicate the return of environment variable values.

This diagnostic is classified as:

CERT-ENV02-J

Was this page helpful?

If you can’t find an answer to your question, fill in the form below and our developers will contact you

By clicking this button you agree to our Privacy Policy statement

Want to try PVS‑Studio for free?