Java S2095 not detecting sql Connection or ResultSet


ken.har...@gmail.com

May 17, 2016, 5:22:16 PM
to SonarQube
First I would like to add my vote for a way to define custom methods to close resources. S3546 is not working out for me. We use DbUtil.close(ResultSet, PreparedStatement, Connection) to close db resources.

Second
S2095 in this code only sees the PreparedStatement as not closed. The Connection and ResultSet are not closed either. If I close the PreparedStatement, then S2095 still does not see the Connection or ResultSet as not closed.

--- sonar-maven-plugin:3.0.2:sonar (default-cli) 

SonarQube version: 5.5


private String testingsonar()
{
    Connection con = null;
    PreparedStatement ps = null;
    ResultSet res = null;

    String sql = "SELECT stuff from groups where id=?";

    String mb = null;
    try {
        // Connection comes from a project helper, not from DriverManager directly
        con = DbUtil.getInstance().getDefaultConnection();

        ps = con.prepareStatement(sql);
        ps.setLong(1, 3211);

        res = ps.executeQuery();

        if (res.next()) {
            mb = res.getString(1);
        }

    } catch (Exception e) {
        LOGGER.error(e.getMessage(), e);
    }
    // Note: con, ps and res are never closed on any path; this is the leak the report is about.

    return mb;
}
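For comparison, here is the same lookup rewritten with try-with-resources so that all three JDBC resources are closed on every path and S2095 can track them without any custom close-method configuration. This is an added example, not code from the poster or from SonarSource; it assumes the poster's DbUtil.getInstance().getDefaultConnection() helper and an SLF4J logger.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class GroupDao {
    // Assumption: SLF4J; the original post only shows a LOGGER field of unknown type.
    private static final Logger LOGGER = LoggerFactory.getLogger(GroupDao.class);

    // Same query as the post. Resources declared in a try header are closed by the
    // JVM in reverse declaration order (ResultSet, then PreparedStatement, then
    // Connection) whether the block exits normally or by exception, which is the
    // pattern S2095 recognises without needing to know about DbUtil.close(...).
    String lookupStuff(long id) {
        String sql = "SELECT stuff from groups where id=?";
        String mb = null;
        // Assumption: DbUtil is the poster's own helper class.
        try (Connection con = DbUtil.getInstance().getDefaultConnection();
             PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setLong(1, id);
            // The ResultSet gets its own try block because it can only be created
            // after the parameter has been bound.
            try (ResultSet res = ps.executeQuery()) {
                if (res.next()) {
                    mb = res.getString(1);
                }
            }
        } catch (SQLException e) {
            // Catching SQLException rather than Exception keeps programming errors visible.
            LOGGER.error(e.getMessage(), e);
        }
        return mb;
    }
}
```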


Nicolas Peru

May 18, 2016, 11:35:59 AM
to ken.har...@gmail.com, SonarQube
Hi, 

So in your case, the suggested approximation with the "close" methods detection would work. One thing to understand is that if we introduce this configuration feature it will be very hard (not to say impossible) to remove, and we definitely don't want to cover this case by this means: implementing a workaround of a current limitation as a feature is a really bad move from a maintenance point of view.


For your issue, can you check which version of the Sonar Java plugin you are using?
Could you specify a bit more precisely where the issues are reported exactly?

Thanks



--
Nicolas PERU | SonarSource
Senior Developer
http://sonarsource.com

Ken Hargreaves

May 18, 2016, 12:23:26 PM
to SonarQube, ken.har...@gmail.com
Yes, if a newer version of the rule scanner can understand custom close methods automagically then that is absolutely the better solution. I agree with what you have been saying about adding configuration not always being the best choice. If we are a year away from that new version, that is another story.

In my example the line

ps = con.prepareStatement(sql);

is marked with the 'Close this "PreparedStatement".' error. No other errors are listed. SonarLint also flags that line.

Not sure how to find the version of the scanner; can you point me to where to find it?
All I have is:

--- sonar-maven-plugin:3.0.2:sonar (default-cli) 

SonarQube version: 5.5

Java language plugin 3.13.1 installed

Nicolas Peru

May 20, 2016, 3:47:07 AM
to Ken Hargreaves, SonarQube
OK, so for the first problem: https://jira.sonarsource.com/browse/SONARJAVA-1670

Then there are two issues: we are not correctly checking the type hierarchy for PreparedStatements: https://jira.sonarsource.com/browse/SONARJAVA-1692

And finally, the problem is most probably that for some reason the method creating the connection is not resolved, and so we don't detect the opening of the connection.
Do you provide all the required bytecode to the analysis so that the method returning the connection can be properly resolved? (If you analyze with Maven, that should be the case.)

Cheers, 



Ken Hargreaves

May 21, 2016, 4:25:43 PM
to SonarQube, ken.har...@gmail.com
I have been finding these with SonarLint (IntelliJ), confirming/publishing with the mvn sonar:sonar build command line.