SonarQube 8.5 analyzing Java code with the SonarWay quality gate
The following code produces a false positive:
```java
import java.util.logging.Level;
import javax.faces.application.FacesMessage;
import javax.faces.context.FacesContext;

// Fragment of a JSF backing bean: lastName, logger, MAX_NUMBER_OF_ATTEMPTS,
// SYSTEM_UNAVAILABLE_EXCEPTION_0, MediaType, getFullOfferCode(), createPerson(),
// createCampaign() and the exception types are members of the surrounding class
// (not shown in the post).
public String findProspect() {
    String retVal = null;
    int attempts = 0;
    try {
        this.lastName = this.lastName.trim();
        final String fullOfferCode = getFullOfferCode(MediaType.DIRECT_MAIL);
        // get person from marketing database
        createPerson(fullOfferCode, MediaType.DIRECT_MAIL);
        // get campaign from marketing database
        createCampaign(fullOfferCode);
        retVal = "/term/quote.jsp?faces-redirect=true";
    } catch (final MalformedDataException ex) {
        logger.log(Level.INFO, "MalformedDataException: {0}", new Object[] {ex.getMessage()});
        attempts++;
    } catch (SystemUnavailableException | KBMSystemUnavailableException ex) {
        logger.log(Level.SEVERE, SYSTEM_UNAVAILABLE_EXCEPTION_0, new Object[] {ex.getMessage()});
        retVal = "/term/system-error.jsp?faces-redirect=true";
    } catch (final PersonNotFoundException ex) {
        logger.log(Level.INFO, ex.getMessage());
        attempts++;
    }
    // False Positive right here: attempts may have been incremented in a catch block above
    if (attempts > 0) {
        if (attempts < MAX_NUMBER_OF_ATTEMPTS) {
            final FacesMessage msg = new FacesMessage("Member Last Name or Personal Code not found. Please try again.");
            FacesContext.getCurrentInstance()
                .addMessage("Member Last Name or Personal Code not found. Please try again.", msg);
        } else {
            retVal = "/term/access-error.jsp?faces-redirect=true";
        }
    }
    return retVal;
}
```
(Yeah, it’s old crappy code that’s probably not used anymore.)
SQ does not seem to notice that `attempts` could be incremented in one or the other of the catch blocks. The exceptions could all be thrown by `createPerson()` and `createCampaign()`.
Fred Robinson