FP when prepared statement is indirectly initialized

  • SonarQube Developer Edition, Version 7.9.3 (build 33349)
private final String sqlCount = "NAME_OF_SQL";
// ... (conn and baseRequest are declared in the elided part)
PreparedStatement stmt = null;
try {
  conn = getConnection();
  // the SQL text is loaded from a resource file by key, not written as a string literal
  baseRequest = getSqlByRessourceId(sqlCount);
  stmt = conn.prepareStatement(baseRequest);
  stmt.setInt(1, delai); // issue here
  // ...

At this last line, we get this rule: "PreparedStatement" and "ResultSet" methods should be called with valid indices.
The rule is looking for a parameter but can’t find it because the SQL is loaded from a file.

It seems similar to SONARJAVA-2036, but I still get the issue.

Kind regards,
Michaël
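To make the false positive concrete, here is a small added illustration (not SonarJava's code, and not part of this thread) of how a "valid indices" check of this kind reasons: it counts the `?` placeholders in the SQL text and flags any `setX(index, ...)` call whose index falls outside `1..n`. The function names, the regex and the sample inputs are assumptions made for the example; the point it demonstrates is that when the SQL text is not a literal known at analysis time (here modelled as `sql=None`, as when it is loaded from a resource file), the checker has no placeholder count to compare against and should report nothing.

```python
import re
from typing import List, Optional, Tuple

def count_placeholders(sql: str) -> int:
    """Count JDBC '?' positional parameters in a SQL string.

    A '?' inside a single-quoted literal is data, not a parameter, so it is skipped;
    a doubled quote ('') inside a literal is an escaped quote, not the end of it.
    """
    count = 0
    in_literal = False
    i = 0
    while i < len(sql):
        ch = sql[i]
        if in_literal:
            if ch == "'":
                if i + 1 < len(sql) and sql[i + 1] == "'":
                    i += 1          # escaped quote, stay inside the literal
                else:
                    in_literal = False
        elif ch == "'":
            in_literal = True
        elif ch == "?":
            count += 1
        i += 1
    return count

# Matches calls such as stmt.setInt(1, x) or stmt.setString(2, name) and captures the index.
# (assumption: indices are written as integer literals, as in the thread's snippet)
SETTER_RE = re.compile(r"\.set[A-Z]\w*\(\s*(\d+)\s*,")

def check_setters(sql: Optional[str], java_snippet: str) -> List[Tuple[int, int]]:
    """Return (index, placeholder_count) for every setter index outside 1..n.

    When the SQL text is unknown to the analysis (sql is None), there is nothing to
    compare the index against, so no finding is raised: that is the behaviour the
    thread expects for SQL loaded from a file.
    """
    if sql is None:
        return []
    n = count_placeholders(sql)
    findings = []
    for m in SETTER_RE.finditer(java_snippet):
        idx = int(m.group(1))
        if idx < 1 or idx > n:
            findings.append((idx, n))
    return findings

if __name__ == "__main__":
    # constructed sample: a literal query with one real parameter and a '?' inside a string
    literal_sql = "SELECT * FROM jobs WHERE delai > ? AND label = 'why?'"
    snippet = "stmt.setInt(1, delai);\nstmt.setString(2, label);"
    print(check_setters(literal_sql, snippet))   # index 2 is out of range for 1 placeholder
    print(check_setters(None, snippet))          # SQL loaded from a file: nothing to report
```

Because the check can only be as good as its knowledge of the SQL text, a rule of this kind must stay silent (rather than guess) when the query is assembled or loaded at run time; that is exactly the situation in the snippet above, where `getSqlByRessourceId` returns the text by key.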

Hello
Do you need any more information to take into account what seems to be a false positive?

Hello @Deuskull,

I know it’s a late reaction, but as we say, better late than never.

I’m afraid your post did not get a lot of attention probably because it seems to me that it is working fine both on SonarQube Version 7.9.3 and in the latest version 8.6.
I tried with this sample code inspired by yours:

  import java.sql.Connection;
  import java.sql.PreparedStatement;

  class Sample {
    private final String sqlCount = "NAME_OF_SQL";

    void f(Connection connection) {
      PreparedStatement stmt = null;
      String baseRequest = null;
      try {
        // SQL text comes from a method call, not from a string literal
        baseRequest = getSqlByRessourceId(sqlCount);
        stmt = connection.prepareStatement(baseRequest);
        stmt.setInt(1, 123); // No issue!!!
      } catch (Exception e) {
        // ignored in this sample
      }
    }

    String getSqlByRessourceId(String s) {
      return s + "something";
    }
  }

If you still face a similar issue in the latest version, feel free to get back to us with additional information you may have gathered in between.

Best,
Quentin
