getInputStream no warning when not closed (S2095)

The rule for java called “Resources should be closed” does not warn when you don’t close a stream returned by a function.
A good example of this is spring-web’s MultipartFile.getInputStream() which states “The user is responsible for closing the returned stream.” in its documentation, yet sonar does not warn when it isn’t closed.

Hello @Jeppz,

Welcome to the community, and thanks for the feedback.

Correct, “Resources should be closed” (S2095) does not warn when you don’t close a stream returned by a function. In fact, sometimes, you are responsible to close it, but not always, think about the case where another mechanism is taking care of closing it, you don’t want to be warned each time. And even worse, sometimes, you should not close it, as the provider could continue to consume it later.
All in all, this is the expected behavior to avoid false positives, as we can not easily know from a static point of view if you are responsible of closing the stream or not.

An idea to improve the rule without downside could be to add a list of well-known methods returning a stream that you are responsible to close.
For now, one method is not worth the effort, if we manage to gather an interesting list, I would be happy to create a ticket.

Best,
Quentin