[java:s2095] - Potential leak not detected?

SonarQube Server / Community Build
1

Must-share information (formatted with Markdown):

  • version: SonarQube 10.4.1
  • errors: in the code below, all 5 methods create a java.sql.Connection which is never closed.
    I would expect all cases to detect java:s2095, however, only 3 do.
public class JavaS2095 {
	DataSource dataSource;

	public void detected() throws SQLException {
		Connection c = dataSource.getConnection();
		c.prepareStatement("");
	}
	public void notDetectedIfConnectionPassedToMethod() throws SQLException {
		Connection c = dataSource.getConnection();
		doStuff(c);
	}

	public void detectedIfDummyStatementPrepared() throws SQLException {
		Connection c = dataSource.getConnection();
		c.prepareStatement("");
		doStuff(c);
	}

	public void detectedIfTryCatch() throws SQLException {
		Connection c = dataSource.getConnection();
		try {
			c.prepareStatement("");
			doStuff(c);
		} catch (SQLException e) {
			// NoOp
		}
	}

	public void notDetectedIfRethrown() throws SQLException {
		Connection c = dataSource.getConnection();
		try {
			c.prepareStatement("");
			doStuff(c);
		} catch (SQLException e) {
			throw new IllegalStateException();
		}
	}

	private void doStuff(Connection c) throws SQLException {
		c.prepareStatement("");
	}
}

Is there a reason why Sonar does not detect the issue with method #2 and 5?
Or else, any chance this could be fixed? Sonar does do a lot of useful and complex checks and I was surprised by these 2 misses.

4

Hello @f-delahaye, welcome to the Sonar Community.

Thank you for reporting the missing cases, I’ve added them to the existing issue: [SONARJAVA-4891] - Jira.

The rule is implemented using the Symbolic Execution engine, which is not actively maintained; an announcement about it should be made in the next few months.

Cheers

7

OK, many thanks