Can someone let me know if this was a false positive that was fixed recently?
This was a false positive on this code snippet as of Version 6.7.5 (build 38563).
This class below triggers sonar on S1989.
package sonar.example;

import java.io.IOException;
import java.io.OutputStream;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.databind.ObjectMapper;

/**
 * Servlet implementation class S1989
 */
@WebServlet("/S1989")
public class S1989 extends HttpServlet {
    private static final long serialVersionUID = 1L;

    /**
     * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
     */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        OutputStream out;
        ObjectMapper mapper = new ObjectMapper();
        DateFormat df = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss a z");
        mapper.setDateFormat(df);
        try {
            out = response.getOutputStream();
            if (System.currentTimeMillis() < 0) {
                throw new FileUploadException();
            }
            response.addHeader("Content-Type", "application/json");
            String jsonResponse = mapper.writeValueAsString("{\"hi\": true}");
            response.addHeader("Content-Length", String.valueOf(jsonResponse.length()));
            out.write(jsonResponse.getBytes());
            out.close();
        } catch (IOException | FileUploadException ex) {
            try {
                out = response.getOutputStream();
                response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                out.write(mapper.writeValueAsString("{\"hi\": true}").getBytes());
                out.close();
            } catch (IOException ioe) {
                out = response.getOutputStream();
                response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                out.write("bad".getBytes());
                out.close();
            }
        }
    }
}
SonarQube reports S1989 on

    String jsonResponse = mapper.writeValueAsString("{\"hi\": true}");

and

    out.write(jsonResponse.getBytes());

and

    out.close();

However, SonarLint for Eclipse 4.1.0.201901311043 does not show this issue.
I do not have access to any newer SonarQube instances to test on.