S1989 false positive on SonarQube 6.7.5

Can someone let me know if this was a false positive that was fixed recently?

This was a false positive on this code snippet as of Version 6.7.5 (build 38563).

This class below triggers sonar on S1989.

package sonar.example;

import java.io.IOException;
import java.io.OutputStream;
import java.text.DateFormat;
import java.text.SimpleDateFormat;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.fasterxml.jackson.databind.ObjectMapper;

/**
 * Servlet implementation class S1989
 */
@WebServlet("/S1989")
public class S1989 extends HttpServlet {
	private static final long serialVersionUID = 1L;
    

	/**
	 * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
	 */
	@Override
	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
		OutputStream out;
		ObjectMapper mapper = new ObjectMapper();
		DateFormat df = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss a z");
		mapper.setDateFormat(df);

		try {

			out = response.getOutputStream();
			
			if (System.currentTimeMillis() < 0) {
				throw new FileUploadException();
			}
			
			response.addHeader("Content-Type", "application/json");
			String jsonResponse = mapper.writeValueAsString("{\"hi\": true}");
			response.addHeader("Content-Length", String.valueOf(jsonResponse.length()));			
			out.write(jsonResponse.getBytes());	
			out.close();
		} catch (IOException | FileUploadException ex) {
			try {
				out = response.getOutputStream();
				response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
				out.write(mapper.writeValueAsString("{\"hi\": true}").getBytes());	
				out.close();
			} catch (IOException ioe) {
				out = response.getOutputStream();
				response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
				out.write("bad".getBytes());	
				out.close();
			}
		}
	}
}

SonarQube reports S1989 on

String jsonResponse = mapper.writeValueAsString("{\"hi\": true}");
and
out.write(jsonResponse.getBytes());
and
out.close();

However, SonarLint for Eclipse 4.1.0.201901311043 does not show this issue.

I do not have access to any newer SonarQube instances to test on.

Hello @ndeepizza,

You have plenty of ways to do this kind of test: you can use SonarJava unit tests, run a local SonarQube and analyse your sample code, or even use SonarCloud!

I tested your sample code against S1989, and only line 51

out.write(mapper.writeValueAsString("{\"hi\": true}").getBytes());

raises an issue:

“Handle the following exception that could be thrown by “writeValueAsString”:JsonProcessingException.”

At this point, if you think the rule is reporting FP, can you give us more details, and eventually a simple reproducer?

Best,
Quentin

Hi Quentin. Sorry for my long delay, I was on another project for several months.

From your comments, sounds like the latest version of SonarQube has this fixed.

No problem with the delay, we all have various topics to focus on!

Concerning the original message, a lot has happened since you first reported this problem. I invite you to retest everything with up-to-date versions and, if you still face it, come back to us with more details and a simple reproducer.