squid:S2695 "PreparedStatement" with valid indices - Is this a False-Positive?


(Steve) #1

Hello SonarQube Community,

One of my scans returned an issue indicating the PreparedStatement isn’t using a valid parameter (S2695). However, it is using ‘1’ below in the setLong( 1, routeId ); function.

It seems like it is a false-positive, but I was under the impression that it was fixed previously. https://jira.sonarsource.com/browse/SONARJAVA-2036

I’m using SonarJava 5.7 and SonarQube 6.7.5.

Any insight into this issue is appreciated.

Thanks!

Steve

	try
	{
		String sql = "delete from " + MY_FILTER_RESULT + " where " + MY_FILTER_RESULT_ROUTE_ID + " = :routeId ";
		LogUtil.trace( LOG, "Benchmark Query #32: sql = " + sql );
		conn = JUtil.obtainCurrentDatabaseConnection( entityManager );
		stmt = conn.prepareStatement( sql );
		stmt.setLong( 1, routeId );
		JUtil.setStatementTimeout( stmt, QueryTimeout.getRemoveRouteFromQuery() );
		numberOfRowsDeleted = stmt.executeUpdate();
	}
	catch ( SQLException e )
	{
		throw new RuntimeException( e.getMessage() );
	}
	finally
	{
		JUtil.closeStatement( stmt );
		JUtil.releaseCurrentDatabaseConnection( conn );
	}
	return numberOfRowsDeleted;
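Editor's note, with an added example that is not part of the original post or of SonarJava: `java.sql.PreparedStatement` only understands positional `?` placeholders. The `:routeId` token in the query above is a named-parameter syntax from layers such as JPA or Spring's `NamedParameterJdbcTemplate`; the JDBC driver receives it as literal SQL text, so the query contains zero placeholders and `setLong( 1, ... )` refers to a parameter that does not exist. That is the condition S2695 reports: it counts the `?` markers in the query string and checks every `setXxx( index, ... )` against that count. The Python below reimplements that check (my own simplified version, not the rule's code) and runs it over the post's query, the positional `?` form a JDBC statement needs, and a query whose `?` sits inside a string literal and so must not be counted. The table and column names are constructed stand-ins for the `MY_FILTER_RESULT*` constants.

```python
"""Why S2695 fires on a query written with ':routeId' instead of '?'.

java.sql.PreparedStatement binds parameters by position to '?' markers;
':name' is not a JDBC placeholder and reaches the driver as literal text.
This mirrors the placeholder count the Sonar rule performs: count the
'?' markers outside single-quoted SQL string literals, then check every
setXxx(index, ...) index against that count (JDBC indices are 1-based).
"""

# Constructed stand-ins for the constants used in the forum post's code.
MY_FILTER_RESULT = "my_filter_result"
MY_FILTER_RESULT_ROUTE_ID = "route_id"


def count_jdbc_placeholders(sql: str) -> int:
    """Count '?' markers that are real JDBC parameters (not inside '...')."""
    count = 0
    in_literal = False
    i = 0
    while i < len(sql):
        ch = sql[i]
        if in_literal:
            if ch == "'":
                # '' inside a literal is an escaped quote, not the end of it
                if i + 1 < len(sql) and sql[i + 1] == "'":
                    i += 1
                else:
                    in_literal = False
        elif ch == "'":
            in_literal = True
        elif ch == "?":
            count += 1
        i += 1
    return count


def invalid_parameter_indices(sql: str, indices: list[int]) -> list[int]:
    """Return the set*(index, ...) indices an S2695-style check rejects.

    A valid JDBC index i satisfies 1 <= i <= number of '?' placeholders.
    """
    count = count_jdbc_placeholders(sql)
    return [i for i in indices if i < 1 or i > count]


# The query exactly as built in the post: named parameter, no '?' at all.
NAMED_SQL = (
    "delete from " + MY_FILTER_RESULT + " where "
    + MY_FILTER_RESULT_ROUTE_ID + " = :routeId "
)

# The positional form java.sql.PreparedStatement actually expects.
POSITIONAL_SQL = (
    "delete from " + MY_FILTER_RESULT + " where "
    + MY_FILTER_RESULT_ROUTE_ID + " = ? "
)

# A '?' inside a string literal is data, not a parameter, and is not counted.
LITERAL_SQL = "select * from t where note = 'why?' and id = ?"


def demo() -> dict[str, list[int]]:
    """Run the check over the three queries, each bound with setLong(1, ...)."""
    return {
        "named": invalid_parameter_indices(NAMED_SQL, [1]),
        "positional": invalid_parameter_indices(POSITIONAL_SQL, [1]),
        "literal": invalid_parameter_indices(LITERAL_SQL, [1]),
    }


if __name__ == "__main__":
    for name, bad in demo().items():
        verdict = "S2695 would fire on index" if bad else "indices OK"
        print(f"{name:>10}: {verdict} {bad}")
```

Running it reports the post's query as having no placeholders, so index 1 is out of range, while the same query with `= ?` passes. The practical consequence is that this is not only a static-analysis finding: with a plain JDBC driver the `setLong` call on the named-parameter query fails at runtime because there is no parameter 1 to bind, so the fix is to switch the placeholder to `?` (or to use an API that actually supports named parameters) rather than to suppress the rule.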