Try-with-resources does not match on several levels

Hello,
We are setting up sonar in our company and we are stuck on a specific rule for Java.
This rule is Use try-with-resources or close this “FileReader” in a “finally” clause.

In my first example, Sonarqube and Sonarlint show me a bug on “new FileReader(file)

sample 1 : Noncompliant
public void test(final File file) throws IOException {
	FileReader reader = new FileReader(file);
	char c = (char) reader.read();
	if (c == '"') {
		// do something
	}
	reader.close();
}

However in my second example, Sonarqube and Sonarlint doesn’t show me any error

sample 2 : Compliant
public void test(final File file) throws IOException {
	FileReader reader = new FileReader(file);
	subTest(reader);
}

public void subTest(final FileReader reader) throws IOException {
	char c = (char) reader.read();
	if (c == '"') {
		// do something
	}
	reader.close();
}

Is there something i’m actually missing ? Or, does it exist any other rule which corresponds to ressource closure on several levels ?

Thank you in advance for your answer.

Paul.

Hello,

this is known limitation of our symbolic execution engine. SonarJava can’t detect resource leak when it involves calling other methods, it will work only in the context of the single method.

We would like to be able to detect such cases eventually, but this is a complex problem and not something we will be able to deliver soon.

Note that, this limitation is only for certain rules. New taint analysis available in SonarQube 7.2. detects various security injections and works across full call graph.

Hello,
Thank you for your answer,
We will try the new rules in 7.2

Just to be clear, new engine in 7.2. will not solve your issue. So far only 6 “injection” rules benefit from it.