"未发布的资源:数据库"加强问题

Time: 2014-07-17 09:21:28

Tags: java fortify

I scanned my project with the Fortify tool, and in the generated Fortify report I get an Unreleased Resource: Database issue in the following method.

public String handleInput( HttpServletRequest request, HtmlGenerator htmlGenObj ) {

    HashMap old_child_list  = new HashMap();
    HashMap old_parent_list = new HashMap();
    HashMap new_child_list  = new HashMap();
    HashMap new_parent_list = new HashMap();

    logger.debug( "Start of handle Input" );
    String dataSource     = request.getParameter( "datasource" ) == null ? "" : request.getParameter( "datasource" );
    String sortBy         = request.getParameter( "sortby" ) == null ? "" : request.getParameter( "sortby" );
    long sqlConsStartTime = System.currentTimeMillis();
    //
    // Get the sql query based on data source
    //
    String sqlQuery       = this.getSql( dataSource, request );

    // If any error then return
    if( sqlQuery.startsWith( "ERROR" ) ) {
        return sqlQuery;
    }

    if( sortBy.trim().length() > 0 ) {
        logger.debug( "Sort by value = " + sortBy );
        int orderByIndex = sqlQuery.indexOf( "order by" );

        // If order by already exists then remove that value.
        if( orderByIndex > 0 ) {
            sqlQuery = sqlQuery.substring( 0, orderByIndex );
        }

        sqlQuery = sqlQuery + " order by " + sortBy;
    }

    plog.debug( getUniqueId( request ) + "SQL Construction Time = " + ( ( System.currentTimeMillis()- sqlConsStartTime )/1000.0 ) );

    logger.info( "Final SQL = " + sqlQuery );

    String results  = "NONE";
    Connection conn = null;

    try {
        Context initCtx = new InitialContext();
        Context envCtx  = ( Context ) initCtx.lookup( "java:comp/env" );
        // Look up for the data source
        DataSource ds   = ( DataSource ) envCtx.lookup( "NavigatorCon" );
        conn            = ds.getConnection();
        htmlGenObj.setSql( sqlQuery );

        if( dataSource.equals( "compass" ) ) {
            results          = doCompassSearch( sqlQuery, conn, request, old_parent_list, old_child_list );
            String matchType = request.getParameter( "coname_st" ) == null ? "" : request.getParameter( "coname_st" );

            if( "fuzzy".equals( matchType ) ) {

                long rollupSqlConsStartTime = System.currentTimeMillis();

                String rollupSql = build_rollup_sql( conn, old_parent_list, old_child_list, new_parent_list, new_child_list );   //System.out.println( "Rollup SQL: " + rollupSql );

                plog.debug(getUniqueId(request)+"Rollup SQL Construction Time = "+ ((System.currentTimeMillis()- rollupSqlConsStartTime)/1000.0) );

                if( rollupSql.length() > 0 ) {
                    String rollupResult = doCompassSearch( rollupSql, conn, request, old_parent_list, old_child_list );
                    results             = results + rollupResult;
                    // Build the new sql which returns both parent and child records.This is used in Excel download
                    sqlQuery            = sqlQuery + " UNION " + rollupSql;
                }  //System.out.println( "Navigator Query is: \n" + sqlQuery + "\n" );

                htmlGenObj.setSql( sqlQuery );
            }
        }

        else if( dataSource.equals( "psar" ) ) {
            results = getAMSearchResults( sqlQuery, conn, request, htmlGenObj );
        }

        else if( dataSource.equals( "knac" ) ) {
            results = do_knac_search( sqlQuery, conn, request );
        }

        else if( dataSource.equals( "auth_user" ) ) {
            results = do_auth_user_search( sqlQuery, conn, request );
        }

        else if( "docstore".equalsIgnoreCase( dataSource ) ) {
            results = this.doDocStoreSearch( sqlQuery, conn, request );
        }

    }

    catch( Exception sqle ) {
        logger.fatal( "Error : " + sqle.toString(), sqle );
    }

    finally {
        try {

            conn.close();
        }

        catch( Exception e ) {
            // giveup
        }
    }

    old_child_list.clear();
    old_parent_list.clear();
    new_child_list.clear();
    new_parent_list.clear();

    logger.debug( "End of handle Input");
    return results;
}

As far as I know, this issue is reported when the connection is not closed properly, but here the connection is closed inside the finally block.

Can anyone suggest how I can fix it?

3 answers:

Answer 0 (score: 1)

A NullPointerException might be thrown, so perhaps change the second Exception to Throwable, since NullPointerException is derived from the checked Exception class. Maybe the code analysis has a problem here.

Then, since Java 7, you can use try-with-resources to close things automatically:

try (Connection con = getDbConnection()) {
    // use con here; con.close() runs automatically, even if an exception is thrown
}

No finally. Also works for PreparedStatement and ResultSet.

As for the quality you mentioned: using SQLException e or something like SQLException | NullPointerException e is considered better style.

Answer 1 (score: 0)

You are not closing ResultSet rs and PreparedStatement ps. Maybe that is the problem.
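The two answers above point at two different gaps in the posted handleInput(): conn can still be null in the finally block if ds.getConnection() throws, so the swallowed NullPointerException hides a path the analyzer cannot prove closes anything, and the PreparedStatement/ResultSet created inside the search helpers are not visible as closed at all. The example below is added here and is not code from the question or from either answer; the search helpers (doCompassSearch and friends) are not on the page, so a small row-counting query stands in for them, and the JNDI name is assumed. It shows the try-with-resources form that closes Connection, PreparedStatement and ResultSet in reverse order on every exit path, and, for code that cannot be converted yet, the explicit-finally form with a null-guarded close per resource.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

public class ResourceHandling {

    // Java 7+: every JDBC resource is declared in the try header. They are closed in
    // reverse order when the block exits, whether normally or by exception, so there
    // is no finally block, no null check, and no unclosed path for Fortify to report.
    public static int countRows(DataSource ds, String sql) throws SQLException {
        try (Connection conn = ds.getConnection();
             PreparedStatement ps = conn.prepareStatement(sql);
             ResultSet rs = ps.executeQuery()) {
            int n = 0;
            while (rs.next()) {
                n++;
            }
            return n;
        }
    }

    // The same thing with an explicit finally, for code that cannot be converted yet.
    // Each resource is closed in its own null-guarded step, so an exception thrown
    // before conn/ps/rs is assigned (the situation Answer 0 describes) cannot turn
    // into a NullPointerException in finally, and a failure closing rs cannot skip
    // closing ps and conn.
    public static int countRowsExplicitFinally(DataSource ds, String sql) throws SQLException {
        Connection conn = null;
        PreparedStatement ps = null;
        ResultSet rs = null;
        try {
            conn = ds.getConnection();
            ps = conn.prepareStatement(sql);
            rs = ps.executeQuery();
            int n = 0;
            while (rs.next()) {
                n++;
            }
            return n;
        } finally {
            closeQuietly(rs);
            closeQuietly(ps);
            closeQuietly(conn);
        }
    }

    // AutoCloseable itself is Java 7; on Java 6 you would need one overload each for
    // ResultSet, Statement and Connection with the same body.
    private static void closeQuietly(AutoCloseable c) {
        if (c == null) {
            return;
        }
        try {
            c.close();
        } catch (Exception e) {
            // Log and continue: a failed close of one resource must not skip the others.
        }
    }

    // Container-managed pool lookup, as the original does. The JNDI name is assumed.
    public static DataSource lookup(String jndiName) throws NamingException {
        Context envCtx = (Context) new InitialContext().lookup("java:comp/env");
        return (DataSource) envCtx.lookup(jndiName);
    }

    public static void main(String[] args) throws Exception {
        DataSource ds = lookup("NavigatorCon");  // assumed JNDI name, as in the question
        System.out.println(countRows(ds, "SELECT 1 FROM DUAL"));
    }
}
```

Closing the Connection alone is not enough for the scanner's purposes: the Statement and ResultSet opened on it are separate resources, and whether the driver closes them when the Connection is returned to the pool is driver-specific, which is exactly why the analyzer wants each one closed explicitly.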

Answer 2 (score: 0)

Regarding Fortify and security, I would be more concerned about your SQL injection...

 String sortBy         = request.getParameter...

[...]
        sqlQuery = sqlQuery + " order by " + sortBy;

In general, Fortify can produce a lot of false positives.
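The sortby parameter in the question is appended to the query verbatim, and an ORDER BY clause cannot be bound as a JDBC parameter, so the only safe shape is an allow-list: the request names a sort key, the code maps that key to a column literal it owns, and nothing from the request ever reaches the SQL string. The example below is added here and is not code from the question or the answer; the sort keys and column names are assumed, as are the hostile inputs, which are constructed for the demonstration.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;

public class SafeOrderBy {

    // Allow-list of sort keys the request may name, each mapped to the column
    // expression that actually goes into the SQL. Keys and columns are assumed here;
    // in a real application they come from the data-source schema.
    private static final Map<String, String> SORT_COLUMNS;
    static {
        Map<String, String> m = new HashMap<>();
        m.put("name", "company_name");
        m.put("date", "created_on");
        m.put("id", "company_id");
        SORT_COLUMNS = Collections.unmodifiableMap(m);
    }

    private static final Pattern DIRECTION = Pattern.compile("(?i)asc|desc");

    // Returns the query with a validated ORDER BY clause appended, or throws if the
    // requested sort key or direction is not on the allow-list. Only the allow-listed
    // literals are concatenated; the request text itself never is.
    public static String withOrderBy(String sqlQuery, String sortBy) {
        if (sortBy == null || sortBy.trim().isEmpty()) {
            return sqlQuery;
        }
        String[] parts = sortBy.trim().split("\\s+");
        if (parts.length > 2) {
            throw new IllegalArgumentException("invalid sort specification");
        }
        String column = SORT_COLUMNS.get(parts[0].toLowerCase(Locale.ROOT));
        if (column == null) {
            throw new IllegalArgumentException("unknown sort key");
        }
        String direction = "ASC";
        if (parts.length == 2) {
            if (!DIRECTION.matcher(parts[1]).matches()) {
                throw new IllegalArgumentException("invalid sort direction");
            }
            direction = parts[1].toUpperCase(Locale.ROOT);
        }
        // Replace an existing ORDER BY case-insensitively. The original only matched a
        // lowercase "order by" with indexOf, so "ORDER BY" would have been doubled.
        String base = sqlQuery.replaceFirst("(?i)\\s+order\\s+by\\s+.*$", "");
        return base + " ORDER BY " + column + " " + direction;
    }

    public static void main(String[] args) {
        String base = "SELECT company_id, company_name FROM companies WHERE region = ?";

        // Legitimate request: sort key and direction both on the allow-list.
        System.out.println(withOrderBy(base, "name desc"));

        // An existing ORDER BY is replaced rather than doubled.
        System.out.println(withOrderBy(base + " order by company_id", "date"));

        // Constructed hostile inputs: each is rejected before any SQL is built.
        String[] hostile = {
            "company_name; DROP TABLE companies",
            "(SELECT CASE WHEN (1=1) THEN 1 ELSE 1/0 END)",
            "1 -- "
        };
        for (String s : hostile) {
            try {
                withOrderBy(base, s);
                System.out.println("ACCEPTED (bug): " + s);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Rejecting unknown keys outright, rather than trying to escape or strip characters, is the point: a blocklist of quotes and semicolons would still let through the boolean and time-based expressions an attacker can put in an ORDER BY, while the allow-list bounds the output to a handful of strings the application wrote itself.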
