Description
When the query used for the prepared statement is declared in another file, the rule fails with an NPE. Root cause: PreparedStatementAndResultSetCheck, line 123. Getting the declaration of a symbol that lives outside the file currently being analyzed returns null, and that return value is not checked before use.
Reproducer:
ExtendedClass.java

    package sonar.testcase;

    import java.sql.Connection;
    import java.sql.PreparedStatement;

    public class ExtendedClass extends BaseClass {

        protected void prepareReport(Connection connection) throws Exception {
            try {
                // SQL_QUERY_BASE is inherited from BaseClass, i.e. declared in another file
                String sql = SQL_QUERY_BASE;
                PreparedStatement pstmt = connection.prepareStatement(sql);
                pstmt.setString(1, "smth");
            } catch (Exception e) {
            }
        }
    }

BaseClass.java

    package sonar.testcase;

    public class BaseClass {
        // Declaration can not be retrieved when analyzing ExtendedClass.java
        public static final String SQL_QUERY_BASE = "select * from MYTABLE where customerId = ?";
    }
Original thread on the SonarQube Google group: https://groups.google.com/d/msgid/sonarqube/1cf433a1-fd19-454e-93f4-9de1cb32815b%40googlegroups.com
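The defensive shape the description calls for, as an added illustration that is not the SonarJava plugin's own code nor a patch for the check named above: a helper that follows a `prepareStatement` argument back to its string literal and stops with null whenever the declaration cannot be reached from the current compilation unit. It assumes the SonarJava semantic API types `Symbol`, `IdentifierTree`, `LiteralTree`, `VariableTree` and `Tree.Kind` as they are commonly used; the class and method names here (`QueryStringResolver`, `resolveQueryLiteral`) are hypothetical.

```java
// Added illustration, not SonarJava's own code. The org.sonar.plugins.java.api
// types below are assumed to behave as documented: Symbol#declaration() returns
// null when the symbol is declared outside the file being analyzed.
import javax.annotation.Nullable;
import org.sonar.plugins.java.api.semantic.Symbol;
import org.sonar.plugins.java.api.tree.ExpressionTree;
import org.sonar.plugins.java.api.tree.IdentifierTree;
import org.sonar.plugins.java.api.tree.LiteralTree;
import org.sonar.plugins.java.api.tree.Tree;
import org.sonar.plugins.java.api.tree.VariableTree;

final class QueryStringResolver {

    private QueryStringResolver() {
    }

    /**
     * Returns the literal SQL text behind {@code sqlArg}, or null when it cannot be
     * determined from the file under analysis (for example a constant such as
     * SQL_QUERY_BASE declared in BaseClass.java while ExtendedClass.java is analyzed).
     * A null result must make the caller skip the check rather than raise an issue.
     */
    @Nullable
    static String resolveQueryLiteral(ExpressionTree sqlArg) {
        if (sqlArg.is(Tree.Kind.STRING_LITERAL)) {
            return ((LiteralTree) sqlArg).value();
        }
        if (sqlArg.is(Tree.Kind.IDENTIFIER)) {
            Symbol symbol = ((IdentifierTree) sqlArg).symbol();
            if (!symbol.isVariableSymbol()) {
                return null;
            }
            // declaration() is null for symbols declared in another compilation unit;
            // dereferencing it without this guard is the NPE described in the report.
            Tree declaration = symbol.declaration();
            if (declaration == null) {
                return null;
            }
            ExpressionTree initializer = ((VariableTree) declaration).initializer();
            if (initializer == null) {
                return null;
            }
            // Follow local aliases such as "String sql = SQL_QUERY_BASE;" one step further.
            return resolveQueryLiteral(initializer);
        }
        return null;
    }
}
```

On the reproducer, `sql` resolves to the identifier `SQL_QUERY_BASE`, whose declaration is unavailable while ExtendedClass.java is analyzed, so the helper returns null and the check has nothing to count placeholders against; the same null-check protects every other cross-file constant, not only inherited ones.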
Issue Links
- is depended upon by: SONARJAVA-1270 Rule S3318: Untrusted data should not be stored in sessions (Closed)
- relates to: RSPEC-2695 "PreparedStatement" and "ResultSet" methods should be called with valid indices (Active)
- is related to: SUPPORT-1258