Potential database resource leak¶
ID: java/database-resource-leak
Kind: problem
Security severity:
Severity: warning
Precision: high
Tags:
- correctness
- resources
- external/cwe/cwe-404
- external/cwe/cwe-772
Query suites:
- java-security-and-quality.qls
A database resource in the java.sql package that is opened but not closed may cause a resource leak and ultimately resource exhaustion.
Recommendation¶
Ensure that the resource is always closed to avoid a resource leak. Note that, because of exceptions, it is safest to close a resource in a finally block.
For Java 7 or later, the recommended way to close resources that implement java.lang.AutoCloseable is to declare them within a try-with-resources statement, so that they are closed implicitly.
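The finally-block advice above is the pattern for code that cannot use try-with-resources. The following is an added example, not code from the CodeQL documentation or the CodeQL repository; it shows the nested-finally shape that keeps the guarantee the recommendation asks for. Each resource gets its own finally block, so a failure in executeQuery() still closes the Statement, and a failure in rs.close() still closes the Statement. The class and method names are illustrative.

```java
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class CloseSqlFinally {

    // Pre-Java-7 cleanup: resources are released in reverse order of
    // acquisition, each in its own finally block. The inner block owns rs,
    // the outer block owns stmt, so every exit path (normal return,
    // SQLException from executeQuery() or next(), or an exception thrown
    // by rs.close() itself) still reaches stmt.close().
    public static int countRows(Connection con, String query) throws SQLException {
        int rows = 0;
        Statement stmt = con.createStatement();
        try {
            ResultSet rs = stmt.executeQuery(query);
            try {
                while (rs.next()) {
                    rows++;
                }
            } finally {
                rs.close();
            }
        } finally {
            stmt.close();
        }
        return rows;
    }
}
```

One caveat with the finally form: if the body throws and close() then throws as well, the exception from close() replaces the original one. try-with-resources does not have this problem, because it attaches the close() exception to the original via Throwable.addSuppressed, which is one more reason to prefer it on Java 7 and later.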
Example¶
In the following example, the resources stmt and rs are opened but not closed.
```java
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class CloseSql {
    public static void runQuery(Connection con, String query) throws SQLException {
        // Both stmt and rs are left open on every exit path; the leak is
        // what the query reports.
        Statement stmt = con.createStatement();
        ResultSet rs = stmt.executeQuery(query);
        while (rs.next()) {
            // process result set
        }
    }
}
```
In the following example, the resources stmt and rs are declared within a try-with-resources block and are thus closed implicitly.
```java
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class CloseSqlGood {
    public static void runQuery(Connection con, String query) throws SQLException {
        // Resources are closed automatically in reverse order of declaration
        // (rs first, then stmt), whether the body completes or throws.
        try (Statement stmt = con.createStatement();
             ResultSet rs = stmt.executeQuery(query)) {
            while (rs.next()) {
                // process result set
            }
        }
    }
}
```
Note that the Connection that is passed into the method is a long-lived object that was created elsewhere and therefore need not be closed locally. It should instead be closed by the code that created it or by a server shutdown procedure, as appropriate.
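The ownership rule cuts the other way when a method obtains its own Connection: then the Connection is a local resource like the Statement and ResultSet, and it belongs in the same try-with-resources statement. The following is an added example, not code from the CodeQL documentation; it assumes a javax.sql.DataSource is injected (a common setup, but not something the page specifies), and the class, method and column names are illustrative. It also uses a PreparedStatement with a bound parameter rather than a caller-supplied query string, which is the safer habit even though SQL injection is not what this query is about.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import javax.sql.DataSource;

public class OwnedConnectionQuery {

    private final DataSource dataSource;

    public OwnedConnectionQuery(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    // This method acquires the Connection itself, so it owns all three
    // resources. Declaring them together makes the JVM close them in
    // reverse order (rs, then ps, then con) on every exit path, and any
    // exception from a close() is attached to the primary exception as a
    // suppressed exception rather than masking it.
    public List<String> usernamesOlderThan(int minAge) throws SQLException {
        List<String> names = new ArrayList<>();
        String sql = "SELECT username FROM users WHERE age > ?"; // hypothetical schema
        try (Connection con = dataSource.getConnection();
             PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setInt(1, minAge);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("username"));
                }
            }
        }
        return names;
    }
}
```

When the DataSource is a connection pool, close() on the Connection returns it to the pool rather than tearing it down, so failing to close it leaks a pool slot; under load that exhausts the pool and callers block on getConnection(), which is the resource-exhaustion outcome this query is meant to prevent.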
References¶
IBM developerWorks: Java theory and practice: Good housekeeping practices.
The Java Tutorials: The try-with-resources Statement.
Common Weakness Enumeration: CWE-404.
Common Weakness Enumeration: CWE-772.