CodeQL documentation

Potential database resource leak

ID: java/database-resource-leak
Kind: problem
Security severity: 
Severity: warning
Precision: high
Tags:
   - correctness
   - resources
   - external/cwe/cwe-404
   - external/cwe/cwe-772
Query suites:
   - java-security-and-quality.qls

A database resource in the java.sql package that is opened but not closed may cause a resource leak and ultimately resource exhaustion.

Recommendation

Ensure that the resource is always closed to avoid a resource leak. Note that an exception thrown between opening and closing the resource will skip a close() call placed on the normal execution path, so it is safest to close a resource in a finally block.

For Java 7 or later, the recommended way to close resources that implement java.lang.AutoCloseable is to declare them within a try-with-resources statement, so that they are closed implicitly.

Example

In the following example, the resources stmt and rs are opened but not closed.

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class CloseSql {
	public static void runQuery(Connection con, String query) throws SQLException {
		// BAD: neither stmt nor rs is ever closed, on the normal path or
		// when rs.next() throws, so each call leaks a Statement and a ResultSet
		Statement stmt = con.createStatement();
		ResultSet rs = stmt.executeQuery(query);
		while (rs.next()) {
			// process result set
		}
	}
}

In the following example, the resources stmt and rs are declared within a try-with-resources block and are thus closed implicitly.

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class CloseSqlGood {
	public static void runQuery(Connection con, String query) throws SQLException {
		// GOOD: both resources are closed when the try block exits, in reverse
		// order of declaration (rs first, then stmt), whether or not an exception is thrown
		try (Statement stmt = con.createStatement();
				ResultSet rs = stmt.executeQuery(query)) {
			while (rs.next()) {
				// process result set
			}
		}
	}
}

Note that the Connection that is passed into the method is a long-lived object that was created elsewhere and therefore need not be closed locally. It should instead be closed by the code that created it or by a server shutdown procedure, as appropriate.
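The following added example (not part of the CodeQL documentation or the CodeQL repository) makes the close behaviour described in the recommendation and in the two examples above observable without a real database. It substitutes constructed java.lang.reflect.Proxy stand-ins for the driver's Connection, Statement and ResultSet that record every close() call, and runs three variants of runQuery against them: the leaking version, the try-with-resources version, and a pre-Java-7 version using nested finally blocks. Each variant is exercised twice, once normally and once with executeQuery simulating a driver failure, so the difference between closing on the normal path and closing under an exception is visible. The class name CloseSqlDemo, the helper fakeConnection and the Query interface are assumptions introduced for this example.

```java
import java.lang.reflect.Proxy;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class CloseSqlDemo {

    // Records the order in which close() was called on the fake resources.
    static final List<String> closed = new ArrayList<>();

    // Constructed stand-in for a JDBC driver (hypothetical helper, not a real driver):
    // dynamic proxies whose only behaviour is to log close() and, optionally, to fail on executeQuery.
    static Connection fakeConnection(boolean failOnQuery) {
        ClassLoader cl = CloseSqlDemo.class.getClassLoader();
        ResultSet rs = (ResultSet) Proxy.newProxyInstance(cl, new Class<?>[] {ResultSet.class},
            (proxy, method, args) -> {
                switch (method.getName()) {
                    case "next": return false;                      // empty result set
                    case "close": closed.add("ResultSet"); return null;
                    default: return null;
                }
            });
        Statement stmt = (Statement) Proxy.newProxyInstance(cl, new Class<?>[] {Statement.class},
            (proxy, method, args) -> {
                switch (method.getName()) {
                    case "executeQuery":
                        if (failOnQuery) throw new SQLException("simulated driver failure");
                        return rs;
                    case "close": closed.add("Statement"); return null;
                    default: return null;
                }
            });
        return (Connection) Proxy.newProxyInstance(cl, new Class<?>[] {Connection.class},
            (proxy, method, args) -> "createStatement".equals(method.getName()) ? stmt : null);
    }

    // Variant 1: the leaking code from the documentation. Nothing is closed on either path.
    static void runQueryLeaky(Connection con, String query) throws SQLException {
        Statement stmt = con.createStatement();
        ResultSet rs = stmt.executeQuery(query);
        while (rs.next()) {
            // process result set
        }
    }

    // Variant 2: Java 7+ try-with-resources. Resources close in reverse declaration order;
    // if executeQuery throws, rs was never opened and only stmt is closed.
    static void runQueryTryWithResources(Connection con, String query) throws SQLException {
        try (Statement stmt = con.createStatement();
             ResultSet rs = stmt.executeQuery(query)) {
            while (rs.next()) {
                // process result set
            }
        }
    }

    // Variant 3: pre-Java-7 style. Each resource gets its own finally block, innermost first,
    // so an exception from executeQuery still reaches stmt.close() in the outer finally.
    static void runQueryFinally(Connection con, String query) throws SQLException {
        Statement stmt = con.createStatement();
        try {
            ResultSet rs = stmt.executeQuery(query);
            try {
                while (rs.next()) {
                    // process result set
                }
            } finally {
                rs.close();
            }
        } finally {
            stmt.close();
        }
    }

    interface Query {
        void run(Connection con, String query) throws SQLException;
    }

    public static void main(String[] args) {
        String[] names = {"leaky", "try-with-resources", "finally"};
        Query[] variants = {CloseSqlDemo::runQueryLeaky,
                            CloseSqlDemo::runQueryTryWithResources,
                            CloseSqlDemo::runQueryFinally};
        for (int i = 0; i < variants.length; i++) {
            for (boolean fail : new boolean[] {false, true}) {
                closed.clear();
                String outcome;
                try {
                    variants[i].run(fakeConnection(fail), "SELECT 1");
                    outcome = "ok";
                } catch (SQLException e) {
                    outcome = "SQLException";
                }
                System.out.printf("%-19s executeQuery fails=%-5b -> %-12s closed=%s%n",
                                  names[i], fail, outcome, closed);
            }
        }
    }
}
```

Compile and run with `javac CloseSqlDemo.java && java CloseSqlDemo`. The leaky variant records no close() calls in either run; the try-with-resources and finally variants both record ResultSet followed by Statement on the normal path and Statement alone when executeQuery throws, which is exactly the guarantee the query checks for. The nested-finally form also shows why the documentation recommends try-with-resources on Java 7 or later: the hand-written version needs one finally block per resource, and getting the nesting wrong is a common source of exactly this leak.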
