Missing format argument¶
ID: java/missing-format-argument
Kind: problem
Security severity:
Severity: error
Precision: very-high
Tags:
- correctness
- external/cwe/cwe-685
Query suites:
- java-security-and-quality.qls
Click to see the query in the CodeQL repository
When formatting strings using printf-style format strings, one must ensure that the number of supplied arguments matches the number of arguments referenced by the format string. Additional arguments will be thrown away silently, which may not be the intended behavior, and too few arguments will cause an IllegalFormatException.
Format strings are used by the format method on the classes String, Formatter, Console, PrintWriter, and PrintStream. Several of these classes also supply the method alias printf. The class Console has two additional methods, readLine and readPassword, that also use format strings.
Recommendation¶
Supply the correct number of arguments to the format method, or change the format string to use the correct arguments.
Example¶
The following example supplies only one argument to be formatted, but the format string refers to two arguments, so this will throw an IllegalFormatException.
System.out.format("First string: %s Second string: %s", "Hello world");
References¶
Java API Specification: Format string syntax, Class String, Class Formatter, Class Console, Class PrintWriter, Class PrintStream.
SLF4J library: org.slf4j.Logger.
Common Weakness Enumeration: CWE-685.