Potential database resource leak

ID: java/database-resource-leak
Kind: problem
Security severity:
Severity: warning
Precision: high
Tags:
   - quality
   - reliability
   - performance
   - resources
   - external/cwe/cwe-404
   - external/cwe/cwe-772
Query suites:
   - java-code-quality.qls
   - java-security-and-quality.qls

A database resource in the java.sql package that is opened but not closed may cause a resource leak and ultimately resource exhaustion.

Recommendation

Ensure that the resource is always closed to avoid a resource leak. Note that, because of exceptions, it is safest to close a resource in a finally block.

For Java 7 or later, the recommended way to close resources that implement java.lang.AutoCloseable is to declare them within a try-with-resources statement, so that they are closed implicitly.

Example

In the following example, the resources stmt and rs are opened but not closed.

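import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class CloseSql {
    public static void runQuery(Connection con, String query) throws SQLException {
        // BAD: stmt and rs are never closed
        Statement stmt = con.createStatement();
        ResultSet rs = stmt.executeQuery(query);
        while (rs.next()) {
            // process result set
        }
    }
}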

In the following example, the resources stmt and rs are declared within a try-with-resources block and are thus closed implicitly.

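import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class CloseSqlGood {
    public static void runQuery(Connection con, String query) throws SQLException {
        // GOOD: both resources are closed implicitly, in reverse order
        try (Statement stmt = con.createStatement();
             ResultSet rs = stmt.executeQuery(query)) {
            while (rs.next()) {
                // process result set
            }
        }
    }
}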

Note that the Connection that is passed into the method is a long-lived object that was created elsewhere and therefore need not be closed locally. It should instead be closed by the code that created it or by a server shutdown procedure, as appropriate.
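
The finally-block alternative mentioned in the recommendation, shown as an added example that is not part of the CodeQL documentation: each resource gets its own finally block, so a failure while processing or closing the result set cannot skip closing the statement. The class name CloseSqlFinally, the open counter and the proxy-based stub are constructed for illustration so that the class runs without a JDBC driver.

```java
import java.lang.reflect.Proxy;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class CloseSqlFinally {
    static int open; // constructed counter: handles opened and not yet closed

    // finally-block form: each resource has its own finally, so an exception from
    // rs.close() or from processing cannot skip stmt.close().
    public static void runQuery(Connection con, String query) throws SQLException {
        Statement stmt = con.createStatement();
        try {
            ResultSet rs = stmt.executeQuery(query);
            try {
                while (rs.next()) {
                    // process result set
                }
            } finally {
                rs.close();
            }
        } finally {
            stmt.close();
        }
    }

    // Constructed stub (assumption: no real JDBC driver). Counts opens and closes
    // and makes ResultSet.next() throw to simulate a failure mid-query.
    @SuppressWarnings("unchecked")
    static <T> T stub(Class<T> type) {
        return (T) Proxy.newProxyInstance(type.getClassLoader(), new Class<?>[] {type},
            (proxy, method, args) -> {
                switch (method.getName()) {
                    case "createStatement": open++; return stub(Statement.class);
                    case "executeQuery":    open++; return stub(ResultSet.class);
                    case "next":            throw new SQLException("constructed failure");
                    case "close":           open--; return null;
                    default:                return null;
                }
            });
    }
    public static void main(String[] args) {
        try {
            runQuery(stub(Connection.class), "SELECT 1");
        } catch (SQLException e) {
            System.out.println("query failed: " + e.getMessage());
        }
        System.out.println("handles still open: " + open);
    }
}
```

Replacing the body of runQuery with the leaking version from CloseSql leaves the counter above zero on the same stub, which is the condition the query reports.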

References