False Negative : CloseSql.ql cannot detect bugs in the Try-Catch block. #21393

@Carlson-JLQ

Version
codeql 2.23.9
Description of the issue
When I used java/Likely Bugs/Resource Leaks/CloseSql.ql to check the following code, it correctly reported an issue of improper use of createStatement.

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.sql.Statement;
public class PosCase3 {
    public void test() throws SQLException {
        // Scenario 3: Primary resource assigned
        Connection conn = DriverManager.getConnection("url", "user", "pass");
        // Secondary created from primary, not assigned, not closed
        conn.createStatement(); // [REPORTED LINE]
        // Secondary Statement leak -> Positive detection.
    }
}

However, when using CloseSql.ql to detect the following code, no bugs were detected and no bugs were reported.

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.function.Supplier;
public class PosCase3_Var3 {
    public void test() throws SQLException {
        // Variant 3: Use Supplier to defer creation, then discard
        Connection conn = DriverManager.getConnection("url", "user", "pass");
        Supplier<Statement> supplier = () -> {
            try {
                return conn.createStatement();
            } catch (SQLException e) {
                throw new RuntimeException(e);
            }
        };
        supplier.get();  // Statement created and leaked
    }
}
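For comparison, the following is an added example (not part of the issue report) showing the same Supplier pattern with both resources closed by try-with-resources; the `SELECT 1` statement and the class name `PosCase3_Var3_Fixed` are assumed for illustration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.function.Supplier;

public class PosCase3_Var3_Fixed {
    public void test() throws SQLException {
        // The Connection is a try-with-resources variable, so it is implicitly
        // final and can still be captured by the lambda below.
        try (Connection conn = DriverManager.getConnection("url", "user", "pass")) {
            Supplier<Statement> supplier = () -> {
                try {
                    return conn.createStatement();
                } catch (SQLException e) {
                    throw new RuntimeException(e);
                }
            };
            // The Statement returned by the Supplier is still a resource the
            // caller owns: bind it to a try-with-resources variable so it is
            // closed before the Connection, even if execute() throws.
            try (Statement stmt = supplier.get()) {
                stmt.execute("SELECT 1"); // assumed placeholder query
            }
        }
    }
}
```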

Labels: question (Further information is requested)