Hi, we are doing research in testing static analyzers. Our approach found a false negative for the rule SQL_BAD_RESULTSET_ACCESS: SpotBugs should report a warning in line 6 because this line invokes getString with parameter 0.
```java
import java.sql.ResultSet;
import java.sql.SQLException;

public class Test {
    public int a = 0;

    void bug1(ResultSet any) throws SQLException {
        any.getString(a); // should report a warning in this line, but no warning
    }
}
```
However, the following two similar code examples can be detected:
Example 1:
```java
import java.sql.ResultSet;
import java.sql.SQLException;

public class Test {
    void bug1(ResultSet any) throws SQLException {
        int a = 0;
        any.getString(a); // can report a warning in this line
    }
}
```
Example 2:
```java
import java.sql.ResultSet;
import java.sql.SQLException;

public class Test {
    int a = 0;

    void bug1(ResultSet any) throws SQLException {
        any.getString(a); // can report a warning in this line
    }
}
```
Based on the above analysis results, I think this is a false negative. Thanks for your consideration.
SpotBugs version: 4.7.1
Hello! Thank you for your issue report. Actually, you report two issues here.
The first one I am sure is not a false negative, because a is public but it is not final. This means that anyone, even from outside the package can change its value. Thus, at the time of calling bug1() we cannot know anything about its actual value.
The second case is indeed a false negative. To detect such bugs we need to introduce function summaries. This is something that could (and should) be done in the future. However, functions returning a constant are a very corner case, thus function summaries should cover a wider case. Maybe, if we could keep track somehow of the possible value ranges a function returns, we could record them as the summary of the function. (See #2073, it is a first step in that direction.) Then the summary of your function foo() would be a single range [0..0] and we could detect the bug.
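The following is an added example, not code from the issue or from SpotBugs, illustrating the two points in the reply: a public, non-final index field can be rewritten by any caller before the call, so its value at the `getString` call site is not knowable statically, while a compile-time constant index is. It also shows the runtime consequence of index 0, since `ResultSet` columns are 1-based. To run without a database it uses a hypothetical `java.lang.reflect.Proxy` stand-in for `ResultSet` whose `getString(int)` rejects indices outside `1..columnCount`, which mirrors what a JDBC driver does for column 0.

```java
import java.lang.reflect.Proxy;
import java.sql.ResultSet;
import java.sql.SQLException;

public class ResultSetIndexDemo {
    // Hypothetical stand-in for java.sql.ResultSet (constructed for this example, no DB needed):
    // getString(int) returns "col<n>" for 1-based columns and throws for anything else,
    // which is what a real driver does for column index 0.
    static ResultSet fakeResultSet(int columnCount) {
        return (ResultSet) Proxy.newProxyInstance(
            ResultSet.class.getClassLoader(),
            new Class<?>[] { ResultSet.class },
            (proxy, method, args) -> {
                if (method.getName().equals("getString") && args != null && args[0] instanceof Integer) {
                    int idx = (Integer) args[0];
                    if (idx < 1 || idx > columnCount) {
                        throw new SQLException("Invalid column index: " + idx);
                    }
                    return "col" + idx;
                }
                throw new UnsupportedOperationException(method.getName());
            });
    }

    // Same shape as the issue's first snippet: a public, non-final index field.
    // Nothing prevents another class from assigning it before read() is called.
    public int a = 0;

    String read(ResultSet rs) throws SQLException {
        return rs.getString(a);
    }

    // Hardened shape: the index is a compile-time constant and correctly 1-based,
    // so both the compiler and a static analyzer can see the exact value used.
    private static final int FIRST_COLUMN = 1;

    static String readFixed(ResultSet rs) throws SQLException {
        return rs.getString(FIRST_COLUMN);
    }

    public static void main(String[] args) throws SQLException {
        ResultSet rs = fakeResultSet(2);
        ResultSetIndexDemo demo = new ResultSetIndexDemo();

        // With the field still 0, the call fails at runtime (1-based columns).
        try {
            demo.read(rs);
            System.out.println("unexpected: index 0 accepted");
        } catch (SQLException e) {
            System.out.println("index 0 rejected: " + e.getMessage());
        }

        // Any caller may change the public field before the call, so the value at the
        // call site is not a compile-time fact; here the same method succeeds.
        demo.a = 1;
        System.out.println("after external write: " + demo.read(rs));

        System.out.println("constant index: " + readFixed(rs));
    }
}
```

Compile and run with `javac ResultSetIndexDemo.java && java ResultSetIndexDemo`. The first call prints the rejection of index 0, the second succeeds after the external write, and the constant-index version succeeds unconditionally; that difference between "depends on who wrote the field last" and "fixed at compile time" is exactly why the reply treats the public non-final case as not a false negative.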