16f6c0aecf
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
80 lines
2.3 KiB
Plaintext
80 lines
2.3 KiB
Plaintext
== Why is this an issue?
|
|
|
|
Leaving a ``++CATCH++`` block empty means that the exception in question is neither handled nor passed forward to callers for handling at a higher level. Suppressing errors rather than handling them could lead to unpredictable system behavior and should be avoided.
|
|
|
|
|
|
=== Noncompliant code example
|
|
|
|
[source,abap]
|
|
----
|
|
try.
|
|
if ABS( NUMBER ) > 100.
|
|
write / 'Number is large'.
|
|
endif.
|
|
catch CX_SY_ARITHMETIC_ERROR into OREF.
|
|
endtry.
|
|
----
|
|
|
|
|
|
=== Compliant solution
|
|
|
|
[source,abap]
|
|
----
|
|
try.
|
|
if ABS( NUMBER ) > 100.
|
|
write / 'Number is large'.
|
|
endif.
|
|
catch CX_SY_ARITHMETIC_ERROR into OREF.
|
|
write / OREF->GET_TEXT( ).
|
|
endtry.
|
|
----
|
|
|
|
|
|
=== Exceptions
|
|
|
|
When a block contains a comment, it is not considered to be empty.
|
|
|
|
|
|
== Resources
|
|
|
|
* https://cwe.mitre.org/data/definitions/391[MITRE, CWE-391] - Unchecked Error Condition
|
|
* OWASP Top 10 2017 Category A10 - Insufficient Logging & Monitoring
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Either handle this XXX exception or propagate it.
|
|
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
=== on 20 Oct 2014, 18:37:01 Ann Campbell wrote:
|
|
\[~nicolas.peru] note that this rule that was originally written for ABAP has been extended for Java & an exception added for a comment in the block, making ABAP outdated.
|
|
|
|
=== on 21 Oct 2014, 15:36:55 Nicolas Peru wrote:
|
|
This will be covered by \http://jira.sonarsource.com/browse/RSPEC-108
|
|
|
|
=== on 27 Feb 2015, 09:57:42 Freddy Mallet wrote:
|
|
\[~ann.campbell.2], this spec should be linked to \http://cwe.mitre.org/data/definitions/391.html
|
|
|
|
=== on 21 Mar 2018, 18:09:23 Alexandre Gigleux wrote:
|
|
\[~ann.campbell.2] I don't think this one should be classified as a "Bug Detection". No bug/failure will happen if you keep the code like this.
|
|
|
|
I think it should be classified as a "Vulnerability Detection". This RSPEC was classified like this in the past (2015) thanks to the tag "security". I don't see any good reason why we changed that. Also, we have an OWASP TOP 10 tag on the RSPEC replacing this one (RSPEC-2486) which is another justification to classify it as a "Vulnerability Detection".
|
|
|
|
|
|
Do you agree?
|
|
|
|
=== on 21 Mar 2018, 19:04:23 Ann Campbell wrote:
|
|
Fine for me [~alexandre.gigleux]
|
|
|
|
endif::env-github,rspecator-view[]
|