ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S1674/abap/rule.adoc
Egon Okerman d1417e82f8
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) 
* Fix all CWE references

* Fix all OWASP references

* Fix missing CWE prefixes
2024-01-15 17:15:56 +01:00

80 lines
2.4 KiB
Plaintext
Raw Blame History

== Why is this an issue?
Leaving a ``++CATCH++`` block empty means that the exception in question is neither handled nor passed forward to callers for handling at a higher level. Suppressing errors rather than handling them could lead to unpredictable system behavior and should be avoided.
=== Noncompliant code example
[source,abap]
----
try.
if ABS( NUMBER ) > 100.
write / 'Number is large'.
endif.
catch CX_SY_ARITHMETIC_ERROR into OREF.
endtry.
----
=== Compliant solution
[source,abap]
----
try.
if ABS( NUMBER ) > 100.
write / 'Number is large'.
endif.
catch CX_SY_ARITHMETIC_ERROR into OREF.
write / OREF->GET_TEXT( ).
endtry.
----
=== Exceptions
When a block contains a comment, it is not considered to be empty.
== Resources
* CWE - https://cwe.mitre.org/data/definitions/391[CWE-391 - Unchecked Error Condition]
* OWASP - https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring[Top 10 2017 Category A10 - Insufficient Logging & Monitoring]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Either handle this XXX exception or propagate it.
'''
== Comments And Links
(visible only on this page)
=== on 20 Oct 2014, 18:37:01 Ann Campbell wrote:
\[~nicolas.peru] note that this rule that was originally written for ABAP has been extended for Java & an exception added for a comment in the block, making ABAP outdated.
=== on 21 Oct 2014, 15:36:55 Nicolas Peru wrote:
This will be covered by \http://jira.sonarsource.com/browse/RSPEC-108
=== on 27 Feb 2015, 09:57:42 Freddy Mallet wrote:
\[~ann.campbell.2], this spec should be linked to \http://cwe.mitre.org/data/definitions/391.html
=== on 21 Mar 2018, 18:09:23 Alexandre Gigleux wrote:
\[~ann.campbell.2] I don't think this one should be classified as a "Bug Detection". No bug/failure will happen if you keep the code like this.
I think it should be classified as a "Vulnerability Detection". This RSPEC was classified like this in the past (2015) thanks to the tag "security". I don't see any good reason why we changed that. Also, we have an OWASP TOP 10 tag on the RSPEC replacing this one (RSPEC-2486) which is another justification to classify it as a "Vulnerability Detection".
Do you agree?
=== on 21 Mar 2018, 19:04:23 Ann Campbell wrote:
Fine for me [~alexandre.gigleux]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink