try-with-resources statement resource leak and HttpServletRequestWrapper.getRead



In the code below, I am using BufferedReader and InputStreamReader in a try, but Veracode complains about the security issue Improper Resource Shutdown or Release (CWE ID 404).

try (final BufferedReader bsr = new BufferedReader(new InputStreamReader(Myutils.class.getClassLoader()
        .getResourceAsStream("fileName.txt")))) {
    String currentLine;
    while ((currentLine = bsr.readLine()) != null) {
        // doing some operations
    }
} catch (final Exception e) {
    throw new IllegalStateException("exception occurres");
}

Similarly, in another class, I am extending HttpServletRequestWrapper:

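public class MyHttpServletRequestWrapper extends HttpServletRequestWrapper {
    private BufferedReader reader;

    // HttpServletRequestWrapper has no no-arg constructor, so one must be declared.
    public MyHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    @Override
    public BufferedReader getReader() throws IOException {
        if (null == this.reader) {
            this.reader = new BufferedReader(new InputStreamReader(getInputStream(), getCharacterEncoding()));
        }
        return this.reader;
    }
}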

On the this.reader line, Veracode reports Improper Resource Shutdown or Release (CWE ID 404). I think the framework (Tomcat/Spring) is handling this, but I don't know why Veracode says so.

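If an exception is thrown after the InputStream is opened but before the BufferedReader is assigned, the InputStream will stay open. In the example you provided, this only happens if the InputStreamReader constructor throws an exception. To avoid this, you can use the following code: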

try (final InputStream is = Example.class.getClassLoader().getResourceAsStream("filename.txt");
        final InputStreamReader inputStreamReader = new InputStreamReader(is);
        final BufferedReader bsr = new BufferedReader(inputStreamReader)) {
    // read from bsr as before
}
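
The failure window described in the answer, reproduced as an added example (not code from the question or the answer). `ReaderLeakDemo`, `TrackedStream` and the charset name `no-such-charset` are constructed for the demonstration; the charset name exists only to make the `InputStreamReader` constructor throw.

```java
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;

public class ReaderLeakDemo {
    // Constructed stand-in for a real stream; records whether close() ran.
    static final class TrackedStream extends ByteArrayInputStream {
        boolean closed;
        TrackedStream() { super("line1\nline2\n".getBytes()); }
        @Override public void close() throws IOException { closed = true; super.close(); }
    }

    // Nested form: the BufferedReader is the only declared resource.
    static boolean nestedClosesStream(String charset) {
        TrackedStream in = new TrackedStream();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(in, charset))) {
            r.readLine();
        } catch (IOException e) {
            // Reached when the constructor throws: r was never assigned, so in stays open.
        }
        return in.closed;
    }

    // One declared resource per layer: each is closed, in reverse order.
    static boolean separateClosesStream(String charset) {
        TrackedStream tracked = new TrackedStream();
        try (InputStream in = tracked;
             InputStreamReader isr = new InputStreamReader(in, charset);
             BufferedReader r = new BufferedReader(isr)) {
            r.readLine();
        } catch (IOException e) {
            // in was already a declared resource, so it is closed on this path too.
        }
        return tracked.closed;
    }

    public static void main(String[] args) {
        String bad = "no-such-charset"; // constructed: makes InputStreamReader throw
        System.out.println("nested,   UTF-8: closed=" + nestedClosesStream("UTF-8"));
        System.out.println("nested,   bad:   closed=" + nestedClosesStream(bad));
        System.out.println("separate, UTF-8: closed=" + separateClosesStream("UTF-8"));
        System.out.println("separate, bad:   closed=" + separateClosesStream(bad));
    }
}
```

Only the nested form with the unsupported charset leaves the underlying stream unclosed, which is the path a static analyzer reports as CWE-404.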
