9

SonarQube incorrectly reports "PreparedStatement has no parameters." (squid:S2695) on the following (simplified) source:

public static final String UPDATE_QUERY = "UPDATE TABLE SET COL1=? WHERE PK=?";

private PreparedStatement preparedStatement = null;

public void updateMethod(Date date, Long pk )
{
  if(preparedStatement == null)
  {
    //ConnectionService is not a Connection!
    preparedStatement = ConnectionService.prepareStatement(UPDATE_QUERY);
  }

  //sonarqube reports on the following two lines: 'This "PreparedStatement" has no parameters.'
  preparedStatement.setDate(1, date);
  preparedStatement.setLong(2, pk);
  ResultSet rs = preparedStatement.executeQuery();

  //further code left out
}

Questions:

  1. Is this a bug or a limitation of the analyser?

  2. Is there something I can do to hide these "false positives"?

Wohops
MRalwasser

2 Answers

3

It's a false positive; as you can see here, it's fixed in version 4.5.

Answer to question 1:
Yes, it is a bug; upgrade your Sonar version to 4.5 (or newer).

Answer to question 2:
Disable rule in sonar here
or
How to remove False-Positive issues? here

fidudidu
0

You can get SonarLint/SonarQube to ignore false positives by just commenting //NOSONAR at the end of your code line.

preparedStatement.setDate(1, date); //NOSONAR
preparedStatement.setLong(2, pk); //NOSONAR
Sahil
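Added example, not part of either answer or of SonarQube: because //NOSONAR hides every issue reported on that line, a real index mismatch introduced later would also go unreported, so a small unit-level check can compare the indexes used in updateMethod with the placeholders in UPDATE_QUERY. The class and method names (PlaceholderCheck, countPlaceholders, indexesMatch) are hypothetical, and the code assumes plain JDBC ? placeholders with standard SQL quoting and -- comments (Java 9+ for Set.of).

```java
import java.util.Set;

/** Added example: checks JDBC parameter indexes against the '?' placeholders in a SQL string. */
public class PlaceholderCheck {

    // Same query text as in the question.
    static final String UPDATE_QUERY = "UPDATE TABLE SET COL1=? WHERE PK=?";

    /** Counts '?' placeholders, skipping '...' literals, "..." identifiers and -- comments. */
    static int countPlaceholders(String sql) {
        int count = 0;
        char quote = 0;                       // 0 means "not inside a quoted section"
        for (int i = 0; i < sql.length(); i++) {
            char c = sql.charAt(i);
            if (quote != 0) {
                if (c == quote) quote = 0;    // a doubled quote ('') closes and reopens at once
            } else if (c == '\'' || c == '"') {
                quote = c;
            } else if (c == '-' && i + 1 < sql.length() && sql.charAt(i + 1) == '-') {
                int eol = sql.indexOf('\n', i);
                if (eol < 0) break;           // comment runs to the end of the string
                i = eol;
            } else if (c == '?') {
                count++;
            }
        }
        return count;
    }

    /** True when the indexes passed to setXxx calls are exactly 1..n for the n placeholders. */
    static boolean indexesMatch(String sql, Set<Integer> usedIndexes) {
        int n = countPlaceholders(sql);
        if (usedIndexes.size() != n) return false;
        for (int i = 1; i <= n; i++) {
            if (!usedIndexes.contains(i)) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Indexes 1 and 2 are the ones passed to setDate and setLong in updateMethod.
        System.out.println(indexesMatch(UPDATE_QUERY, Set.of(1, 2)));
        // Constructed negative cases: a missing index, and a '?' that is only literal text.
        System.out.println(indexesMatch(UPDATE_QUERY, Set.of(1)));
        System.out.println(countPlaceholders("SELECT '?' FROM T WHERE A=?"));
    }
}
```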