Page History

...

Failure to explicitly release nonmemory system resources when they are no longer needed can result in resource exhaustion.

Rule	Severity	Likelihood	Remediation Cost	Priority	Level
FIO04-J	Low	Probable	Medium	P4	L3

Automated Detection

Although sound automated detection of this vulnerability is not feasible in the general case, many interesting cases can be soundly detected.

Some static analysis tools can detect cases in which there is leak of a socket resource or leak of a stream representing a file or other system resources.

Tool

Version

Checker

Description

CodeSonar

Include Page

	CodeSonar_V
	CodeSonar_V

JAVA.ALLOC.LEAK.NOTCLOSED
JAVA.ALLOC.LEAK.NOTSTORED

Closeable Not Closed (Java)
Closeable Not Stored (Java)

Coverity

7.5

ITERATOR
JDBC_CONNECTION
RESOURCE_LEAK

Implemented

Parasoft Jtest

Include Page

	Parasoft_V
	Parasoft_V

CERT.FIO04.LEAKS
CERT.FIO04.CIO
CERT.FIO04.CCR

Ensure resources are deallocated
Close input and output resources in "finally" blocks
Close all "java.io.Closeable" resources in a "finally" block

SonarQube

Include Page

	SonarQube_V
	SonarQube_V

S2095

Implemented

Related Guidelines

SEI CERT C Coding Standard	FIO22-C. Close files before spawning processes
SEI CERT C++ Coding Standard	FIO51-CPP. Close files when they are no longer needed
MITRE CWE	CWE-404, Improper Resource Shutdown or Release CWE-405, Asymmetric Resource Consumption (Amplification) CWE-459, Incomplete Cleanup CWE-770, Allocation of Resources without Limits or Throttling

Android Implementation Details

The compliant solution (try-with-resources) is not yet supported at API level 18 (Android 4.3).

Bibliography

[API 2014]	Class `Object`
[Goetz 2006b]


[J2SE 2011]	The `try`-with-resources Statement

...

Image Modified Image Modified Image Modified

Space shortcuts

Page tree

Versions Compared

Old Version 119

New Version Current

Key

Automated Detection

Related Guidelines

Android Implementation Details

Bibliography