Failure to explicitly release nonmemory system resources when they are no longer needed can result in resource exhaustion.

| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| FIO04-J | Low | Probable | Medium | P4 | L3 |

Automated Detection

Although sound automated detection of this vulnerability is not feasible in the general case, many interesting cases can be soundly detected.

Some static analysis tools can detect cases in which a socket resource, or a stream representing a file or other system resource, is leaked.

| Tool | Version | Checker | Description |
|---|---|---|---|
| CodeSonar | | JAVA.ALLOC.LEAK.NOTCLOSED | Closeable Not Closed (Java) |
| CodeSonar | | JAVA.ALLOC.LEAK.NOTSTORED | Closeable Not Stored (Java) |
| Coverity | 7.5 | ITERATOR, JDBC_CONNECTION, RESOURCE_LEAK | Implemented |
| Parasoft Jtest | 9.5 | BD.RES.LEAKS, OPT.CIO, OPT.CCR | Implemented |
| Parasoft Jtest | | CERT.FIO04.LEAKS | Ensure resources are deallocated |
| Parasoft Jtest | | CERT.FIO04.CIO | Close input and output resources in "finally" blocks |
| Parasoft Jtest | | CERT.FIO04.CCR | Close all "java.io.Closeable" resources in a "finally" block |
| SonarQube (Java Plugin) | | S2095 | Implemented |

Related Guidelines

SEI CERT C Coding Standard

FIO22-C. Close files before spawning processes

SEI CERT C++ Coding Standard

FIO51-CPP. Close files when they are no longer needed

MITRE CWE

CWE-404, Improper Resource Shutdown or Release
CWE-405, Asymmetric Resource Consumption (Amplification)
CWE-459, Incomplete Cleanup
CWE-770, Allocation of Resources without Limits or Throttling

Android Implementation Details

The compliant solution (try-with-resources) is not yet supported at API level 18 (Android 4.3).
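The following is an added example, not code from the CERT page: it shows try-with-resources beside the equivalent `finally`-based release for a platform where try-with-resources is unavailable, as in the note above. The class and method names (`ReleaseResources`, `firstLineTwr`, `firstLineFinally`) are hypothetical, and the sample file is constructed by `main`.

```java
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.io.PrintWriter;

public class ReleaseResources { // hypothetical class name

    // try-with-resources (Java 7+): the reader is closed on every exit path.
    static String firstLineTwr(String path) throws IOException {
        try (BufferedReader in = new BufferedReader(new FileReader(path))) {
            return in.readLine();
        }
    }

    // Same behaviour without try-with-resources: close in finally, guard
    // against a failed open (in == null), and do not let a close() failure
    // replace an IOException already thrown by the body.
    static String firstLineFinally(String path) throws IOException {
        BufferedReader in = null;
        IOException primary = null;
        try {
            in = new BufferedReader(new FileReader(path));
            return in.readLine();
        } catch (IOException e) {
            primary = e;
            throw e;
        } finally {
            if (in != null) {
                try {
                    in.close();
                } catch (IOException closeFailure) {
                    if (primary == null) {
                        throw closeFailure; // body succeeded; report the close failure
                    }
                    // Otherwise the body's IOException propagates; log closeFailure here.
                }
            }
        }
    }

    public static void main(String[] args) throws IOException {
        File tmp = File.createTempFile("fio04", ".txt"); // constructed sample input
        PrintWriter out = new PrintWriter(tmp);
        try { out.println("constructed sample line"); } finally { out.close(); }
        System.out.println(firstLineTwr(tmp.getPath()));
        System.out.println(firstLineFinally(tmp.getPath()));
        tmp.delete();
    }
}
```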
