Tags: java, hibernate, fortify, hibernate-session

Fortify Scan Issue Fix- Unreleased Resource: Database


How can I avoid this issue for the line below?

Query query = getSession().createQuery("my sql query");

or

Session session = getSession();
SQLQuery query = session.createSQLQuery("");

There are a couple of queries in my DAO implementation and I cannot close the session after every query execution (if I do, won't it create a connection pool bottleneck or overuse of memory?).
But I need to fix this issue or provide an appropriate reason to treat this as a false positive.

Please guide


Solution

  • There are a few options:

    1. You can mark those issues as "Not an issue" in your FPR report file, and merge future scans into the baseline audit review. The same issue won't show up again in the merged file. There are ways to automate the merge from the command line by passing the original baseline file (the first audit review).
    2. I think you can also add a close session statement in the finally block. This would execute only if an exception occurs.

    I don't think creating a custom rule would work here since there is no taint or session closing function to instrument.
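To illustrate option 2 from the answer above, here is an added example (not code from the question or the answer) of a hypothetical `OrderDao` that shows the pattern Fortify reports next to two ways of guaranteeing the `Session` is closed: an explicit `finally` block, and try-with-resources, which needs a Hibernate version whose `Session` implements `AutoCloseable` (5.2 or later; assumed here). A `finally` block runs on every exit from the `try`, normal or exceptional, so the close is not limited to the error path. The `SessionFactory`, the `Order` entity and the `orders` table are assumptions for the example.

```java
import java.util.List;

import org.hibernate.Session;
import org.hibernate.SessionFactory;
import org.hibernate.query.Query;

// Hypothetical DAO (assumed class, entity and table names) used to illustrate
// the "Unreleased Resource: Database" finding and two fixes.
public class OrderDao {

    // Assumed to be configured/injected elsewhere; the SessionFactory itself is long-lived.
    private final SessionFactory sessionFactory;

    public OrderDao(SessionFactory sessionFactory) {
        this.sessionFactory = sessionFactory;
    }

    // Pattern the scanner flags: a Session (and the JDBC connection it borrows
    // from the pool) is opened on this path and never closed, on success or failure.
    public List<?> findOpenOrdersLeaky(String customerId) {
        Session session = sessionFactory.openSession();
        Query<?> query = session.createQuery(
                "from Order o where o.customerId = :cid and o.status = 'OPEN'");
        query.setParameter("cid", customerId);
        return query.list();
    }

    // Fix 1: explicit finally block. close() runs whether list() returns normally
    // or throws, so the connection always goes back to the pool.
    public List<?> findOpenOrdersFinally(String customerId) {
        Session session = sessionFactory.openSession();
        try {
            Query<?> query = session.createQuery(
                    "from Order o where o.customerId = :cid and o.status = 'OPEN'");
            query.setParameter("cid", customerId);
            return query.list();
        } finally {
            session.close();
        }
    }

    // Fix 2: try-with-resources (Hibernate 5.2+ Session is AutoCloseable, assumed).
    // Several queries share one session; it is closed once, at the end of the block,
    // which avoids opening and closing a session per query.
    public long countOpenOrders(String customerId) {
        try (Session session = sessionFactory.openSession()) {
            // Native SQL with a bound parameter rather than string concatenation.
            Number count = (Number) session.createNativeQuery(
                    "select count(*) from orders where customer_id = :cid and status = 'OPEN'")
                    .setParameter("cid", customerId)
                    .uniqueResult();

            // A second query on the same session; no extra connection is checked out.
            Number total = (Number) session.createNativeQuery(
                    "select coalesce(sum(amount), 0) from orders where customer_id = :cid")
                    .setParameter("cid", customerId)
                    .uniqueResult();

            // Example use of the second result; in a real DAO you would return a small value object.
            System.out.println("open orders: " + count + ", total amount: " + total);
            return count.longValue();
        }
    }
}
```

If the DAO instead uses a container-managed or thread-bound session (for example `sessionFactory.getCurrentSession()` or a Spring-managed session), the framework owns the session lifecycle and calling `close()` yourself would be wrong; that is the case where option 1 (auditing the finding as "Not an issue" with that justification) is the appropriate fix.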