The analyzer has detected an empty exception handling block ('catch' or 'finally'). Inappropriate exception handling may decrease the application's reliability.
In some cases, inappropriate exception handling may result in a vulnerability. Insufficient logging and monitoring are pointed out as a separate category on OWASP Top 10 Application Security Risks 2017: A10:2017-Insufficient Logging & Monitoring.
The following example contains an empty 'catch' block:
try
{
someCall();
}
catch (Exception e)
{
}
Code like this is not necessarily faulty, of course. But simply suppressing an exception without taking any further precautions against it is a strange practice since such insufficient exception handling may let defects stay unnoticed.
Logging is one example of how you can handle an exception. At least it will prevent the exception from passing unnoticed:
try
{
someCall();
}
catch (Exception e)
{
logger.error("Message", e);
}
An empty 'finally' block is no less suspicious. It may indicate incomplete implementation of some logic necessary for reliable behavior of the program. Consider the following example:
try
{
someCall();
}
catch (Exception e)
{ .... }
finally
{
}
This code is very likely to be faulty or simply redundant. Unlike the empty 'catch' block, which can be used to suppress an exception, the empty 'finally' block has no practical use at all.
This diagnostic is classified as:
|