The analyzer has detected that the original exception data was lost during rethrowing from a 'catch' block. The issue makes errors hard to debug.
The lack of clear issue identification leads to additional security risks. The OWASP Top 10 Application Security Risks 2017 lists insufficient logging and monitoring (including issue detectability) as a separate risk category: A10:2017-Insufficient Logging & Monitoring.
Look at the example of the incorrect code:
try {
sb.append((char) Integer.parseInt(someString));
....
} catch (NumberFormatException e) {
throw new IllegalArgumentException();
}In this case, developers want to rethrow the caught exception but do not pass the necessary data in the form of a message and stack trace.
Here is the fixed code:
try {
sb.append((char) Integer.parseInt(someString));
....
} catch (NumberFormatException e) {
throw new IllegalArgumentException(e);
}The original exception is passed as an internal exception. It saves all data about the original error.
As another option to fix the issue, we can throw an exception with a message.
try {
sb.append((char) Integer.parseInt(someString));
....
} catch (NumberFormatException e) {
throw new IllegalArgumentException(
"String " + someString + " is not number"
);
}The original error stack has been lost, but the new exception data helps debug the code.
If we expect to lose exception data, we can replace the 'catch' parameter names with 'ignore' or 'expected'. In this case, the exception is not thrown.