SV.UMC.JDBC

The DataSource interface, new in the JDBC 2.0 API, provides a better way to connect to a data source. Calling DriverManager.getConnection(...) should be avoided.

Vulnerability and risk

Acquiring and releasing database connections by means of the database manager, using JDBC 1.0, will impact the performance of the application. That impact is due to the overhead in creating and destroying those objects by the database resource manager process.

Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.

Mitigation and prevention

The use of a DataSource object is the preferred means of connecting to a data source.

Example 1

Copy

18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
     protected void doPost(HttpServletRequest req,
                           HttpServletResponse resp) throws ServletException {
         String name = req.getParameter("userName");
         String pswd = req.getParameter("passwd");
         Connection conn = doGetConnection(name, pswd);
         // ...
     }
     private Connection doGetConnection(String name,
                                        String pswd) {
         Connection conn = null;
         try {
             return DriverManager.getConnection("localhost:3300",
                                                name, pswd);
         } catch (SQLException e) {
             // ...
         }
         return conn;
     }

SV.UMC.JDBC is reported for call on line 29: Application should avoid calling DriverManager.getConnection() directly.

External guidance

CWE-245: J2EE Bad Practices: Direct Management of Connections