In my veracode scan, I have very low vulnerability: Improper Resource Shutdown or Release CWE ID 404

And here is my code:

public static boolean nioCopy(File source, File destination) {
      boolean retval = false;
      
      FileChannel inChannel = null, outChannel = null;
      
      try {
          inChannel = (new FileInputStream(source)).getChannel();
          outChannel = (new FileOutputStream(destination)).getChannel();
          
          long size = inChannel.size();
          long position = 0;
          while ( position < size )
          {
             position  = inChannel.transferTo( position, WINDOWS_MAGIC_BUFFER_SIZE, outChannel );
          }
          retval = true;
      } catch (FileNotFoundException e) {
          e.printStackTrace();
          retval = false;
      } catch (IOException e) {
          e.printStackTrace();
          retval = false;
      } finally {
          try {
              if (inChannel != null) {
                  inChannel.close();
              }
              
              if (outChannel != null) {
                  outChannel.close();
              }
          } catch (IOException e) {
              e.printStackTrace();
          }
      }
      
      return retval;
  }

Veracode is specifically pointing to this line:

outChannel = (new FileOutputStream(destination)).getChannel();

However, I believe I am releasing the resource in finally block. I was referring to this link: http://javaelegance.blogspot.com/2015/10/improper-resource-shutdown-or-release.html

What am I doing wrong here?

CodePudding user response：

Assuming Java 8 or higher, use try with resources statements. See https://docs.oracle.com/javase/tutorial/essential/exceptions/tryResourceClose.html. It basically will handle automatically closing closable objects for you.

try (inChannel = (new FileInputStream(source)).getChannel()) {
    //Use inChannel
}
catch(IOException ex) {
    //Handle exception
}