Skip to content

Reference the supplied format arguments (CodeQL java/unused-format-argument)#235

Open
vharseko wants to merge 2 commits into
OpenIdentityPlatform:masterfrom
vharseko:features/codeql-unused-format-arg
Open

Reference the supplied format arguments (CodeQL java/unused-format-argument)#235
vharseko wants to merge 2 commits into
OpenIdentityPlatform:masterfrom
vharseko:features/codeql-unused-format-arg

Conversation

@vharseko

@vharseko vharseko commented Jul 8, 2026

Copy link
Copy Markdown
Member

Summary

Resolves all ten open java/unused-format-argument CodeQL alerts. Every flagged
site supplied arguments that the format string never referenced, so those values
were silently dropped from the log line / exception message. The fix adds the
missing placeholders so the arguments are actually rendered.

File Line(s) Before Fix
SLF4JErrorReporter.java 52, 59 logger.warn("", {5 args}) / logger.error("", {5 args}) format with five {} placeholders
Util.java 584, 601, 618 "Value must be between %d and %d, inclusive: " + value append the matching %d / %f specifier
FieldStorageSchemeImpl.java 124, 131, 148 logger.error("…", storedField[, e]) with no {} add : {} for the stored field
OpenAMSessionModule.java 317, 368 LOG.error("…non HTTP 200 response", body) add : {} for the response body

Why these are real

  • SLF4JErrorReporter — the format string was the empty string, so the
    JavaScript error's message, source, line, line-source and offset were never
    logged. Now all five are rendered.
  • Util.rangeCheck — the "between" message ended right after inclusive:
    and dropped the actual out-of-range value, unlike the sibling "less than" /
    "greater than" messages which do print it. The value is now shown.
  • FieldStorageSchemeImpl — the three logger.error calls had no {}, so
    the stored field never appeared. On the two-argument calls the trailing
    Throwable is still logged as the exception (SLF4J trailing-throwable
    handling); only the stored-field placeholder was missing.
  • OpenAMSessionModule — the non-2xx REST validation response body was
    passed but not referenced, so the diagnostic body was lost.

No behavioural change beyond the previously discarded values now reaching the
message.

Testing

mvn -o -pl script/javascript,persistit/core,commons/selfservice/core,commons/auth-filters/authn-filter/jaspi-modules/openam-session-module compile — each module builds (BUILD SUCCESS).

…gument)

Ten format/log calls passed arguments that the format string never referenced,
so the values were silently dropped from the message. Add the missing
placeholders so the arguments actually appear:

  - SLF4JErrorReporter.warning/error: the format string was empty ("") while
    five values (message, sourceName, line, lineSource, lineOffset) were passed,
    so nothing about the script error was logged. Use a message with five {}
    placeholders.
  - Util.rangeCheck (int/long/float): the "Value must be between %d and %d,
    inclusive: " message ended after the colon and dropped the offending value.
    Append the matching specifier so the value is shown.
  - FieldStorageSchemeImpl.fieldMatches: three logger.error calls had no {}
    placeholder, dropping the stored field (and, on the two-arg calls, keeping
    the exception as the trailing throwable). Add a {} for the stored field.
  - OpenAMSessionModule.onValidateSuccess/onUserResponse: two LOG.error calls
    dropped the non-2xx response body. Add a {} so the body is logged.

Behaviour is otherwise unchanged; only the previously discarded values now
reach the message.
@vharseko vharseko added bug codeql CodeQL static-analysis findings labels Jul 8, 2026
@vharseko vharseko requested a review from maximthomas July 8, 2026 13:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug codeql CodeQL static-analysis findings

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants