Missing format argument

ID: java/missing-format-argument
Kind: problem
Security severity:
Severity: error
Precision: very-high
Tags:
- quality
- reliability
- correctness
- external/cwe/cwe-685
Query suites:
- java-security-and-quality.qls
When formatting strings using printf-style format strings, one must ensure that the number of supplied arguments matches the number of arguments referenced by the format string. Additional arguments are silently discarded, which may not be the intended behavior, and too few arguments cause an IllegalFormatException to be thrown at runtime.

Format strings are used by the format method on the classes String, Formatter, Console, PrintWriter, and PrintStream. Several of these classes also supply the method alias printf. The class Console has two additional methods, readLine and readPassword, that also use format strings.
Recommendation
Supply the correct number of arguments to the format method, or change the format string to use the correct arguments.
Example
The following example supplies only one argument to be formatted, but the format string refers to two arguments, so this will throw an IllegalFormatException.

```java
// Two %s conversions but only one argument: throws IllegalFormatException at runtime
System.out.format("First string: %s Second string: %s", "Hello world");
```
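As an added illustration (not part of the CodeQL query or its documentation), the following class counts how many arguments a java.util.Formatter format string actually consumes, following the Formatter grammar %[argument_index$][flags][width][.precision][t]conversion, so that a mismatch like the one above can be caught in a unit test or pre-commit check rather than at runtime. The class and method names (FormatArgCheck, requiredArgs, argumentCountMatches) are hypothetical.

```java
import java.util.IllegalFormatException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class FormatArgCheck {
    // Conversion specifier grammar used by java.util.Formatter
    private static final Pattern SPEC = Pattern.compile(
        "%(\\d+\\$)?([-#+ 0,(<]*)?(\\d+)?(\\.\\d+)?([tT])?([a-zA-Z%])");

    /** Number of arguments the format string consumes, given Formatter's indexing rules. */
    static int requiredArgs(String fmt) {
        Matcher m = SPEC.matcher(fmt);
        int ordinary = 0, maxExplicit = 0;
        while (m.find()) {
            char conv = m.group(6).charAt(0);
            String flags = m.group(2) == null ? "" : m.group(2);
            if (conv == '%' || conv == 'n') continue;   // %% and %n consume no argument
            if (flags.indexOf('<') >= 0) continue;       // '<' reuses the previous argument
            if (m.group(1) != null) {                    // explicit index such as %2$s
                String idx = m.group(1).substring(0, m.group(1).length() - 1);
                maxExplicit = Math.max(maxExplicit, Integer.parseInt(idx));
            } else {
                ordinary++;                              // next ordinary-index argument
            }
        }
        // Ordinary and explicit indexing are tracked independently by Formatter
        return Math.max(ordinary, maxExplicit);
    }

    /** True when the supplied argument count exactly matches what the format string uses. */
    static boolean argumentCountMatches(String fmt, Object... args) {
        return requiredArgs(fmt) == args.length;
    }

    public static void main(String[] args) {
        String bad = "First string: %s Second string: %s";
        System.out.println(argumentCountMatches(bad, "Hello world"));   // false: 2 needed, 1 given
        try {
            String.format(bad, "Hello world");
        } catch (IllegalFormatException e) {  // actually a MissingFormatArgumentException
            System.out.println("caught " + e.getClass().getSimpleName());
        }
        System.out.println(argumentCountMatches("%1$s and %1$s%n", "x")); // true: one argument reused
        System.out.println(String.format("%s", "a", "b"));     // "a": the extra argument is dropped silently
    }
}
```

The check reports the surplus-argument case as a mismatch too, which String.format itself never signals.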
References
Java API Specification: Format string syntax, Class String, Class Formatter, Class Console, Class PrintWriter, Class PrintStream.
SLF4J library: org.slf4j.Logger.
Common Weakness Enumeration: CWE-685.