From 5702f3918151914cc6c06c369f153f73c90ffd78 Mon Sep 17 00:00:00 2001
From: Anthony Whitford
Date: Wed, 9 Sep 2015 23:54:20 -0700
Subject: [PATCH] Addressed possible resource leak.
---
 .../org/owasp/dependencycheck/data/nvdcve/CveDB.java | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
index 741893289..b550b2458 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
@@ -321,7 +321,6 @@ public class CveDB {
 * @throws DatabaseException thrown if there is an exception retrieving data
 */
 public List getVulnerabilities(String cpeStr) throws DatabaseException {
- ResultSet rs = null;
 final VulnerableSoftware cpe = new VulnerableSoftware();
 try {
 cpe.parseName(cpeStr);
@@ -331,7 +330,8 @@ public class CveDB {
 final DependencyVersion detectedVersion = parseDependencyVersion(cpe);
 final List vulnerabilities = new ArrayList();
- PreparedStatement ps;
+ PreparedStatement ps = null;
+ ResultSet rs = null;
 try {
 ps = getConnection().prepareStatement(statementBundle.getString("SELECT_CVE_FROM_SOFTWARE"));
 ps.setString(1, cpe.getVendor());
@@ -365,12 +365,11 @@ public class CveDB {
 v.setMatchedCPE(matchedCPE.getKey(), matchedCPE.getValue() ? "Y" : null);
 vulnerabilities.add(v);
 }
- DBUtils.closeResultSet(rs);
- DBUtils.closeStatement(ps);
 } catch (SQLException ex) {
 throw new DatabaseException("Exception retrieving vulnerability for " + cpeStr, ex);
 } finally {
 DBUtils.closeResultSet(rs);
+ DBUtils.closeStatement(ps);
 }
 return vulnerabilities;
 }
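Review bot: The new `finally` block in getVulnerabilities releases the statement only after `DBUtils.closeResultSet(rs)` returns, and it now runs with `ps == null` whenever `getConnection().prepareStatement(...)` throws, so the fix depends on the two DBUtils helpers, which are not shown on this page. Confirm that both are null-safe and swallow SQLException; otherwise a failure while closing the result set would skip `DBUtils.closeStatement(ps)` and could replace the DatabaseException already being propagated. If the project's language level allows it, try-with-resources on the PreparedStatement and ResultSet would make the cleanup order explicit without relying on the helpers. Failing that, a comment such as `// rs then ps are closed in finally; DBUtils helpers must tolerate null` would record the assumption, since leaked statements in a long-running scan can exhaust database cursors. The part of the method body between the second and third hunks is outside the diff, so the place where `rs` is assigned cannot be checked here.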
@@ -748,9 +747,9 @@ public class CveDB {
 * @return a dependency version
 */
 private DependencyVersion parseDependencyVersion(VulnerableSoftware cpe) {
- DependencyVersion cpeVersion;
+ final DependencyVersion cpeVersion;
 if (cpe.getVersion() != null && !cpe.getVersion().isEmpty()) {
- String versionText;
+ final String versionText;
 if (cpe.getUpdate() != null && !cpe.getUpdate().isEmpty()) {
 versionText = String.format("%s.%s", cpe.getVersion(), cpe.getUpdate());
 } else {