Empty Catches may cause security risks

Software Resiliency / Programming Best Practices

Why you should care

Most developers agree that an empty catch block is not ideal. An empty catch is one in which an exception is caught and nothing is done about it, so the program carries on in a failed state as if nothing had happened. When an exception occurs it can either be thrown up to the caller or handled in a catch block; catching it and doing nothing is generally considered a flawed programming practice. It can result in an exposed stack trace or even a security risk.

Business Impacts

Empty catch blocks are considered a risk from a business perspective because they can pose security issues: the programmers and/or the company may be unaware that security has been compromised.

Production Risk
5362

CAST Recommendations

CAST recommends enforcing a company style guide that strongly discourages using empty catch blocks to work around a problem in the code. Instead, teams should be encouraged to collaborate and work through the problem together.

How we detect

This code insight flags catch blocks that do nothing. Catching an exception is meant to provide a robustness treatment or error management; a catch that does nothing masks the error and lets the program carry on while ignoring the problem.
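The masking described above, as an added example that is not CAST's or this page's own code: a security-policy loader written with the flagged empty catch, beside a hardened version that logs the failure and fails closed. The policy format, field names, defaults and sample inputs are assumptions constructed for the example.

```python
import json
import logging

# Constructed sample inputs for this example (not from the page).
VALID_POLICY = '{"require_tls": true, "max_login_attempts": 5}'
CORRUPT_POLICY = '{"require_tls": tru'  # truncated file, invalid JSON

# Assumed baseline used when a field is absent; note that it is permissive.
DEFAULTS = {"require_tls": False, "max_login_attempts": 0}


def load_policy_silent(raw: str) -> dict:
    """The flagged pattern: the empty catch swallows the parse error and the
    program continues with the permissive defaults, reporting nothing."""
    policy = dict(DEFAULTS)
    try:
        policy.update(json.loads(raw))
    except Exception:
        pass  # empty catch: the failure is masked here
    return policy


class PolicyLoadError(RuntimeError):
    """Raised when the policy cannot be trusted."""


def load_policy_strict(raw: str) -> dict:
    """Hardened form: record the failure with context and fail closed by
    raising, so no caller can run on an unverified policy."""
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError as exc:
        logging.error("policy parse failed at offset %d: %s", exc.pos, exc.msg)
        raise PolicyLoadError("refusing to continue with an unreadable policy") from exc
    policy = dict(DEFAULTS)
    policy.update(parsed)
    return policy


def strict_loader_rejects(raw: str) -> bool:
    """True when the hardened loader refuses the input instead of masking it."""
    try:
        load_policy_strict(raw)
    except PolicyLoadError:
        return True
    return False


if __name__ == "__main__":
    # Same corrupt input: the silent loader quietly turns TLS off, the strict one refuses.
    print("silent:", load_policy_silent(CORRUPT_POLICY))
    print("strict rejects:", strict_loader_rejects(CORRUPT_POLICY))
```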

Cloud Readiness

Versions & Deprecated Code

Ineffective use of the provided stack: an empty catch in the program can mask errors that may be misinterpreted when migrating to the cloud.


About CAST and Highlight’s Code Insights

Over the last 25 years, CAST has built unique knowledge of software quality measurement by analyzing thousands of applications and billions of lines of code. Based on this experience and on community standards for programming best practices, Highlight implements hundreds of code insights across 15+ technologies to calculate the health factors of a piece of software.
