Closed PhilippSalvisberg closed 5 months ago
The returning clause is not applicable in select and merge statements and in PL/SQL blocks. Using an out parameter in a select statement does not work. So it might be better to search for begin. This way we avoid false positives when DML is used in the dynamic PL/SQL block.
We could handle dynamic PL/SQL blocks as an exception. However, this could still lead to false positives when the PL/SQL block is unavailable in the code. For example, when passed via a parameter or read from a table.
Neither false positives nor false negatives are avoidable. Still, I think we get fewer false positives when looking for update, insert and delete.
fixed with Azure DevOps commit
A violation of G-6020 is reported in the following case:
The returning clause cannot be used in this case.
To reduce false positives it could be an option to scan the statement for insert, update, and delete. Only if one of these words is found a violation should be thrown. In this case, a returning clause should be applicable. However, even then false positives are possible, e.g. when a dynamic PL/SQL block contains an insert statement, but it is less likely. A side effect of this approach is that there will be false negatives, for example when the statement to be executed cannot be evaluated. Trying to find out if the statement contains such a keyword can be costly and should be done only when an out parameter is defined. In any case, this is a limitation and should be documented.
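The keyword scan discussed in this issue, sketched in Python as an added example. It is not the validator's own code; the function name, its parameters and the sample statements are assumptions made for illustration.

```python
import re

# Hypothetical sketch of the heuristic; all names are illustrative.
# Comments and quoted literals inside the statement are blanked out first,
# so a keyword that only appears in a string does not count.
_NOISE = re.compile(r"--[^\n]*|/\*.*?\*/|'(?:[^']|'')*'", re.DOTALL)
_DML = re.compile(r"\b(insert|update|delete)\b", re.IGNORECASE)


def reports_g6020(statement, has_out_param):
    """Return True if this sketch would report a G-6020 violation.

    statement     -- text of the dynamic statement, or None when it cannot
                     be evaluated (passed via parameter, read from a table)
    has_out_param -- True when an out parameter is defined for the statement
    """
    if not has_out_param:
        return False  # skip the costly scan when no out parameter exists
    if statement is None:
        return False  # accepted false negative: nothing to scan
    code = _NOISE.sub(" ", statement)
    return _DML.search(code) is not None


# Constructed sample statements and the expected outcome of the scan.
SAMPLES = [
    # select: a returning clause is not applicable, no keyword is found
    ("select count(*) from emp where deptno = :dept", True, False),
    # plain DML with an out parameter: reported
    ("update emp set sal = sal * 1.1 where empno = :id", True, True),
    # same DML without an out parameter: the scan is never run
    ("update emp set sal = sal * 1.1 where empno = :id", False, False),
    # statement text unavailable: false negative
    (None, True, False),
    # dynamic PL/SQL block containing DML: remaining false positive
    ("begin insert into log_t values (:msg); :rc := 1; end;", True, True),
    # keyword only inside a string literal or as part of an identifier
    ("select 'delete' as action, update_ts from t", True, False),
    # merge text contains the word update, so this naive scan reports it
    ("merge into t using s on (t.id = s.id) "
     "when matched then update set t.v = s.v", True, True),
]

if __name__ == "__main__":
    for text, has_out, expected in SAMPLES:
        print(reports_g6020(text, has_out), expected, text)
```
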