I have read a bunch of the other Fortify null de-reference questions here, but none of them apply or seem to be as basic as the one our project incurred. While scanning this block of code:
private GenderCode gender;
.
.
.
if (gender != null) {
subject.setGender(gender.getName());
} else {
subject.setGender(null);
}
Fortify flags subject.setGender(null) as a possible null de-reference. This makes absolutely no sense to me -- all we are doing is explicitly setting a value to null. Note that in the local class, gender is of type GenderCode and in the subject class, gender is a String.
The original code we had:
subject.setGender(gender != null ? gender.getName() : null);
was also flagged. What variable is possibly being de-referenced here? We're only setting an attribute on another object to null! Perfectly legal. Further, the code specifically sets the value to null within an if-then-else block which should indicate to Fortify that, yes, we are doing this on purpose -- we are aware that we are setting gender (a String attribute on the subject object) to null. Why does this get flagged and is there a simple, non-convoluted solution that appeases the Fortify gods?
Related
We are seeing the NPE in the LinuxNetworkParams.getDomainName call in oshi version 6.1.6. Although I am not able to see any reason for this. Can anyone help me when with the reasons why this can throw NPE?
Caused by: java.lang.NullPointerException
at oshi.software.os.linux.LinuxNetworkParams.getDomainName(LinuxNetworkParams.java:80) ~[oshi-core-6.1.6.jar!/:6.1.6]
at com.airwatch.common.diagnostics.DiagnosticCollector.fetchSystemConfiguration(DiagnosticCollector.java:148) ~[diagnostic-library-2.0.3.jar!/:?]
Here is the code for the method :
https://github.com/oshi/oshi/blob/oshi-parent-6.1.6/oshi-core/src/main/java/oshi/software/os/linux/LinuxNetworkParams.java#L79-L80
Looks like info.ai_canonname is null, Try adding null check for ai_canonname or use null safe way to do trim like StringUtils.trim()
public static String trim(final String str) {
return str == null ? null : str.trim();
}
As #Jishnu-Prathap said in their answer, info.ai_canonname is null.
This value normally returns the "official name of the host" in response to the getaddrinfo() function whose docs state:
If hints.ai_flags includes the AI_CANONNAME flag, then the ai_canonname field of the first of the addrinfo structures in the returned list is set to point to the official name of the host.
This may represent an error in your server configuration; fixing the "official name of the host" will prevent the NPE if you keep the same OSHI version.
However, failing to null-check this value was a bug in earlier versions of OSHI but was fixed in version 6.2.2 and upgrading will also prevent the NPE (but not give you a canonical host name, since it doesn't exist!)
Small question regarding a SonarQube flagged issue I do not understand please.
My snippet is very simple.
VaultTokenResponse result = getWebClient().mutate().baseUrl(vaultUrl).build().post().retrieve().bodyToMono(VaultTokenResponse.class).block();
String vaultToken = result.getToken().getToken();
However, on the second line here, Sonarqube is telling me:
findbugs:NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE Style - Possible null pointer dereference due to return value of called method
The return value from a method is dereferenced without a null check, and the return value of that method is one that should generally be checked for null. This may lead to a NullPointerException when the code is executed
I am a bit unsure what this means.
Most of all, I do not know how to fix this.
Little help please?
Thank you
result.getToken() might return null. So when you call result.getToken().getToken() you are calling getToken() on a null reference. Thus a NullPointerException will be thrown.
So you could do something like
YourClass token = result.getToken();
if(token != null) {
String vaultToken = token.getToken(); // whatever you want to do with it
}
else {
// error handling
}
That is the best way in which I can describe what's going on.
This is my line of code:
if (offer.getFamily().getProfileImage() == null)
And this is what the debugger is showing:
Both offer and family aren't null.
So instead of going inside the if like it should it tries to get the file path and of course it fails with a NullPointerException.
java.lang.NullPointerException: Attempt to invoke virtual method 'boolean java.lang.String.isEmpty()' on a null object reference
at java.io.UnixFileSystem.resolve(UnixFileSystem.java:95)
at java.io.UnixFileSystem.resolve(UnixFileSystem.java:130)
at java.io.File.getAbsolutePath(File.java:524)
at com.yournanny.utilities.ProfileImageUtilities.showProfileImage(ProfileImageUtilities.java:109)
Here is where I get the error:
public static void showProfileImage(User user, ImageView image) {
image.setImageBitmap(BitmapFactory.decodeFile(user.getProfileImage().getAbsolutePath()));
}
What is going on here?
Update
Looking at the comments I broke the chains and re-run it, neither offer or getFamily() return null, if I call other method over them I get the expected values.
But getProfileImage() is definitely returning null, the problem is that somehow it isn't null enough when I compare it in the if.
But on calling getProfileImage().getAbsolutePath() I get this:
Well apparently the problem was with the deserialization of the offer (and particularly of the family inside of it).
I was getting offer through a retrofit get call.
I added transient to the profileImage attribute and this fixed the problem:
private transient File profileImage;
Now this is what the debugger shows:
So I'm guessing gson (I'm using it to deserialize the retrofit responses) was creating a file without a assigning it a path and that's why it was and wasn't null.
But a proper explanation would be great.
The File was non-null but its name was null internally.
How to avoid following error - ""user" is checked for null after being dereferenced.".
Highlighted code
OLCC olcc = saveOLCCRequest.getOLCC();
if (olcc != null) {
Thanks.
This is either a bug in the parasoft analyzer, or it has been able to determine that saveOLCCRequest.getOLCC() cannot return null.
It's not possible to say which from the two line snippet you've posted, but if getOLCC() cannot possibly return null then you can remove the warning by removing the null check.
This piece of code is causing a stackOverflow exception:
ISerializer serializer = buildSerializer(TestDataProvider.getAuthor());
ASObject result = (ASObject) serializer.serialize();
assert result.isNotLazyProxy
The StackOverflow is being thrown on this line: assert result.isNotLazyProxy. Note, the isNotLazyProxy method never actually gets called.
isNotLazyProxy is a extension method (what are these called in groovy?) defined as follows:
/**
* Asserts that this ASObject is not a lazy loaded proxy,
* ie - that all of it's properties' values have been included
*/
ASObject.metaClass.isNotLazyProxy = { ->
assert delegate[HibernateProxyConstants.PROXYINITIALIZED] == true
return true;
}
However, setting a breakpoint on the first line of that closure shows that it never gets called.
Instead, there's a StackOverflow thrown:
java.lang.StackOverflowError
at java.lang.System.arraycopy(Native Method)
at java.lang.String.getChars(String.java:855)
at java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:391)
at java.lang.StringBuffer.append(StringBuffer.java:224)
at java.lang.StringBuffer.<init>(StringBuffer.java:104)
at org.codehaus.groovy.runtime.InvokerHelper.formatMap(InvokerHelper.java:557)
at org.codehaus.groovy.runtime.InvokerHelper.format(InvokerHelper.java:530)
at org.codehaus.groovy.runtime.InvokerHelper.formatList(InvokerHelper.java:602)
at org.codehaus.groovy.runtime.InvokerHelper.format(InvokerHelper.java:527)
at org.codehaus.groovy.runtime.InvokerHelper.formatMap(InvokerHelper.java:575)
snip
I'm not sure if it's relevant, but ASObject is a subclass of a Map, and it's contents may have properties that refer to other keys within itself.
I would've have thought it was relevant, except the StackOverflow appears to indicate that groovy is traversing the members of the map.
What's going on? Why is this stackoverflow occurring?
assert result.isNotLazyProxy is probably not doing what you want to do.
In groovy map.somehing is translated to map.get(something). See http://groovy.codehaus.org/JN1035-Maps :
assert map2.class == null
//field syntax always refers to value of key, even if it doesn't exist
//use getClass() instead of class for maps...
assert map2.getClass() == LinkedHashMap //the kind of Map being used
So use assert result.isNotLazyProxy().
Of course result.isNotLazyProxy should return null in your case, and the assert result.isNotLazyProxy assertion should fail. When this assertion fails groovy will display an assertion error, and the map. In your case formatting the map fails for some reason.
Reason it fails:
It is a known bug, see example. As I see, it has nothing to do with ASObject, as it uses no lists.
At first glance, it looks like something else is causing the endless recursion...
Does ASObject have any other metaClass methods? Especially those overriding the getAt( key ) method of Map
I came up with this quick test script, and it seems to work fine as I'd expect (and I think it does the same as what you say you're doing)
class ASObject {
#Delegate Map map = [ 'PROXYINITIALIZED' : true ]
}
ASObject.metaClass.isNotLazyProxy = { ->
assert delegate[ 'PROXYINITIALIZED' ] == true
return true
}
assert new ASObject().isNotLazyProxy()