JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

CodeSonar® 9.2p0 CONFIDENTIAL CodeSecure Inc
Java

JAVA.NULL.PARAM.ACTUAL : Null Parameter Dereference (Java)

Summary

An actual parameter passed to a method might be null.

In Java, the classes java.lang.reflect.Method and java.lang.reflect.Field have some methods which throw a NullPointerException, if a specified argument is null and the method/field (used through reflection) is an instance method/field. When these instructions are detected, CodeSonar tries to statically resolve the reflection, in order to check if it is a valid reflection or if it leads to a NullPointerException. For performance reasons, CodeSonar checks only the constants inside the method where the reflection instruction is called.

If null is dereferenced, Java runs into a NullPointerException. For this reason, programmers must ensure that the content of expressions dereferenced in their programs is never null.

CodeSonar provides two sets of warning classes covering various aspects of null value handling.

For the most comprehensive null pointer checking, enable both sets of warning classes: JAVA.NULL.* and JAVA.DEEPNULL.*

Strict and Non-Strict Checking

When JAVA_ANALYSIS_STRICT_MODE=No, warnings of this class will not be issued if there are indications that the possibility of a NullPointerException has been recognized and accounted for. For example, warnings will not be issued for code inside a try-catch block that explicitly catches NullPointerException, or for a JUnit test that is annotated as expecting this exception.

When JAVA_ANALYSIS_STRICT_MODE=Yes, warnings will be issued even in these cases.

Properties

Class Name Null Parameter Dereference (Java)
Significance reliability
Mnemonic JAVA.NULL.PARAM.ACTUAL
Categories
CWE CWE:476 NULL Pointer Dereference
CERT-Java CERT-Java:EXP01-J Do not use a null in a case where an object is required
OWASP-2025 OWASP-2025:A10 Mishandling of Exceptional Conditions
Availability Available for Java and Kotlin.
Enabling Checks for this warning class are enabled by default. To disable them, add the following WARNING_FILTER rule to the project configuration file. 
WARNING_FILTER += discard class="Null Parameter Dereference (Java)"

Example 

// TestSupport.java
public class TestSupport {

  public int m01(String s) {
    return s.length();
  }

  public int m02(String s) {
    if (s != null)
      return s.length();

    return -1;
  }
}

// Test.java
public class Test {
  String f = null;

  public void test1(String s) {
    if ((System.nanoTime() % 2) == 0 || f != null)
      System.out.println(f.length()); // Null Pointer Dereference (Java) warning issued here 

    if (s != null)
      System.out.println("s01 is null");

    System.out.println(s.length());   // Null Pointer Dereference (Java) warning issued here 
  }

  public void test2(String par) {
    String s = System.currentTimeMillis() % 2 == 0 ? null : "ciao";
    TestSupport ts = new TestSupport();
    int n01 = ts.m01(s);              // Null Parameter Dereference (Java) warning issued here 
    int n02 = ts.m02(s);
                
    if (s != null)
      ts.m01(s);

    ts.m01(par);

    System.out.println(n01 + n02);
  }

  public void test3(String par) {
    if (par != null)
      System.out.println("is non-null");

    new TestSupport().m01(par);       // Null Parameter Dereference (Java) warning issued here 
  }
}

//  ReflectionExample.java 
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;

public class ReflectionExample {
    public static void Method() throws NoSuchFieldException, SecurityException,
                                       ClassNotFoundException, InstantiationException,
                                       IllegalAccessException, IllegalArgumentException,
                                       InvocationTargetException {
            
      Class<?> c = Class.forName(ClassUsedByReflection.class.getName());

      Field success1 = c.getField("ok");
      success1.get(nil());

      Field success2 = c.getField("hi");
      success2.get(new Object());              // arg0 is not null

      Field fail1 = c.getField("hi");
      fail1.get(nil());     // "Null Parameter Dereference (Java)" warning issued here. 

      Field[] fail2 = c.getFields();
      for(Field f : fail2)
          f.get(nil());     // "Null Parameter Dereference (Java)" warning issued here: 
                            // the ClassUsedByReflection class contains at least one instance field.      
    }

    private static class ClassUsedByReflection{
      public String hi = "Hello World!";       // instance field 
      public static String ok = "I am ok!";    // static, so not an instance field
      public ClassUsedByReflection(){ }
    }       

    public static String nil() {
        return null;
    }
}

Resolution

Check if the warning corresponds to a situation where null might actually be dereferenced at runtime. If that is the case, add a nullness check for the value being dereferenced, or change the logic of the code. Sometimes, a warning of this checker corresponds to a spurious nullness check, that can be removed.

Relevant Configuration File Parameters

The following configuration file parameters affect checks for this warning class.

 

To report problems with this documentation, please visit https://support.codesecure.com/.