Summary:
- What language is this for?
  - Java
- Which rule?
  - Java static code analysis (S2259)
- Why do you believe it’s a false-negative?
  - I have detailed it below.
- I’m using
  - SonarQube Enterprise Edition (v9.9.6)
- How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)
  - I have detailed it below.
Description:
Dear SonarQube Team,
I would like to report a potential false negative case in SonarQube’s static analysis, where a possible NullPointerException (NPE) is not being detected. The issue arises in a scenario involving the use of `AtomicReference` and nullable objects.
Code Example:
```java
import java.util.List;
import java.util.concurrent.atomic.AtomicReference;
import javax.annotation.Nullable;
import io.reactivex.functions.Action;

public class ExampleService {
    private final AtomicReference<Cache<String, List<Object>>> cacheReference;

    public ExampleService(ConfigService configService) {
        cacheReference = new AtomicReference<>();
        configService.doOnConfigUpdate(() -> cacheReference.set(configService.createCache()));
    }

    public List<Object> getItems(String key) {
        Cache<String, List<Object>> cache = cacheReference.get(); // can be null
        return cache.getOrReload(key); // NPE could be thrown
    }

    public static class ConfigService {
        public void doOnConfigUpdate(Action createOrUpdateAction) {
            // This method performs the action of safely executing the cache creation or update
            // and subscribes to configuration changes.
        }

        @Nullable
        public Cache<String, List<Object>> createCache() {
            return null;
        }
    }

    public interface Cache<K, V> {
        V getOrReload(K key);
    }
}
```
Issue Details:
In the above code, the `ConfigService.createCache()` method is annotated with `@Nullable`, indicating that it can return `null`. This `null` value is then set to the `AtomicReference<Cache<String, List<Object>>> cacheReference`. When `getItems(String key)` is called, `cacheReference.get()` can return `null`, leading to a potential NPE when `cache.getOrReload(key)` is invoked.
Despite this clear path to a NullPointerException, SonarQube does not flag this as an issue. This oversight could lead to runtime exceptions that are not caught during the development phase.
Request:
Before requesting an enhancement, I would like to inquire if there is a way to configure the current version of SonarQube (v9.9.6) to detect this NPE scenario. If there is a configuration or rule adjustment that can address this, I would appreciate your guidance on implementing it.
If no such configuration is available, I kindly request that the SonarQube team consider improving detection capabilities for potential NPEs involving AtomicReference and nullable objects. Enhancing detection in these scenarios would greatly assist developers in identifying and resolving critical issues early in the development process.
Thank you for your attention to this matter.
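Whether or not the analyzer reports it, the dereference in `getItems` can be guarded in the code itself. The following is an added example, not part of the original post and not SonarQube guidance; `SafeExampleService`, `refresh()`, the `Supplier`-based factory (standing in for `ConfigService`), and the empty-list fallback are assumptions chosen so the class compiles without third-party dependencies.

```java
import java.util.Collections;
import java.util.List;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Supplier;

public class SafeExampleService {
    public interface Cache<K, V> {
        V getOrReload(K key);
    }

    // Starts empty, exactly like cacheReference in the post.
    private final AtomicReference<Cache<String, List<Object>>> cacheReference =
            new AtomicReference<>();
    private final Supplier<Cache<String, List<Object>>> cacheFactory;

    public SafeExampleService(Supplier<Cache<String, List<Object>>> cacheFactory) {
        this.cacheFactory = cacheFactory;
    }

    // Hypothetical hook: call this from the configuration-update callback.
    public void refresh() {
        Cache<String, List<Object>> fresh = cacheFactory.get(); // may be null
        if (fresh != null) {
            cacheReference.set(fresh); // never publish null; keep the previous cache
        }
    }

    public List<Object> getItems(String key) {
        // Read once into a local: a second get() could observe a different value.
        Cache<String, List<Object>> cache = cacheReference.get();
        if (cache == null) {
            return Collections.emptyList(); // no cache has been published yet
        }
        List<Object> items = cache.getOrReload(key);
        return items != null ? items : Collections.emptyList();
    }

    public static void main(String[] args) {
        // Constructed inputs: a factory that always returns null, and one that works.
        SafeExampleService nullFactory = new SafeExampleService(() -> null);
        nullFactory.refresh();
        System.out.println(nullFactory.getItems("k"));

        SafeExampleService working =
                new SafeExampleService(() -> key -> List.of((Object) key));
        working.refresh();
        System.out.println(working.getItems("k"));
    }
}
```

Throwing an `IllegalStateException` instead of returning an empty list is the stricter choice when a missing cache should fail the request rather than silently return no items.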