java:S2259 False Negative: Fails to Report Null Pointer Dereferences in Non-static Methods

Hello @mohui1999,

First, thank you for your patience. I should have answered earlier.

What you are reporting is indeed an FN of the rule; however, this is an intended one. The FN is caused by a limitation of the Symbolic Execution engine that rule java:S2259 relies on. Thanks for pointing us to it. Unfortunately, we don’t plan to fix it for the time being, as it would require too much investment.

More precisely, in your second example, the method hasArguments() is a class instance method and therefore requires a class instance to be called. Unfortunately, so far the engine that runs this rule is not able to track runtime types in the execution paths it follows. In order to explore what a method is doing, and to be as sure as possible not to raise FPs, the engine will therefore only track methods that are effectively final.

In your example, since the method can be overridden (even if it is not in your scenario), the engine does not take the risk of raising an FP and doesn’t raise an issue. Make your class final, or your method static or final, and you will see the issue appear. In such a context, it is necessarily this method being called, and so the engine knows it does not make any mistake.

Finally, note that we are working on a new bug-detection engine, which should, at some point, be able to handle such cases and would allow us to replace this rule with a more performant version of it (this new engine is already running on SonarCloud and some versions of SonarQube).

Hope this helps,
Michael
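The two situations Michael describes, as an added illustration that is not code from the thread or from SonarSource: the class names, the `args` field and the `firstArgumentLength()` caller are constructed here; only `hasArguments()` comes from the discussion. The first variant shows the shape the engine does not follow (overridable instance method), the second the shape it does (effectively final method).

```java
import java.util.List;

// Variant 1: open class with an overridable instance method. According to the
// reply above, the symbolic execution engine behind java:S2259 does not follow
// a method that could be overridden at runtime, so the null return is never
// seen and the dereference in firstArgumentLength() is not reported (the FN).
class OpenCommand {
    private final List<String> args;

    OpenCommand(List<String> args) { this.args = args; }

    // Returns null when no arguments were given (constructed contract);
    // a subclass could override this and change the behaviour.
    List<String> hasArguments() {
        return args.isEmpty() ? null : args;
    }

    int firstArgumentLength() {
        // NullPointerException for an empty args list, but no S2259 issue here.
        return hasArguments().get(0).length();
    }
}

// Variant 2: identical logic, but the class is final, so hasArguments() is
// effectively final. Per the reply, the engine now tracks the method body,
// sees the possible null return, and raises S2259 on the dereference. Making
// only the method final, or static, has the same effect.
final class SealedCommand {
    private final List<String> args;

    SealedCommand(List<String> args) { this.args = args; }

    List<String> hasArguments() {
        return args.isEmpty() ? null : args;
    }

    int firstArgumentLength() {
        // S2259 expected here: the engine knows which hasArguments() runs.
        return hasArguments().get(0).length();
    }
}
```

Until the engine change Michael mentions lands, a defensive null check in the caller (or returning an empty list instead of null) removes the crash in both variants regardless of whether the analyzer reports it.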