The Java rule S2259 produces a FP, if the null check is performed in another class.
public class MyChecker {
public static boolean isNullOrEmpty(CharSequence cs) {
if ((cs == null) || (cs.length() == 0))
return true;
return false;
}
}
public class A {
private static String getS() {
if (Boolean.parseBoolean("true"))
return null;
return "foo";
}
public static void foo() {
String s = getS();
if (!MyChecker.isNullOrEmpty(s)) {
s.getClass(); // FP
}
}
}
Yes, s can be null. But the method MyChecker.isNullOrEmpty() clearly checks for nulls. And hence the NPE cannot happen.
As long as Sonar has access to the implementation of isNullOrEmpty() it should dive into that method.
Thank you for reporting the problem, indeed the symbolic execution engine is not able to combine information from different files. You can track the progress at https://sonarsource.atlassian.net/browse/SONARJAVA-4026. Otherwise, you can mark the issue as a FP.
Concerning your question, if you mark a problem as a FP and then the rule changes and the problem is no longer raised, it will automatically change the issue state from FP to fixed (silently).
From what I understand, if for instance, the analyzer raises the rule S2259 on some code in a file. You mark the issue as an FP in SonarQube. Then you can see it as an FP on SonarQube (in issues, resolution). If the analyzer doesn’t raise the issue anymore (and the code doesn’t change), you will see it under Fixed with a message :
This issue is Closed (Fixed) . It was detected in the file below and is no longer being detected.