SonarJava does support interprocedural analysis?(NPE)

A.java <- class A { static String foo() { return null;}}
B.java <- class B { String bar(){ A.foo().xxx();}}

Here B.java, A.foo() returns null, it should raise NPE, but the sonarJava doesn’t report this problem…
Does sonarJava support cross-file (interprocedural analysi)?

Short answer is : no.

Longer answer is : we have some behaviors of well known methods that are read into bytecode and avalaible for such kind of rules. So yes for a very limited scope as of today.
We do have in mind do develop some technologies and tools in order to detect such cases but this is way to early to commit to anything yet…

What you describe is using this: BehaviorCache? So If the user could provide sonar.java.binaries, sonarjava can get the information to reduce the false positive?

Hello,

BehaviorCache is only the tip of the iceberg. It allows computation (and then store) summaries of well known methods from common utility libraries (white-list based). For these methods, we know the engine is able to deduce the correct behaviors, which won’t produce FPs during analysis.

The interprocedural cross-file analysis capacities of the SonarJava engine currently stops at this point. For methods defined in the same file, however, the engine will try as much as possible to take benefit of inter-procedural analysis, and the deduced behaviors. Concretely, the following case would have been detected:

A.java

class A {
  static String foo() {
    return null;
  }

  void bar(){
    foo().length(); // NPE detected
  }
}

Hope this helps,
Michael