SonarQube does not detect a null check done by a method and shows a possible NullPointerException

I have a Gradle (6.1) project and I am using SonarQube 8.2. In the project, I have the following method.

public void updateCatalog(final Catalog catalog){
    if(Validator.validate(catalog)){
        addItem(catalog.getMainItem());
        ....
    }
}

The catalog object is nullable, and the Validator.validate() method has a null check, so a NullPointerException cannot be thrown from catalog.getMainItem(). Also please note that the Validator class is from a third-party dependency (managed by us).

But the issue is that SonarQube raises an issue saying

“NullPointerException” will be thrown when invoking method “updateCatalog()”

But it cannot throw a NullPointerException. Seems like a false positive. I would like to know what might be the cause of this and how to resolve it.

Hello @Gayanvir,

Thanks for reporting the issue. What you are observing here is unfortunately the result of a limitation of our Symbolic Execution (SE) engine.

As of today, the SE engine cannot predict what the behavior of methods would be if they are not part of the current file being analyzed (it also requires these methods to be non-overridable).

The consequence is exactly this kind of FP: the engine doesn't learn that, in order to return true, catalog is required to be not_null. If the definition of Validator.validate(...) had been part of the file, the engine would have been able to deduce this method's behavior and behave correctly, not reporting the issue at the end.

As of today, we have no solution to work around this issue, other than marking the issue as an FP on SonarQube/SonarCloud. We are also thinking about a third approach, which would allow end-users to define their own behaviors for their utility methods (SONARJAVA-3502), but it's still a draft.

Cheers,
Michael
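As an added illustration of the limitation described in the reply above (this is example code written for this page, not code from the original poster or from SonarSource), the class below shows the two shapes the SE engine can reason about without cross-file knowledge: a validation helper that is defined in the same file and is not overridable (private static), and an explicit null guard at the call site. Catalog, Item, ExternalValidator and the method names are assumed stand-ins; the original thread shows none of their definitions, and the real Validator lives in a separate third-party dependency. Whether a given SonarQube version clears the issue for each shape is not stated in the thread and is an assumption based on Michael's description.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;

// Added example, not from the original thread. Catalog, Item and
// ExternalValidator are hypothetical stand-ins for the poster's types.
public class CatalogService {

    static final class Item { }

    static final class Catalog {
        private final Item mainItem;
        Catalog(Item mainItem) { this.mainItem = mainItem; }
        Item getMainItem() { return mainItem; }
    }

    private final List<Item> items = new ArrayList<>();

    // Shape A: the helper is defined in this file and is private static,
    // so it is not overridable. Per the reply above, the SE engine can
    // analyse its body and learn that returning true implies catalog != null.
    private static boolean validateLocally(Catalog catalog) {
        if (catalog == null) {
            return false;
        }
        return catalog.getMainItem() != null;
    }

    public void updateCatalogWithLocalValidator(final Catalog catalog) {
        if (validateLocally(catalog)) {
            addItem(catalog.getMainItem()); // guarded by a same-file, non-overridable check
        }
    }

    // Shape B: the null check is made visible in the calling method itself,
    // so no knowledge of the validator's body is needed. The external
    // validator still runs; the explicit guard is what the engine reasons about.
    // (ExternalValidator is kept in this file only so the example compiles
    // stand-alone; in the original post the validator is in another dependency.)
    public void updateCatalogWithExplicitGuard(final Catalog catalog) {
        if (catalog != null && ExternalValidator.validate(catalog)) {
            addItem(catalog.getMainItem());
        }
    }

    private void addItem(Item item) {
        items.add(Objects.requireNonNull(item, "item"));
    }

    int itemCount() {
        return items.size();
    }

    // Assumed stand-in for the third-party Validator from the original post.
    static final class ExternalValidator {
        static boolean validate(Catalog catalog) {
            return catalog != null && catalog.getMainItem() != null;
        }
    }

    public static void main(String[] args) {
        CatalogService service = new CatalogService();
        service.updateCatalogWithLocalValidator(null);  // skipped by the guard, no NPE
        service.updateCatalogWithExplicitGuard(null);   // skipped by the guard, no NPE
        service.updateCatalogWithLocalValidator(new Catalog(new Item()));
        service.updateCatalogWithExplicitGuard(new Catalog(new Item()));
        System.out.println("items added: " + service.itemCount());
    }
}
```

Shape B duplicates a check the third-party validator already performs, which is the trade-off: it costs one redundant comparison but keeps the nullness evidence inside the analysed method. Shape A only applies when the validation logic can be moved into the same file, which it cannot for the poster's external Validator; otherwise the only option the reply offers is marking the issue as a false positive.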
