Example:

void m(@nullable String p, boolean b) {
if (p != null & b) p.size();
}

The Nullable Dereference analyzer currently does not handle the case when a null check is performed by passing the result of the null check to a function that aborts execution if the checked parameter was null, for example:

void m(@Nullable String argument) {
  ensureTrue(argument != null);  // Throws exception if argument == null.
  argument.hashCode();  // False positive generated here.
}

To be able to exactly analyze the above an intraprocedural analysis would be required, so to avoid this false positive the analyzer could just stop analyzing the rest of the control flow after it sees the parameter inside an expression that is passed ot a method.

See comments in #2

This issue was automatically created by Allstar.

Security Policy Violation
Project is out of compliance with Binary Artifacts policy: binaries present in source code

Rule Description
Binary Artifacts are an increased security risk in your repository. Binary artifacts cannot be reviewed, allowing the introduction of possibly obsolete or maliciously subverted executables. For more information see the Security Scorecards Documentation for Binary Artifacts.

Remediation Steps
To remediate, remove the generated executable artifacts from the repository.

Artifacts Found

• third_party/shipshape/java_dispatcher_deploy.jar

Additional Information
This policy is drawn from Security Scorecards, which is a tool that scores a project's adherence to security best practices. You may wish to run a Scorecards scan directly on this repository for more details.

Allstar has been installed on all Google managed GitHub orgs. Policies are gradually being rolled out and enforced by the GOSST and OSPO teams. Learn more at http://go/allstar

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

The latest release is 8.0.1 at commit 18624dc from 2015-10-20.

The current version is 7.1.1 at 1853c30 from 2015-07-31.

The analyzer can't handle the case where there is an indirect null check of a field and then a dereferencing of that field.

For instance:

protected Object obj;
void m() {
...
if (test()) {
obj.m();
}
...
}
boolean test() {
return obj != null;
}

This test case fails:

int f(@nullable String p) {
if (false == (p != null)) {
return 0;
}
return p.size();
}

This case produces a false positive:

if (x == null && y == null) {
return null;
}
// If x is null then y is not null
z = (x != null) ? x.m() : y.m(); // false positive for y.m()

ExtendJ has been refactored and many many bugfixes were added since the version currently used by SimpleCFG. It would be good to update to the latest version of ExtendJ, since it is now more stable and less buggy.

The ExtendJ analyzer image for Shipshape integration should be published, for example on DockerHub.

This code currently fails:

int test(@nullable String p) {
if (p == null || (true ? p.size() != 1 : false) {
return 1;
}
return 2;
}

But the following works:

int test(@nullable String p) {
if (p == null || p.size() != 1) {
return 1;
}
return 2;
}

The culprit appears to be the conditional operator.