
I am going through a code analysis report of my project and got a lot of issues on null dereference.

We always declare an object as null. Let's say

String str = null;

Perform business logic with conditional operators

if (a.equals(b)) { str = "Assigned"; }

then assign the string to value objects.

form.setString(str);

We have followed a similar kind of coding practice everywhere in the codebase and handled the not-null check perfectly across the code base.

But we are still getting the "null dereference" security vulnerability issue. I don't think it is a valid vulnerability, as we do not null check before accessing any variable from the VO.

There could be a valid argument: what would happen if the business logic does not execute and sets null in your VO? But it is handled well before accessing it.

Also,

I do not have any issues in initializing a blank string (or any primitive data type) instead of null (with an equivalent). This would work if I add an empty check instead of a not-null check. But what about the collections framework? If I initialize an array list and instantiate it (instead of null), would it allocate memory for the list?

List strList = new ArrayList();

Please advise whether I can ignore these kinds of null dereference issues from the report, or whether I should handle them by instantiating the objects.

Dhana
  • It may come down to a style thing, but I would avoid null whenever possible. You could be right, and if you are really careful, you can probably avoid most or all null dereference issues, but why not just initialize the var to something other than null and sidestep the issue entirely? Aside from bugs, it can (depending a lot on your error handling) reveal system details to a bad actor, which is why I'm guessing it's being flagged as a security issue (https://www.owasp.org/index.php/Null_Dereference). Are you able to provide an in context example of one of these security issues you are seeing? – Nick DeFazio Apr 11 '18 at 15:22
  • Thanks @Nick I have 100s of such instances. But I am not able to share the exact code. Most of them are like declaring a string, assign null to it, perform business logic bounded by conditions and instantiate & assign value to it. Then, set the string to VO variable. – Dhana Apr 11 '18 at 15:27
  • Other question on the context, I wonder if I initialize a list while declaring would cause any memory related issues? – Dhana Apr 11 '18 at 15:30
  • It would create an object that takes a non-zero amount of memory. – Kayaman Apr 11 '18 at 15:40

1 Answer


I spoke to a security architect. You can suppress this issue in the tool if you can prove that this piece of code will not produce a null pointer exception. But a proper coding practice is required to avoid using null in such unwanted cases.

Dhana
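As an added example that is not part of the question or the answer: the declare-null, conditionally-assign, set-into-VO pattern the question describes, beside the null-free form the answer recommends. FormVO and its setters are hypothetical stand-ins for the poster's value object.

```java
import java.util.ArrayList;
import java.util.List;
// Added example, not code from the question or answer. FormVO and its
// setters are hypothetical stand-ins for the poster's value object (VO).
public class NullDereferenceExample {
    static class FormVO {
        private String label;
        private List<String> items;
        void setLabel(String label) { this.label = label; }
        void setItems(List<String> items) { this.items = items; }
        String getLabel() { return label; }
        List<String> getItems() { return items; }
    }

    // The flagged pattern: on the path where the condition is false, str is
    // still null when it reaches the VO, and the first dereference throws NPE.
    // A static analyzer reports exactly that path, whether or not callers
    // happen to check for null later.
    static int flaggedPattern(String a, String b) {
        String str = null;
        if (a.equals(b)) { str = "Assigned"; }
        FormVO form = new FormVO();
        form.setLabel(str);
        return form.getLabel().length();   // NPE whenever a != b
    }

    // The null-free alternative: start from an empty string and an empty list,
    // so every path hands the VO a usable object and callers test isEmpty()
    // rather than == null. new ArrayList<>() costs one small object; recent
    // JDKs allocate the backing array only on the first add().
    static int saferPattern(String a, String b) {
        String str = "";
        List<String> strList = new ArrayList<>();
        if (a != null && a.equals(b)) {
            str = "Assigned";
            strList.add(str);
        }
        FormVO form = new FormVO();
        form.setLabel(str);
        form.setItems(strList);
        return form.getLabel().length() + form.getItems().size();
    }

    public static void main(String[] args) {
        System.out.println(saferPattern("x", "y"));   // 0: empty label, empty list
        System.out.println(saferPattern("x", "x"));   // 9: "Assigned".length() + 1
        try {
            flaggedPattern("x", "y");
        } catch (NullPointerException e) {
            System.out.println("flagged path throws NPE");
        }
    }
}
```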