...
This compliant solution eliminates the null return and simply returns the List, even if when it is zero-length. The client can effectively handle this situation without effectively without being interrupted by runtime exceptions. When arrays are returned instead of returning arrays rather than collections, take care must be taken to ensure that the client does not avoids attempts to access individual elements of a zero-length array. This prevents an ArrayOutOfBoundsException.
...
Returning null rather than a zero-length array or collection may lead to denial-of-service vulnerabilities when the client code does not fails to handle null values properly.
Automatic detection is straightforward, but ; fixing the problem will probably require human intervention.
...