SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 2

changes.mady.by.user Dhruv Mohindra

Saved on

compared with

New Version Current

changes.mady.by.user Winfried Gerlach

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Do not use the null value in any instance where an object is required, including the following cases:

  • Calling the instance method of a null object
  • Accessing or modifying the field of a null object
  • Taking the length of null as if it were an array
  • Accessing or modifying the elements of null as if it were an array
  • Throwing null

...

  • as if it were a Throwable value

Using a null in cases where an object is required valid object or field and proceeding to use it without checking its state. Typically, this condition results in a NullPointerException which may lead to denial of service. While other runtime exceptions can produce similar effects, NullPointerException is often found to be the most frequent show-stopper.

Wiki Markup
The prevalence of null pointer dereferencing bugs is so widespread that it is not uncommon to find errors in security contexts. For instance, Java Webstart applications and applets particular to JDK version 1.6, prior to update 4, were affected by a bug that had some noteworthy security consequences. A {{NullPointerException}} resulted in some isolated cases when the application or applet attempted to establish an https connection with the server \[[SDN 08|AA. Java References#SDN 08]\]. This caused a denial of service issue as clients were temporarily left with no choice but to provide an insecure channel for data exchange.

Noncompliant Code Example

being thrown, which interrupts execution of the program or thread. Code conforming to this coding standard will consequently terminate because ERR08-J. Do not catch NullPointerException or any of its ancestors requires that NullPointerException is not caught. 

Noncompliant Code Example

This noncompliant example shows a bug in Tomcat version 4.1.24, initially discovered by Reasoning [Reasoning 2003]. The cardinality() method was designed to return the number of occurrences of object obj in collection col. One valid use of the cardinality() method is to determine how many objects in the collection are null. However, because membership in the collection is checked using the expression obj.equals(elt), a null pointer dereference is guaranteed whenever obj is null and elt is not null. Wiki MarkupThis noncompliant example shows a bug in Tomcat version 4.1.24 initially discovered by Reasoning \[[Reasoning 03|AA. Java References#Reasoning 03]\]. The {{cardinality}} method was designed to return the number of occurrences of object {{obj}} in collection {{col}}. A valid use case would be to determine how many objects in the collection are {{null}}, given a {{null}} object parameter. However, when coupled with the {{obj.equals(elt)}} expression, this leads to a guaranteed null pointer dereference whenever {{obj}} is {{null}}. Such ambiguity can also result from the short-circuit behavior of the conditional AND and OR operators (See [EXP06-J. Be aware of the short-circuit behavior of the conditional AND and OR operators]).

Code Block
bgColor#FFcccc

public static int cardinality(Object obj, final CollectionCollection<?> col) {
  int count = 0;
  if  Iterator(col == null) {
    return count;
  }
  Iterator<?> it = col.iterator();
  while (it.hasNext()) {
    Object elt = it.next();
    if ((null == obj && null == elt) || obj.equals(elt)) {  // nullNull pointer dereference
      count++;
    }
  }
  return count;
}

Compliant Solution

The straightforward solution to this issue is to decouple the null checks from the expression that invokes a method on the variable obj.This compliant solution eliminates the null pointer dereference by adding an explicit check:

Code Block
bgColor#ccccff
public static int cardinality(Object obj, final Collection col) {
  int count = 0;
  if (objcol == null) {
  for(  return count;
  }
  Iterator it = col.iterator();
  while (it.hasNext();) {
  // col isObject currentlyelt named coll= it.next();
    if (it.next()(null == obj && null == elt) ||
        (null != obj && obj.equals(elt))) {
      count++;
    }
  }
  return count;
} else

Noncompliant Code Example

This noncompliant code example defines an isProperName () method that returns true if the specified String argument is a valid name (two capitalized words separated by one or more spaces):

Code Block
bgColor#FFcccc
public boolean isProperName(String s) {
  for (Iterator itString names[] = cols.iteratorsplit(" ");it.hasNext();
  if (names.length != 2) {
 //  col isreturn currentlyfalse;
 named coll}
  return  if (obj.equals((isCapitalized(names[0]) && isCapitalized(names[1]));
}

Method isProperName () is noncompliant because it may be called with a null argument, resulting in a null pointer dereference.

Compliant Solution (Wrapped Method)

This compliant solution includes the same isProperName() method implementation as the previous noncompliant example, but it is now a private method with only one caller in its containing class.  

Code Block
bgColor#ccccff
public class Foo {
  private boolean isProperName(String s) {
    String names[] = s.split(" ");
    if (names.length != 2) {
 it.next())) {
     return count++false;
    }
    return (isCapitalized(names[0]) && isCapitalized(names[1]));
  }
}

...

...

...

public

...

boolean testString(String s) {
    if (s == null) return false;
    else return isProperName(s);
  }
}

The calling method, testString(), guarantees that isProperName () is always called with a valid string reference. As a result, the class conforms with this rule even though a public isProperName() method would not. Guarantees of this sort can be used to eliminate null pointer dereferences.

Compliant Solution (Optional Type)

This compliant solution uses an Optional String instead of a String object that may be null. The Optional class ( java.util.Optional [API 2014]) was introduced in Java 8 and can be used to mitigate against null pointer dereferences .

Code Block
bgColor#ccccff
public boolean isProperName(Optional<String> os) {
  String names[] = os.orElse("").split(" ");
  return (names.length != 2) ? false : 
         (isCapitalized(names[0]) && isCapitalized(names[1]));
}

The Optional class contains methods that can be used to make programs shorter and more intuitive [ Urma 2014 ].

Exceptions

EXP01-J-EX0: A method may dereference an object-typed parameter without guarantee that it is a valid object reference provided that the method documents that it (potentially) throws a NullPointerException, either via the throws clause of the method or in the method comments. However, this exception should be relied on sparingly.can happen in many path dependent ways. Due to the limitations of automatic detection tools, code review and manual inspection of code are inevitable \[[Hovemeyer 07|AA. Java References#Hovemeyer 07]\]. Annotations for method parameters that must be non-null can also alleviate the occurrences to a certain extent by aiding automatic detection.

Risk Assessment

Dereferencing a null pointer can lead to Denial a denial of Service vulnerabilitiesservice. In multithreaded programs, this null pointer dereferences can violate cache coherency policies and lead to can cause resource leaks.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

EXP01-J

low

Low

likely

Likely

high

High

P3

L3

Automated Detection

...

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[API 06|AA. Java References#API 06]\] [method doPrivileged()|http://java.sun.com/javase/6/docs/api/java/security/AccessController.html#doPrivileged(java.security.PrivilegedAction)]
\[[Reasoning 03|AA. Java References#Reasoning 03]\] Defect ID 00-0001, Null Pointer Dereference
\[[SDN 08|AA. Java References#SDN 08]\] [Bug ID 6514454|http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6514454]
\[[Hovemeyer 07|AA. Java References#Hovemeyer 07]\]
\[[MITRE 09|AA. Java References#MITRE 09]\] [CWE ID 479|http://cwe.mitre.org/data/definitions/476.html]

Null pointer dereferences can happen in path-dependent ways. Limitations of automatic detection tools can require manual inspection of code [Hovemeyer 2007] to detect instances of null pointer dereferences. Annotations for method parameters that must be non-null can reduce the need for manual inspection by assisting automated null pointer dereference detection; use of these annotations is strongly encouraged.

ToolVersionCheckerDescription
The Checker Framework
Include Page
The Checker Framework_V
The Checker Framework_V

Nullness Checker
 Initialization Checker
 Map Key Checker

Null pointer errors (see Chapter 3)
Ensure all fields are set in the constructor (see Chapter 3.8)
Track which values are keys in a map (see Chapter 4)

CodeSonar

Include Page
CodeSonar_V
CodeSonar_V

JAVA.DEEPNULL.PARAM.EACTUAL
JAVA.DEEPNULL.EFIELD
JAVA.DEEPNULL.FIELD
JAVA.NULL.PARAM.ACTUAL
JAVA.NULL.DEREF
JAVA.DEEPNULL.DEREF
JAVA.DEEPNULL.RET.EMETH
JAVA.DEEPNULL.RET.METH
JAVA.NULL.RET.ARRAY
JAVA.NULL.RET.BOOL
JAVA.NULL.RET.OPT
JAVA.STRUCT.UPD
JAVA.STRUCT.DUPD
JAVA.STRUCT.UPED
JAVA.DEEPNULL.PARAM.ACTUAL		Actual Parameter Element may be null
Field Element may be null (deep)
Field may be null (deep)
Null Parameter Dereference
Null Pointer Dereference
Null Pointer Dereference (deep)
Return Value may Contain null Element
Return Value may be null
Return null Array
Return null Boolean
Return null Optional
Unchecked Parameter Dereference
Unchecked Parameter Dereference (deep)
Unchecked Parameter Element Dereference (deep) 
null Passed to Method (deep)
Coverity

v7.5


FORWARD_NULL
NULL_RETURNS
REVERSE_INULL
FB.BC_NULL_INSTANCEOF
FB.NP_ALWAYS_NULL
FB.NP_ALWAYS_NULL_EXCEPTION
FB.NP_ARGUMENT_MIGHT_BE_NULL
FB.NP_BOOLEAN_RETURN_NULL
FB.NP_CLONE_COULD_RETURN_NULL
FB.NP_CLOSING_NULL
FB.NP_DEREFERENCE_OF_ READLINE_VALUE
FB.NP_DOES_NOT_HANDLE_NULL
FB.NP_EQUALS_SHOULD_HANDLE_ NULL_ARGUMENT
FB.NP_FIELD_NOT_INITIALIZED_ IN_CONSTRUCTOR
FB.NP_GUARANTEED_DEREF
FB.NP_GUARANTEED_DEREF_ON_ EXCEPTION_PATH
FB.NP_IMMEDIATE_DEREFERENCE_ OF_READLINE
FB.NP_LOAD_OF_KNOWN_NULL_ VALUE
FB.NP_NONNULL_FIELD_NOT_ INITIALIZED_IN_CONSTRUCTOR
FB.NP_NONNULL_PARAM_VIOLATION
FB.NP_NONNULL_RETURN_VIOLATION
FB.NP_NULL_INSTANCEOF
FB.NP_NULL_ON_SOME_PATH
FB.NP_NULL_ON_SOME_PATH_ EXCEPTION
FB.NP_NULL_ON_SOME_PATH_ FROM_RETURN_VALUE
FB.NP_NULL_ON_SOME_PATH_ MIGHT_BE_INFEASIBLE
FB.NP_NULL_PARAM_DEREF
FB.NP_NULL_PARAM_DEREF_ALL_ TARGETS_DANGEROUS
FB.NP_NULL_PARAM_DEREF_ NONVIRTUAL
FB.NP_PARAMETER_MUST_BE_NON - NULL_BUT_MARKED_AS_NULLABLE
FB.NP_STORE_INTO_NONNULL_FIELD
FB.NP_TOSTRING_COULD_ RETURN_NULL
FB.NP_UNWRITTEN_FIELD
FB.NP_UNWRITTEN_PUBLIC_OR_ PROTECTED_FIELD
FB.RCN_REDUNDANT_COMPARISON_ OF_NULL_AND_NONNULL_VALUE
FB.RCN_REDUNDANT_COMPARISON_ TWO_NULL_VALUES
FB.RCN_REDUNDANT_NULLCHECK_ OF_NONNULL_VALUE
FB.RCN_REDUNDANT_NULLCHECK_ OF_NULL_VALUE
FB.RCN_REDUNDANT_NULLCHECK_ WOULD_HAVE_BEEN_A_NPE

Implemented
Fortify
Include Page
Fortify_V
Fortify_V

Missing_Check_against_Null
Null_Dereference
Redundant_Null_Check

Implemented
Findbugs
Include Page
Findbugs_V
Findbugs_V

NP_DEREFERENCE_OF_READLINE_VALUE
NP_NULL_PARAM_DEREF
NP_TOSTRING_COULD_RETURN_NULL

Implemented
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.EXP01.NP
CERT.EXP01.NCMD		Avoid NullPointerException
Ensure that dereferenced variables match variables which were previously checked for "null"
PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

 V6008V6073V6093
SonarQube
Include Page
SonarQube_V
SonarQube_V

S2259
S2225
S2447
S2637

Null pointers should not be dereferenced
"toString()" and "clone()" methods should not return null
Null should not be returned from a "Boolean" method
"@NonNull" values should not be set to null
SpotBugs

Include Page
SpotBugs_V
SpotBugs_V

NP_DEREFERENCE_OF_READLINE_VALUE
NP_IMMEDIATE_DEREFERENCE_OF_READLINE
NP_ALWAYS_NULL
NP_NULL_ON_SOME_PATH
NP_NULL_ON_SOME_PATH_EXCEPTION
NP_NULL_PARAM_DEREF
NP_NULL_PARAM_DEREF_NONVIRTUAL
NP_NULL_PARAM_DEREF_ALL_TARGETS_DANGEROUS
NP_TOSTRING_COULD_RETURN_NULL		Implemented

Related Vulnerabilities

Java Web Start applications and applets particular to JDK version 1.6, prior to update 4, were affected by a bug that had some noteworthy security consequences. In some isolated cases, the application or applet's attempt to establish an HTTPS connection with a server generated a NullPointerException [SDN 2008]. The resulting failure to establish a secure HTTPS connection with the server caused a denial of service. Clients were temporarily forced to use an insecure HTTP channel for data exchange.

Related Guidelines

SEI CERT C Coding Standard

EXP34-C. Do not dereference null pointers

ISO/IEC TR 24772:2010

Null Pointer Dereference [XYH]

MITRE CWE

CWE-476, NULL Pointer Dereference

Android Implementation Details

Android applications are more sensitive to NullPointerException because of the constraint of the limited mobile device memory. Static members or members of an Activity may become null when memory runs out.

Bibliography

[API 2006]

Method doPrivileged()

[API 2014]Class java.util.Optional

[Hovemeyer 2007]


[Reasoning 2003]

"Defect ID 00-0001"
"Null Pointer Dereference"

[SDN 2008]

Bug ID 6514454

[ Seacord 2015 ]
 Image result for video iconImage Added EXP01-J. Never dereference null pointers LiveLesson
[Urma 2014]Tired of Null Pointer Exceptions? Consider Using Java SE 8's Optional!


...

Image Added Image Added Image Added EXP00-J. Use the same type for the second and third operands in conditional expressions      02. Expressions (EXP)      EXP02-J. Do not ignore values returned by methods