[squid:S2259] False positive - "Null pointers should not be dereferenced"


Stuart Stephen
Jan 26, 2018, 10:41:53 AM
to SonarQube

Hi all,

We seem to have a false positive for "Null pointers should not be dereferenced" - squid:S2259. We cannot understand how there could be a null pointer exception at the reported line. We understand that there could be null values in a list, but there aren't. It doesn't seem to worry about this anyway.

It seems to think that the line where riskHeader is passed into RiskHeaderLocal.factory.getDto(riskHeader) could alter the reference, but we don't see how that is possible.
  • SonarQube 5.6.6
  • Sonar Scanner 3.0.3.778
  • SonarLint 3.3.0.201711211047
  • Eclipse Oxygen.1a Release (4.7.1a)
SonarLint report: [screenshot not included]

SonarQube report (which seems to highlight line 2806 as the cause): [screenshot not included]

Any ideas gratefully received.


Thanks,
Stuart

G. Ann Campbell
Jan 30, 2018, 8:06:35 AM
to SonarQube
Hi Stuart,

The most important part of this equation is the version of SonarJava installed on your server (assuming you're running SonarLint in connected mode).

Also note that 5.6.7 is the previous LTS. 6.7.1 is the new LTS & I urge you to upgrade at your earliest convenience. /obligatoryPSA.


:-)
Ann

Stuart Stephen
Feb 1, 2018, 8:39:53 AM
to G. Ann Campbell, SonarQube
Hi Ann,

Thanks for coming back on this. We have SonarJava 4.15.0.12310.

In the mean-time, I will upgrade the system.

Thanks,
Stuart

--
You received this message because you are subscribed to a topic in the Google Groups "SonarQube" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/sonarqube/JnJYvj8mtlU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to sonarqube+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sonarqube/a8bd968e-2112-4157-b930-6a72aed28c67%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Michael Gumowski
Feb 2, 2018, 7:06:18 AM
to Stuart Stephen, G. Ann Campbell, SonarQube
Hey Stuart,

I successfully reproduced your FP with version 4.15.0.12310 of the SonarJava analyzer, but the issue disappears with the latest release: 5.1.0.13090. I won't investigate further.
SonarJava 5.1 is only compatible with SonarQube LTS 6.7, so I would strongly encourage you to update, in order to benefit from the latest fixes.

Regards,
Michael

--
Michael Gumowski | SonarSource
Software Developer, Language Team
https://www.sonarsource.com

Stuart Stephen
Feb 2, 2018, 12:38:33 PM
to Michael Gumowski, G. Ann Campbell, SonarQube
Hi Michael,

Thanks for looking into the issue. It's great that you could replicate and also that it appears to be fixed too :)

I've been upgrading to 6.7.1 LTS, but we're having some teething issues. GC Overhead Limit for example, though we've given the Compute Engine 8GB of memory!

Hopefully we'll get past the issues and see some differences soon. I'll let you know.

Cheers,
Stuart


Stuart Stephen
Feb 5, 2018, 7:04:54 AM
to SonarQube
Hi Michael,

Unfortunately we're still having some issues here after the update. We're now running:
  • SonarQube 6.7.1 LTS
  • SonarJava 5.1 (build 13090)
We get the following reasoning, where #2 and especially #3 seem a little dubious.

The factory.getDto( key ) method is not solely for this invocation sequence, but for many other scenarios too. I checked getEnquiry() and this will always return a value, as there is a null-check if block surrounding this code. The call to getRiskHeader() will always return a collection, either empty or with n values. The logic determining that riskHeader is null appears to be too strict in this given scenario.


1: [screenshot not included]
2: [screenshot not included]
3: [screenshot not included]
4: [screenshot not included]

Your input is appreciated.

Thanks,
Stuart


Michael Gumowski
Mar 20, 2018, 10:49:57 AM
to Stuart Stephen, SonarQube
Hello Stuart,

Sorry for coming back to you after so much time.
I tried again to reproduce the issue, but because I do not have access to your code, I had to figure out something (which I hope is) equivalent. I ended up with the following case, which from my point of view, illustrates the FP you are getting:

import java.util.List;
import javax.annotation.Nonnull;

abstract class A {
  void foo(List<A> items) {
    for (@Nonnull A item : items) {        // every element declared non-null
      Object o = qix(A.bar(item));         // bar() tolerates a null argument ...
      if ("foo".equals(o.toString())) {
        item.toString(); // FP S2259      // ... so the analyzer treats item as possibly null here
      }
    }
  }

  private static String bar(A item) {
    if (item != null) {                    // this null check is what the analyzer learns from
      return item.toString();
    }
    return null;
  }

  abstract Object qix(String s);
}


Now, from what I can see in your example from the first post, there is a difference between what you had in SonarLint and in SonarQube:
  • In SonarLint, the declaration of the variable riskHeader in the foreach loop is annotated with @Nonnull,
  • In SonarQube, there is no such annotation next to the variable.
Without the @Nonnull annotation, I'm not quite sure that it's a FP. It does not make it obvious to me that the list cannot contain null elements, and I would consider the issue legit. With the annotation, however, it's clearly a FP to me: we are explicitly stating that each item of the list is non-null, and I would expect the analyzer to understand that.

I'm reproducing the issue with the latest release of SonarJava (5.2.0), and I have consequently created the following ticket to handle it: SONARJAVA-2693

Cheers,
Michael

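
As an added example (editor's code, not from this thread and not SonarSource's), the shape Michael's reduction describes, written out with plain JDK types so it compiles without the JSR-305 jar: a loop variable is handed to a helper that is shared by many call sites and therefore null-checks its argument, and the element is dereferenced afterwards. Beside it are two rewrites that state the non-null invariant in the caller itself instead of relying on the callee's check or on @Nonnull support. The names (RiskHeader, toDtoKey, countMatches and friends) are illustrative assumptions standing in for the thread's riskHeader and RiskHeaderLocal.factory.getDto(); whether a given SonarJava build still reports the first shape is version-dependent, as the thread shows, and the @Nonnull form is Michael's block above.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Objects;

// Added example (not from the thread). Illustrative stand-ins for the
// thread's riskHeader / RiskHeaderLocal.factory.getDto() are assumptions.
public class S2259Shapes {

    static final class RiskHeader {
        final String code;
        RiskHeader(String code) { this.code = code; }
    }

    // Stand-in for factory.getDto(): used from many call sites, so it
    // legitimately tolerates a null argument. That tolerance is what the
    // analyzer reads as "the argument may be null".
    static String toDtoKey(RiskHeader h) {
        if (h != null) {
            return h.code;
        }
        return null;
    }

    // Shape 1: the pattern discussed in the thread. On the path where
    // wanted.equals(key) holds, key is non-null, which (reading toDtoKey)
    // implies h is non-null too, but nothing in this method says so.
    static int countMatches(List<RiskHeader> headers, String wanted) {
        int n = 0;
        for (RiskHeader h : headers) {
            String key = toDtoKey(h);
            if (wanted.equals(key)) {
                n += h.code.length(); // the dereference S2259 points at
            }
        }
        return n;
    }

    // Shape 2: make the invariant local. A null element is skipped and
    // the non-null fact no longer depends on the callee's behaviour.
    static int countMatchesGuarded(List<RiskHeader> headers, String wanted) {
        int n = 0;
        for (RiskHeader h : headers) {
            if (h == null) {
                continue; // if this ever fires, the list producer is the real bug
            }
            if (wanted.equals(toDtoKey(h))) {
                n += h.code.length();
            }
        }
        return n;
    }

    // Shape 3: fail fast. Objects.requireNonNull turns the silent assumption
    // "the list never contains null" into a checked precondition with a
    // message, which is usually what you want for data crossing a boundary.
    static int countMatchesStrict(List<RiskHeader> headers, String wanted) {
        int n = 0;
        for (RiskHeader h : headers) {
            RiskHeader nonNull = Objects.requireNonNull(h, "riskHeader list must not contain null");
            if (wanted.equals(toDtoKey(nonNull))) {
                n += nonNull.code.length();
            }
        }
        return n;
    }

    public static void main(String[] args) {
        // Constructed sample input (not real data).
        List<RiskHeader> headers = Arrays.asList(
                new RiskHeader("FIRE"), new RiskHeader("FLOOD"), new RiskHeader("FIRE"));
        System.out.println("shape 1: " + countMatches(headers, "FIRE"));
        System.out.println("shape 2: " + countMatchesGuarded(headers, "FIRE"));
        System.out.println("shape 3: " + countMatchesStrict(headers, "FIRE"));

        // A list that really does contain null: shape 1 silently skips it because
        // toDtoKey(null) returns null, shape 2 skips it by design, shape 3 rejects it.
        List<RiskHeader> withNull = Arrays.asList(new RiskHeader("FIRE"), null);
        System.out.println("shape 1, null element: " + countMatches(withNull, "FIRE"));
        System.out.println("shape 2, null element: " + countMatchesGuarded(withNull, "FIRE"));
        try {
            countMatchesStrict(withNull, "FIRE");
        } catch (NullPointerException e) {
            System.out.println("shape 3, null element: rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac S2259Shapes.java && java S2259Shapes`. The practical point for a team in Stuart's position: when a rule fires on a dereference whose safety rests on a null check inside some other method, either add the guard where the dereference is (shapes 2 and 3) or annotate the element type, rather than marking the issue as a false positive and moving on, since the same code without the guard is exactly what becomes a real NPE the day the list producer changes.
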

Stuart Stephen
Mar 20, 2018, 12:39:26 PM
to Michael Gumowski, SonarQube
Hi Michael,

That is great, I appreciate the effort that you have put into looking at this issue. Thank you for spending the time to look at it.

Cheers,
Stuart