'Common' library that check null are not taken into account by the rule 'Null pointers should not be dereferenced'

[laro...@idm.fr]

Where I work some common library are used to check null.

One of the most common is org.apache.commons.collections.CollectionUtils where we use isNotEmpty to check a collection is both not-null and not empty.

I know they are a lot of this kind of library, and here are my questions:

- Can/should I edit the default rules that check null to include my own convention ? 

- Is it better to have a new rules extending the default one, and disable the default one ?

- Is this the kind of rules that can be extended to Sonar, or with so many library that is not something you want to do 'by default' ?

Tristan.

[Nicolas Peru]

Hi, 

This case is definitely something we (at SonarSource) want to cover. The correct approach to cover this would be to have cross procedural symbolic execution (ie: somehow inline the code of the methods you mentioned to check that indeed when this returns true, the parameter is not null etc..). 

But this is a complex topic not covered for now. In the meantime I can't really recommend you to extend the rule as that will be _very_ hard to maintain. So I would only recommend (for now) to mark issues as false positive and be patient for X-procedural Symbolic Execution to be delivered in the java plugin. 

Cheers, 

--
You received this message because you are subscribed to the Google Groups "SonarQube" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sonarqube+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sonarqube/6b918a53-31e1-4f04-beeb-3b1a711e1238%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Nicolas PERU | SonarSource

Senior Developer
http://sonarsource.com

https://twitter.com/benzonico