rspec/rules/S2259/java/rule.adoc

== Why is this an issue?

A reference to `null` should never be dereferenced/accessed.
Doing so will cause a `NullPointerException` to be thrown.
At best, such an exception will cause abrupt program termination.
At worst, it could expose debugging information that would be useful to an attacker,
or it could allow an attacker to bypass security measures.

Note that when they are present, this rule takes advantage of nullability annotations,
like `@CheckForNull` or `@Nonnull`, defined in https://jcp.org/en/jsr/detail?id=305[JSR-305]
to understand which values can be null or not.
`@Nonnull` will be ignored if used on the parameter of the `equals` method, which by contract should always work with null.

== How to fix it

=== Code examples

==== Noncompliant code example

include::noncompliant-code.adoc[]

==== Compliant solution

include::compliant-code.adoc[]

== Resources

* CWE - https://cwe.mitre.org/data/definitions/476[CWE-476 - NULL Pointer Dereference]
* CERT, EXP34-C. - https://wiki.sei.cmu.edu/confluence/x/QdcxBQ[Do not dereference null pointers]
* CERT, EXP01-J. - https://wiki.sei.cmu.edu/confluence/x/aDdGBQ[Do not use a null in a case where an object is required]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

* 'XXXX' is nullable here and method 'YYY' don't accept nullable argument
* NullPointerException might be thrown as 'XXXX' is nullable here


include::../highlighting.adoc[]

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Modify S2259: Migrate to LaYC - null dereference (#3337) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com> Co-authored-by: leonardo-pilastri-sonarsource <115481625+leonardo-pilastri-sonarsource@users.noreply.github.com> 2023-10-23 14:29:59 +02:00			A reference to `null` should never be dereferenced/accessed.
			Doing so will cause a `NullPointerException` to be thrown.
			`At best, such an exception will cause abrupt program termination.`
			`At worst, it could expose debugging information that would be useful to an attacker,`
			`or it could allow an attacker to bypass security measures.`

			`Note that when they are present, this rule takes advantage of nullability annotations,`
			like `@CheckForNull` or `@Nonnull`, defined in https://jcp.org/en/jsr/detail?id=305[JSR-305]
			`to understand which values can be null or not.`
			`@Nonnull` will be ignored if used on the parameter of the `equals` method, which by contract should always work with null.

			`== How to fix it`

			`=== Code examples`

			`==== Noncompliant code example`

			`include::noncompliant-code.adoc[]`

			`==== Compliant solution`

			`include::compliant-code.adoc[]`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Resources`
RULEAPI-665: Remove security standards from the irrelevant language-specific rules (#362) 2021-09-21 15:40:35 +02:00
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) * Fix all CWE references * Fix all OWASP references * Fix missing CWE prefixes 2024-01-15 17:15:56 +01:00			`* CWE - https://cwe.mitre.org/data/definitions/476[CWE-476 - NULL Pointer Dereference]`
Modify S2259: Migrate to LaYC - null dereference (#3337) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com> Co-authored-by: leonardo-pilastri-sonarsource <115481625+leonardo-pilastri-sonarsource@users.noreply.github.com> 2023-10-23 14:29:59 +02:00			`* CERT, EXP34-C. - https://wiki.sei.cmu.edu/confluence/x/QdcxBQ[Do not dereference null pointers]`
			`* CERT, EXP01-J. - https://wiki.sei.cmu.edu/confluence/x/aDdGBQ[Do not use a null in a case where an object is required]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`* 'XXXX' is nullable here and method 'YYY' don't accept nullable argument`
			`* NullPointerException might be thrown as 'XXXX' is nullable here`

RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`include::../highlighting.adoc[]`

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`include::../comments-and-links.adoc[]`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`