Fortify is complaining about a Null Dereference when I set a field to null:
String sortName = null;
if (lastName != null && lastName.length() > 0) {
    sortName = lastName;
}
sortOptions.setSortField(sortName); // <-- Fortify Null Dereference
Fortify's analysis trace says:
Assigned null: sortName
Branch taken: if (lastName != null && lastName.length() > 0)
Dereferenced: sortName
I could try:
if (sortName == null)
    sortOptions.setSortField(null);
else
    sortOptions.setSortField(sortName);
But that seems really silly. Anyone have experience with this one? I'd prefer to get rid of the finding vs. just write it off.
What Fortify does not like is the fact that you initialize the variable with null first, without condition, and then change it.
This should work:
String sortName;
if (lastName != null && lastName.length() > 0) {
    sortName = lastName;
} else {
    sortName = null;
}
sortOptions.setSortField(sortName);
(Or use the ternary operator if you prefer)
This way you initialize sortName only once, and explicitly show that a null value is the right one in some cases, and not that you forgot some cases, leading to a var staying null while it is unexpected.
The Null Dereference error was on the line of code sortName = lastName; not the call of the setter: Fortify does not want you to conditionally change the value of a variable that was set to null without doing so in all the branches.
Thierry's answer works great. This also passes Fortify's scan:
Optional<String> sortName = Optional.empty();
if (lastName != null && lastName.length() > 0) {
    sortName = Optional.ofNullable(lastName);
}
sortOptions.setSortField(sortName.orElse(null));
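The two answers above show how to shape the caller so the analyzer sees a deliberate null rather than a forgotten one. The class below is an added, self-contained example (not code from the question or from either answer, and not Fortify's own guidance) that puts the all-branches form, the ternary form the first answer mentions, and the Optional form from the second answer side by side, and exercises them with a non-empty, an empty and a null last name. SortOptions, setSortField and the rule that null means "no sort field" while an empty string is rejected are assumptions made for this example; the real setter's contract is what decides whether passing null is safe.

```java
import java.util.Objects;
import java.util.Optional;

// Added example: a stand-in SortOptions whose setter states its null contract,
// with the caller shapes from the two answers compared on the same inputs.
// SortOptions, setSortField and their semantics are assumptions for this example.
public class SortFieldExample {

    static final class SortOptions {
        private String sortField; // null is an explicit "unsorted" state, not an accident

        // The callee owns the meaning of null; callers should not have to guess it.
        void setSortField(String field) {
            if (field != null && field.isEmpty()) {
                throw new IllegalArgumentException("sort field must not be empty");
            }
            this.sortField = field;
        }

        Optional<String> sortField() {
            return Optional.ofNullable(sortField);
        }
    }

    // Shape from the first answer: every branch assigns, so the null is visibly intended.
    static SortOptions viaBranches(String lastName) {
        SortOptions opts = new SortOptions();
        String sortName;
        if (lastName != null && !lastName.isEmpty()) {
            sortName = lastName;
        } else {
            sortName = null;
        }
        opts.setSortField(sortName);
        return opts;
    }

    // The same thing written with the ternary operator the first answer suggests.
    static SortOptions viaTernary(String lastName) {
        SortOptions opts = new SortOptions();
        String sortName = (lastName != null && !lastName.isEmpty()) ? lastName : null;
        opts.setSortField(sortName);
        return opts;
    }

    // Shape from the second answer: carry absence as an Optional, unwrap at the call site.
    static SortOptions viaOptional(String lastName) {
        SortOptions opts = new SortOptions();
        Optional<String> sortName = Optional.empty();
        if (lastName != null && !lastName.isEmpty()) {
            sortName = Optional.of(lastName); // lastName is non-null here, so of() is safe
        }
        opts.setSortField(sortName.orElse(null));
        return opts;
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal name, an empty string and null.
        for (String input : new String[] {"Smith", "", null}) {
            Optional<String> a = viaBranches(input).sortField();
            Optional<String> b = viaTernary(input).sortField();
            Optional<String> c = viaOptional(input).sortField();
            // All three shapes must leave SortOptions in the same state.
            if (!a.equals(b) || !b.equals(c)) {
                throw new AssertionError("callers disagree for input " + input);
            }
            System.out.println(Objects.toString(input) + " -> "
                    + a.map(s -> "sort by " + s).orElse("unsorted"));
        }
    }
}
```

Running it prints "Smith -> sort by Smith", " -> unsorted" and "null -> unsorted". The point of the harness is that all three caller shapes are equivalent at runtime; what changes is only whether the static analyzer can see that the null reaching setSortField is a chosen value, and whether the setter itself tolerates it.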