I got Fortify findings back and I'm getting a null dereference. I think I know why I'm getting it, just wanted to know what would be the best way to fix the issue. Here is a code snippet:

public class Example{
    private Collection<Auth> Authorities;
    public Example(SomeUser user){
        for(String role: user.getAuth()){ //This is where Fortify gives me a null dereference
            Authorities.add(new Auth(role));
        }
    }

    private List<String> getAuth(){
        return null;
    }
}
shmosel
JLo

1 Answer

getAuth() should not return null. A method returning a List should, by convention, never return null but an empty List as the default "empty" value.

private List<String> getAuth(){
    return new ArrayList<>();
}

java.util.Collections.emptyList() should only be used if you are sure that every caller of the method does not change the list (does not try to add any items), as this would fail on this unmodifiable List. Only iterating over the list would be fine.
If you can guarantee this, then the empty List is even better, as it does not create a new object all the time.

Simulant
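
An added example (not code from the question or the answer) that puts both points of the answer into one runnable class: a getAuth() that never returns null, and the UnsupportedOperationException a caller gets when it tries to add to Collections.emptyList(). SomeUser, Auth and the role strings are hypothetical stand-ins, and the record syntax assumes Java 16 or later.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

public class NullSafeAuthorities {
    // Hypothetical stand-ins for the question's Auth and SomeUser types.
    record Auth(String role) {}

    static class SomeUser {
        private final List<String> roles;
        SomeUser(List<String> roles) { this.roles = roles; }

        // Never returns null: a missing role list becomes the shared immutable empty list,
        // and a present one is exposed read-only so callers cannot alter the user's roles.
        List<String> getAuth() {
            return roles == null ? Collections.emptyList() : Collections.unmodifiableList(roles);
        }
    }

    // Initialized at declaration so add() cannot dereference null either.
    private final Collection<Auth> authorities = new ArrayList<>();

    NullSafeAuthorities(SomeUser user) {
        for (String role : user.getAuth()) { // safe: getAuth() is never null
            authorities.add(new Auth(role));
        }
    }

    Collection<Auth> getAuthorities() { return authorities; }

    public static void main(String[] args) {
        // Constructed sample input: one user without a role list, one with two roles.
        System.out.println(new NullSafeAuthorities(new SomeUser(null)).getAuthorities().size());
        System.out.println(new NullSafeAuthorities(
                new SomeUser(List.of("ROLE_USER", "ROLE_ADMIN"))).getAuthorities());

        // The caveat from the answer: iterating emptyList() is fine, adding to it is not.
        List<String> empty = new SomeUser(null).getAuth();
        try {
            empty.add("ROLE_ADMIN");
        } catch (UnsupportedOperationException e) {
            System.out.println("emptyList() rejected add(): " + e.getClass().getSimpleName());
        }
    }
}
```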