JD.CATCH

Klocwork reports a JD.CATCH issue when it finds a catch block with an unwanted exception such as java.lang.NullPointerException. A list of possible exceptions is in the Parameters section.

Vulnerability and risk

Exceptions, as their names implies, should be used only for exceptional conditions; they should never be used for ordinary control flow. Using exceptions for control flow dramatically reduces performance, maintainability, and readability of the code.

Mitigation and prevention

Change the code to code that does a preventive check (full null, array index, and so on).

Example 1

9
10
11
12
13
14
15
      String test1(String my) {
         try {
             return my.substring(1,4);
         } catch (NullPointerException e) {
             return "";
         }
     }

JD.CATCH is reported on line 12: Catching 'java.lang.NullPointerException' explicitly is usually a bad practice. Use preventive checks on data instead.

External guidance

• CERT ERR08-J: Do not catch NullPointerException or any of its ancestors
• CWE-1032: Security Misconfiguration
• OWASP A6:2017 Security Misconfiguration
• OWASP A5:2021 Security Misconfiguration
• STIG-ID:APP3120 Application has error handling vulnerabilities

Security training

Application security training materials provided by Secure Code Warrior.

• Security Misconfiguration Training Video - Test your skills with a training example