NPE.RET

A NullPointerException is thrown in case of an attempt to dereference a null value. The dereference may be a function call, a read or write of a field, or an array access. NPE.RET is reported for the result of a method call being dereferenced when there is a path on which the value coming from a method call returns null.

As of release 2023.2, this checker supports Jakarta EE.

Example 1

15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
     Reader getReader(String configurationPath) throws IOException {
         File file = new File(configurationPath);
         if (file.exists()) {
             return new BufferedReader(new FileReader(file));
         }
         return null;
     }
 
 
     Reader getDefaultReader() throws IOException {
         return getReader("conf");
     }
 
     public void init() throws IOException {
         load(getDefaultReader());
     }
 
     private String load(Reader reader) throws IOException {
         StringBuffer sb = new StringBuffer();
 
         char[] buffer = new char[1024];
         int length;
         while ((length = reader.read(buffer)) > 0) {
             sb.append(buffer, 0, length);
         }
         return sb.toString();
     }

NPE.RET is reported for line 29, since the value returned by 'getDefaultReader()' call can be null and it is passed into the 'load(Reader reader)' method as a parameter, where it would be dereferenced.

Related checkers

• NPE.CONST
• NPE.COND
• NPE.RET.UTIL
• NPE.STAT

External guidance

• CERT EXP01-J: Do not use a null in a case where an object is required
• CWE-476: NULL Pointer Dereference

Security training

Application security training materials provided by Secure Code Warrior.

• Null Dereference Training Video - Test your skills with a training example

Extension

This checker can be extended through the Klocwork knowledge base. See Tuning Java analysis for more information.