CONNECT Software project. There are too few details in this report for us to be able to work on it. Assuming the size of the file is less than BUFSIZE, this works fine as long as the information in myFile is encoded the same as the default character set, however if it's using a different encoding, or is a binary file, it . Fix: Updated code so that ES no longer sends back to VistA the "Delete" signal for the "Unemployable" field. The following function attempts to acquire a lock in order to perform . Thus, enabling the attacker do delete files or otherwise compromise your system. Is DPAPI still valid option to protect eg. relevant defects identified by Prevent were related to potential null dereference. CODETOOLS-7900082 Fortify: Analize and fix "Missing Check against Null" issue. Find and fix defects in your Java, C/C++, C#, JavaScript, Ruby, or Python open source project for free. The program can dereference a null-pointer because it does not check the return value of a function that might return null. Copyright 2023 Open Text Corporation. Note that you can copy references without accessing the object it references. "The good news about computers is that they do what you tell them to do. But we have observed in practice that not every potential null dereference is a "bug " that developers want to fix. Have a question about this project? Fortify-Issue-300 Null Dereference issues #302. Agreed!!! I know we could change the code to remove it, but that would be changing the structure of our code because of a problem in the tool. It is not uncommon for Java programmers to misunderstand read() and related methods that are part of many java.io classes. So it seems highly unlikely that the line of code you've posted is the source of the exception. Fortify source code analyzer is giving lot's of "Null Dereference" issues becausewe have used Apache Utils to ensure null check. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners. The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. Palash Sachan 8-Feb-17 13:41pm. Null Dereference Issue New: May 7, 2019 which is not fixed and in the parser, it checks cwe no in also the sample you provided does not contain any cwe no in and in fortify parser it uses this method to extract cwe no which raise problem: If you never set a variable to null you can never have an unexpected null. CWE-476: NULL Pointer Dereference: A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. The program can dereference a null-pointer because it does not check the return value of a function that might return null. The following Java Virtual Machine versions are supported: Java 8; Java 11; Java 17; . Basically, yes. Share Improve this answer Follow edited Jun 4, 2019 at 17:08 answered Jun 4, 2019 at 17:01 Thierry 5,170 33 39 A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. The list of things beyond my ability to control is . Is a PhD visitor considered as a visiting scholar? Initializes a new instance of the NullReferenceException class, setting the Message property of the new instance to a system-supplied message that describes the error, such as "The value 'null' was found where an instance of an object was required." Wait hold on what is dereference now?. How to Check if Application is Installed in Your Android Phone and Open the App? A check-after-dereference error occurs when a program dereferences a pointer that can be, [1] Standards Mapping - Common Weakness Enumeration, [2] Standards Mapping - Common Weakness Enumeration Top 25 2019, [3] Standards Mapping - Common Weakness Enumeration Top 25 2020, [4] Standards Mapping - Common Weakness Enumeration Top 25 2021, [5] Standards Mapping - Common Weakness Enumeration Top 25 2022, [6] Standards Mapping - DISA Control Correlation Identifier Version 2, [7] Standards Mapping - General Data Protection Regulation (GDPR), [8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012, [9] Standards Mapping - NIST Special Publication 800-53 Revision 4, [10] Standards Mapping - NIST Special Publication 800-53 Revision 5, [11] Standards Mapping - OWASP Top 10 2004, [12] Standards Mapping - OWASP Application Security Verification Standard 4.0, [13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1, [14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0, [15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1, [16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2, [17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1, [18] Standards Mapping - Payment Card Industry Software Security Framework 1.0, [19] Standards Mapping - Payment Card Industry Software Security Framework 1.1, [20] Standards Mapping - Security Technical Implementation Guide Version 3.1, [21] Standards Mapping - Security Technical Implementation Guide Version 3.4, [22] Standards Mapping - Security Technical Implementation Guide Version 3.5, [23] Standards Mapping - Security Technical Implementation Guide Version 3.6, [24] Standards Mapping - Security Technical Implementation Guide Version 3.7, [25] Standards Mapping - Security Technical Implementation Guide Version 3.9, [26] Standards Mapping - Security Technical Implementation Guide Version 3.10, [27] Standards Mapping - Security Technical Implementation Guide Version 4.1, [28] Standards Mapping - Security Technical Implementation Guide Version 4.2, [29] Standards Mapping - Security Technical Implementation Guide Version 4.3, [30] Standards Mapping - Security Technical Implementation Guide Version 4.4, [31] Standards Mapping - Security Technical Implementation Guide Version 4.5, [32] Standards Mapping - Security Technical Implementation Guide Version 4.6, [33] Standards Mapping - Security Technical Implementation Guide Version 4.7, [34] Standards Mapping - Security Technical Implementation Guide Version 4.8, [35] Standards Mapping - Security Technical Implementation Guide Version 4.9, [36] Standards Mapping - Security Technical Implementation Guide Version 4.10, [37] Standards Mapping - Security Technical Implementation Guide Version 4.11, [38] Standards Mapping - Security Technical Implementation Guide Version 5.1, [39] Standards Mapping - Web Application Security Consortium 24 + 2, [40] Standards Mapping - Web Application Security Consortium Version 2.00. : Fortify: The method processMessage() in VET360InboundProcessService.java can crash the program by dereferencing a null pointer on line 197. rev2023.3.3.43278. Well, it identifies hundreds of known code vulnerabilities, covers security standard and also make sure to address industry compliance regulations. This does pass the Fortify review. This solution is not always viable in a production environment. Successfully merging a pull request may close this issue. This means sum.something() is an INVALID Syntax in Java. #icon8226:hover{color:;background:;} 800-366-2022 An API is a contract between a caller and a callee. Dereferencing a null pointer An impossible checked cast . Stack Exchange network consists of 181 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers. Missing Check against Null. The most common forms of API abuse are caused by the caller failing to honor its end of this contract. The Java VM sets them so, as long as Java isn't corrupted, you're safe. to fix over 7500 defects across 250 open source projects and 50 million lines of code. The line where the issue is found contains only the Main method declaration, and no other debug code is present. PS: Yes, Fortify should know that these properties are secure. Ventura CA 93001 beyond that why are you scanning possible characters instead of just checking upper and lower limits. "Rules for Null Dereference and Redundant Null Check have been reworked to enable reduction of false positive rates. It's simply a check to make sure the variable is not null. Just about every serious attack on a software system begins with the violation of a programmer's assumptions. Fortify is giving path manipulation error in this line. Why do academics stay as adjuncts for years rather than move around? Fortify is raising an issue, not an error because you are taken input from the process's environment and then opening a path with it without doing any input filtering. Our current plan is to remain open for https://t.co/IwbQgYoZUk, Nov 01, We love seeing this enthusiasm for structural pasteurization from realtors https://t.co/ihCVF4uUk3 https://t.co/3uMUV1VabD, Jul 28. Explanation Null-pointer errors are usually the result of one or more programmer assumptions being violated. Noncompliant Code Example. I've been searching for an explanation of this message and can't find anything that clearly explains it. 0f66c64 (0.15.0) add scripts to check git repo sha lanxia [#6506] 4a7a6b2 (v0.15.0) Fix out-of-bounds write in String.getBytes Benjamin Thomas (Aviansie Ben) [#6502] d58e0f7 (0.15.0) Invoke DomainCombiner.combine() for embedded AccessControlContext Peter Shipton [#6493] 18e7a3c (v0.15.0) Remove extra rpaths in AIX shared libs mikezhang [#6494 . Trying to understand how to get this basic Fourier Series, How to handle a hobby that makes income in US. Fortify: Access Control Database related issue. I'm using "HP Fortify v3.50" on a java project and I find lots of false positive on "Null Dereference", because Fortify doesn't see the control against null is in another method. In Java there are two different variables are there: Since primitives are not objects so they actually do not have any member variables/ methods. Null Dereference C/C++ C#/VB.NET/ASP.NET Java/JSP Abstract clones. Real Estate Software Dubai > blog > how to fix null dereference in java fortify Jun 12, 2022 beauty appeal in advertising It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts. They are not only hard to identify but also complex to deal with. Notice how that can never be possible since the method returns early with a 'false' value on the previous 'if' statement. of Computer Science University of Maryland College Park, MD [email protected] William Pugh Dept. The modules cover the full breadth and depth of topics for PCI Section 6.5 compliance and the items that are important for secure software development. Difference Between FileInputStream and FileReader in Java, Introduction about the error with example. But I do see a problem in line 9: Thanks, you are correct, I meant line 9 and I see the error now. Q&A for work. Have Difficulty In Doing. Is it plausible for constructed languages to be used to affect thought and control or mold people towards desired outcomes? This message takes into account the current system culture. Note that this code is also vulnerable to a buffer overflow . Issue Links. (and obviously if httpInputStream is different from null, to avoid a possible Null Dereference by invoking the close() method). Fortify Software in partnership with FindBugs has launched the Java Open Review (JOR) Project. EXP01-J-EX0: A method may dereference an object-typed parameter without guarantee that it is a valid object reference provided that the method documents that it (potentially) throws a NullPointerException, either via the throws clause of the method or in the method comments. to fix over 7500 defects across 250 open source projects and 50 million lines of code. Could you share the minimal test case? what if the input has some unicode non-English characters? Description The program can potentially dereference a null pointer, thereby raising a NullPointerException. So mark them as Not an issue and move on. As we can see in the example mentioned above is an integer(int), which is a primitive type, and hence it cannot be dereferenced. Note that on Red Hat Enterprise Linux 6 it is not possible to exploit CVE-2010-2948 to run arbitrary code as the overflow is blocked by FORTIFY_SOURCE. Copyright 2023 Open Text Corporation. On File delete, using java File delete method what could be the security issue? . Is it correct to use "the" before "materials used in making buildings are"? Posted 29-Sep-17 0:30am OriginalGriff Comments CODETOOLS-7900079 Fortify: Analize and fix "Code Correctness: Regular Expressions Denial of Service" issues. Note: Before moving to this, to fix the issue in Example 1 we can print, Here, we will follow the below-mentioned points to understand and eradicate the error alongside checking the outputs with minor tweaks in our sample code. Explanation Null-pointer errors are usually the result of one or more programmer assumptions being violated. There are at least three flavors of this problem: check-after-dereference, dereference-after-check, and dereference-after-store. It essentially means that the object's reference variable is not pointing anywhere and refers to nothing or 'null'. Closed; is cloned by. ][C:/DIR/npe][38F1CD7C547F94C73D421BDC0BA6B45B : low : System Information Leak : Internal : dataflow ]NPE.java(43) : ->PrintStream.println(0) NPE.java(102) : ->NPE.log(0) NPE.java(98) : <=> (os) NPE.java(98) : <- System.getProperty(return)[38F1CD7C547F94C73D421BDC0BA6B45C : low : System Information Leak : Internal : dataflow ]NPE.java(43) : ->PrintStream.println(0) NPE.java(111) : ->NPE.log(0) NPE.java(109) : <=> (os2) NPE.java(51) : return (s) NPE.java(109) : <->NPE.defaultIfEmpty(0->return) NPE.java(109) : <- System.getProperty(return)[B679BDBBFADB6AD00720E35440F876F7 : high : Null Dereference : controlflow ] NPE.java(57) : Assigned null : arg NPE.java(58) : Branch not taken: ((args.length) <= 0) NPE.java(77) : Dereferenced : arg[935183D4911A3F55EEA10E64B6BDC2F6 : low : Missing Check against Null : controlflow ] NPE.java(98) : start -> allocated : os = getProperty(?) Follows a very simple code sample that should reproduce the issue: In this simple excerpt Fortify complains that "typedObj" can be null in the return statement. Main.java, lines 120-137: Description: SQL injection vulnerabilities occur when data enters an application from an untrusted source and is used to dynamically construct a SQL query. Learn more about Stack Overflow the company, and our products. The project is a simple C# console application, with no reference whatsoever to ASP.NET libraries. These can be: Invoking a method from a null object. CODETOOLS-7900078 Fortify: Analize and fix "Redundant Null Check" issues. Roseanne But what exactly does it mean to "dereference a null pointer"? Alternate Terms Relationships . Whenever we use the "return early" code pattern, Fortify is not able to understand it and raises a "possible null dereference" warning. : Fortify: The method processMessage() in VET360InboundProcessService.java can crash the program by dereferencing a null pointer on line 197. CiteSeerX - Document Details (Isaac Councill, Lee Giles, Pradeep Teregowda): Many analysis techniques have been proposed to determine when a potentially null value may be dereferenced. How to Fix int cannot be dereferenced error? Most null-pointer issues result in general software reliability problems, but if an attacker can intentionally trigger a null-pointer dereference, the attacker may be able to use the resulting exception to bypass security logic or to cause the application to reveal debugging information Also, the term 'pointer' is bad (but maybe it comes from the FindBugs tool): Java doesn't have pointers, it has references. An attack signature is a unique arrangement of information that can be used to identify an attacker's attempt to exploit a known operating system or application vulnerability. For example, if a program fails to call chdir() after calling chroot() , it violates the contract that specifies how to change the active root directory in a secure fashion. Investigate instances where Fortify has identified a null pointer as a potential security flaw. However, most of the existing tools This bug was quite hard to spot! Using the Tika library FilenameUtils.normalize solves the fortify issue. Convert a String to Character Array in Java. Fortify flags this for null dereference. A null-pointer dereference takes place when a pointer with a value of NULL is used as though it pointed to a valid memory area. How to resolve this issue? Learn more . Well occasionally send you account related emails. : System.getProperty may return NULL NPE.java(98) : allocated -> allocated : os may be null NPE.java(101) : allocated -> used : os.equalsIgnoreCase() : os used without null check[A423998C51F661CE8B2EB269BB0AF58D : low : Poor Logging Practice : Use of a System Output Stream : structural ] NPE.java(43)[5494E2A573D3F6F3F5F24DE49D893068 : low : J2EE Bad Practices : Leftover Debug Code : structural ] NPE.java(56)$ cat -n NPE.java 1 package npe; 2 3 import org.apache.commons.lang3.StringUtils; 4 5 public class NPE { 6 int v; 7 8 9 public NPE(int v) { 10 this.v = v; 11 } 12 13 14 public static int dangerousLength(String s) { 15 return s.length(); 16 } 17 18 19 public String stringify() { 20 if (v != 0) { 21 return "non-0"; 22 } else { 23 return null; 24 } 25 } 26 27 28 public NPE frugalCopy() { 29 if (v != 0) { 30 return new NPE(v); 31 } else { 32 return null; 33 } 34 } 35 36 37 public int getV() { 38 return v; 39 } 40 41 42 public static void log(String s) { 43 System.out.println(s); 44 } 45 46 47 public static String defaultIfEmpty(String s, String v) { 48 if (s == null || s.length() == 0) { 49 return v; 50 } else { 51 return s; 52 } 53 } 54 55 56 public static void main(String[] args) { 57 String arg = null; 58 if (args.length > 0) { 59 arg = args[0]; 60 } 61 log("arg is " arg); 62 63 // Fortify fails to catch a possible NPE when the null is passed as an 64 // argument. Null-pointer exceptions usually occur when one or more of the programmer's assumptions is violated. Primitive [byte, char, short, int, long, float, double, boolean]. Fix Suggenstion (issue 208) . All rights reserved. If that variable hasn't had a reference assigned, it's a null reference, which (for internal/historical reasons) is referred to as a null pointer. Try this: if (connection != null && conection.State != ConnectionState.Closed) { conection.Close (); } But better, use a using block around your connection creation so it is automatically closed and disposed when it goes out of scope. Sign in Reject from the input, any character you don't want in the path. Exceptions. The best answers are voted up and rise to the top, Not the answer you're looking for? Home; Uncategorized; null dereference fortify fix java; null dereference fortify fix java The following function attempts to acquire a lock in order to perform . Dereference before null check. cmheazel on Jan 7, 2018. cmheazel added the Status:Pull-Request-Issued label on Jan 9, 2018. cmheazel mentioned this issue on Feb 22, 2018. how to fix null dereference in java fortify Literal null values are passed as the third and fourth arguments.In the definition of set, It works under 64-bit systems in Windows, Linux and macOS environments, and can analyze source code intended for 32-bit, 64-bit and embedded ARM platforms. Below is an example. Closed. C/C++. The issue is that if you take data from an external source, then an attacker can use that source to manipulate your path. But we have observed in practice that not every potential null dereference is a bug that developers want to fix. "Leadership is nature's way of removing morons from the productive flow" - Dogbert Articles by Winston can be found here. How can I check before my flight that the cloud separation requirements in VFR flight rules are met? Null-pointer errors are usually the result of one or more programmer assumptions being violated. Why are Suriname, Belize, and Guinea-Bissau classified as "Small Island Developing States"? Exceptions. Redundant Null Check. Is Made In Chelsea Scripted, The value is then dereferenced without a null check in ClientAuthenticationCodec.encodeRequest call: Because your release of resources is conditional on the state of a boolean variable and encased in another try block, the static analyzer must be deciding that rollback() and close() are not guaranteed to execute.. email is in use. Fortify keeps track of the parts that came from the original input. We have, however, opened a support case with the following repro: Scanning this code with Visual Studio 2015 update 3 and HP Fortify plugin 17.10, two issues are found, both invalid: ASP.NET Bad Practices: Leftover Debug Code (Encapsulation, Structural): The class Program contains debug code, which can create unintended entry points in a deployed web application. For instance, what's wrong with this code? The content must be between 30 and 50000 characters. Parse the input for a whitelist of acceptable characters. at com.fortify.sca.Main$Sourceanalyzer.run(Main.java:527) [fortify-sca-18.20.1071.jar:? 31 in Google's Java code Embrace and fix your dumb mistakes. OWASP Benchmark is a test suite designed to verify the speed and accuracy of software vulnerability detection tools. This release, developed in Java technology, contains ESM Phase 3 development and upgrade efforts. But we have observed in practice that not every potential null dereference is a "bug " that developers want to fix. But avoid . By using this site, you accept the Terms of Use and Rules of Participation. The opinions expressed above are the personal opinions of the authors, not of Micro Focus. This type of 'return early' pattern is very common with validation as it avoids nested scopes thus making the code easier to read in general. "We use Fortify's static analysis capabilities to analyze our source code as we develop new features or make enhancements. Null pointers null dereference null dereference - best practices Using Nullable type parameters Memory leak Unmanaged memory leaks. This could allow the server to make the client crash due to the NULL pointer dereference Separate licenses are available for C/C++ analysis and Java analysis. Whenever we use the "return early" code pattern, Fortify is not able to understand it and raises a "possible null dereference" warning. The nature of simulating nature: A Q&A with IBM Quantum researcher Dr. Jamie We've added a "Necessary cookies only" option to the cookie consent popup. Buy-solutions-manual Legit, Board while may produce spurious "null dereference" reports. 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 share. In Java, a special null value can be assigned to an object reference. Using Kolmogorov complexity to measure difficulty of problems? Contributor. encryption key? One of the common issues reported by Fortify is the Path Manipulation issue. at com.fortify.sca.frontend.FrontEndSession.runSingleFrontEnd(FrontEndSession.java:231) [fortify-sca-18.20.1071.jar:?] . The root cause of each defect is clearly explained, making it easy to fix bugs Integrated with However, one article [1] claims that the cost of a one year license is based on the number of lines of code, regardless of the number of users. Jira will be down for Maintenance on June 6,2022 from 9.00 AM - 2.PM PT, Monday(4.00 PM - 9.00PM UTC, Monday) +1 for a very succinct answer that pretty much sums up the way I feel: "it depends." Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for . Should Fortify be handling this correctly by default(and we have something misconfigured)? A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. Could anyone from Fortify confirm or refute the flakiness of the null dereference check? So, in the end, you'll likely set the issue's analysis to Not an issue and just stop worrying about it. What it is complaining about is that if you take data from an external source, then an attacker can use that source to manipulate your path. 90 int npeV = npe.frugalCopy().getV(); 91 92 log("Called a method of an object returned by a method: " npeV); 93 94 if (npeV == 2) { 95 System.clearProperty("os.name"); 96 } 97 98 String os = System.getProperty("os.name"); 99 // Fortify catches a possible NPE where null signals absence of a 100 // resource, showing a Missing Check against Null finding. Attachments. I have problem to understand how is that solving original issue - path in configuration file How to resolve Path Manipulation error given by fortify? As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. . It's simply a check to make sure the variable is not null. The repro was confirmed by the support representative and the case forwarded to the engineering team. Follows a very simple code sample that should reproduce the issue: public override bool Equals (object obj) { var typedObj = obj as SomeCustomClass; if (typedObj == null) return false; return this.Name == typedObj.Name; } In this simple excerpt Fortify complains that "typedObj" can be null in the return statement. All rights reserved. Example. You also had the guts to say "never check for null" (if null is invalid).Placing an assert() in every member function that dereferences a pointer is a compromise that will likely placate a lot of people, but even that feels like 'speculative paranoia' to me. Available in C# 8.0 and later, the unary postfix ! if (foo == null) { foo.setBar (val); . } Check the documentation for the Connection object of the type returned by the getConnection() factory method, and see if the methods rollback() and close() will even throw an exception. Extended Description NULL pointer dereference issues can occur through a number of flaws, including race conditions, and simple programming omissions. In C++, pointers are not guaranteed to be either NULL of have a valid value. This is it, how to fix the int cannot be dereferenced error in Java. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. 476 NULL Pointer Dereference FORWARD_NULL NULL_RETURNS REVERSE_INULL 480 Use of Incorrect Operator CONSTANT_EXPRESSION_RESULT 502 Deserialization of Untrusted Data UNSAFE_DESERIALIZATION 519 Disabled View State MAC generation CONFIG.ASP_VIEWSTATE_MAC 532 Information Exposure Through Log Files Taking the length of null, as if it were an array. Description. You can perform an explicit check for NULL for all pointers returned by functions that can return NULL, and when parameters are passed to the function. The latest patch releases are recommended (2.13.5, 2.12.13, and 2.11.12 as of February 2021). In this example, the variable x is an int and Java will initialize it to 0 for you. The most common quality bug identified was the null pointer dereference, which can cause . The following code shows an example of a NULL pointer dereference: That said, code lives in an ecosystem, not a vacuum. I'm using "HP Fortify v3.50" on a java project and I find lots of false positive on "Null Dereference", because Fortify doesn't see the control against null is in another method. If you have a method that should sometimes not return a value, you could return an empty Collection, or an Optional, which is new in Java 8. Whenever we use the "return early" code pattern, Fortify is not able to understand it and raises a "possible null dereference" warning. Pointer is a programming language data type that references a location in memory. 10 Avoiding Attempt to Dereference Null Object Errors 4,029 views Oct 22, 2014 In this episode we look at 3 common ways to get - and then prevent - the "Attempt to dereference a null object". Example 10. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. . 101 if (os.equalsIgnoreCase("Windows 95")) { 102 log("OS " os " is not supported"); 103 } else { 104 log("OS " os " is supported"); 105 } 106 107 // Fortify fails to catch a possible NPE as it loses track of the null 108 // resource after passing it to another method. The Java VM sets them so, as long as Java isn't corrupted, you're safe. Sign up for a free GitHub account to open an issue and contact its maintainers and the community. Note: Before moving to this, to fix the issue in Example 1 we can print. For example, In the ClassWriter class, a call is made to the set method of an Item object. a NULL pointer dereference would then occur in the call to strcpy(). Software Security | Null Dereference Kingdom: Code Quality Poor code quality leads to unpredictable behavior. @MitchWheat Sure - but if fortify behaves like other analyzers, there may be a null check above this code which doesn't skip this code path if ddl is null. So "dereferencing a null pointer" means trying to do something to the object that it's pointing to. How can I reduce false positives and maintain the rule? Searching it online showed only a match in a SonarQube plugin that may be reusing the GUID by mistake. Then by the end of this article, you will get complete knowledge about the error and able to solve your issue, lets start with an example. They should be investigated and fixed OR suppressed as not a bug. The main theme of Dereferencing is placing the memory address into the reference. Sorry I do not know how to make sense of the Rule ID you mentioned. 1. The SAST tool used was Fortify SCA, .