I believe this particular behavior is a gap in the Fortify analyzer implementation, as all other static analysis tools seem to understand the code flow and will not complain about potential null references in this case. case " Null Dereference ": return 476; // Fortify reports weak randomness issues under Obsolete by ESAPI, rather than in // the Insecure Randomness category if it thinks you are using ESAPI. This could allow the server to make the client crash due to the NULL pointer dereference Separate licenses are available for C/C++ analysis and Java analysis. application of binomial distribution in civil engineering eames replica lounge chair review eames replica lounge chair review This does pass the Fortify review. It essentially means that the object's reference variable is not pointing anywhere and refers to nothing or 'null'. The program can potentially dereference a null-pointer, thereby causing a segmentation fault. TimeZone getOffset(int, int, int, int, int, int) Method in Java with Examples, ZoneOffset ofHoursMinutesSeconds(int, int, int) method in Java with Examples, SimpleTimeZone setStartRule(int, int, int) method in Java with Examples, SimpleTimeZone setEndRule(int, int, int) method in Java with Examples, HijrahDate of(int, int, int) method in Java with Example, IsoChronology date(int, int, int) method in Java with Example, JapaneseChronology date(int, int, int) method in Java with Example, JapaneseDate of(int, int, int) method in Java with Example, JapaneseDate of(JapaneseEra,int, int, int) method in Java with Example, MinguoChronology date(int, int, int) method in Java with Example. Fortify-Issue-300 Null Dereference issues. Why are Suriname, Belize, and Guinea-Bissau classified as "Small Island Developing States"? One of the common issues reported by Fortify is the Path Manipulation issue. When it comes to these specific properties, you're safe. On File delete, using java File delete method what could be the security issue? to fix over 7500 defects across 250 open source projects and 50 million lines of code. Closed; is cloned by. Parse the input for a whitelist of acceptable characters. Software Security | Null Dereference Kingdom: Code Quality Poor code quality leads to unpredictable behavior. References As // such, we are adding this other way to determine if . The bad news is that they do what you tell them to do." We also report experimental results for XYLEM, Coverity Prevent, Fortify SCA, Eclipse and FindBugs, and observe of Computer Science University of Maryland College Park, MD pugh@cs.umd.edu Abstract Many analysis techniques have been proposed to determine when a potentially null value may be You won't find it anywhere in any official Java documents. Note: Before moving to this, to fix the issue in Example 1 we can print. It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts. Buy-solutions-manual Legit, If not is there an option we can set so that it does? An extremely nice thing which was discovered only by Coverity. Jk Robbins wrote:The FindBugs tool is telling me that line 5 contains a null pointer dereference to the id variable but I don't see the problem. "The good news about computers is that they do what you tell them to do. This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL), if (conection.State != ConnectionState.Closed) { conection.Close(); }, This
Share Improve this answer Follow edited Jun 4, 2019 at 17:08 answered Jun 4, 2019 at 17:01 Thierry 5,170 33 39 I believe this particular behavior is a gap in the Fortify analyzer implementation, as all other static analysis tools seem to understand the code flow and will not complain about potential null references in this case. If you have a method that should sometimes not return a value, you could return an empty Collection, or an Optional, which is new in Java 8. You also had the guts to say "never check for null" (if null is invalid).Placing an assert() in every member function that dereferences a pointer is a compromise that will likely placate a lot of people, but even that feels like 'speculative paranoia' to me. The Java VM sets them so, as long as Java isn't corrupted, you're safe. Is it correct to use "the" before "materials used in making buildings are"? The Null dereference error was on the line of code sortName = lastName; not the call of the setter : fortify do not want you to conditionnally change the value of a variable that was set to null without doing so in all the branches. I know we could change the code to remove it, but that would be changing the structure of our code because of a problem in the tool. If foo is null when it is checked in the if statement, then a null dereference will occur, thereby causing a null-pointer exception. By using this site, you accept the Terms of Use and Rules of Participation. Take the following code: Integer num; num = new Integer(10); . (Generated from version 2022.1.0.0007 of the Fortify Secure Coding Rulepacks) Exceptions. : Fortify: The method processMessage() in VET360InboundProcessService.java can crash the program by dereferencing a null pointer on line 197. By clicking Sign up for GitHub, you agree to our terms of service and This failure seems a result of the Control Flow rules 65 // covering only simple patterns within methods: 66 // allocated -> set 67 // allocated -> checked 68 // allocated -> used 69 // as in the sample rule 70 // riches/scan/Scenario Rules/Null Pointer Check/scenarioRules.xml" 71 log("dangerousLength is " dangerousLength(arg)); 72 log("protected length is " defaultIfEmpty(arg, "").length()); 73 log("StringUtils protected length is " StringUtils.defaultIfEmpty(arg, "").length()); 74 75 // Fortify catches a possible NPE in using a formerly assigned null, 76 // showing a Null Dereference finding. Explanation Null-pointer errors are usually the result of one or more programmer assumptions being violated. I have a solution to the Fortify Path Manipulation issues. Coppin State University Honors Program, Believe me, using "dereference" to mean "set to null" is a misconception. we have been using fortify tool in our code to check for security vulnerabilities. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for . So, I suggest an alternative solution. Generally, null variables, references and collections are tricky to handle in Java code. Coverity does not list their price publicly. Fix : Analysis found that this is a false positive result; no code changes are required. The main theme of Dereferencing is placing the memory address into the reference. EXP01-J-EX0: A method may dereference an object-typed parameter without guarantee that it is a valid object reference provided that the method documents that it (potentially) throws a NullPointerException, either via the throws clause of the method or in the method comments. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. spelling and grammar. A null-pointer dereference takes place when a pointer with a value of NULL is used as though it pointed to a valid memory area. Dereference before null check. Palash Sachan 8-Feb-17 13:41pm. Fortify is giving path manipulation error in this line. Example 10. For instance, what's wrong with this code? Closed. To learn more, see our tips on writing great answers. When it comes to these specific properties, you're safe. Making statements based on opinion; back them up with references or personal experience. (Generated from version 2022.4.0.0009 of the Fortify Secure Coding Rulepacks), Fortify Taxonomy: Software Security Errors. CWE-476: NULL Pointer Dereference: A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. The following function attempts to acquire a lock in order to perform . Below is an example. Does it just mean failing to correctly check if a value is null? +1 (416) 849-8900. An API is a contract between a caller and a callee. (and obviously if httpInputStream is different from null, to avoid a possible Null Dereference by invoking the close() method). So this is the error that occurs when we try to dereference a primitive. CODETOOLS-7900079 Fortify: Analize and fix "Code Correctness: Regular Expressions Denial of Service" issues. eames replica lounge chair review. 476 NULL Pointer Dereference FORWARD_NULL NULL_RETURNS REVERSE_INULL 480 Use of Incorrect Operator CONSTANT_EXPRESSION_RESULT 502 Deserialization of Untrusted Data UNSAFE_DESERIALIZATION 519 Disabled View State MAC generation CONFIG.ASP_VIEWSTATE_MAC 532 Information Exposure Through Log Files Taking the length of null, as if it were an array. Before using a pointer, ensure that it is not equal to NULL: if (pointer1 != NULL) { /* make use of pointer1 */ /* . NULL pointer dereference erros are common in C/C++ languages. fill_foo checks if the pointer has a value, not if the pointer has a valid value. Learn more about Stack Overflow the company, and our products. Fix: Made minor changes in the code to resolve the null dereference and . #happyholidays2019 #earlyday https://t.co/CIUwaC3QFA, Dec 25, We think #rei has the right idea, and #blackfriday is a great day to #optoutside. Warn if the compiler detects paths that trigger erroneous or undefined behavior due to dereferencing a null pointer. Issue Links. Whenever we use the "return early" code pattern, Fortify is not able to understand it and raises a "possible null dereference" warning. : Fortify: The method processMessage() in VET360InboundProcessService.java can crash the program by dereferencing a null pointer on line 197. Team Collaboration and Endpoint Management, We are a .Net shop that recently re-started using Fortify Static Code Analyzer (have version 17.10.0156.). Null Dereference C/C++ C#/VB.NET/ASP.NET Java/JSP Abstract clones. Could you share the minimal test case? Check the documentation for the Connection object of the type returned by the getConnection() factory method, and see if the methods rollback() and close() will even throw an exception. The . By using this site, you accept the Terms of Use and Rules of Participation. Symantec security products include an extensive database of attack signatures. Do you need your, CodeProject,
CiteSeerX - Document Details (Isaac Councill, Lee Giles, Pradeep Teregowda): Many analysis techniques have been proposed to determine when a potentially null value may be dereferenced. It is important to remember here to return the literal and not the char being checked. Does it just mean failing to correctly check if a value is null? Now, let us move to the solution for this error. We recently migrated our community to a new web platform and regretably the content for this page needed to be programmatically ported from its previous wiki page. In this example, the variable x is an int and Java will initialize it to 0 for you. Most null pointer issues result in general software reliability problems, but if attackers can intentionally trigger a null pointer dereference, they can use the resulting exception to bypass security logic or to cause the application to reveal debugging information that will be valuable in planning subsequent attacks. 0f66c64 (0.15.0) add scripts to check git repo sha lanxia [#6506] 4a7a6b2 (v0.15.0) Fix out-of-bounds write in String.getBytes Benjamin Thomas (Aviansie Ben) [#6502] d58e0f7 (0.15.0) Invoke DomainCombiner.combine() for embedded AccessControlContext Peter Shipton [#6493] 18e7a3c (v0.15.0) Remove extra rpaths in AIX shared libs mikezhang [#6494 . Bangkok Bank Branch Code List, The latest patch releases are recommended (2.13.5, 2.12.13, and 2.11.12 as of February 2021). Fortify source code analyzer is giving lot's of "Null Dereference" issues because we have used Apache Utils to ensure null check. to your account. Teams. #icon876{font-size:;background:;padding:;border-radius:;color:;} Difference Between FileInputStream and FileReader in Java, Introduction about the error with example. Calling equals() method on the int primitive, we encounter this error usually when we try to use the .equals() method instead of == to check the equality. All rights reserved. \Projects\UnreleasedStream> java HttpURLConnectionReader http != null inputStream != null Exception: java.io.IOExpection: stream is closed http != null inputStream != null . . Liberalism Used In A Sentence, How can i resolve this issue? It would probably help prioritizing a fix if you could attach your repro code. Take the following code: Integer num; num = new Integer(10); Closed; relates to. They should be investigated and fixed OR suppressed as not a bug. CVE-2009-3620. Chances are they have and don't get it. This release includes enhancements and defect fixes to support ESCC and ES Sustainment. Private personal information may include a password, phone number, geographic location, personal messages, credit card number, etc. Stack Exchange network consists of 181 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers. a NULL pointer dereference would then occur in the call to strcpy(). rev2023.3.3.43278. We have these rule packs installed that seem to be relevant to the .Net, Name: Fortify Secure Coding Rules, Core, .NETVersion: 2017.3.0.0008ID: D57210E5-E762-4112-97DD-019E61D32D0ESKU: RUL13002, Version: 2017.3.0.0008ID: 557BCC56-CD42-43A7-B4FE-CDD00D58577ESKU: RUL13027Provides coverage of security relevant APIs in various extended and third-party .NET libraries including Log4Net(TM) and the Microsoft EnterpriseLibrary(TM). Already on GitHub? Here, we will follow the below-mentioned points to understand and eradicate the error alongside checking the outputs with minor tweaks in our sample code. The Java VM sets them so, as long as Java isn't corrupted, you're safe. 10 Avoiding Attempt to Dereference Null Object Errors 4,029 views Oct 22, 2014 In this episode we look at 3 common ways to get - and then prevent - the "Attempt to dereference a null object". I do not know why and how the Data Flow syntax differs from the Control Flow one. In this article. 2.1. But what exactly does it mean to "dereference a null pointer"? In this paper we discuss some of the challenges of using a null dereference analysis in practice, and reasons why developers may not feel it necessary to change code to prevent ever possible null dereference. A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. Using Kolmogorov complexity to measure difficulty of problems? Board while may produce spurious "null dereference" reports. It could be either removed or replaced. Should Fortify be handling this correctly by default(and we have something misconfigured)? So mark them as Not an issue and move on. a NULL pointer dereference would then occur in the call to strcpy(). (partial fix)) 1.0.5 (February 7, 2018) handle source files with any character encoding (issue 267) Scala 2.11.6 and 2.11.7 are now supported (issue 217) Fortify prioritizes and categorizes the findings so that we can address them immediately." Follows a very simple code sample that should reproduce the issue: In this simple excerpt Fortify complains that "typedObj" can be null in the return statement. Fortify Software in partnership with FindBugs has launched the Java Open Review (JOR) Project. The modules cover the full breadth and depth of topics for PCI Section 6.5 compliance and the items that are important for secure software development. Midwest Athletics Cheer, All rights reserved. 2007 JavaOneSM Conference 4 | Session TS-2007 | . It has no particular knowledge of 83 // the Apache Commons null-checking method. 31 in Google's Java code Embrace and fix your dumb mistakes. Computers are deterministic machines, and as such are unable to produce true randomness. If you have encountered it a lot, that just means it is a popular misconception . The most common forms of API abuse are caused by the caller failing to honor its end of this contract. Dereferencing a null pointer An impossible checked cast . Thanks for contributing an answer to Information Security Stack Exchange! The repro was confirmed by the support representative and the case forwarded to the engineering team. Thus, enabling the attacker do delete files or otherwise compromise your system. Demos (FindBugs, Fortify SCA) Integrating static analysis Wrap up. Provide an answer or move on to the next question. In this noncompliant code example, input_str is copied into dynamically allocated memory referenced by c_str.If malloc() fails, it returns a null pointer that is assigned to c_str.When c_str is dereferenced in memcpy(), the program exhibits undefined behavior.. Additionally, if input_str is a null pointer, the call to strlen() dereferences a null Null Dereference C#, After using Fortify to analyze my code, Fortify show me a vulnerability which is " Null Dereference". Null-pointer errors are usually the result of one or more programmer assumptions being violated. Extended Description NULL pointer dereference issues can occur through a number of flaws, including race conditions, and simple programming omissions. Then by the end of this article, you will get complete knowledge about the error and able to solve your issue, lets start with an example. If You Got this error while youre compiling your code? Sorry I do not know how to make sense of the Rule ID you mentioned. 2.1.1Null Dereference. So it seems highly unlikely that the line of code you've posted is the source of the exception. OWASP Benchmark is a test suite designed to verify the speed and accuracy of software vulnerability detection tools. Initializes a new instance of the NullReferenceException class, setting the Message property of the new instance to a system-supplied message that describes the error, such as "The value 'null' was found where an instance of an object was required." Main.java, lines 120-137: Description: SQL injection vulnerabilities occur when data enters an application from an untrusted source and is used to dynamically construct a SQL query. Connect and share knowledge within a single location that is structured and easy to search. OpenFromXML.java, line 545 (Password Management: Empty Password) . Jira will be down for Maintenance on June 6,2022 from 9.00 AM - 2.PM PT, Monday(4.00 PM - 9.00PM UTC, Monday) +1 for a very succinct answer that pretty much sums up the way I feel: "it depends." 2 Answers Sorted by: 4 Fortify is raising an issue, not an error because you are taken input from the process's environment and then opening a path with it without doing any input filtering. Primitive [byte, char, short, int, long, float, double, boolean]. Successfully merging a pull request may close this issue. Null-pointer dereferences, while common, can generally be found and corrected in a simple way. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. VES-6699. ThermaPure has over 15 years of experience training individuals and organizations to use heat to remediate structures and kill pests. Does it just mean failing to correctly check if a value is null? if (ptr == null) {ptr->field = val;.} Merged. CODETOOLS-7900082 Fortify: Analize and fix "Missing Check against Null" issue. getAuth() should not return null.A method returning a List should per convention never return null but an empty List as default "empty" value.. private List getAuth(){ return new ArrayList<>(); } java.util.Collections.emptyList() should only be used, if you are sure that every caller of the method does not change the list (does not try to add any items), as this would fail on this . This means sum.something() is an INVALID Syntax in Java. If connection is null, it will still throw an exception. ; Updated: 29 Sep 2017 To translate Scala code for Fortify to scan, you must be a current Lightbend subscriber. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners. The content must be between 30 and 50000 characters. Try this: if (connection != null && conection.State != ConnectionState.Closed) { conection.Close (); } But better, use a using block around your connection creation so it is automatically closed and disposed when it goes out of scope. Understand that English isn't everyone's first language so be lenient of bad
In C++, pointers are not guaranteed to be either NULL of have a valid value. It only takes a minute to sign up. The nature of simulating nature: A Q&A with IBM Quantum researcher Dr. Jamie We've added a "Necessary cookies only" option to the cookie consent popup. : System.getProperty may return NULL NPE.java(98) : allocated -> allocated : os may be null NPE.java(101) : allocated -> used : os.equalsIgnoreCase() : os used without null check[A423998C51F661CE8B2EB269BB0AF58D : low : Poor Logging Practice : Use of a System Output Stream : structural ] NPE.java(43)[5494E2A573D3F6F3F5F24DE49D893068 : low : J2EE Bad Practices : Leftover Debug Code : structural ] NPE.java(56)$ cat -n NPE.java 1 package npe; 2 3 import org.apache.commons.lang3.StringUtils; 4 5 public class NPE { 6 int v; 7 8 9 public NPE(int v) { 10 this.v = v; 11 } 12 13 14 public static int dangerousLength(String s) { 15 return s.length(); 16 } 17 18 19 public String stringify() { 20 if (v != 0) { 21 return "non-0"; 22 } else { 23 return null; 24 } 25 } 26 27 28 public NPE frugalCopy() { 29 if (v != 0) { 30 return new NPE(v); 31 } else { 32 return null; 33 } 34 } 35 36 37 public int getV() { 38 return v; 39 } 40 41 42 public static void log(String s) { 43 System.out.println(s); 44 } 45 46 47 public static String defaultIfEmpty(String s, String v) { 48 if (s == null || s.length() == 0) { 49 return v; 50 } else { 51 return s; 52 } 53 } 54 55 56 public static void main(String[] args) { 57 String arg = null; 58 if (args.length > 0) { 59 arg = args[0]; 60 } 61 log("arg is " arg); 62 63 // Fortify fails to catch a possible NPE when the null is passed as an 64 // argument. Pseudo-Random Number Generators (PRNGs) approximate randomness algorithmically, starting with a seed from . Most appsec missions are graded on fixing app vulns, not finding them. The program can potentially dereference a null-pointer, thereby raising a NullException. The list of things beyond my ability to control is . Free source code and tutorials for Software developers and Architects. If a null pointer NULL pointer in C. A null pointer is a pointer which points nothing. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. Find and fix defects in your Java, C/C++, C#, JavaScript, Ruby, or Python open source project for free . email is in use. That's why it's perfectly OK to assign null to variables or pass null into a method. Whenever we use the "return early" code pattern, Fortify is not able to understand it and raises a "possible null dereference" warning. The main theme of Dereferencing is placing the memory address into the reference. So, in the end, you'll likely set the issue's analysis to Not an issue and just stop worrying about it. By clicking Accept all cookies, you agree Stack Exchange can store cookies on your device and disclose information in accordance with our Cookie Policy. Even if you were to add input filtering, the odds are low that Fortify were to recognize it and stop producing the issue. It's simply a check to make sure the variable is not null. Asking for help, clarification, or responding to other answers. It is not uncommon for Java programmers to misunderstand read() and related methods that are part of many java.io classes. Once the value of the location is obtained by the pointer, this pointer is considered dereferenced. But we have observed in practice that not every potential null dereference is a "bug " that developers want to fix. Explanation. Fortify: Null Dereference (1 issue . Home; Uncategorized; null dereference fortify fix java; null dereference fortify fix java For example, In the ClassWriter class, a call is made to the set method of an Item object. beyond that why are you scanning possible characters instead of just checking upper and lower limits. However, Fortify is throwing me this warning in the report: The method initForm() in SingleReplacementController.java can crash the program by dereferencing a null-pointer on line 110. In the most recent project scanned, only 1 of 24 Null Dereference issues found was legitamite. . how to fix null dereference in java fortify Literal null values are passed as the third and fourth arguments.In the definition of set, It works under 64-bit systems in Windows, Linux and macOS environments, and can analyze source code intended for 32-bit, 64-bit and embedded ARM platforms. Request PDF | Tracking Null Checks in Open-Source Java Systems | It is widely acknowledged that null values should be avoided if possible or carefully used when necessary in Java code. By clicking Post Your Answer, you agree to our terms of service, privacy policy and cookie policy. -- Ted Nelson. The text was updated successfully, but these errors were encountered: Code modified to fix all identified instances. Alternate Terms Relationships . PS: Yes, Fortify should know that these properties are secure. Fortify flags this for null dereference. 101 if (os.equalsIgnoreCase("Windows 95")) { 102 log("OS " os " is not supported"); 103 } else { 104 log("OS " os " is supported"); 105 } 106 107 // Fortify fails to catch a possible NPE as it loses track of the null 108 // resource after passing it to another method. #icon5632{font-size:;background:;padding:;border-radius:;color:;} Our team struggles with the same thing. at com.fortify.sca.Main$Sourceanalyzer.run(Main.java:527) [fortify-sca-18.20.1071.jar:? Try this: Copy Code if (connection != null && conection.State != ConnectionState.Closed) { conection.Close (); } But better, use a using block around your connection creation so it is automatically closed and disposed when it goes out of scope. . Null-pointer exceptions usually occur when one or more of the programmer's assumptions is violated. If I had to guess, the tool you're using is complaining about our use of Math.random() but we don't rely on it being cryptographically secure. Fortify-Issue-300 Null Dereference issues #302. I'm using "HP Fortify v3.50" on a java project and I find lots of false positive on "Null Dereference", because Fortify doesn't see the control against null is in another method. This release, developed in Java technology, contains ESM Phase 4 development and upgrade efforts. Chain: The return value of a function returning a pointer is not checked for success ( CWE-252) resulting in the later use of an uninitialized variable ( CWE-456) and a null pointer dereference ( CWE-476) CVE-2007-3798. Description The program can potentially dereference a null pointer, thereby raising a NullPointerException. This code will definitely crash due to a null pointer dereference in certain cases.. View Defect : wazuh/ossec-wazuh: USE_AFTER_FREE: C/C++: . There are too few details in this report for us to be able to work on it. #icon5632:hover{color:;background:;} 180 Canada Larga Rd. #icon8226{font-size:;background:;padding:;border-radius:;color:;} Null Dereference (Code Quality, Control Flow): The method ThroughDate() in Program.cs can dereference a null pointer, thereby raising a NullException. If you get an exception, don't catch it and return null, instead wrap and rethrow the exception. 77 log("(as much dangerous) length is " arg.length()); 78 79 arg = StringUtils.defaultIfEmpty(arg, ""); 80 // Fortify stays properly mum below. In Dungeon World, is the Bard's Arcane Art subject to the same failure outcomes as other spells? How to use Slater Type Orbitals as a basis functions in matrix method correctly? If a question is poorly phrased then either ask for clarification, ignore it, or. If you try to access any member variables or methods with that variable, you are trying to dereference it. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners. One of the more common false positives is is a Null Dereference when the access is guarded by the, Name: Fortify Secure Coding Rules, Core, .NET, Network Operations Management (NNM and Network Automation). Some uses of the null pointer are: a) To initialize a pointer variable when that pointer variable isnt assigned any valid memory address yet. In particular, the ability to write custom rules to handle internal null check functions has been added. Here is a POC The Optional class contains methods that can be used to make programs shorter and more intuitive [].. C#/VB.NET/ASP.NET. Explanation Null-pointer errors are usually the result of one or more programmer assumptions being violated. The CWE Top 25. . We revisit previous work on XYLEM, an interprocedural null dereference analysis for Java, and discuss the challenge of comparing the results of different static analysis tools. From a user's perspective that often manifests itself as poor usability.