Martin Piper

Is it possible to get Fortify to properly interpret C# Null-Conditional operator?

We are a .NET shop that recently re-started using Fortify Static Code Analyzer (we have version 17.10.0156).

We are struggling with a large number of false positives from our scans and hoping that for some of them it is a matter of configuration.

One of the more common false positives is a Null Dereference when the access is guarded by the null-conditional operator introduced with C# 6.0.

Demonstration method:

public string DemonstrateNullConditional()
{
    var maybeNull = GetSomethingThatMayBeNull();
    if (maybeNull?.InstanceMember == "I wasn't null afterall.")
    {
        return maybeNull.OtherMember;
    }
    return "Oh, it was null";
}

In the above example, the if clause is essentially equivalent to:

var temp = (maybeNull == null) ? (string) null : maybeNull.InstanceMember;
if (temp == "I wasn't null after all")

or

if (maybeNull != null && maybeNull.InstanceMember == "I wasn't null afterall")

If maybeNull is null, the conditional will resolve to false, and will not enter the block where maybeNull.OtherMember is accessed. Fortify flags this for null dereference.

In the most recent project scanned, only 1 of 24 Null Dereference issues found was legitimate.

Should Fortify be handling this correctly by default (and we have something misconfigured)?

If not, is there an option we can set so that it does?


We have these rule packs installed that seem to be relevant to .NET:

Name: Fortify Secure Coding Rules, Core, .NET
Version: 2017.3.0.0008
ID: D57210E5-E762-4112-97DD-019E61D32D0E
SKU: RUL13002

Version: 2017.3.0.0008
ID: 557BCC56-CD42-43A7-B4FE-CDD00D58577E
SKU: RUL13027
Provides coverage of security relevant APIs in various extended and third-party .NET libraries including Log4Net(TM) and the Microsoft EnterpriseLibrary(TM)


Thanks

dandreica

Re: Is it possible to get Fortify to properly interpret C...

Hi Martin,

Our team struggles with the same thing. I think Fortify should be handling this correctly, and we have not found an option that fixes this. We have, however, opened a support case with the following repro:


using System;
using System.Collections.Generic;
using System.Linq;

class Program
{
    static void Main(string[] args)
    {
        Report report = new Report();
        DateTime? date = ThroughDate(report);
    }

    // Every ?. short-circuits to null if its receiver is null, and ?? falls
    // back to the second chain only when the first one produced null.
    private static DateTime? ThroughDate(Report report)
    {
        return (
            report
            ?.ModuleConductedDetails
            ?.FirstOrDefault()
            ?.ActualEndDate
        ) ?? (
            report
            ?.ModulePlanneds
            ?.FirstOrDefault()
            ?.PlannedEndDate
        );
    }
}

class ModuleDetails
{
    public DateTime? ActualEndDate { get; set; }
    public DateTime? PlannedEndDate { get; set; }
}

class Report
{
    public IEnumerable<ModuleDetails> ModuleConductedDetails { get; set; }
    public IEnumerable<ModuleDetails> ModulePlanneds { get; set; }
}

Scanning this code with Visual Studio 2015 update 3 and HP Fortify plugin 17.10, two issues are found, both invalid:

  1. ASP.NET Bad Practices: Leftover Debug Code (Encapsulation, Structural): The class Program contains debug code, which can create unintended entry points in a deployed web application.

    The project is a simple C# console application, with no reference whatsoever to ASP.NET libraries. The line where the issue is found contains only the Main method declaration, and no other debug code is present.

  2. Null Dereference (Code Quality, Control Flow): The method ThroughDate() in Program.cs can dereference a null pointer, thereby raising a NullException.

    The method ThroughDate intentionally uses the C# 6.0 null-conditional operator to guard against null values, and is designed to safely return null if any of the values it processes happen to be null.

The repro was confirmed by the support representative and the case forwarded to the engineering team. 

It would probably help prioritizing a fix if you could attach your repro code. Should you wish to do so, please email FortifyTechSupport@hpe.com and reference support case #00278285 opened on Oct 10.

Hope this helps.
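The repro's ThroughDate chain beside the explicit null checks the compiler lowers it to, run over the edge cases an analyzer has to model before it can rule out a null dereference; this is an added example, not code from the thread. The Report and ModuleDetails types are the reply's; ThroughDateExplicit and the sample cases are constructed here.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
// Added example (not from the thread): null-conditional chain vs. its
// hand-expanded equivalent, checked over the null/empty cases.
class ModuleDetails { public DateTime? ActualEndDate { get; set; } public DateTime? PlannedEndDate { get; set; } }
class Report { public IEnumerable<ModuleDetails> ModuleConductedDetails { get; set; } public IEnumerable<ModuleDetails> ModulePlanneds { get; set; } }

static class NullConditionalCheck
{
    // The chain exactly as written in the repro.
    static DateTime? ThroughDate(Report report) =>
        report?.ModuleConductedDetails?.FirstOrDefault()?.ActualEndDate
        ?? report?.ModulePlanneds?.FirstOrDefault()?.PlannedEndDate;

    // Hand-expanded form (constructed here): every ?. is a null test that skips
    // the rest of the member access, and ?? tries the second chain only on null.
    static DateTime? ThroughDateExplicit(Report report)
    {
        DateTime? actual = null;
        if (report != null && report.ModuleConductedDetails != null)
        {
            ModuleDetails first = report.ModuleConductedDetails.FirstOrDefault();
            if (first != null) actual = first.ActualEndDate;
        }
        if (actual.HasValue) return actual;
        if (report != null && report.ModulePlanneds != null)
        {
            ModuleDetails first = report.ModulePlanneds.FirstOrDefault();
            if (first != null) return first.PlannedEndDate;
        }
        return null;
    }

    static void Main()
    {
        var planned = new ModuleDetails { PlannedEndDate = new DateTime(2017, 10, 10) };
        var cases = new Report[]
        {
            null,                                              // null receiver
            new Report(),                                      // null collections
            new Report { ModuleConductedDetails = new ModuleDetails[0], ModulePlanneds = new ModuleDetails[0] },
            new Report { ModuleConductedDetails = new[] { new ModuleDetails() }, ModulePlanneds = new[] { planned } },
        };
        foreach (var r in cases)
            if (ThroughDate(r) != ThroughDateExplicit(r)) throw new Exception("forms disagree");
        Console.WriteLine("all cases agree; no NullReferenceException is reachable");
    }
}
```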
