Enabling the new Null Dereference Analyzer

  • KM03771714
  • 13-Jan-2021

Summary

This document describes the steps to take should a customer want to enable and test the new Null Dereference analyzer in versions 20.2.0 or newer.

Question

Starting in the 2020 Q3 rulepack update, the following message was sent to users:

https://community.microfocus.com/t5/Fortify-Product-Announcements/Micro-Focus-Fortify-Software-Security-Content-2020-Update-3/td-p/2828992

Specifically, this section:

"Rules for Null Dereference and Redundant Null Check have been reworked to enable reduction of false positive rates. In particular, the ability to write custom rules to handle internal null check functions has been added.

However, it is unclear if the benefits are universal in nature. As such, these improvements that are available in SCA 20.2 are turned off by default.

If you would like to test these improvements please contact customer support."


Answer

Before contacting support to obtain the steps to enable the new analyzer, note that the new Null Dereference analyzer is experimental in nature and is included for testing purposes only. As such, it cannot be guaranteed to behave as expected. If any issues are encountered with the new analyzer, collect the debug logging for analysis before disabling it.

Also note that SCA Engineering is interested in hearing about your experience using this new analyzer, and would like any feedback you can share.