Resolving FindBugs issues

1)NP_ALWAYS_NULL: Null pointer dereference

A null pointer is dereferenced here. This will lead to a NullPointerException when the code is executed.

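Explanation: there is a branch of a statement that, if executed, dereferences a null value, which will generate a NullPointerException when the code runs. Of course, the branch or statement may be infeasible, so the null pointer exception can never actually occur; deciding that is considered beyond FindBugs' ability.

Erroneous code:

    public static String testl(String str) {
        if (str != null) {
            return "";
        }
        // doSomething: str is always null on this path, so any use of it throws
        return str.trim(); // illustrative dereference; NP_ALWAYS_NULL is reported here
    }

2)RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE: Nullcheck of value previously dereferenced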

A value is checked here to see whether it is null, but this value can’t be null because it was previously dereferenced and if it were null a null pointer exception would have occurred at the earlier dereference. Essentially, this code and the previous dereference disagree as to whether this value is allowed to be null. Either the check is redundant or the previous dereference is erroneous.

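Explanation: a value is checked for null here, but it cannot be null because it has already been dereferenced; had it been null, the null pointer exception would have occurred at that earlier dereference. In essence, this code and the earlier dereference disagree about whether the value is allowed to be null. Either the check is redundant or the earlier dereference is wrong.

Erroneous code:

    // banner is dereferenced first: this line throws if banner is null
    banner.setVisibility(View.VISIBLE);
    // so this check can never be true by the time it runs
    if (null == banner) {
        // doSomething
    }

3)DM_DEFAULT_ENCODING: Reliance on default encoding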

Found a call to a method which will perform a byte to String (or String to byte) conversion, and will assume that the default platform encoding is suitable. This will cause the application behaviour to vary between platforms. Use an alternative API and specify a charset name or Charset object explicitly.

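Explanation: a call was found to a method that performs a byte-to-String (or String-to-byte) conversion and assumes that the platform's default encoding is suitable. This makes the application behave differently from one platform to another. Use an alternative API and explicitly specify a charset name or a Charset object.

Erroneous code:

    // example 1: the bytes fed to the digest depend on the platform charset
    MessageDigest mdTemp = MessageDigest.getInstance("MD5");
    mdTemp.update(string.getBytes());
    // example 2: the bytes written depend on the platform charset
    private OutputStream outStream = null; // field; assumed to be assigned before use
    outStream.write(str.getBytes());
    // example 3: the bytes are decoded with the platform charset
    String string = new String(bytes);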

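Fix:

    // example 1: charset given explicitly via Charset.forName
    MessageDigest mdTemp = MessageDigest.getInstance("MD5");
    mdTemp.update(string.getBytes(Charset.forName("UTF-8")));
    // example 2: charset given explicitly via StandardCharsets
    private OutputStream outStream = null; // field; assumed to be assigned before use
    outStream.write(str.getBytes(StandardCharsets.UTF_8));
    // example 3: decode with the same charset the bytes were encoded in
    String string = new String(bytes, StandardCharsets.UTF_8);

Note: both Charset.forName("UTF-8") and StandardCharsets.UTF_8 work; the second requires minAPI 19.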
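The platform dependence FindBugs warns about, as an added example that is not part of the original post: the same constructed string is encoded with three charsets that stand in for different platform defaults, and the digest input changes with each. The class name, the helper and the sample string are assumptions, and SHA-256 is used here in place of the post's MD5.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class DefaultEncodingDemo {

    // Hex-encode the SHA-256 digest of the given bytes.
    static String sha256Hex(byte[] data) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        StringBuilder sb = new StringBuilder();
        for (byte b : md.digest(data)) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample input containing one non-ASCII character (e with acute accent).
        String token = "caf\u00e9-user";

        // Each charset stands in for what getBytes() with no argument
        // would pick up as the default on a differently configured machine.
        Charset[] simulatedDefaults = {
            StandardCharsets.UTF_8,
            StandardCharsets.ISO_8859_1,
            StandardCharsets.US_ASCII // unmappable characters become '?'
        };
        for (Charset cs : simulatedDefaults) {
            byte[] encoded = token.getBytes(cs);
            System.out.printf("%-10s %2d bytes  sha256=%s%n",
                    cs.name(), encoded.length, sha256Hex(encoded));
        }

        // Decoding with a charset other than the one used for encoding
        // does not throw; it silently yields different text.
        byte[] utf8 = token.getBytes(StandardCharsets.UTF_8);
        String wrong = new String(utf8, StandardCharsets.ISO_8859_1);
        String right = new String(utf8, StandardCharsets.UTF_8);
        System.out.println("ISO-8859-1 round trip intact: " + wrong.equals(token));
        System.out.println("UTF-8 round trip intact:      " + right.equals(token));

        // What the no-argument APIs would use on this machine.
        System.out.println("Default charset here: " + Charset.defaultCharset());
    }
}
```

A digest or signature computed on one host and verified on another only matches when both sides encode the string with the same explicitly named charset.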

4)MS_SHOULD_BE_FINAL: Field isn’t final but should be

This static field public but not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability.

Explanation: this static field is public but not final, and could be changed by malicious code or by accident from another package.

5)DM_BOXED_PRIMITIVE_FOR_PARSING: Boxing/unboxing to parse a primitive

A boxed primitive is created from a String, just to extract the unboxed primitive value. It is more efficient to just call the static parseXXX method.

Further reading: a detailed explanation of the difference between Integer.parseInt(s) and Integer.valueOf(s)

6)ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD: Write to static field from instance method

This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.

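Explanation: this instance method writes to a static field. This is hard to get right when multiple instances are being manipulated, and it is generally bad practice.
In other words, a static variable is assigned inside an ordinary (instance) method, so it may be changed many times and end up with an unintended value.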

7)UC_USELESS_VOID_METHOD: Useless non-empty void method

Our analysis shows that this non-empty void method does not actually perform any useful work. Please check it: probably there’s a mistake in its code or its body can be fully removed.
We are trying to reduce the false positives as much as possible, but in some cases this warning might be wrong. Common false-positive cases include:
- The method is intended to trigger loading of some class which may have a side effect.
- The method is intended to implicitly throw some obscure exception.

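Explanation: our analysis shows that this non-empty void method does not actually perform any useful work. Please check it: its code may contain a mistake, or its body can be removed entirely.

We try to reduce false positives as much as possible, but in some cases this warning may be wrong. Common false-positive cases include:

- The method is intended to trigger loading of some class, which may have a side effect.

- The method is intended to implicitly throw some obscure exception.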
